Enhancing application security with Naomi Buckwalter

Techstrong TV interview at RSAC Conference 2025

On April 28, 2025, Naomi Buckwalter, Senior Director of Product Security at Contrast Security, sat down with Techstrong TV’s Lisa Martin to discuss the critical role of application security in production. The conversation addressed industry challenges and the need for better insights, emphasizing how AppSec can improve developer experience and enable proactive security. Naomi highlighted how Contrast Security Application Detection and Response can effectively block attacks and aid developers in remediating vulnerabilities, ultimately leading to enhanced application security.

About the speakers

Naomi Buckwalter

Naomi Buckwalter, CISSP CISM, is the Director of Product Security for Contrast Security and author of the LinkedIn course “Training today for tomorrow's solutions - Building the Next Generation of Cybersecurity Professionals”. She is also the founder and Executive Director of the Cybersecurity Gatebreakers Foundation, a nonprofit dedicated to closing the demand gap in cybersecurity hiring. She has over 20 years' experience in IT and security and has held roles in software engineering, security architecture, security engineering, and security executive leadership. As a cybersecurity career adviser and mentor for people around the world, her passion is helping people, particularly women, get into cybersecurity. Naomi has two master's degrees from Villanova University and a Bachelor of Engineering from Stevens Institute of Technology.

Lisa Martin

Lisa Martin is a technology analyst, podcaster, and former NASA scientist who brings a unique blend of science, marketing, and broadcasting expertise to her work in the tech industry. With a talent for making complex concepts accessible to technologists and laypeople, she has interviewed industry giants and thought leaders from Michael Dell and Pat Gelsinger to Suze Orman and Deepak Chopra on live TV. As a respected marketer, broadcaster, and analyst, Lisa provides insightful analysis on the latest tech trends and innovations, appearing on programs like Bloomberg Asharq, The Schwab Network programs "Trading 360", "The Watch List", and "Market on Close", as well as iHeartRadio, KFBK News Radio, US News and World Report, Business Insider, Yahoo Finance, Benzinga, Digital Trends, The Street, Kiplinger, and TechTarget.

Transcript

Lisa Martin

Welcome back to Techstrong TV. I'm Lisa Martin live from RSAC at Moscone West in San Francisco. We're gonna be talking all things security all the way through Thursday. Some great content we've already filmed.

Hopefully, you've been watching. More great content coming your way. My next guest is Naomi Buckwalter. She's the Senior Director of Product Security at Contrast Security.

Naomi, it's great to have you on.

Naomi Buckwalter

Hi, everyone. It's good to be here.

Lisa

Thank you for joining me.

Naomi

I am so excited. How are you today?

Lisa

I'm excellent. Awesome. My feet don't hurt yet. It's day one.

Naomi

That's why I'm on the road.

Lisa

So I love the tagline of Contrast Security: you can't stop what you can't see. Tell the audience a little bit about Contrast Security. What is it that you guys are solving for customers?

Naomi

Oh, interesting. Well, if I could give you an elevator pitch, we do application security in production. That's the easiest way I can explain it.

Lisa

I love that.

Naomi

Right? It's so easy to understand. Yeah. Well, if you think about it, we have other things in security in production. Like, we have our CrowdStrikes that are running on production boxes. Right? Like, we have different agents that run in production. If you think about the vendor space, there's not a ton of application security happening in production, in runtime.

A lot of it's before the runtime happens. So you've got your static scans, your SCAs, all the scans that happen in QA and dev and all the things that aren't actually production. Yeah. And you have to wonder why.

It's kind of weird. It's weird.

Well, you're saying, you know, that doing AppSec in production isn't crazy. It's smart. 

Actually, it is smart because, why aren't folks because it's where behavior happens? It's where the users are. It's where the attacks are. Why aren't we doing more security where the bad stuff is happening?

Right. Why do we assume we're testing for all the cases prior to releasing the thing in production? Yeah. Well, I can tell you why.

I know it's smart. We just said it. You said it. But I think it's because people are scared of doing AppSec in production.

I think just tech in the past, we've had downtime as an issue. Your company is like, no. We need to have this uptime ninety nine point nine nine nine or whatever, right, to five nine sync you.

And I think it's put us back a lot. A lot. So if you think about some of the bigger breaches in the past, it really comes down to, you probably just had this old server running with an unpatched thing for the longest time. And you were afraid of taking it offline, off production, right, just to fix it and then put it back up. Yeah. Because your business is like, no, we need all the uptime, we need all the revenue.

And it becomes this problem because you don't have the protections that you actually need in production.

Well, it's a double edged sword. And it's like nobody wants to be the next headline for a breach. So it makes sense. Right?

I know. I mean, the brand reputation, the churn that happens, nobody wants to be that. I mean, in this day and age, security attacks aren't going to happen to us? It's when?

Oh, it's happened now.

How often? It's happened. Yeah. What is the cost that's gonna cost my business?

So that alone, you think would make enough sense for them to put apps, like, in production? Production.

But I didn't even get to the biggest part. It's because we don't have the insight that we need in production, in our applications. We are really good as an industry at getting our network traffic understood, all the things that are happening on our hosts understood. We know all the things that are going on because we have observation.

We have sensors in those areas. Yeah. What we don't have are those same sensors happening in our applications at run time in production. And now we're trying to say, as a company, I think it's time.

It's okay to do AppSec in production. It's okay, guys. Like, I almost feel like here at RSA would be our, like, our failing. Yeah.

Is that and is that a word? Yeah. Unveiling, like, our unboxing for YouTubers? Yeah. So it would be our way of saying to the community, like, it's time.

Shift left probably has failed.

Lisa

Well, how much of what you're doing at Contrast is really education and making these folks aware that it's about it's time and this is why that old playbook has to be thrown out because nobody wants to have the next time.

Naomi

Absolutely. And it's a little like pulling teeth. Yeah. If we had, like, an interpretive dance, maybe people would probably understand it perfectly.

Because sometimes they're like, what are you talking about? I had dinner yesterday with somebody at a different company, someone who does static scanning. And it's like when I told him we should do AppSec in production, it's like I stabbed his child. Like, his reaction to that was just like, you could just tell his face.

I was like, I'm sorry. Do I need to apologize right now? Like, he was just so insulted, the fact that I even said that. Because it's so ingrained, it's cultural.

And that's why to change.

Our critical thinking turns off whenever we are thrown another framework Yeah. Or another way of doing something. Oh, and everyone does it this way. Think of the thousands of other people here.

It's a bias that is not well understood by me just because I can see the issues. And most of us in AppSec actually do.

Yeah. And here's another problem is security people traditionally don't have the best grasp of applications anyway. Okay. So what they do is, or what we do, is we kind of just say, hey, we're gonna let the developers take care of it.

We're gonna do our scans. We're gonna give them the issues, and then they're just gonna magically fix it. That's not what the developers wanna do. Trust me.

They wanna build stuff fast. Yes. They wanna make money. They wanna go home and build cool shit at the end of the day.

I'm sorry. They build cool shit. Yeah. And then call it a day.

They see security people, and they always have, as a gate, as a detractor to what they're trying to do and know you can't do.

So what we're now saying is maybe that approach has failed us because think of all the issues that are still happening. OWASP Top 10 hasn't changed in, like, two decades.

Right? How embarrassing for us. Now we're saying application security can be done without the developers. We don't need them anymore.

Okay. Yeah. And I know that sounds really, like, who the heck are you kidding? But we haven't given this a shot enough to say that maybe it won't work, maybe it will. Yeah. Why not?

So you're in effect enabling the optimal developer experience because you're pulling this out of there. That's another way. Hands and the AppSec folks can take the responsibility in production.

Lisa

Where are you talking? Who are you selling to? Is it the developers? Is it the security folks? Is it both? Is it the application owners?

Naomi

Oh, my gosh. Well, everyone and anyone who will write a check. But I will say, we are targeting a new audience, and it's our SOC people, our security operations folks. Yeah.

So what we're trying to sell them is more insight into the applications that are on their networks. Like, all the applications and hosts that are on the machines that you care about run processes and things and accept traffic and do stuff with that traffic in your host that you should really know about. Right? So we're giving them observations, more data, more insight into their application layer, into their APIs that they don't already have.

Right. And I think our SOC what we're hearing from the field is that, wow, this is great. Like, before, it was just another network packet. Like, I don't know what this is doing.

Now it's, wow, it's not only do I know where this packet is going, what route it's hitting, what that route is doing, what it's executing in the host, or what data point it's hitting on the back end. Right? Like, now that we have all that insight, we can do something about it. If it's an application attack, we can block it because Contrast does that really well.

Yeah. If it's a vulnerability that is out there, maybe we could tell the developers how to fix it, and we do that too. Not only do we block the attack, we can tell you where the vulnerability is, we can patch it, right? Like, we have AI to fix.

Like, we have all these cool tools that can just tell you how to fix it. Yeah. It's really cool.

Well, that application detection and response technologies observability are game changing for organizations. Yes. It's like the tagline, you can't stop what you can't see. You need to have that visibility. Yeah. But also, in a sense, getting out of the way of the developers. Letting them have the optimal developer experience that they want, that they expect.

But providing that visibility so the blinders are off. And you're letting them do their job better. And you're doing your job better too as security people. Yeah.

Security people can do application security. I know it's sometimes hard because they have to keep up with their technology. But once we do, we can show them we're on the same team. Right.

And then now you're building relationships. Now you're building culture on your team. And trust. And trust.

And that is a hundred percent what you need when you're working with developers. Like Yep. I had conversations.

We're like, why are we doing it with you guys? We can ruin your life if we want to. Like, that is an adversarial relationship. Wow.

Right? This is not a person that I work with, but Yeah. I was just talking. They're like, we can ruin security people's lives if we want to.

Like, why are they so jealous?

Lisa

What's your favorite customer story of Contrast that you think just perfectly shines a spotlight on what we do well and why we're doing it?

Naomi

Well, it's funny because I'm a security practitioner. I'm my favorite customer. I actually use Contrast every single day.

I'm a security practitioner. I would not be working for a security vendor if I did not deeply believe in our product.

I am not even saying that lightly. Like, I understand how cringe it is to be here. I'm sorry, RSA.

It's security vendors doing too much, and it's not actually helping do security. So I, as a security practitioner, really appreciate a tool like Contrast because it makes my job so much easier. I don't have to do a scan and be like, here's five hundred vulnerabilities at the static, and I haven't even validated each one. Good luck with that, developers.

Like, I can give our developers actual vulnerabilities, actual vulnerable routes, things that have been exercised in our applications, which means endpoints that have been hit. In production because we know this is a route that has been used, and here's a vulnerability, here's an attack that happened, and then we could do something about it immediately. I don't have to wait for the patch. 

I could do something with our tool. Contrast can be like, okay, we're gonna block this for now, and then gives us some time to patch on the developer side. Yeah. And think about Log4Shell, it was the same way.

Yeah. We blocked Log4Shell out of the box, before anyone even knew Log4Shell was a thing.

And now it buys the developers time. Yeah. Right? Because you're like, yeah, you're using old versions of Log4j that are vulnerable to Log4Shell.

Go ahead and fix this thing. And by the way, we have Contrast on the other side acting as that last gate. Yeah.

Lisa

Naomi, it's been such a pleasure having you on Techstrong TV. Thank you for really explaining what you guys are doing so well, why AppSec in production is smart. We appreciate your insights and your candor as well. For Naomi Buckwalter, I'm Lisa Martin. You're watching Techstrong TV live from RSAC.
