In this dynamic discussion, Jeremiah Kung (Global Head of Information Security at AppLovin) and Aman Sirohi (SVP - Chief Security Officer & Platform at People.ai) sit down with Jenn Gile (Head of Community at Endor Labs) to discuss the profound impact of AI on application security and developer velocity.
The panel explores how AI code assistants are finally making the "shift-left dream" a 100% reality, fundamentally changing the speed of releases. Learn their CISO strategies for moving away from "noisy" security tools to high-signal solutions, and discover how to rebuild developer trust by empowering engineers to be partners in the security pipeline rather than adversaries.
For more on how People.ai uses Endor Labs, read People.ai Transforms Security and Compliance with Endor Labs.
AI's Impact on Application Security (AppSec)
[00:00] Jenn Gile: So we came here today to talk about application security and how it's changing because of AI. Do you think AI AppSec is something different from AppSec?
[00:15] Jeremiah Kung: No, not really. It's more enhancements to it, right? When I think of AI, GenAI, I really think about data and data protection, data privacy. It's moving data from here to there. And then it's also about enhancing the tools that you currently have to make it more efficient on that side. So, I think it's just going to get faster and hopefully better when it comes to that side.
[00:41] Jenn Gile: What do you think?
[00:41] Aman Sirohi: I think it's going to be a game-changer because coding is a commoditized business now. Right? So it's become that you need to have the right security posture at the time individuals are writing code. And you want to have the right guardrails to say, "Look, this code is written and it's got vulnerabilities in it before you push it to production and cause more fix it." That's catch it earlier. I think the way coding is changing the game with the Vibe Coding and Cursors of the world, this is going to become more and more important.
The Shift-Left Dream and Developer Trust
[01:21] Jenn Gile: You said something about your existing tools. What do you think, characteristic-wise, your tools need to be able to do now, you know, have already built in in order to handle the way things, you know, new dependencies, new places they're being deployed? How do they, you know, need to architecturally be structured, features, what are you looking for?
[01:52] Jeremiah Kung: Yeah, it really forwards, it's always faster, better, more, quicker, right? That whole deal, right? Especially when you're a technology company, you live or die by the speed of your releases. And so to say, "Okay, I'm going to go to the pipeline, you're going to do a review, and I'm going to do this review, and then we'll push it to approval, then we'll put it to UAT, Dev, QA, and then eventually throw it out to the production." Okay, well, our competitor just did three releases before we're doing that. So really, ideally, like, again, Cursor, Wincer, great examples, where you're coding, it'll come up with, it'll complete the sentence for you. Add a security piece to that, that's great. Right? You're coding something, "Hey, you're going to cause a log ship here, you're going to cause issue there. Do this instead." And so that's the direction we kind of want to move to. I'm waiting to see that, to see all the different types of code assist companies add that feature in there, or to have some kind of parity into somebody like Endor Labs that can kind of feed that information. And then now you got your developers coming spitting stuff out right away before it even gets to the pipeline.
[03:00] Jenn Gile: Yeah, I mean, it's like that real shift left dream. It's finally possible. Like, it doesn't get any further left than that.
[03:07] Aman Sirohi: Right. And for us CISOs actually, you know, this is a win for us. And, you know, for developers, this is definitely a win, but for us, it's a big win because we're not waiting to catch the vulnerabilities later in the pipelines, and then going back and causing the developers to redo it, fix it, they get frustrated or annoyed by it. So, for us to be able to introduce a code and Endor to them, this will make them feel better, they'll be able to code faster, get to production faster, and, you know, less headache on our side too.
[03:52] Jeremiah Kung: Yeah, you got to understand as CISOs, we don't write the code. And usually, especially again at tech heavy companies, the coders and the engineers are kind of the geniuses. They're the ones making all the money. So, we're just almost like overhead to them. I like to think of us as partners or their key customers, but we want them to kind of partner with us and get these things in place. Mind you, the story when I first got a SAST tool in the pipeline working with the developers, I got the best compliment I could ever get from the head developer was like, "Hey, this didn't suck as much as I thought it was going to suck." Right? And so that, to me, is the best you can do. And now, if you're getting a tool that's just spitting a bunch of noise and you're losing all that equity, you got to keep that equity and build on it with something that's going to be elegant and quiet and sensible.
[04:47] Jenn Gile: I think you've both had the experience of pulling out a noisy tool and putting in a new one, which, you know, you're in control of things like budget and perhaps ultimately what you choose, but what about the process of rebuilding trust with developers after perhaps they've lost some trust in your organization because that tool is not frictionless?
[05:21] Jeremiah Kung: Yeah, you're always in the hole there, right? So, you want to come in swinging with the best. And then you always want to touch base, make sure, "Hey, is it working good?" Have a champion's program. And I get it, if you have, you know, company 70,000 people large, it's tough to do. It's hard to do that. Yeah. Smaller companies, easier because you kind of know everybody. But yeah, you do regular check-ins and see how things are going, and if it's not working, you got to be willing to make that change.
[05:47] Aman Sirohi: In my previous life, you know, working for a smaller startup, it was easier like Jeremiah was mentioning, but for larger organizations, what I ended up doing was, I talked to the CTO, engineering leader too, and I said, "Who are one or two people in the team that come along for the ride?" With me in picking the tool, going through the capabilities, and then when we did a, you know, the test drive, we just gave it to them. Come back and tell me you hate this product. That's fine. I'm good with it. Like, I mean, I'm going to let you, you're going to have a big vote in this. It's not like CISO is going to tell you this is the right tool because it gives me this. If you guys, to your point, if they don't give good feedback back then, then it's like, they're like, "Oh, another CISO picked another tool, throw it down my throat, I got to go use this." So, I changed that game a couple of, in my last two companies ago, and it's worked well going forward. Yeah. Because they feel like more empowered. They're like, to your point, we're letting them, they're the geniuses. We're letting them tell you what security measures work and don't work, and that feedback goes back to the vendor. So, the vendor doesn't look at the CISO and like, "Well, why aren't you buying us?" I'm like, "Well, your primary user is telling you this is not working or working, that's the answer, right? And we're almost facilitating a better outcome for the organization and the company." So our roles are a little different when it comes to something that's impacting the developers and engineers.
Implementing New Tools (Endor Labs)
[07:37] Jenn Gile: So you presumably did that when you implemented Endor Labs.
[07:41] Aman Sirohi: We did. So I mean, you know, my platform guy loved it, right? So, I mean, impressing some platform engineers is hard. Yeah. Because they're like, so he was, you know, he was locked in. He found the ability to integrate it really fast, being able to use it in terms of giving it to the separate engineering teams. So that has been really good for us. And then, you know, we definitely have stories that, you know, we can always share and, like, there are anecdotal, like, aha moments that I found interesting as well. But yeah, I think that, positive signs across the board.
[08:33] Jenn Gile: Cool. And I know AppLovin is a little earlier in your journey with Endor. What have you heard so far in terms of feedback from, you know, your team, the engineering org?
[08:44] Jeremiah Kung: Yeah, it's just a lot cleaner, a lot less noise. You know it's a problem when you bring on interns, they're like, "I don't even know. Oh, we have a tool that does that." You're like, "Okay, we have a problem here." Let's bring something else in that people are using. And now you're seeing, "Okay, folks are using this now. They like it. It helps them on a day-to-day basis." So, again, if it's just too much noise, I'm going to ignore it, right? The signal-to-noise ratio, especially in a fast-moving company, has got to be high signal, very low noise. So, if you have a security tool, which is, in my realm, that's causing a lot of noise, you got to cut that out as quickly as you can.
Adoption and Velocity of AI Code Assistants
[09:28] Jenn Gile: I think we could almost say that experiences using AI code assistants, that in some ways that code that's being produced is quote unquote noise because it doesn't have all of the security best practices. Often there's code quality issues. So, what are you seeing in terms of, you know, if you think of like the Gartner Hype Cycle, you know, you get all I remember is the trough of despair. Delusion or something. Like, where would you say your engineering teams are in terms of their attitude toward these tools?
[10:14] Jeremiah Kung: Attitude towards the security tools, it's still getting there, right?
[10:20] Jenn Gile: What about the code assistant?
[10:20] Aman Sirohi: The code assistants, they love them. They love the tools. They're all leaning in. It's almost like if you're not doing it, it's almost like we have a list. We have a list, and we actually see which users are actually using it and how much you're using it versus not using it. And then there's actually a conversation. "Please go, we have a weekly engineering leadership meeting. I'm part of it. And it'll be like, 'Hey, you know, so and so, can you go talk to your team members or these two, why are they not adopting the tool?'" "Like, are we missing something or like, what's going on?" right? So, there's definitely a choice by engineers to kind of lean in and really push it across the entire environment.
[11:10] Jenn Gile: Are you seeing application release velocity increasing in those teams that are heavy adopters?
[11:15] Aman Sirohi: 100%.
[11:16] Jeremiah Kung: Yeah. Yeah, absolutely. I think, what you're seeing is the folks that they use it or lose, you're going to fall behind as a matter of day, right? And so now you're getting maybe a junior-level coder is now coding at a mid to almost senior level because of this assistance. So why wouldn't you use it? Yeah.
Conference Takeaways (Black Hat)
[11:42] Jenn Gile: All right, last question. Has nothing to do with anything we've talked about so far. We're here in Vegas. There's all the conferences, all the conversations. What's something that you've encountered so far that you've been excited about, enjoyed, got you stoked to go back and talk about with your team? What anything?
[12:07] Jeremiah Kung: Yeah, I think, you know, being at Black Hat for us is because there are so many vendors and VCs, and right now, it's in a good space in security. It's pretty hot. A lot of new startups are coming, a lot of buyouts are happening. You could argue whether it's a bubble or not, whether the prices are good or not. Okay, but the point is there's excitement here. There's stuff being developed, there's money, smart people are getting funded, doing great things. And so, if you're, and I think you and I are kind of in this where we're lucky enough to work with some of these folks, we can help shape what they're doing. What I have noticed is a big divide. There's either a really smart AI guy who doesn't know cyber or a really smart cyber guy who doesn't know AI. And so, in the case of smart cyber guy or AI guy that doesn't know cyber, we've kind of pitched in some of these places to say, "Hey, do it this way, make it do this," and also now you have a better product that everyone can use. So, very exciting. I hope it's not a bubble that pops, but right now we're in a good spot with a lot of synergy, a lot of talk, a lot of excitement.
[13:21] Jenn Gile: A lot of innovation, huh?
[13:22] Jeremiah Kung: Yeah, yeah.
[13:23] Jenn Gile: Excellent. Is that similar for you?
[13:24] Aman Sirohi: Yeah, similar, and I think it's like reconnecting with some of our friends on the East Coast and, you know, other parts of the US where we don't get to see them that often. I think getting some of these smaller conversations and events has been like, "Oh, you're using that product? Oh, I'm using this one." And then we exchange notes and sometimes like, we're like, "Oh, we should go talk to them about this is the next feature parity that they should be doing." Because we both already align that that's where they should be going, and it's almost like reshaping them together, right? So, it's almost like getting a collective union of CISOs just in a conversation realizing that, "Hey, we should link up after this and let's go talk to the vendor." And that's awesome, right? That's one of the things that almost is like refreshing, but sometimes we always feel like we're alone on an island back home just trying to solve this all on our own.
[14:26] Jenn Gile: Yeah, yeah. You're the one of one, right?
[14:30] Jeremiah Kung: Yeah, and that's what's kind of nice. So if you're reaching out to a good VC that, "Oh yeah, we have a company," and the best ones are, "Hey, maybe they were not in our portfolio, but I think that kind of fit with what you need," and you get those intros and if they're early enough, Series A, what have you, they'll start working with you. And then now you have free work basically being done for you.
[14:55] Jenn Gile: You get to shape the product. Yeah.
[14:56] Jeremiah Kung: I mean, I wouldn't bet the farm on it, like it's a critical control, but definitely something you want an area you want to grow into. It's nice to partner. I've done that multiple times and it's worked out well, but you do got to be careful, right? Because they get bought and you're like, "Oh, now what happens?"
[15:11] Jenn Gile: Yeah, you're not on all the sync, right? Yeah.
[15:13] Aman Sirohi: Absolutely.
[15:14] Jenn Gile: All right, well, thanks for doing this.
[15:15] Jeremiah Kung: Oh, absolutely. Thanks for being here, Jenn.
[15:16] Aman Sirohi: Thank you.