Appsec News & Interviews from RSAC on Identity and AI – Charlotte Wylie, Rami Saas – ASW #331
In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference.
With more types of identities, machines, and agents trying to access increasingly critical data and resources, across larger numbers of devices, organizations will be faced with managing this added complexity and identity sprawl. Now more than ever, organizations need to make sure security is not an afterthought, implementing comprehensive solutions for securing, managing, and governing both non-human and human identities across ecosystems at scale.
This segment is sponsored by Okta. Visit https://securityweekly.com/oktarsac to learn more about them!
At Mend.io, we believe that securing AI-powered applications requires more than just scanning for vulnerabilities in AI-generated code—it demands a comprehensive, enterprise-level strategy. While many AppSec vendors offer limited, point-in-time solutions focused solely on AI code, Mend.io takes a broader and more integrated approach.
Our platform is designed to secure not just the code, but the full spectrum of AI components embedded within modern applications. By leveraging existing risk management strategies, processes, and tools, we uncover the unique risks that AI introduces—without forcing organizations to reinvent their workflows. Mend.io’s solution ensures that AI security is embedded into the software development lifecycle, enabling teams to assess and mitigate risks proactively and at scale.
Unlike isolated AI security startups, Mend.io delivers a single, unified platform that secures an organization’s entire codebase—including its AI-driven elements. This approach maximizes efficiency, minimizes disruption, and empowers enterprises to embrace AI innovation with confidence and control.
This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to book a live demo!
Charlotte Wylie, SVP and Deputy Chief Security Officer at Okta, leads Okta's technical cybersecurity services. This includes overseeing Okta's global engineering teams to enhance the company's security posture and the programs that support its nearly 20,000 customers. She is a seasoned security executive with extensive global experience across the financial and technology industries in Australia and the United States. Charlotte has an extensive background in delivering security transformation programs and leading global engineering teams that create value by enhancing security posture and aligning it with the business goals of large corporations.
Rami Sass is co-founder and CEO of Mend.io, a company that enables organizations to accelerate the development of secure software at scale with automated tools that help bridge the security knowledge gap. Since the company’s founding in 2011, Rami has grown Mend.io from a small Israeli startup to a global business with over 300 employees across several countries and hundreds of enterprise customers including Microsoft and IBM.
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Mike Shema
- Consult the European Vulnerability Database to enhance your digital security!
Here's the EUVD. All the entries so far seem to be a mapping of CVEs to EUVDs. I'd expect these two vuln tracking sets to significantly overlap for a while. It'll be the eventual differences, specifically in the EUVD, and the nature of those differences that will be interesting to see. Such differences could be anything from preference for reporting, where EUVD becomes the favored "first notified", to showing gaps in the administration of the CVE program, to disputes on the validity or severity of an entry.
- Encourage investment and markets for secure tech – NCSC.GOV.UK
- Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness
Check out the Cybersecurity Skills Framework. (The skill drop-downs don't work in Safari, so stop by the HTML Skills Framework first or try a different browser.)
- Secure by Design: Defining Best Practices, Enabling Developers and Benchmarking Preventative Security Outcomes
Yes, it's vendor research, but it's not stuck behind a regwall.
It's a good seed for discussing what Secure by Design means and what it looks like in practice. And it has a very interesting comment on what it observed in how companies approach threat modeling that's worth exploring more.
- Coinbase says hackers bribed staff to steal customer data and are demanding $20 million ransom
Also covered in The Record
There's plenty of precedent for bribery as a shortcut to hacking as well as a means of spying.
It might not seem like there's an immediate appsec angle here, but threat modeling for insider threat and designing controls for systems that have sensitive data access are surely critical tasks that fall under secure by design.
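One concrete shape those controls can take, as an added example for these show notes rather than anything from Coinbase, Okta, Mend.io or the episode: a support tool that exposes customer records logs every lookup, and a detector checks two things an insider threat model surfaces immediately, namely that each lookup is tied to an open ticket for that customer, and that no single agent touches an unusual number of distinct customers in a short window. The log format, the ticket-to-customer mapping and all log lines below are constructed for illustration.

```python
# Added example, not code from the episode or any vendor mentioned on the page.
# Two insider-access controls for a customer-records tool:
#   1. justification: every record view must cite an open ticket for that customer
#   2. volume: an agent touching many distinct customers in a short window is flagged
# Log format, OPEN_TICKETS and LOG_LINES are constructed for this example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ticket -> customer mapping, standing in for the ticketing system.
OPEN_TICKETS = {"T100": "C1", "T101": "C2", "T102": "C3"}

# Constructed access log lines:
# "<ISO timestamp> user=<id> action=<view|export> customer=<id> ticket=<id|->"
LOG_LINES = [
    "2025-05-15T09:00:00 user=alice action=view customer=C1 ticket=T100",
    "2025-05-15T09:02:00 user=alice action=view customer=C2 ticket=T101",
    "2025-05-15T09:00:30 user=bob action=view customer=C1 ticket=-",
    "2025-05-15T09:01:00 user=bob action=view customer=C2 ticket=-",
    "2025-05-15T09:01:30 user=bob action=view customer=C3 ticket=T102",
    "2025-05-15T09:02:00 user=bob action=view customer=C4 ticket=-",
    "2025-05-15T09:02:30 user=bob action=view customer=C5 ticket=-",
    "2025-05-15T09:03:00 user=bob action=view customer=C6 ticket=-",
    "2025-05-15T09:03:30 user=bob action=export customer=C7 ticket=-",
    "2025-05-15T09:20:00 user=carol action=view customer=C3 ticket=T100",
]


def parse_line(line):
    """Parse one constructed log line into a dict; 'ts' becomes a datetime."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def detect(lines, open_tickets, window=timedelta(minutes=10), max_customers=5):
    """Return a list of alert dicts for unjustified and bulk customer access.

    unjustified_access: the cited ticket is not an open ticket for that customer
      (covers a missing ticket, an unknown ticket, and a ticket for someone else).
    bulk_access: the user touched more than max_customers distinct customers
      inside the sliding window; raised once per user to avoid an alert storm.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, customer) inside the window
    bulk_flagged = set()
    # Sort so the sliding window sees events in time order even if the log is not.
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        user, customer, ts = ev["user"], ev["customer"], ev["ts"]
        if open_tickets.get(ev["ticket"]) != customer:
            alerts.append({"kind": "unjustified_access", "user": user,
                           "customer": customer, "action": ev["action"], "ts": ts})
        q = recent[user]
        q.append((ts, customer))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) > max_customers and user not in bulk_flagged:
            bulk_flagged.add(user)
            alerts.append({"kind": "bulk_access", "user": user,
                           "customer": customer, "action": ev["action"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(LOG_LINES, OPEN_TICKETS):
        print(f"{a['ts'].isoformat()} {a['kind']:18} user={a['user']} "
              f"action={a['action']} customer={a['customer']}")
```

On the constructed data, alice is clean, bob trips the justification check on six lookups and the volume check once, and carol trips the justification check because her ticket belongs to a different customer. The justification check only moves trust to the ticketing system, so a bribed agent who can also open tickets defeats it; that is exactly the kind of assumption a threat model for insider access should write down, and it is why the volume check is kept independent of ticket data.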