In this episode of the Future of Application Security, Harshil speaks with Jacob Salassi, Director, Product Security at Snowflake, a cloud computing and data management company. They discuss how Snowflake approaches product security — from what they expect engineers and developers to do, to their risk-based reporting — and why Jacob takes a scientific approach to it. They also discuss how Jacob's team creates property graphs to better understand risk flows and what to prioritize, automated threat detection, how they're writing more intelligent detections at scale, and the challenges of big data to product security.

Topics discussed:

• How Snowflake approaches product security, including: 
  • How they build autonomy for engineers through repeatable processes
  • How they optimize for business value and not just security outcomes, and 
  • Why they take a quantitative risk-based reporting approach
• Why Jacob takes a "science, not art" approach to product security, and why he defines product security as anything related to the security posture of the service.
• The ways in which data- at- scale and disparate data sources prove to be a challenge for threat detection, and why security teams can benefit from pulling together those sources so they can uniformly analyze data across systems.
• How Jacob's team created and scaled a repeatable and structured method to risk assess every new feature that's being shipped.
• How this method of risk assessment and scoring helps uncover dynamics in their environment, gives developers better prioritization of their work, and enables automated threat detection.
• Challenges to the observability problem of who can own and access data, how many people are ingesting APIs, how much it's costing, and other access concerns.
• The ways in which they're communicating KPIs and risk posture through live dashboards, and how they're thinking about powering quantitative risk analysis and forecasting through those dashboards.