'Inside Security' with Anshuman Bhartiya (Staff Security Engineer, Lyft)

'Inside Security'
Blog
Leen Security
January 3, 2025

Application Security (AppSec) has evolved rapidly over the years, becoming a cornerstone of organizational security frameworks. At its core, AppSec ensures that the software powering businesses is free of exploitable vulnerabilities, reducing risk to data, customers, and systems.

Initially, AppSec focused on basic code reviews and static analysis, identifying flaws during the development cycle. With the rise of web applications in the early 2000s, threats like SQL injection and cross-site scripting (XSS) pushed organizations to adopt dynamic testing and secure coding practices. The advent of DevOps and CI/CD pipelines further transformed AppSec, embedding security directly into development workflows through DevSecOps. Modern AppSec now leverages automation, AI, and advanced vulnerability management tools, addressing increasingly sophisticated threats in real time. Its evolution underscores a shift from reactive to proactive defense strategies.

We recently had the privilege of sitting down with Anshuman Bhartiya (Staff Security Engineer, Lyft) to get his perspective on what goes into building a world-class AppSec practice, the challenges of building one, and the proactive steps companies can take to embed security into their culture and processes.

From his journey as a curious student inspired by the stories of early hackers to leading AppSec initiatives at one of the most dynamic companies in the world, Anshuman’s perspective on security emphasizes empathy, innovation, and collaboration.

Understanding AppSec: Beyond the Code

AppSec is often misconceived as merely running code scans or patching vulnerabilities after they are discovered. While these activities are crucial, they are just the tip of the iceberg in a much broader, proactive, and strategic discipline aimed at embedding security into the software development lifecycle (SDLC) from the outset. Effective AppSec programs don't just react to issues; they anticipate and mitigate them, creating a resilient foundation for modern applications.

Let's look at the different components of AppSec.

1. Threat Modeling: Seeing Security Before It’s Needed

One of the foundational components of a robust AppSec program is threat modeling. This process involves systematically identifying potential threats, vulnerabilities, and attack vectors during the design phase of a software project.

Threat modeling is like a blueprint for security. It's where we ask: 'What could go wrong, and how do we prevent it?' Instead of waiting for vulnerabilities to surface later, we address them at the root. By analyzing how an attacker might exploit an application, security teams can design mitigations before a single line of code is written.

Best practice is for AppSec teams to integrate threat modeling into project workflows, so that security considerations are baked into the architecture and design. This not only reduces the risk of vulnerabilities but also saves time and resources by preventing costly rework later in the development cycle.

At Lyft, the AppSec team is deeply involved in every stage of development, ensuring security by default. For instance, secure-by-default SDKs and libraries are built in collaboration with Lyft's Security Foundations team. These tools address common vulnerability classes and simplify security implementation for engineers.

The idea is to make the secure path the easiest one to follow. If we can eliminate vulnerabilities at the root, engineers can focus on innovation rather than constantly worrying about security.

2. Secure Coding Practices: Building with Resilience

Secure coding practices are another cornerstone of effective AppSec. These involve educating developers on writing code that inherently avoids common security pitfalls, such as injection attacks, insecure authentication, and improper error handling.

Lyft’s approach includes providing developers with secure-by-default libraries and SDKs, which abstract away the complexities of security.

When we build tools that make it easy for developers to do the right thing, we’re not just solving today’s problems—we’re future-proofing our applications. This philosophy aligns with the broader concept of "paved roads" in security, where teams make the secure path the easiest one to follow.
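As an added illustration of the "paved road" idea (example code written for this page, not Lyft's SDK), the Python below wraps a database connection so that the parameterised query is the only path that works: the `Sql` template type refuses concatenation, formatting and inline quoted literals, and the `Db` wrapper refuses plain strings, so an f-string-built query fails loudly instead of shipping. The classic string-spliced lookup is kept alongside as the "before". `sqlite3`, the `users` table and the two sample rows are stand-ins constructed for the example.

```python
"""Paved-road database helper: bound parameters are the only way to get data
into a query. Added example, not Lyft's code; sqlite3 stands in for a real DB."""
import re
import sqlite3
from typing import Any, Callable, Iterable


class UnsafeSqlError(TypeError):
    """Raised when a caller tries to build SQL text out of data."""


class Sql(str):
    """A query template. Values may only enter through '?' placeholders."""

    def __new__(cls, template: str) -> "Sql":
        # Guard rail: inline quoted literals are rejected even when they are
        # constants, so every value (trusted or not) goes through a placeholder.
        if re.search(r"'[^']*'", template):
            raise UnsafeSqlError("inline string literal in SQL template; bind it with ?")
        return super().__new__(cls, template)

    def _refuse(self, *_: Any, **__: Any) -> "Sql":
        raise UnsafeSqlError("SQL templates cannot be concatenated or formatted")

    # Concatenation, %-formatting and .format() all fail loudly. f-strings
    # cannot be intercepted here, but they yield a plain str, which Db rejects.
    __add__ = __radd__ = __mod__ = format = _refuse


class Db:
    """Thin wrapper over a DB-API connection that only executes Sql templates."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self._conn = conn

    def query(self, sql: Sql, params: Iterable[Any] = ()) -> list[tuple]:
        if not isinstance(sql, Sql):
            raise UnsafeSqlError("queries must be Sql templates, not plain strings")
        return self._conn.execute(sql, tuple(params)).fetchall()


USERS = [(1, "alice"), (2, "bob")]  # constructed sample data


def make_connection() -> sqlite3.Connection:
    """Fresh in-memory database with the sample rows (setup, bypasses Db on purpose)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_unsafe(name: str) -> list[tuple]:
    """The 'before': untrusted input spliced into the query text (CWE-89)."""
    conn = make_connection()
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


FIND_USER = Sql("SELECT id, name FROM users WHERE name = ?")


def find_user(name: str) -> list[tuple]:
    """The paved road: same lookup, value bound as a parameter."""
    return Db(make_connection()).query(FIND_USER, (name,))


def rejects(thunk: Callable[[], Any]) -> bool:
    """True if thunk() hits a guard rail; used to show the rails actually fire."""
    try:
        thunk()
    except UnsafeSqlError:
        return True
    return False


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(payload))  # every row leaks
    print("safe:  ", find_user(payload))         # no match
    print("plain str rejected:",
          rejects(lambda: Db(make_connection()).query(f"SELECT 1 WHERE 1 = {1}")))
    print("concatenation rejected:", rejects(lambda: FIND_USER + " AND 1 = 1"))
```

The strictness is the point of a paved road: a developer who reaches for string concatenation gets a `TypeError` at the first test run, not a finding from a scanner weeks later, and the fix the error message suggests is also the easiest thing to type.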

Additionally, regular training sessions and workshops reinforce secure coding principles among engineers, helping them stay updated on the latest threats and mitigation techniques. Security isn’t just a function—it’s a skillset that every engineer should have.

3. Vulnerability Management: From Discovery to Resolution

Managing vulnerabilities is a continuous process that extends far beyond identifying issues. It involves triaging, prioritizing, and remediating vulnerabilities in a way that aligns with the organization’s risk tolerance and resource constraints.

At Lyft, vulnerability management is treated as a lifecycle. Automated tools are used to scan for issues in static code, dynamic applications, and APIs, while the AppSec team consolidates findings across these tools to provide a holistic risk profile. We don’t just want to find vulnerabilities; we want to understand their impact, prioritize them effectively, and ensure they get fixed.

To streamline this process, many AppSec teams have begun to leverage automation for routine tasks, such as ticket creation and follow-ups. By automating the tedious parts of vulnerability management, teams free up resources to focus on high-value activities.
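To make the consolidate-prioritise-automate loop concrete, here is an added example (not Lyft's tooling) of the three steps above: findings from several scanners are normalised onto one shape, deduplicated by a tool-agnostic fingerprint, scored with an illustrative weighting, rolled up into a per-service risk profile, and turned into tickets idempotently so a second scan run does not open a second ticket. The scanner output formats, service names, advisory id and scoring weights are all constructed for the example.

```python
"""Consolidate scanner output, prioritise it, open tickets once per finding.
Added example; every format, service and weight below is constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, replace
from typing import Any

# Illustrative weighting (not Lyft's): exposure makes a bug more exploitable,
# an available fix makes it more actionable, so both raise priority.
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
EXPOSURE_BONUS = 2.0
FIX_AVAILABLE_BONUS = 1.0


@dataclass(frozen=True)
class Finding:
    vuln_class: str          # CWE or advisory id, independent of the scanner
    service: str
    location: str            # file:line, URL path, or package@version
    severity: str
    internet_facing: bool
    fix_available: bool
    tools: tuple[str, ...]   # every scanner that reported it

    @property
    def fingerprint(self) -> str:
        # The tool name is deliberately left out so the same bug reported by
        # two scanners, or by two runs of one scanner, collapses to one record.
        key = f"{self.vuln_class}|{self.service}|{self.location}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]

    @property
    def priority(self) -> float:
        score = SEVERITY_BASE[self.severity]
        score += EXPOSURE_BONUS if self.internet_facing else 0.0
        score += FIX_AVAILABLE_BONUS if self.fix_available else 0.0
        return min(score, 10.0)


def normalize(raw: dict[str, Any]) -> Finding:
    """Map each (constructed) scanner format onto the common Finding shape."""
    src = raw["source"]
    if src == "sast":
        return Finding(raw["cwe"], raw["repo"], f"{raw['file']}:{raw['line']}",
                       raw["severity"].lower(), False, True, (src,))
    if src == "dast":
        # DAST only sees deployed endpoints, so these are exposed by definition.
        return Finding(raw["cwe"], raw["service"], raw["path"],
                       raw["severity"].lower(), True, True, (src,))
    if src.startswith("sca"):
        return Finding(raw["advisory"], raw["repo"], raw["package"],
                       raw["severity"].lower(), False, raw["fix_available"], (src,))
    raise ValueError(f"unknown scanner: {src}")


def consolidate(raw_findings: list[dict[str, Any]]) -> list[Finding]:
    """Normalise, dedupe by fingerprint, sort by priority (highest first)."""
    merged: dict[str, Finding] = {}
    for f in map(normalize, raw_findings):
        seen = merged.get(f.fingerprint)
        if seen is None:
            merged[f.fingerprint] = f
            continue
        # Keep the worst severity any tool reported, remember every tool that agrees.
        worst = max(seen, f, key=lambda x: SEVERITY_BASE[x.severity])
        merged[f.fingerprint] = replace(worst, tools=tuple(dict.fromkeys(seen.tools + f.tools)))
    return sorted(merged.values(), key=lambda x: x.priority, reverse=True)


def risk_profile(findings: list[Finding]) -> dict[str, dict[str, float]]:
    """Per-service roll-up: number of open findings and the worst one."""
    profile: dict[str, dict[str, float]] = {}
    for f in findings:
        entry = profile.setdefault(f.service, {"count": 0, "max_priority": 0.0})
        entry["count"] += 1
        entry["max_priority"] = max(entry["max_priority"], f.priority)
    return profile


class TicketQueue:
    """Stand-in for a tracker client: at most one ticket per fingerprint, ever."""

    def __init__(self) -> None:
        self.tickets: dict[str, str] = {}  # fingerprint -> ticket title

    def open(self, f: Finding) -> bool:
        """Create a ticket and return True, or return False if one already exists."""
        if f.fingerprint in self.tickets:
            return False
        self.tickets[f.fingerprint] = (
            f"[{f.priority:.0f}/10] {f.vuln_class} in {f.service} ({f.location}) "
            f"reported by {', '.join(f.tools)}")
        return True


# Constructed sample scanner output: one SAST bug seen in two runs, one DAST
# finding, the same dependency advisory from two SCA tools, one critical DAST hit.
RAW_FINDINGS: list[dict[str, Any]] = [
    {"source": "sast", "repo": "rides-api", "cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "High"},
    {"source": "sast", "repo": "rides-api", "cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "High"},
    {"source": "dast", "service": "rides-api", "cwe": "CWE-79", "path": "/search", "severity": "Medium"},
    {"source": "sca-a", "repo": "rides-api", "advisory": "EXAMPLE-ADV-001",
     "package": "example-lib@1.2.3", "severity": "Low", "fix_available": False},
    {"source": "sca-b", "repo": "rides-api", "advisory": "EXAMPLE-ADV-001",
     "package": "example-lib@1.2.3", "severity": "Medium", "fix_available": False},
    {"source": "dast", "service": "payments", "cwe": "CWE-287", "path": "/admin", "severity": "Critical"},
]


if __name__ == "__main__":
    findings = consolidate(RAW_FINDINGS)
    queue = TicketQueue()
    for f in findings:
        print(f"{f.priority:>4} {f.service:<10} {f.vuln_class:<16} new ticket: {queue.open(f)}")
    print(risk_profile(findings))
    print("tickets opened on re-run:", sum(queue.open(f) for f in findings))
```

Two design choices carry the weight here. The fingerprint excludes the scanner name, which is what lets the follow-up automation be idempotent; and priority is computed from normalised fields rather than from each tool's own severity label, which is what makes a SAST finding and a DAST finding comparable in one queue. In practice the exposure and fix-availability signals would come from asset inventory and advisory data rather than being hard-coded per source.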

4. Cross-Functional Collaboration: Breaking Down Silos

We've heard this before, and this won't be the last time it comes up: security fails when it operates in silos. AppSec is no exception. It does not work well in isolation; its success depends on close collaboration with engineering, DevOps, product, and even legal teams. This cross-functional approach ensures that security considerations are integrated into every aspect of software development and deployment.

Security is a team sport. At Lyft, we work closely with engineers to understand their challenges and align our goals with theirs. Over the years, we've nurtured a culture where engineers feel comfortable seeking help from the AppSec team. If engineers see us as blockers, we’ve failed. We enable this collaboration through initiatives like joint sprint planning, where AppSec team members sit in on engineering discussions to identify potential security implications early. This hands-on involvement helps us build trust and ensures that security is seen as an enabler rather than a blocker.

Together, these components—threat modeling, secure coding, vulnerability management, and collaboration—form the backbone of a proactive AppSec program. They shift the focus from reactive measures to strategic foresight, enabling organizations to anticipate risks, build secure systems, and respond effectively to emerging threats.

AppSec isn’t just about protecting what we've built; it’s about enabling innovation by building securely from the start. Our approach exemplifies how a thoughtful, comprehensive strategy can elevate AppSec from a defensive function to a competitive advantage. We embed security into the fabric of development, and that in turn not only safeguards our applications but also empowers the overall organization to move faster and more confidently.

The Future of AppSec: Balancing AI with Human-Centric Security

The growing importance of AppSec cannot be overstated. With organizations relying more heavily on interconnected systems, microservices, and cloud-based infrastructure, the attack surface has expanded dramatically. Much of AppSec's future turns on the integration of AI and automation, and the role they will play in addressing these challenges.

For instance, given the rapid pace of development, it will become increasingly difficult for traditional security teams to review every line of code or scrutinize every deployment. In this context, AI and automation are poised to be game-changers. However, he is also aware of how nascent this part of the industry still is.

Tools powered by generative AI could automate basic design reviews or assist in detecting misconfigurations that might otherwise go unnoticed, helping scale efforts by handling the tedious, repetitive aspects of security. But, the AI we have today lacks context. It can identify patterns, but it doesn’t understand the nuances of a specific organization’s environment. That’s where human expertise comes in. The focus must be on using AI to augment, rather than replace, human capabilities. By automating low-value tasks, the team can redirect its energy toward high-impact activities like threat modeling, secure architecture design, and cultivating relationships with engineering teams. The goal isn’t to remove humans from the equation but to enable them to focus on what truly matters.

Looking ahead, the future of AppSec lies in balance and adaptability. As cyber threats evolve, so too must AppSec practices. The rise of AI-driven attacks, supply chain vulnerabilities, and sophisticated zero-day exploits presents new challenges for security teams. When done right, AppSec can be more than just a defensive measure; it can become a strategic advantage.

We'd like to thank Anshuman for his insights and participation in this series. You can connect with him on LinkedIn.