In today’s security landscape, a key challenge is the distinction between application security and software supply chain security, often overlooked but crucial to addressing different attack vectors. Idan Plotnik, Co-Founder and CEO of Apiiro, explains how this oversight weakens organizational defenses and highlights the need for distinct approaches. In this interview, he discusses common CISO mistakes, the impact of GenAI on risk management, and best practices for seamlessly integrating security into DevOps workflows.
What do you consider to be the most overlooked challenge or opportunity for security professionals today?
One challenge in the security industry today is the critical distinction between application security and software supply chain security that is often overlooked. These are two separate attack vectors that pose distinct threats to organizations. Misinterpreting them as a single issue creates challenges in organizational protection and in determining who is responsible for managing security.
Application security focuses on risks within the custom code developed by an organization, and if there's a flaw in this code, it directly impacts the application. On the other hand, software supply chain security involves the open-source components integrated into the application. A vulnerability in these components can also compromise the entire application.
Understanding these nuances is crucial because each represents a different attack surface, and treating them as interconnected but distinct issues can significantly enhance an organization's security posture and risk management.
What are some of the biggest mistakes CISOs make when approaching application security?
One of the biggest risk management mistakes CISOs continue to make is relying on outdated manual processes for security reviews and remediation. These processes are no longer sufficient in today's AI-driven development environments. Manual methods, which involve labor-intensive tasks like code reviews, security testing, and vulnerability assessments, can’t keep up with the speed at which new code is generated, especially as AI-assisted coding has accelerated the creation of new software. A manual approach can cause detrimental delays and oversights, opening up new vulnerabilities for attackers to exploit.
To correct these mistakes, CISOs should shift toward automated, AI-driven security measures that integrate risk management early in the development lifecycle. Leveraging tools that provide a centralized view across both development and security operations allows risks to be mitigated proactively before they escalate. This approach enhances security and aligns risk reduction with development velocity.
How has GenAI complicated and impacted organizations’ ability to prevent application risk throughout the software development lifecycle?
Your code and dev environments have always been complex (hundreds or thousands of devs, multiple languages, frameworks, open-source dependencies, etc. – and new code being committed and deployed every day).
But the rate of code change and complexity is exploding. Adoption of AI has introduced new GenAI frameworks into the codebase. And the rise of AI coding assistants means that soon code could be semi-autonomously (or autonomously) developed, committed, and deployed by AI. All of this amounts to a world where the rate of code change skyrockets – and traditional AppSec approaches don’t scale.
Against this backdrop, businesses have been increasingly trying to adopt DevOps approaches like secure-by-design and “shift left” to balance the demands of security and developer velocity. But application security is one domain where these trends have not yet been able to drive meaningful change – because of the complexity of the codebase and application attack surface.
Businesses that want to release secure code faster need to understand their software architecture to actually embed secure-by-design throughout the SDLC.
What are the best practices for developing a comprehensive strategy that encompasses both application and software supply chain security?
The best practice for securing both application and software supply chain security is to adopt a unified risk management strategy. This involves using tools and processes that provide visibility into both custom and third-party code.
Automation plays a crucial role here, especially in the form of AI-driven risk detection at the earliest stages of the software development lifecycle. By identifying risks during the design phase, organizations can address vulnerabilities proactively before code is even written. Continuous monitoring and real-time threat detection also help ensure that security remains robust as software evolves.
Organizations should adopt comprehensive tools that offer visibility across both custom applications and third-party components. AI-driven tools are particularly useful, as they can detect risks early in the development lifecycle—before code is even written—and continuously monitor for vulnerabilities as the software evolves.
Automation is key in managing these risks efficiently. By leveraging tools that automatically assess and prioritize vulnerabilities, organizations can ensure that both application security and software supply chain security are addressed in tandem, reducing the likelihood of an attack.
How do you integrate security posture management into DevOps workflows to ensure security is addressed without slowing down the development process?
Integrating security posture management into DevOps, or adopting a DevSecOps approach, requires embedding security processes early in the development lifecycle. This “shift-left” strategy ensures that vulnerabilities are identified and addressed before they become costly problems in production without introducing bottlenecks.
Automation plays a critical role in achieving this balance. By incorporating automated security checks—such as Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Infrastructure as Code (IaC) scanning—directly into CI/CD pipelines, security is continuously monitored without slowing down development velocity. These tools scan for misconfigurations, vulnerabilities, and architecture drifts in real time, providing immediate feedback to developers so that they can address issues on the fly.
Another essential component is ensuring strong collaboration between development, security, and operations teams. By fostering communication and using tools that offer a unified view of both code quality and security risks, teams can address potential issues collaboratively, speeding up the remediation process while keeping security intact.
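As an added illustration (not code from the interview, from Apiiro, or from any named product), the following Python script sketches the kind of CI/CD gate this answer describes: it normalises findings from SAST, SCA and IaC scanners, tags each one with the attack surface it belongs to (custom application code, software supply chain, infrastructure; the distinction drawn in the first answer), and fails the build when a finding meets a per-surface severity threshold. The report JSON shape, tool names, file paths, package names, advisory identifiers and policy thresholds are all constructed for the example; real scanners emit SARIF or their own formats, so an adapter step would sit in front of `normalise`.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Constructed scanner output in a simplified, hypothetical JSON shape.
# Real tools emit SARIF or proprietary formats; normalising them is an adapter's job.
SAST_REPORT = json.dumps({"tool": "sast", "results": [
    {"severity": "high", "file": "src/auth/login.py", "line": 42, "rule": "hardcoded-credential"},
    {"severity": "low", "file": "src/util/log.py", "line": 7, "rule": "verbose-logging"}]})
SCA_REPORT = json.dumps({"tool": "sca", "results": [
    {"severity": "critical", "package": "example-parser", "version": "1.2.3",
     "advisory": "PLACEHOLDER-ADVISORY-1"},
    {"severity": "medium", "package": "example-http", "version": "0.9.0",
     "advisory": "PLACEHOLDER-ADVISORY-2"}]})
IAC_REPORT = json.dumps({"tool": "iac", "results": [
    {"severity": "high", "file": "infra/bucket.tf", "line": 12, "rule": "public-read-acl"}]})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Each scanner covers one attack surface: SAST looks at first-party code (application
# security), SCA at third-party components (supply chain), IaC at deployment config.
SURFACE_BY_TOOL = {"sast": "application", "sca": "supply-chain", "iac": "infrastructure"}

# Hypothetical policy: the minimum severity that blocks a merge, per attack surface.
POLICY = {"application": "high", "supply-chain": "high", "infrastructure": "high"}


@dataclass(frozen=True)
class Finding:
    surface: str
    severity: str
    location: str
    rule: str


def normalise(report_json: str) -> list[Finding]:
    """Convert one scanner report into Finding records tagged with their attack surface."""
    report = json.loads(report_json)
    surface = SURFACE_BY_TOOL[report["tool"]]
    findings = []
    for r in report["results"]:
        if r["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {r['severity']!r} from {report['tool']}")
        if "package" in r:  # SCA finding: identified by dependency and advisory
            location, rule = f"{r['package']}@{r['version']}", r["advisory"]
        else:               # SAST / IaC finding: identified by file, line and rule
            location, rule = f"{r['file']}:{r['line']}", r["rule"]
        findings.append(Finding(surface, r["severity"], location, rule))
    return findings


def blocking_findings(findings: list[Finding], policy: dict = POLICY) -> list[Finding]:
    """Return the findings whose severity meets or exceeds the threshold for their surface."""
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy[f.surface]]]


def summarise(findings: list[Finding]) -> dict:
    """Count findings per attack surface, so reviewers see both domains side by side."""
    return dict(Counter(f.surface for f in findings))


def gate(reports: list[str], policy: dict = POLICY) -> int:
    """Merge all reports, print feedback for developers, and return a CI exit code."""
    findings = [f for r in reports for f in normalise(r)]
    blocking = blocking_findings(findings, policy)
    for f in blocking:
        print(f"BLOCK [{f.surface}] {f.severity}: {f.rule} at {f.location}")
    print("findings per attack surface:", summarise(findings))
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate([SAST_REPORT, SCA_REPORT, IAC_REPORT]))
```

Keeping the policy per attack surface is the point of the design: the thresholds for first-party code and for third-party dependencies can be tuned independently and owned by different teams, while the pipeline still produces a single pass/fail result and one summary that shows both surfaces together.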