
Tuesday Feb 25, 2025
NerdWallet's DK Koran on Building Proactive Security Through Red Teams
From testing critical infrastructure and IoT devices to leading application security at NerdWallet, DK Koran, BISO, draws from his experience finding vulnerabilities in police cruisers and SCADA systems to discuss his transition to building and managing proactive security teams. On this episode of Ahead of the Breach, he and Casey explore the challenges of implementing security guardrails, running an internal red team, and testing AI systems for prompt injection vulnerabilities.
Through candid insights about his evolution from individual contributor to security leader, DK emphasizes the importance of understanding the 'why' behind security requirements and building strong relationships with development teams.
Topics discussed:
- Exploring vulnerabilities in automotive systems and IoT devices, including experiences testing police cruisers and critical infrastructure for security weaknesses.
- Transitioning from offensive security testing to application security leadership, focusing on preventing recurring vulnerabilities through proactive measures.
- Implementing automated security guardrails and requirements across infrastructure and applications to prevent security issues before production deployment.
- Managing the evolution from individual contributor to security leader while maintaining technical relevance and fostering team growth.
- Building and scaling an internal red team program, including strategies for target selection and maintaining continuous value delivery.
- Testing AI systems and chatbots for prompt injection vulnerabilities, highlighting the resurgence of classic security issues in new technologies.
- Developing effective relationships with development teams by focusing on the 'why' behind security requirements and showing empathy for business needs.
- Creating automated enforcement mechanisms through pre-commit hooks and pipeline controls to ensure security requirement compliance.
- Balancing team autonomy with security controls in a single-threaded team model while managing infrastructure security at scale.
- Supporting professional growth and certification pursuits while transitioning from technical roles to security leadership positions.
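As an added illustration of the pre-commit and pipeline guardrails mentioned in the topics above, here is a small hook that refuses a commit when the staged content contains something that should never reach the repository. This is example code written for this page, not tooling from NerdWallet or from the episode; the rule patterns, the `guardrail:allow` opt-out marker and the file names in the comments are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Illustrative pre-commit guardrail (added example, not NerdWallet's tooling).

Blocks a commit when a staged file contains a long-lived cloud credential,
a private key block, or a security-group rule open to the whole internet.
The rule list is an assumption for illustration; a real program tunes it to
its own requirements and runs the same checks again in CI, because a local
hook can always be skipped with `git commit --no-verify`.
"""
import re
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


# (rule name, compiled pattern).  Assumed patterns for illustration only.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("open-ingress-cidr", re.compile(r'cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0/0"\s*\]')),
]

# Inline opt-out so a team can keep a deliberate exception (e.g. a public
# load balancer) without disabling the hook; the marker shows up in review.
ALLOW_MARKER = "guardrail:allow"


def scan_text(path, text):
    """Return a Finding for every line of `text` that matches a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, name))
    return findings


def staged_files():
    """Paths added, copied or modified in the index."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """Read the staged blob, not the working tree, so an unstaged edit
    cannot hide what is actually about to be committed."""
    return subprocess.run(
        ["git", "show", f":{path}"], capture_output=True, text=True, check=True
    ).stdout


def main():
    findings = []
    for path in staged_files():
        try:
            findings.extend(scan_text(path, staged_content(path)))
        except (subprocess.CalledProcessError, UnicodeDecodeError):
            continue  # binary or unreadable blob; out of scope for this hook
    for f in findings:
        print(f"{f.path}:{f.line_no}: blocked by rule {f.rule}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit` (or wired in through a hook manager), a non-zero exit from `main()` aborts the commit with the offending file and line printed. The same `scan_text` function can be run over the full diff in the pipeline so the control holds even for contributors who bypass local hooks.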