
Tuesday May 06, 2025
Sentry’s Cody Florek on AppSec Programs That Create Partnerships Not Problems
How do you effectively measure security operations in a world where vulnerabilities never stop coming? Cody Florek, Director of Information Security Operations at Sentry, brings a refreshing approach that combines agile methodology with practical security execution. In this episode of Ahead of the Breach, he tells Casey how his journey from computer repair technician to security leader shaped his perspective on measuring capacity, building AppSec programs that don't antagonize developers, and communicating security risk effectively to leadership.
Cody explains why many AppSec programs fail by overwhelming development teams with vulnerability findings without context, and offers a better approach using DREAD modeling to prioritize what truly matters. He also reveals his strategies for conducting effective tabletop exercises that uncover critical security blind spots most organizations miss. Whether you're running security operations or building an application security program, Cody's practical insights on balancing project work with operational demands will transform how you measure security effectiveness.
Topics discussed:
- Measuring security operations capacity with agile methodology, using story points to quantify both project work and operational demands, with each day representing two points to realistically plan team bandwidth.
- The evolution of application security implementation from vulnerability scanning to strategic DREAD modeling that helps prioritize findings based on context, exploitability, and real-world impact rather than overwhelming developers.
- Strategic approaches to communicating security risk to leadership by translating technical issues into business impact, while drawing on a technical background to accurately assess the context of each vulnerability.
- Implementing structured vulnerability prioritization frameworks that combine CVSS scores with business context, exploitability analysis, and threat intelligence to focus remediation on what truly matters.
- Building effective partnerships with development teams by avoiding the "throw it over the fence" mentality and instead providing context-driven vulnerability assessments with prioritized remediation plans.
- Practical shift-left security implementation strategies that recognize organizational maturity levels and gradually empower developers after cleaning up existing vulnerabilities.
- Designing and conducting effective tabletop exercises that uncover critical security blind spots, including encouraging reluctant participants to actively engage in scenario planning.
- Holistic security metrics frameworks that balance operational effectiveness, program impact measurement, and threat intelligence to provide comprehensive security oversight.
- Creating comprehensive security coverage using a "Plinko game" metaphor to ensure multiple defensive layers prevent attacks from finding direct paths through defenses.
- The importance of curiosity-driven incident analysis that goes beyond immediate fixes to understand root causes and systemic improvements needed for long-term security posture enhancement.
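The DREAD-based prioritization and the "CVSS plus business context" approach from the list above, as an added worked example. This is illustrative code written for this page, not Sentry's tooling or anything Cody describes in detail; the 1-10 DREAD rubric is the standard one, but the equal blend of DREAD and context-adjusted CVSS, the exposure discount, the exploited-in-the-wild boost, the SLA buckets and the sample findings are all assumptions made here.

```python
"""DREAD-style prioritization of vulnerability findings.

Added illustration (not Sentry's tooling): each finding gets a DREAD score
(Damage, Reproducibility, Exploitability, Affected users, Discoverability,
each rated 1-10), and the scanner's CVSS base score is adjusted by business
context (internet exposure, known exploitation) before the two are blended
into a single priority used to build a remediation plan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    cvss: float               # CVSS base score 0.0-10.0 as reported by the scanner
    damage: int               # D: how bad is a successful exploit (1-10)
    reproducibility: int      # R: how reliably can it be triggered (1-10)
    exploitability: int       # E: effort/skill needed (10 = trivial)
    affected_users: int       # A: share of users/systems impacted (1-10)
    discoverability: int      # D: how easy is it to find (1-10)
    internet_facing: bool     # business context: reachable from outside?
    actively_exploited: bool  # threat intel: exploitation seen in the wild?


def dread_score(f: Finding) -> float:
    """Average of the five DREAD ratings, on a 1-10 scale."""
    parts = (f.damage, f.reproducibility, f.exploitability,
             f.affected_users, f.discoverability)
    for p in parts:
        if not 1 <= p <= 10:
            raise ValueError(f"{f.id}: DREAD ratings must be 1-10, got {p}")
    return sum(parts) / len(parts)


def context_adjusted_cvss(f: Finding) -> float:
    """CVSS adjusted by environment (assumed weights): internal-only systems
    are discounted by 2, actively exploited bugs gain 1.5; result clamped to 0-10."""
    score = f.cvss
    if not f.internet_facing:
        score -= 2.0
    if f.actively_exploited:
        score += 1.5
    return max(0.0, min(10.0, score))


def priority(f: Finding, dread_weight: float = 0.5) -> float:
    """Blend DREAD and context-adjusted CVSS into one 0-10 priority (equal weight by default)."""
    blended = dread_weight * dread_score(f) + (1 - dread_weight) * context_adjusted_cvss(f)
    return round(blended, 2)


def remediation_plan(findings):
    """Sort findings highest priority first and assign an SLA bucket (assumed thresholds)."""
    ranked = sorted(findings, key=priority, reverse=True)
    plan = []
    for f in ranked:
        p = priority(f)
        bucket = "this sprint" if p >= 7.0 else "next sprint" if p >= 4.0 else "backlog"
        plan.append((f.id, p, bucket))
    return plan


# Constructed sample findings for the demo; not real data from any organization.
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in public search endpoint", 9.8, 9, 9, 9, 8, 7, True, True),
    Finding("F-2", "Outdated TLS library on internal build box", 7.5, 6, 5, 4, 3, 4, False, False),
    Finding("F-3", "Verbose error page leaks stack traces", 5.3, 3, 10, 8, 5, 9, True, False),
]

if __name__ == "__main__":
    for fid, p, bucket in remediation_plan(SAMPLE_FINDINGS):
        print(f"{fid}: priority {p:.2f} -> {bucket}")
```

Note how the ranking differs from a pure CVSS sort: the internal-only TLS finding (CVSS 7.5) drops below the low-CVSS information leak that is trivially reproducible on an internet-facing page, which is the kind of context-driven ordering the episode argues for instead of handing developers a raw scanner export.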