EP 31 — Cloudflare’s Sri Pulla on Building Collaboration and Synergies for Better Product Security

In this episode of the Future of Application Security, Harshil speaks with Sri Pulla, Director, Application Security at Cloudflare, a company that wants to "build a better internet" through its cloud platform of network services. They discuss how Cloudflare protects its products, uses risk scoring for prioritization and decision making, and why the engineering team must answer a security questionnaire before each deployment. They also discuss how to better collaborate across teams — engineering, privacy, compliance, and legal — and how Cloudflare is moving to a centralized team model to better scale their security.

Topics discussed:

• The evolution of Sri's career, including her background as a software engineer, how she's been at "the right place at the right time" to help big companies rebuild apps after data breaches, and how she joined Cloudflare as the Director of Application Security.
• Why Cloudflare is moving from a decentralized model where security engineers were embedded in product teams to a centralized model so security can scale better.
• How AppSec fits into the SDLC, and how before each product is shipped, the review process includes a security questionnaire about the changes being deployed.
• How Cloudflare defines a product, how they use risk scores to determine which products to prioritize, and how they're integrating more data privacy.
• Why the future of AppSec will be found in collaboration, and how the security team and engineering team can support one another.
• How security teams need to be prepared for a future where the cloud is here to stay, and how to sustain a model where products are secure even after deployment.
• What skills Sri looks for when hiring, which includes some kind of programming or products background that can help build empathy with software engineers.