Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Nir Valtman, CEO & co-founder of Arnica, an ASPM platform with a pipelineless approach. Before founding Arnica, Nir led product and data security at Finastra, established security at Kabbage as CISO, and headed application security at NCR.
He’s also a well-known speaker at top security conferences, including Black Hat, Defcon, RSA, BSides, and OWASP.
In this episode, we unpack the reachability hype: why every vendor claiming "we do reachability!" means something slightly different, and what makes Pipelineless Reachability Analysis stand out.
We’ll also discuss why reachability is critical for vulnerability prioritization, plus some eye-opening stats, like why developers prefer scan results in under 30 seconds and how 9% of detected vulnerabilities still make it into production, even after developers are notified on push.
Dive right in!
Connect with Nir: https://www.linkedin.com/in/valtmanir/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by Escape: https://escape.tech — API Security & DAST Platform
Mentioned in the video:
https://www.arnica.io/ - ASPM with pipelineless, developer-native approach
Nir’s LinkedIn post on reachability: https://www.linkedin.com/posts/valtmanir_reachability-appsec-security-activity-7249039515888046080-Irvv
Hype Cycle for Application Security, 2024: https://www.gartner.com/en/documents/5622191
Defining Reachability - is it just hype? https://pulse.latio.tech/p/reachability-matters-13
Does Reachability Matter? by James Berthoty: https://pulse.latio.tech/p/does-reachability-matter
Book: Freakonomics by Steven Levitt & Stephen Dubner: https://www.amazon.com/gp/product/0063032376/ref=as_li_qf_asin_il_tl?ie=UTF8&tag=freakonomic08-20&creative=9325&linkCode=as2&creativeASIN=0063032376&linkId=f70dd7af6a315da4e8d04e7001c8e1d6
Podcast recommendation: Acquired (playbooks that built the world’s greatest companies - and how you can apply them as a founder, operator, or investor) - https://www.acquired.fm/