Developing the Skills Needed for Modern Software Development - Keith Hoodlet, Shashwat Sehgal, Ron Rasin - ASW #376

In this episode of Application Security Weekly, host Mike Shima and guests Keith Hoodlett, Shashwat Sehgal, and Ron Rasin explore the evolving landscape of modern software development and application security in the age of AI and agentic systems. Keith Hoodlett, Director of Security Research at 1Password, shares insights from his B-Sides presentation on growing elite security research teams, emphasizing that even in an AI-driven world, human expertise remains critical. He highlights the importance of foundational skills—such as understanding programming fundamentals, memory management, and system-level concepts—while also advocating for the strategic use of large language models (LLMs) as tools to accelerate learning and research. The conversation shifts to the changing role of AppSec professionals, from bug hunters to architects of security guardrails, with a strong emphasis on threat modeling, secure design, and runtime access control. Shashwat Sehgal of PZero Security discusses the challenges of managing identity in agentic systems, stressing that while connectivity and authentication are increasingly commoditized, authorization remains the most pressing security challenge. Ron Rasin from Silverfort elaborates on the need for real-time, context-aware access control for both human and non-human identities, including AI agents, advocating for a unified identity security layer that enforces least privilege at runtime. The episode concludes with a call to action: security must evolve beyond reactive patching to become embedded in the development lifecycle through proactive, human-in-the-loop design and governance. Key takeaways include: (1) Foundational programming knowledge—especially in Python, Rust, and system-level concepts—remains essential even in an AI-augmented world; (2) Security professionals must shift from reactive bug hunting to proactive threat modeling and secure-by-design principles; (3) LLMs are powerful accelerators but should not replace critical thinking or deep technical understanding; (4) Identity security must evolve to handle agentic systems with runtime enforcement, context-aware policies, and least-privilege access; (5) The future of AppSec lies in integrating security into the development workflow through tools like skills.md files, policy-as-code, and automated guardrails; (6) Human judgment and accountability remain irreplaceable, especially in high-stakes scenarios; (7) Organizations must balance innovation speed with security governance through just-in-time access and continuous monitoring; and (8) The most effective security teams are T-shaped (broad exposure, deep expertise) and evolve into E-shaped (multiple deep areas) over time.