Every week, host Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

We recently spoke with Tim Silverline, Vice President of Security at Rocket Lawyer. Here are the top takeaways from the interview.

#1: Use Runtime Analysis to Cut Through Vulnerability Noise

“The NextJS was actually really interesting because that was one that was only vulnerable for specific types of middleware. And so one of the ways that we get better visibility into that stuff is leveraging runtime solutions that are able to plug in with eBPF sensors into our environment and actually see what's running and how it's running. Because you have a lot of these static analysis scanners that'll say, “Okay, you have this package, but it might not be getting loaded into memory, we may not know how it's being used.” And so it's much harder to take some of those static analyses. And it's just a lot more noise. The amount of noise we get from some of that is really hard to sift through and identify. This is the particular one that we need to go and patch because it's being used in a way where it is exploitable, and it's exposed to the internet or something like that. So we've definitely been leaning more towards the runtime capabilities from the various different security solutions to make sure that we're helping to prioritize and really go in triage where we need to.”

Actionable Takeaway: Static scanners flag every package whether it's loaded or not, creating massive noise. Runtime solutions with eBPF sensors show what's actually executing in memory, letting you focus on vulnerabilities that are genuinely exploitable and internet-exposed rather than theoretical risks.
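The triage logic this takeaway describes, as an added example that is not from the interview or from any product mentioned in it: a static scanner produces a list of package findings, a runtime sensor reports which packages each service actually loads and whether the service is internet-facing, and the two are joined so that only loaded, exposed packages reach the top of the queue. All package names, versions, advisory identifiers and service names below are constructed placeholders, and the runtime observations stand in for whatever an eBPF-based sensor would export.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticFinding:
    """One row from a static SCA / dependency scan (constructed data)."""
    package: str
    version: str
    advisory: str   # placeholder advisory id, not a real CVE
    severity: str   # critical / high / medium / low

@dataclass(frozen=True)
class RuntimeObservation:
    """What a runtime sensor reports for one service (constructed data)."""
    service: str
    loaded_packages: frozenset   # packages actually loaded into the process
    internet_exposed: bool       # service reachable from the internet

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TIER_RANK = {"P1": 0, "P2": 1, "P3": 2}

def triage(findings, observations):
    """Join static findings with runtime evidence and rank them.

    P1: package is loaded by an internet-exposed service (patch now)
    P2: package is loaded, but only by internal services
    P3: package is installed but was never observed loaded (backlog)
    """
    rows = []
    for f in findings:
        hits = [o for o in observations if f.package in o.loaded_packages]
        if hits and any(o.internet_exposed for o in hits):
            tier, reason = "P1", "loaded in an internet-exposed service"
        elif hits:
            tier, reason = "P2", "loaded, internal-only service"
        else:
            tier, reason = "P3", "installed but never observed loaded"
        rows.append({
            "package": f.package,
            "version": f.version,
            "advisory": f.advisory,
            "severity": f.severity,
            "tier": tier,
            "services": sorted(o.service for o in hits),
            "reason": reason,
        })
    # Runtime exposure decides the tier; scanner severity only orders within a tier.
    rows.sort(key=lambda r: (TIER_RANK[r["tier"]],
                             SEVERITY_RANK[r["severity"]],
                             r["package"]))
    return rows

# Constructed sample input: three static findings, two runtime observations.
FINDINGS = [
    StaticFinding("next", "0.0.0-constructed", "ADVISORY-PLACEHOLDER-1", "high"),
    StaticFinding("lodash", "0.0.0-constructed", "ADVISORY-PLACEHOLDER-2", "critical"),
    StaticFinding("left-pad", "0.0.0-constructed", "ADVISORY-PLACEHOLDER-3", "critical"),
]
OBSERVATIONS = [
    RuntimeObservation("web-frontend", frozenset({"next", "react"}), True),
    RuntimeObservation("batch-worker", frozenset({"lodash"}), False),
]

def example_triage():
    """Run the triage over the constructed sample and return the ranked rows."""
    return triage(FINDINGS, OBSERVATIONS)

if __name__ == "__main__":
    for row in example_triage():
        print(f'{row["tier"]} {row["package"]:<10} {row["severity"]:<8} '
              f'{row["advisory"]}  {row["reason"]}  services={row["services"]}')
```

Note that the scanner's own severity is deliberately demoted to a tie-breaker: the "critical" finding in a package that nothing ever loads lands in the backlog, while the "high" finding in the exposed frontend goes first. Whether a package is genuinely loaded is only as good as the sensor's coverage, so a service with no runtime observation at all should be treated as unknown rather than as P3.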

#2: Integrate Security Findings Directly Into Development Sprints

“With Sprocket, I like the fact that you guys integrate directly with Jira and not only do you integrate with them, but it's a two-way communication. So when we get the findings, we evaluate them, make sure that we think they're legitimate and then we just open up the case. In Jira, we have three different engineering teams inside of Rocket Lawyer that my security team will meet with every other week. There's our product security engineering team, there's the cloud security engineering team, and then there's the data engineering team. So we meet with them every other week. And then if the findings are relevant for what Sprocket is finding or there are other different tools, then we'll go over those results, try to make sure that they understand what the security implications are, get them to buy in, and then we work to put that on their upcoming sprints to address them.”

Actionable Takeaway: Two-way Jira integration transforms security findings from ignored reports into actionable sprint items. Regular bi-weekly meetings with product, cloud, and data engineering teams ensure vulnerabilities get prioritized alongside feature development, creating accountability and momentum for remediation.

#3: Demand Penetration Testers Who Think Like Real Attackers

“The continuous aspect is something that's important to me again because we don't want to have that gap in coverage for the whole year you're waiting to have another penetration test, or six months, or whatever it may be. And then just really penetration caps testing. A lot of it comes down to the skill level of the engineers that are doing the work during our sales cycle. This is how you guys won the business was somebody had identified it wasn't actually a real vulnerability, but they identified that one of our QA people had posted something in Postman and actually it wasn't even a Rocket Lawyer employee, but it was one of our partners had posted an API key in Postman in a public collection, and it didn't actually lead to anything. It wasn't being used anymore. We did go and remove it just to make sure it was gone, but that was something where it was like it wasn't even looking at our website, it was just understanding the overall Rocket Lawyer attack surface and just the fact that we have collections out there that have our company tagged to it. That was something that was interesting to me, that I thought was a good find, but it just showed that the skill level of the engineer that was doing that evaluation was pretty good.”

Actionable Takeaway: Skilled pentesters look beyond your website to understand your complete attack surface. The best ones discover issues like third-party partners accidentally posting API keys in public Postman collections — creative reconnaissance that reveals risks traditional scans miss entirely.
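The partner-posted API key above is the kind of thing a pre-publish check on your own exported collections would have caught before a tester did. Below is an added example, not code from the interview or from Postman: it walks a Postman collection export (the v2.1 JSON layout, where headers, query parameters, variables and auth settings are all `key`/`value` objects) and reports literal secret-looking values that were not replaced by a `{{variable}}` reference. The embedded collection and every token in it are constructed and fake.

```python
import json
import re

# Constructed Postman v2.1 export with deliberately fake credentials.
SAMPLE_COLLECTION = json.loads(r'''
{
  "info": {"name": "example-partner-api",
           "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
  "variable": [
    {"key": "baseUrl", "value": "https://api.example.invalid"},
    {"key": "apiKey", "value": "{{vault:partner-api-key}}"}
  ],
  "item": [
    {"name": "List documents",
     "request": {
       "method": "GET",
       "header": [
         {"key": "Content-Type", "value": "application/json"},
         {"key": "Authorization", "value": "Bearer CONSTRUCTEDtoken0123456789abcdef"}
       ],
       "url": {"raw": "{{baseUrl}}/v1/documents?api_key=CONSTRUCTEDkey0123456789",
               "query": [{"key": "api_key", "value": "CONSTRUCTEDkey0123456789"}]}}},
    {"name": "Create document",
     "request": {
       "method": "POST",
       "auth": {"type": "apikey",
                "apikey": [{"key": "key", "value": "X-API-Key"},
                           {"key": "value", "value": "{{apiKey}}"}]},
       "header": [{"key": "Content-Type", "value": "application/json"}],
       "url": {"raw": "{{baseUrl}}/v1/documents"}}}
  ]
}
''')

# Key names that usually carry credentials, and the shape of a bare token.
SENSITIVE_KEY = re.compile(r"api[_-]?key|token|secret|password|authorization", re.I)
TOKEN_VALUE = re.compile(r"^(Bearer\s+)?[A-Za-z0-9_\-]{20,}$")
TEMPLATED = re.compile(r"\{\{[^}]+\}\}")   # {{variable}} references are fine

def looks_like_secret(key, value):
    """True when a key/value pair holds a literal credential rather than a reference."""
    if not isinstance(value, str) or not value or TEMPLATED.search(value):
        return False
    if TOKEN_VALUE.match(value):
        return True
    return bool(SENSITIVE_KEY.search(key)) and len(value) >= 8

def mask(value):
    """Keep a short prefix so a finding is recognisable without restating the secret."""
    return value[:4] + "*" * (len(value) - 4)

def find_secrets(node, path="root"):
    """Recursively scan a collection export; return findings with their JSON path."""
    findings = []
    if isinstance(node, dict):
        if isinstance(node.get("key"), str) and looks_like_secret(node["key"], node.get("value")):
            findings.append({"path": path, "key": node["key"], "value": mask(node["value"])})
        for k, v in node.items():
            findings.extend(find_secrets(v, f"{path}.{k}"))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            findings.extend(find_secrets(v, f"{path}[{i}]"))
    return findings

def scan_sample():
    """Scan the constructed collection and return the list of findings."""
    return find_secrets(SAMPLE_COLLECTION)

if __name__ == "__main__":
    hits = scan_sample()
    for h in hits:
        print(f'{h["path"]}: {h["key"]} = {h["value"]}')
    raise SystemExit(1 if hits else 0)   # non-zero exit blocks publishing in a CI step
```

On the sample this flags the literal `Authorization` header and the `api_key` query parameter, and stays quiet on the auth block that correctly points at `{{apiKey}}`. The check is a guard rail for collections you control; it does not replace rotating any key that has already been exposed, which is the right response regardless of whether the key is still in use.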
