Application Security for Transformational Product Companies

AppSec Is Growing Up. Are We?

Vulnerabilities aren’t going away. AI is changing the game. And security teams are stuck juggling legacy code, cloud sprawl, and compliance.

NopSec recently hosted a fireside chat with:

  • Henry Jiang, CISO at Ensora Health

  • Shawn Evans, Head of Security Research at NopSec

  • Moderated by Rob Johnson

What started as a panel quickly became a candid discussion about what’s working in AppSec—and what’s clearly not.

💥 Key Takeaways:

  • We’re still battling the same old flaws—like injection and misconfigurations.

  • Teams are overwhelmed, and priorities are often unclear.

  • Even with modern tooling, operational gaps are the real bottleneck.

“You’ve got tools that show you how to fix issues—and some even fix them for you.
But people aren’t using them. It’s not a tech issue anymore—it’s operational.” — Henry Jiang


🔓 Hidden Threats:

Shawn Evans highlighted a major blind spot:

“It’s rarely your app that gets breached.
It’s the outdated library, the untracked dependency, the forgotten system.”


🤖 The AI Factor

AI was front and center.
Henry shared how AI is helping teams analyze code, flag bugs, and even suggest fixes—but also warned that attackers are using the same tools.

“AI-generated phishing emails look shockingly real.
But it’s also caught bugs and generated perfect fixes in seconds.
It’s not magic—it’s just powerful.” — Henry Jiang


🏗️ Automation ≠ Governance

Rob Johnson reminded everyone that automation won’t fix broken fundamentals:

“You can’t automate your way out of a bad structure.
Know what data AI is touching.
Know who’s accountable. Otherwise, you're just scaling your blind spots.”


🌐 It’s All Connected

AppSec now touches everything:

  • Code

  • Cloud infrastructure

  • Identity & access

  • Third-party integrations

  • And yes—people.

“You can’t just secure the code anymore.
You’ve got to secure how it’s built, how it’s deployed, and who’s managing it.” — Shawn Evans


✅ Final Thought

The future of AppSec is proactive, automated, and holistic—but it still relies on doing the basics right.

📺 Watch the full conversation above to hear more insights (and a few war stories too).
