Five Questions with an OG, Chris Hertz: Application Security
08.06.2024
Chris Hertz
MissionOG is fortunate to be supported by a deep network of experienced operators and entrepreneurs. This entry is part of a blog series where we share perspectives from “OGs” – original innovators from specific market segments and/or business disciplines.
Chris Hertz is the co-founder and CEO of Heeler, where he is working to transform application security with unified code, runtime, and business context. He is obsessed with delivering amazing customer experiences. Chris has founded and grown multiple venture-backed start-ups with 3 successful exits. Previously, Chris was the Chief Revenue Officer of DivvyCloud (acquired by Rapid7), where he helped grow the company 10x in under four years. Prior to joining DivvyCloud, Chris was founder and CEO of New Signature. Under his leadership, New Signature (acquired by Cognizant) helped hundreds of companies adopt cloud computing, achieved 12 years of consecutive double-digit revenue growth, and won more than 120 awards, including being named twice as Microsoft’s United States Partner of the Year—in 2014 and 2015. Chris has helped lead and found multiple other technology startups, including HelloWallet (acquired by Morningstar) and AllHerb.com. Chris holds a Master of Business Administration from the MIT Sloan School of Management and a Bachelor of Science with a double major in Information Management and Technology and Anthropology from Syracuse University.
WHY DID YOU START HEELER?
In today’s rapidly evolving threat landscape, a massive gap exists in application security. This gap stems from the lack of a unified data layer that integrates code, runtime, and business context, making current security efforts labor-intensive and difficult to scale. Without this context, prioritizing security becomes impossible, and crucial activities like impact analysis, threat modeling, and developer guidance are only performed in an ad hoc manner. As a result, application security teams are overwhelmed, struggling to keep up with engineering demands while maintaining customer trust. This challenge will only grow until every company hits a tipping point where security debt becomes a significant obstacle. To overcome this, a paradigm shift is necessary. Companies must transform their culture, people, and processes to focus on security resilience. This means not only addressing critical issues but reducing security debt and limiting new risks to withstand present and future threats. We launched Heeler to bridge this context gap and drive the transformation needed in application security. Our mission is to amplify developers’ security impact tenfold without requiring additional time. By unifying application, runtime, and business context, seamlessly integrating into existing workflows, and automating high-friction, repetitive tasks between security and development teams, we make security a proactive part of the development process.
WHAT ARE COMPANIES GETTING RIGHT AND WRONG WITH APP SECURITY TODAY?
Companies are increasingly recognizing the importance of application security, investing in dedicated security teams, secure development practices, and compliance with industry standards. They are also leveraging threat intelligence and monitoring to stay ahead of emerging threats. However, many organizations still struggle with overloading developers with low-impact tasks, lacking real-time context and prioritization, and insufficiently integrating security into the development workflow. Additionally, companies often lack the ability to perform continuous threat modeling and impact analysis due to the absence of a unified model that provides critical insights. This gap leaves them unable to prioritize vulnerabilities effectively and provide actionable guidance to developers. To improve, companies must focus on integrating comprehensive, real-time security insights into workflows, enabling them to close these gaps and build secure applications.
HOW WILL “SHIFT LEFT” CONTINUE TO EVOLVE IN APP DEVELOPMENT?
As application development increasingly incorporates emerging technologies like AI, machine learning, and cloud-native architectures, “shift left” strategies will need to adapt to address the unique security challenges these technologies present. This adaptation will include specialized tools and methodologies for securing AI-driven components, cloud environments, and other advanced technologies. The “shift left” approach must evolve by leveraging comprehensive service architecture understanding, integrating code, runtime, and business context into a unified real-time framework. This evolution will drive more precise prioritization of security issues, allowing teams to focus on the most critical vulnerabilities based on their potential business impact and presence in the live environment. As part of this progression, impact analysis must become embedded into developer workflows, enabling developers to anticipate how changes could affect the security and operations of an application. Continuous threat modeling must also be adopted, providing an up-to-date understanding of potential threats as the application evolves. By aligning security insights with development practices, developers can proactively address security concerns throughout the SDLC, ensuring that software is built with resilience against both current and emerging threats. Automation will play a critical role in the continued evolution of “shift left.” Automating routine security tasks, such as architectural modeling, context gathering, impact analysis, and threat modeling, will reduce the manual workload on security teams and developers. This automation will not only improve efficiency but also ensure consistency in security practices across the organization.
HOW DO YOU FORESEE REMEDIATION STRATEGIES EVOLVING, PARTICULARLY WITH THE INCREASING INTEGRATION OF AUTOMATION AND AI?
The future of application security shouldn’t solely revolve around evolving remediation strategies; this narrow focus is part of the problem. Instead, the emphasis should shift towards building resilient software from the outset. With the increasing integration of automation and AI, the goal is to empower developers to proactively incorporate security measures into their workflows from day one. This means arming them with the necessary context to perform impact analysis, maintain dependency hygiene, and conduct threat modeling directly within their existing development environments.
To be effective, automation and ML/AI must have access to real-time, comprehensive data that includes code, runtime, business, and security contexts, as well as a thorough understanding of service architectures, dependencies, and the correlation between code changes and runtime environments. This rich data set enables ML/AI strategies to assist developers in understanding the security implications of their changes as they code. By providing this insight, we move beyond a reactive approach to a more holistic and proactive stance. This ensures that security is not an afterthought but an integral part of the software development lifecycle, helping to prevent vulnerabilities and fostering the creation of more secure and resilient applications.
This is why Heeler has approached application security as fundamentally a data science problem and developed our patent-pending ProductDNA technology. We have built a brand new data layer that closes this gap in application security. By adopting this proactive strategy, application security teams can significantly amplify the impact developers have on security—potentially increasing it tenfold. The focus shifts from merely responding to security issues after they occur to preventing them from arising in the first place. This integrated and forward-thinking approach is crucial for creating secure, resilient applications and represents the true evolution of security strategies in the age of automation and AI.
WHAT DEVELOPMENTS IN THE INDUSTRY ARE YOU MOST EXCITED ABOUT?
We’re incredibly excited because we have the opportunity to drive innovation in real-time security solutions and the integration of comprehensive context into application security. Our patent-pending ProductDNA technology is at the forefront of this innovation. ProductDNA offers a groundbreaking, real-time data model that bridges the gap between developers and security teams, providing unparalleled visibility and control throughout the software lifecycle. It allows developers and security teams, for the first time and in real time, to accurately map service architectures, understand dependencies, and correlate code changes with runtime environments. This transformative capability enables precise prioritization, continuous threat modeling, and real-time developer guidance. We’re enthusiastic about the potential of ProductDNA to reshape application security practices and enhance software resilience, making a significant impact on the industry.