Jahanzeb Farooq discusses his journey in cybersecurity and the challenges of building AppSec programs from scratch. Jahanzeb shares his experience working in various industries, including Siemens, Novo Nordisk, and Danske Bank, highlighting the importance of understanding developer needs and implementing the right tools. The conversation covers the complexities of cybersecurity in the pharmaceutical and financial sectors, shedding light on regulatory requirements and the role of software in critical industries. Learn about prioritizing security education, threat modeling, and navigating digital transformation.

Mentioned in this Episode:

The Power of Habit by Charles Duhigg

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

David Quisenberry shares about his journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making. The conversation delves into the value of mentoring and why it's important to build real relationships with the people you work with, the vital role of trust with engineering teams, and the significance of mental health and community in the industry. 

Books Shared in the Episode:

SRE Engineering by Betsy Beyer, Chris Jones, Jennifer Petoff and Niall Richard Murphy 
The Phoenix Project by Gene Kim, Kevin Behr and George Spafford 
Security Chaos Engineering by Aaron Rinehart and Kelly Shortridge
CISO Desk Reference Guide by Bill Bonney, Gary Hayslip, Matt Stamper
Wiring the Winning Organization by Gene Kim and Dr. Steven J. Spear
The Body Keeps the Score by Bessel van der Kolk, M.D.
Intelligence Driven Incident Response by Rebekah Brown and Scott J. Roberts
Never Eat Alone by Keith Ferrazzi 
Thinking Fast and Slow by Daniel Kahneman
Do Hard Things by Steve Magness
How Leaders Create and Use Networks, Whitepaper by Herminia Ibarra and Mark Lee Hunter

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Matt Rose, an experienced technical AppSec testing leader discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security and exploring how different perceptions affect its understanding. Matt provides insights into the XZ compromise, critiques the buzzword 'shift left,' and discusses the role of digital twins and AI in enhancing the supply chain security. He emphasizes the need for a comprehensive approach beyond SCA, the relevance of threat modeling, and the potential risks and benefits of AI in security.

Mentioned in the episode:

The Application Security Program Handbook by Derek Fisher
https://www.manning.com/books/application-security-program-handbook

Podcast Episode: Derek Fisher – The Application Security Program Handbook
https://youtu.be/DgmlHgNT-UM

Authors mentioned:
Steven E. Ambrose  https://www.simonandschuster.com/authors/Stephen-E-Ambrose/1063454
Mark Frost  https://en.wikipedia.org/wiki/Mark_Frost

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

James Berthoty, a cloud security engineer with a diverse IT background, discusses his journey into application and product security. James highlights his career trajectory from IT operations to cloud security, his experiences with security tools like Snyk and StackHawk, and the evolving landscape of Dynamic Application Security Testing (DAST) and API security. They delve into the practical challenges of CVEs, reachability analysis, and the complexities of patching in mid-sized companies. James shares his views on the often misunderstood role of WAF and the importance of fixing issues over merely identifying them. 

James Berthoty’s LinkedIn post: AppSec Kool-Aid Statements I Disagree With

What is Art by Leo Tolstoy

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mark Curphey and Simon Bennetts, join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP. 

Curphey shares about going fully independent and building a non-profit sustainable model for ZAP. The key is getting companies in the industry, especially companies commercializing ZAP, to properly fund its ongoing development and maintenance.

Bennetts, who has led ZAP for over 15 years, shares the harsh reality that while ZAP is likely the world's most popular web scanner with millions of active users per month, very few companies contribute back financially despite making millions by building products and services on top of ZAP. 

Curphey and Bennetts are asking those in the industry to step up and properly fund open source projects like ZAP that are critical infrastructure, rather than freeloading off the hard work of a few individuals. Curphey's company is investing substantial funds in a "responsible marketing" model to sustain ZAP as a non-profit, with hopes others will follow this ethical example to prevent open source security going down a dangerous path.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Devon Rudnicki, the Chief Information Security Officer at Fitch Group, shares her journey of developing an application security program from scratch and advancing to the CISO role. She emphasizes the importance of collaboration, understanding the organization's business, and using metrics to drive positive change in the security program.

Elon Musk - Walter Isaacson
Steve Jobs - Walter Isaacson
The Code Breaker: Jennifer Doudna, Gene Editing, and the Future of the Human Race - Walter Isaacson
https://www.simonandschuster.com/authors/Walter-Isaacson/697650

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocates. He emphasizes the importance of fostering a security culture and leveraging gamification to engage developers effectively. They also cover the challenges of implementing security practices within the development process and how to justify the need for a champion program to engineering leadership. Dustin shares insights from his career transition from a developer to a cybersecurity professional, and he provides practical advice for organizations looking to enhance their security posture through community and culture-focused approaches.

Links:
"Maker's Schedule, Manager's Schedule" article by Paul Graham — https://www.paulgraham.com/makersschedule.html

Never Split the Difference by Chris Voss & Tahl Raz —
https://www.harpercollins.com/products/never-split-the-difference-chris-vosstahl-raz?variant=32117745385506

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Francesco Cipollone, CEO of Phoenix Security, joins Chris and Robert to discuss security and explain Application Security Posture Management (ASPM). Francesco shares his journey from developer to cybersecurity leader, revealing the origins and importance of ASPM. The discussion covers the distinction between application security and product security, the evolution of ASPM from SIEM solutions, and ASPM's role in managing asset vulnerabilities and software security holistically. Francesco emphasizes the necessity of involving the business side in security decisions and explains how ASPM enables actionable, risk-based decision-making. The episode also touches on the impact of AI on ASPM. It concludes with Francesco advocating for a stronger integration between security, development, and business teams to effectively manage software security risks.

Recommended Reading:
Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup by Ross Haleliuk — https://ventureinsecurity.net/p/cyber-for-builders

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mukund Sarma, the Senior Director for Product Security at Chime, talks with Chris about his career path from being a software engineer to becoming a leader in application security. He explains how he focuses on building security tools that are easy for developers to use and stresses the importance of looking at application security as a part of the broader category of product security. Mukund highlights the role of collaboration over security mandates and the introduction of security scorecards for proactive risk management. He and Chris also discuss the strategic implementation of embedded security functions within development teams. Discover the potential of treating security as an enabling function for developers, fostering a culture of shared responsibility, and the innovative approaches Chime employs to secure its services with minimal friction for developers.

Links
Chime's Monocle
-- https://medium.com/life-at-chime/monocle-how-chime-creates-a-proactive-security-engineering-culture-part-1-dedd3846127f
-- https://medium.com/life-at-chime/mitigating-risky-pull-requests-with-monocle-risk-advisor-part-2-7013e1485bf2

Introduction to Overwatch
-- https://www.youtube.com/watch?v=QtZKBtw8VO4

Recommended Reading
Building Secure and Reliable Systems by Adkins, Beyer, Blankinship, Lewandowski, Oprea, Stubblefield -- https://www.oreilly.com/library/view/building-secure-and/9781492083115/
Drive by Daniel Pink -- https://www.danpink.com/books/drive/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AppSec specialist Megan Jacquot joins Chris and Robert for a compelling conversation about community, career paths, and productive red team exercises. Megan shares her unique cybersecurity origin story, tracing her interest in the field from childhood influences through her tenure as an educator and her formal return to academia to pivot into a tech-focused career. She delves into her roles in threat intelligence and application security, emphasizing her passion for technical work, penetration testing, and bug bounty programs. Additionally, Megan highlights the importance of mentorship, her involvement with the Women in Cybersecurity (WeCyS) community, and her dedication to fostering the next generation of cybersecurity professionals.

The discussion covers assumed breach and red team engagements in cybersecurity, the significance of empathy in bug bounty interactions, tips for Call for Papers (CFP) submissions, and the value of community engagement within organizations like OWASP and DEF CON. Megan concludes with insights on the importance of difficult conversations and giving back to the cybersecurity community.

Links

Difficult Conversations (How to Discuss What Matters Most) by Douglas Stone, Bruce Patton, Sheila Heen -- https://www.stoneandheen.com/difficult-conversations

Being Henry: The Fonz...and Beyond by Henry Winkler -- https://celadonbooks.com/book/being-henry-fonz-and-beyond-henry-winkler/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, leading to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's presentation on the Veilid application framework, designed for privacy-driven mobile applications. Bill also explores his efforts in educating children about technology and programming, drawing on his experiences with Kidsmash and other initiatives. Additionally, they delve into the challenges of application security, particularly modern software development practices and the utility of languages like Rust for creating secure applications. Bill concludes with intriguing thoughts on application security trends and the importance of a diverse skill set for both developers and security professionals.

Helpful Links:

Bill's homepage - https://www.sempf.net/
CodeMash conference - https://codemash.org
Veilid Application Framework - https://veilid.com/

Math Without Numbers - https://www.amazon.com/Math-Without-Numbers-Milo-Beckman/dp/1524745545

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words, "tame the threats to the threat modeling process."

They explore the role of threat modeling in software development, emphasizing the dire consequences of overlooking this crucial process.
They discuss why threat modeling serves as a cornerstone for security, and why Hendrik stresses the importance of adopting a process that is effective, efficient, and satisfying. If you care about secure software, you will want to listen in as Hendrik emphasizes why the approach to threat modeling, as well as the process itself, is so critical to success in security.

Links:
=> Hendrik Ewerlin: https://hendrik.ewerlin.com/security/
=> Threat Modeling of Threat Modeling: https://threat-modeling.net/threat-modeling-of-threat-modeling/

Recommended Reading:
=> Steal Like An Artist and other books by Austin Kleon https://austinkleon.com/books/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. The discussion also provides a series of fascinating insights into security practices, regulatory environments, and the value of a threat modeling champion. As a threat modeling practitioner, Jason provides an essential perspective to anyone serious about application security.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cybersecurity and his experience consulting about hacking for TV shows and movies. The conversation doesn't end before they peek into threat modeling, software engineering architecture, and the nuances of running security programs.

Helpful Links:
Security Engineering by Ross Anderson - https://www.wiley.com/en-us/Security+Engineering%3A+A+Guide+to+Building+Dependable+Distributed+Systems%2C+3rd+Edition-p-9781119642817

New School of Information Security by Adam Shostack and Andrew Stewart - https://www.informit.com/store/new-school-of-information-security-9780132800280

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Justin Collins of Gusto joins Robert and Chris for a practical conversation about running security teams in an engineering-minded organization. Justin shares his experience leading product security teams, the importance of aligning security with business goals, and the challenges arising from the intersection of product security and emerging technologies like GenAI.

They also discuss the concept of security partners and the future of AI applications in the field of cybersecurity. And he doesn’t finish before sharing insights into the role of GRC and privacy in the current security landscape. Find out why Justin believes that above all, security should align with the goals of a business, tailored to the business itself, its situation, and its resources.

Book Recommendation:
The DevOps Handbook by Gene Kim et al.
https://itrevolution.com/product/the-devops-handbook-second-edition/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kyle Kelly joins Chris to explore the wild west of software supply chain security. Kyle, author of the CramHacks newsletter, sheds light on the complicated and often misunderstood world of software supply chain security. He brings unique insights into the challenges, issues, and potential solutions in this constantly growing field. From his experiences in sectors like cybersecurity and security research, he adapts a critical perspective on the state of the software supply chain, suggesting it is in a 'dumpster fire' state. We'll dissect that incendiary claim and discuss the influence of open-source policies, the role of GRC, and the importance of build reproducibility. From starters to experts, anyone with even a mild interest in software security and its future will find this conversation enlightening.

Links:
CramHacks - https://www.cramhacks.com/

Solve for Happy by Mo Gawdat - https://www.panmacmillan.com/authors/mo-gawdat/solve-for-happy/9781509809950

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris Hughes, co-founder of Aquia, joins Chris and Robert on the Application Security Podcast to discuss points from his recent book Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, co-authored with Tony Turner. The conversation touches on the U.S. government in the software supply chain, the definition and benefits of software transparency, the concept of a software bill of materials (SBOM), and the growth of open-source software.

The episode also covers crucial topics like compliance versus real security in software startups, the role of SOC 2 in setting security baselines, and the importance of threat modeling in understanding software supply chain risks. They also talk about the imbalance between software suppliers and consumers in terms of information transparency and the burden on developers and engineers to handle vulnerability lists with little context.

As an expert in the field, Chris touches on the broader challenges facing the cybersecurity community, including the pitfalls of overemphasizing technology at the expense of building strong relationships and trust. He advocates for a more holistic approach to security, one that prioritizes people over technology.

Links

Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner
https://www.wiley.com/en-us/Software+Transparency%3A+Supply+Chain+Security+in+an+Era+of+a+Software+Driven+Society-p-9781394158492

Application Security Program Handbook by Derek Fisher https://www.simonandschuster.com/books/Application-Security-Program-Handbook/Derek-Fisher/9781633439818

Agile Application Security by Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird
https://www.oreilly.com/library/view/agile-application-security/9781491938836/

CNCF Catalog of Supply Chain Compromises
https://github.com/cncf/tag-security/blob/main/supply-chain-security/compromises/README.md

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jay Bobo and Darylynn Ross from CoverMyMeds join Chris to explain their assertion that 'AppSec is Dead.' They discuss the differences between product and application security, emphasizing the importance of proper security practices and effective communication with senior leaders, engineers, and other stakeholders. Jay proposes that product security requires a holistic approach and cautions against the current state of penetration testing in web applications. Darylynn encourages AppSec engineers to broaden their scope beyond individual applications to product security. With enlightening insights and practical advice, this episode thoughtfully challenges AppSec professionals with new ideas about application and product security.

Links:
Jay recommends:
How to Measure Anything in Cybersecurity Risk, 2nd Edition
by Douglas W. Hubbard, Richard Seiersen
https://www.wiley.com/en-us/How+to+Measure+Anything+in+Cybersecurity+Risk%2C+2nd+Edition-p-9781119892311

Darylynn recommends:
Kristin Hannah: https://kristinhannah.com/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Eitan Worcel joins the Application Security Podcast, to talk automated code fixes and the role of artificial intelligence in application security. We start with a thought-provoking discussion about the consistency and reliability of AI-generated responses in fixing vulnerabilities like Cross-Site Scripting (XSS). The conversation highlights a future where AI on one side writes code while AI on the other side fixes it, raising questions about the outcomes of such a scenario.

The discussion shifts to the human role in using AI for automated code fixes. Human oversight is important in setting policies or rules to guide AI, as opposed to letting it run wild on the entire code base. This controlled approach, akin to a 'controlled burn,' aims at deploying AI in a way that's beneficial and manageable, without overwhelming developers with excessive changes or suggestions.

We also explore the efficiency gains expected from AI in automating tedious tasks like fixing code vulnerabilities. We compare this to the convenience of household robots like Roomba, imagining a future where AI takes care of repetitive tasks, enhancing developer productivity. However, we also address potential pitfalls, such as AI's tendency to 'hallucinate' or generate inaccurate solutions, underscoring the need for caution and proper validation of AI-generated fixes.

This episode offers a balanced perspective on the integration of AI in application security, highlighting both its promising potential and the challenges that need to be addressed. Join us as we unravel the complexities and future of AI in AppSec, understanding how it can revolutionize the field while remaining vigilant about its limitations.

Recommended Reading from Eitan:
The Hard Thing About Hard Things by Ben Horowitz - https://www.harpercollins.com/products/the-hard-thing-about-hard-things-ben-horowitz?variant=32122118471714

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bjorn Kimminich, the driving force behind the OWASP Juice Shop project, joins Chris and Robert to discuss all things Juice Shop. The OWASP Juice Shop is a deliberately vulnerable web application that serves as an invaluable training tool for security professionals and enthusiasts. Bjorn provides a comprehensive overview of the latest features and challenges introduced in the Juice Shop, underscoring the project's commitment to simulating real-world security scenarios.

Key highlights include the introduction of coding challenges, where users must identify and fix code vulnerabilities. This interactive approach enhances the learning experience and bridges the gap between theoretical knowledge and practical application. Additionally, Bjorn delves into the integration of Web3 and smart contracts within the Juice Shop, reflecting the project's adaptation to emerging technologies in the blockchain domain. This integration poses new challenges and learning opportunities, making the Juice Shop a continually relevant and evolving platform for cybersecurity training.

The episode concludes with an acknowledgment of the project's maintenance efforts and the introduction of a novel cheating detection mechanism. This system assesses the patterns and speed of challenge completions, ensuring the integrity of the learning process. Bjorn's discussion also highlights the inclusion of 'shenanigan' challenges, adding a layer of fun and creativity to the application. The significant impact of the Juice Shop on the cybersecurity community, as a tool for honing skills and understanding complex security vulnerabilities, is evident throughout the discussion, marking this episode as an essential watch for those in the field.

Links:
OWASP Juice Shop - https://owasp.org/www-project-juice-shop/

Pwning OWASP Juice Shop by Björn Kimminich. The official companion guide to the OWASP Juice Shop - https://leanpub.com/juice-shop

"OWASP Juice Shop Jingle" by Brian Johnson of 7 Minute Security - https://soundcloud.com/braimee/owasp-juice-shop-jingle

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Arshan Dabirsiaghi of Pixee joins Robert and Chris to discuss startups, AI in appsec, and Pixee's Codemodder.io. The conversation begins with a focus on the unrealistic expectations placed on developers regarding security. Arshan points out that even with training, developers may not remember or apply security measures effectively, especially in complex areas like deserialization. This leads to a lengthy and convoluted process for fixing security issues, a problem that Arshan and his team have been working to address through their open-source tool, Codemodder.io.

Chris and Arshan discuss the dynamic nature of the startup world. Chris reflects on the highs and lows experienced in a single day, emphasizing the importance of having a resilient team that can handle these fluctuations. They touch upon the role of negativity in an organization and its potential to hinder progress. Arshan then delves into the history of Contrast Security and its pioneering work in defining RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing) as key concepts in appsec.

The group also explores the future of AI in application security. Arshan expresses his view that AI will serve more as a helper than a replacement in the short term. He believes that those who leverage AI will outperform those who don't. The conversation also covers the potential risks of relying too heavily on AI, such as the introduction of vulnerabilities and the loss of understanding in code development. Arshan emphasizes the importance of a feedback loop in the development process, where each change is communicated to the developer, fostering a learning environment. This approach aims to improve developers' understanding of security issues and promote better coding practices.

Links:
Pixee https://www.pixee.ai/
Pixee's Codemodder.io: https://codemodder.io/

Book Recommendation:
Hacking: The Art of Exploitation, Vol. 2  by John Erickson: https://nostarch.com/hacking2.htm

Aleph One's "Smashing The Stack for Fun and Profit":
http://phrack.org/issues/49/14.html

Tim Newsham's "Format String Attacks": 
https://seclists.org/bugtraq/2000/Sep/214

Matt Conover's "w00w00 on Heap Overflows" (reposted):
https://www.cgsecurity.org/exploit/heaptut.txt

Jeremiah Grossman, aka rain forest puppy (rfp):
https://www.jeremiahgrossman.com/#writing

Justin Rosenstein's original codemod on GitHub:
https://github.com/facebookarchive/codemod

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris and Robert are thrilled to have an insightful conversation with Dr. Jared Demott, a seasoned expert in the field of cybersecurity. The discussion traverses a range of topics, from controversial opinions on application security to the practical aspects of managing bug bounty programs in large corporations like Microsoft.

We dive into the technicalities of bug bounty programs, exploring how companies like Microsoft handle the influx of reports and the importance of such programs in a comprehensive security strategy. Dr. Demott provides valuable insights into the evolution of bug classes and the never-ending challenge of addressing significant bug types, emphasizing that no bug class can ever be fully eradicated.

This episode is a must-listen for anyone interested in the nuances of software security, the realities of cybersecurity employment, and the ongoing challenges in bug mitigation. Join us for an enlightening journey into the heart of application security with Dr. Jared Demott.

Links:

Microsoft Security Response Center MSRC: https://www.microsoft.com/en-us/msrc

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dr. Katharina Koerner, a renowned advisor and community builder with expertise in privacy by design and responsible AI, joins Chris and Robert to delve into the intricacies of responsible AI in this episode of the Application Security Podcast. She explores how security intersects with AI, discusses the ethical implications of AI's integration into daily life, and emphasizes the importance of educating ourselves about AI risk management frameworks. She also highlights the crucial role of AI security engineers, the ethical debates around using AI in education, and the significance of international AI governance. This discussion is a deep dive into AI, privacy, security, and ethics, offering valuable insights for tech professionals, policymakers, and individuals.

Links:

• UNESCO Recommendation on the Ethics of Artificial Intelligence:  https://www.unesco.org/en/artificial-intelligence?hub=32618
• OECD AI Principles: https://oecd.ai/en/ai-principles
• White House Blueprint for an AI Bill of Rights: https://www.whitehouse.gov/ostp/ai-bill-of-rights/
• NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
• NIST Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations: https://csrc.nist.gov/pubs/ai/100/2/e2023/ipd
• Microsoft Responsible AI Standard, v2: https://www.microsoft.com/en-us/ai/principles-and-approach
• ==> Microsoft Failure Modes in Machine Learning: https://learn.microsoft.com/en-us/security/engineering/failure-modes-in-machine-learning
• ENISA Securing Machine Learning Algorithms: https://www.enisa.europa.eu/publications/securing-machine-learning-algorithms
• Google Secure AI Framework (SAIF): https://developers.google.com/machine-learning/resources/saif
• ==> Google Why Red Teams Play a Central Role in Helping Organizations Secure AI Systems: https://services.google.com/fh/files/blogs/google_ai_red_team_digital_final.pdf

Recommended Book:

• The Ethical Algorithm: The Science of Socially Aware Algorithm Design  by Michael Kearns and Aaron Roth: https://global.oup.com/academic/product/the-ethical-algorithm-9780190948207?cc=us&lang=en&

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For Security Pros & Business Leaders | Strategic Insights & Leadership Lessons

🔒🌟 When Ray Espinoza joined Chris and Robert on the Application Security Podcast, he gave a treasure trove of insights for both security professionals and business leaders alike! Whether you're deep in the trenches of information security or steering the ship in business leadership, this episode is packed with valuable takeaways. Dive in to discover why this is a must-listen for professionals across the spectrum. 🌟🔒

For Security Professionals:
1. CISO Insights: Gain a glimpse into the strategic mind of a Chief Information Security Officer. Learn from their real-world experiences and challenges in aligning security with business goals.
2. Career Development: Get inspired by the speaker's career journey and learn the importance of mentorship in your professional growth.
3. Data-Driven Security: Embrace a data-driven approach to security solutions, focusing on tangible results and measurable outcomes.

For Business Leaders:
1. Strategic Security Understanding: Learn how information security is integral to overall business strategy and decision-making.
2. Universal Risk Management: Gain insights into risk management strategies applicable across various business aspects.
3. Communication & Relationship Building: Enhance your skills in effective communication and professional relationship building.
4. Leadership & Mentorship: Absorb valuable lessons in guiding and inspiring your team, crucial for effective leadership.
5. Adaptability in Leadership: Understand the importance of flexibility and adaptability in today's rapidly evolving business landscape.
6. Data-Driven Decisions: Embrace the power of data in driving efficient and accountable business processes.

Why Listen?
👉 For security pros, this is your chance to deepen your understanding of strategic security management and enhance your interpersonal skills.
👉 For business leaders, this episode offers a unique perspective on how security strategies impact broader business objectives and leadership practices.

Don't Miss Out!
🎧 Tune in now for an enlightening discussion filled with actionable insights. Whether you're an aspiring CISO, a seasoned security professional, or a business leader looking to broaden your horizons, this podcast has something for everyone.

👍 Like, Share, and Subscribe for more insightful content!
💬 Drop your thoughts and takeaways in the comments below!

#SecurityLeadership #BusinessStrategy #RiskManagement #CareerGrowth #DataDrivenDecisions #LeadershipSkills

---

Remember, your engagement helps us bring more such content. So, hit that like button, share with your network, and subscribe for more insightful episodes! 🌟🔊📈

Ray's Book Recommendation:
Extreme Ownership by Jocko Willink and Leif Babin
https://echelonfront.com/books/extreme-ownership/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris John Riley joins Chris and Robert to discuss the Minimum Viable Secure Product. MVSP is a minimalistic security checklist for B2B software and business process outsourcing suppliers. It was designed by a team that included experts from Google, Salesforce, Okta, and Slack. The MVSP objectives are targeted at startups and other companies creating new applications, helping such organizations meet security standards expected by larger enterprises like Google. The MVSP is designed to be accessible for users, as a way to streamline the process of vendor assessment and procurement from the start to the contractual control stages.

Using MVSP, developers and application security enthusiasts can establish a baseline for building secure applications. MVSP includes controls about business operations, application design, implementation, and operational controls. For instance, it encourages third-party penetration testing on applications, as it believes that every product has an issue somewhere and needs regular testing to maintain a good security posture. The controls are designed to be reasonable and achievable, but also evolutionary to keep up with changes in the cybersecurity landscape.

Moving forward, MVSP intends to continue updating its guidelines to reflect the realities of the software development landscape but to keep the number of controls manageable to maintain wide acceptance. Chris encourages firms to consider MVSP as a baseline during the Request for Proposal (RFP) process to ensure prospective vendors meet the required security guidelines.

Links:

• Minimum Viable Secure Product:  https://mvsp.dev/

Recommended Books:

• Cybersecurity Myths and Misconceptions... by Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra: 
  • https://www.pearson.com/en-us/subject-catalog/p/cybersecurity-myths-and-misconceptions-avoiding-the-hazards-and-pitfalls-that-derail/P200000007269/9780137929238
• Phantoms in the Brain: Probing the Mysteries of the Human Mind  by V.S. Ramachandran
  • https://www.harpercollins.com/products/phantoms-in-the-brain-v-s-ramachandran?variant=32130994110498

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Steve Wilson and Gavin Klondike are part of the core team for the OWASP Top 10 for Large Language Model Applications project. They join Robert and Chris to discuss the implementation and potential challenges of AI, and present the OWASP Top Ten for LLM version 1.0. Steve and Gavin provide insights into the issues of prompt injection, insecure output handling, training data poisoning, and others. Specifically, they emphasize the significance of understanding the risk of allowing excessive agency to LLMs and the role of secure plugin designs in mitigating vulnerabilities.

The conversation dives deep into the importance of secure supply chains in AI development, looking at the potential risks associated with downloading anonymous models from community-sharing platforms like Huggingface. The discussion also highlights the potential threat implications of hallucinations, where AI produces results based on what it thinks it's expected to produce and tends to please people, rather than generating factually accurate results.

Wilson and Klondike also discuss how certain standard programming principles, such as 'least privilege', can be applied to AI development. They encourage developers to conscientiously manage the extent of privileges they give to their models to avert discrepancies and miscommunications from excessive agency. They conclude the discussion with a forward-looking perspective on how the OWASP Top Ten for LLM Applications will develop in the future.

Links:

OWASP Top Ten for LLM Applications project homepage:
https://owasp.org/www-project-top-10-for-large-language-model-applications/

OWASP Top Ten for LLM Applications summary PDF: 
https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-slides-v1_1.pdf

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tanya Janca, also known as SheHacksPurple, joins the Application Security Podcast again to discuss secure coding, threat modeling, education, and other topics in the AppSec world. With a rich background spanning over 25 years in IT, coding, and championing cybersecurity, Tanya delves into the essence of secure coding.

Tanya highlights the difference between teaching developers about vulnerabilities and teaching them the practices to avoid these vulnerabilities in the first place. Instead of focusing on issues like SQL injection, she emphasizes the importance of proactive measures like input validation and always using parameterized queries. She believes teaching developers how to build secure applications is more effective than merely pointing out vulnerabilities.

She also explains the importance of a secure system development life cycle (SDLC). Software companies often state "We take your security seriously." Tanya believes the phrase should only be used by companies that have a secure SDLC in place. Without it, the phrase is rendered meaningless.

Discussing the intersection of coding and threat modeling, Tanya shares personal anecdotes that underscore the need to view systems with a critical eye, always anticipating potential vulnerabilities and threats. She recounts her initial reactions during threat modeling sessions, where she is surprised by the myriad ways applications can be exploited.

One of her most crucial takeaways for developers is the principle of distrust and verification. Tanya stresses that when writing code, developers should not trust any input or connection blindly. Everything received should be validated to ensure its integrity and safety. This practice, she believes, not only ensures the security of applications but also makes the lives of incident responders easier.

Toward the end of the podcast, Tanya recommends This is How They Tell Me the World Ends," which offers a deep dive into the zero-day industry. She lauds the book for its meticulous research and compelling narrative. The episode wraps up with Tanya encouraging listeners to stay connected with her work and to anticipate her upcoming book.

Links:

Alice and Bob Learn Application Security by Tanya Janca
     https://www.wiley.com/en-us/Alice+and+Bob+Learn+Application+Security-p-9781119687405

This is How They Tell Me the World Ends by Nicole Perlroth
     https://thisishowtheytellmetheworldends.com/

WeHackPurple
     https://wehackpurple.com/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hasan Yasar believes that everyone shares the responsibility of creating a secure environment, and this can only be achieved by working collaboratively. He underscores the idea that security is not an isolated endeavor but a collective effort, urging everyone to come together and build a world where safety and security are paramount.

Yasar also shares his thoughts about education and security. He highlights the need for integrating security concepts right from the foundational levels of teaching programming languages. By introducing concepts like input validation and sanitization early on, students can be better equipped to handle security challenges in their professional lives. Yasar also mentions the importance of bridging the gap between real-world problems and academic research. By organizing workshops and connecting researchers with real-world challenges, there's an opportunity to create more awareness and solutions that are grounded in practicality.

He contrasts the challenges faced in developing complex systems like simulators with those of web applications. In the context of simulators, every aspect, from memory management to user interface, needs to be meticulously crafted, keeping both safety and security in mind. This holistic approach ensures that safety and security are intertwined, ensuring a robust system. On the other hand, with web applications, developers often only see the tip of the iceberg, unaware of the underlying dependencies, making security a more challenging endeavor.

Hasan Yasar introduces Chris and Robert to the concept of "actionable SBOM" (Software Bill of Materials). He passionately argues against viewing the SBOM as just a static file tucked away in repositories. Instead, Yasar champions the idea that it should be actively integrated into the infrastructure as code. This ensures that when deploying tools like Docker containers, there's a consistent alignment between the software components and their documented versions in the SBOM.

Yasar further underscores the importance of real-time monitoring of the SBOM, especially in a production environment. This proactive approach not only keeps track of the software components but also alerts organizations to new vulnerabilities as they arise. By integrating the SBOM with vulnerability management tools, organizations can maintain a secure environment, ensuring timely updates and patches when potential threats are detected.

The podcast also touches upon the challenges of maintaining an actionable SBOM in fast-paced development environments, where software updates can occur multiple times a day. However, Yasar remains optimistic. He believes that with the right mindset and tools, it's entirely possible to keep the SBOM updated and relevant, making it an invaluable asset in the ever-evolving world of software development and security.

Links:

Software Transparency: Supply Chain Security in an Era of a Software-Driven Society
by Chris Hughes, Tony Turner
https://www.amazon.com/dp/1394158483?ref_=cm_sw_r_cp_ud_dp_PHSFCKCRM7Q8KZ41RDXT

Cybersecurity First Principles: A Reboot of Strategy and Tactics  by Rick Howard
https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/1394173083

Carnegie Mellon Universi

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Varun Badhwar is a three-time founder, a luminary in the cyber security industry, and a clear communicator. He joins Chris and Robert on the Application Security Podcast to discuss scanning with context, SBOM plus VEX, and the developer productivity tax. The concept of a "Developer Productivity Tax" acknowledges the challenges developers face when bombarded with a plethora of vulnerabilities. This "tax" represents the drain on developers' time and resources as they navigate through a myriad of potential threats, many of which lack actionable context. The inefficiencies arising from this process can lead to significant delays in software development, emphasizing the need for more refined tools and techniques.

A key solution Varun offers is the integration of SBOM plus VEX (Software Bill of Materials with Vulnerability Exploitability eXchange). While SBOM offers transparency by detailing all software components and dependencies, it can be overwhelming due to the sheer volume of potential vulnerabilities it flags. VEX, designed as a companion to SBOM, provides the much-needed context, detailing the applicability, reachability, and availability of fixes for vulnerabilities. This combination aims to streamline the vulnerability management process, ensuring that only relevant and critical threats are addressed.

Lastly, the importance of "Scanning with Context" was emphasized. Traditional vulnerability scanning can often result in a multitude of false positives or irrelevant findings due to the lack of context. The podcast delved into the two primary approaches to contextual scanning: static analysis and runtime analysis. While both methods have their merits, the discussion leaned towards static analysis for its scalability and efficiency. The episode concluded by stressing the need for further research and development in vulnerability annotation to specific code functions, ensuring a more precise and actionable vulnerability management process.

Important Links:

• Endor Labs - https://www.endorlabs.com/

Recommended books:

• The Hard Thing About Hard Things by Ben Horowitz
• Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes, Tony Turner

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Application Security Podcast presents the OWASP Board of Directors Debate for the 2023 elections. This is a unique and engaging discussion among six candidates vying for a position on the board. Throughout the debate, candidates address pressing questions about their priorities as potential board members, the future direction of OWASP, and strategies for community growth and vendor neutrality. Topics such as vendor agnosticism, the allocation of profits from global OWASP events, and the importance of community involvement are among the critical issues discussed.

The questions presented by Chris and Robert include:

1. What experience do you have running an organization like OWASP? Have you been a C-level exec? Have you served on a Board of Directors? What hard decisions about the strategic direction of an organization have you personally made?
2. What are your priorities as a board member, and what should not be on the board's agenda?
3. How do you envision maintaining the legacy of OWASP's open-source projects in the future, especially compared to organizations like the Linux Foundation, which has successfully nurtured community engagement and secured funding for project sustainability?
4. The individual paid memberships are in a steady decline year over year. What is your plan to increase the number of paid members of OWASP?
5. How do you plan on remaining vendor agnostic and maintaining the open-source character of the org without becoming an incubator for companies?
6. With the individual events happening around the globe under the OWASP brand, what should happen with the profit from those events? Should it become part of the Global OWASP bank account?

For those interested in the future of OWASP and the perspectives of its potential leaders, this debate offers valuable insights. We want to invite all application security professionals to tune in and listen to the complete discussion to gain a deeper understanding of the candidates' visions and strategies for the advancement of OWASP in the coming years.

Chris concludes with this message: 

"I can't stress enough the importance of your active participation in the upcoming board elections. These elections play a pivotal role, and you, as a valued member of the OWASP community, have the power to shape our organization's future. 

I want to remind you that there's a dedicated candidate page for each contender, complete with videos where they lay out their platforms and provide written answers to various questions. You must be informed. As an OWASP member, I urge you to exercise your right to vote. The voting period for the board of directors will open on October 15 and run until October 30. 

I genuinely believe that voting isn't just a right—it's a responsibility. Your vote will help determine the next generation of leaders who will steer OWASP in the coming years."

Links:

OWASP Global Board Candidates webpage:  https://owasp.org/www-board-candidates/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Itzik Alvas, Co-founder and CEO of Entro, is an expert on secrets security.
Itzik joins Chris and Robert to discuss the significance of understanding and managing secrets, emphasizing the importance of knowing how many secrets an organization has, where they are located, and their potential impact. He elaborates on the three pillars of secrets management: listing and locating secrets, classifying and understanding their potential blast radius, and monitoring them for any abnormal behavior.

The conversation takes a turn towards the future of secrets management, where Itzik believes there's a need for a shift in mentality. He stresses the importance of education in this domain, urging listeners to seek knowledge, understand the potential risks, and start with actionable steps. Itzik's perspective on prioritizing risks, investing in processes, and the challenges of remediation offers a fresh take on application security.

As the episode wraps up, Itzik shares a key takeaway for the audience: the importance of getting educated about secrets, understanding their potential risks, and starting with quick, actionable steps. Chris Romeo, the host, and Itzik also touch upon their love for sci-fi, adding a personal touch to the conversation. This episode is a must-listen for anyone keen on enhancing their understanding of secrets security and management.


Helpful Links:
Entro -- https://entro.security/

Recommended Reading:
Foundation by Isaac Asimov -- https://www.amazon.com/Foundation-Isaac-Asimov/dp/0553293354
Ringworld by Larry Niven -- https://www.amazon.com/dp/B0B1911GL1
Seveneves by Neal Stephenson -- https://www.amazon.com/Seveneves-Neal-Stephenson/dp/0062334514

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Harshil Parikh is a seasoned security leader with experience building security and compliance functions from the ground up. He notably built the security and compliance team at Medallia from scratch and led it through several transitions. He is also a conference speaker, and, most recently, he co-founded Tromzo. Harshil shares insights about AppSec, running a startup, selling effectively, and provides justification for his mantra, "Context is king."

Harshil underscores the importance of understanding context in security, emphasizing that it's the bedrock for making informed decisions. He also brings to light the significance of data-driven metrics in application security.

Harshil champions the cause of enhancing the developer experience in application security. He posits that security professionals should be more than just watchdogs; they should be enablers, aiding developers in making the right security decisions. This involves equipping developers with the necessary tools and knowledge and providing them with the relevant context to understand the bigger picture. Harshil's insights into the trend of developer autonomy, especially in modern companies, are particularly enlightening. He discusses how developers today often take ownership beyond just coding, emphasizing the need for security guardrails to guide them.

Rounding off the episode, Harshil touches upon the challenges of scaling application security programs in organizations. His main message resonates powerfully: the role of security professionals extends beyond mere problem detection. It's about risk management, improving developer experiences, and navigating the complex labyrinths of organizational hierarchies. This episode is a treasure trove of insights for anyone keen on understanding the nuances of application security in today's dynamic tech landscape.

Recommended Reading:
The Metrics Manifesto by Richard Seiersen. https://www.wiley.com/en-us/The+Metrics+Manifesto%3A+Confronting+Security+with+Data-p-9781119515418

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jeff Willams of Contrast Security joins Chris and Robert on the Application Security Podcast to discuss runtime security, emphasizing the significance of Interactive Application Security Testing (IAST) in the modern DevOps landscape. After reflecting on the history of OWASP, the conversation turns to the challenges organizations face in managing their application security (AppSec) backlogs. Jeff highlights the alarming number of unresolved issues that often pile up, emphasizing the inefficiencies of traditional security tools.

Jeff champions IAST, and here are a few highlights that he shares. IAST is ideally suited for DevOps by seamlessly transforming regular test cases into security tests. IAST can provide instant feedback, leading to a Mean Time To Repair (MTTR) of just three days across numerous applications. Unlike Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST), which can take hours or even days, IAST can complete security testing during the build, fitting within the tight SLAs of modern pipelines.

IAST offers developers comprehensive insights, which aids in a better understanding and quicker resolution of the identified issues. It is also adaptable, as IAST can detect vulnerabilities before they are exploited. Jeff argues that IAST's ability to work with existing test cases and provide rapid feedback makes it a perfect fit for the fast-paced DevOps environment.

Jeff emphasizes that while runtime security can be a game-changer, it doesn't replace other essential aspects of AppSec programs, such as training. In conclusion, Jeff Williams champions IAST as a revolutionary tool in the application security domain. Its adaptability, efficiency, and depth of insights make it a must-have in the toolkit of modern developers and security professionals.

Links:

• Jeff on LinkedIn: https://www.linkedin.com/in/planetlevel/
• Java Observability Toolkit (JOT): https://github.com/planetlevel/jot
• Identified by John Wilander: https://www.amazon.com/IDENTIFIED-hacker-thriller-headlines-newspapers/dp/B09NRF399J
• Venture in Security article about circle stickers:  https://ventureinsecurity.net/p/solving-the-circle-sticker-problem

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mark Curphey and John Viega join Chris and Robert to explain the details of Chalk, Crash Override's new tool. Mark also talks about why ZAP departed from OWASP and joined the Software Security Project, highlighting some of the value and differences of both organizations. Open Source Software is important to the industry, but Mark calls on companies to contribute to the development and support of the projects they use.

The conversation explores the challenges faced by companies, especially large tech firms, in managing their software engineering processes. Many organizations grapple with identifying code ownership, determining code versions during incidents, and prioritizing alerts from static analysis tools. Chalk emerges as a solution to these challenges, providing clarity and reducing friction in the software development and maintenance process.

Toward the end, both speakers emphasize the importance of understanding the entire software engineering process to make informed decisions. They advocate for an "outside-in" perspective, urging listeners to step into the shoes of others and view challenges from a broader perspective. This holistic approach, they suggest, can lead to more effective decision-making in the realm of software development.

Listen until the end for book recommendations on cybersecurity, business, and personal growth.

Links:

• Crash Override: https://crashoverride.com/about/
• Chalk: https://crashoverride.com/docs/chalk/overview/
• The Software Security Project: https://softwaresecurityproject.org/
• The Open Worldwide Application Security Project (OWASP): https://owasp.org/

Books:

• Cybersecurity Myths and Misconceptions... by Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra: https://www.pearson.com/en-us/subject-catalog/p/cybersecurity-myths-and-misconceptions-avoiding-the-hazards-and-pitfalls-that-derail/P200000007269/9780137929238
• Crossing the Chasm by Geoffrey A. Moore: https://www.harpercollins.com/products/crossing-the-chasm-3rd-edition-geoffrey-a-moore?variant=32130444066850
• The Pragmatic Framework: https://www.pragmaticinstitute.com/product/framework/
• Atomic Habits by James Clear: https://jamesclear.com/atomic-habits
• Start with Why by Simon Sinek: https://simonsinek.com/books/start-with-why/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Maril Vernon is passionate about Purple teaming and joins Robert and Chris to discuss the intricacies of purple teaming in cybersecurity. She underscores the significance of fostering a collaborative environment between developers and the security team. Drawing from her experiences, Maril shares the challenge of development overlooking her remediation recommendations. She chose to engage directly with the developers, understanding their perspective and subsequently learning to frame her remediations in developer-centric language. This approach made her recommendations actionable and bridged the communication gap between the two teams.

Maril also looks into the future of purple teaming, envisioning a landscape dominated by automation and AI tools. While these tools will enhance the efficiency of certain tasks, she firmly believes that the human element, especially the creativity and intuition of red teamers, will remain irreplaceable. She envisions a future where dedicated purple teams might be replaced by a more holistic approach, or white teams, emphasizing collaboration across all departments.

Maril's powerful message on the essence of security: "You get what you inspect, not what you expect." She emphasizes the importance of proactive inspection and testing rather than relying on assumptions. And she re-states the centrality of cooperation between teams. Maril's insights serve as a reminder of the dynamic nature of cybersecurity and the need for continuous adaptation and collaboration.

Helpful Links:

• Follow Maril: @shewhohacks
• Purple Team Exercise Framework: https://github.com/scythe-io/purple-team-exercise-framework
• Scythe: https://scythe.io/
• MITRE ATT&CK Framework: https://attack.mitre.org/
• MITRE ATT&CK Navigator: https://github.com/mitre-attack/attack-navigator
• AttackIQ: https://www.attackiq.com/
• SafeBreach: https://www.safebreach.com/ 
• PlexTrac - https://plextrac.com/
• Atomic Red Team: https://atomicredteam.io/

Book Recommendations: 

• Security+ All-in-One Exam Prep: https://www.mheducation.com/highered/product/comptia-security-all-one-exam-guide-sixth-edition-exam-sy0-601-conklin-white/9781260464009.html
• The Pentester BluePrint - https://www.wiley.com/en-us/The+Pentester+BluePrint:+Starting+a+Career+as+an+Ethical+Hacker-p-9781119684305
• The First 90 Days - https://hbr.org/books/watkins

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dan Küykendall visits The Application Security Podcast to discuss his series "Why All AppSec Products Suck" and explain why software companies should understand the uses and limitations of any security tool. The series aims to highlight the limitations of each tool and to help users make informed decisions when selecting the right tools for their needs. In this field, there is no such thing as an expert; there is always something new to learn.

Dan, Chris, and Robert remember the late Kevin Mitnick, a well-known figure in the cybersecurity community. They share their personal experiences with Mitnick, highlighting his curiosity, humility, and the importance of remembering that everyone in the cybersecurity community is a regular person with feelings and concerns.

The hosts discuss the challenges of dealing with heavy client-side applications, such as those built with React, and the difficulties faced by Dynamic Application Security Testing (DAST) scanners in handling different data formats and client-side complexities. They share their experiences in redesigning DAST scanners to handle various data formats and the importance of separating data formats from attack payloads. Dan helps Chris see the usefulness of DAST in certain situations, such as a large enterprise, without hiding some of the limitations inherent in DAST.

The podcast also touches on the importance of training engineers in web security and the need for a collection of tools that address different security concerns. The hosts emphasize the value of designing security into applications from the beginning and the role of training in achieving this goal. Learning the basics, such as understanding TCP/IP, is still important for security and developers.

To gain more valuable insights and resources from Dan Kuykendall

The Dan On Dev website

 - https://danondev.com

Social Media

- https://twitter.com/dan_kuykendall

- https://twitter.com/Dan_On_Dev

- https://instagram.com/dan_on_dev

- https://facebook.com/danondev

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kevin Johnson is the CEO of Secure Ideas. He began his career as a developer but turned toward security when he discovered that the interface for an intrusion detection system, Snort, was out of date. This led him to create BASE (Basic Analysis and Security Engine), a testament to Kevin's proactive approach.

Kevin has a deep-rooted passion for open-source projects. He highlights the challenges and joys of initiating and sustaining such ventures, emphasizing the pivotal role of community contributions. Kevin also details how to install and start with SamuraiWTF, a tool tailored for those keen on mastering application security. He outlines two paths for developers: one focused on learning application security intricacies and another on actively contributing to the project's growth.

Kevin also discusses the notable departure of ZAP from OWASP. Kevin expresses his concerns and reflects on the broader implications of this decision on the cybersecurity community. The episode wraps up with a touch of nostalgia, as Kevin and Chris reminisce about their early tech adventures, showcasing Kevin's unwavering commitment to knowledge-sharing and community collaboration.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tony Quadros, the AppSec Lumberjack, shares the unique career path that led him to find his passion in Application Security. The discussion delves into the work of an AppSec vendor, with Tony explaining his role and the responsibilities it entails. He emphasizes the importance of understanding the needs and environment of the customer, and whether the product he represents can fulfill their requirements. Tony also shares his philosophy of sales, centered around solving problems and providing business value.

Tony reveals the challenges salespeople face in the cybersecurity industry, particularly the pressure to meet quotas and the need for good company culture. Chris, Robert, and Tony highlight the importance of setting realistic expectations at the executive level to avoid putting undue pressure on customers and prospects.

In addition, the conversation touches on the importance of sales leadership in setting processes and creating a positive company culture. Sales leaders need to educate themselves about their products and market segment. Tony stresses they should provide value to customers through their conversations.

He also talks about becoming involved with OWASP Maine and encourages community involvement for all members of the AppSec community.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cloud security is on an evolutionary path,  with newer platforms embracing secure-by-default settings. This has led to a significant improvement in security but also adds complexity as developers need to understand these defaults when deploying to the cloud.

Steve Giguere defines cloud application security, describes cloud-first development and cloud complexity, security by default, and the need to broaden AppSec by creating new security personas and being secure from idea to destination. Steve provides many nuggets of insight from his travels, including pointing us to Wing, a programming language for the cloud that includes code and IaC together.

We discuss the consolidation of application security, particularly Static Application Security Testing (SAST) and Software Composition Analysis (SCA). These should not be separate products but must provide actionable insights and be tied together for practical reachability analysis.

We introduce a new segment of rapid-fire questions, asking about what Steve would put on a billboard at RSA or Blackhat and asking for book recommendations. Steve recommends "Hacking Kubernetes," praising its use-case focus and engaging narrative.

We plan to revisit this conversation in a few years to see if Steve's predictions about the security pipeline and other aspects of cloud application security have come to fruition.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"Visualizing the Software Supply Chain" is a project which aims to kick off a discussion about the scope and breadth of the software supply chain.

Paul McCarty emphasizes the importance of understanding what's in the software supply chain to secure it effectively. He uses the burrito analogy, stating that you can't decide if you want to eat it if you don't know what's in it. We discuss the nuances around the Software Bill of Materials (SBOM) and the importance of understanding the differences between various SBOMs, especially for companies that deploy frequently.

The conversation also covers third-party components, such as APIs, SaaS solutions, payment gateways, and identity providers, which are part of the software supply chain. Paul gives the example of Stripe, a payment platform that includes software components and SaaS.

Paul's project helps people understand the different threats associated with each category in the software supply chain. The episode concludes with a call to action for organizations to prioritize understanding their software supply chain and leveraging automation as much as possible.

Gain valuable insights into securing the software supply chain and consider guidance on actionable steps organizations can take to enhance their security.

Four key takeaways from the episode:

1. Understanding the Software Supply Chain: Paul McCarty emphasizes the importance of understanding the scope and breadth of the software supply chain. He suggests you can't secure or have a valuable conversation about the software supply chain if you don't know what's in it.
2. The Role of Third-Party Components:  Third-party components in the software supply chain are crucial. These can include APIs, SaaS solutions, payment gateways, and identity providers. Paul uses Stripe as an example to illustrate this point.
3. The Nuances of the Software Bill of Materials (SBOM): SBOM has nuance. We highlight the importance of understanding the differences between various SBOMs, especially for companies that deploy frequently.
4. Threat Thinking in the Software Supply Chain: We appreciate the depth of threat thinking in Paul's project. This approach helps people understand the different threats associated with each category in the software supply chain.

Links:

• https://github.com/SecureStackCo/visualizing-software-supply-chain
• https://github.com/6mile/DevSecOps-Playbook

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Farshad Abasi shares three models for deploying resources within application security teams:

1. The Dedicated AppSec Person Model involves assigning an AppSec person to work with each team. Farshad shares his experience of working with developers and the challenges faced in getting them to understand and implement threat modeling. He also discusses the transition from waterfall to Agile and how it affected threat modeling.
2. The Federated Model: A security consultant attends weekly standups and sprint planning sessions in this model. They work with a checklist to quickly determine if any user stories could be security sensitive. This model reduces the allocation required to 10 to 20% of an AppSec consultant.
3. The Champion or Deputy Model: The AppSec team deputizes developers to do the bulk of the application security work, and the AppSec team becomes a resource and escalation point for more complex problems. Each DevOps team appoints a security champion, and these champions form a working group supported by an AppSec person. The champions handle day-to-day issues and threat modeling, with the AppSec team providing mentorship and support.

Over several years, Farshad's journey progressed from the expert-led model to a fully-deputized, champion-driven approach to AppSec. 

After careful consideration, we conclude that the fully deputized model is the only path to scalability.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kim Wuyts discusses her work in privacy threat modeling with LINDDUN, a framework inspired by Microsoft's STRIDE for security threat modeling. LINDDUN provides a structure to analyze privacy threats across multiple categories such as linking, detecting data disclosure, and unawareness. The framework has been updated over the years to incorporate new knowledge and developments in privacy, and it has become recognized as a go-to approach for privacy threat modeling.

Kim believes that privacy and security can be combined and highlights the importance of protecting individuals' rights and data while securing systems and assets.

Privacy by design, which focuses on reducing unnecessary data collection and considering individual needs, is discussed in relation to secure architecture and threat modeling. The Threat Modeling Manifesto is emphasized as a significant resource for promoting privacy threat modeling. 

Kim addresses emerging trends in privacy, including the concerns surrounding AI and responsible AI, and stresses the need for increased awareness among individuals and companies about privacy issues and the importance of privacy protection.

Listen in as Kim explains the importance of collaboration between security and privacy teams, integrating privacy into security practices, and recognizing the value of privacy for both privacy protection and overall security.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software supply chain -- how deep does the problem go? François is here to help us realize how deep the rabbit hole of the supply chain is and enlighten us with strategies to get out of the hole.

François emphasizes the importance of branch protection in source code repositories as the cornerstone of any supply chain, highlighting the need for peer review and static code analysis before merging. He also discusses the concept of tag protection, which prevents anyone with rewrite access to the repository from modifying a tag. This is particularly important in the context of build systems, where an overwritten tag could compromise the entire system.

The conversation then shifts to a "Let's Encrypt" equivalent for package signing, which François believes is being addressed by the SIG store project. This project introduces the concept of keyless signatures, which eliminates the need to manage private keys, a process that can be risky and cumbersome.

François also discusses the importance of understanding your dependency tree and using package manager lock files to ensure that the version of a package you're downloading is the one you expect. He mentions the Terraform modules, where the lack of a lock file for modules can lead to security vulnerabilities.

Toward the end of the episode, François recommends listeners explore the OpenSSF (Open Source Security Foundation) and its various projects, such as the Scorecard project, which provides a security posture for your repo. He also mentions https://deps.dev, a free Google service that scans open-source repos and runs the Scorecard on those projects.

Look up towards the light if you find yourself at the bottom of the rabbit hole.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How do we do security in the world of AI and LLMs? A great place to start is with an OWASP project tasked with creating a standardized guideline for building secure AI applications with large language models such as ChatGPT. Enter OWASP Top Ten for LLMs, and Steve Wilson, the project leader.

You'll experience Large Language Models (LLMs) and their implications in AI. Steve explains how the introduction of ChatGPT marked a significant shift in the AI landscape. He elaborates on the concept of LLMs, their functioning, and the unique properties that emerge when used at a large scale.

Traditional OWASP Top Ten issues like SQL injection and broken authorization are still applicable when dealing with AI applications, and the  OWASP API Top Ten could be layered onto these considerations. Think about it -- AI applications have web frontends.

A new discipline of AI security engineering is on the horizon, focusing on the security of large language models and the applications that access them. A focus on both AI safety AND security must occur.

We look forward to the release of the 1.0 version of the OWASP Top Ten for LLMs. Join the discussion today on OWASP Slack, and help form the new list.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is the state of application security? JB Aviat answered that question, by creating the state of application security report based on data from Datadog customers using the application security and APM products. It provides insights into threat detection, vulnerability detection, prioritization, and general trends on where the most significant risks lie.

We discuss:

• the prioritization of vulnerabilities;
• the risks associated with non-production environments like staging or pre-production. They discuss how attackers often target these environments, potentially as practice grounds, before launching an attack on the production environment;
• future trends of application security, particularly with the rise of low-code or no-code development tooling.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is zero trust, and how does it impact the world of applications and application security? We dive deep into zero trust with Joshua Wells, a seasoned cybersecurity expert with over ten years of experience. Joshua explores the intricacies of zero trust, a cybersecurity model that dictates no user or machine is trusted by default and must be authenticated every time.

Listen in as Joshua discusses his journey from aspiring to be an NFL player to becoming a leading voice in cybersecurity. He shares insights on how zero trust operates in different domains, including architectural security, endpoint detection, mobile device management, and risk assessment. He also touches on its implementation across various government bodies and private organizations.

Further, Joshua sheds light on the challenges of implementing zero trust, such as the need for a mix of different security tools and the stress of smaller teams when handling this robust framework. The episode also covers important considerations for Application Security (AppSec) professionals in a zero-trust environment and the role of attribute-based access control within this model.

Don't miss this enlightening discussion on cybersecurity's current landscape and future direction. Whether you're a cybersecurity professional, a tech enthusiast, or simply keen on understanding how your data is being kept secure, this episode will surely provide invaluable insights.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jeevan Singh, the director of product security at Twilio, discusses the future of application security engineers. Singh highlights the importance of embedding security into all aspects of software development and the need for a strong security culture within organizations. He also explains the skills required for a senior application security engineer, such as application security, software development, and teaching skills. Singh underscores the importance of empathy and influence, emphasizing that soft skills can significantly affect adequate application security. He also discusses the impact of AI, particularly OpenAI's GPT, in supporting the work of security engineers by providing valuable insights and information. Singh concludes by urging application security engineers to broaden their skills, particularly in software development, to ensure they can effectively handle the industry's evolving demands.

Five takeaways:

1. The future of application security engineering requires a blend of skills: Application Security (AppSec), software development, and teaching skills. Communicating and teaching others about security best practices is becoming as important as technical know-how.
2. The role of application security engineers is evolving: They are expected to identify and fix security issues and embed security considerations into the entire software development process. They are also tasked with educating other staff on security best practices.
3. Empathy and influence are crucial soft skills for application security engineers: It's essential to understand the perspectives of various stakeholders, from developers to executives, and influence them to prioritize security. This involves presenting data effectively and advocating for security measures.
4. Future demand for application security engineers is anticipated. As organizations increasingly realize the importance of securing their applications, there will be a growing need for professionals in this field. This is particularly the case for startups and smaller organizations.
5. Scaling application security efforts requires a team-based approach: To keep pace with growing engineering teams and increasing security demands, application security efforts must be scaled. This could involve creating "security champions" within development teams, implementing automated tools, and involving executive leadership to incentivize security improvements.

Jeevan's first appearance on the Application Security Podcast was entitled Jeevan Singh -- Threat modeling based in democracy.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Have you ever considered using an SBOM to inform your threat modeling? Tony Turner has. Tony joins us to discuss SBOMs, threat modeling, and the importance of Cyber Informed Engineering. 

Tony delves into the SBOM (Software Bill of Materials) concept, highlighting their value proposition in identifying vulnerabilities, demonstrating compliance with software licenses, and informing M&A activities and incident response indicators related to cyberattacks. We also explore the integration of SBOMs into the system engineering process and security engineering.

Tony further introduces the concept of Consequence-Driven Cyber Informed Engineering, which emphasizes understanding the potential consequences of cyberattacks on critical infrastructure rather than just on individuals or individual businesses. We discuss the four-step process of consequence-driven CIE. The conversation also addresses the challenges in communicating SBOM information, the importance of demanding transparency from suppliers, and the need to place trust in trusted third-party attestations.

Follow up:

- Research tools for integrating SBOMs into threat modeling
- Explore methods of communicating SBOM information
- Investigate Cyber Informed Engineering and Consequence-Driven principles in more detail

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Christian Frichot, an AppSec hacker, security leader, and developer of hcltm. He discusses the DevOps threat modeling tool he dreamed up and built. The tech was created to fit into developers' workflows and leverage tools they are familiar with. hcltm is designed to drive valuable change and be updated and maintained easily by software engineers. It is a developer-centric software product not heavily opinionated on diagramming, allowing users to employ their preferred methods for threat modeling. The solution is still evolving, and Frichot is open to user feedback and suggestions to improve it. He encourages people to try hcltm and see if it fits their threat modeling needs, as everyone approaches the process differently.

Critical actions for you to take from this episode:

1. Try out hcltm: familiarize yourself with the hcltm threat modeling tool, which uses HashiCorp Configuration Language (HCL) to help manage threat models alongside software code in a developer-friendly way.
2. Integrate threat modeling into your workflow: As a developer or security professional, explore ways to incorporate threat modeling into your current processes, such as using hcltm to manage threat models in a software repo and updating the model with each change.
3. Improve communication and collaboration: learn from Christian's experience and focus on building relationships and networks in the security community and improving communication and influencing skills.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Zohar Shachar joins us to discuss the bug bounty process from both sides. Zohar has spent time as a bug bounty hunter and shares wisdom on avoiding bug bounty-causing issues for your AppSec posture. We hope you enjoy this conversation with...Zohar Shachar.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sarah-Jane Madden is the Chief Information Security Officer of Sensing Technology Group. - part of Fortive. She has over 20 years of software experience, from the most formal environments to ‘let’s fix it in production’ type teams. She has been a longtime advocate of deliberate application security as a partnership with product management and believes security does not have to be an overhead. Sarah-Jane joins us to discuss her talk at OWASP Dublin, "Far from green fields — introducing Threat Modeling to established teams." She shares lessons learned from her 3-year journey and is transparent with the mistakes she made along the way. We hope you enjoy this conversation with...Sarah-jane Madden.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jet Anderson's passion is teaching today's software developers to write secure code as part of modern DevOps pipelines, at speed and scale, without missing a beat. He's been a software engineer for over 25 years and believes fixing security bugs is better than finding them. Jet joins us to discuss software or security engineer first, how fixing security bugs is better than just finding them, and the Code Doctor security training program he built and deployed. We hope you enjoy this conversation with...Jet Anderson.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

James Mckee is a developer (MCPDEA) and security advocate (CISSP) whose biggest responsibility is leading developer security practices. He sets the standards and procedures for the practice's operations and leads all client engagement efforts concerning security. He also takes the lead in ensuring that company staff (developers specifically) are properly trained and following best practices concerning application security. Currently, he is responsible for training and providing product guidance for developers worldwide. James joins us to discuss offensive application security for developers. We also get into the role of security professionals in reaching developers outside of the security echo chamber. We hope you enjoy this conversation with...James Mckee.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Derek is the author of “The Application Security Handbook.” He is a university instructor at Temple University, where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led security teams, large and small, at organizations in the healthcare and financial industries. Derek joins us to unpack the goals of an application security program, what is cutting edge in application security programs today, the role of open source vs. commercial, and guidance such as "decentralized application security." "enablement instead of gates; application security as a service," and "stop chasing the shiny new tool." We hope you enjoy this conversation with...Derek Fisher.

Find the book at https://www.manning.com/books/application-security-program-handbook

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rob van der Veer has a 30-year background in software engineering, building AI businesses, creating software, and assessing software. He is a senior director at the Software Improvement Group, where he established practices for AI, security, and privacy. Rob is involved in several standardization initiatives like OWASP SAMM, ENISA, CIP, and AI security & privacy guide. He leads the writing group for the new ISO standard on AI engineering: 5338. Rob co-leads the OWASP integration project, with openCRE.org as a key result, aiming to create alignment in the standards landscape. Rob joins us to introduce the OWASP AI Security and Privacy Guide. We cover Rob's observations on how AI engineering differs from regular software engineering, typical software engineering pitfalls for AI engineers, the new guide's scope, threats introduced with AI, and mitigations that orgs and teams can use to build a secure AI system. We hope you enjoy this conversation with...Rob van der Veer.

Show Notes:

• Visit the OWASP Security & Privacy Guide here --> https://owasp.org/www-project-ai-security-and-privacy-guide/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robyn Lundin started working in tech after a coding boot camp as a developer for a small startup. She then discovered her passion for security, pivoted into pentesting for NCC Group, and now works as a Senior Product Security Engineer for Slack. 

Robyn joins us to discuss the role of penetration testing within the application security realm. Robyn provides actionable guidance you can apply directly to your application pen testing program. We hope you enjoy this conversation with....Robyn Lundin.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Michael Bargury is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure, focused on IoT, APIs and IaC. 

Michael is passionate about all things related to cloud, SaaS and low-code security and spends his time finding ways they could go wrong. He also leads the OWASP low-code security project and writes about it on DarkReading. Michael is a regular speaker at OWASP, BSides and DEFCON conferences. 

Michael joins us to unpack Low Code / No Code and the new OWASP Top Ten that defines specific risks against Low/No Code. We hope you enjoy this conversation with...Michael Bargury.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alex leads the Cyber Security Consulting Group, part of Rakuten's Cyber Security Defense Department. The group's dedication is to providing global security services, including security architecture, DevSecOps tooling and integration services, delivery of technical training, and running Rakuten's Security Champion community. His focus is on empowering teams to improve security throughout the development lifecycle.

Alex joins us to discuss security champions, a topic near and dear to our hearts. We get into democratizing appsec, the value of security governance and empowerment activities for security champions and the organization, how scope, cost and effort fit, and the ROI of training and security champions. We hope you enjoy this conversation with...Alex Olsen.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mark Curphey is one of the creators of OWASP from the very early days. Mark worked in the background over the few decades of OWASP but has recently taken more to the spotlight. After running, he was elected and joined the OWASP Board of Directors. 

This conversation starts with the historical story of Mark and his history with OWASP. Then we jump into the visions for OWASP in the future and the plans in place to reach those goals. We hope you enjoy this conversation with...Mark Curphey.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tiago Mendo is a co-founder and CTO of Probely. He has extensive experience in pentesting applications, training, and providing all-around security consultancy. 

Tiago started working with security in the early 2000s, beginning with a tenure of 12 years at Portugal Telecom. While there, he built the web security team and worked with 150+ developers. He holds a Master's in Information Technology/Information Security from Carnegie Mellon University and a CISSP certification. 

He is also a qualified member of AP2SI, a non-profit organization that promotes Information Security in Portugal, and Co-Leader of the Lisbon OWASP Chapter. He is a frequent speaker at security events, such as Confraria da Segurança da Informação, BSides Lisbon, BSides Kraków and LASCON. 

Tiago Mendo joins us to discuss OWASP ZAP and DAST scanning at scale. Tiago shares what scanning at scale is, the common challenges development teams must overcome when scanning at scale, and how to overcome them using OWASP ZAP. We hope you enjoy this conversation with ... Tiago Mendo.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

J. Wolfgang Goerlich is an Advisory CISO for Cisco Secure. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices for cybersecurity consulting firms. 

Wolf joins us to talk about some security things that will stretch your mind, like security beyond vulnerabilities, how apps intended functionality can be misused, data privacy, and nudges and behavior science. 

Wolf challenged my thinking in this episode and pointed out a new area of threat modeling I had never considered. We hope you enjoy this conversation with... J. Wolfgang Goerlich.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of IT experience and a background in software engineering and web application development. 

Sam has worked for various financial services institutions in the City of London, specializing in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems. Sam holds a Master’s degree in Software Engineering and a CISSP certification. 

Sam joins us to introduce us to OWASP Nettacker. He describes the tool's capabilities, how you can put it into use in various scenarios for asset generation and vuln scanning, and how to contribute to the project going forward. We hope you enjoy this conversation with...Sam Stepanyan.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dolev Farhi is a security engineer and author with extensive experience leading security engineering teams in complex environments and scales in the Fintech and cyber security industries. Currently, he is the Principal Security Engineer at Wealthsimple. He is one of the founders of DEFCON Toronto (DC416). He enjoys researching vulnerabilities in IoT devices, participating in and building CTF challenges and contributing exploits to Exploit-DB.

Nick Aleks is a leader in Toronto's cybersecurity community and a distinguished and patented security engineer, speaker, and researcher. He is currently the Senior Director of Security at Wealthsimple, leads his security firm, ASEC.IO, and is a Senior Advisory Board member for HackStudent, George Brown, and the University of Guelph's Master of Cybersecurity and Threat Intelligence programs. A founder of DEFCON Toronto, he specializes in offensive security and penetration testing. He has over ten years of experience hacking everything from websites, safes, locks, cars, drones, and even intelligent buildings.

Dolev and Nick join us to unpack the world of GraphQL security. We introduce GraphQL, threats, and mitigations to secure your GraphQL instances. We hope you enjoy this conversation with....Dolev and Nick.

Important Links:

Link to the book → https://nostarch.com/black-hat-graphql

CrackQL → https://github.com/nicholasaleks/CrackQL

Damn Vulnerable GraphQL Application → https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With nearly 25 years of experience in the cyber-security industry, Guy held various positions in both corporates and startups.
In his role as the CTO for the cyber crisis management firm Profero, his focus is making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach.
Guy is the BSidesTLV chairman and CTF lead, a Public speaker in well-known global security events (SAS, t2, 44CON, BSidesLV, and several DefCon villages, to name a few), and the recipient of the Cisco “black belt” security ninja honor – Cisco’s highest cybersecurity advocate rank.
Guy joins us to explore his front-row seat for the incident response with Log4j. There are many AppSec lessons to learn by understanding the greater depth of Log4J. We hope you enjoy this episode with .... Guy Barhart-Magen.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brett Smith is a Software Architect/Engineer/Developer with 20+ years of experience. Specialties: Automation, Continuous Integration/Delivery/Testing/Deployment 
Expertise: Linux, packaging, and tool design. Brett joins us to discuss why he hates security and shares his vast knowledge of building a secure and cutting-edge build pipeline. We hope you enjoy this conversation with...Brett Smith.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chen Gour-Arie is the Chief Architect and Co-Founder of Enso Security. With over 15 years of hands-on experience in cybersecurity and software development, Chen demonstrably bolstered the software security of dozens of global enterprise organizations across multiple industry verticals. An enthusiastic builder, he has focused his career on building tools to optimize and accelerate security testing and all related workflows. Ken joins us to introduce the AppSec Map and provides a live demo of the catalog and what AppSec practitioners can use it for. We hope you enjoy this conversation with...Chen Gour-Arie.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dominique Righetto is an AppSec enthusiast and OWASP projects contributor. Dominique joins us to discuss the OWASP Secure Headers project. We discuss headers at a high level and then dive into all the goodies you'll find within the project, from awareness, guidance, and a test suite that can be integrated into your CI/CD pipeline to test your security headers. We hope you enjoy this conversation with...Dominique Righetto.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hillel Solow is Chairman of the Board at ProtectOnce, where he helps guide product and security strategy. Hillel is a serial entrepreneur in the cybersecurity space, but his favorite thing is still writing code at 2 am. 

Hillel joins us to discuss how to do appsec without a security team. We explore the building blocks of an appsec program, and what appsec looks like for companies of different sizes, from startup to midsize to enterprise.  Then dive into Hillel's most important advice for companies who can't afford a security person. We hope you enjoy this conversation with… Hillel Solow. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this episode of the Application Security Podcast, Chris Romeo walks through the origin story of Security Journey and shares some experiences taking a security startup from bootstrap to acquisition. Chris talks about how and why he started the company, what defining factors made Security Journey successful and why they're being acquired now. He ends by giving an overview of what to expect from Security Journey moving forward. We hope you enjoy this conversation with…Chris Romeo.

Check out these resources for more information about the acquisition!
Press Release: https://www.accesswire.com/702562/HackEDU-Acquires-Security-Journey-to-Provide-the-Most-Comprehensive-Application-Security-Training-Offering-Helping-Development-Teams-Deliver-Secure-Code-and-Protect-Data

Chris's Blog Post: https://www.securityjourney.com/post/hackedu-acquires-security-journey

Joe's Blog Post: https://www.hackedu.com/blog/hackedu-acquires-security-journey-to-create-industry-leading-application-security-offering

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this episode of the Application Security Podcast, we talk to Kristen Tan and Vaibhav Garg from Comcast. They wrote a paper called "An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy".  They join us to share their story about what they were doing and why they did it. We hope you enjoy this conversation with...Kristen and VG. 

https://www.usenix.org/publications/loginonline/analysis-open-source-automated-threat-modeling-tools-and-their

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Patrick is a Senior Product Security Engineer in the Application Security team at ServiceNow. He is also Co-Leader of the OWASP CycloneDX project. A lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Daniel Krivelevich is a cybersecurity expert and problem solver, with 15+ years of enterprise security experience with a proven track record working with 100+ enterprises across multiple industries, with a strong orientation to Application & Cloud Security. Daniel co-Founded Cider Security as the company’s CTO. Cider is a startup focused on securing CI/CD pipelines, flows, and systems.

Omer is a seasoned application and cloud security expert with over 13 years of experience across multiple security disciplines. An experienced researcher and public speaker, Omer discovered the Web Cache Deception attack vector in 2017. Omer leads research at Cider Security.

We hope you enjoy this conversation with...Omer and Daniel. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Josh Grossman has over 15 years of experience in IT Risk and Application Security consulting, and he has also worked as a software developer. He currently works as CTO for Bounce Security, where he focuses on helping organizations build secure products by providing value-driven Application Security support and guidance.
In his spare time, he is very involved with OWASP. He is on the OWASP Israel chapter board, he is a co-leader of the OWASP Application Security Verification Standard project, and he has contributed to various other projects as well, including the Top 10 Risks, Top Ten Proactive Controls and JuiceShop projects. We hope you enjoy this conversation with...Josh Grossman.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alex Mor is a passionate cybersecurity defender or breaker depending on the time of day, providing expert technical guidance to product teams and building security in their platforms. Alex joins us to talk about application risk profiling. He defines what this concept is to help us understand it. Then we talk about how can you do application risk profiling at scale? Whether you have ten applications or 1500 applications? How do you bring this together and gain real true security value from this idea of profiling your applications? We hope you enjoyed this conversation with Alex Mor.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brenna Leath is currently the Head of Product Security for a data analytics company where she sets the application security strategy for R&D and leads a team of security architects. Brenna originally joined us to talk about EO 14028 and the implications for private sector programs, BUT, we were chatting about security champions and product security leads, and we changed our focus to cover these topics instead. We hope you enjoy this conversation with...Brenna Leath.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Will Ratner is a software security professional with extensive experience building and implementing security solutions across a myriad of industries including banking, media, construction, and information technology. In his current role at Atlassian, Will focuses on improving the vulnerability management process by building highly scalable and automated solutions for the enterprise. Will joins us to discuss a centralized approach he built for container scanning. We explore the challenges and lessons learned, building a scalable, enterprise-grade solution, and how to build something that developers will see value in. We hope you enjoy this conversation with...Will Ratner.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Neil Matatall is an engineer with a background in security. He has previously worked at GitHub and Twitter and is a co-founder of Loco Moco Product Security Conference. Neil joins us for his second visit, to discuss account security at scale. He describes the underlying principles behind security at scale, how he worked to build a sign-in analysis feature, and how attacks were detected. We ended the conversation with an authentication lightning round, with Neil responding to various statements about authentication off the cuff! We hope you enjoy this episode with Neil Matatall.

Check out our previous conversation with Neil Matatall. 
https://www.buzzsprout.com/1730684/8122595-neil-matatall-content-security-policy

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Joern Freydank is a Lead Cyber Security Engineer with more than 20 years of experience. He is currently establishing the Threat Modeling Program at a major insurance company. Joern joins us to talk about security design anti-patterns. He defines the term, explains security debt, reviews the categories of anti-patterns, and walks us through the example of a common role misconception. We hope you enjoy this conversation with...Joern Freydank.

For more from Joern, check out his talk, Security Design Anti-Patterns -- Creating Awareness to Limit Security Debt, from Global AppSec: 
https://youtu.be/o_Wq7Ga4M-0

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ken Toler is a principal consultant at Kudelski Security and is passionate about building and optimizing application security programs that stick through strong adoption and ease of use. Ken has spent considerable time on all sides of the security aisle from playing defense and managing security teams to offense by breaking applications and reviewing code. Ken is also the host and creator of the Relating to DevSecOps podcast that focuses on forging strong relationships between engineers, operations, and security through collaboration, understanding, skill-sharing, and healthy debate. Ken joins us to talk about all things Blockchain and AppSec. We define Blockchain, discuss the connections between cloud, appsec, and blockchain, common architecture failures, pen testing, and even dive into smart contracts. We hope you enjoy this conversation with...Ken Toler.

Links from the episode:

Secureum Videos

https://www.youtube.com/c/SecureumVideos/videos

BLOCKCHAIN SECURITY: A NEED FOR TODAY’S BUSINESSES (COMPLETE GUIDE FOR BEGINNERS)

https://www.blockchain-council.org/blockchain/blockchain-security-a-need-for-todays-businesses-complete-guide-for-beginners/

The Rust Programming Language

https://doc.rust-lang.org/book/

Blockchain Security @ Kudelski

https://kudelskisecurity.com/services/applied-security/blockchain-security/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jeroen Willemsen is a passionate, hands-on security architect with a knack for mobile security and security automation. As a "jack of all trades," he has been involved with various OWASP projects and has developed various trainings. He has spent over 10 years as a full-stack developer and has worked as a (security) architect, security lead, and risk manager.

Ben de Haan is a Freelance Security consultant and engineer. Ben's specialties are architecting and implementing cloud security and building secure CI/CD environments in Agile, DevOps, and SRE cultures. Ben believes security should be built-in and can be scaled to meet these modern ways of working. Outside of regular work, Ben enjoys hosting security trainings or workshops, and he's an AWS NL Meetup regular.

Jeroen and Ben join us to speak about their OWASP project, Wrong Secrets. We discuss the problems secrets bring into applications and explore how you can use Wrong Secrets to bolster your knowledge of what not to do with secrets. We hope you enjoy this conversation with... Jereon and Ben.

Explore these helpful resources mentioned during the interview:
https://owasp.org/www-project-wrongse...
https://xebia.com/secure-deployment-1...
github; https://github.com/commjoen/wrongsecrets
free heroku dyno hosted version; https://wrongsecrets.herokuapp.com/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions. Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with...Adam Shostack.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Loren Kohnfelder has over 20 years of experience in the security industry. At Microsoft, he was a key contributor to STRIDE, the industry’s first formalized proactive security process methodology, and also program-managed the .NET platform security effort. At Google, he worked as a software engineer on the Security team and as a founding member of the Privacy team. Loren joins us to talk about his new book, Designing Secure Software. We start the conversation geeking out about his work to create STRIDE and digital certificates. We then discuss facets of the book, like secure software, security design review, and what he would implement if he could only do one thing to improve software security. We hope you enjoy this conversation with...Loren Kohnfelder.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ochaun Marshall is an Application Security Consultant. In his roles of secure ideas, he works on on-going development projects utilizing Amazon web services and breaks other people's web applications. Ochaun joins us to talk about SAST and IaC, static application security testing and infrastructure as code. We talk about what they are, how they work, the security benefits, some of the tools that make them possible, and we finish our conversation talking about developer empathy and why Ochaun has developer empathy as a result of some of the experiences that he has as a developer and as a security person. We hope that you enjoy this episode with...Ochaun Marshall.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and a Distinguished Engineer at StackHawk, a company that uses ZAP to help users fix application security bugs before they hit production. He has talked about and demonstrated ZAP at conferences all over the world. Prior to making a move into security, he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.
Simon joins us for the second time to refresh our knowledge of Zap, explain how to use Zap as an automation tool in your pipeline, and what he knows about rolling Zap out across an Enterprise. We hope you enjoy this conversation with....Simon Bennetts.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Timo Pagel has been in the IT industry for over fifteen years. After a system administrator and web developer career, he advises customers as a DevSecOps consultant and trainer. His focus is on security test automation for software and infrastructure and assessment of complex applications in the cloud. In his spare time, he teaches “Web and Application Security” at various universities. Timo joins us to talk about the OWASP DevSecOps Maturity Model or DSOMM. We explore maturity models, this specific one, how you can use it, and how to get started. We hope you enjoy this conversation with...Timo Pagel.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mazin Ahmed is a security engineer that specializes in AppSec and offensive security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, Linkedin, and Oracle, to name a few. Mazin is the developer of several popular open-source security tools that have been integrated into security testing frameworks and distributions. Mazin also built FullHunt.io, the next-generation continuous attack surface security platform. He is also passionate about cloud security, where he has been running dozens of experiments in the cloud security world. Mazin joins us to introduce Infrastructure as Code and TerraForm and discuss the security benefits IaC brings to our cloud environments. We hope you enjoy this conversation with...Mazin Ahmed.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dr. James Ransome is the Chief Scientist for CyberPhos, an early-stage cybersecurity startup. He is also a member of the board of directors for the Bay Area Chief Security Officer Council and serves as an adviser to ForAllSecure and Resilient Software Security.

Dr. Ransome's career includes leadership positions in the private and public sectors. He has served in three chief information security officer and four chief security officer roles before taking on Chief Product Security Officer roles over the last 11 years.  During this time, he has been building and enhancing developer-centric, self-sustaining, and scalable software security programs that are holistic, cost-effective, and operationally relevant. 

Brook S.E. Schoenfield is the author of Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models(CRC Press, 2015). Building In Security At Agile Speed (with James Ransome, Auerbach, 2021), focuses on software security for continuous development practices and DevOps. Brook helps clients with their software security and secure design practices. He mentors technical leaders to effectively deliver security strategy. He consults as a technical leader for True Positives, LLC and SEC Consult America’s holistic security architecture services. 

https://www.amazon.com/Building-Security-at-Agile-Speed/dp/0367433265/ref=sr_1_1?dchild=1&keywords=building+in+security+at+agile+speed&qid=1631297374&sr=8-1

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robert and I break down the OWASP Top 10 2021 Peer Review Edition. We walk through and give you our insights and highlights of the things that stand out to us and our questions. We feel it brings value to our audience's understanding of the OWASP Top 10 2021 and what it will likely look like when it comes out. We encourage you to go and do your own peer review of the document, submit your own poll requests, provide your feedback and issues on Github because together as a community, this is how we make this document better. Enjoy!

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Anastasiia Voitova is the Head of customer solutions and a security software engineer at Cossack Labs. She works on data security and encryption tools and their integration into the real world apps.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Eran Kinsbruner is the Chief Evangelist and Senior Director at Perforce Software. His published books include the 2016 Amazon bestseller, “The Digital Quality Handbook”, “Continuous Testing for DevOps Professionals”, and “Accelerating Software Quality – ML and AI in the Age of DevOps”. Eran is a recognized influencer on continuous testing and DevOps thought leadership, an international speaker, and blogger. Eran joins us to talk about the role of testing in a secure software pipeline. We talk about the intersection of security and quality, biggest challenges in getting started, and even a brief conversation about how SAST is used to check automotive software. We hope you enjoy this conversation with...Eran Kinsbruner.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mark Loveless - aka Simple Nomad - is a security researcher and hacker. He's spoken at numerous security and hacker conferences worldwide, including Blackhat, DEF CON, ShmooCon, and RSA. He's been quoted in the press including CNN, Washington Post, and the New York Times. Mark joins us to discuss his series of blog posts on Threat Modeling at GitLab. We discuss his philosophical approach, framework choice (spoiler alert, it's a pared down version of PASTA), and success stories / best practices he's seen for threat modeling success. We hope you enjoy this conversation with...Mark Loveless.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jeroen Willemsen is a Principal Security Architect at Xebia. Jeroen is more or less a jack of all trades with an interest in infrastructure security, risk management, and application security. With a love for mobile security, he enjoys sharing knowledge on various security topics. Jeroen joins us to unpack security automation in a DevOps world. We discuss categories of tools, typical quick wins, potential downsides, and how dependency management specifically plays into automation. We hope you enjoy this conversation with...Jeroen Willemsen.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kevin Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He leverages his knowledge to create meaningful solutions and technologies to improve software security practices. Kevin and I had a conversation to discuss software security from the past and into the future. We cover how to make security easier for developers, SBOM, software minimalism, cyber resiliency, and so much more! We hope you enjoy this conversation with...Kevin Greene.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jeevan Singh is a Security Engineer Manager at Segment, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Before life in the security space, Jeevan had a wide variety of development and leadership roles over the past 15 years. Jeevan joins us to speak about self-serve threat modeling at Segment or threat modeling based in democracy. We discuss their focus with the program, how it fits in their dev methodology and their ultimate goal with the threat modeling program. We hope you enjoy this conversation with... Jeevan Singh.

Additional Resources:

• https://github.com/segmentio/threat-modeling-training
• https://segment.com/blog/redefining-threat-modeling/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dima Kotik is an Application Security Engineer at Security Journey and has been programming in Python for years. As he was working on building out Security Journey's Secure Coding with Python content, he came across the Zen of Python, a set of guidelines for how to program in Python. He wrote a blog post about how to apply application security to the Zen of Python, and then we recorded this interview to talk about the concept in more depth. We hope you enjoy this interview with....Dima Kotik.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Before taking the plunge into information security leadership, Dustin Lehr spent over a decade as a software engineer and architect in a variety of industries, including retail, DoD, and even video games. This diverse background has helped him forge close partnerships with development teams, engineering leaders, and software security advocates while pursuing the organizational culture shift of building good security habits into daily work. Dustin joins us to talk about the challenges developers face with security and so much more. We hope you enjoy this conversation with...Dustin Lehr.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Aaron Rinehart is expanding the possibilities of chaos engineering to cybersecurity. He began pioneering security in chaos engineering when he released ChaoSlingr during his tenure as Chief Security Architect at UnitedHealth Group (UHG). Rinehart is the O'Reilly Author on Security Chaos Engineering and has recently founded a chaos engineering startup called Verica with Casey Rosenthal from Netflix. Aaron joins us to explain what the heck security chaos engineering is. We explore the origin story of chaos engineering and security chaos engineering and how a listener starts with this new technique. We hope you enjoy this conversation with...Aaron Rinehart.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this episode of the Application Security Podcast, we're joined by friends Izar and Matt, authors of the book "Threat Modeling: A Practical Guide for Development Teams." Izar is currently the Squarespace Principal Security Engineer. He lives in NY, where he enjoys telling people who separate security from development to get off his lawn. Matt is currently a Product & Application Security Engineer at Dell Technologies. Matt lives in Massachusetts, is an avid gamer, and enjoys time with his family when not thinking or talking to others about security. We discuss why they wrote the book, what it covers, the target audience, and how to wield the information within to threat model all the things. Robert and I both love the book, and highly recommend it, and on this episode, you'll hear why.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Charles is a Senior Security Consultant for Red Siege. He has over 18 years of experience in IT. In his spare time, Charles does retro gaming and works on the SECBSD open source project, a penetration testing distro. He currently works as Staff at several Security Conferences, podcasts (GrumpyHackers) (Positively Blue Team Cast), and is a part of the MentalHealthHackers DeadPixelSec NovaHackers and  HackingisNotaCrime Family. Charles joins us to talk about positivity in InfoSec. If you've never seen Charle's videos, you're missing out. We'll unpack what drives his positivity and how we as infosec / appsec people can embrace a more positive approach to our world. We hope you enjoy this conversation with...Charles Shirer.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Leif Dreizler is the manager of the Product Security team at Segment. Leif got his start in the security industry at Redspin doing security consulting work and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the LocoMocoSec Conference, and the AppSec California conference. Leif caught our attention when he published an article called Shifting Engineering Right: What security engineers can learn from DevSecOps. In this interview, we focus in on the tactical tips and takeaways from the article, or how you as a security person can shift engineering right. We hope you enjoy this conversation with...Leif Driezler.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vandana Verma is the President of Infosec girls and Infosec Kids, a board of directors member for OWASP, and a leader for BSides Dehli. She joins us to introduce the OWASP Spotlight Series. With each video she creates, she highlights an OWASP project. We survey the projects she's covered and discuss a specific takeaway from each for the application security person. We hope you enjoy this conversation with...Vandana Verma.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dr. Anita D’Amico is the CEO of Code Dx, which provides Application Security Orchestration and Correlation solutions to industry and government. Her roots are in experimental psychology and human factors. Her attention is now focused on enhancing the decisions and work processes of software developers and AppSec analysts to make code more secure. Anita joins us to discuss research she has done answering the question, "do certain types of developers or teams write more secure code?" Being a security culture fanatic, this topic is near and dear for me. We hope you enjoy this conversation with...Dr. Anita D'Amico.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alyssa Miller is a life-long hacker, security advocate, and cybersecurity leader. She is the BISO for S&P Global ratings and has over 15 years of experience in security roles. She is heavily involved in the cybersecurity community as an international speaker, author, and advocate. Alyssa joins us to talk about bringing security to DevOps and the CI/CD pipeline. We talk about the success of the DevOps transformation, mistakes AppSec teams make with DevOps and explore the possible idea that DevSecOps is its own silo. We hope you enjoy this conversation with...Alyssa Miller.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Liran Tal is an application security activist and long-time proponent of open-source software. He is a member of the Node.js security working group, an OWASP project lead, author of Essential Node.js Security, and O’Reilly’s Serverless Security. He is leading the developer advocacy team at Snyk in a mission to empower developers with better dev-first security. Liran joins us to talk about cloud-native and application security. We begin by defining cloud-native and the changes it is causing. We then get into threats in a cloud-native world and the role of developers and AppSec. We hope you enjoy this conversation with…. Liran Tal.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For this episode, Robert and I decided to talk about an article I wrote called "DevOps security culture: 12 fails your team can learn from". We hope you enjoy this walkthrough of the 12 fails. If we missed any, hit us up on Twitter and let us know what we should add to the list.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jim Routh has built software security programs at some of the biggest brands in the world. He has served as CISO or CSO six different times in his career, always staying close to his cyber and software security roots. Jim has hung up his CISO badge and now focuses on serving on boards and advising security-focused startups. Jim’s original AppSec podcast episode is our #1 listened to of all time. Having the opportunity to interact with Jim and absorb his vast wisdom and knowledge is a treat for everyone. At the end of this interview, my immediate thought was to go back and listen to this one again. Jim talks with us about the impact of DevSecOps on the CISO, security controls for a devsecops pipeline model, and “shift left” still the dominant theme for software security. We hope you enjoy this conversation with Jim Routh.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Andrew van der Stock has been around the world of Application Security for quite a long time. In 2020, he took over as the Executive Director of OWASP, and he's working from within the organization to further the mission of taking application security to the masses. We discuss Andrew's OWASP origin story and he defines OWASP and the OWASP core mission. We talk membership, the future, and drop some details about the upcoming 20th anniversary of OWASP. We hope you enjoy this conversation with Andrew van der Stock.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JC Herz is the COO of Ion Channel, a software logistics and supply chain assurance platform for critical infrastructure. She is a visiting fellow at George Mason’s National Security Institute and co-chairs a Department of Commerce working group on software bills of materials for security-sensitive public and private sector enterprises. JC and Steve Springett join  to talk all things software bill of materials. We define what an SBOM is and what it’s used for. We talk threats that SBOM counters, who started it, and what the OWASP tie in. JC concludes our time by explaining why now is the time YOU must care about SBOMS. We hope you enjoy this conversation with…. JC Herz and Steve Springett.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brian Reed is Chief Mobility Officer at NowSecure. Brian has over 30 years in tech and 15 years in mobile, security, and apps dating back to the birth of mobile including BlackBerry, Good Technology, BoxTone, and MicroFocus. Brian joins us to discuss mobile application security, the good, the bad, and the ugly as we head into 2021. We discuss recent issues in mobile apps, mobile firewalls, mobile vs. web, and how AppSec is different in a mobile world. We hope you enjoy this conversation with…Brian Reed.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is part two of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. In this episode, we move on from definition to working through the values and principles that make up threat modeling, and then we ship the product.

The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.

• Zoe Braiterman
• Adam Shostack
• Jonathan Marcil
• Stephen de Vries
• Irene Michlin
• Kim Wuyts
• Robert Hurlbut
• Brook S.E. Schoenfield
• Fraser Scott
• Matthew Coles
• Chris Romeo
• Alyssa Miller
• Izar Tarandach
• Avi Douglen
• Marc French

Other episodes on threat modeling:

• The Threat Modeling Manifesto – Part 1
• Adam Shostack — Remote Threat Modeling
• Kim Wuyts — Privacy Threat Modeling
• Izar Tarandach — Command line threat modeling with pytm
• Stephen de Vries — Threat Modeling with a bit of #Startup

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is part one of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. Our intention is to share a distilled version  of our collective threat modeling knowledge in a way that should inform, educate, and inspire other practitioners to adopt threat modeling as well as improve security and privacy during development.

We developed this Manifesto after years of experience thinking about, performing, teaching, and developing the practice of, Threat Modeling. We have diverse backgrounds as industry professionals, academics, authors, hands-on experts, and presenters. We bring together varied perspectives on threat modeling. Our ongoing conversations, which focus on the conditions and approaches that lead to the best results in threat modeling, as well as how to correct when we fail, continue to shape our ideas.

The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.

• Zoe Braiterman
• Adam Shostack
• Jonathan Marcil
• Stephen de Vries
• Irene Michlin
• Kim Wuyts
• Robert Hurlbut
• Brook S.E. Schoenfield
• Fraser Scott
• Matthew Coles
• Chris Romeo
• Alyssa Miller
• Izar Tarandach
• Avi Douglen
• Marc French

Other episodes on threat modeling:

• Adam Shostack — Remote Threat Modeling
• Kim Wuyts — Privacy Threat Modeling
• Izar Tarandach — Command line threat modeling with pytm
• Stephen de Vries — Threat Modeling with a bit of #Startup

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is our final episode of Season 7, and we thought we'd share some of our favorite clips with you. We've covered lots of ground, from featuring many OWASP projects to DevSecOps, penetration testing, AWS security, SameSite cookies, crypto, and that just scratches the surface. We hope you enjoy this wrap-up episode with.... A whole bunch of Season 7 guests.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jb Aviat is CTO and co-founder at Sqreen. Prior to this, Jb worked at Apple as a reverse engineer, pentester, and developer. Jb joins us to discuss the new Application Security Report that Sqreen has released. We review what the report contains, key takeaways and conclusions, and even consider which framework/language is the most secure. We hope you enjoy this conversation with…. Jb Aviat.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Frank Rietta is the CEO of Rietta.com, a Security Focused Web Application Firm. He is a web application security architect, expert witness, author, and speaker. Frank joins us to discuss secure coding with Ruby on Rails. We get into a discussion about RoR vs. other languages, primary threats, counters to threats, and tools available for the RoR developer to assist with security. We hope you enjoy this conversation with… Frank Rietta.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dmitry Sotnikov serves as Chief Product Officer at 42Crunch – an enterprise API security company. He maintains https://APISecurity.io, a popular community site with daily API Security news and weekly newsletter API vulnerabilities, breaches, standards, best practices, regulations, and tools. Dmitry joins us to discuss REST API Security. We talk about the top API security threats, counters to those threats, and the details on APISecurity.IO. We hope you enjoy this conversation with … Dmitry Sotnikov.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec Product Manager, and day-to-day leadership roles at eBay and Zynga. Caroline joins us to talk about penetration testing and reviews key findings from the Cobalt.io "State of Pentesting" report. We hope you enjoy Caroline Wong’s second visit to the Application Security Podcast.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Aaron Davis is a founder, dev, and a lead security researcher at MetaMask, a popular Ethereum wallet. He introduces us to LavaMoat, an approach to solving javascript software supply chain security for node and the browser. The LavaMoat runtime prevents modifying JavaScript's primordials, limits access to the platform API, and prevents packages from corrupting other packages. We hope you enjoy this conversation with… Aaron Davis.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Anastasiia Voitova is a software engineer who works on data security solutions at @cossacklabs, making complex crypto easy-to-use in modern software. She joins us to explore the idea of boring crypto. She caught our attention with a talk at OWASP 24 where she encouraged developers to NOT learn crypto. You'll have to listen to understand her rationale. She explains mistakes folks make with crypto, boring crypto, and how to get started implementing boring crypto. We hope you enjoy this conversation with…Anastasiia Voitova.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Michael Furman is the Lead Security Architect at Tufin, and is responsible for the security and Security Development Lifecycle (SDL) of Tufin software products. Michael is passionate about application security for over 13 years already and evangelizes about application security at various conferences (including OWASP conferences) and security meetups. Michael joins us to break down SameSite cookies, which are all the rage in browsers these days. He describes what they are, the threats they counter, and how SameSite + the Synchronizer Token Pattern work together to counter CSRF. We hope you enjoy this conversation with…. Michael Furman.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application security applies to everyone, network architects included. Chris had an opportunity to join a friend's Podcast called "The Hedge." Chris talks with hosts Tom and Russ about the state of security and what network engineers need to know about security from an application perspective. They talk about the importance of empathy in all jobs, walking a mile in the shoes of those that work around you.

You’ll find this episode on the Hedge site at https://rule11.tech/hedge-048/.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Neil Matatall is a product security engineer at GitHub. He focuses on designing and engineering user experiences solutions related to authentication and account recovery. Working remotely from Hawaii, Neil is a strong believer in the future of remote work. Neil joins us for a deep-dive into Content Security Policy. We explore what it is, the purpose, and why it’s so difficult to implement.

We hope you enjoy this conversation with… Neil Matatall.

https://github.com/github/secure_headers

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Grant Ongers is co-founder of the bearded trio called Secure Delivery, with a philosophy and purpose for optimal delivery and security in one dynamic package. Grant's experience spans Dev, Ops, and Security, with over 30 years pushing the limits of (Info)Sec. Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at BlackHat (USA and EU), and an OWASP Global Board member.

Grant joins us to talk about gamification and threat modeling, and introduces me to the OWASP Cornucopia card game, which you can use to teach developers and product team members threat modeling, in a fun and engaging way.

We hope you enjoy this conversation with…. Grant Ongers. @rewtd

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Elie Saad is an application security engineer, leading three different OWASP projects. He focuses on helping developers own and champion security in their projects by providing guidance, tests, secure pipeline design and aiding them in applying external security measures. In this conversation, Elie educates us about the current happenings with WSTG, Cheat Sheets, and the Integration Standard. He walks us through demo’s of each project.

We hope you enjoy this conversation with Elie Saad. @7hunderson

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Graham Holmes is the founder and owner of AoP CyberSecurity, LLC whose mission is to enable organizations to “create scalable and effective strategies for trustworthy outcomes.” His career includes over 22 years as a leader at Cisco Systems, where he infamously served as my boss for a period of time, and before that he served in the US Navy as a commissioned officer for 9 years. Graham joins us to discuss adversarial machine learning. We explore the threats and attacks in an AI/ML world, and review solutions to address these challenges using trust as a foundation. Please enjoy this conversation with Graham Holmes.

Its Life 3.0

https://www.amazon.com/Life-3-0-Being-Artificial-Intelligence/dp/1101946598

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ochaun Marshall is a developer and security consultant. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people's web applications. Ochaun joins us to talk about the changing tide of serverless and frustrations with AWS security. Before we got to the actual topic, we talked about how he currently works as a developer some times, and a pen tester/security person the rest of the time, and the conflict that arises from this split role. Please enjoy this conversation with…Ochaun Marshall.

@OchaunM

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Drew joins us to introduce a tool called semgrep. Semgrep is a fast source code analysis tool, potentially faster than anything you've seen before. If you want to see the live demo of semgrep, head over to the Application Security Podcast Youtube channel to see the video.

We hope you enjoy this conversation with… Drew Dennison.

Twitter: DrewDennison

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Aaron Guzman specializes in IoT, embedded, and automotive security. Aaron is the Co-Author of “IoT Penetration Testing Cookbook”. He helps lead both OWASP’s Embedded Application Security and Internet of Things projects; providing practical guidance for addressing top security vulnerabilities to the embedded and IoT community. Aaron joins us to explore IoTGoat. IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices. He describes what it is, where it comes from, and does a demo for us on how to put it to use.

For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screen during the interview. We hope you enjoy this conversation with…Aaron Guzman.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. Adam joins us to discuss his new white paper called the Jenga View of Threat Modeling. For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture a screen during the interview.

You can grab a copy of the whitepaper on Adam’s site, https://associates.shostack.org/whitepapers.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cindy Blake is the Senior Security Evangelist at GitLab. Cindy collaborates around best practices for integrated DevSecOps application security solutions with major enterprises. She is proud to introduce her new book, “10 Steps to Securing Next-Gen Software”. The book combines her cyber security experience with a background in lean and software development, and simplifies the complexities of today’s software evolution into pragmatic advice for security programs. Cindy joins us to discuss how to align security testing with Agile development.

For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screen during the interview.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jannik Hollenbach is a Security Automation Engineer at iteratec GmbH, working on and with open source security testing tools to continuously detect security vulnerabilities in the companies software and systems. He is also a member of the OWASP Juice Shop project team. Jannik joins us to discuss MultiJuicer, or how to run JuiceShop in a Kubernetes cluster, with a separate JuiceShop instance for each user.

For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screens during the interview.

We hope you enjoy this conversation with.. Jannik Hollenbach.

Links:

• https://github.com/iteratec/multi-juicer

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sebastien Deleersnyder is co-founder, CEO of Toreon, and Bart De Win is a director within PwC Belgium. They work together to co-lead both the OWASP Belgium Chapter and the OWASP SAMM project. Sebastien and Bart join us to introduce OWASP SAMM 2.0. OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security they can integrate into an existing Software Development Lifecycle (SDLC). We explore where it came from, and walk through the framework.

For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture a screen during the interview.

We hope you enjoy this conversation with… Sebastien and Bart.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We’ve reached the end of season six, and here are a few of our favorite clips. Season seven is around the corner.

• S06E01 — Marc French — The AppSec CISO
  • What are some tips for someone who wants to become a CISO? Is there such a thing as a CISO school?
• S06E05 — Steve Lipner — The Past, Present, and Future of SDL
  • Lipner is a giant in the industry and someone that I’ve looked up to for years. After some setup, I ask him for a definition of SDL.
• S06E08 — Maya Kaczorowski — Container and Orchestration Security
  • Containers are not a security tool. Do you agree or disagree? The philosophy of container security.
• S06E10 — DJ Schleen — DevOps: The Sec is Silent
  • DevOps/DevSecOps Unicorns.
• S06E15 — Kim Wuyts — Privacy Threat Modeling
  • We walk through the LINDUN privacy threat modeling framework, step by step.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mark Merkow works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO. Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis, and design, security engineering, and security management. Mark has authored or co-authored 17 books on  IT and has been a contributing editor to four others.

Mark joins us to discuss how application security and Agile software development methodology fit together. We hope you enjoy this conversation with… Mark Merkow.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Zsolt is the founder and CTO of GUARDARA with more than 15 years of experience in cybersecurity, both on the offensive and defensive side. Zsolt explains fuzz testing, who does it, and why. He also helps us to understand how to deal with fuzz testing results, and how to get started doing fuzz testing on your own. We hope you enjoy this conversation with … Zolt Imre.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the Youtube version of the episode. Bio: Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author and game designer. He has taught threat modeling at a wide range of commercial, non-profit and government organizations. He’s a member of the Black Hat Review Board, is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the main forces behind the development and extension of LINDDUN, a privacy threat modeling framework that provides systematic support to elicit and mitigate privacy threats in software systems. Kim joins us to explain the difference between security and privacy and introduce us to LINDDUN and how to use it.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

John Martin has owned responsibilities ranging from Software Supply Chain to DevSecOps Security Champions to Cloud Security Monitoring. His career spans the years between Blue-Box MF generators, through the era of automated hacks, and into our modern age of industrialized paranoia. He is a frequent speaker on the topic of commercial software security and a contributor to many SAFECode and CSA efforts. John joins us to discuss the prevention of a cyberpocalypse. You heard it correctly. Now tune in to learn what a cyberpocalypse is and why you need to care about it. We hope you enjoy this conversation with John Martin.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project; a software composition analysis tool that identifies known vulnerable 3rd party libraries. Jeremy joins us to share the origin story of dependency check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alyssa is a hacker, security evangelist, cybersecurity professional and international public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments but also helping develop complete security programs. Alyssa joins us to share her take on DevOps, automation, and beyond. She also shares a great story about how she got domain admin in 3 minutes.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vandana Verma is a passionate advocate for application security. From serving on the OWASP Board to running various groups promoting security to organizing conferences, she is engaged in making the global application security community a better place. She manages the @Infosecgirls organization and is a leader for the @OWASPBangalore chapter. Vandana joins us to discuss her work so far on the OWASP Board, to discuss her AppSec DC keynote on diversity, and to catch us up on InfoSecGirls and WIA.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DJ Schleen is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey. DJ joins us to talk about the philosophy of DevOps and flow, DevSecOps and silos, and the DevSecOps reference architectures. We hope you enjoy this conversation with… DJ Schleen.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending and building secure applications. Neils joins us to continue our .NET conversation from last year. This time around we focus on the 3rd party risk we pull into our applications by using third party libraries in a .NET conversation from last year. This time around we focus on the 3rd party risk we pull into our applications by using third party libraries in a .NET world.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Maya has a Master's in mathematics, focusing on cryptography and game theory. Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for enhancing security as you role out containers and Kubernetes.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Geoffrey Hill is an AppSec DevSecOps leader and Architect. Geoff joins us to discuss his experiences rolling out DevSecOps in both Agile and non-Agile practicing shops. We hope you enjoy this conversation with...Geoff Hill.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy this conversation with … Erez Yalon.

Find the Document on the OWASP GitHub: https://github.com/OWASP/API-Security

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Steve Lipner is a pioneer in cybersecurity, approaching 50 years’ experience. He retired in 2015 from Microsoft where he was the creator and long-time leader of Microsoft’s Security Development Lifecycle (SDL) team. While at Microsoft, Steve also created initiatives to encourage industry adoption of secure development practices and the SDL and served as a member and chair of the SAFECode board. Steve joins us to talk about all things SDL, and I must say, I was super excited for this interview, with way too many questions for someone who was there on day 1 of Secure Development Lifecycle. We hope you enjoy this conversation with…Steve Lipner.

You’ll find Steve’s Bio on the SafeCode website.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

David Kosorok is a code security expert, software tester, father of 9, and a self-described major nerd. David is the Director of AppSec at Align Tech, and a fellow member of the Raleigh Durham tech community. David joins us to speak about the three pillars of building an application security program: Prevent, Detect, and React. When we think the program, we’ve never heard anyone relate a program this way, and thought you needed to hear about a different approach to program building. We hope you enjoy this conversation with…. David Kosorok.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As the hosts of the Application Security Podcast, we get the opportunity from time to time to mix it up. This week we gather a few security articles, share a summary, and offer our opinions (for what our opinions are worth). The source of the articles is Hi-5,  a weekly newsletter containing five security articles that are worth your time. We scour the Interwebs looking for the best articles on application and product security and share those with you. You can subscribe to Hi-5 on the Security Journey website.

Hit us up on Twitter and let us know if you like this format and if we should do more of this type of content. We hope you enjoy this episode with, Chris and Robert.

These are the articles:

Interest In Secure Design Practices Is Increasing Leading To Two Predictions

Developers mentoring other developers: practices I’ve seen work well

7 Web Application Security Best Practices

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bill Dougherty is the vice president of IT and security at Omada Health, where he leads a team responsible for all aspects of internal IT including SaaS strategy, end-user support, vendor management, operational security and compliance. Bill along with Patrick Curry created the INCLUDES NO DIRT approach to threat modeling, which takes threat modeling to the next level, beyond STRIDE, and goes head on with a more modern set of real-world security considerations. We hope you enjoy this conversation with, Bill Dougherty.

Find Bill on Twitter @bdognet.

For an article about the methodology, see INCLUDES NO DIRT: A Practical Threat Modeling Approach for Digital Healthcare and Beyond 

For the paper that describes the methodology and how to implement, see INCLUDES NO DIRT

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Marc French is a security person, firearms geek, scuba guy, lousy golfer, and an aspiring blacksmith. We met Marc in the hallway at the Boston Application Security Conference. Marc has extensive experience as a CISO but came from the world of AppSec to the exec suite, which is not the normal path. We discuss what is a CISO, and what does a CISO actually do, the role of AppSec in the life of the CISO, and tips Marc has for those that wish to become a CISO someday. We hope you enjoy this conversation with Marc French.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Threat modeling, secrets, mentoring, self-care, program building, and much more. Clips from Georgia Weidman, Simon Bennetts, Izar Tarandach, Omer Levi Hevroni, Tanya Janca, Björn Kimminich, Caroline Wong, Adam Shostack, Steve Springett, Matt McGrath, Brook Schoenfield, and Ronnie Flathers.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ronnie Flathers is a security guy, a pentester, and a researcher. In this conversation, we explore his experiences in building application security programs. He's had the opportunity to program build inside of companies big and small.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brook Schoenfield is a Master Security Architect @IOActive and author of Securing Systems, as well as an industry leader in security architecture and threat modeling, and a friend. "We have a static analysis tool. Why do we need a program?" This is what Brook overheard at one point in his past, from a company CTO, and it sums up the program issue. The CTO was trying to drive a technical strategy for an entire company, and security was just one piece of that. A mandate or a tool would have made life so easy.

Brook takes us on a journey based on his experience building programs, with advice, stories, comments, and quotes. We talk about architecture, culture, mindset, tools, compilers and so much more.

Catch Brook’s next book, “Secrets of a Cyber Security Architect” which arrives in Fall 2019.

Here is Brook’s first book on Amazon: Securing Systems: Applied Security Architecture and Threat Models

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Liran Tal is a Developer Advocate @snyksec and is the author of Essential Node.js Security. He takes #opensource and protecting the #web very seriously. Liran and I start by geeking out about BBS's in the days of old. SYSOP page, anyone? Then we go into the state of open source security based on the report that Liran contributed heavily to and discuss many of the key takeaways from that report, including the developer response to open source security, security vulnerability rates in docker containers, and the length of time that vulnerabilities lie dormant in open source. We close out with the three things Liran would do to improve open source security if he could only do three things.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Why should someone care about open source security?

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Steve Springett is a technologist, husband, father, entrepreneur, and tequila aficionado. He is the creator of the OWASP @DependencyTrack and @CycloneDX_Spec. In this conversation, we begin with the problem of software supply chain risk and the failures of commercial Software Composition Analysis tools. We then go through an extensive list of criteria for purchasing a software composition analysis tool. I have never seen a list like this ever shared anywhere in the industry. Steve is definitely in the know when it comes to these types of tools, and this is a detailed checklist of what he looks for in a tool.  We end with a 60-second update on Dependency Track.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The question is for Steve Springett, in regards to Software Composition Analysis / Software Supply Chain and OWASP Dependency Track.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Elissa Shevinsky is CEO at Faster Than Light. She's had a storied career as an entrepreneur with Brave, Everyday Health, and Geekcorps. We discuss Elissa's origin story, security startups, and the value of mentoring to her career. Then we get into Static Analysis and how we make security easier for people so that security gets done.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robert asks Elissa Shevinsky, why should people be nice, or why is niceness important in security?

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Matt McGrath is an old school Java developer that made the transition into security. Matt has had success in rolling out a programmatic approach to security improvement called security coaching. A security coach is much more than a wellness or life coach for your developers. They have some commonalities, but the security coach is thinking about how you help the developer want to get better at security. In his experience, developers are not going to kick and scream away from security but will embrace it when asked.

The job description for a good coach does not require a development background. The biggest thing you need is a passion for security. Communication is one of the most important things for a coach to have as well, and technical skills do not hurt.

We hope you enjoy this conversation with Matt McGrath.

Our sponsor for this episode is Security Journey. Security Journey knows that building security culture takes time and planning. Our belts are carefully designed to help you build security culture from the ground up.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Erez Yalon and Liora Herman are both passionate security professionals. They joined forces to create the AppSec Village, an event at DefCon in Las Vegas. If you are in Vegas for BH/DC, stop by the village and say hi to Robert, who will be in attendance as well.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It's BlackHat and DefCon season, so we asked a question of Erez Yalon; why did you start the AppSec Village?

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA members to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software.  This document caught our attention when it came out a few months ago, as it is a reliable representation of all the pieces an organization needs for software security. Tommy shares with us some of the background stories on how this document came to be, and also walks through the various pieces contained within.

If you’d like to comment or collaborate on this document, it is available in the review form at https://github.com/thomasrbsa/BSA-Framework-for-Secure-Software

The PDF is available on the BSA website: https://www.bsa.org/files/reports/bsa_software_security_framework_web_final.pdf

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modeling. In this episode, we take threat modeling to a whole new level as we explore the idea of threat modeling layer 8 or human beings, and explore the concept of conflict modeling.

You’ll find Adam’s conflict modeling work on GitHub.

https://github.com/adamshostack/conflictmodeling

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you've done anything with threat modeling, you've heard of Adam Shostack. We asked him the question, "why would anyone threat model?".

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Zoe Braiterman is an Innovation Intelligence Strategist focused on both the Machine and Human and also the OWASP WIA Chair. We explore the intersection of application security with artificial intelligence and machine learning and end up discussing data protection. Zoe approaches AppSec from a different angle, and her perspectives get us thinking about the importance of appsec in the future of autonomous everything.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Caroline Wong has had a long career in security, starting with eBay and leading to her role today at Cobalt.IO as Chief Strategist. Caroline shares her explanation of self-care and tells her story about how neglecting self-care led to problems. She offers ideas about how to better approach self-care as a security professional, work-life balance, and ways for approaching a successful career in security.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Björn Kimminich is the project leader for OWASP JuiceShop. This is his second visit to the podcast, and we discuss new features in JuiceShop, including XSS in jingle promo video, marketing campaign coupon hacking, GDPR related features and challenges, working 2FA with TOTP, and the DLP failure challenges. Then we get into the cool new things that will come as a result of the GSoC, where a developer will add new functionality to the JS where new vulns can be hidden. We end discussing the upcoming Open Security Summit from OWASP.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Björn Kimminich is the project leader for OWASP JuiceShop. He created JuiceShop out of necessity, after reviewing all the available vulnerable web apps years ago, and not finding what he needed. OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Nancy Gariché and Tanya Janca are two of the project leaders for the OWASP DevSlop Project. As we learn more about DevSlop, we realize that it is much more than a project: it's a movement. DevSlop is about the learning and sharing of four awesome women and is a platform for them to share what they’ve learned with the community.

DevSlop consists of four different modules:

1. Patty – An Azure DevSecOps pipeline
2. Pixi-CRS & Pixi-CRS-ZAP are two Circle-CI pipelines that demonstrate adding a WAF to your pipeline for automatic tuning before moving your apps to prod
3. Pixi is an intentionally vulnerable app and consists of a vulnerable web app and API service,
4. The DevSlop Show, a video streaming series where project members build things live, interview members of the OWASP and InfoSec community, and learn where they fit into DevOps.

We hope you enjoy.

Find Nancy, Tanya, and DevSlop on Twitter.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tanya Janca is excited about mentoring. She's started a hashtag on Twitter for mentors to find mentee's, and for mentee's to search for mentors. Mentoring is such an essential part of growing our community, so if you are not mentoring anyone today, I can only ask, why not? Here is Tanya's take on mentoring and her advice on how to get involved with #MentoringMonday.

5 Minute AppSec is an AppSec Podcast experiment with micro-content. Hit us up on Twitter and tell us what you think, @AppSecPodcast.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Matt Clapham is a product security person, as a developer, security engineer, advisor,  and manager. He began his career as a software tester, which led him down the path of figuring out how to break things. Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. (And if he visits your booth at an event, you better know how your companies make a secure product or solution!)

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jon McCoy is a security engineer, a developer, and a hacker; and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion to connect people and break down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas.  Jon also remembered a cautionary tale of Robert’s Fitbit out at a DefCon event. Jon is someone we can all learn from about giving back to our community.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Omer Levi Hevroni has written extensively on the topic of Kubernetes and secrets, and he's a super dev. He's the author of a tool for secrets management called Kamus. Kamus is an open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS, and AES).

Find Omer on Twitter to converse about all things K8s and secrets.

Show notes:

https://blog.solutotlv.com/can-kubernetes-keep-a-secret/

https://github.com/Soluto/kamus

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as a "A Pythonic framework for threat modeling". The GitHub page goes on to say define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate, a Data Flow Diagram (DFD), a Sequence Diagram and most important of all, threats to your system.

Reach out to Izar on Twitter and visit the pytm GitHub page to download and try this tool out for yourself!

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and ZAP API. ZAP is an OWASP FlagShip Project and is available here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Georgia Weidman (@georgiaweidman) met with Robert at CodeMash to discuss her origin story, mobile, IoT, penetration testing, and details about her various companies. If you've never seen Georgia's book on penetration testing, we recommend you grab a copy. http://www.nostarch.com/pentesting To sign up for the  newsletter mentioned at the start of this week's show, visit https://info.securityjourney.com/hi5signup

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here it is. The finale of season four. Thanks to everyone who listens in, and remember, if there are any people you want us to interview on the podcast, tweet at us @AppSecPodcast

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Geoff Hill joins Chris and Robert to talk about Rapid Threat Model Prototyping Process. You can find Geoff on Twitter @Tutamantic_Sec

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bill Wilder joins Chris and Robert to talk about Running Azure Securely. You can find Bill on Twitter @codingoutloud

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Matt Konda joins Chris and Robert to talk about what Glue is.

You can find Matt on Twitter @mkonda

OWASP Glue

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Josh Grossman, Avi Douglen, and Ofer Maor at AppSec USA join Chris. They discuss the AppSec group in Israel and a few critical talks you should watch from AppSec USA this year.

You can find Josh on Twitter @JoshCGrossman

You can find Avi on Twitter @sec_tigger

You can find Ofer on Twitter @OferMaor

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Daniel Miessler joins Chris and Robert to talk about the upcoming Top 10 list for IoT.

You can find Daniel on Twitter @DanielMiessler

IoT Project

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Travis McPeak joins Chris to talk about SecOps and how it can help make a developer's life easier. 

You can find Travis on Twitter @travismcpeak

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~