Time to discuss AppSec issues no one talks about.
Today, I'm joined by Jamie Scott, a recovering cybersecurity practitioner turned founding product manager at Endor Labs. Previously, Jamie served as Product Manager of Security at Redis, where he was an active open-source contributor, and as DevSecOps Manager at Cygna Healthcare.
Jamie is also a Certified Information Systems & Cloud Security Professional and continues to contribute to the cybersecurity community. He co-authored several benchmarks and volunteers as a consultant for the Center for Internet Security.
In this episode, we dive into the topic of IDE plugins: Do they really help you boost your coding security, or are they just hopium? Jamie has firsthand experience trying to roll out an IDE security program in his career and shares his perspective, leaning more towards the “hopium” side of things. He’s observed that developers often don't proactively use them, which raises the question—are these tools really effective?
Dive right in!
Connect with Jamie: https://www.linkedin.com/in/james-m-scott-iii/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
Mentioned
CIS Benchmark for NGINX: https://www.cisecurity.org/benchmark/nginx
The Challenger Sale: Taking Control of the Customer Conversation: https://www.amazon.com/Challenger-Sale-Control-Customer-Conversation/dp/1591844355
Shannon Lietz (DevSecOps Lead at Intuit) Keynote in 2016 https://www.youtube.com/watch?v=ru11MSYPBBQ
Today, I’m joined by Chris Lindsey, who, at the time of recording, was an AppSec Evangelist at Mend. Formerly an AppSec Architect, Chris brings over 15 years of direct security experience and more than 35 years of leadership in programming, software, solutions, and security architecture.
For several years, Chris built and led an entire application security program, including oversight of security processes, procedures, tools, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.
Chris also is a seasoned speaker and the host of the Secrets of AppSec Champions podcast.
In this episode, we discuss why many still view DAST as a checkbox rather than a critical component of security—and how that perspective is changing, especially with the rise of modern DAST tools. We’ll also explore how to strategically integrate DAST with other tools in your AppSec program.
If you agree with Chris that we need to stop treating DAST like a dessert, this episode is for you.
Dive right in!
This podcast is brought to you by
Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
Mentioned
Chris’ article on DAST https://www.mend.io/blog/dont-treat-dast-like-dessert/
Alexandra’s interviews with AppSec engineers “What’s wrong with the correct state of DAST” https://escape.tech/blog/what-is-wrong-with-the-current-state-of-dast-feedback-from-my-conversations-with-appsec-engineers/
The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win https://www.amazon.com/-/en/Gene-Kim/dp/0988262592
Secrets of AppSec Champions: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7
Today, I’m joined by someone many of you will instantly recognize — Tanya Janca, also known as She Hacks Purple and a key community leader at Semgrep.
With nearly three decades in IT, Tanya has earned countless awards, including OWASP Lifetime Distinguished Member and Hacker of the Year. She’s spoken on stages around the world and trained thousands of software developers and security professionals along the way.
Her first book was one of the earliest I read on application security — and honestly, her work gets mentioned more than almost anyone else’s by guests, season after season.
Now, with the release of her latest book on secure coding, we dive into a big question: Can we actually expect developers to write secure code? And if so, how do we make secure coding a foundational part of education — not an afterthought? We explore the challenges, the role of governments in promoting security standards, and the mindset shifts needed to get there.
We also touch on Tanya’s passion for community, and how genuinely useful content (which isn’t always a given in security) can make all the difference in helping others learn and grow in AppSec. And with that, get ready to hear Tanya’s opinions.
Dive right in!
Today, I’m joined by Curtis Koenig, a seasoned application security leader managing AppSec programs for global brands. At Gen Inc., he secures all products through CI/CD integration, secure coding, and a bug bounty program. Previously, at Booking.com and Snap Inc., he scaled security operations, enhanced authentication systems, and streamlined compliance processes. With expertise in secure development and threat modeling, Curtis is a recognized authority in enterprise application security.
In this episode, we explore how insights from neuroscience align with the decisions developers and security professionals make about securing applications. We also discuss how storytelling through metrics can reduce panic, drive software quality, and foster stronger team dynamics.
If you’re looking to learn how an experienced AppSec leader ensures his team’s success through psychology, this episode is for you.
Dive right in!
Connect with Curtis: https://www.linkedin.com/in/curtisko/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by
Escape: https://escape.tech — Modern DAST built to test for business logic
Mentioned
Intent based leadership | David Marquet: https://www.youtube.com/watch?v=nzynH2BmoJM
The Tangled Web: A Guide to Securing Modern Web Applications: https://www.amazon.fr/Tangled-Web-Securing-Modern-Applications/dp/1593273886
Writing Secure Code, Second Edition by Michael Howard, David LeBlanc: https://www.amazon.com/Writing-Secure-Second-Developer-Practices/dp/0735617228
Crucial Confrontations: Tools for Resolving Broken Promises, Violated Expectations, and Bad Behavior: https://www.amazon.com/Crucial-Confrontations-Resolving-Promises-Expectations/dp/0071446524
“Meditations” by Marcus Aurelius: https://www.amazon.com/Meditations-Marcus-Aurelius/dp/1503280462
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room
Today, I’m joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement.
He’s also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out on GitHub and give it a star!
François is a frequent speaker and one of the founders of the NorthSec conference, where he also serves as a challenge designer for the CTF.
In this episode, we dive into the critical topic of supply chain insider threats in open source projects. We discuss the importance of the “trust, but verify” mantra and how the transition from a single maintainer to a team can increase security risks.
If you’re wondering about the future of automated security checks on platforms like GitHub, and the specific vulnerabilities in build pipelines, this episode is for you. And with that, get ready to hear François’s opinions.
Dive right in!
Connect with François: https://www.linkedin.com/in/francoisp/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by
Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
Mentioned
Article “Opening the Pandora’s Box: Supply Chain Insider Threats in Open Source Projects”: https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-threats-in-oss-projects
Russ Cox at ACM SCORED: Open Source Supply Chain Security at Google https://www.youtube.com/watch?v=6H-V-0oQvCA
DEF CON 32 - Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski -> https://www.youtube.com/watch?v=5P7KatZBr_I
NorthSec 2024 talk “Under the Radar: 0-days in the Build Pipeline” https://www.youtube.com/watch?v=4nfsTPEOzHA
Northsec conference https://nsec.io/fr/
Poutine security scanner- detects misconfigurations and vulnerabilities in the build pipelines of a repository: https://github.com/boostsecurityio/poutine
Dependabot: https://github.com/dependabot
BoostSecurity ASPM Platform: boostsecurity.io
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Rachel Curran, co-founder and CEO of Locktivity—a third-party risk management platform. She’s also the former Director of Risk and Compliance and Head of Infosec at Logik Systems.
With over a decade of experience leading security and GRC initiatives, Rachel has built SOC 2 and security programs from the ground up, helping companies achieve security maturity. She’s also a frequent speaker at security conferences about this topic. Beyond her work in cybersecurity, Rachel co-hosts @shedoestech, a show dedicated to promoting women in tech and highlighting their career journeys.
In this episode, we dive into whether we’re truly managing third-party risks or simply turning a blind eye to key issues. We also explore whether we should force vendors to disclose their vulnerabilities, how to continuously evaluate dependencies on third parties, why adopting an assumed breach posture helps frame due diligence, and why education about third-party risks should be integrated into security awareness programs.
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Nir Valtman, CEO & co-founder of Arnica, an ASPM platform with a pipelineless approach. Before founding Arnica, Nir led product and data security at Finastra, established security at Kabbage as CISO, and headed application security at NCR.
He’s also a well-known speaker at top security conferences, including Black Hat, Defcon, RSA, BSides, and OWASP.
In this episode, we unpack the reachability hype: why every vendor claiming "we do reachability!" means something slightly different, and what makes Pipelineless Reachability Analysis stand out.
We’ll also discuss why reachability is critical for vulnerability prioritization, plus some eye-opening stats, like why developers prefer scan results in under 30 seconds and how 9% of detected vulnerabilities still make it into production, even after developers are notified on push.
Dive right in!
Connect with Nir: https://www.linkedin.com/in/valtmanir/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by
Escape: https://escape.tech — API Security & DAST Platform
Mentioned in the video:
https://www.arnica.io/ - ASPM with pipelineless, developer-native approach
Nir’s LinkedIn post on reachability: https://www.linkedin.com/posts/valtmanir_reachability-appsec-security-activity-7249039515888046080-Irvv
Hype Cycle for Application Security, 2024: https://www.gartner.com/en/documents/5622191
Defining Reachability - is it just hype? https://pulse.latio.tech/p/reachability-matters-13
Does Reachability Matter? By James Berthoty https://pulse.latio.tech/p/does-reachability-matter
Book: Freakonomics by Steven Levitt & Stephen Dubner: https://www.amazon.com/gp/product/0063032376/ref=as_li_qf_asin_il_tl?ie=UTF8&tag=freakonomic08-20&creative=9325&linkCode=as2&creativeASIN=0063032376&linkId=f70dd7af6a315da4e8d04e7001c8e1d6
Podcast recommendation: Acquired (playbooks that built the world’s greatest companies - and how you can apply them as a founder, operator, or investor) - https://www.acquired.fm/
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Iman Ilbag, a DevSecOps Engineer at KPN, one of the leading telecom providers in the Netherlands.
Previously, as the sole DevSecOps Engineer at Snappfood, he secured 70+ projects and trained hundreds of security champions. Iman transitioned from engineering to DevOps and Application Security, and has also worked on penetration testing and infrastructure security for both startups and larger enterprises.
He’s passionate about security automation and open-source security, always looking for ways to improve security practices. I was introduced to Iman through a referral from James Berthoty, a previous podcast guest.
In this episode, we dive into why a solid understanding of DevOps is essential before implementing DevSecOps, and how the cultural aspects of security often outweigh the tools themselves.
We also explore the limitations of ASPM tools, the role of Defect Dojo in effective vulnerability management, and why selecting the right security tools is critical for success.
Dive right in!
Connect with Iman: https://www.linkedin.com/in/iman-ilbag/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
Mentioned in the video:
DefectDojo: https://www.defectdojo.org/
Escape: https://escape.tech — API Security & DAST Platform
Latio list: https://list.latio.tech/
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Recently, Opengrep made headlines as a new open-source project based on a fork of Semgrep Community Edition, with the goal of democratizing SAST.
As you know, I'm always ready to dive into controversial topics on The Elephant in AppSec, and this episode is no exception. But before we jump in, full disclosure: I’m staying neutral in this conversation. I’ve had the privilege of collaborating with incredible people on both sides of the discussion, and I’m here to explore all perspectives.
I spoke with the teams behind Opengrep—Arnica, Mobb, Aikido, and Jit—to explore what inspired them to get involved, the feedback they’ve received—both positive and negative—since the launch, and what lies ahead for the project: What will Opengrep look like a year from now?
By the way, if you want to dive deeper into their plans, join the Opengrep Open Roadmap session tomorrow (link in the description) or check out the next version of Opengrep, which will launch next week.
Dive right in!
Mentioned in the video:
Opengrep repo: https://github.com/opengrep/opengrep
Semgrep: https://semgrep.dev/
Opengrep roadmap session. Register here: https://lu.ma/07bivwlz
James Berthoty’s launch article: https://pulse.latio.tech/p/announcing-opengrep
OWASP projects: https://owasp.org/projects/
This podcast is provided by Escape: https://escape.tech
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to be joined by Ashwini Siddhi, Director, Security Engineering at GoDaddy. With a background in electronics engineering, Ashwini discovered her true passion in cybersecurity and has since become a distinguished leader in the AppSec space. Her expertise spans multiple domains, with Threat Modeling standing out as a key area of specialization.
Recently elected to the OWASP Foundation’s Board of Directors, Ashwini is not just a technical expert—she’s also a dedicated advocate for women in cybersecurity. She actively mentors aspiring security professionals through organizations like WiCyS and beyond.In this episode, we explore whether there is a secret to mastering threat modeling at scale, how AI is revolutionizing threat modeling, and the necessity of building a unified threat modeling program across organizations.
We also discuss why mentorship is essential for developing the next generation of security professionals. If you're an experienced leader looking for valuable insights on guiding and supporting emerging talent in cybersecurity, this episode is for you!
Dive right in!
Escape: https://escape.tech
Mentioned in the video:
Threat Modeling at Scale WhitePaper: https://safecode.org/wp-content/uploads/2023/06/Threat_Modeling_at_Scale_6.21.23.pdf
Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/
OWASP Threat Modeling Project: https://owasp.org/www-project-threat-model/
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Irfaan Santoe, a seasoned security leader who has worn many hats—from CISO to Global Head of Application Security, and now Founder and CTO of RiskApp.
Beyond his leadership roles, Irfaan is a dedicated community builder. He leads the OWASP Netherlands Chapter, created the OWASP Security Champions Guide, and co-hosts the re:invent security podcast, a live in-person show where industry leaders share how they’re reshaping security.
In this episode, we tackle a big and often uncomfortable question: Can we actually quantify the ROI of AppSec?
Security leaders are constantly pushed to justify their budgets, but when it comes to application security, how do we measure success? Are we tracking the right metrics, or just playing a numbers game? We’ll also discuss:
- The hidden costs of delaying AppSec and why technical debt is a silent killer
- How security leaders can sell AppSec to executives and actually secure budget
- The challenge of measuring AppSec effectiveness—what metrics actually matter?
If you’ve ever struggled to prove the value of security initiatives—or just want a fresh perspective on AppSec priorities—this episode is for you.
Connect with Irfaan: https://www.linkedin.com/in/irfaansantoe
Connect with Alexandra: https://fr.linkedin.com/in/alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech
Re-invent security: https://re-inventsecurity.com/
RiskApp: https://www.riskapp.com/
OWASP Security Champions Guide: https://owasp.org/www-project-security-champions-guidebook/
The CISO’s Guide for Implementing DevSecOps in the Enterprise: DevSecOps Visions from 10 European Information Security Leaders:
https://www.amazon.co.uk/CISOs-Guide-Implementing-DevSecOps-Enterprise/dp/9464807571
How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by a true force in cybersecurity. With over a decade of experience, Confidence Staveley has dedicated her career to helping organizations build secure, innovative products. She’s the founder of MerkleFence, where she serves as Director of Application Security for various companies, and the author of the Amazon bestseller API Security for White Hat Hackers.
Confidence is known for making cybersecurity concepts accessible to diverse audiences, as seen in her popular YouTube series "API Kitchen" (@SisiNerdTV), where she uses culinary metaphors to explain API security. A globally recognized leader and speaker, she’s earned accolades like Cybersecurity Woman of the World 2023, while empowering teams to innovate securely. She also leads the CyberSafe Foundation, a groundbreaking NGO focused on building a digitally inclusive and secure Africa.
In this episode, we explore why proactive strategies like ethical hacking are essential, how organizations can protect against the growing risks of insecure APIs, and why compliance alone isn’t enough. Confidence shares her 2024 insights into API security, from third-party integration challenges to gaps in frameworks like the OWASP API Security Top 10, while emphasizing the importance of making security actionable for both leaders and developers.
With that, get ready to hear Confidence’s opinions.
Dive right in!
Connect with Confidence: / confidencestaveley
Connect with Alexandra: / alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech — API Security & DAST Platform
MerkleFence: https://merklefence.com/
API Security for White Hat Hackers: https://www.amazon.com/API-Security-W...
CyberSafe Foundation — Confidence’s NGO dedicated to creating a digitally secure and inclusive Africa: https://www.cybersafefoundation.org/
OWASP API Security Top 10: https://owasp.org/API-Security/editio...
Recommended books:
1. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg
2. Talking to Strangers by Malcolm Gladwell
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Izar Tarandach, a Senior Product Security Architect with extensive security experience at Datadog, Squarespace, and several other companies. Izar is also a renowned speaker and the co-author of Threat Modeling: A Practical Guide for Development Teams by O'Reilly. He’s a member of the Threat Modeling Manifesto Group and the leader behind the OWASP pytm Pythonic framework for threat modeling tool.
Izar is also a fellow podcaster, and I hope we get to flip roles one day!
In this episode, we discuss why perfectionism can hinder effective threat modeling and how Izar believes we need to strike the right balance between automation in threat modeling tools and human insight. We also explore the challenges of measuring the effectiveness of threat modeling and why metrics should focus on qualitative insights rather than just quantitative data.
If you agree with Izar’s perspective that a dev-centric approach to threat modeling can enhance security practices and want to learn how to implement security reflexes in your engineering teams—this episode is for you!
With that, get ready to hear Izar’s opinions.
Dive right in!
Connect with Izar: https://www.linkedin.com/in/izartarandach
Connect with Alexandra: https://fr.linkedin.com/in/alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech
Threat Modeling: A Practical Guide for Development Teams https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553
Threat Modeling Manifesto Group: https://www.threatmodelingmanifesto.org/
OWASP pytm: https://owasp.org/www-project-pytm/
Security Table podcast: https://securitytable.buzzsprout.com/
Tanya Janca's Mentorship Monday, follow Tanya on X: https://x.com/shehackspurple
OWASP Meet the Mentor: https://sf.globalappsec.org/mentor-mentee/
Threat Modeling: Designing for Security by Adam Shostack: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
Brook Schoenfield’s Threat Modeling Methods: https://brookschoenfield.com/?page_id=341
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Koen Hendrix, Director of Product Security at Zendesk. With over a decade of experience in the tech and gaming industries, Koen has been instrumental in building and scaling global security teams, integrating security into agile environments, and driving innovation in product security processes. Known for fostering strong relationships with global Product and Engineering leaders, he brings a wealth of expertise to today’s conversation.
In this episode we discuss why non-negotiable security practices must be clearly communicated to teams and where Koen thinks we need to draw the line between "secure enough" and "perfect security". We also explore how change management has become a significant challenge in security and discuss why implementing secure-by-design principles requires gradual, step-by-step improvements.
If you agree with Koen’s perspective that collaboration is often overlooked in favor of tools and want to learn how to implement it effectively—this episode is for you!
Today, I'm joined by Akira Brand, the AVP of Application Security at PRA Group. With nearly five years of experience in the security space, Akira has a diverse background, starting as a Developer Relations Engineer and transitioning into an Application Security role.
Passionate about education and Infosec, Akira has established herself as a distinguished public speaker, co-hosting the AppSec Weekly Podcast for several years and sharing her expertise as a cybersecurity instructor at Katilyst.
Akira is also a professional opera singer. You can hear her singing at her Elephant in AppSec conference talk!
In this episode, we discuss the maturity level organizations need to achieve before hiring their first application security engineer, the latest AppSec hiring trends, and her insights on DAST from her time at a DAST vendor organization. We also touch on how early exposure to puzzles helps kids develop problem-solving skills and set the stage for a career in engineering.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we’re joined by Raunaq Arora, Lead Application Security Engineer at Chipotle. Raunaq’s journey into security was almost accidental, starting as a developer who quickly developed a knack for breaking and building secure applications. Now, his expertise lies in securing Kubernetes environments at scale and aligning security strategies with business priorities. Last year, he took the RSA Conference stage to share how his team built a secure Kubernetes environment by integrating CIS controls into SDLC pipelines—turning security into the perfect burrito recipe.
In this episode, we tackle the ever-growing adoption of Kubernetes and ask the hard questions: Are we racing to deploy this shiny technology while ignoring its massive security risks? Are organizations blindly treating Kubernetes like a “silver bullet,” leaving their infrastructure vulnerable? Raunaq doesn’t hold back as we explore the tools and practices needed to cut through the hype and address the real challenges of Kubernetes security.
Dive right in!
Useful repos: https://ramitsurana.github.io/awesome-kubernetes/
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m excited to have Alina Yakubenko on the show. Alina, Senior Application Security Engineer at Toast, Inc. and former developer and QA Engineer, is dedicated to empowering developers to integrate security into their everyday practices. Passionate about building a culture of security awareness, she works to ensure that security is a core component of development processes, helping teams build safer, more resilient applications.
In this episode, we dive into a thought-provoking question: is it truly realistic to see everyone as the greatest ally in security? We also explore the critical role of making security champions self-sufficient—especially in rapidly scaling organizations.
If you're a strong advocate for security champion programs and want to learn how to scale them effectively, this episode is for you.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome a true expert in DevSecOps, Timo Pagel! With over 20 years of experience in security strategy, web development, and DevSecOps architecture, Timo brings a wealth of knowledge to the table. As a freelance consultant and university lecturer, he’s passionate about training the next generation of AppSec professionals while actively contributing to the Open Source community as the leader of the OWASP DevSecOps Maturity Model (DSOMM) project: https://dsomm.owasp.org/
In this episode, Timo and I dive deep into the critical differences between popular maturity models like DSOMM and SAMM, uncover why a one-size-fits-all approach to maturity frameworks often fails, and explore the unique challenges of implementing DSOMM in startups versus large enterprises. Along the way, we tackle controversial topics like the shortcomings of many AppSec tools and whether security teams are being set up for failure by immature solutions.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Jesus Cuadrado to the show! Jesus is the Chief Product Officer at Xygeni, an ASPM platform focused on improving software supply chain security. With over a decade of experience in product management, he’s now leading the charge in creating user-friendly security tools while tackling critical challenges like ensuring reliable software updates and integrating zero-trust principles into product strategies.
In this episode, we’ll dive into the intersection of product management and security, unpacking the role of software composition analysis in mitigating library risks, the use of open-source packages, and strategies for ensuring their security.
Whether you’re curious about breaking into product management in security or want a product manager’s perspective on building effective security solutions, this episode has something for you.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Michael Tayo to the show! As the Information Security Lead at EDX Markets, Michael advises C-suite leaders and drives strategies to protect critical infrastructure in institutional crypto markets. With prior roles in Financial Services and Tempus AI, Michael brings a wealth of experience in cloud security and risk management. He’s also the founder of CyberSHIELD, a platform empowering security professionals with training and resources, and The Ghetto Flower, a creative agency uplifting underrepresented talent.
In this episode, Michael and I explore differences in security testing for on-premise and cloud environments, the importance of asset visibility and risk assessment for hybrid cloud migration, and how DevSecOps practices thrive with leadership buy-in and team collaboration. Plus, we discuss how to use security data to tell compelling stories and provide meaningful insights to stakeholders.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Magdalena Modric to the show! Magdalena is an AppSec Program Strategist at Secure Code Warrior, where she’s been empowering developers in the German-speaking market to build secure applications since 2018.
Beyond her professional expertise, Magdalena is also a talented violinist—a wonderful reminder of how many AppSec professionals channel their passion into music and creativity outside of work.
In this episode, Magdalena and I dive into the critical role of Security Champion programs in scaling security efforts effectively. We explore why metrics should focus on business outcomes rather than just training participation, and whether cultural factors are the secret ingredient to successful security practices.
And much more! If you’re interested in specific stories of companies that introduced security champion programs and scaled them, this episode is for you.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Patrick Mathieu to the podcast! Patrick is currently a Senior Manager of Product Security at DoorDash, but his impact on the cybersecurity world spans years.
Fifteen years ago, he founded Hackfest.ca, Canada's largest bilingual infosec conference and hacking community. Beyond Hackfest, Patrick is a sought-after speaker at cybersecurity conferences worldwide and the host of Securite.fm, a popular podcast on all things security and hacking.
In addition to his industry roles, Patrick serves as an advisor on Quebec’s Cybersecurity Committee, where he helps shape policy at a governmental level.
In this episode, Patrick shares his journey from his early days in the 90s—when he started hacking when the internet first became widely accessible—through to his motivations behind creating Hackfest and what sets it apart. We explore the vital role of cybersecurity committees, the influence of big tech on government policies, the dangers of social engineering and phishing, and so much more.
If you’re as passionate about hacking and security as Patrick is, you won’t want to miss this episode. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m super excited to have Ariel Shin on the podcast! Ariel started as a pentester, moved into appsec, and now she’s a Security Engineering Manager at Datadog. Before that, she led the Product Security team at Twilio, where she drove an effort to democratize vulnerability management across the company, which had a significant impact on reducing risk.
She’s also a regular speaker at conferences, and I actually got to meet her in person for the first time at BSides San Francisco this year, where she led an impressive panel on scaling security.
In this episode, I learned from Ariel why cultural transformation is challenging but necessary for successful product security initiatives and how democratizing vulnerability management involves shifting the responsibility for risk from security compliance to engineering.
And much more! If you’re interested in practical ways to ease the cognitive load on engineers, find allies in security, and start creating a real shift in culture, this episode is for you.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m excited to welcome Akansha Shukla, a cybersecurity expert with over 10 years of experience, currently specializing in API security at ABN AMRO, one of the largest banks in the Netherlands. Akansha has a strong background in application security, DevSecOps, threat modeling, and vulnerability assessments.
Beyond her work at the bank, Akansha enjoys sharing her knowledge and runs her own blog focused on API security. She’s also a notable contributor to platforms like Nordic APIs. And, of course, don’t miss her session at the upcoming API Days event in Paris!
Akansha's blog 👉 https://medium.com/@akanshashukla_78664
In this episode, we discuss why lots of organizations are still struggling to develop a clear vision and roadmap for API governance, why collaboration between security experts and API management teams is crucial for effective API security, and how regulations influence the API security roadmap.
And much more! If you’re curious about how to start sharing your expertise and want to learn from someone who has done it successfully, this episode is perfect for you.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I have two incredible guests with me: Ante Gojsalic and Benjamin Dulieu. Ben is a Chief Information Security Officer at Duck Creek Technologies, an Insurance SaaS provider supporting the end-to-end insurance process for many of the world’s largest carriers. A former U.S. Marine Corps Captain, Ben transitioned into cybersecurity leadership in 2016, leading Cyber and Technology Risk Management at Brown Brothers Harriman before taking on his current role, where he oversees cybersecurity, privacy, and IT infrastructure strategies. Ante is the CTO and Co-founder of SplxAI, a platform for automated and continuous red teaming of conversational AI. Before launching SplxAI, Ante managed teams of 40+ engineers and delivered over 50 successful projects for global brands like Ford and GM, spanning different countries. Both Ben and Ante are passionate about sharing their knowledge, frequently speaking at conferences and on podcasts to help others learn from their extensive experience. In this episode, we discuss how the rise of AI is challenging the traditional ways of securing systems, whether AI chatbots are a security disaster waiting to happen or if they can be built securely, and the crucial steps to ensure AI chatbot security. And much more! If you’re curious about a CISO's view on AI security or managing the complexities of multi-language chatbots, this episode is for you. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, my guest is Kyle Kelly, Tech Lead for Supply Chain Security Research at Semgrep and the founder of the CramHacks weekly newsletter. You can subscribe here 👉 cramhacks.com
With a background in consulting and research, he specializes in supply chain security, using his expertise to shape the insights he shares. Through CramHacks, he empowers readers to take an active role in software security and deepen their understanding of supply chain vulnerabilities. In this episode, Kyle shares when you should focus on open source vs commercial tools and why open-source vulnerability management is, in his words, "a dumpster fire." We explore whether open-source versions of commercial tools are more trustworthy, and Kyle debunks the common theory that vulnerabilities persist simply because open-source maintainers haven’t fixed them yet. But that's not all! We also dive into Kyle's passion for malware analysis and hear about his experiences as a cyber creator—like the time he was banned from Reddit (like me 🥲) for sharing his work. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, my guest is Kim Wuyts, a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager of Cyber & Privacy, Kim was a senior researcher at KU Leuven, where she led the development and extension of LINDDUN, a popular privacy threat modeling framework. Kim is also a co-author of the Threat Modeling Manifesto, program co-chair of the International Workshop on Privacy Engineering (IWPE), and a member of ENISA’s working group on Data Protection Engineering. She is a frequent speaker at international privacy and security conferences, and what I truly love about Kim’s presentations is that she raises privacy issues in a fun, entertaining way that really sticks with the audience. In this episode, we talk with Kim about how privacy used to be part of security because security professionals cared about data, how they now need to coexist, and what impact AI will have on privacy. And there’s much more! This episode is perfect if you want to know what your car can collect about you, and where to get started in investing in your privacy engineering skills, so you don’t fall behind. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m joined by Diego Sempreboni, a Senior Application Security Engineer at Pleo. Diego earned his PhD in Computer Science, specializing in security, at King’s College London. After realizing his passion lay in solving real-world problems, he transitioned from academia to product and application security, gaining valuable experience in various fintech companies in the UK. In this episode, we discuss the key differences between academia and engineering in security and why vendors should focus on creating tools that do less but do it better—tools that actually help to fix problems. We also explore the challenges of automating threat modeling and remediation, and why trust within a company is crucial for AppSec engineers. And there’s much more! This episode is perfect for anyone weighing the choice between security research and engineering or for newcomers eager to learn more about AppSec! Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, my guest is Rob Picard. Rob started his career as a pentester and went on to become an early security hire at both Robinhood and Vanta, where he helped establish scalable security programs. He is now leading Observa, a security consulting firm focused on helping startups build strong security foundations. Rob frequently participates in podcasts, sharing his expertise on how startups can develop security programs, often with an AppSec focus. In this episode, Rob discusses when startups should adopt application security, the key differences between AppSec challenges at startups versus large enterprises, his hot take on integrating security into internal tool development, and the importance of security training for developers. And there’s much more! This episode is perfect for anyone looking to build a security program in a startup, whether for compliance reasons or not, or for those who want to learn more about breaking into the field. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, my guest is Kaiwen Jiang, an Application Security Engineer at a financial services company in the UK. Her primary areas of focus are . She was previously a cybersecurity consultant at Deloitte. Kaiwen also runs a blog, AppSec Kiki, where she shares her knowledge with the community, and she’s an active participant in London’s OWASP community meetups! In this first episode of Season 2, Kaiwen shared insights on why open-source security in the supply chain has become such a hot topic this year, how to evaluate the risks of open-source software, and how to prioritize unit tests. We also discussed the importance of asset management and how she transitioned to a developer role for a time to better understand what prevents developers from fixing vulnerabilities in their release cycles. And there’s so much more! This episode is perfect for anyone who wants to dive into application security or learn more about getting started in the field. Dive right in!
Get ready for more bold opinions starting next week! 🔥
Today, we have an amazing guest, Rob van der Veer, joining us. Rob is an AI pioneer with 32 years of experience, specializing in engineering, security, and privacy. Currently, he is a Senior Principal Expert at the Software Improvement Group (SIG), where he leads global thought leadership, advisory, and innovation in AI and software security. Rob is the lead author of the ISO/IEC 5338 standard on the AI lifecycle, a contributor to the OWASP SAMM (Software Assurance Maturity Model), co-founder of OWASP's digital bridge for security standards OpenCRE.org, and creator of the OWASP AI Exchange – an open-source living publication for the worldwide exchange of AI security expertise 👉 https://owaspai.org/
He is a sought-after speaker at numerous global application security conferences and podcasts. Today, we’ll be talking with Rob about how AI security has evolved since 1992, the challenges in developing secure AI systems, how to prioritize AI threats at different stages of the lifecycle, and the role of standards in AI security. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we have an amazing guest, Catharina "DD" Budiharto, joining us.
DD has extensive experience in cybersecurity, having worked for several years with multiple Oil and Gas companies. She also served as the chairperson for the American Petroleum Institute (API) IT Security Sub-Committee.
Currently, DD is the founder of Cyberpoint Advisory, which offers Fractional CISO services to help SMBs protect their assets from cyber attacks. She has received numerous awards in cybersecurity and is a sought-after speaker at security podcasts, global conferences, and panels.
DD is passionately involved in supporting minorities, and I admire her favorite motto: “We don’t let the bad guys win.” I was fortunate enough to meet DD in person a month ago!
Given my experience in the Oil & Gas sector, I was particularly curious about the critical applications in this industry, where the supply chain involves numerous third-party applications and software vendors, each potentially introducing security risks. Beyond that, we discussed her favorite topic: the love triangle between the government, OEMs, and Owners/Operators regarding the shared responsibilities of securing America's critical infrastructure.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we have an amazing guest, Chris Romeo, joining us. Chris has 26 years of experience in cybersecurity, having worked for 11 years at Cisco, founded his own security education company, Security Journey, and now Devici, an AI-infused collaborative threat modeling tool. Chris is a sought-after speaker at numerous global application security conferences. He is also the author of a weekly newsletter, The Reasonable AppSec, where he shares the top 5 security articles worth your time. Chris hosts not one but three security podcasts: the Threat Modeling Podcast, @SecTablePodcast, and my personal favorite, @ApplicationSecurityPodcast. I appreciate how he freely expresses his opinions, sometimes quite strong ones, like "DAST is dead". I was very eager to discuss his opinions with him! We also talked about whether "shift left" is just a marketing term, how AppSec professionals should first educate themselves to understand all the tools and messaging thrown at them, and shared some Threat Modeling stories. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. We have two incredible guests with us: Andrew Wilder and Amir Shaked. Andrew is the Retained Chief Security Officer at Community Veterinary Partners and the former Regional CISO for Nestle, where he spent 18 years shaping cybersecurity across the Americas, Asia, and Europe. Amir is the VP of Research and Development at Oasis Security, specializing in Non-Human Identity Management. With a background in software development, Amir transitioned to cybersecurity, contributing to companies like PerimeterX and Human in R&D and Engineering. Both Andrew and Amir are passionate about sharing their expertise. Andrew teaches cybersecurity at Washington University in St. Louis and serves on its Board, while Amir coaches engineering managers at GrowthSpace. They frequently speak at conferences and on podcasts, helping others learn from their extensive experience. In February, the Cloudflare breach highlighted the critical risks of managing non-human identities. Today, we’ll explore this fascinating topic with Andrew and Amir, discussing why these breaches occur, the main risks involved, and the anticipated proliferation of non-human accounts. We’ll also delve into the challenges of understanding the context around non-human identities. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we have an amazing guest, David Homoney, joining us. David is the newly appointed Sales Engineer at Apiiro. Before stepping into this role, he made significant contributions as a Technical Solutions Architect II for Application, API, and Workload Security at World Wide Technology (WWT), a leading global technology provider and integrator. With an impressive 30-year career in network and system administration, David has established himself as one of the strong voices in the field of API security. He's not only an API security evangelist but also a blog contributor and speaker, having written several articles on various aspects of application and API security and presented at industry conferences. Outside of his professional pursuits, David is the Associate Executive Producer of the No Agenda Show, a popular podcast known for its insightful media deconstruction, social engineering discussions, and political analysis. In today's episode, we're diving deep into the world of API security. We'll get his expert insights on the latest industry buzz, including the rumored acquisition of Noname by Akamai, which has since been confirmed at the RSA Conference. We'll also explore the differences between runtime protection and security on the left side of the SDLC, debate whether DAST for API security testing is dead, and discuss how runtime protection API security vendors often integrate known vulnerable apps into their algorithms instead of implementing advanced algorithms. Dive right in!
Books discussed:
Hacking APIs: Breaking Web Application Programming Interfaces by Corey J. Ball: https://www.amazon.com/Hacking-APIs-Application-Programming-Interfaces/dp/1718502443/
Defending APIs: Uncover advanced defense techniques to craft secure application programming interfaces by Colin Domoney: https://www.amazon.com/Defending-APIs-against-Cyber-Attack/dp/1804617121/
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we’re excited to have an amazing guest, Cassie Crossley, join us. Cassie is the Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric. Starting from a development background, she moved through different roles like technical support, technical documentation, and software development project management. She led compliance, policy, and governance and gradually transitioned into her high-level Product Security role. Cassie is also the author of the Software Supply Chain Security book that has received praise from multiple industry thought leaders. You can buy it here: https://www.amazon.com/Software-Suppl...
Cassie’s goal is to make a difference in the cyber community. That’s why she is also a frequent speaker on various supply chain security topics and a workshop trainer. In this episode, we asked Cassie whether it’s realistic to have a secure software supply chain, why you need to be very careful about what gets committed into code because of backdoors, how her people-person skills made her switch from development to security, and how it feels to be a celebrity! Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Max Imbiel, join us. Max is the driving force behind “Ahead Security,” an agency specializing in vCISO activities, and currently serves as the CISO at Bitpanda, an online crypto trading platform. Max’s career began in IT and software development and took him through various industries, the most recent being finance. His notable leadership roles include Deputy CISO at UniCredit Bank and, most recently, Deputy Group CISO at N26. Max is also a frequent keynote speaker and an ambassador for Mission TOP 5 (https://missiontop5.de/), a community organization that aims to propel Germany into the top 5 digital nations in Europe by 2025. With his extensive experience in the security of the financial sector, I had the chance to learn from Max about the unique challenges of building secure financial applications and what the explosion of decentralized finance might bring. Dive right in!
*I apologize for the sound issues on my side in this episode - everything is great for Max!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Swan Beaujard, join us. Swan is a security software engineer at Escape, specializing in Dynamic Application Security Testing. He is a core contributor to a lot of open-source projects related to GraphQL security and is passionate about machine learning and reverse engineering. He presented his contributions and research at several international security conferences, including BSides Oslo 2023. This year, Swan published his new research detailing the scanning and analysis of the 1 million most popular domains. Scanning the front-end code of these domains led to shocking results. He discovered 18,000 exposed tokens and turned a $100 investment in the project into $20 million in Stripe tokens. In this episode, we discuss Swan’s technical approach and how it feels to find so many exposed secrets. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Mihir Shah, join us.
Mihir Shah is a Senior Staff Application Security Engineer at ForgeRock, specializing in architecting secure cloud-based Identity & Access Management services hosted using Kubernetes and Google Cloud Platform.
He is also the author of the Cloud Native Software Security Handbook, a comprehensive guide on securing cloud-native applications and services.
Additionally, he serves as an Industry Mentor at Stanford University's Advanced Cybersecurity Program and holds two patents on defense against cloud-native infrastructure.
Mihir is passionate about learning and sharing his knowledge on cloud-native security, software development security, and serverless computing. He is a frequent speaker and trainer at security conferences such as Black Hat, DEF CON, and OWASP. Moreover, he has published multiple articles on Medium covering various security topics, such as hacking Windows machines, scanning vulnerable Docker images, and compromising Windows systems.
With his passion for the security of cloud-native applications, we decided to ask him how challenging it is. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Keshav Malik, join us. Keshav is a Senior Product Security Engineer at LinkedIn. With experience in information security and a passion for automation, Keshav brings a unique blend of expertise to the table. Keshav is also a dedicated tech enthusiast and deeply passionate about contributing to the community. He actively writes custom security rules for various applications like Semgrep and has built several projects like QuickXSS, a bash script automating XSS workflows. Not stopping there, Keshav loves to share his knowledge by organizing workshops, empowering others to write their own custom security tests. Building on Keshav's experience in writing custom security rules, we've challenged him on whether adding custom rules to existing security software can be the next product security engineer's superpower. Want to find out what he thinks? Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Jacob Salassi, join us. Jacob is the Director of Product Security and Regulatory Expansion at Snowflake, where he has played a pivotal role in guiding the company through its pre- and post-IPO phases. With over 15 years of experience, initially in software engineering before transitioning to security, Jacob is a sought-after speaker at numerous conferences and podcasts, sharing his wealth of insights with others. Jacob has a deep passion for cycling, and he revealed to us that he has a large repository of ideas stored in his smartphone notes that he records while cycling. Jacob held a strong opinion that product security should be approached as a science, not an art. Therefore, we challenged him on how, in this case, one can nurture developer creativity to build secure applications and asked in-depth about his scientific approach. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Ric Campo, join us. Ric started his cybersecurity journey in the Royal Australian Air Force. With a decade of dedicated experience as an Application Security Engineer and Penetration Tester, he currently serves as a Principal Security Consultant at Galah Cyber. Ric also strongly believes in the power of the community in AppSec. He focuses on writing blogs that will help the community in the long term. He's also been an OWASP Sydney chapter leader for several years. During the podcast, he'll share a funny story about how he became involved with the chapter. Ric has organized multiple meetups and has also presented at the OWASP 20th-anniversary event. Throughout his career in application security, Ric has worn multiple hats: serving as both a cybersecurity consultant and an in-house application security engineer. This unique perspective prompted us to challenge him on the differences between the two roles, their unique challenges, and the reasons behind his preference for the consultant role. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we’re excited to have an amazing guest, Laura Bell Main, join us.
With over 20 years in software development and application security, Laura is the co-founder and CEO of SafeStack, an online education platform that offers secure development training for fast-moving companies.
Laura is also a well-known keynote speaker and has spoken at high-profile events like Black Hat USA, NDC, and OSCON. With her love of speaking and being heavily invested in the community, Laura also hosts her own podcast, Build Amazing Things (securely), where she collects various stories from AppSec professionals.
More than that, she is a regular writer for a range of technology and business publications and is the co-author of “Agile Application Security” and “Security for Everyone.”
If you want to learn practical advice on how to adapt an efficient and enjoyable Lego approach to training programs for your teams and build a great security-minded tech team, tune into our conversation. By the end of the podcast, you'll have an answer to the question: can developers and security training really co-exist?
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Anmol Agarwal, join us. Anmol is a security researcher at Nokia, focused on securing AI and Machine Learning in 6G and securing 5G.
She also holds a doctoral degree in cybersecurity analytics from George Washington University. Her research was focused on adversarial machine learning and Federated Learning. Anmol is also an active speaker and has spoken at various conferences and events including SecureWorld, Pacific Hackers Conference, and Bridges in Tech.
In her free time, she enjoys giving back to the community and is an active industry mentor for Women in CyberSecurity and WCAPS. As you can see, Anmol is a true expert in adversarial machine learning, so we have decided to challenge her on its current state and how she sees its evolution in the future.
Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, Olivia Rose. You can find Olivia on LinkedIn: https://www.linkedin.com/in/oliviaros... Olivia is an executive leader with more than 20 years of dedicated experience, having served as the former CISO at Amplitude and Mailchimp and currently as the Founder of the Rose CISO Group: https://www.rosecisogroup.com/ Her company offers virtual Chief Information Security Officer (CISO) services, boardroom and leadership communications, assessment services, keynote speaking, event presentations, and career and executive coaching. Olivia is a frequently requested speaker on cybersecurity at events like BSides or RSA, as well as on podcasts. In her free time, she enjoys mentoring young women and minorities interested in pursuing a career in cybersecurity. At Cyversity, Olivia launched and now leads the mentorship program with over 500 participants. In the upcoming episode, Olivia will share with us the dos and don'ts of the AppSec vendor CISO relationship, including why you should never make jokes when talking to CISOs and precious tips for breaking into the cyber world.
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, Harsh Modi. You can find Harsh on LinkedIn: https://www.linkedin.com/in/neighborhoodpenetrationtester/ With over 8 years of dedicated experience as an Offensive Security Engineer and Penetration Tester, Harsh has honed an exceptional skill set in identifying and mitigating security vulnerabilities. Currently, he is an independent consultant and a Lead Security Architect at Bell. Harsh is also an enthusiastic security researcher and has presented his research at various conferences such as OWASP Vancouver, BSides Vancouver, Edmonton, Calgary and others, where he shared invaluable insights on different topics ranging from pentesting Android applications to car hacking. With all his experience in pentesting and offensive security, we decided to challenge him on the actual value of pentesting programs. Dive right in!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, Dustin Lehr. You can find Dustin on LinkedIn: https://www.linkedin.com/in/dustinlehr/
Dustin is an accomplished software engineer turned information security leader, currently serving as Senior Director of Platform Security / Deputy CISO at Fivetran. He possesses an enormous wealth of experience in application security and is a strong community leader, organizing the online meetup 'Let's Talk Software Security,' where everyone passionate about security can join for an open discussion. Dustin is also the author of the 'Security Champion Program Success Guide,' a valuable resource for organizations and individuals passionate about security, aiming to build or improve their security champion program. He is a strong advocate for its benefits, so we decided to challenge him on whether this program is actually useful. Dive right in to find out the results!
Referenced:
- Let's Talk Software Security! Meet-up: https://www.meetup.com/lets-talk-software-security/
- Security Champion Program Success Guide: https://securitychampionsuccessguide.org/
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, Sandesh Mysore Anand. You can find Sandesh on LinkedIn: https://www.linkedin.com/in/anandsandesh/
With more than 12 years of experience in security and having worked as head of security at Razorpay, India's leading financial platform for payments & banking, Sandesh is now the founder of Seezo, a Threat Modeling tool. Its goal is to solve product security problems using Gen AI. He is also the author of the 'Boring AppSec' newsletter, a great resource for application security professionals. There, he recently published an article reflecting on whether Gen AI can supercharge your AppSec program. We found it very interesting, and we decided to challenge him a bit about this topic.
Referenced:
- Seezo: https://seezo.io/
- The article “Gen AI can supercharge your AppSec program”: https://boringappsec.substack.com/p/edition-25-gen-ai-can-supercharge
- Boring AppSec newsletter: https://substack.com/@boringappsec
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Mel Reyes, joining us. Mel has navigated through two IPOs, three M&As, worked with several startups, Pepsi, Mercedes, and accumulated a bunch of patents along the way. With more than 30 years of experience in various leadership, advising, and coaching roles, he enjoys building and empowering security teams within organizations. He's heavily invested in the cybersecurity community and has built his own, The Fellowship of Digital Guardians: https://fdg.institute/ That’s why we’re extremely excited to talk with him today about investment in security training within the organizations. Tune in and discover whether it's a necessary or overrated expense.
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, James Berthoty. James has been in technology for over 10 years across engineering and security. An early advocate for DevSecOps, he has a passion for positioning security teams as contributors to products. Drawing on that experience, he's currently building latio.tech, a platform helping organizations find the best security tools. In our latest episode with Tristan Kalos, we challenged James about his recent article on ASPM. We discussed what's right and wrong with its current state, what's missing from Gartner's perspective, and what ASPM might look like in the future. Curious? Dive right in!
Today, we're excited to have an amazing guest, Malav Vyas, joining us.
Malav is a security researcher at Palo Alto Networks, passionate about exploiting and securing systems.
Security research is an important part of our day-to-day at Escape. That's why we were very curious when Malav reached out to us and brought up the topic of SCADA systems.
In our latest episode with Tristan Kalos, we challenged Malav on whether APIs introduce more security risks than benefits to SCADA systems, how hard it is to secure SCADA, and what their key future challenges are.
Today we’re excited to have an amazing guest, Derek Fisher, joining us.
Derek is a cybersecurity leader, a speaker on various cybersecurity topics, and the author of the well-known "The Application Security Handbook." Having been a developer before shifting to application security more than a decade ago, Derek has had the unique opportunity of seeing the industry from the perspective of someone who builds the software that needs to be secured.
In our latest episode with Tristan Kalos, we challenged Derek on whether threat modeling is the future of cybersecurity or just another buzzword. We discussed how to do threat modeling right (and wrong), what’s wrong with its current state, and what its future might look like.
Curious? Dive right in!
Today we're excited to have an amazing guest, Jeevan Singh, Senior Staff Security Engineer at Rippling, joining us. Jeevan is responsible for a wide variety of tasks, including architecting security solutions and working with development teams to resolve security vulnerabilities. With over 15 years of experience in various development and leadership roles, he enjoys building security culture within organizations. That's why we're extremely excited to talk with him today about the top-down vs. bottom-up approach to security. Throughout our talk, we had a chance to challenge him on his vision and opinions, and to ask some "spicy" questions!
Today, we're revealing our first episode with Aleksandr Krasnov, the principal security engineer at Meta, who challenges the effectiveness of existing DAST tools with us.
Aleksandr Krasnov is the principal security engineer at Meta, responsible for all things security at Instagram and WhatsApp. Previously, he was responsible for AppSec and offensive security at Thinkific and served as a product security engineer at Dropbox, Palo Alto Networks, and other companies.
Throughout his career, Alek has used multiple security tools, including Dynamic Application Security Testing (DAST) tools. As we began discussing this podcast with him, he immediately raised a topic we strongly agree with: the scarcity of effective DAST tools on the market.
In our conversation, Alek shares:
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Tomorrow, we're revealing our first episode with Aleksandr Krasnov, the principal security engineer at Meta, who challenges the effectiveness of existing DAST tools with us. In the upcoming weeks, we'll share even more interviews with world-class security experts that address concrete AppSec issues, allowing you to reflect on your own approach to security practices. Stay tuned!