Explore all episodes of The Application Security Podcast
| Title | Date | Duration | Description |
|---|---|---|---|
| Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications | 01 Oct 2024 | 00:36:32 | Join hosts Chris Romeo and Robert Hurlbut on the Application Security Podcast as they welcome back Steve Wilson, author of 'The Developer's Playbook for Large Language Model Security.' In this episode, they dive into critical topics such as AI hallucinations, trust, and the future of AI. Steve shares insights from his book and discusses the biggest fears surrounding AI and LLMs. He also provides practical advice on security boundaries, LLM-specific security testing tools, and the evolving landscape of AI technologies. Links: Find Steve on LinkedIn. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast Thanks for Listening! |
| Jeff Williams -- Application Detection & Response (ADR) | 24 Sep 2024 | 00:51:28 | Join us in this week's episode of the Application Security Podcast, where we sit down with Jeff Williams, a renowned pioneer in the field of application security. Jeff discusses ADR (Application Detection and Response), detailing its potential to revolutionize security in production environments. Listen as he shares stories from his career, including the founding of OWASP and his take on security assurance. Whether you're new to AppSec or a seasoned expert, this conversation offers valuable perspectives on the industry's evolution and the challenges ahead. Previous episode: Jeff Williams – The History of OWASP. |
| Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People | 11 Jun 2024 | 00:46:14 | In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut welcome Matt Rose, an experienced technical AppSec testing leader. Matt discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security, exploring how different perceptions affect its understanding. Matt provides insights into the XZ compromise, critiques the buzzword 'shift left,' and discusses the role of digital twins and AI in enhancing supply chain security. He emphasizes the need for a comprehensive approach beyond SCA, the relevance of threat modeling, and the potential risks and benefits of AI in security. The discussion also touches on industry trends, the importance of understanding marketing terms, and the future directions of AppSec. Mentioned in the episode: The Application Security Program Handbook by Derek Fisher. |
| Thinking back, Looking forward - A Balanced Approach to Securing our Software Future | 15 Jul 2021 | 01:11:53 | Kevin Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He leverages his knowledge to create meaningful solutions and technologies to improve software security practices. Kevin and I had a conversation to discuss software security from the past and into the future. We cover how to make security easier for developers, SBOM, software minimalism, cyber resiliency, and so much more! We hope you enjoy this conversation with Kevin Greene. |
| Jeevan Singh -- Threat modeling based in democracy | 11 Jun 2021 | 00:36:18 | Jeevan Singh is a Security Engineering Manager at Segment, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Before life in the security space, Jeevan had a wide variety of development and leadership roles over the past 15 years. Jeevan joins us to speak about self-serve threat modeling at Segment, or threat modeling based in democracy. We discuss the focus of the program, how it fits into their development methodology, and their ultimate goal for the threat modeling program. We hope you enjoy this conversation with Jeevan Singh. |
| Dima Kotik -- Application Security and the Zen of Python | 21 May 2021 | 00:39:17 | Dima Kotik is an Application Security Engineer at Security Journey and has been programming in Python for years. As he was working on building out Security Journey's Secure Coding with Python content, he came across the Zen of Python, a set of guidelines for how to program in Python. He wrote a blog post about how to apply application security to the Zen of Python, and then we recorded this interview to talk about the concept in more depth. We hope you enjoy this interview with Dima Kotik. |
| Dustin Lehr -- Advocating and being on the side of developers | 07 May 2021 | 00:36:34 | Before taking the plunge into information security leadership, Dustin Lehr spent over a decade as a software engineer and architect in a variety of industries, including retail, DoD, and even video games. This diverse background has helped him forge close partnerships with development teams, engineering leaders, and software security advocates while pursuing the organizational culture shift of building good security habits into daily work. Dustin joins us to talk about the challenges developers face with security and so much more. We hope you enjoy this conversation with Dustin Lehr. |
| Aaron Rinehart -- Security Chaos Engineering | 30 Apr 2021 | 00:48:37 | Aaron Rinehart is expanding the possibilities of chaos engineering to cybersecurity. He began pioneering security in chaos engineering when he released ChaoSlingr during his tenure as Chief Security Architect at UnitedHealth Group (UHG). Rinehart is the O'Reilly author of Security Chaos Engineering and has recently founded a chaos engineering startup called Verica with Casey Rosenthal from Netflix. Aaron joins us to explain what the heck security chaos engineering is. We explore the origin story of chaos engineering and security chaos engineering, and how a listener can get started with this new technique. We hope you enjoy this conversation with Aaron Rinehart. |
| Izar Tarandach and Matt Coles -- Threat Modeling: A Practical Guide for Development Teams | 23 Apr 2021 | 00:50:05 | In this episode of the Application Security Podcast, we're joined by friends Izar and Matt, authors of the book "Threat Modeling: A Practical Guide for Development Teams." Izar is currently the Squarespace Principal Security Engineer. He lives in NY, where he enjoys telling people who separate security from development to get off his lawn. Matt is currently a Product & Application Security Engineer at Dell Technologies. Matt lives in Massachusetts, is an avid gamer, and enjoys time with his family when not thinking or talking to others about security. We discuss why they wrote the book, what it covers, the target audience, and how to wield the information within to threat model all the things. Robert and I both love the book and highly recommend it; on this episode, you'll hear why. |
| Charles Shirer -- The most positive person in security | 16 Apr 2021 | 00:35:44 | Charles is a Senior Security Consultant for Red Siege. He has over 18 years of experience in IT. In his spare time, Charles does retro gaming and works on the SECBSD open source project, a penetration testing distro. He currently works as staff at several security conferences and podcasts (GrumpyHackers, Positively Blue Team Cast), and is part of the MentalHealthHackers, DeadPixelSec, NovaHackers, and HackingIsNotACrime family. Charles joins us to talk about positivity in InfoSec. If you've never seen Charles's videos, you're missing out. We'll unpack what drives his positivity and how we as infosec / appsec people can embrace a more positive approach to our world. We hope you enjoy this conversation with Charles Shirer. |
| Leif Dreizler -- Tactical tips to shift engineering right | 09 Apr 2021 | 00:46:05 | Leif Dreizler is the manager of the Product Security team at Segment. Leif got his start in the security industry at Redspin doing security consulting work and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the LocoMocoSec Conference, and the AppSec California conference. Leif caught our attention when he published an article called Shifting Engineering Right: What security engineers can learn from DevSecOps. In this interview, we focus on the tactical tips and takeaways from the article, or how you as a security person can shift engineering right. We hope you enjoy this conversation with Leif Dreizler. |
| Vandana Verma -- OWASP Spotlight Series | 02 Apr 2021 | 00:23:58 | Vandana Verma is the President of InfoSec Girls and InfoSec Kids, a board of directors member for OWASP, and a leader for BSides Delhi. She joins us to introduce the OWASP Spotlight Series. With each video she creates, she highlights an OWASP project. We survey the projects she's covered and discuss a specific takeaway from each for the application security person. We hope you enjoy this conversation with Vandana Verma. |
| Dr. Anita D'Amico -- Do certain types of developers or teams write more secure code? | 25 Mar 2021 | 00:48:33 | Dr. Anita D'Amico is the CEO of Code Dx, which provides Application Security Orchestration and Correlation solutions to industry and government. Her roots are in experimental psychology and human factors. Her attention is now focused on enhancing the decisions and work processes of software developers and AppSec analysts to make code more secure. Anita joins us to discuss research she has done answering the question, "do certain types of developers or teams write more secure code?" As a security culture fanatic, this topic is near and dear to me. We hope you enjoy this conversation with Dr. Anita D'Amico. |
| James Berthoty -- Is DAST Dead? And the future of API security | 31 May 2024 | 00:44:56 | In this episode of the Application Security Podcast, host Chris Romeo welcomes James Berthoty, a cloud security engineer with a diverse IT background, to discuss his journey into application and product security. |
| Alyssa Miller -- Bringing security to DevOps and the CI/CD pipeline | 18 Mar 2021 | 00:40:24 | Alyssa Miller is a life-long hacker, security advocate, and cybersecurity leader. She is the BISO for S&P Global Ratings and has over 15 years of experience in security roles. She is heavily involved in the cybersecurity community as an international speaker, author, and advocate. Alyssa joins us to talk about bringing security to DevOps and the CI/CD pipeline. We talk about the success of the DevOps transformation and the mistakes AppSec teams make with DevOps, and explore the possibility that DevSecOps is becoming its own silo. We hope you enjoy this conversation with Alyssa Miller. |
| Liran Tal — Cloud native application security, what's a developer to do? | 09 Mar 2021 | 00:42:07 | Liran Tal is an application security activist and long-time proponent of open-source software. He is a member of the Node.js security working group, an OWASP project lead, author of Essential Node.js Security, and O'Reilly's Serverless Security. He leads the developer advocacy team at Snyk on a mission to empower developers with better dev-first security. Liran joins us to talk about cloud-native and application security. We begin by defining cloud-native and the changes it is causing. We then get into threats in a cloud-native world and the role of developers and AppSec. We hope you enjoy this conversation with Liran Tal. |
| Chris Romeo — DevSecOps Fails | 17 Feb 2021 | 00:27:35 | For this episode, Robert and I decided to talk about an article I wrote called "DevOps security culture: 12 fails your team can learn from". We hope you enjoy this walkthrough of the 12 fails. If we missed any, hit us up on Twitter and let us know what we should add to the list. |
| Jim Routh — Secure software pipelines | 10 Feb 2021 | 00:44:45 | Jim Routh has built software security programs at some of the biggest brands in the world. He has served as CISO or CSO six different times in his career, always staying close to his cyber and software security roots. Jim has hung up his CISO badge and now focuses on serving on boards and advising security-focused startups. Jim's original AppSec Podcast episode is our most-listened-to episode of all time. Having the opportunity to interact with Jim and absorb his vast wisdom and knowledge is a treat for everyone. At the end of this interview, my immediate thought was to go back and listen to this one again. Jim talks with us about the impact of DevSecOps on the CISO, security controls for a DevSecOps pipeline model, and whether "shift left" is still the dominant theme for software security. We hope you enjoy this conversation with Jim Routh. |
| Andrew van der Stock — Taking Application Security to the Masses | 20 Jan 2021 | 00:30:41 | Andrew van der Stock has been around the world of Application Security for quite a long time. In 2020, he took over as the Executive Director of OWASP, and he's working from within the organization to further the mission of taking application security to the masses. We discuss Andrew's OWASP origin story, and he defines OWASP and the OWASP core mission. We talk membership and the future, and drop some details about the upcoming 20th anniversary of OWASP. We hope you enjoy this conversation with Andrew van der Stock. |
| JC Herz and Steve Springett — SBOMs and software supply chain assurance | 12 Jan 2021 | 00:48:10 | JC Herz is the COO of Ion Channel, a software logistics and supply chain assurance platform for critical infrastructure. She is a visiting fellow at George Mason's National Security Institute and co-chairs a Department of Commerce working group on software bills of materials for security-sensitive public and private sector enterprises. JC and Steve Springett join us to talk all things software bill of materials. We define what an SBOM is and what it's used for. We talk about the threats an SBOM counters, who started it, and the OWASP tie-in. JC concludes our time by explaining why now is the time YOU must care about SBOMs. We hope you enjoy this conversation with JC Herz and Steve Springett. |
| Brian Reed — Mobile Appsec: The Good, the Bad and the Ugly as We Head into 2021 | 06 Jan 2021 | 00:34:56 | Brian Reed is Chief Mobility Officer at NowSecure. Brian has over 30 years in tech and 15 years in mobile, security, and apps dating back to the birth of mobile, including BlackBerry, Good Technology, BoxTone, and MicroFocus. Brian joins us to discuss mobile application security: the good, the bad, and the ugly as we head into 2021. We discuss recent issues in mobile apps, mobile firewalls, mobile vs. web, and how AppSec is different in a mobile world. We hope you enjoy this conversation with Brian Reed. |
| The Threat Modeling Manifesto – Part 2 | 24 Nov 2020 | 00:24:50 | This is part two of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. In this episode, we move on from definition to working through the values and principles that make up threat modeling, and then we ship the product. The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy. |
| The Threat Modeling Manifesto – Part 1 | 17 Nov 2020 | 00:25:19 | This is part one of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. Our intention is to share a distilled version of our collective threat modeling knowledge in a way that should inform, educate, and inspire other practitioners to adopt threat modeling as well as improve security and privacy during development. We developed this Manifesto after years of experience thinking about, performing, teaching, and developing the practice of threat modeling. We have diverse backgrounds as industry professionals, academics, authors, hands-on experts, and presenters. We bring together varied perspectives on threat modeling. Our ongoing conversations, which focus on the conditions and approaches that lead to the best results in threat modeling, as well as how to correct when we fail, continue to shape our ideas. The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy. |
| Season 7 Guests — The best of Season 7 | 26 Oct 2020 | 00:40:27 | This is our final episode of Season 7, and we thought we'd share some of our favorite clips with you. We've covered lots of ground, from featuring many OWASP projects to DevSecOps, penetration testing, AWS security, SameSite cookies, crypto, and that just scratches the surface. We hope you enjoy this wrap-up episode with a whole bunch of Season 7 guests. |
| Mark Curphey and Simon Bennetts -- Riding the Coat Tails of ZAP, without Open Source Funding | 21 May 2024 | 00:42:32 | Mark Curphey and Simon Bennetts join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP. Curphey talks about going fully independent and building a non-profit, sustainable model for ZAP. The key is getting companies in the industry, especially companies commercializing ZAP, to properly fund its ongoing development and maintenance. Bennetts, who has led ZAP for over 15 years, shares the harsh reality that while ZAP is likely the world's most popular web scanner with millions of active users per month, very few companies contribute back financially despite making millions by building products and services on top of ZAP. Curphey and Bennetts are asking those in the industry to step up and properly fund open source projects like ZAP that are critical infrastructure, rather than freeloading off the hard work of a few individuals. Curphey's company is investing substantial funds in a "responsible marketing" model to sustain ZAP as a non-profit, with hopes others will follow this ethical example to prevent open source security from going down a dangerous path. |
| Aviat Jean-Baptiste — The AppSec report | 13 Oct 2020 | 00:32:38 | Jb Aviat is CTO and co-founder at Sqreen. Prior to this, Jb worked at Apple as a reverse engineer, pentester, and developer. Jb joins us to discuss the new Application Security Report that Sqreen has released. We review what the report contains, key takeaways and conclusions, and even consider which framework/language is the most secure. We hope you enjoy this conversation with Jb Aviat. |
| Frank Rietta — The convergence of Ruby on Rails and #AppSec | 06 Oct 2020 | 00:49:33 | Frank Rietta is the CEO of Rietta.com, a security-focused web application firm. He is a web application security architect, expert witness, author, and speaker. Frank joins us to discuss secure coding with Ruby on Rails. We get into a discussion about RoR vs. other languages, primary threats, counters to those threats, and tools available to the RoR developer to assist with security. We hope you enjoy this conversation with Frank Rietta. |
| Dmitry Sotnikov – REST API Security – there is no silver bullet | 30 Sep 2020 | 00:33:23 | Dmitry Sotnikov serves as Chief Product Officer at 42Crunch, an enterprise API security company. He maintains https://APISecurity.io, a popular community site with daily API security news and a weekly newsletter covering API vulnerabilities, breaches, standards, best practices, regulations, and tools. Dmitry joins us to discuss REST API security. We talk about the top API security threats, counters to those threats, and the details on APISecurity.IO. We hope you enjoy this conversation with Dmitry Sotnikov. |
| Caroline Wong — The state of Penetration Testing | 22 Sep 2020 | 00:35:06 | Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec Product Manager, and day-to-day leadership roles at eBay and Zynga. Caroline joins us to talk about penetration testing and reviews key findings from the Cobalt.io "State of Pentesting" report. We hope you enjoy Caroline Wong's second visit to the Application Security Podcast. |
| Aaron Davis — LavaMoat — solving JavaScript software supply chain | 15 Sep 2020 | 00:40:08 | Aaron Davis is a founder, developer, and lead security researcher at MetaMask, a popular Ethereum wallet. He introduces us to LavaMoat, an approach to solving JavaScript software supply chain security for Node.js and the browser. The LavaMoat runtime prevents modifying JavaScript's primordials, limits access to the platform API, and prevents packages from corrupting other packages. We hope you enjoy this conversation with Aaron Davis. |
| Anastasiia Voitova — Use Cryptography; Don't Learn It | 10 Sep 2020 | 00:34:46 | Anastasiia Voitova is a software engineer who works on data security solutions at @cossacklabs, making complex crypto easy to use in modern software. She joins us to explore the idea of boring crypto. She caught our attention with a talk at OWASP 24 where she encouraged developers NOT to learn crypto. You'll have to listen to understand her rationale. She explains the mistakes folks make with crypto, what boring crypto is, and how to get started implementing boring crypto. We hope you enjoy this conversation with Anastasiia Voitova. |
| Michael Furman — SameSite Cookies | 03 Sep 2020 | 00:35:34 | Michael Furman is the Lead Security Architect at Tufin, and is responsible for the security and Security Development Lifecycle (SDL) of Tufin software products. Michael has been passionate about application security for over 13 years and evangelizes about application security at various conferences (including OWASP conferences) and security meetups. Michael joins us to break down SameSite cookies, which are all the rage in browsers these days. He describes what they are, the threats they counter, and how SameSite and the Synchronizer Token Pattern work together to counter CSRF. We hope you enjoy this conversation with Michael Furman. |
| Chris Romeo — The State of Security and the Importance of Empathy | 27 Aug 2020 | 00:43:53 | Application security applies to everyone, network architects included. Chris had an opportunity to join a friend's podcast called "The Hedge." Chris talks with hosts Tom and Russ about the state of security and what network engineers need to know about security from an application perspective. They talk about the importance of empathy in all jobs, walking a mile in the shoes of those that work around you. You'll find this episode on the Hedge site at https://rule11.tech/hedge-048/. |
| Neil Matatall — Content Security Policy | 04 Aug 2020 | 00:43:02 | Neil Matatall is a product security engineer at GitHub. He focuses on designing and engineering user experience solutions related to authentication and account recovery. Working remotely from Hawaii, Neil is a strong believer in the future of remote work. Neil joins us for a deep dive into Content Security Policy. We explore what it is, its purpose, and why it's so difficult to implement. We hope you enjoy this conversation with Neil Matatall. Library mentioned: https://github.com/github/secure_headers |
| Grant Ongers — Gamification of threat modeling | 28 Jul 2020 | 00:37:38 | Grant Ongers is co-founder of the bearded trio called Secure Delivery, with a philosophy and purpose for optimal delivery and security in one dynamic package. Grant's experience spans Dev, Ops, and Security, with over 30 years pushing the limits of (Info)Sec. Grant's community involvement is global: staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at BlackHat (USA and EU), and an OWASP Global Board member. Grant joins us to talk about gamification and threat modeling, and introduces me to the OWASP Cornucopia card game, which you can use to teach developers and product team members threat modeling in a fun and engaging way. We hope you enjoy this conversation with Grant Ongers. Twitter: @rewtd |
| Devin Rudnicki -- Expanding AppSec | 14 May 2024 | 00:35:57 | Devin Rudnicki, the Chief Information Security Officer at Fitch Group, shares her journey of developing an application security program from scratch and advancing to the CISO role. She emphasizes the importance of collaboration, understanding the organization's business, and using metrics to drive positive change in the security program. Book mentioned: Elon Musk by Walter Isaacson. |
| Elie Saad — OWASP WSTG, Cheat Sheets, and Integration | 21 Jul 2020 | 00:41:24 | Elie Saad is an application security engineer leading three different OWASP projects. He focuses on helping developers own and champion security in their projects by providing guidance, tests, and secure pipeline design, and by aiding them in applying external security measures. In this conversation, Elie educates us about the current happenings with WSTG, Cheat Sheets, and the Integration Standard. He walks us through demos of each project. We hope you enjoy this conversation with Elie Saad. Twitter: @7hunderson |
| Graham Holmes — Adversarial Machine Learning | 13 Jul 2020 | 00:45:44 | Graham Holmes is the founder and owner of AoP CyberSecurity, LLC, whose mission is to enable organizations to "create scalable and effective strategies for trustworthy outcomes." His career includes over 22 years as a leader at Cisco Systems, where he infamously served as my boss for a period of time, and before that he served in the US Navy as a commissioned officer for 9 years. Graham joins us to discuss adversarial machine learning. We explore the threats and attacks in an AI/ML world, and review solutions to address these challenges using trust as a foundation. Please enjoy this conversation with Graham Holmes. Book mentioned: Life 3.0 (https://www.amazon.com/Life-3-0-Being-Artificial-Intelligence/dp/1101946598) |
| Ochaun Marshall — Securing Web applications in AWS | 07 Jul 2020 | 00:38:08 | Ochaun Marshall is a developer and security consultant. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people's web applications. Ochaun joins us to talk about the changing tide of serverless and frustrations with AWS security. Before we got to the actual topic, we talked about how he currently works as a developer sometimes and a pen tester/security person the rest of the time, and the conflict that arises from this split role. Please enjoy this conversation with Ochaun Marshall. Twitter: @OchaunM |
| Drew Dennison – Security should make the computer sweat more | 30 Jun 2020 | 00:30:20 | Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Drew joins us to introduce a tool called semgrep. Semgrep is a fast source code analysis tool, potentially faster than anything you've seen before. If you want to see the live demo of semgrep, head over to the Application Security Podcast YouTube channel to see the video. We hope you enjoy this conversation with Drew Dennison. Twitter: DrewDennison |
| Aaron Guzman — IoTGoat | 23 Jun 2020 | 00:36:05 | Aaron Guzman specializes in IoT, embedded, and automotive security. Aaron is the co-author of "IoT Penetration Testing Cookbook". He helps lead both OWASP's Embedded Application Security and Internet of Things projects, providing practical guidance for addressing top security vulnerabilities to the embedded and IoT community. Aaron joins us to explore IoTGoat. IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals on testing for commonly found vulnerabilities in IoT devices. He describes what it is, where it comes from, and does a demo for us on how to put it to use. For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now include demos, where we capture the screen during the interview. We hope you enjoy this conversation with Aaron Guzman. |
| Adam Shostack — The Jenga View of Threat Modeling | 16 Jun 2020 | 00:31:13 | |
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. Adam joins us to discuss his new white paper called the Jenga View of Threat Modeling. For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview. You can grab a copy of the whitepaper on Adam’s site, https://associates.shostack.org/whitepapers. | |||
| Cindy Blake — Aligning security testing with Agile development | 09 Jun 2020 | 00:29:45 | |
Cindy Blake is the Senior Security Evangelist at GitLab. Cindy collaborates with major enterprises on best practices for integrated DevSecOps application security solutions. She is proud to introduce her new book, “10 Steps to Securing Next-Gen Software”. The book combines her cyber security experience with a background in lean and software development, and simplifies the complexities of today’s software evolution into pragmatic advice for security programs. Cindy joins us to discuss how to align security testing with Agile development. For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview. | |||
| Jannik Hollenbach — Multijuicer: JuiceShop with a side of Kubernetes | 02 Jun 2020 | 00:19:31 | |
Jannik Hollenbach is a Security Automation Engineer at iteratec GmbH, working on and with open source security testing tools to continuously detect security vulnerabilities in the company’s software and systems. He is also a member of the OWASP Juice Shop project team. Jannik joins us to discuss MultiJuicer, or how to run JuiceShop in a Kubernetes cluster, with a separate JuiceShop instance for each user. For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview. We hope you enjoy this conversation with… Jannik Hollenbach. | |||
| Sebastien Deleersnyder and Bart De Win — OWASP SAMM | 26 May 2020 | 00:40:13 | |
Sebastien Deleersnyder is co-founder and CEO of Toreon, and Bart De Win is a director within PwC Belgium. They work together to co-lead both the OWASP Belgium Chapter and the OWASP SAMM project. Sebastien and Bart join us to introduce OWASP SAMM 2.0. OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security that they can integrate into an existing Software Development Lifecycle (SDLC). We explore where it came from and walk through the framework. For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview. We hope you enjoy this conversation with… Sebastien and Bart. | |||
| Marc French, Steve Lipner, Maya Kaczorowski, DJ Schleen, Kim Wuyts — Season Six Wrap up | 14 May 2020 | 00:25:15 | |
We’ve reached the end of season six, and here are a few of our favorite clips. Season seven is around the corner. | |||
| Dustin Lehr -- Culture Change through Champions and Gamification | 16 Apr 2024 | 00:45:10 | |
Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocates. He emphasizes the importance of fostering a security culture and leveraging gamification to engage developers effectively. They also cover the challenges of implementing security practices within the development process and how to justify the need for a champion program to engineering leadership. Dustin shares insights from his career transition from a developer to a cybersecurity professional, and he provides practical advice for organizations looking to enhance their security posture through community and culture-focused approaches. | |||
| Mark Merkow — Secure, Resilient, and Agile Software Development | 11 Apr 2020 | 00:39:53 | |
Mark Merkow works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO. Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis and design, security engineering, and security management. Mark has authored or co-authored 17 books on IT and has been a contributing editor to four others. Mark joins us to discuss how application security and Agile software development methodology fit together. We hope you enjoy this conversation with… Mark Merkow. | |||
| Zsolt Imre — Fuzz testing is easy | 06 Apr 2020 | 00:37:34 | |
Zsolt is the founder and CTO of GUARDARA with more than 15 years of experience in cybersecurity, on both the offensive and defensive side. Zsolt explains fuzz testing, who does it, and why. He also helps us understand how to deal with fuzz testing results, and how to get started doing fuzz testing on your own. We hope you enjoy this conversation with… Zsolt Imre. | |||
| Adam Shostack — Remote Threat Modeling | 28 Mar 2020 | 00:31:11 | |
Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the YouTube version of the episode. Bio: Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. He’s a member of the Black Hat Review Board, is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. | |||