Episodes

  • Join Robert and Chris Romeo as they dive into the world of pen testing with their guest Phillip Wylie. In this episode, Phillip shares his unique journey from professional wrestling to becoming a renowned pen tester. Hear some great stories from his wrestling days, in-depth discussions on application security, and good advice on starting a career in cybersecurity. Whether you're interested in pen testing techniques, learning about security origin stories, or gaining insights into career development, this episode has something for everyone!

    The Pentester Blueprint: Starting a Career as an Ethical Hacker by Phillip Wylie

    The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto

    Where to find Phillip:

    Website: https://thehackermaker.com/
    Podcast: https://phillipwylieshow.com/
    X: https://x.com/PhillipWylie
    LinkedIn: https://www.linkedin.com/in/phillipwylie/

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut welcome back Steve Springett, an expert in secure software development and a key figure in several OWASP projects. Steve unpacks CycloneDX and the value proposition of the various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show, so we also learn a bit more about his hobbies, a personal glimpse into his life outside of technology.

    Links from this episode:

    https://cyclonedx.org/

    Previous episodes with Steve Springett:
    JC Herz and Steve Springett -- SBOMs and software supply chain assurance

    Steve Springett -- An insider's checklist for Software Composition Analysis

    Steve Springett -- Dependency Check and Dependency Track

    Book:
    Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner





  • Join Irfaan Santoe and hosts Chris Romeo and Robert Hurlbut for an in-depth discussion on the maturity and strategy of Application Security programs. They delve into measuring AppSec maturity, return on investment, and communicating technical needs to business leaders. Irfaan shares his unique journey from consulting to becoming an AppSec professional, and addresses the gaps between CISOs and AppSec knowledge. This episode provides valuable insights for scaling AppSec programs and aligning them with business objectives.


  • Join Chris Romeo and Robert Hurlbut as they sit down with Andrew van der Stock, a leading web application security specialist and executive director at OWASP. In this episode, Andrew discusses the latest with the OWASP Top 10 project, the importance of data collection, and the need for developer engagement. Learn about the methodology behind building the OWASP Top 10, the significance of framework security, and much more. Tune in to get vital insights that could shape the future of web application security. Don't miss this informative discussion!

    Previous episodes with Andrew van der Stock:
    Andrew van der Stock -- Taking Application Security to the Masses

    Andrew van der Stock and Brian Glas -- The Future of the OWASP Top 10

    Books mentioned in the episode:
    The Crow Road by Iain Banks

    Edward Tufte


  • In this episode of the Application Security Podcast, Chris Romeo and Robert Hurlbut welcome back Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of entry-level roles in the industry. The discussion also explores the value of certifications, the necessity of lifelong learning, and the importance of networking. Tune in for valuable insights on getting noticed in cybersecurity, resume tips, and the evolving landscape of AppSec careers.

    Mentioned in this episode:
    The Application Security Handbook by Derek Fisher

    With the Old Breed by E.B. Sledge

    Cyber for Builders by Ross Haleliuk

    Effective Vulnerability Management by Chris Hughes


    Previous episode:
    Derek Fisher – The Application Security Handbook




  • Join us for a conversation with Tanya Janca, also known as SheHacksPurple, as she discusses secure guardrails, the difference between guardrails and paved roads, and how to implement both in application security.

    Tanya, an award-winning public speaker and head of education at Semgrep, shares her insights on creating secure software and teaching developers. Tanya also tells us about her hobby farm and love for gardening.

    Mentioned in this episode:

    Tanya Janca – What Secure Coding Really Means

    Tanya Janca – Mentoring Monday - 5 Minute AppSec

    Tanya Janca and Nicole Becher – Hacking APIs and Web Services with DevSlop

    The Expanse Series by James S.A. Corey

    Alice and Bob Learn Application Security by Tanya Janca


  • In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut are joined by Jahanzeb Farooq to discuss his journey in cybersecurity and the challenges of building AppSec programs from scratch. Jahanzeb shares his experience working in various industries, including Siemens, Novo Nordisk, and Danske Bank, highlighting the importance of understanding developer needs and implementing the right tools.

    The conversation covers the complexities of cybersecurity in the pharmaceutical and financial sectors, shedding light on regulatory requirements and the role of software in critical industries. Learn about prioritizing security education, threat modeling, and navigating digital transformation.

    Mentioned in this Episode:

    The Power of Habit by Charles Duhigg




  • In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut engage in a deep discussion with guest David Quisenberry about various aspects of application security. They cover David's journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making.

    The conversation also delves into the value of mentoring, the vital role of trust with engineering teams, and the significance of mental health and community in the industry. Additionally, Chris, David and Robert share personal stories that emphasize the importance of relationships and balance in life.

    Books Shared in the Episode:

    Site Reliability Engineering by Betsy Beyer, Chris Jones, Jennifer Petoff and Niall Richard Murphy

    The Phoenix Project by Gene Kim, Kevin Behr and George Spafford

    Security Chaos Engineering by Aaron Rinehart and Kelly Shortridge

    CISO Desk Reference Guide by Bill Bonney, Gary Hayslip and Matt Stamper

    Wiring the Winning Organization by Gene Kim and Dr. Steven J. Spear

    The Body Keeps the Score by Bessel van der Kolk, M.D.

    Intelligence Driven Incident Response by Rebekah Brown and Scott J. Roberts

    Never Eat Alone by Keith Ferrazzi

    Thinking Fast and Slow by Daniel Kahneman

    Do Hard Things by Steve Magness

    How Leaders Create and Use Networks, Whitepaper by Herminia Ibarra and Mark Lee Hunter




  • In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut welcome Matt Rose, an experienced technical AppSec testing leader. Matt discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security, exploring how different perceptions affect its understanding. Matt provides insights into the XZ compromise, critiques the buzzword 'shift left,' and discusses the role of digital twins and AI in enhancing supply chain security. He emphasizes the need for a comprehensive approach beyond SCA, the relevance of threat modeling, and the potential risks and benefits of AI in security. The discussion also touches on industry trends, the importance of understanding marketing terms, and the future directions of AppSec.

    Mentioned in the episode:

    The Application Security Program Handbook by Derek Fisher
    https://www.manning.com/books/application-security-program-handbook

    Podcast Episode: Derek Fisher – The Application Security Program Handbook
    https://youtu.be/DgmlHgNT-UM

    Authors mentioned:
    Stephen E. Ambrose https://www.simonandschuster.com/authors/Stephen-E-Ambrose/1063454
    Mark Frost https://en.wikipedia.org/wiki/Mark_Frost


  • In this episode of the Application Security Podcast, host Chris Romeo welcomes James Berthoty, a cloud security engineer with a diverse IT background, to discuss his journey into application and product security.

    The conversation spans James's career trajectory from IT operations to cloud security, his experiences with security tools like Snyk and StackHawk, and the evolving landscape of Dynamic Application Security Testing (DAST) and API security. They delve into the practical challenges of CVEs, reachability analysis, and the complexities of patching in mid-sized companies. James shares his views on the often misunderstood role of WAF and the importance of fixing issues over merely identifying them.

    The discussion concludes with insights into James's initiative, Latio Tech, which aims to help security professionals evaluate and understand application security products better.

    James Berthoty’s LinkedIn post: AppSec Kool-Aid Statements I Disagree With
    https://www.linkedin.com/posts/james-berthoty_appsec-kool-aid-statements-i-disagree-with-activity-7166084208686256128-tb1U?utm_source=share&utm_medium=member_desktop

    What is Art by Leo Tolstoy
    https://www.gutenberg.org/files/64908/64908-h/64908-h.htm


  • Mark Curphey and Simon Bennetts join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP.

    Curphey shares about going fully independent and building a non-profit sustainable model for ZAP. The key is getting companies in the industry, especially companies commercializing ZAP, to properly fund its ongoing development and maintenance.

    Bennetts, who has led ZAP for over 15 years, shares the harsh reality that while ZAP is likely the world's most popular web scanner with millions of active users per month, very few companies contribute back financially despite making millions by building products and services on top of ZAP.

    Curphey and Bennetts are asking those in the industry to step up and properly fund open source projects like ZAP that are critical infrastructure, rather than freeloading off the hard work of a few individuals. Curphey's company is investing substantial funds in a "responsible marketing" model to sustain ZAP as a non-profit, with hopes that others will follow this ethical example and prevent open source security from going down a dangerous path.


  • Devon Rudnicki, the Chief Information Security Officer at Fitch Group, shares her journey of developing an application security program from scratch and advancing to the CISO role. She emphasizes the importance of collaboration, understanding the organization's business, and using metrics to drive positive change in the security program.

    Elon Musk by Walter Isaacson
    Steve Jobs by Walter Isaacson
    The Code Breaker: Jennifer Doudna, Gene Editing, and the Future of the Human Race by Walter Isaacson
    https://www.simonandschuster.com/authors/Walter-Isaacson/697650


  • Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocates. He emphasizes the importance of fostering a security culture and leveraging gamification to engage developers effectively. They also cover the challenges of implementing security practices within the development process and how to justify the need for a champion program to engineering leadership. Dustin shares insights from his career transition from a developer to a cybersecurity professional, and he provides practical advice for organizations looking to enhance their security posture through community and culture-focused approaches.

    Links:
    "Maker's Schedule, Manager's Schedule" article by Paul Graham — https://www.paulgraham.com/makersschedule.html

    Never Split the Difference by Chris Voss & Tahl Raz —
    https://www.harpercollins.com/products/never-split-the-difference-chris-vosstahl-raz?variant=32117745385506


  • Francesco Cipollone, CEO of Phoenix Security, joins Chris and Robert to explain Application Security Posture Management (ASPM). Francesco shares his journey from developer to cybersecurity leader, revealing the origins and importance of ASPM. The discussion covers the distinction between application security and product security, the evolution of ASPM from SIEM solutions, and ASPM's role in managing asset vulnerabilities and software security holistically. Francesco emphasizes the necessity of involving the business side in security decisions and explains how ASPM enables actionable, risk-based decision-making. The episode also touches on the impact of AI on ASPM. It concludes with Francesco advocating for stronger integration between security, development, and business teams to effectively manage software security risks.

    Recommended Reading:
    Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup by Ross Haleliuk — https://ventureinsecurity.net/p/cyber-for-builders


  • Mukund Sarma, the Senior Director for Product Security at Chime, talks with Chris about his career path from being a software engineer to becoming a leader in application security. He explains how he focuses on building security tools that are easy for developers to use and stresses the importance of looking at application security as a part of the broader category of product security. Mukund highlights the role of collaboration over security mandates and the introduction of security scorecards for proactive risk management. He and Chris also discuss the strategic implementation of embedded security functions within development teams. Discover the potential of treating security as an enabling function for developers, fostering a culture of shared responsibility, and the innovative approaches Chime employs to secure its services with minimal friction for developers.

    Links
    Chime's Monocle
    -- https://medium.com/life-at-chime/monocle-how-chime-creates-a-proactive-security-engineering-culture-part-1-dedd3846127f
    -- https://medium.com/life-at-chime/mitigating-risky-pull-requests-with-monocle-risk-advisor-part-2-7013e1485bf2

    Introduction to Overwatch
    -- https://www.youtube.com/watch?v=QtZKBtw8VO4

    Recommended Reading
    Building Secure and Reliable Systems by Adkins, Beyer, Blankinship, Lewandowski, Oprea, Stubblefield -- https://www.oreilly.com/library/view/building-secure-and/9781492083115/
    Drive by Daniel Pink -- https://www.danpink.com/books/drive/


  • AppSec specialist Megan Jacquot joins Chris and Robert for a compelling conversation about community, career paths, and productive red team exercises. Megan shares her unique cybersecurity origin story, tracing her interest in the field from childhood influences through her tenure as an educator and her formal return to academia to pivot into a tech-focused career. She delves into her roles in threat intelligence and application security, emphasizing her passion for technical work, penetration testing, and bug bounty programs. Additionally, Megan highlights the importance of mentorship, her involvement with the Women in CyberSecurity (WiCyS) community, and her dedication to fostering the next generation of cybersecurity professionals.

    The discussion covers assumed breach and red team engagements in cybersecurity, the significance of empathy in bug bounty interactions, tips for Call for Papers (CFP) submissions, and the value of community engagement within organizations like OWASP and DEF CON. Megan concludes with insights on the importance of difficult conversations and giving back to the cybersecurity community.

    Links

    Difficult Conversations (How to Discuss What Matters Most) by Douglas Stone, Bruce Patton, Sheila Heen -- https://www.stoneandheen.com/difficult-conversations

    Being Henry: The Fonz...and Beyond by Henry Winkler -- https://celadonbooks.com/book/being-henry-fonz-and-beyond-henry-winkler/


  • Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, which led to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's presentation on the Veilid application framework, designed for privacy-driven mobile applications. Bill also explores his efforts in educating children about technology and programming, drawing on his experiences with KidzMash and other initiatives. Additionally, they delve into the challenges of application security, particularly modern software development practices and the utility of languages like Rust for creating secure applications. Bill concludes with intriguing thoughts on application security trends and the importance of a diverse skill set for both developers and security professionals.

    Helpful Links:

    Bill's homepage - https://www.sempf.net/
    CodeMash conference - https://codemash.org
    Veilid Application Framework - https://veilid.com/

    Math Without Numbers - https://www.amazon.com/Math-Without-Numbers-Milo-Beckman/dp/1524745545


  • Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words, "tame the threats to the threat modeling process."

    They explore the role of threat modeling in software development, emphasizing the dire consequences of overlooking this crucial process. They discuss why threat modeling serves as a cornerstone for security, and why Hendrik stresses the importance of adopting a process that is effective, efficient, and satisfying. If you care about secure software, you will want to listen in as Hendrik emphasizes why the approach to threat modeling, as well as the process itself, is so critical to success in security.

    Links:
    => Hendrik Ewerlin: https://hendrik.ewerlin.com/security/
    => Threat Modeling of Threat Modeling: https://threat-modeling.net/threat-modeling-of-threat-modeling/

    Recommended Reading:
    => Steal Like An Artist and other books by Austin Kleon https://austinkleon.com/books/


  • Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. The discussion also provides a series of fascinating insights into security practices, regulatory environments, and the value of a threat modeling champion. As a threat modeling practitioner, Jason provides an essential perspective to anyone serious about application security.


  • Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cybersecurity and his experience consulting about hacking for TV shows and movies. The conversation doesn't end before they peek into threat modeling, software engineering architecture, and the nuances of running security programs.

    Helpful Links:
    Security Engineering by Ross Anderson - https://www.wiley.com/en-us/Security+Engineering%3A+A+Guide+to+Building+Dependable+Distributed+Systems%2C+3rd+Edition-p-9781119642817

    New School of Information Security by Adam Shostack and Andrew Stewart - https://www.informit.com/store/new-school-of-information-security-9780132800280
