Episodes

  • Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with the game but should be an ongoing process throughout an application's lifecycle, ideally starting before implementation. He also shares insights from his book, which provides detailed examples and guidance for teams new to threat modeling using EoP.

    You can find Brett on X @brettcrawley

    Brett’s book:
    Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture

    Book recommendation:
    Conscious Business by Fred Kofman





    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always incorrect) and "semantic security" (context-dependent security emerging from system interactions). Mavaddat shares his perspective that security itself doesn't have independent existence but rather emerges from preventing undesirable states. The discussion concludes with practical implementation strategies, suggesting that while automated tools can handle syntactic security issues, organizations should focus more energy on semantic security by understanding business context and defining anti-requirements early in the development process.

    Mentioned in this episode:

    Matin’s article: Reframing Security: Unveiling Power Anti-Requirements

    Systems Thinking for Curious Managers by Russell Ackoff

    Antifragile by Nassim Nicholas Taleb

    The Black Swan by Nassim Nicholas Taleb

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Missing episodes?

    Click here to refresh the feed.

  • Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question, is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on their size. Otaner introduces the concept of "security as code" and "policy as code" as more effective approaches, where security functions are codified rather than relying on traditional documentation and checklists. Finally, they discuss the emergence of Application Security Posture Management (ASPM) tools as the "SIM for AppSec," suggesting these tools, especially when enhanced with AI, could help manage the overwhelming number of security alerts and issues that currently plague development teams.

    Mentioned in this Episode:
    Books by Yuval Noah Harari

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guidance. Francois has over 10 years of experience in building application security programs, he’s also the founder of the NorthSec conference in Montreal.

    Mentioned in the Episode:
    Cooking for Geeks by Jeff Potter
    Poutine
    Living Off the Pipeline project
    Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan and John Stawinski

    Where to find Francois:
    LinkedIn
    X: @francoisproulx

    Previous Episodes:
    François Proulx -- Actionable Software Supply Chain Security

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Steve Wilson, the author of 'The Developer's Playbook for Large Language Model Security’ is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of activity at the intersection of AppSec, LLM, and AI. We discuss the biggest fears surrounding LLMs and AI, and explore advanced concepts like Retrieval Augmented Generation and prompt injection.

    Links:
    The Developer’s Playbook for Large Language Model Security by Steve Wilson

    Find Steve on LinkedIn

    Previous Episodes:
    Steve Wilson -- OWASP Top Ten for LLMs
    Steve Wilson and Gavin Klondike -- OWASP Top Ten for LLM Applications Release


    Two people Steve recommends you look up:
    Chris Voss, Former FBI Negotiator and author of “Never Split the Difference”

    Arshan Dabirsiaghi

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Jeff Williams, a renowned pioneer in the field of application security is with us to discuss Application Detection and Response (ADR), detailing its potential to revolutionize security in production environments. Jeff shares stories from his career, including the founding of OWASP, and his take on security assurance. We cover many topics including; security assurance, life, basketball and plenty of AppSec as well.

    Where to find Jeff:
    LinkedIn: https://www.linkedin.com/in/planetlevel/

    Previous Episodes:
    Jeff Williams – The Tech of Runtime Security

    Jeff Williams – The History of OWASP

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Philip Wiley shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack and offer good advice on starting a career in cybersecurity. Philip shares some insights from his book, ‘The Pentester Blueprint: Starting a Career as an Ethical Hacker.’ And we discuss the impact of AI on pen testing and where this field is headed in the next few years.

    The Pentester Blueprint Starting a Career as an Ethical Hacker written by Phillip Wylie

    The Web Application Hacker’s Handbook written by Dafydd Stuttard, Marcus Pinto

    Where to find Phillip:

    Website: https://thehackermaker.com/
    Podcast: https://phillipwylieshow.com/
    X: https://x.com/PhillipWylie
    LinkedIn: https://www.linkedin.com/in/phillipwylie/

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Steve Springett, an expert in secure software development and a key figure in several OWASP projects is back. Steve unpacks CycloneDX and the value proposition of various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show so we learn a bit more about Steve's hobbies, providing a personal glimpse into his life outside of technology.


    Links from this episode:

    https://cyclonedx.org/

    Previous episodes with Steve Springett:
    JC Herz and Steve Springett -- SBOMs and software supply chain assurance

    Steve Springett — An insiders checklist for Software Composition Analysis

    Steve Springett -- Dependency Check and Dependency Track

    Book:
    Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner



    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Irfaan Santoe joins us for an in-depth discussion on the power of strategy in Application Security. We delve into measuring AppSec maturity, return on investment, and communicating technical needs to business leaders. Irfaan shares his unique journey from consulting to becoming an AppSec professional, and addresses the gaps between CISOs and AppSec knowledge. Irfaan shares valuable insights for scaling AppSec programs and aligning them with business objectives.

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Andrew Van Der Stok, a leading web application security specialist and executive director at OWASP joins us for this episode. We discuss the latest with the OWASP Top 10 Project, the importance of data collection, and the need for developer engagement. Andrew gives us the methodology behind building the OWASP Top 10, the significance of framework security, and much more.

    Previous episodes with Andrew Van Der Stock
    Andrew van der Stock — Taking Application Security to the Masses

    Andrew van der Stock and Brian Glas -- The Future of the OWASP Top 10

    Books mentioned in the episode:
    The Crown Road by Iain Banks

    Edward Tufte

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience is back on the podcast. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of entry-level roles in the industry. We discuss the value of certifications, the necessity of lifelong learning, and the importance of networking. Listen along for good advice on getting noticed in cybersecurity, resume tips, and the evolving landscape of AppSec careers.

    Mentioned in this episode:
    The Application Security Handbook by Derek Fisher

    With the Old Breed by E.B. Sledge

    Cyber for Builders by Ross Haleliuk

    Effective Vulnerability Management by Chris Hughes


    Previous episode:
    Derek Fisher – The Application Security Handbook



    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Tanya Janka, also known as SheHacksPurple, discusses secure guardrails, the difference between guardrails and paved roads, and how to implement both in application security. Tanya is an award-winning public speaker and head of education at SEMGREP and the best-selling author of ‘Alice and Bob Learn Application Security’. Tanya shares her insights on creating secure software and teaching developers in this episode.

    Mentioned in this episode:

    Tanya Janca – What Secure Coding Really Means

    Tanya Janca – Mentoring Monday - 5 Minute AppSec

    Tanya Janca and Nicole Becher – Hacking APIs and Web Services with DevSlop

    The Expanse Series by James S.A. Corey

    Alice and Bob Learn Application Security by Tanya Janca

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Jahanzeb Farooq discusses his journey in cybersecurity and the challenges of building AppSec programs from scratch. Jahanzeb shares his experience working in various industries, including Siemens, Novo Nordisk, and Danske Bank, highlighting the importance of understanding developer needs and implementing the right tools. The conversation covers the complexities of cybersecurity in the pharmaceutical and financial sectors, shedding light on regulatory requirements and the role of software in critical industries. Learn about prioritizing security education, threat modeling, and navigating digital transformation.

    Mentioned in this Episode:

    The Power of Habit by Charles Duhigg



    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • David Quisenberry shares about his journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making. The conversation delves into the value of mentoring and why it's important to build real relationships with the people you work with, the vital role of trust with engineering teams, and the significance of mental health and community in the industry.

    Books Shared in the Episode:

    SRE Engineering by Betsy Beyer, Chris Jones, Jennifer Petoff and Niall Richard Murphy
    The Phoenix Project by Gene Kim, Kevin Behr and George Spafford
    Security Chaos Engineering by Aaron Rinehart and Kelly Shortridge
    CISO Desk Reference Guide by Bill Bonney, Gary Hayslip, Matt Stamper
    Wiring the Winning Organization by Gene Kim and Dr. Steven J. Spear
    The Body Keeps the Score by Bessel van der Kolk, M.D.
    Intelligence Driven Incident Response by Rebekah Brown and Scott J. Roberts
    Never Eat Alone by Keith Ferrazzi
    Thinking Fast and Slow by Daniel Kahneman
    Do Hard Things by Steve Magness
    How Leaders Create and Use Networks, Whitepaper by Herminia Ibarra and Mark Lee Hunter



    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Matt Rose, an experienced technical AppSec testing leader discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security and exploring how different perceptions affect its understanding. Matt provides insights into the XZ compromise, critiques the buzzword 'shift left,' and discusses the role of digital twins and AI in enhancing the supply chain security. He emphasizes the need for a comprehensive approach beyond SCA, the relevance of threat modeling, and the potential risks and benefits of AI in security.

    Mentioned in the episode:

    The Application Security Program Handbook by Derek Fisher
    https://www.manning.com/books/application-security-program-handbook

    Podcast Episode: Derek Fisher – The Application Security Program Handbook
    https://youtu.be/DgmlHgNT-UM

    Authors mentioned:
    Steven E. Ambrose https://www.simonandschuster.com/authors/Stephen-E-Ambrose/1063454
    Mark Frost https://en.wikipedia.org/wiki/Mark_Frost

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • James Berthoty, a cloud security engineer with a diverse IT background, discusses his journey into application and product security. James highlights his career trajectory from IT operations to cloud security, his experiences with security tools like Snyk and StackHawk, and the evolving landscape of Dynamic Application Security Testing (DAST) and API security. They delve into the practical challenges of CVEs, reachability analysis, and the complexities of patching in mid-sized companies. James shares his views on the often misunderstood role of WAF and the importance of fixing issues over merely identifying them.

    James Berthoty’s LinkedIn post: AppSec Kool-Aid Statements I Disagree With

    What is Art by Leo Tolstoy

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Mark Curphey and Simon Bennetts, join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP.

    Curphey shares about going fully independent and building a non-profit sustainable model for ZAP. The key is getting companies in the industry, especially companies commercializing ZAP, to properly fund its ongoing development and maintenance.

    Bennetts, who has led ZAP for over 15 years, shares the harsh reality that while ZAP is likely the world's most popular web scanner with millions of active users per month, very few companies contribute back financially despite making millions by building products and services on top of ZAP.

    Curphey and Bennetts are asking those in the industry to step up and properly fund open source projects like ZAP that are critical infrastructure, rather than freeloading off the hard work of a few individuals. Curphey's company is investing substantial funds in a "responsible marketing" model to sustain ZAP as a non-profit, with hopes others will follow this ethical example to prevent open source security going down a dangerous path.

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Devon Rudnicki, the Chief Information Security Officer at Fitch Group, shares her journey of developing an application security program from scratch and advancing to the CISO role. She emphasizes the importance of collaboration, understanding the organization's business, and using metrics to drive positive change in the security program.

    Elon Musk - Walter Isaacson
    Steve Jobs - Walter Isaacson
    The Code Breaker: Jennifer Doudna, Gene Editing, and the Future of the Human Race - Walter Isaacson
    https://www.simonandschuster.com/authors/Walter-Isaacson/697650

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocates. He emphasizes the importance of fostering a security culture and leveraging gamification to engage developers effectively. They also cover the challenges of implementing security practices within the development process and how to justify the need for a champion program to engineering leadership. Dustin shares insights from his career transition from a developer to a cybersecurity professional, and he provides practical advice for organizations looking to enhance their security posture through community and culture-focused approaches.

    Links:
    "Maker's Schedule, Manager's Schedule" article by Paul Graham — https://www.paulgraham.com/makersschedule.html

    Never Split the Difference by Chris Voss & Tahl Raz —
    https://www.harpercollins.com/products/never-split-the-difference-chris-vosstahl-raz?variant=32117745385506

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Francesco Cipollone, CEO of Phoenix Security, joins Chris and Robert to discuss security and explain Application Security Posture Management (ASPM). Francesco shares his journey from developer to cybersecurity leader, revealing the origins and importance of ASPM. The discussion covers the distinction between application security and product security, the evolution of ASPM from SIEM solutions, and ASPM's role in managing asset vulnerabilities and software security holistically. Francesco emphasizes the necessity of involving the business side in security decisions and explains how ASPM enables actionable, risk-based decision-making. The episode also touches on the impact of AI on ASPM. It concludes with Francesco advocating for a stronger integration between security, development, and business teams to effectively manage software security risks.

    Recommended Reading:
    Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup by Ross Haleliuk — https://ventureinsecurity.net/p/cyber-for-builders

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~