))
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
…
continue reading
1
Javan Rasokat and Andra Lezza -- When Chatbots Go Rogue - Lessons Learned from Building and Defending LLM Applications
47:31
47:31
Play later
Play later
Lists
Like
Liked
47:31
Andra Lezza and Javan Rasokat discuss the complexities of securing AI and LLM applications. With years of experience in Application Security (AppSec), Andra and Javan share their journey and lessons from their DEF CON talk on building and defending LLMs. They explore critical vulnerabilities, prompt injection, hallucinations, and the importance of …
…
continue reading
1
Jim Routh -- The CISO Transition to the rest of life
49:36
49:36
Play later
Play later
Lists
Like
Liked
49:36
Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and admires, doing only work he finds fulfilling, and controlling when he works. He shares valuable lessons lea…
…
continue reading
1
Henrik Plate -- OWASP Top 10 Open Source Risks
38:26
38:26
Play later
Play later
Lists
Like
Liked
38:26
Henrik Plate joins us to discuss the OWASP Top 10 Open Source Risks, a guide highlighting critical security and operational challenges in using open source dependencies. The list includes risks like known vulnerabilities, compromised legitimate packages, name confusion attacks, and unmaintained software, providing developers and organizations a fra…
…
continue reading
1
Tanya Janca -- A Secure SDLC from a Developer's Perspective
48:54
48:54
Play later
Play later
Lists
Like
Liked
48:54
Security expert Tanya Janca discusses her new book "Alice and Bob Learn Secure Coding" and shares insights on making security accessible to developers. In this engaging conversation, she explores how security professionals can better connect with developers through threat modeling, maintaining empathy, and creating inclusive learning environments. …
…
continue reading
1
Mehran Koushkebaghi -- Security as a Systemic Concern: How to develop Anti-Requirements
45:08
45:08
Play later
Play later
Lists
Like
Liked
45:08
Mehran Koushkebaghi, a seasoned engineering expert, delves into the intricacies of systemic security. He draws parallels between civil engineering and IT systems, and explains the importance of holistic thinking in security design. Discover the difference between semantic and syntactic vulnerabilities and understand how anti-requirements play a cri…
…
continue reading
1
Kalyani Pawar -- Shaping AppSec at Startups
39:52
39:52
Play later
Play later
Lists
Like
Liked
39:52
Kalyani Pawar shares critical strategies for integrating security early and effectively in AppSec for startups. She recommends that startups begin focusing on AppSec around the 30-employee mark, with an ideal ratio of one AppSec professional per 10 engineers as the company grows. Pawar emphasizes the importance of building a security culture throug…
…
continue reading
Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landscape, and they're valuable for career advancement and securing resources. We discuss metrics categories and…
…
continue reading
1
MO Sadek -- Building an AppSec Program from Scratch
48:50
48:50
Play later
Play later
Lists
Like
Liked
48:50
Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by d…
…
continue reading
1
Brett Crawley -- Threat Modeling Gameplay with EoP
45:28
45:28
Play later
Play later
Lists
Like
Liked
45:28
Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with …
…
continue reading
1
Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements
50:20
50:20
Play later
Play later
Lists
Like
Liked
50:20
Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always…
…
continue reading
Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question, is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on their size. Otaner introduces the co…
…
continue reading
1
François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages
45:31
45:31
Play later
Play later
Lists
Like
Liked
45:31
François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guida…
…
continue reading
1
Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications
36:32
36:32
Play later
Play later
Lists
Like
Liked
36:32
Steve Wilson, the author of 'The Developer's Playbook for Large Language Model Security’ is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of activity at the intersection of AppSec, LLM, and AI. We discuss the biggest fears surrounding LLMs and AI, and exp…
…
continue reading
1
Jeff Williams -- Application Detection & Response (ADR)
51:28
51:28
Play later
Play later
Lists
Like
Liked
51:28
Jeff Williams, a renowned pioneer in the field of application security is with us to discuss Application Detection and Response (ADR), detailing its potential to revolutionize security in production environments. Jeff shares stories from his career, including the founding of OWASP, and his take on security assurance. We cover many topics including;…
…
continue reading
1
Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing
52:08
52:08
Play later
Play later
Lists
Like
Liked
52:08
Philip Wiley shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack and offer good advice on starting a career in cybersecurity. Philip shares some insights from his book, ‘The…
…
continue reading
1
Steve Springett -- Software and System Transparency
48:13
48:13
Play later
Play later
Lists
Like
Liked
48:13
Steve Springett, an expert in secure software development and a key figure in several OWASP projects is back. Steve unpacks CycloneDX and the value proposition of various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show so we l…
…
continue reading
1
Irfaan Santoe -- The Power of Strategy in AppSec
40:14
40:14
Play later
Play later
Lists
Like
Liked
40:14
Irfaan Santoe joins us for an in-depth discussion on the power of strategy in Application Security. We delve into measuring AppSec maturity, return on investment, and communicating technical needs to business leaders. Irfaan shares his unique journey from consulting to becoming an AppSec professional, and addresses the gaps between CISOs and AppSec…
…
continue reading
