Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
…
continue reading
Chris Romeo And Robert Hurlbut Podcasts
1
Francesco Cipollone - Agentic AI Manifesto
33:19
33:19
Play later
Play later
Lists
Like
Liked
33:19
Francesco Cipollone, the CEO of Phoenix Security, shares his extensive experience in AI and security, discussing the crucial difference between true AI agents and glorified chatbots. Learn why Phoenix Security utilizes six different LLMs instead of a single super agent. Understand the sobering economics behind AI implementation and the importance o…
…
continue reading
1
Simon Gibbs & Devika Gibbs -- Building Bridges with Games
36:03
36:03
Play later
Play later
Lists
Like
Liked
36:03
Simon and Devika Gibbs, the innovative minds behind Cybersec Games, join us on the episode today. Discover how the Gibbs duo are revolutionizing the way we teach and learn security concepts through interactive gaming. Learn about their journey from developing stationary for agile teams to delving into the world of threat modeling games like Elevati…
…
continue reading
1
Akansha Shukla - Modern AppSec: Securing APIs with Threat Modeling and DevSecOps
35:35
35:35
Play later
Play later
Lists
Like
Liked
35:35
Our guest today is Akansha Shukla, an information security professional with over 10 years of experience in application security, DevSecOps, and API security. We’re discussing why API security remains one of the least mature areas of AppSec today and exploring the challenges developers face when securing APIs. Akansha shares her insights on incorpo…
…
continue reading
The European Union's Cyber Resilience Act is set to revolutionize how we approach product security worldwide. In this episode, we sit down with application security expert Nariman Aga-Tagiyev to break down everything you need to know about this legislation. Nariman has over 20 years of software development experience and today he’s sharing his expe…
…
continue reading
1
Marisa Fagan - Measuring Security Culture
50:05
50:05
Play later
Play later
Lists
Like
Liked
50:05
Marisa Fagan, Head of Product at Katilyst and veteran security culture expert joins us today to share practical strategies for building and scaling security champions programs that actually work, from designing effective pilots to avoiding common pitfalls that can derail your initiatives. Learn how to motivate developers using the SAPs model (Statu…
…
continue reading
1
Aram Hovsepyan -- Your Security Dashboard is Lying to You: The Science of Metrics
40:52
40:52
Play later
Play later
Lists
Like
Liked
40:52
Aram Hovsepyan joins the podcast today to chat about the misconceptions behind common security metrics. Aram tells us how total vulnerability counts and CVSS scores can be misleading and he introduces us to the Goal Question Metric framework, this framework is a better approach to building truly effective security dashboards. Learn about the critic…
…
continue reading
1
Sean Varga -- OWASP Top 10 for AppSec Sales
47:13
47:13
Play later
Play later
Lists
Like
Liked
47:13
We’re discussing the intersections of application security (AppSec) and sales strategy with our guest, Sean Varga. Sean shares the unique challenges and best practices in AppSec sales, like the importance of empathy, understanding customer needs, and community participation. Learn about the OWASP top 10 for AppSec Sales and discover how to achieve …
…
continue reading
1
Sarah-Jane Madden -- What AI means for AppSec
37:59
37:59
Play later
Play later
Lists
Like
Liked
37:59
Sarah Jane Madden joins us to discuss the evolving role of AI in software development. We reflect on the changes and challenges posed by AI, including the potential for over-reliance and the misconception that traditional software engineering practices like the SDLC are obsolete. The conversation explores the nuances of AI-generated code, emphasizi…
…
continue reading
1
Dag Flachet -- Kaizen for your Appsec Program
35:54
35:54
Play later
Play later
Lists
Like
Liked
35:54
Dag Flachet joins us to discuss the concept of Kaizen and its application in improving application security. Dag shares his journey into the world of security, emphasizing the importance of iterative, small-step improvements. The conversation delves into how organizations can effectively implement maturity models to enhance their security programs,…
…
continue reading
1
Javan Rasokat and Andra Lezza -- When Chatbots Go Rogue - Lessons Learned from Building and Defending LLM Applications
47:31
47:31
Play later
Play later
Lists
Like
Liked
47:31
Andra Lezza and Javan Rasokat discuss the complexities of securing AI and LLM applications. With years of experience in Application Security (AppSec), Andra and Javan share their journey and lessons from their DEF CON talk on building and defending LLMs. They explore critical vulnerabilities, prompt injection, hallucinations, and the importance of …
…
continue reading
1
Jim Routh -- The CISO Transition to the rest of life
49:36
49:36
Play later
Play later
Lists
Like
Liked
49:36
Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and admires, doing only work he finds fulfilling, and controlling when he works. He shares valuable lessons lea…
…
continue reading
1
Henrik Plate -- OWASP Top 10 Open Source Risks
38:26
38:26
Play later
Play later
Lists
Like
Liked
38:26
Henrik Plate joins us to discuss the OWASP Top 10 Open Source Risks, a guide highlighting critical security and operational challenges in using open source dependencies. The list includes risks like known vulnerabilities, compromised legitimate packages, name confusion attacks, and unmaintained software, providing developers and organizations a fra…
…
continue reading
1
Tanya Janca -- A Secure SDLC from a Developer's Perspective
48:54
48:54
Play later
Play later
Lists
Like
Liked
48:54
Security expert Tanya Janca discusses her new book "Alice and Bob Learn Secure Coding" and shares insights on making security accessible to developers. In this engaging conversation, she explores how security professionals can better connect with developers through threat modeling, maintaining empathy, and creating inclusive learning environments. …
…
continue reading
1
Mehran Koushkebaghi -- Security as a Systemic Concern: How to develop Anti-Requirements
45:08
45:08
Play later
Play later
Lists
Like
Liked
45:08
Mehran Koushkebaghi, a seasoned engineering expert, delves into the intricacies of systemic security. He draws parallels between civil engineering and IT systems, and explains the importance of holistic thinking in security design. Discover the difference between semantic and syntactic vulnerabilities and understand how anti-requirements play a cri…
…
continue reading
1
Kalyani Pawar -- Shaping AppSec at Startups
39:52
39:52
Play later
Play later
Lists
Like
Liked
39:52
Kalyani Pawar shares critical strategies for integrating security early and effectively in AppSec for startups. She recommends that startups begin focusing on AppSec around the 30-employee mark, with an ideal ratio of one AppSec professional per 10 engineers as the company grows. Pawar emphasizes the importance of building a security culture throug…
…
continue reading
Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landscape, and they're valuable for career advancement and securing resources. We discuss metrics categories and…
…
continue reading
1
MO Sadek -- Building an AppSec Program from Scratch
48:50
48:50
Play later
Play later
Lists
Like
Liked
48:50
Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by d…
…
continue reading
