Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
David Quisenberry -- Building Security, People, and Programs
56:54
In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut engage in a deep discussion with guest David Quisenberry about various aspects of application security. They cover David's journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven …
Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People
46:14
In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut welcome Matt Rose, an experienced technical AppSec testing leader. Matt discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security, exploring how different perceptions affect…
James Berthoty -- Is DAST Dead? And the future of API security
44:56
In this episode of the Application Security Podcast, host Chris Romeo welcomes James Berthoty, a cloud security engineer with a diverse IT background, to discuss his journey into application and product security. The conversation spans James's career trajectory from IT operations to cloud security, his experiences with security tools like Snyk and …
Mark Curphey and Simon Bennetts -- Riding the Coat Tails of ZAP, without Open Source Funding
42:32
Mark Curphey and Simon Bennetts join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP. Curphey shares about going fully independent and building a non-profit sustainable model for ZAP. The key is getting companies in the industry, especially companies commercializing ZAP, to prop…
Devon Rudnicki, the Chief Information Security Officer at Fitch Group, shares her journey of developing an application security program from scratch and advancing to the CISO role. She emphasizes the importance of collaboration, understanding the organization's business, and using metrics to drive positive change in the security program. Elon Musk …
Dustin Lehr -- Culture Change through Champions and Gamification
45:10
Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocat…
Francesco Cipollone -- Application Security Posture Management and the Power of Working with the Business
38:11
Francesco Cipollone, CEO of Phoenix Security, joins Chris and Robert to discuss security and explain Application Security Posture Management (ASPM). Francesco shares his journey from developer to cybersecurity leader, revealing the origins and importance of ASPM. The discussion covers the distinction between application security and product securit…
Mukund Sarma -- Developer Tools that Solve Security Problems
46:32
Mukund Sarma, the Senior Director for Product Security at Chime, talks with Chris about his career path from being a software engineer to becoming a leader in application security. He explains how he focuses on building security tools that are easy for developers to use and stresses the importance of looking at application security as a part of the…
Meghan Jacquot -- Assumed Breach Red Team Engagements for AppSec
40:55
AppSec specialist Meghan Jacquot joins Chris and Robert for a compelling conversation about community, career paths, and productive red team exercises. Meghan shares her unique cybersecurity origin story, tracing her interest in the field from childhood influences through her tenure as an educator and her formal return to academia to pivot into a tec…
Bill Sempf -- Development, Security, and Teaching the Next Generation
39:44
Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, leading to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's pre…
Hendrik Ewerlin -- Threat Modeling of Threat Modeling
33:50
Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words,…
Jason Nelson -- Three Pillars of Threat Modeling Success: Consistency, Repeatability, and Efficacy
53:52
Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. …
Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language
51:12
Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cyb…
Justin Collins -- Enabling the Business to Move Faster, Securely
47:19
Justin Collins of Gusto joins Robert and Chris for a practical conversation about running security teams in an engineering-minded organization. Justin shares his experience leading product security teams, the importance of aligning security with business goals, and the challenges arising from the intersection of product security and emerging techno…
Kyle Kelly -- The Dumpster Fire of Software Supply Chain Security
41:17
Kyle Kelly joins Chris to explore the wild west of software supply chain security. Kyle, author of the CramHacks newsletter, sheds light on the complicated and often misunderstood world of software supply chain security. He brings unique insights into the challenges, issues, and potential solutions in this constantly growing field. From his experie…
Chris Hughes, co-founder of Aquia, joins Chris and Robert on the Application Security Podcast to discuss points from his recent book Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, co-authored with Tony Turner. The conversation touches on the U.S. government in the software supply chain, the definition and benef…
Jay Bobo & Darylynn Ross -- App Sec Is Dead. Product Security Is the Future.
52:25
Jay Bobo and Darylynn Ross from CoverMyMeds join Chris to explain their assertion that 'AppSec is Dead.' They discuss the differences between product and application security, emphasizing the importance of proper security practices and effective communication with senior leaders, engineers, and other stakeholders. Jay proposes that product security…