Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
Dustin Lehr -- Culture Change through Champions and Gamification
45:10
Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocat…
Francesco Cipollone -- Application Security Posture Management and the Power of Working with the Business
38:11
Francesco Cipollone, CEO of Phoenix Security, joins Chris and Robert to discuss security and explain Application Security Posture Management (ASPM). Francesco shares his journey from developer to cybersecurity leader, revealing the origins and importance of ASPM. The discussion covers the distinction between application security and product securit…
Mukund Sarma -- Developer Tools that Solve Security Problems
46:32
Mukund Sarma, the Senior Director for Product Security at Chime, talks with Chris about his career path from being a software engineer to becoming a leader in application security. He explains how he focuses on building security tools that are easy for developers to use and stresses the importance of looking at application security as a part of the…
Meghan Jacquot -- Assumed Breach Red Team Engagements for AppSec
40:55
AppSec specialist Meghan Jacquot joins Chris and Robert for a compelling conversation about community, career paths, and productive red team exercises. Meghan shares her unique cybersecurity origin story, tracing her interest in the field from childhood influences through her tenure as an educator and her formal return to academia to pivot into a tec…
Bill Sempf -- Development, Security, and Teaching the Next Generation
39:44
Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, leading to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's pre…
Hendrik Ewerlin -- Threat Modeling of Threat Modeling
33:50
Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words,…
Jason Nelson -- Three Pillars of Threat Modeling Success: Consistency, Repeatability, and Efficacy
53:52
Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. …
Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language
51:12
Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cyb…
Justin Collins -- Enabling the Business to Move Faster, Securely
47:19
Justin Collins of Gusto joins Robert and Chris for a practical conversation about running security teams in an engineering-minded organization. Justin shares his experience leading product security teams, the importance of aligning security with business goals, and the challenges arising from the intersection of product security and emerging techno…
Kyle Kelly -- The Dumpster Fire of Software Supply Chain Security
41:17
Kyle Kelly joins Chris to explore the wild west of software supply chain security. Kyle, author of the CramHacks newsletter, sheds light on the complicated and often misunderstood world of software supply chain security. He brings unique insights into the challenges, issues, and potential solutions in this constantly growing field. From his experie…
Chris Hughes, co-founder of Aquia, joins Chris and Robert on the Application Security Podcast to discuss points from his recent book Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, co-authored with Tony Turner. The conversation touches on the U.S. government in the software supply chain, the definition and benef…
Jay Bobo & Darylynn Ross -- App Sec Is Dead. Product Security Is the Future.
52:25
Jay Bobo and Darylynn Ross from CoverMyMeds join Chris to explain their assertion that 'AppSec is Dead.' They discuss the differences between product and application security, emphasizing the importance of proper security practices and effective communication with senior leaders, engineers, and other stakeholders. Jay proposes that product security…
Eitan Worcel -- Is AI a Security Champion?
48:41
Eitan Worcel joins the Application Security Podcast to talk about automated code fixes and the role of artificial intelligence in application security. We start with a thought-provoking discussion about the consistency and reliability of AI-generated responses in fixing vulnerabilities like Cross-Site Scripting (XSS). The conversation highlights a futur…
Bjorn Kimminich, the driving force behind the OWASP Juice Shop project, joins Chris and Robert to discuss all things Juice Shop. The OWASP Juice Shop is a deliberately vulnerable web application that serves as an invaluable training tool for security professionals and enthusiasts. Bjorn provides a comprehensive overview of the latest features and c…
Arshan Dabirsiaghi -- Security Startups, AI Influencing AppSec, and Pixee/Codemodder.io
57:36
Arshan Dabirsiaghi of Pixee joins Robert and Chris to discuss startups, AI in appsec, and Pixee's Codemodder.io. The conversation begins with a focus on the unrealistic expectations placed on developers regarding security. Arshan points out that even with training, developers may not remember or apply security measures effectively, especially in co…
Dr. Jared Demott -- Cloud Security & Bug Bounty
44:29
Chris and Robert are thrilled to have an insightful conversation with Dr. Jared Demott, a seasoned expert in the field of cybersecurity. The discussion traverses a range of topics, from controversial opinions on application security to the practical aspects of managing bug bounty programs in large corporations like Microsoft. We dive into the techn…
Katharina Koerner -- Security as Responsible AI
50:40
Dr. Katharina Koerner, a renowned advisor and community builder with expertise in privacy by design and responsible AI, joins Chris and Robert to delve into the intricacies of responsible AI in this episode of the Application Security Podcast. She explores how security intersects with AI, discusses the ethical implications of AI's integration into …