Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
Chris Romeo is going on a journey. A journey to understand threat modeling at the deepest levels. He thought he understood threat modeling but realized he could go deeper. Chris shares his findings and talks with some of the best-known experts in the space to experience continuous learning. Join along for the ride -- you will learn something. Chris Romeo is the CEO of Devici (THE Threat Modeling Company) and a General Partner at Kerr Ventures.
Brett Crawley -- Threat Modeling Gameplay with EoP
45:28
Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with …
Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements
50:20
Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always…
Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question: is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on its size. Otaner introduces the co…
François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages
45:31
François Proulx shares his discovery of security vulnerabilities in build pipelines. François has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guida…
Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications
36:32
Steve Wilson, the author of ‘The Developer's Playbook for Large Language Model Security’, is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of activity at the intersection of AppSec, LLM, and AI. We discuss the biggest fears surrounding LLMs and AI, and exp…
Jeff Williams -- Application Detection & Response (ADR)
51:28
Jeff Williams, a renowned pioneer in the field of application security, is with us to discuss Application Detection and Response (ADR), detailing its potential to revolutionize security in production environments. Jeff shares stories from his career, including the founding of OWASP, and his take on security assurance. We cover many topics including:…
Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing
52:08
Phillip Wylie shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack and offer good advice on starting a career in cybersecurity. Phillip shares some insights from his book, ‘The…
Steve Springett -- Software and System Transparency
48:13
Steve Springett, an expert in secure software development and a key figure in several OWASP projects, is back. Steve unpacks CycloneDX and the value proposition of various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show, so we l…
Gavin Klondike -- Threat modeling for large language model applications
51:01
In this episode of the Threat Modeling Podcast, host Chris Romeo takes listeners on a journey through the intricate world of threat modeling. Joined by senior security consultant Gavin Klondike, the episode delves into Gavin's experiences and insights into threat modeling, particularly in the context of artificial intelligence and machine learning.…
Irfaan Santoe -- The Power of Strategy in AppSec
40:14
Irfaan Santoe joins us for an in-depth discussion on the power of strategy in Application Security. We delve into measuring AppSec maturity, return on investment, and communicating technical needs to business leaders. Irfaan shares his unique journey from consulting to becoming an AppSec professional, and addresses the gaps between CISOs and AppSec…
Andrew Van Der Stock -- The New OWASP Top Ten
51:51
Andrew Van Der Stock, a leading web application security specialist and executive director at OWASP, joins us for this episode. We discuss the latest with the OWASP Top 10 Project, the importance of data collection, and the need for developer engagement. Andrew gives us the methodology behind building the OWASP Top 10, the significance of framework s…
Derek Fisher -- Hiring in Cyber/AppSec
1:01:45
Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience, is back on the podcast. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of entry-level roles in the industry. We discuss the value of certifications, the necessity of lifelong learnin…
Tanya Janca, also known as SheHacksPurple, discusses secure guardrails, the difference between guardrails and paved roads, and how to implement both in application security. Tanya is an award-winning public speaker, head of education at Semgrep, and the best-selling author of ‘Alice and Bob Learn Application Security’. Tanya shares her insights o…
Jahanzeb Farooq -- Launching and executing an AppSec program
49:44
Jahanzeb Farooq discusses his journey in cybersecurity and the challenges of building AppSec programs from scratch. Jahanzeb shares his experience working in various industries, including Siemens, Novo Nordisk, and Danske Bank, highlighting the importance of understanding developer needs and implementing the right tools. The conversation covers the…
David Quisenberry -- Building Security, People, and Programs
56:54
David Quisenberry shares his journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making. The conversation delves into the value of mentoring and why it's important to build real relationships with the people you work with, the vital role of trust wit…
Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People
46:14
Matt Rose, an experienced technical AppSec testing leader, discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security and explores how different perceptions affect its understanding. Matt provides insights into the XZ compromise, critiques the buzzword 'shift left…
James Berthoty -- Is DAST Dead? And the future of API security
44:56
James Berthoty, a cloud security engineer with a diverse IT background, discusses his journey into application and product security. James highlights his career trajectory from IT operations to cloud security, his experiences with security tools like Snyk and StackHawk, and the evolving landscape of Dynamic Application Security Testing (DAST) and A…
Mark Curphey and Simon Bennetts -- Riding the Coat Tails of ZAP, without Open Source Funding
42:32
Mark Curphey and Simon Bennetts join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP. Curphey talks about going fully independent and building a non-profit, sustainable model for ZAP. The key is getting companies in the industry, especially companies commercializing ZAP, to prop…