))
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
…
continue reading
1
Brad Geesaman - Redefining AppSec with AI: Shrinking Toil, Expanding Impact - How LLMs are able to reduce toil in triage-heavy AppSec workflows
42:19
42:19
Afspil senere
Afspil senere
Lister
Like
Liked
42:19
Brad Geesaman, Principal Security Engineer at Ghost, joins the podcast today to explore how AI and large language models are transforming the world of application security. The discussion starts with the concept of "toil"—the repetitive, exhausting work that drains AppSec teams as they struggle to keep up with mountains of security findings and ale…
…
continue reading
1
OWASP Candidate Debate - 2025 Edition
1:08:09
1:08:09
Afspil senere
Afspil senere
Lister
Like
Liked
1:08:09
In this special episode of the Application Security Podcast we meet nine of the OWASP Board of Directors candidates. Each candidate discusses their unique qualifications, experiences, and vision for OWASP's future. Topics include enhancing OWASP's impact, improving outreach and education, securing funding, and engaging local chapters. Don't miss th…
…
continue reading
1
Francesco Cipollone - Agentic AI Manifesto
33:19
33:19
Afspil senere
Afspil senere
Lister
Like
Liked
33:19
Francesco Cipollone, the CEO of Phoenix Security, shares his extensive experience in AI and security, discussing the crucial difference between true AI agents and glorified chatbots. Learn why Phoenix Security utilizes six different LLMs instead of a single super agent. Understand the sobering economics behind AI implementation and the importance o…
…
continue reading
1
Simon Gibbs & Devika Gibbs -- Building Bridges with Games
36:03
36:03
Afspil senere
Afspil senere
Lister
Like
Liked
36:03
Simon and Devika Gibbs, the innovative minds behind Cybersec Games, join us on the episode today. Discover how the Gibbs duo are revolutionizing the way we teach and learn security concepts through interactive gaming. Learn about their journey from developing stationary for agile teams to delving into the world of threat modeling games like Elevati…
…
continue reading
1
Akansha Shukla - Modern AppSec: Securing APIs with Threat Modeling and DevSecOps
35:35
35:35
Afspil senere
Afspil senere
Lister
Like
Liked
35:35
Our guest today is Akansha Shukla, an information security professional with over 10 years of experience in application security, DevSecOps, and API security. We’re discussing why API security remains one of the least mature areas of AppSec today and exploring the challenges developers face when securing APIs. Akansha shares her insights on incorpo…
…
continue reading
The European Union's Cyber Resilience Act is set to revolutionize how we approach product security worldwide. In this episode, we sit down with application security expert Nariman Aga-Tagiyev to break down everything you need to know about this legislation. Nariman has over 20 years of software development experience and today he’s sharing his expe…
…
continue reading
1
Marisa Fagan - Measuring Security Culture
50:05
50:05
Afspil senere
Afspil senere
Lister
Like
Liked
50:05
Marisa Fagan, Head of Product at Katilyst and veteran security culture expert joins us today to share practical strategies for building and scaling security champions programs that actually work, from designing effective pilots to avoiding common pitfalls that can derail your initiatives. Learn how to motivate developers using the SAPs model (Statu…
…
continue reading
1
Aram Hovsepyan -- Your Security Dashboard is Lying to You: The Science of Metrics
40:52
40:52
Afspil senere
Afspil senere
Lister
Like
Liked
40:52
Aram Hovsepyan joins the podcast today to chat about the misconceptions behind common security metrics. Aram tells us how total vulnerability counts and CVSS scores can be misleading and he introduces us to the Goal Question Metric framework, this framework is a better approach to building truly effective security dashboards. Learn about the critic…
…
continue reading
1
Sean Varga -- OWASP Top 10 for AppSec Sales
47:13
47:13
Afspil senere
Afspil senere
Lister
Like
Liked
47:13
We’re discussing the intersections of application security (AppSec) and sales strategy with our guest, Sean Varga. Sean shares the unique challenges and best practices in AppSec sales, like the importance of empathy, understanding customer needs, and community participation. Learn about the OWASP top 10 for AppSec Sales and discover how to achieve …
…
continue reading
1
Sarah-Jane Madden -- What AI means for AppSec
37:59
37:59
Afspil senere
Afspil senere
Lister
Like
Liked
37:59
Sarah Jane Madden joins us to discuss the evolving role of AI in software development. We reflect on the changes and challenges posed by AI, including the potential for over-reliance and the misconception that traditional software engineering practices like the SDLC are obsolete. The conversation explores the nuances of AI-generated code, emphasizi…
…
continue reading
1
Dag Flachet -- Kaizen for your Appsec Program
35:54
35:54
Afspil senere
Afspil senere
Lister
Like
Liked
35:54
Dag Flachet joins us to discuss the concept of Kaizen and its application in improving application security. Dag shares his journey into the world of security, emphasizing the importance of iterative, small-step improvements. The conversation delves into how organizations can effectively implement maturity models to enhance their security programs,…
…
continue reading
1
Javan Rasokat and Andra Lezza -- When Chatbots Go Rogue - Lessons Learned from Building and Defending LLM Applications
47:31
47:31
Afspil senere
Afspil senere
Lister
Like
Liked
47:31
Andra Lezza and Javan Rasokat discuss the complexities of securing AI and LLM applications. With years of experience in Application Security (AppSec), Andra and Javan share their journey and lessons from their DEF CON talk on building and defending LLMs. They explore critical vulnerabilities, prompt injection, hallucinations, and the importance of …
…
continue reading
1
Jim Routh -- The CISO Transition to the rest of life
49:36
49:36
Afspil senere
Afspil senere
Lister
Like
Liked
49:36
Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and admires, doing only work he finds fulfilling, and controlling when he works. He shares valuable lessons lea…
…
continue reading
1
Henrik Plate -- OWASP Top 10 Open Source Risks
38:26
38:26
Afspil senere
Afspil senere
Lister
Like
Liked
38:26
Henrik Plate joins us to discuss the OWASP Top 10 Open Source Risks, a guide highlighting critical security and operational challenges in using open source dependencies. The list includes risks like known vulnerabilities, compromised legitimate packages, name confusion attacks, and unmaintained software, providing developers and organizations a fra…
…
continue reading
1
Tanya Janca -- A Secure SDLC from a Developer's Perspective
48:54
48:54
Afspil senere
Afspil senere
Lister
Like
Liked
48:54
Security expert Tanya Janca discusses her new book "Alice and Bob Learn Secure Coding" and shares insights on making security accessible to developers. In this engaging conversation, she explores how security professionals can better connect with developers through threat modeling, maintaining empathy, and creating inclusive learning environments. …
…
continue reading
1
Mehran Koushkebaghi -- Security as a Systemic Concern: How to develop Anti-Requirements
45:08
45:08
Afspil senere
Afspil senere
Lister
Like
Liked
45:08
Mehran Koushkebaghi, a seasoned engineering expert, delves into the intricacies of systemic security. He draws parallels between civil engineering and IT systems, and explains the importance of holistic thinking in security design. Discover the difference between semantic and syntactic vulnerabilities and understand how anti-requirements play a cri…
…
continue reading
1
Kalyani Pawar -- Shaping AppSec at Startups
39:52
39:52
Afspil senere
Afspil senere
Lister
Like
Liked
39:52
Kalyani Pawar shares critical strategies for integrating security early and effectively in AppSec for startups. She recommends that startups begin focusing on AppSec around the 30-employee mark, with an ideal ratio of one AppSec professional per 10 engineers as the company grows. Pawar emphasizes the importance of building a security culture throug…
…
continue reading
Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landscape, and they're valuable for career advancement and securing resources. We discuss metrics categories and…
…
continue reading
1
MO Sadek -- Building an AppSec Program from Scratch
48:50
48:50
Afspil senere
Afspil senere
Lister
Like
Liked
48:50
Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by d…
…
continue reading
1
Brett Crawley -- Threat Modeling Gameplay with EoP
45:28
45:28
Afspil senere
Afspil senere
Lister
Like
Liked
45:28
Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with …
…
continue reading
1
Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements
50:20
50:20
Afspil senere
Afspil senere
Lister
Like
Liked
50:20
Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always…
…
continue reading
Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question, is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on their size. Otaner introduces the co…
…
continue reading
1
François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages
45:31
45:31
Afspil senere
Afspil senere
Lister
Like
Liked
45:31
François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guida…
…
continue reading
1
Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications
36:32
36:32
Afspil senere
Afspil senere
Lister
Like
Liked
36:32
Steve Wilson, the author of 'The Developer's Playbook for Large Language Model Security’ is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of activity at the intersection of AppSec, LLM, and AI. We discuss the biggest fears surrounding LLMs and AI, and exp…
…
continue reading
1
Jeff Williams -- Application Detection & Response (ADR)
51:28
51:28
Afspil senere
Afspil senere
Lister
Like
Liked
51:28
Jeff Williams, a renowned pioneer in the field of application security is with us to discuss Application Detection and Response (ADR), detailing its potential to revolutionize security in production environments. Jeff shares stories from his career, including the founding of OWASP, and his take on security assurance. We cover many topics including;…
…
continue reading
