
The Boring AppSec Podcast

Shows

The Elephant in AppSecThe Elephant in AppSecWhy AppSec isn’t just for tech — Surprising Insights ⎜ Olga DzięgielewskaToday, I’m joined by Olga Dzięgielewska, Senior Manager of InfoSec Application Security at Philip Morris International. With over 10 years of experience in secure code reviews, a PhD in IT Security, and now leading global AppSec teams, Olga specializes in secure development practices, IT assurance, ethical hacking, API security and SAP security, driving security initiatives across multiple international locations.In this episode, we tackle common misconceptions about application security and exploring the unique challenges faced by the manufacturing sector compared to tech companies.We also discuss how to ensure a seamless dig...2025-06-1739 minThe Elephant in AppSecThe Elephant in AppSecAre Traditional WAFs Dead? The Impact of OpenAPI Specs on Web Security with Nathan ByrdToday, I’m joined by Nathan Byrd, a Principal AppSec Architect at Applied Systems. Nathan’s journey is truly unique: before joining Applied Systems, he spent an impressive 24 years at Mastercard, where he rose from a software engineer to a Principal AppSec Architect. That’s the longest tenure we’ve seen from anyone on the podcast!Nathan is passionate about building things, whether it’s his early days as an internet fan, building projects with Raspberry Pi Pico, or more recently, creating OAShield (away shield). This open-source project helps generate WAF config files based on OpenAPI specs, which we dive into...2025-06-0640 minThe Elephant in AppSecThe Elephant in AppSecFinding AppSec tools that developers love — is it possible? with Linda FayToday I’m joined by Linda Fay, a seasoned leader in Application Security with over 13 years of experience. She’s led large-scale security programs, most recently as Director of Product Security Engineering, where she secured thousands of applications and delivered major cost savings. 
Now working as an independent consultant, she helps organizations improve their AppSec posture and explore the intersection of AI and security. Linda also leads the OWASP Nashville chapter and is deeply involved with WiCyS, mentoring the next generation of women in cybersecurity.In this episode, we dive into whether it’s possible to find AppSec tools that d...2025-05-3032 minThe Elephant in AppSecThe Elephant in AppSecCompliance in Cyber: Can Regulation and Innovation coexist?⎜Chris HughesToday, I’m joined by Chris Hughes, the CEO & Co-Founder of Aquia, a cybersecurity consulting firm supporting secure digital transformation for U.S. federal, state, and defense agencies. He previously served as a Cyber Innovation Fellow at CISA.Chris is also the co-author of Software Transparency and Effective Vulnerability Management (Wiley) books, and hosts the Resilient Cyber podcast and Substack. He's also a frequent speaker and commentator on AppSec, software supply chain security, and DevSecOps.In this episode, we unpack why compliance doesn’t equal security- but in its absence, the state of cybersecurity would be worse. We explore how...2025-05-2338 minCloud Security PodcastCloud Security PodcastRSA Conference 2025 Recap: Top Themes, Actionable Insights & Future TrendsDive deep into the key takeaways from RSA Conference 2025 with our expert panel! 
Join Ashish Rajan, James Berthoty, Chris Hughes, Tanya Janca, and Francis Odum as they dissect the biggest trends, surprises, and "hot takes" from one of the world's largest cybersecurity events.In this episode, we cover:Initial reactions and the sheer scale of RSA Conference 2025.Major themes: AI's impact on cybersecurity, especially AppSec, vendor consolidation, the evolution of runtime security, and more.The rise of AI-native applications and how they're reshaping the landscape.Deep dives into Application Security (AppSec), secure coding with AI, and...2025-05-0953 minThe Elephant in AppSecThe Elephant in AppSecDAST Tools: Can We Change the AppSec Community Perception? with Chris LindseyToday, I’m joined by Chris Lindsey, who, at the time of recording, was an AppSec Evangelist at Mend. Formerly an AppSec Architect, Chris brings over 15 years of direct security experience and more than 35 years of leadership in programming, software, solutions, and security architecture.For several years, Chris built and led an entire application security program, including oversight of security processes, procedures, tools, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.Chris also is a seasoned speaker and the host of the Secrets of AppSec Champions podcast.In this ep...2025-04-1040 minThe Elephant in AppSecThe Elephant in AppSecHow Psychology Really Shapes AppSec Wins & Fails ⎢ Curtis KoenigToday, I’m joined by Curtis Koenig, a seasoned application security leader managing AppSec programs for global brands. At Gen Inc., he secures all products through CI/CD integration, secure coding, and a bug bounty program. Previously, at Booking.com and Snap Inc., he scaled security operations, enhanced authentication systems, and streamlined compliance processes. 
With expertise in secure development and threat modeling, Curtis is a recognized authority in enterprise application security.In this episode, we explore how insights from neuroscience align with the decisions developers and security professionals make about securing applications. We also discuss how storytelling through metrics ca...2025-03-2850 minThe Elephant in AppSecThe Elephant in AppSecThe Open Source Security Crisis: Is Trust the Weakest Link in Supply Chain? with François ProulxWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the roomToday, I’m joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement.He’s also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out...2025-03-1944 minThe Elephant in AppSecThe Elephant in AppSecAre we truly managing Third-Party risks, or just playing security theater? ⎢Rachel CurranWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the roomToday, I’m joined by Rachel Curran, co-founder and CEO of Locktivity—a third-party risk management platform. She’s also the former Director of Risk and Compliance and Head of Infosec at Logik Systems.With over a decade of experience leading security and GRC initiatives, Rachel has built SOC 2 and security programs from the ground up, helping companies achieve security maturity. She’s also a frequent speaker at security conferences about this topic. Beyond her work in cybersecurity, Rachel co-hosts @shedoest...2025-03-1450 minThe Elephant in AppSecThe Elephant in AppSecHyped or Helpful? 
The Truth About Reachability & Developer Buy-In ⎢ Nir ValtmanWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.Today, I’m joined by Nir Valtman, CEO & co-founder of Arnicaan ASPM platform with a pipelineless approach. Before founding Arnica, Nir led product and data security at Finastra, established security at Kabbage as CISO, and headed application security at NCR. He’s also a well-known speaker at top security conferences, including Black Hat, Defcon, RSA, BSides, and OWASP.In this episode, we unpack the reachability hype-why every vend...2025-03-0642 minThe Elephant in AppSecThe Elephant in AppSecDevSecOps vs. Reality: What You REALLY Need to Succeed!Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.Today, I’m joined by Iman Ilbag, a DevSecOps Engineer at KPN, one of the leading telecom providers in the Netherlands.Previously, as the sole DevSecOps Engineer at Snappfood, he secured 70+ projects and trained hundreds of security champions. Iman transitioned from engineering to DevOps and Application Security, and has also worked on penetration testing and infrastructure security for both startups and larger enterprises.He’s passionate about security automation and open-source security, always look...2025-02-2838 minThe Elephant in AppSecThe Elephant in AppSecUnpacking Opengrep—A Deep Dive with Its Backing TeamsWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.Recently, Opengrep made headlines as a new open-source project based on a fork of Semgrep Community Edition, with the goal of democratizing SAST.As you know, I'm always ready to dive into controversial topics on The Elephant in AppSec, and this episode is no exception. But before we jump in, full disclosure: I’m staying neutral in this conversation. 
I’ve had the privilege of collaborating with incredible people on both sides of the discussion, and I’m here to exp...2025-02-1933 minThe Elephant in AppSecThe Elephant in AppSecIs There a Secret to Mastering Threat Modeling at Scale? Ashwini Siddhi (GoDaddy)Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.Today, I’m thrilled to be joined by Ashwini Siddhi, Director, Security Engineering at GoDaddy. With a background in electronics engineering, Ashwini discovered her true passion in cybersecurity and has since become a distinguished leader in the AppSec space. Her expertise spans multiple domains, with Threat Modeling standing out as a key area of specialization.Recently elected to the OWASP Foundation’s Board of Directors, Ashwini is not just a technical expert—she’s...2025-02-1441 minThe Elephant in AppSecThe Elephant in AppSecCan You Really Quantify AppSec ROI? Here’s the Truth! ⎜Irfaan SantoeWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m joined by Irfaan Santoe, a seasoned security leader who has worn many hats—from CISO to Global Head of Application Security, and now Founder and CTO of RiskApp. Beyond his leadership roles, Irfaan is a dedicated community builder. He leads the OWASP Netherlands Chapter, created the OWASP Security Champions Guide, and co-hosts the re:invent security podcast, a live in-person show where industry leaders share how they’re reshaping security. In this episode, we tac...2025-02-0353 minThe Elephant in AppSecThe Elephant in AppSecHow to Fix API Security Before It’s Too Late ⎜ Confidence StaveleyWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m joined by a true force in cybersecurity. 
With over a decade of experience, Confidence Staveley has dedicated her career to helping organizations build secure, innovative products. She’s the founder of MerkleFence, where she serves as Director of Application Security for various companies, and the author of the Amazon bestseller API Security for White Hat Hackers. Confidence is known for making cybersecurity concepts accessible to diverse audiences, as seen in her popular YouTube series, "API Kitchen" ‪@SisiNe...2025-01-2846 minThe Elephant in AppSecThe Elephant in AppSecThe Untold Benefits of Continuous Threat Modeling You Didn’t Know About ⎜Izar TarandachWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.  Today, I’m joined by Izar Tarandach, a Senior Product Security Architect with extensive security experience at Datadog, Squarespace, and several other companies. Izar is also a renowned speaker and the co-author of Threat Modeling: A Practical Guide for Development Teams by O'Reilly. He’s a member of the Threat Modeling Manifesto Group and the leader behind the OWASP pytm Pythonic framework for threat modeling tool. Izar is also a fellow podcaster, and I hope we ge...2025-01-2042 minThe Elephant in AppSecThe Elephant in AppSecWhat does “collaborate with engineering” actually mean in AppSec? ⎜Koen Hendrix (Zendesk)Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m joined by Koen Hendrix, Director of Product Security at Zendesk. With over a decade of experience in the tech and gaming industries, Koen has been instrumental in building and scaling global security teams, integrating security into agile environments, and driving innovation in product security processes. Known for fostering strong relationships with global Product and Engineering leaders, he brings a wealth of expertise to today’s conversation. 
In this episode we discuss why non-negotiable security practices must be c...2025-01-1546 minThe Elephant in AppSecThe Elephant in AppSecIs your organization mature enough for its first AppSec hire?⎢Akira BrandToday, I'm joined by Akira Brand, the AVP of Application Security at PRA Group. With nearly five years of experience in the security space, Akira has a diverse background, starting as a Developer Relations Engineer and transitioning into an Application Security role. Passionate about education and Infosec, Akira has established herself as a distinguished public speaker, co-hosting the AppSec Weekly Podcast for several years and sharing her expertise as a cybersecurity instructor at Katilyst.  Akira is also a professional opera singer. You can hear her singing at her Elephant in AppSec conference talk!  ...2024-12-2451 minThe Elephant in AppSecThe Elephant in AppSecAre we overlooking Kubernetes security in the race to deploy applications - Raunaq AroraWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we’re joined by Raunaq Arora, Lead Application Security Engineer at Chipotle. Raunaq’s journey into security was almost accidental, starting as a developer who quickly developed a knack for breaking and building secure applications. Now, his expertise lies in securing Kubernetes environments at scale and aligning security strategies with business priorities. Last year, he took the RSA Conference stage to share how his team built a secure Kubernetes environment by integrating CIS controls into SDLC pipelines—turning securi...2024-12-1945 minThe Elephant in AppSecThe Elephant in AppSecIs it actually realistic to see everyone as the greatest ally in security? - Alina YakubenkoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m excited to have Alina Yakubenko on the show. 
Alina, Senior Application Security Engineer at Toast, Inc and former developer and QA Engineer., is dedicated to empowering developers to integrate security into their everyday practices. Passionate about building a culture of security awareness, she works to ensure that security is a core component of development processes, helping teams build safer, more resilient applications. In this episode, we dive into a thought-provoking question: is it truly realistic to se...2024-12-1655 minThe Elephant in AppSecThe Elephant in AppSecCan DevSecOps Maturity Models Fail? The Hidden Gaps in AppSec Programs ⎜Timo PagelWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m thrilled to welcome a true expert in DevSecOps, Timo Pagel! With over 20 years of experience in security strategy, web development, and DevSecOps architecture, Timo brings a wealth of knowledge to the table. As a freelance consultant and university lecturer, he’s passionate about training the next generation of AppSec professionals while actively contributing to the Open Source community as the leader of the OWASP DevSecOps Maturity Model (DSOMM) project: https://dsomm.owasp.org/ In this episode, Timo...2024-12-1143 minThe Elephant in AppSecThe Elephant in AppSecRisk, Product Management, and Supply Chain Security: Is There a Connection? ⎜Jesus CuadradoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m thrilled to welcome Jesus Cuadrado to the show! Jesus is the Chief Product Officer at Xygeni, an ASPM platform focused on improving software supply chain security. With over a decade of experience in product management, he’s now leading the charge in creating user-friendly security tools while tackling critical challenges like ensuring reliable software updates and integrating zero-trust principles into product strategies. 
In this episode, we’ll dive into the intersection of produc...2024-12-0449 minThe Elephant in AppSecThe Elephant in AppSecHow hard is it to make DevSecOps work in a Hybrid Cloud? ⎜Michael TayoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m thrilled to welcome Michael Tayo to the show! As the Information Security Lead at EDX Markets, Michael advises C-suite leaders and drives strategies to protect critical infrastructure in institutional crypto markets. With prior roles in Financial Services and Tempus AI, Michael brings a wealth of experience in cloud security and risk management. He’s also the founder of CyberSHIELD, a platform empowering security professionals with training and resources, and The Ghetto Flower, a creative agency uplifting unde...2024-12-0249 minThe Elephant in AppSecThe Elephant in AppSecIs It Possible to Maximize the Effectiveness of Security Champions? ⎜ Magdalena ModricWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m thrilled to welcome Magdalena Modric to the show! Magdalena is an AppSec Program Strategist at Secure Code Warrior, where she’s been empowering developers in the German-speaking market to build secure applications since 2018. Beyond her professional expertise, Magdalena is also a talented violinist—a wonderful reminder of how many AppSec professionals channel their passion into music and creativity outside of work. In this episode, Magdalena and I dive into the critic...2024-11-2546 minThe Elephant in AppSecThe Elephant in AppSecHacker Turned Policy Builder: What They Don’t Want You to KnowWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m thrilled to welcome Patrick Mathieu to the podcast! 
Patrick is currently a Senior Manager of Product Security at DoorDash, but his impact on the cybersecurity world spans years.  Fifteen years ago, he founded Hackfest.ca, Canada's largest bilingual infosec conference and hacking community. Beyond Hackfest, Patrick is a sought-after speaker at cybersecurity conferences worldwide and the host of Securite.fm, a popular podcast on all things sec...2024-11-1555 minThe Elephant in AppSecThe Elephant in AppSecWhy Is Transforming Company Culture for Product Security So Challenging? ⎜ Ariel ShinWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m super excited to have Ariel Shin on the podcast! Ariel started as a pentester, moved into appsec, and now she’s a Security Engineering Manager at Datadog. Before that, she led the Product Security team at Twilio, where she led an effort to democratize vulnerability management across the company, which had a significant impact on reducing risk. She’s also a regular speaker at conferences, and I actually got to meet her in per...2024-10-3047 minThe Elephant in AppSecThe Elephant in AppSecThe API Governance Problem: Why Your API Security Is at Risk (And How to Fix It) ⎜Akansha ShuklaWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m excited to welcome Akansha Shukla, a cybersecurity expert with over 10 years of experience, currently specializing in API security at ABN AMRO, one of the largest banks in the Netherlands. Akansha has a strong background in application security, DevSecOps, threat modeling, and vulnerability assessments. Beyond her work at the bank, Akansha enjoys sharing her knowledge and runs her own blog focused on API security. She’s also a no...2024-10-2342 minThe Elephant in AppSecThe Elephant in AppSecAI Chatbots: Security Disaster or Can We Build Them Securely? 
⎜Ante Gojsalic & Benjamin DulieuWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I have two incredible guests with me: Ante Gojsalic and Benjamin Dulieu. Ben is a Chief Information Security Officer at Duck Creek Technologies, an Insurance SaaS provider supporting the end-to-end insurance process for many of the world’s largest carriers. A former U.S. Marine Corps Captain, Ben transitioned into cybersecurity leadership in 2016, leading Cyber and Technology Risk Management at Brown Brothers Harriman before taking on his current role, where he oversees cybersecurity, privacy, and IT infrastructure strategies. An...2024-10-1549 minThe Elephant in AppSecThe Elephant in AppSecOpen Source vs. Commercial Software: The Ultimate Showdown⎜Kyle KellyWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, my guest is Kyle Kelly, Tech Lead for Supply Chain Security Research at Semgrep and the founder of the CramHacks weekly newsletter. You can subscribe here 👉 cramhacks.com With a background in consulting and research, he specializes in supply chain security, using his expertise to shape the insights he shares. Through CramHacks, he empowers readers to take an active role in software security and deepen their understanding of supply chain vulnerabilities. In this episode, Kyle shares when you sho...2024-10-1048 minThe Elephant in AppSecThe Elephant in AppSecPrivacy vs. Application Security: Can They Truly Coexist? | Kim WuytsWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, my guest is Kim Wuyts, a leading privacy engineering expert with over 15 years of experience in security and privacy. 
Before joining PwC Belgium as Manager of Cyber & Privacy, Kim was a senior researcher at KU Leuven, where she led the development and extension of LINDDUN, a popular privacy threat modeling framework. Kim is also a co-author of the Threat Modeling Manifesto, program co-chair of the International Workshop on Privacy Engineering (IWPE), and a member of ENISA’s working gr...2024-10-0145 minThe Elephant in AppSecThe Elephant in AppSecFrom PhD to AppSec: How to Bridge the Gap Between Research & Security Tools | Diego SempreboniWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m joined by Diego Sempreboni, a Senior Application Security Engineer at Pleo. Diego earned his PhD in Computer Science, specializing in security, at King’s College London. After realizing his passion lay in solving real-world problems, he transitioned from academia to product and application security, gaining valuable experience in various fintech companies in the UK. In this episode, we discuss the key differences between academia and engineering in security and why vendors should focus on creating tools that...2024-09-2442 minThe Elephant in AppSecThe Elephant in AppSecAppSec for Startups: Critical or Overlooked? | Rob PicardWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, my guest is Rob Picard. Rob started his career as a pentester and went on to become an early security hire at both Robinhood and Vanta, where he helped establish scalable security programs. He is now leading Observa, a security consulting firm focused on helping startups build strong security foundations. Rob frequently participates in podcasts, sharing his expertise on how startups can develop security programs, often with an AppSec focus. 
In this episode, Rob discusses when startups should...2024-09-2049 minThe Elephant in AppSecThe Elephant in AppSecWhat are the risks associated with open source? | Kaiwen JiangWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, my guest is Kaiwen Jiang, an Application Security Engineer at a financial services company in the UK. Her primary areas of focus are . She was previously a cybersecurity consultant at Deloitte. Kaiwen also runs a blog, AppSec Kiki, where she shares her knowledge with the community, and she’s an active participant in London’s OWASP community meetups! In this first episode of Season 2, Kaiwen shared insights on why open-source security in the supply chain has become such a ho...2024-09-1239 minThe Elephant in AppSecThe Elephant in AppSecSeason 2 The Elephant in AppSec Podcast TrailerGet ready for more bold opinions starting next week! 🔥2024-09-0601 minThe OWASP Podcast SeriesThe OWASP Podcast Seriesep2024-08 OWASP Projects RoundupThe August episode is a review of projects from a recent OWASP project showcase. We talk to the leaders of the OWASP pytm, OWASP Developer Guide, OWASP State of AppSec Survey Project. Get up on the latest news and update on these OWASP projects. OWASP pytm: - https://owasp.org/www-project-pytm/ - https://github.com/izar/pytm OWASP Develper Guide: - https://owasp.org/www-project-developer-guide/ - https://github.com/OWASP/www-project-developer-guide OWASP AppSec Survey Project: - https://owasp.org/www-project-state-of-appsec-survey/2024-08-3036 minThe OWASP Podcast SeriesThe OWASP Podcast Seriesep2024-07 Safety belts for AppSec with Lisa PlaggemierAfter a long and unplanned pause, the OWASP podast is back with a home run of an episode. We have Lisa Plaggemier as our guest who reprises her eloquent keynote topic from AppSec DC. 
All hope isn't lost, we are making progress - just look at safety in the auto industry to understand where we are and where we're going. Links: Lisa's keynote from AppSec DC https://www.youtube.com/watch?v=Rirxc1OXR4Q&list=PLpr-xdpM8wG_3eyVQxB0oXqVJwlNKs85x&index=38&ab_channel=OWASPFoundation Kubikle web series https://kubikleseries.com/ Convene Seattle 2024 event https://staysafeonline.org/programs/events/convene-seattle-2024/2024-07-1232 minExpert Insights PodcastExpert Insights Podcast#39 - Finding The Right AppSec Solution (Frank Catucci, Invicti)Organizations should prioritize complete coverage, accurate results, and speed when choosing an application security (AppSec) solution, Frank Catucci, CTO at Invicti tells Expert Insights. Catucci is CTO at Invicti – an application security testing provider with more than 3,500 global clients. Guest: Frank Catucci, CTO at Invicti This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit podcasts.expertinsights.com2024-06-2524 minThe Elephant in AppSecThe Elephant in AppSecWe Don’t Let the Bad Guys Win: Is It Possible with All Third-Party Apps in Oil & Gas? ⎜Catharina "DD" BudihartoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.  Today, we have an amazing guest, Catharina "DD" Budiharto, joining us.  DD has extensive experience in cybersecurity, having worked for several years with multiple Oil and Gas companies. She also served as the chairperson for the American Petroleum Institute (API) IT Security Sub-Committee. Currently, DD is the founder of Cyberpoint Advisory, which offers Fractional CISO services to help SMBs protect their assets from cyber at...2024-06-2048 minThe Elephant in AppSecThe Elephant in AppSecWhy “shift-left” isn’t good enough ⎪Chris RomeoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. 
Today, we have an amazing guest, Chris Romeo, joining us. Chris has 26 years of experience in cybersecurity, having worked for 11 years at CISCO, founded his own security education company, Security Journey, and now Devici, an AI-infused collaborative threat modeling tool. Chris is a sought-after speaker at numerous global application security conferences. He is also the author of a weekly newsletter, The Reasonable AppSec, where he shares the top 5 security articles worth your time. Chris hosts not one but three...2024-06-0755 minThe Elephant in AppSecThe Elephant in AppSecWhat are the Non-Human Identity challenges? ⎪Andrew Wilder and Amir ShakedWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. We have two incredible guests with us: Andrew Wilder and Amir Shaked. Andrew is the Retained Chief Security Officer at Community Veterinary Partners and the former Regional CISO for Nestle, where he spent 18 years shaping cybersecurity across the Americas, Asia, and Europe. Amir is the VP of Research and Development at Oasis Security, specializing in Non-Human Identity Management. With a background in software development, Amir transitioned to cybersecurity, contributing to companies like PerimeterX and Human in R&D and...2024-05-2344 minThe Elephant in AppSecThe Elephant in AppSecAPI Security: Are Vendors Just Blowing Smoke? ⎪David HomoneyWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we have an amazing guest, David Homoney, join us. David is the newly appointed Sales Engineer at Apiiro. Before stepping into this role, he made significant contributions as a Technical Solutions Architect II for Application, API, and Workload Security at World Wide Technology (WWT), a leading global technology provider and integrator. 
With an impressive 30-year career in network and system administration, David has established himself as one the strong voices in the field of API security. He's not...2024-05-2157 minThe Boring AppSec PodcastThe Boring AppSec PodcastS1E10 - Future Security PredictionsWelcome to the Boring AppSec Podcast! In Episode 10, we discuss some security predictions that we hope to see in the near future. Some of them are: AI agents - different kinds - activity based and/or persona based Security talent is going to get better, hiring is important AI powered security engineers - up leveling junior engineers AI code review assistants - GPT4-o et al Company consolidations happening in the security industry - D&R space ASPM predictions and how AI agents will help evolve this space CISA’s guidance on building secure by default frameworks Automated re...2024-05-2050 minThe Boring AppSec PodcastThe Boring AppSec PodcastS1E09 - IncidentsWelcome to the Boring AppSec Podcast! In Episode 9, we discuss incidents. Both Sandesh and I share 2 incidents each and the lessons learnt from them. Tune in! 
References mentioned in the episode: Log4j - https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance Incident runbook - https://engineering.razorpay.com/how-an-incident-transformed-razorpay-improving-the-5-why-rca-format-378de299b9a2 Contacting Anshuman LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠⁠⁠⁠⁠⁠  Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠⁠⁠⁠⁠⁠  Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠⁠⁠⁠⁠⁠ Instagram: ⁠⁠⁠⁠⁠⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠⁠⁠⁠⁠⁠  YouTube: ⁠⁠⁠⁠⁠⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠⁠⁠⁠⁠⁠    Contacting Sandesh LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠⁠⁠⁠⁠⁠  Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠⁠⁠⁠⁠⁠  Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https:/2024-05-1337 minThe Elephant in AppSecThe Elephant in AppSecThe Truth About Software Supply Chain Risks ⎪Cassie CrossleyWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we’re excited to have an amazing guest, Cassie Crossley, join us. Cassie is the Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric. Starting from a development background, she moved through different roles like technical support, technical documentation, and software development project management. She led compliance, policy, and governance and gradually transitioned into her high-level Product security role. Cassie is also the author of the Software Supply Chain security book that ha...2024-05-1047 minThe Elephant in AppSecThe Elephant in AppSecHow secure are your digital wallets? ⎪Max Imbiel (Bitpanda)Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Max Imbiel, join us. 
Max is the driving force behind “Ahead Security,” an agency specializing in vCISO activities, and currently serves as the CISO at BitPanda, an online crypto trading platform. Max’s career began in IT and software development and took him through various industries, with the last one being finance. His notable leadership roles include Deputy CISO at UniCredit Bank and, most recently, Deputy Group CISO at N26. Max is a... (2024-04-29, 52 min)

The Elephant in AppSec: How security research can earn you $20m in tokens ⎪Swan Beaujard
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Swan Beaujard, join us. Swan is a security software engineer at Escape, specializing in Dynamic Application Security Testing. He is a core contributor to a lot of open-source projects related to GraphQL security and is passionate about machine learning and reverse engineering. He presented his contributions and research at several international security conferences like BSides Oslo:
* BSides Oslo 2023
This year, Swan published his new research detailing scanning and analysis of the 1 million... (2024-04-29, 29 min)

The Boring AppSec Podcast: S1E08 - Bug Bounties Part 2
Welcome to the Boring AppSec Podcast! In Episode 8, we continue discussing bug bounties from where we left off in Episode 3. We discuss how to build mature bug bounty programs, how to start a program, how to convince stakeholders to start a program, differences and similarities between vulnerability disclosure programs and bug bounty programs among other things. Tune in!
Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* Twitter: https://twitter.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya/
* YouTube: https://www.youtube.com/@AnshumanBhartiya
Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* Twitter: https://twitter.com/JubbaOnJeans/
* Website:
(2024-04-22, 45 min)

The Boring AppSec Podcast: S1E07 - Hiring in Security
Welcome to the Boring AppSec Podcast! In Episode 7, we discuss how to hire the right security folks on a security engineering team. We go over the interviewing process, what to look out for, how to compose a team, and also share some of our experiences of interviewing including some tips on what a candidate can/should do if they want to get noticed by hiring managers and recruiters.
Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* Twitter: https://twitter.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya/
* YouTube: https://www.youtube.com/@AnshumanBhartiya
Contactin... (2024-04-15, 54 min)

The Elephant in AppSec: Securing cloud native applications: how hard is it? ⎪Mihir Shah
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Mihir Shah, join us. Mihir Shah is a Senior Staff Application Security Engineer at ForgeRock, specializing in architecting secure cloud-based Identity & Access Management services hosted using Kubernetes and Google Cloud Platform. He is also the author of the Cloud Native Software Security Handbook, a comprehensive guide on securing cloud-native applications and services.
... (2024-04-12, 56 min)

The Boring AppSec Podcast: S1E06 - Vulnerability Management
Welcome to the Boring AppSec Podcast! In Episode 6, we discuss the art of Vulnerability Management. What it means, what are some of the problems we've seen as practitioners, what are some ways we've considered to make the process of managing vulnerabilities easy.
References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)
* Gitlab's Security Handbook - https://handbook.gitlab.com/handbook/security/
Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* Twitter: https://twitter.com/anshuman_bh
* Website: https://ans... (2024-04-08, 56 min)

The Boring AppSec Podcast: S1E05 - Threat Modeling
Welcome to the Boring AppSec Podcast! In Episode 5, we dig deep into what threat modeling is from a practitioner's perspective. We compare it with design reviews and discuss when/how/why of threat modeling. In the end, we wrap up by talking about how Gen AI could help threat modeling significantly.
References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)
* Threat modeling manifesto - Threatmodelingmanifesto.org
* STRIDE framework - https://en.wikipedia.org/wiki/STRIDE_(security)
* Tools for threat modeling http... (2024-04-01, 1h 01)

The Elephant in AppSec: Are custom security tests a product security superpower? ⎜Keshav Malik (LinkedIn)
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Keshav Malik, join us. Keshav is a Senior Product Security Engineer at LinkedIn. With experience in information security and a passion for automation, Keshav brings a unique blend of expertise to the table.
Keshav is also a dedicated tech enthusiast and deeply passionate about contributing to the community. He actively writes custom security rules for various applications like Semgrep and has built several projects like QuickXSS, a bash script automating XSS... (2024-04-01, 23 min)

The Boring AppSec Podcast: S1E04 - Running a lean AppSec team
Welcome to the Boring AppSec Podcast! In Episode 4, we discuss how lean AppSec teams run and operate. We share our experiences of having worked in engineering heavy organizations where the "engineer : appsec-engineer" ratio is far from ideal and scaling the AppSec team becomes very important to be able to reasonably manage risk.
References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)
* Soft skills are important - https://www.softsideofcyber.com/
* Bhadra, the vulnerability management platform built and open sourced by Razor P... (2024-03-25, 1h 09)

The Elephant in AppSec: The art and science of product security ⎥Jacob Salassi (Snowflake)
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Jacob Salassi, join us. Jacob is the Director of Product Security and Regulatory Expansion at Snowflake, where he has played a pivotal role in guiding the company through its pre- and post-IPO phases. With over 15 years of experience, initially in software engineering before transitioning to security, Jacob is a sought-after speaker at numerous conferences and podcasts, sharing his wealth of insights with others. Jacob has a deep passion for cycling, and... (2024-03-21, 49 min)

The Boring AppSec Podcast: S1E03 - Bug Bounties
Welcome to the Boring AppSec Podcast! In Episode 3, we discuss all things bug bounties. The researcher side as well as the program owner's side. Enter at your own will as we have a lot of hot takes.
References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)
1. Bug Bounty Platforms
* Bugcrowd - https://www.bugcrowd.com/
* HackerOne - https://www.hackerone.com/
* Intigriti - https://www.intigriti.com/
* Synack - https://www.synack.com/
2. Vulnerability Disclosure Process - https://www.cisa.go... (2024-03-18, 1h 11)

The Boring AppSec Podcast: S1E02 - First Security Hire
Welcome to the Boring AppSec Podcast! In Episode 2, we discuss what a first security hire's responsibilities are. How do they prioritize? What do they prioritize?
References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)
* Building a product security program
* Some blogs on getting SOC2 certifications without too much red tape - RunReveal, Fly.io
* Tracking Meaningful Security Product Metrics
* Build vs Buy Framework
* OpenAI Sora
* LLM Agents Can Autonomously Hack Websites
* Arcanum Information Security
* SecGPT in https://chat.openai.com/gpts
Conta... (2024-03-11, 1h 07)

The Elephant in AppSec: Security Consultant vs. In-House Engineer: The Showdown⎜Ric Campo
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Ric Campo, join us. Ric started his cybersecurity journey in the Royal Australian Air Force. With a decade of dedicated experience as an Application Security Engineer and Penetration Tester, he currently serves as a Principal Security consultant at Galah Cyber. Ric also strongly believes in the power of the community in AppSec. He focuses on writing blogs that will help the community in the long term. He's also been an OWA... (2024-03-05, 40 min)

The Boring AppSec Podcast: S1E01 - Asset Inventory
Welcome to the Boring AppSec Podcast! In Episode 1, we discuss software inventories.
What they are, why we need them, and what are our favorite ways to build them.
References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)
* Cartography - https://github.com/lyft/cartography
* GenAI + Cartography: https://shinobi.security/#how-it-works and https://github.com/samvas-codes/cspm-gpt
* Commercial asset inventory mentioned on the show: https://www.jupiterone.com/
* Talk by Sandesh and Satyaki on automating asset inventory generation at Razorpay: https://www.youtube.com/watch?v=8q42... (2024-03-04, 44 min)

The Elephant in AppSec: Developers and security training: can they co-exist?⎜Laura Bell Main
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we’re excited to have an amazing guest, Laura Bell Main, join us. With over 20 years in software development and application security, Laura is the co-founder and CEO of SafeStack, an online education platform that offers secure development training for fast-moving companies. Laura is also a well-known keynote speaker and has spoken at high-profile events like BlackHat USA, NDC, and OSCON. With her love of speaking an... (2024-02-29, 33 min)

The Elephant in AppSec: Adversarial machine learning: what is it and are we ready? ⎜Anmol Agarwal
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Anmol Agarwal, join us. Anmol is a security researcher at Nokia, focused on securing AI and Machine Learning in 6G and securing 5G. She also holds a doctoral degree in cybersecurity analytics from George Washington University. Her research was focused on adversarial machine learning and Federated Learning.
Anmol is also an active speaker and has spoken at various conferences and events including SecureWorld, Pacific Hackers Conference, and Bridges in... (2024-02-23, 37 min)

The Elephant in AppSec: AppSec vendors and CISOs: a love - hate relationship? ⎜Olivia Rose
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, Olivia Rose. You can find Olivia on LinkedIn: https://www.linkedin.com/in/oliviaros... Olivia is an executive leader with more than 20 years of dedicated experience, having served as the former CISO at Amplitude and Mailchimp and currently as the Founder of the Rose CISO Group: https://www.rosecisogroup.com/ Her company offers virtual Chief Information Security Officer (CISO) services, boardroom and leadership communications, assessment services, keynote speaking, event presentations, and career... (2024-02-15, 52 min)

The Elephant in AppSec: Pentesting: What are the actual benefits?⎥Harsh Modi
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, Harsh Modi. You can find Harsh on LinkedIn: https://www.linkedin.com/in/neighborhoodpenetrationtester/ With over 8 years of dedicated experience as an Offensive Security Engineer and Penetration Tester, Harsh has honed an exceptional skill set in identifying and mitigating security vulnerabilities. Currently, he is an independent consultant and a Lead Security Architect at Bell. Harsh is also an enthusiastic security researcher and has presented his research at various conferences such as OWASP V... (2024-02-08, 54 min)

The Elephant in AppSec: Security champion program: A must or completely useless? ⎥Dustin Lehr
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we're joined by an amazing guest, Dustin Lehr. You can find Dustin on LinkedIn: https://www.linkedin.com/in/dustinlehr/ Dustin is an accomplished software engineer turned information security leader, currently serving as Senior Director of Platform Security / Deputy CISO at Fivetran. He possesses an enormous wealth of experience in application security and is a strong community leader, organizing the online meetup 'Let's Talk Software Security,' where everyone passionate about security can join for an open discussion. ... (2024-02-01, 45 min)

The Elephant in AppSec: Is Gen AI your new AppSec weapon?
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, Sandesh Mysore Anand. You can find Sandesh on LinkedIn: https://www.linkedin.com/in/anandsandesh/ With more than 12 years of experience in security and working as a head of security at Razorpay, India's leading financial platform for payments & banking, Sandesh is now a founder of Seezo, a Threat Modeling tool. Its goal is to solve product security problems using Gen AI. He is also the author of the 'Boring AppSec' newsletter, a... (2024-01-26, 35 min)

The Elephant in AppSec: Security training: Necessary investment or overrated expense?⎥Mel Reyes
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today we’re excited to have an amazing guest, Mel Reyes, joining us. Mel has navigated through two IPOs, three M&As, worked with several startups, Pepsi, Mercedes, and accumulated a bunch of patents along the way. With more than 30 years of experience in various leadership, advising, and coaching roles, he enjoys building and empowering security teams within organizations.
He's heavily invested in the cybersecurity community and has built his own, The Fellowship of Digital Guardians: https://fdg.institute/ That... (2024-01-26, 48 min)

The Elephant in AppSec: What is ASPM: A breakdown of the current state and its future
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we're joined by an amazing guest, James Berthoty. James has been in technology for over 10 years across engineering and security. An early advocate for DevSecOps, he has a passion for driving security teams as contributors to products. With all his experience, he's currently building latio.tech, a platform helping organizations find the best security tools. In our latest episode with Tristan Kalos, we challenged James about his recent article on ASPM. We discussed what's right and wrong with... (2024-01-11, 40 min)

The Elephant in AppSec: Lack of effective DAST tools⎥Aleksandr Krasnov (Meta, Thinkific, Dropbox)
Today, we're revealing our first episode with Aleksandr Krasnov, the principal security engineer at Meta, who challenges the effectiveness of existing DAST tools with us. Aleksandr Krasnov is the principal security engineer at Meta, responsible for all things security at Instagram and WhatsApp. Previously, he was responsible for AppSec and offensive security at Thinkific and served as a product security engineer at Dropbox, Palo Alto Networks, and other companies. Throughout his career, Alek used multiple security tools, including Dynamic Application Security Testing (DAST) tools. As we began discussing this... (2023-11-30, 43 min)

The Elephant in AppSec: The Elephant in AppSec Podcast Trailer | Escape
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Tomorrow, we're revealing our first episode with Aleksandr Krasnov, the principal security engineer at Meta, who challenges the effectiveness of existing DAST tools with us. In the upcoming weeks, we'll share even more interviews with world-class security experts that address concrete appsec issues, allowing you to reflect on your approach to security practices. Stay tuned! (2023-11-29, 01 min)

DayOne.FM: An Agnostic Approach to AppSec: Ken Johnson on Navigating the Future with AI
Ken Johnson is co-founder of Dryrun Security and co-host of the Absolute AppSec podcast. Ken has many years' experience working in AppSec in a variety of roles, including CTO of nVisium and Application Security Engineer at GitHub. Ken chats with Cole Cornford about taking an agnostic approach to AppSec, transitioning from being an employee to a founder, how AI might change cybersecurity, and plenty more.
Secured by Galah Cyber with Cole Cornford website
Timestamps:
* 9:10 - When Ken started running AppSec conferences.
* 12:00 - Ken: an “agnostic approach” to appsec really resonated with people.
* 14:30 - Ken: “by nat... (2023-08-16, 48 min)

Secured by Galah Cyber with Cole Cornford: An Agnostic Approach to AppSec: Ken Johnson on Navigating the Future with AI
Ken Johnson is co-founder of Dryrun Security and co-host of the Absolute AppSec podcast. Ken has many years' experience working in AppSec in a variety of roles, including CTO of nVisium and Application Security Engineer at GitHub.
Ken chats with Cole Cornford about taking an agnostic approach to AppSec, transitioning from being an employee to a founder, how AI might change cybersecurity, and plenty more.
Secured by Galah Cyber website
Timestamps:
* 9:10 - When Ken started running AppSec conferences.
* 12:00 - Ken: an “agnostic approach” to appsec really resonated with people.
* 14:30 - Ken: “by nature we are al... (2023-08-16, 48 min)

The OWASP Podcast Series: You've got some Kubernetes in my AppSec!
In this episode, I speak with Jimmy Mesta, the project leader of the new OWASP Kubernetes Top 10. Beyond covering the actual Kubernetes Top 10 project, we cover how AppSec has expanded to cover other areas. You not only have to ensure that your application is secure, you need to ensure the security of the environment in which it runs. That environment is increasingly becoming Kubernetes, so what better than to talk to someone who's protected Kubernetes clusters for years and trained many others to harden their clusters.
Show Links:
- OWASP Kubernetes Top 10: https://owasp.org/www-project-kubernetes-top-ten/
- Kubernetes Top 10 Github repo... (2022-11-28, 41 min)

Cloud Security Podcast: Application Security AppSec 101 - Tanya Janca
In this episode of the Virtual Coffee with Ashish edition, we spoke with Tanya Janca, Founder, SheHacksPurple & WeHackPurple.
Host: Ashish Rajan - Twitter @hashishrajan
Guest: Tanya Janca - Linkedin
Tanya & Ashish spoke about:
* Who is Tanya Janca? :)
* What was your path into CyberSecurity or your current role?
* What has professional life been after leaving Microsoft?
* What does Cloud Security mean for you?
* What is Application Security or AppSec?
* Tanya Janca’s Book - “Alice and Bob learn Application Security”
* How can someone start in Application Security, especially if they are trying to move laterally?
* What is Stati... (2020-08-02, 1h 06)

Purple Squad Security: Episode 60 – Tabletop D&D with Ken Johnson & Seth Law from Absolute AppSec
The hiatus is over! Welcome back everyone to the latest episode of the Purple Squad Security podcast! In this episode we have Ken Johnson and Seth Law from the Absolute AppSec Podcast joining me for the latest session of Tabletop D&D. Enjoy!
Some links of interest:
* Absolute AppSec Website
* Twitter
* Seth's Twitter Account: @sethlaw
* Ken's Twitter Account: @cktricky
Want to hear about a new Infosec con? If you're in and around the Waterloo region area in October, why not check out Cyber City! This is Waterloo region's premier information security conference. Tickets are on sal... (2019-09-01, 1h 08)

The OWASP Podcast Series: 2019 Global AppSec Conference DC w/ Ben Pick
OWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest security tribes in the world. In this episode of the DevSecOps Podcast Series, I speak with Ben Pick, one of the organizers of the conference, about what's important about this type of gathering and what you can expect when attending. https://dc.globalappsec.org/ (2019-08-24, 20 min)

The Application Security Podcast: Tanya Janca — Mentoring Monday — 5 Minute AppSec
Tanya Janca is excited about mentoring. She's started a hashtag on Twitter for mentors to find mentees, and for mentees to search for mentors. Mentoring is such an essential part of growing our community, so if you are not mentoring anyone today, I can only ask, why not? Here is Tanya's take on mentoring and her advice on how to get involved with #MentoringMonday. 5 Minute AppSec is an AppSec Podcast experiment with micro-content.
Hit us up on Twitter and tell us what you think, @AppSecPodcast.
FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The... (2019-05-20, 05 min)

The OWASP Podcast Series: Tel Aviv and the 2019 Global AppSec Conference
When I think of Tel Aviv, I imagine a robust, young culture, living a good, fun life. Not only is the culture conducive to a young life style, its tech industry continues to gain traction. As Wired Magazine said last August, "Israeli startups have always been high on Silicon Valley shopping lists, but Tel Aviv is beginning to shake off its reputation as Europe’s exit capital." Zebra, the medical diagnostics company, MyHeritage online family tree service, Via ride sharing service, and the Waze navigation app, as well as dozens of other influential start-ups call Tel Aviv home. This places Te... (2019-05-01, 18 min)

The OWASP Podcast Series: What's In Store for the AppSec Cali Conference w/ Richard Greenberg
As if there aren't enough reasons to go to Southern California in the middle of a New York winter, AppSec Cali opens its doors for its 6th Annual OWASP conference on January 22, 2019. In this broadcast, I speak with Richard Greenberg, one of the core organizers of the conference, talking about why people come, what they can expect to see and why he continues to help produce the conference year after year.
For a transcript of this broadcast, go to DevSecOpsDays.com and click on "Podcasts". (2019-01-15, 19 min)

The OWASP Podcast Series: 2018 AppSec EU London - Conference Preview
In this episode, I speak with the organizing committee of 2018 AppSec EU, hearing about what's planned and why you should consider attending this international conference in London. (2018-06-19, 22 min)

Application Security PodCast: ModSecurity and #AppSec (S02E19) – Application Security PodCast
On this week's episode of the #AppSec Podcast, Robert and Chris are joined by Tin Zaw, an advocate for ModSecurity. He dives into its background, the use of rules, and the many advantages. Rate us on iTunes and provide a positive comment, please! The post ModSecurity and #AppSec (S02E19) – Application Security PodCast appeared first on Security Journey Podcasts. (2017-10-17, 00 min)

The OWASP Podcast Series: AppSec EU 2017, Belfast Keynote Preview with Jaya Baloo
"Why does OWASP even exist? Why do we even have this idea of understanding common issues, common problems. There are resources to help us do it better next time. I feel we are not learning at the curve where we should be, considering the resources available to us." -- Jaya Baloo
As CISO of KPN, the largest telecom in the Netherlands, Jaya Baloo has a lot on her mind, but maybe not what you'd think. In this free wheeling discussion, we begin with what Jaya will be talking about during her keynote at AppSec EU 2017 in Belfast, and then move... (2017-03-22, 17 min)

The OWASP Podcast Series: AppSec EU 2017 Belfast - What to Expect
In mid-May I'll be joining the organizing team of AppSec EU 2017 in Belfast for a week of security and DevOps sessions.
Listen in as Gary Robinson, Michelle Simpson and Owen Pendlebury talk about what's planned for the week. (2017-02-18, 20 min)

The OWASP Podcast Series: Shannon Lietz - Keynote Preview for AppSec EU 2017, Belfast
Shannon Lietz, DevSecOps Lead at Intuit, will be giving a keynote presentation at AppSec EU 2017, Belfast. I talked with Shannon about what she will be presenting and why she is so excited to return to Ireland. (2017-01-17, 09 min)

The OWASP Podcast Series: 2016 AppSec USA: The Core Rule Set Project w/ Chaim Sanders
The OWASP ModSecurity Core Rule Set Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. Chaim Sanders, Ryan Barnett, Christian Folini and Walter Hop are the team coordinating the project. During 2016 AppSec USA, I spoke with Chaim about the purpose of the project, the work done in the past year, the upcoming release and what the team hopes to accomplish in 2017. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project (2016-10-12, 09 min)

The OWASP Podcast Series: AppSec USA 2016 Pre-Conference Update
From October 11 - 14, 2016, appsec professionals from around the world will gather in Washington DC to participate in one of this year's main OWASP events, AppSec USA 2016. In this broadcast, I speak with three organizers of the event (Andrew Weidenhamer, Mike McCabe, Patrick Cooley) to get insight as to what to anticipate at the conference, the unique qualities of an AppSec USA event, and a sneak peek at the sessions that will be given over the 4 day event. (2016-09-09, 16 min)

The OWASP Podcast Series: AppSec Europe 2016 - What To Expect
What can you expect when you attend AppSec EU 2016 in Rome at the end of June?
I talk with Bart de Win and Matteo Meucci, conference chair, to see who is coming, why you should and what to expect when AppSec EU goes to one of the world's greatest cities. Registration is open: https://2016.appsec.eu/ (2016-05-25, 11 min)

The OWASP Podcast Series: AppSec USA 2015 Overview with Ben Hagen and Michael Coates
This year's AppSec USA Conference will be held in San Francisco, September 22 - 25. I spoke with Ben Hagen and Michael Coates, organizers of the event, to see how the planning is going and what will be special about this event. https://2015.appsecusa.org/ (2015-06-24, 18 min)

The OWASP Podcast Series: 2015 AppSec California Post Mortem with Richard Greenberg and Neil Matatall
What does it take to put on a successful conference? How much work is involved? In this segment, I sit down with Neil Matatall and Richard Greenberg, co-organizers of AppSec California 2015. We talk about how they came up with the idea and what resources were needed to pull off such a successful event.
About Richard Greenberg
Richard Greenberg, CISSP, a recognized leader in Information Security, is President of the Los Angeles Chapter of OWASP. His day job is Information Security Officer for the Los Angeles County Department of Public Health. (2015-02-17, 25 min)

The OWASP Podcast Series: AppSec USA 2014, Denver - Damon Edwards, Matt Tesauro, Eoin Keary, Martin Knobloch
I was able to get a quick update from Damon, Matt, Eoin and Martin this week at AppSec USA 2014 Denver. They each have a different perspective on what is going on with OWASP in different parts of the world. Have a listen... (2014-09-19, 13 min)

The OWASP Podcast Series: Wait! Wait! Don't pwn me! from AppSec Europe 2014
It's become a regular thing at AppSec: test the experts on their knowledge of current software security news events. This session was recorded at AppSec Europe 2014 with panelists Chris Eng, Matt Tesauro and Josh Corman.
If you'd like to play along, you can view the gameshow slide deck. Looking forward to seeing you at our next AppSec session of "Wait Wait! Don't pwn me!" (2014-07-18, 32 min)

The OWASP Podcast Series: 2014 AppSec APAC - Post Mortem (English)
In March 2014, Rio Okada and his team in Japan organized the first AppSec APAC event in Japan. I called Rio to ask how the event went. Joining the conversation with me and Rio is Robert Dracea, Tobias Gondrom and Jerry Hoff. During our call we talked about what made the event so successful and how that success might be used in future AppSec events. Have a listen. (2014-04-01, 18 min)

The OWASP Podcast Series: 2014 AppSec APAC - History and Overview (Japanese and English)
I was able to have a wonderful conversation with Riotaro Okada and Robert Dracea this morning, talking about the upcoming AppSec APAC conference in Tokyo. This interview is unique, in that we have the English and Japanese responses integrated into the conversation. This is the first event of its kind in Japan and you can tell the locals are very excited about the possibilities, from internationally recognized speakers to showing visitors the hospitality of Japan. We begin the discussion with how the Tokyo OWASP chapter was started and how it led to the AppSec APAC Conference.
Riotaro Okada, Researcher (2014-02-20, 17 min)

The OWASP Podcast Series: AppSec Europe 2014 - What To Expect with Host Adrian Winckles
The planning for AppSec Europe 2014, Cambridge is in full swing. I caught up with conference manager Adrian Winckles to see how things are shaping up. (2014-02-19, 07 min)

The OWASP Podcast Series: AppSec APAC 2014 with Tobias Gondrom – What To Expect
The OWASP team in Japan are putting the finishing touches on the big AppSec APAC Conference that is being held in March 2014.
I spoke with Tobias Gondrom, keynote speaker for the conference, and asked him to fill us in on why this conference is unique and why you should consider attending. (2014-01-14, 07 min)

The OWASP Podcast Series: AppSec USA 2013 - Larry Conklin and the Code Review Book Project
"I am a developer and one of the things I hate are code reviews." -- Larry Conklin
Larry Conklin is a developer and as a developer, he HATES code reviews. Because of this, he now heads the OWASP "Code Review Book" project which is creating a definitive guideline that allows companies to proceed with code reviews based upon technical facts, not emotions or intuition. I spoke with Larry at AppSec USA 2014. Dennis Groves was also there, so you'll hear him interject with a question in the middle of the program.
About Larry Conklin
Larry Conklin's current emphasis is... (2014-01-13, 10 min)

The OWASP Podcast Series: AppSec USA 2013: Jim Manico - Life after OWASP Podcasting
"For an organization to really mature around application security, they need to be building security into their software from day one." -- Jim Manico
Jim Manico started the OWASP podcast series in 2008. In that time, he has recorded close to 100 interviews to keep the community updated on the latest project development within OWASP. As Jim reaches his 100th episode, he reminisces about how the series was started, what his original vision was and what he's going to do now that he has passed the reins over and moves on to other projects. We start with a question about the origins... (2014-01-07, 13 min)

The OWASP Podcast Series: AppSec USA 2013: Zed Attack Proxy Project with Simon Bennetts
"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for." -- Simon Bennetts
In today's segment, I talk with Simon Bennetts, project lead for the OWASP Zed Attack Proxy Project or "ZAP" for short.
Simon is working on a user friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about. About Simon Bennetts Simon Bennetts (a.k.a. Psiinon...2013-12-1310 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesAppSec USA 2013 - The OWASP Application Security CISO Guide with Marco Morana and Tobias Gondrom"The CISCO Guide provides guidance and visibility to CISOs on how to initiate an application security program, how to make the business case, how to manage the risks of applications and how to measure the those risks. The guide is structured as a journey, because application security is not a destination, it is a journey." Marco Marona Marco Marona, is the coordinator of the OWASP Application Security Guide For CISOs Project and Tobias Gondrom is the project lead for the OWASP CISO Survey. They have combined resources to provide us when a CISO framework for implementing an application security program...2013-12-0227 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesAppSec USA 2013 - The Purpose of OWASP, an Interview with Co-Founder Dennis GrovesMany people in the OWASP community don't know Dennis Groves... and that's a surprise since he is one of the co-founders of the movement. I was able to catch up with Dennis at AppSec USA in New York City (November 19, 2013) and we had an interesting discussion about the beginnings of OWASP and what he sees in the future. 
Highlights of our Discussion * The event that triggered the inspiration for OWASP * The original purpose of OWASP * The use of OWASP as a de facto standard * Future vision for OWASP * The dilemma of community obligation About Dennis Groves ...2013-11-2618 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesAppSec USA 2013 - OWASP Panel on Using Components with Known VulnerabilitiesLast week at AppSec USA in New York City (November 20, 2013), I moderated a panel with Jeff Williams and Ryan Berg talking about the latest addition to the OWASP Top 10, Using Components with Known Vulnerabilities. This is the full recording of that session.2013-11-2648 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesAppSec USA 2013 - Wait, Wait... Don't Pwn Me!On today's segment, we're going to take a different approach from our normal format. I was at the AppSec USA Conference in New York City last week and was asked to chair a panel for the game show "Wait, wait... don't pwn me!". This is the full recording of the session. As you listen, keep in mind, every situation described within the game is true. Let's start first with the introductions of Chris Eng, Josh Corman and Space Rogue.2013-11-2541 min
