Shows
ITSPmagazineBuilding a Real Security Culture: Why Most AppSec Champion Programs Fall Short | AppSec Contradictions: 7 Truths We Keep Ignoring — Episode 5 | A Musing On the Future of Cybersecurity with Sean Martin and TAPE9 | Read by TAPE9Most organizations have security champions. Few have a real security culture.In this episode of AppSec Contradictions, Sean Martin explores why AppSec awareness efforts stall, why champion programs struggle to gain traction, and what leaders can do to turn intent into impact.🔍 In this episode:Why compliance training doesn’t build cultureThe data showing champion programs lack leadership and incentive alignmentHow developers, AppSec teams, and business leaders each contribute to the gapInsights from OWASP, ENISA, and Forrester on what’s missingSean’s Take:When security culture is treated as a checkbox...
2025-11-0602 min
Cloud Security PodcastAI is already breaking the Silos Between AppSec & CloudSecThe silos between Application Security and Cloud Security are officially breaking down, and AI is the primary catalyst. In this episode, Tejas Dakve, Senior Manager, Application Security, Bloomberg Industry Group and Aditya Patel, VP of Cybersecurity Architecture discuss how the AI-driven landscape is forcing a fundamental change in how we secure our applications and infrastructure.The conversation explores why traditional security models and gates are "absolutely impossible" to maintain against the sheer speed and volume of AI-generated code . Learn why traditional threat modeling is no longer a one-time event, how the lines between AppSec and...
2025-11-041h 11
The Elephant in AppSecCan We Make AI Agents Smarter Than Security Teams? with Anshuman BhartiyaToday, I’m excited to welcome Anshuman Bhartiya, an AppSec tech lead at Lyft. Before that, he worked as a security engineer at companies like Thirty Madison, Intuit, and Atlassian.Anshuman is also a fellow podcaster and co-host of the Boring AppSec podcast, alongside one of my previous guests, Sandesh Mysore Anand.Recently, he’s been experimenting extensively with building AI agents for both offensive and defensive security, and he’s documenting his findings at anshumanbhartiya.com(link in the description).In this episode, we dive into the challenges of building effective AI agents...
2025-09-2532 min
The Elephant in AppSecWhy DevSecOps isn't enough without deep cloud context with Anjali Singh ShuklaToday I’m joined by Anjali Singh Shukla, Senior Security Engineer Cloud at Flipkart. She bridges the worlds of Cloud Security and DevSecOps, having led audits and defense strategies across AWS, Azure, and GCP, with a strong focus on Kubernetes and container security. Beyond building secure pipelines, Anjali designs training programs and speaks at global conferences like Black Hat and OWASP. Most recently at OWASP AppSec Days Singapore, she showed how attackers exploit AWS EKS misconfigurations and how to defend against them.In this episode, we dive into why DevSecOps alone isn’t enou...
2025-09-2432 min
The Elephant in AppSecLatin America’s AppSec Culture: What’s Lost (and Found) in Translation?Today, I’m joined by Max Alejandro Gómez-Sánchez Vergaray, Defensive Cybersecurity Manager at Banco de Crédito BCP. With a background in software engineering, Max transitioned into AppSec and has become a leading voice in promoting DevSecOps awareness and building robust AppSec programs using SAMM across Latin America and beyond. He actively contributes to OWASP projects like Cornucopia and regularly offers free workshops in Spanish on secure design for digital products. If you’d like to join a future session, check out the link below!In this episode, we dive into AppSec in Latin America, with a focus o...
2025-09-0537 min
Absolute AppSecEpisode 294 - w/ Anshuman Bhartiya - AppSec in the Age of AIJust in time for AppSec sweeps week, Anshuman Bhartiya is joining Seth Law (sethlaw on social media) and Ken Johnson (cktricky) on the Absolute AppSec podcast! With over a decade in the security industry, Anshuman Bhartiya brings a wealth of knowledge to the table, in web application penetration testing and product security for major enterprises (EMC, Intuit, Atlassian, Lytx, etc). As the current Tech Lead for Application Security at Lyft and co-host of The Boring AppSec Podcast, Anshuman has a wealth of knowledge on AppSec topics. Read more about Anshuman’s work in the AppSec community at his webpage here: ht...
2025-08-1900 min
The Elephant in AppSecWhy Your Security Program Might Be Failing Before It Even Starts with Sean FinleyToday, I’m joined by Sean Finley, an experienced Information and Application Security leader with deep expertise in AppSec, security operations, vulnerability management, and governance.Sean’s AppSec career started at GEICO, one of the most recognizable names in U.S. insurance. He made the leap from business analyst to the company’s very first AppSec engineer, teaching himself everything along the way.In this episode, we explore what inspired that transition, how to spot red flags that doom security programs before they start, and why Sean believes there are far better investments than SAST.We also dive i...
2025-08-0839 min
The Elephant in AppSecHow to Fix the Lack of Clear Guidance in Building Effective Security Programs | Luís FontesToday's episode features Luís Fontes, who, after five years working with various technologies as a full-stack developer, transitioned to the AppSec world. Luís worked as an AppSec engineer at major companies like Checkmarx and then moved to IOVLabs (RSK) and the cryptocurrency space. Nowadays, Luís works at Xapo, a crypto bank, and is an expert in both product security and blockchain security.In today’s conversation, Luís explains why he believes we still lack clear guidance on how to build and manage effective security programs, and how he decided to create...
2025-07-1735 min
The Elephant in AppSecAI Security: Do You Need a Dedicated Vendor? | Insights with James BerthotyWelcome to Season 4 of The Elephant in AppSec! Get ready for a season packed with even spicier takes! Today's episode features none other than James Berthoty, a security engineer turned founder and CEO of Latio. James is always ready to share his unfiltered opinions, and I’ve had the pleasure of chatting with him for last couple of years. Over the past few months, there were a lot of discussions around AI security, and I invited him on the show before his new report even hit the public to discuss hi...
2025-07-1045 min
The Elephant in AppSecWhy AppSec isn’t just for tech — Surprising Insights ⎜ Olga DzięgielewskaToday, I’m joined by Olga Dzięgielewska, Senior Manager of InfoSec Application Security at Philip Morris International. With over 10 years of experience in secure code reviews, a PhD in IT Security, and now leading global AppSec teams, Olga specializes in secure development practices, IT assurance, ethical hacking, API security and SAP security, driving security initiatives across multiple international locations.In this episode, we tackle common misconceptions about application security and exploring the unique challenges faced by the manufacturing sector compared to tech companies.We also discuss how to ensure a seamless dig...
2025-06-1739 min
The Elephant in AppSecAre Traditional WAFs Dead? The Impact of OpenAPI Specs on Web Security with Nathan ByrdToday, I’m joined by Nathan Byrd, a Principal AppSec Architect at Applied Systems. Nathan’s journey is truly unique: before joining Applied Systems, he spent an impressive 24 years at Mastercard, where he rose from a software engineer to a Principal AppSec Architect. That’s the longest tenure we’ve seen from anyone on the podcast!Nathan is passionate about building things, whether it’s his early days as an internet fan, building projects with Raspberry Pi Pico, or more recently, creating OAShield (away shield). This open-source project helps generate WAF config files based on OpenAPI specs, which we dive into...
2025-06-0640 min
Cybersecurity UncomplicatedWhat Is AppSec & How to Start Your Career Without a Degree - Cybersecurity Uncomplicated Episode 16The NEW Cybersecurity Podcast, Cybersecurity Uncomplicated with Cyber Queen. Whether you’re starting from scratch, already trying to break in, or feeling overwhelmed by the endless resources and advice out there, this cybersecurity podcast is for you..🔏🚀In this episode of Cybersecurity Uncomplicated, I chat with Lyght, an Application Security Engineer, to break down what it really means to work in Application Security (AppSec) today. 🔐💻From bridging the gap between security and developers to navigating the competitive AppSec job market, Lyght shares powerful insights from his own journey and offers advice for anyone looking to break into...
2025-06-011h 02
The Elephant in AppSecFinding AppSec tools that developers love — is it possible? with Linda FayToday I’m joined by Linda Fay, a seasoned leader in Application Security with over 13 years of experience. She’s led large-scale security programs, most recently as Director of Product Security Engineering, where she secured thousands of applications and delivered major cost savings. Now working as an independent consultant, she helps organizations improve their AppSec posture and explore the intersection of AI and security. Linda also leads the OWASP Nashville chapter and is deeply involved with WiCyS, mentoring the next generation of women in cybersecurity.In this episode, we dive into whether it’s possible to find AppSec tools that d...
2025-05-3032 min
ITSPmagazineTurning AppSec into a Workflow, Not a Roadblock – Building Security Programs That Teams Actually Want to Use | An OWASP AppSec Global 2025 Conversation with Spyros Gasteratos | On Location Coverage with Sean Martin and Marco CiappelliDuring the upcoming OWASP Global AppSec EU in Barcelona, Spyros Gasteratos, long-time OWASP contributor and co-founder of Smithy, to explore how automation, collaboration, and community resources are shaping the future of application security. Spyros shares the foundation of his talk at OWASP AppSec Global: building a DevSecOps program from scratch using existing community tools—blending technical guidance with a celebration of open-source achievements.Spyros emphasizes that true progress in security stems not from an ever-growing stack of tools, but from aligning the humans behind them. According to him, security failures often stem from fragmented information and misaligned in...
2025-05-2917 min
On Location With Sean Martin And Marco CiappelliTurning AppSec into a Workflow, Not a Roadblock – Building Security Programs That Teams Actually Want to Use | An OWASP AppSec Global 2025 Conversation with Spyros Gasteratos | On Location Coverage with Sean Martin and Marco CiappelliDuring the upcoming OWASP Global AppSec EU in Barcelona, Spyros Gasteratos, long-time OWASP contributor and co-founder of Smithy, to explore how automation, collaboration, and community resources are shaping the future of application security. Spyros shares the foundation of his talk at OWASP AppSec Global: building a DevSecOps program from scratch using existing community tools—blending technical guidance with a celebration of open-source achievements.Spyros emphasizes that true progress in security stems not from an ever-growing stack of tools, but from aligning the humans behind them. According to him, security failures often stem from fragmented information and misaligned in...
2025-05-2917 min
The Elephant in AppSecWhat Most Security Teams Miss: An Engineering Manager’s Take on AppSec with Desmond LampteyToday’s episode is a special one. I’m joined by Desmond Lamptey, a Software Engineering Manager at a large financial organization.I first came across Desmond during his talk on API Security at APIDays Paris—and honestly, it was one of the best talks I’ve seen. Not only because of the insights, but also the dad jokes.That talk made me curious: What drives a seasoned engineer like Desmond to speak about security with such passion? And more importantly, what does he think security teams get wrong when it comes to their co...
2025-05-2739 min
The Elephant in AppSecCompliance in Cyber: Can Regulation and Innovation coexist?⎜Chris HughesToday, I’m joined by Chris Hughes, the CEO & Co-Founder of Aquia, a cybersecurity consulting firm supporting secure digital transformation for U.S. federal, state, and defense agencies. He previously served as a Cyber Innovation Fellow at CISA.Chris is also the co-author of Software Transparency and Effective Vulnerability Management (Wiley) books, and hosts the Resilient Cyber podcast and Substack. He's also a frequent speaker and commentator on AppSec, software supply chain security, and DevSecOps.In this episode, we unpack why compliance doesn’t equal security- but in its absence, the state of cybersecurity would be worse. We explore how...
2025-05-2338 min
The Elephant in AppSecThe Future of Product Security: Quality Engineering or something more? with Michael NovackToday, I’m joined by Michael Novak, a seasoned Application Security Architect turned Technical Product Manager. At the time of this recording, he was still working hands-on in AppSec! Having started his career as a Java software engineer, Michael knows firsthand the challenges developers face when it comes to building secure applications.Outside of his technical roles, Michael has created several educational games — most notably Byte Club, a strategic card game that turns complex cybersecurity concepts into fun, accessible learning experiences. He also gives back to the community by mentoring students in technology and cybersecurity through his work...
2025-05-1635 min
The Elephant in AppSecAI, Speed, and Startup Chaos: Is ‘Minimum Viable Security’ the Fix? ⎜ Kalyani PawarToday, I’m joined by Kalyani Pawar, an Application Security Engineer at Zipline and a seasoned AppSec expert with a deep commitment to the startup ecosystem. Beyond her day job, she actively advises startups and VCs on what really matters in application security. Kalyani is also the co-host of the Application Security Weekly podcast and a speaker at top conferences like DEFCON, BSides SF, and RSA.She’s been a driving force behind the scenes too, serving on reviewer boards for DEFCON, WiCyS, and several BSides chapters—helping shape high-impact security content for the community.I...
2025-05-0250 min
Resilient CyberResilient Cyber w/ Varun Badhwar - AI for AppSec - Beyond the BuzzwordsIn this episode, we sit down with Varun Badhwar, Founder and CEO of Endor Labs, to discuss the state of AI for AppSec and move beyond the buzzwords. We discussed the rapid adoption of AI-driven development, its implications for AppSec, and how AppSec can leverage AI to address longstanding challenges and mitigate organizational risks at scale.Varun and I dove into a lot of great topics, such as:The rise of GenAI and LLMs and their broad implications on CybersecurityThe dominant use case of AI-driven development with Copilots and LLM w...
2025-04-1126 min
The Elephant in AppSecDAST Tools: Can We Change the AppSec Community Perception? with Chris LindseyToday, I’m joined by Chris Lindsey, who, at the time of recording, was an AppSec Evangelist at Mend. Formerly an AppSec Architect, Chris brings over 15 years of direct security experience and more than 35 years of leadership in programming, software, solutions, and security architecture.For several years, Chris built and led an entire application security program, including oversight of security processes, procedures, tools, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.Chris also is a seasoned speaker and the host of the Secrets of AppSec Champions podcast.In this ep...
2025-04-1040 minResilient CyberResilient Cyber w/ Jit - Agentic AI for AppSec is HereIn this episode, we sit down with David Melamed and Shai Horovitz of the Jit team. We discussed Agentic AI for AppSec and how security teams use it to get real work done.We covered a lot of key topics, including:What some of the systemic problems facing AppSec are, even before the widespread adoption of AI, such as vulnerability prioritization, security technical debt and being outnumbered exponentially by Developers.The surge of interest and investment in AI and agentic workflows for AppSec, and why AppSec is an appealing space for this sort of i...
2025-04-0828 min
The Elephant in AppSecSecure Coding — Can we make it happen? with Tanya JancaToday, I’m joined by someone many of you will instantly recognize — Tanya Janca, also known as She Hacks Purple and a key community leader at Semgrep.With nearly three decades in IT, Tanya has earned countless awards, including OWASP Lifetime Distinguished Member and Hacker of the Year. She’s spoken on stages around the world and trained thousands of software developers and security professionals along the way.Her first book was one of the earliest I read on application security — and honestly, her work gets mentioned more than almost anyone else’s by guests, season aft...
2025-04-0341 min
The Elephant in AppSecHow Psychology Really Shapes AppSec Wins & Fails ⎢ Curtis KoenigToday, I’m joined by Curtis Koenig, a seasoned application security leader managing AppSec programs for global brands. At Gen Inc., he secures all products through CI/CD integration, secure coding, and a bug bounty program. Previously, at Booking.com and Snap Inc., he scaled security operations, enhanced authentication systems, and streamlined compliance processes. With expertise in secure development and threat modeling, Curtis is a recognized authority in enterprise application security.In this episode, we explore how insights from neuroscience align with the decisions developers and security professionals make about securing applications. We also discuss how storytelling through metrics ca...
2025-03-2850 min
The Elephant in AppSecThe Open Source Security Crisis: Is Trust the Weakest Link in Supply Chain? with François ProulxWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the roomToday, I’m joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement.He’s also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out...
2025-03-1944 min
The Elephant in AppSecAre we truly managing Third-Party risks, or just playing security theater? ⎢Rachel CurranWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the roomToday, I’m joined by Rachel Curran, co-founder and CEO of Locktivity—a third-party risk management platform. She’s also the former Director of Risk and Compliance and Head of Infosec at Logik Systems.With over a decade of experience leading security and GRC initiatives, Rachel has built SOC 2 and security programs from the ground up, helping companies achieve security maturity. She’s also a frequent speaker at security conferences about this topic. Beyond her work in cybersecurity, Rachel co-hosts @shedoest...
2025-03-1450 min
The Elephant in AppSecHyped or Helpful? The Truth About Reachability & Developer Buy-In ⎢ Nir ValtmanWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.Today, I’m joined by Nir Valtman, CEO & co-founder of Arnicaan ASPM platform with a pipelineless approach. Before founding Arnica, Nir led product and data security at Finastra, established security at Kabbage as CISO, and headed application security at NCR. He’s also a well-known speaker at top security conferences, including Black Hat, Defcon, RSA, BSides, and OWASP.In this episode, we unpack the reachability hype-why every vend...
2025-03-0642 min
The Elephant in AppSecDevSecOps vs. Reality: What You REALLY Need to Succeed!Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.Today, I’m joined by Iman Ilbag, a DevSecOps Engineer at KPN, one of the leading telecom providers in the Netherlands.Previously, as the sole DevSecOps Engineer at Snappfood, he secured 70+ projects and trained hundreds of security champions. Iman transitioned from engineering to DevOps and Application Security, and has also worked on penetration testing and infrastructure security for both startups and larger enterprises.He’s passionate about security automation and open-source security, always look...
2025-02-2838 min
The Elephant in AppSecUnpacking Opengrep—A Deep Dive with Its Backing TeamsWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.Recently, Opengrep made headlines as a new open-source project based on a fork of Semgrep Community Edition, with the goal of democratizing SAST.As you know, I'm always ready to dive into controversial topics on The Elephant in AppSec, and this episode is no exception. But before we jump in, full disclosure: I’m staying neutral in this conversation. I’ve had the privilege of collaborating with incredible people on both sides of the discussion, and I’m here to exp...
2025-02-1933 min
The Elephant in AppSecIs There a Secret to Mastering Threat Modeling at Scale? Ashwini Siddhi (GoDaddy)Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.Today, I’m thrilled to be joined by Ashwini Siddhi, Director, Security Engineering at GoDaddy. With a background in electronics engineering, Ashwini discovered her true passion in cybersecurity and has since become a distinguished leader in the AppSec space. Her expertise spans multiple domains, with Threat Modeling standing out as a key area of specialization.Recently elected to the OWASP Foundation’s Board of Directors, Ashwini is not just a technical expert—she’s...
2025-02-1441 min
The Elephant in AppSecCan You Really Quantify AppSec ROI? Here’s the Truth! ⎜Irfaan SantoeWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Irfaan Santoe, a seasoned security leader who has worn many hats—from CISO to Global Head of Application Security, and now Founder and CTO of RiskApp.
Beyond his leadership roles, Irfaan is a dedicated community
builder. He leads the OWASP Netherlands Chapter, created the OWASP Security Champions Guide, and co-hosts the re:invent security podcast, a live in-person show where industry leaders share how they’re reshaping security.
In this episode, we tac...
2025-02-0353 min
The Elephant in AppSecHow to Fix API Security Before It’s Too Late ⎜ Confidence StaveleyWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by a true force in cybersecurity. With over a decade of experience, Confidence Staveley has dedicated her career to helping organizations build secure, innovative products. She’s the founder of MerkleFence, where she serves as Director of Application Security for various companies, and the author of the Amazon bestseller API Security for White Hat Hackers.
Confidence is known for making cybersecurity concepts accessible to diverse audiences, as seen in her popular YouTube series, "API Kitchen" @SisiNe...
2025-01-2846 min
The Elephant in AppSecThe Untold Benefits of Continuous Threat Modeling You Didn’t Know About ⎜Izar TarandachWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Izar Tarandach, a Senior Product Security Architect with extensive security experience at Datadog, Squarespace, and several other companies. Izar is also a renowned speaker and the co-author of Threat Modeling: A Practical Guide for Development Teams by O'Reilly. He’s a member of the Threat Modeling Manifesto Group and the leader behind the OWASP pytm Pythonic framework for threat modeling tool.
Izar is also a fellow podcaster, and I hope we ge...
2025-01-2042 min
The Elephant in AppSecWhat does “collaborate with engineering” actually mean in AppSec? ⎜Koen Hendrix (Zendesk)Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Koen Hendrix, Director of Product Security at Zendesk. With over a decade of experience in the tech and gaming industries, Koen has been instrumental in building and scaling global security teams, integrating security into agile environments, and driving innovation in product security processes. Known for fostering strong relationships with global Product and Engineering leaders, he brings a wealth of expertise to today’s conversation.
In this episode we discuss why non-negotiable security practices must be c...
2025-01-1546 minResilient CyberResilient Cyber w/ Greg Martin - Agentic AI and AppSecWe’ve heard a ton of excitement about AI Agents, Agentic AI, and its potential for Cybersecurity. This ranges in areas such as GRC, SecOps, and Application Security (AppSec).That is why I was excited to sit down with Ghost Security Co-Founder/CEO Greg Martin.In this episode, we sit down with Ghost Security CEO and Co-Founder Greg Martin to chat about Agentic AI and AppSec. Agentic AI is one of the hottest trends going into 2025, and we will discuss what it is, its role in AppSec, and what system industry challenges it may help ta...
2025-01-1027 min
The Elephant in AppSecIs your organization mature enough for its first AppSec hire?⎢Akira BrandToday, I'm joined by Akira Brand, the AVP of Application Security at PRA Group. With nearly five years of experience in the security space, Akira has a diverse background, starting as a Developer Relations Engineer and transitioning into an Application Security role.
Passionate about education and Infosec, Akira has established herself as a distinguished public speaker, co-hosting the AppSec Weekly Podcast for several years and sharing her expertise as a cybersecurity instructor at Katilyst.
Akira is also a professional opera singer. You can hear her singing at her Elephant in AppSec conference talk!
...
2024-12-2451 min
The Elephant in AppSecAre we overlooking Kubernetes security in the race to deploy applications - Raunaq AroraWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we’re joined by Raunaq Arora, Lead Application Security Engineer at Chipotle. Raunaq’s journey into security was almost accidental, starting as a developer who quickly developed a knack for breaking and building secure applications.
Now, his expertise lies in securing Kubernetes environments at scale and aligning security strategies with business priorities. Last year, he took the RSA Conference stage to share how his team built a secure Kubernetes environment by integrating CIS controls into SDLC pipelines—turning securi...
2024-12-1945 min
The Elephant in AppSecIs it actually realistic to see everyone as the greatest ally in security? - Alina YakubenkoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m excited to have Alina Yakubenko on the show. Alina, Senior Application Security Engineer at Toast, Inc and former developer and QA Engineer., is dedicated to empowering developers to integrate security into their everyday practices. Passionate about building a culture of security awareness, she works to ensure that security is a core component of development processes, helping teams build safer, more resilient applications.
In this episode, we dive into a thought-provoking question: is it truly realistic to se...
2024-12-1655 min
The Elephant in AppSecCan DevSecOps Maturity Models Fail? The Hidden Gaps in AppSec Programs ⎜Timo PagelWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome a true expert in DevSecOps, Timo Pagel! With over 20 years of experience in security strategy, web development, and DevSecOps architecture, Timo brings a wealth of knowledge to the table.
As a freelance consultant and university lecturer, he’s passionate about training the next generation of AppSec professionals while actively contributing to the Open Source community as the leader of the OWASP DevSecOps Maturity Model (DSOMM) project: https://dsomm.owasp.org/
In this episode, Timo...
2024-12-1143 min
The Elephant in AppSecRisk, Product Management, and Supply Chain Security: Is There a Connection? ⎜Jesus CuadradoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Jesus Cuadrado to the show! Jesus is the Chief Product Officer at Xygeni, an ASPM platform focused on improving software supply chain security. With over a decade of experience in product management, he’s now leading the charge in creating user-friendly security tools while tackling critical challenges like ensuring reliable software updates and integrating zero-trust principles into product strategies.
In this episode, we’ll dive into the intersection of produc...
2024-12-0449 min
The Elephant in AppSecHow hard is it to make DevSecOps work in a Hybrid Cloud? ⎜Michael TayoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Michael Tayo to the show! As the Information Security Lead at EDX Markets, Michael advises C-suite leaders and drives strategies to protect critical infrastructure in institutional crypto markets. With prior roles in Financial Services and Tempus AI, Michael brings a wealth of experience in cloud security and risk management.
He’s also the founder of CyberSHIELD, a platform empowering security professionals with training and resources, and The Ghetto Flower, a creative agency uplifting unde...
2024-12-0249 min
The Elephant in AppSecIs It Possible to Maximize the Effectiveness of Security Champions? ⎜ Magdalena ModricWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Magdalena Modric to the show! Magdalena is an AppSec Program Strategist at Secure Code Warrior, where she’s been empowering developers in the German-speaking market to build secure applications since 2018.
Beyond her professional expertise, Magdalena is also a talented violinist—a wonderful reminder of how many AppSec professionals channel their passion into music and creativity outside of work.
In this episode, Magdalena and I dive into the critic...
2024-11-2546 min
The Elephant in AppSecHacker Turned Policy Builder: What They Don’t Want You to KnowWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Patrick Mathieu to the podcast! Patrick is currently a Senior Manager of Product Security at DoorDash, but his impact on the cybersecurity world spans years.
Fifteen years ago, he founded Hackfest.ca, Canada's largest bilingual infosec conference and hacking community. Beyond Hackfest, Patrick is a sought-after speaker at cybersecurity conferences worldwide and the host of Securite.fm, a popular podcast on all things sec...
2024-11-1555 min
The Elephant in AppSecWhy Is Transforming Company Culture for Product Security So Challenging? ⎜ Ariel ShinWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m super excited to have Ariel Shin on the podcast! Ariel started as a pentester, moved into appsec, and now she’s a Security Engineering Manager at Datadog. Before that, she led the Product Security team at Twilio, where she led an effort to democratize vulnerability management across the company, which had a significant impact on reducing risk.
She’s also a regular speaker at conferences, and I actually got to meet her in per...
2024-10-3047 min
Dirty South Security PodcastEp.06 - AppSec Dead, Rise of ASPM, Threat Modeling in AppSec, Recommendations for AppSec FutureWelcome to another episode of The Dirty South Cybersecurity Podcast! 🎙️ In this episode, your hosts Tony and Q0PHI dive deep into the world of Application Security (AppSec). They tackle the burning question: Is AppSec dead? 🤔Join the discussion as they explore the rise of Application Security Posture Management (ASPM) and debate whether ASPM is the new AppSec. Discover the latest trends, insights, and expert opinions on how organizations can stay ahead in the ever-evolving cybersecurity landscape.🔒 Topics Covered:The current state of AppSecIntroduction to ASPMComparing AppSec and ASPMFuture...
2024-10-2835 min
The Elephant in AppSecThe API Governance Problem: Why Your API Security Is at Risk (And How to Fix It) ⎜Akansha ShuklaWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m excited to welcome Akansha Shukla, a cybersecurity expert with over 10 years of experience, currently specializing in API security at ABN AMRO, one of the largest banks in the Netherlands. Akansha has a strong background in application security, DevSecOps, threat modeling, and vulnerability assessments.
Beyond her work at the bank, Akansha enjoys sharing her knowledge and runs her own blog focused on API security. She’s also a no...
2024-10-2342 min
The Elephant in AppSecAI Chatbots: Security Disaster or Can We Build Them Securely? ⎜Ante Gojsalic & Benjamin DulieuWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I have two incredible guests with me: Ante Gojsalic and Benjamin Dulieu.
Ben is a Chief Information Security Officer at Duck Creek Technologies, an Insurance SaaS provider supporting the end-to-end insurance process for many of the world’s largest carriers. A former U.S. Marine Corps Captain, Ben transitioned into cybersecurity leadership in 2016, leading Cyber and Technology Risk Management at Brown Brothers Harriman before taking on his current role, where he oversees cybersecurity, privacy, and IT infrastructure strategies.
An...
2024-10-1549 min
The Elephant in AppSecOpen Source vs. Commercial Software: The Ultimate Showdown⎜Kyle KellyWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, my guest is Kyle Kelly, Tech Lead for Supply Chain Security Research at Semgrep and the founder of the CramHacks weekly newsletter. You can subscribe here 👉 cramhacks.com
With a background in consulting and research, he specializes in supply chain security, using his expertise to shape the insights he shares.
Through CramHacks, he empowers readers to take an active role in software security and deepen their understanding of supply chain vulnerabilities.
In this episode, Kyle shares when you sho...
2024-10-1048 min
The Elephant in AppSecPrivacy vs. Application Security: Can They Truly Coexist? | Kim WuytsWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, my guest is Kim Wuyts, a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager of Cyber & Privacy, Kim was a senior researcher at KU Leuven, where she led the development and extension of LINDDUN, a popular privacy threat modeling framework.
Kim is also a co-author of the Threat Modeling Manifesto, program co-chair of the International Workshop on Privacy Engineering (IWPE), and a member of ENISA’s working gr...
2024-10-0145 min
The Elephant in AppSecFrom PhD to AppSec: How to Bridge the Gap Between Research & Security Tools | Diego SempreboniWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Diego Sempreboni, a Senior Application Security Engineer at Pleo. Diego earned his PhD in Computer Science, specializing in security, at King’s College London. After realizing his passion lay in solving real-world problems, he transitioned from academia to product and application security, gaining valuable experience in various fintech companies in the UK.
In this episode, we discuss the key differences between academia and engineering in security and why vendors should focus on creating tools that...
2024-09-2442 min
The Elephant in AppSecAppSec for Startups: Critical or Overlooked? | Rob PicardWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, my guest is Rob Picard. Rob started his career as a pentester and went on to become an early security hire at both Robinhood and Vanta, where he helped establish scalable security programs. He is now leading Observa, a security consulting firm focused on helping startups build strong security foundations.
Rob frequently participates in podcasts, sharing his expertise on how startups can develop security programs, often with an AppSec focus.
In this episode, Rob discusses when startups should...
2024-09-2049 min
The Elephant in AppSecWhat are the risks associated with open source? | Kaiwen JiangWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, my guest is Kaiwen Jiang, an Application Security Engineer at a financial services company in the UK. Her primary areas of focus are . She was previously a cybersecurity consultant at Deloitte.
Kaiwen also runs a blog, AppSec Kiki, where she shares her knowledge with the community, and she’s an active participant in London’s OWASP community meetups!
In this first episode of Season 2, Kaiwen shared insights on why open-source security in the supply chain has become such a ho...
2024-09-1239 minThe Elephant in AppSecSeason 2 The Elephant in AppSec Podcast TrailerGet ready for more bold opinions starting next week! 🔥
2024-09-0601 minThe Elephant in AppSecWe Don’t Let the Bad Guys Win: Is It Possible with All Third-Party Apps in Oil & Gas? ⎜Catharina "DD" BudihartoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we have an amazing guest, Catharina "DD" Budiharto, joining us.
DD has extensive experience in cybersecurity, having worked for several years with multiple Oil and Gas companies. She also served as the chairperson for the American Petroleum Institute (API) IT Security Sub-Committee.
Currently, DD is the founder of Cyberpoint Advisory, which offers Fractional CISO services to help SMBs protect their assets from cyber at...
2024-06-2048 min
The Elephant in AppSecWhy “shift-left” isn’t good enough ⎪Chris RomeoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we have an amazing guest, Chris Romeo, joining us.
Chris has 26 years of experience in cybersecurity, having worked for 11 years at CISCO, founded his own security education company, Security Journey, and now Devici, an AI-infused collaborative threat modeling tool.
Chris is a sought-after speaker at numerous global application security conferences.
He is also the author of a weekly newsletter, The Reasonable AppSec, where he shares the top 5 security articles worth your time.
Chris hosts not one but three...
2024-06-0755 min
The Elephant in AppSecWhat are the Non-Human Identity challenges? ⎪Andrew Wilder and Amir ShakedWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
We have two incredible guests with us: Andrew Wilder and Amir Shaked.
Andrew is the Retained Chief Security Officer at Community Veterinary Partners and the former Regional CISO for Nestle, where he spent 18 years shaping cybersecurity across the Americas, Asia, and Europe.
Amir is the VP of Research and Development at Oasis Security, specializing in Non-Human Identity Management. With a background in software development, Amir transitioned to cybersecurity, contributing to companies like PerimeterX and Human in R&D and...
2024-05-2344 min
The Elephant in AppSecAPI Security: Are Vendors Just Blowing Smoke? ⎪David HomoneyWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we have an amazing guest, David Homoney, join us.
David is the newly appointed Sales Engineer at Apiiro. Before stepping into this role, he made significant contributions as a Technical Solutions Architect II for Application, API, and Workload Security at World Wide Technology (WWT), a leading global technology provider and integrator.
With an impressive 30-year career in network and system administration, David has established himself as one the strong voices in the field of API security. He's not...
2024-05-2157 min
The Boring AppSec PodcastS1E10 - Future Security PredictionsWelcome to the Boring AppSec Podcast! In Episode 10, we discuss some security predictions that we hope to see in the near future. Some of them are:
AI agents - different kinds - activity based and/or persona based
Security talent is going to get better, hiring is important
AI powered security engineers - up leveling junior engineers
AI code review assistants - GPT4-o et al
Company consolidations happening in the security industry - D&R space
ASPM predictions and how AI agents will help evolve this space
CISA’s guidance on building secure by default frameworks
Automated re...
2024-05-2050 minThe Boring AppSec PodcastS1E09 - IncidentsWelcome to the Boring AppSec Podcast! In Episode 9, we discuss incidents. Both Sandesh and I share 2 incidents each and the lessons learnt from them. Tune in!
References mentioned in the episode:
Log4j - https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance
Incident runbook - https://engineering.razorpay.com/how-an-incident-transformed-razorpay-improving-the-5-why-rca-format-378de299b9a2
Contacting Anshuman
LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
Twitter: https://twitter.com/anshuman_bh
Website: https://anshumanbhartiya.com/
Instagram: https://www.instagram.com/anshuman.bhartiya/
YouTube: https://www.youtube.com/@AnshumanBhartiya
Contacting Sandesh
LinkedIn: https://www.linkedin.com/in/anandsandesh/
Twitter: https://twitter.com/JubbaOnJeans/
Website: https:/
2024-05-1337 min
The Elephant in AppSecThe Truth About Software Supply Chain Risks ⎪Cassie CrossleyWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we’re excited to have an amazing guest, Cassie Crossley, join us.
Cassie is the Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric.
Starting from a development background, she moved through different roles like technical support, technical documentation, and software development project management. She led compliance, policy, and governance and gradually transitioned into her high-level Product security role.
Cassie is also the author of the Software Supply Chain security book that ha...
2024-05-1047 min
The Elephant in AppSecHow secure are your digital wallets? ⎪Max Imbiel (Bitpanda)Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Max Imbiel, join us.
Max is the driving force behind “Ahead Security,” an agency specializing in vCISO activities, and currently serves as the CISO at BitPanda, an online crypto trading platform.
Max’s career began in IT and software development and took him through various industries, with the last one being finance. His notable leadership roles include Deputy CISO at UniCredit Bank and, most recently, Deputy Group CISO at N26. Max is a...
2024-04-2952 min
The Elephant in AppSecHow security research can earn you $20m in tokens ⎪Swan BeaujardWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Swan Beaujard, join us.
Swan is a security software engineer at Escape, specializing in Dynamic Application Security Testing. He is a core contributor to a lot of open-source projects related to GraphQL security and is passionate about machine learning and reverse engineering.
He presented his contributions and research at several international security conferences like BSides Oslo: • BSides Oslo 2023
This year, Swan published his new research detailing scanning and analysis of the 1 million...
2024-04-2929 minThe Boring AppSec PodcastS1E08 - Bug Bounties Part 2Welcome to the Boring AppSec Podcast! In Episode 8, we continue discussing bug bounties from where we left off in Episode 3. We discuss how to build mature bug bounty programs, how to start a program, how to convince stake holders to start a program, differences and similarities between vulnerability disclosure programs and bug bounty programs among other things. Tune in!
Contacting Anshuman
LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
Twitter: https://twitter.com/anshuman_bh
Website: https://anshumanbhartiya.com/
Instagram: https://www.instagram.com/anshuman.bhartiya/
YouTube: https://www.youtube.com/@AnshumanBhartiya
Contacting Sandesh
LinkedIn: https://www.linkedin.com/in/anandsandesh/
Twitter: https://twitter.com/JubbaOnJeans/
Website:
2024-04-2245 minThe Boring AppSec PodcastS1E07 - Hiring in SecurityWelcome to the Boring AppSec Podcast! In Episode 7, we discuss how to hire the right security folks on a security engineering team. We go over the interviewing process, what to look out for, how to compose a team, and also share some of our experiences of interviewing including some tips on what a candidate can/should do if they want to get noticed by hiring managers and recruiters.
Contacting Anshuman
LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
Twitter: https://twitter.com/anshuman_bh
Website: https://anshumanbhartiya.com/
Instagram: https://www.instagram.com/anshuman.bhartiya/
YouTube: https://www.youtube.com/@AnshumanBhartiya
Contactin...
2024-04-1554 min
The Elephant in AppSecSecuring cloud native applications: how hard is it? ⎪Mihir ShahWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Mihir Shah, join us.
Mihir Shah is a Senior Staff Application Security Engineer at ForgeRock, specializing in architecting secure cloud-based Identity & Access Management services hosted using Kubernetes and Google Cloud Platform.
He is also the author of the Cloud Native Software Security Handbook, a comprehensive guide on securing cloud-native applications and services.
...
2024-04-1256 minThe Boring AppSec PodcastS1E06 - Vulnerability ManagementWelcome to the Boring AppSec Podcast! In Episode 6, we discuss the art of Vulnerability Management. What it means, what are some of the problems we've seen as practitioners, what are some ways we've considered to make the process of managing vulnerabilities easy.
References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Gitlab's Security Handbook - https://handbook.gitlab.com/handbook/security/
Contacting Anshuman
LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
Twitter: https://twitter.com/anshuman_bh
Website: https://ans...
2024-04-0856 minThe Boring AppSec PodcastS1E05 - Threat ModelingWelcome to the Boring AppSec Podcast! In Episode 5, we dig deep into what threat modeling is from a practitioner's perspective. We compare it with design reviews and discuss when/how/why of threat modeling. In the end, we wrap up by talking about how Gen AI could help threat modeling significantly.
References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Threat modeling manifesto - Threatmodelingmanifesto.org
STRIDE framework - https://en.wikipedia.org/wiki/STRIDE_(security)
Tools for threat modeling
http...
2024-04-011h 01
The Elephant in AppSecAre custom security tests a product security superpower? ⎜Keshav Malik (LinkedIn)Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Keshav Malik, join us.
Keshav is a Senior Product Security Engineer at LinkedIn. With experience in information security and a passion for automation, Keshav brings a unique blend of expertise to the table.
Keshav is also a dedicated tech enthusiast and deeply passionate about contributing to the community. He actively writes custom security rules for various applications like Semgrep and has built several projects like QuickXSS, a bash script automating XSS...
2024-04-0123 minThe Boring AppSec PodcastS1E04 - Running a lean AppSec teamWelcome to the Boring AppSec Podcast! In Episode 4, we discuss how lean AppSec teams run and operate. We share our experiences of having worked in engineering heavy organizations where the "engineer : appsec-engineer" ratio is far from ideal and scaling the AppSec team becomes very important to be able to reasonably manage risk.
References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Soft skills are important - https://www.softsideofcyber.com/
Bhadra, the vulnerability management platform built and open sourced by Razor P...
2024-03-251h 09
The Elephant in AppSecThe art and science of product security ⎥Jacob Salassi (Snowflake)Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Jacob Salassi, join us.
Jacob is the Director of Product Security and Regulatory Expansion at Snowflake, where he has played a pivotal role in guiding the company through its pre- and post-IPO phases.
With over 15 years of experience, initially in software engineering before transitioning to security, Jacob is a sought-after speaker at numerous conferences and podcasts, sharing his wealth of insights with others.
Jacob has a deep passion for cycling, and...
2024-03-2149 min
Code to CloudDecoding AppSec in the Cloud Age: A Conversation with Sean Wright of FeaturespaceThis episode features an interview with Sean Wright. Sean is Head of Application Security at Featurespace, the world leader in Enterprise Financial Crime prevention for fraud and Anti-Money Laundering. He is an experienced application security engineer, having started his career as a software developer. His expertise is in web based application security with a special interest in TLS related subjects. And on this episode, Sean and host Andy Schneider discuss navigating AppSec in the cloud age, finding and leveraging security champions, and Sean’s take on open source as it relates to supply chain risks with third party software libr...
2024-03-2139 minThe Boring AppSec PodcastS1E03 - Bug BountiesWelcome to the Boring AppSec Podcast! In Episode 3, we discuss all things bug bounties. The researcher side as well as the program owner's side. Enter at your own will as we have a lot of hot takes.
References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Bug Bounty Platforms
Bugcrowd - https://www.bugcrowd.com/
HackerOne - https://www.hackerone.com/
Intigrity - https://www.intigriti.com/
Synack - https://www.synack.com/
2. Vulnerability Disclosure Process - https://www.cisa.go...
2024-03-181h 11The Boring AppSec PodcastS1E02 - First Security HireWelcome to the Boring AppSec Podcast! In Episode 2, we discuss what a first security hire responsibilities are. How do they prioritize? What do they prioritize?
References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Building a product security program
Some blogs on getting SOC2 certifications without too much redtape - RunReveal, Fly.io
Tracking Meaningful Security Product Metrics
Build vs Buy Framework
OpenAI Sora
LLM Agents Can Autonomously Hack Websites
Arcanum Information Security
SecGPT in https://chat.openai.com/gpts
Conta...
2024-03-111h 07
The Elephant in AppSecSecurity Consultant vs. In-House Engineer: The Showdown⎜Ric CampoWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Ric Campo, join us.
Ric started his cybersecurity journey in the Royal Australian Air Force. With a decade of dedicated experience as an Application Security Engineer and Penetration Tester, he currently serves as a Principal Security consultant at Galah Cyber.
Ric also strongly believes in the power of the community in AppSec. He focuses on writing blogs that will help the community in the long term. He's also been an OWA...
2024-03-0540 minThe Boring AppSec PodcastS1E01 - Asset InventoryWelcome to the Boring AppSec Podcast! In Episode 1, we discuss software inventories. What they are, why we need them, and what are our favorite ways to build them.
References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Cartography - https://github.com/lyft/cartography
GenAI + Cartography
https://shinobi.security/#how-it-works
https://github.com/samvas-codes/cspm-gpt
Commercial asset inventory mentioned on the show: https://www.jupiterone.com/
Talk by Sandesh and Satyaki on automating asset inventory generation at Razorpay: https://www.youtube.com/watch?v=8q42...
2024-03-0444 min
The Elephant in AppSecDevelopers and security training: can they co-exist?⎜Laura Bell MainWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we’re excited to have an amazing guest, Laura Bell Main, join us.
With over 20 years in software development and application security, Laura is the co-founder and CEO of SafeStack, an online education platform that offers secure development training for fast-moving companies.
Laura is also a well-known keynote speaker and has spoken at high-profile events like BlackHat USA, NDC, and OSCON. With her love of speaking an...
2024-02-2933 min
The Elephant in AppSecAdversarial machine learning: what is it and are we ready? ⎜Anmol AgarwalWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Anmol Agarwal, join us.
Anmol is a security researcher at Nokia, focused on securing AI and Machine Learning in 6G and securing 5G.
She also holds a doctoral degree in cybersecurity analytics from George Washington University. Her research was focused on adversarial machine learning and Federated Learning.
Anmol is also an active speaker and has spoken at various conferences and events including SecureWorld, Pacific Hackers Conference, and Bridges in...
2024-02-2337 min
The Elephant in AppSecAppSec vendors and CISOs: a love - hate relationship? ⎜Olivia RoseWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we're joined by an amazing guest, Olivia Rose.
You can find Olivia on LinkedIn: https://www.linkedin.com/in/oliviaros...
Olivia is an executive leader with more than 20 years of dedicated experience, having served as the former CISO at Amplitude and Mailchimp and currently as the Founder of the Rose CISO Group: https://www.rosecisogroup.com/
Her company offers virtual Chief Information Security Officer (CISO) services, boardroom and leadership communications, assessment services, keynote speaking, event presentations, and career...
2024-02-1552 min
The Elephant in AppSecPentesting: What are the actual benefits?⎥Harsh ModiWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we're joined by an amazing guest, Harsh Modi.
You can find Harsh on LinkedIn: https://www.linkedin.com/in/neighborhoodpenetrationtester/
With over 8 years of dedicated experience as an Offensive Security Engineer and Penetration Tester, Harsh has honed an exceptional skill set in identifying and mitigating security vulnerabilities. Currently, he is an independent consultant and a Lead Security Architect at Bell.
Harsh is also an enthusiastic security researcher and has presented his research at various conferences such as OWASP V...
2024-02-0854 min
The Elephant in AppSecSecurity champion program: A must or completely useless? ⎥Dustin LehrWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we're joined by an amazing guest, Dustin Lehr.
You can find Dustin on LinkedIn: https://www.linkedin.com/in/dustinlehr/
Dustin is an accomplished software engineer turned information security leader, currently serving as Senior Director of Platform Security / Deputy CISO at Fivetran. He possesses an enormous wealth of experience in application security and is a strong community leader, organizing the online meetup 'Let's Talk Software Security,' where everyone passionate about security can join for an open discussion.
...
2024-02-0145 min
The Elephant in AppSecIs Gen AI your new AppSec weapon?Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we're joined by an amazing guest, Sandesh Mysore Anand.
You can find Sandesh on LinkedIn: https://www.linkedin.com/in/anandsandesh/
With more than 12 years of experience in security and working as a head of security at Razorpay, India's leading financial platform for payments & banking, Sandesh is now a founder of Seezo, a Threat Modeling tool. Its goal is to solve product security problems using Gen AI.
He is also the author of the 'Boring AppSec' newsletter, a...
2024-01-2635 min
The Elephant in AppSecSecurity training: Necessary investment or overrated expense?⎥Mel ReyesWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today we’re excited to have an amazing guest, Mel Reyes, joining us.
Mel has navigated through two IPOs, three M&As, worked with several startups, Pepsi, Mercedes, and accumulated a bunch of patents along the way. With more than 30 years of experience in various leadership, advising, and coaching roles, he enjoys building and empowering security teams within organizations.
He's heavily invested in the cybersecurity community and has built his own, The Fellowship of Digital Guardians: https://fdg.institute/
That...
2024-01-2648 min
The Elephant in AppSecWhat is ASPM: A breakdown of the current state and its futureWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we're joined by an amazing guest, James Berthoty. James has been in technology for over 10 years across engineering and security. An early advocate for DevSecOps, he has a passion for driving security teams as contributors to products. With all his experience, he's currently building latio.tech, a platform helping organizations find the best security tools.
In our latest episode with Tristan Kalos, we challenged James about his recent article on ASPM. We discussed what's right and wrong with...
2024-01-1140 min
Ink8r (in·cu·ba·tor) PodcastEpisode #38 - Practicality in Protection: Implementing an AppSec ProgramIn this episode of our podcast, we sit down with Jeevan Singh, a distinguished leader in the field of Application Security (AppSec), to delve into the intricate world of securing software applications. The discussion highlights the perils and challenges faced by organizations in today’s digital landscape, emphasizing the growing sophistication of cyber threats and the vital importance of robust AppSec programs.Jeevan articulates how he approaches implementing AppSec programs through a crawl, walk, run progression, which helps to address cultural gaps that may exist between security teams and developers. He stresses the need for a paradigm sh...
2024-01-0443 min
The Elephant in AppSecLack of effective DAST tools⎥Aleksandr Krasnov (Meta, Thinkific, Dropbox)Today, we're revealing our first episode with Aleksandr Krasnov, the principal security engineer at Meta, who challenges the effectiveness of existing DAST tools with us.
Aleksandr Krasnov is the principal security engineer at Meta, responsible for all things security at Instagram and WhatsApp. Previously, he was responsible for AppSec and offensive security at Thinkific and served as a product security engineer at Dropbox, Palo Alto Networks, and other companies.
Throughout his career, Alek used multiple security tools, including Dynamic Application Security Testing (DAST) tools. As we began discussing this...
2023-11-3043 min
DevSecOps Podcast#30 - AppSec challengesIn this milestone episode, we dive deep into the ever-evolving landscape of Application Security (AppSec) with two distinguished guests, Simon Price and Idan Elor. As we celebrate our podcast's end of season, join us in unraveling the intricate web of challenges that organizations face in securing their applications. Our guest, Simon Price, brings a wealth of experience from the frontlines of AppSec. As a seasoned security professional, Price shares real-world anecdotes and sheds light on the emerging threats that keep AppSec professionals up at night. From the latest attack vectors to the importance of secure coding practices, Price guides us...
2023-11-3046 minThe Elephant in AppSecThe Elephant in AppSec Podcast Trailer | EscapeWelcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Tomorrow, we're revealing our first episode with Aleksandr Krasnov, the principal security engineer at Meta, who challenges the effectiveness of existing DAST tools with us.
In the upcoming weeks, we'll share even more interviews with world-class security experts that address concrete appsec issues, allowing you to reflect on your approach to security practices.
Stay tuned!
2023-11-2901 min
Secured by Galah Cyber with Cole CornfordBridging the Divide: How Communication Can Unite Developers and AppSec with Jeanette GillJeanette Gill is Principal Customer Success Manager at Secure Code Warrior. Jeanette comes from a non-technical background, having worked in the aviation industry for over a decade. When she made the leap into AppSec, it was her communication skills and focus on providing a great experience for customers which proved invaluable. Jeanette chats with Cole Cornford about some common misconceptions about AppSec, the sometimes uneasy relationship between developers and AppSec, the potential for AI to change our industry, and plenty more.Secured by Galah Cyber with Cole Cornford website 7:30 - Jeanette’s career ba...
2023-11-221h 00DayOne.FMBridging the Divide: How Communication Can Unite Developers and AppSec with Jeanette GillJeanette Gill is Principal Customer Success Manager at Secure Code Warrior. Jeanette comes from a non-technical background, having worked in the aviation industry for over a decade. When she made the leap into AppSec, it was her communication skills and focus on providing a great experience for customers which proved invaluable. Jeanette chats with Cole Cornford about some common misconceptions about AppSec, the sometimes uneasy relationship between developers and AppSec, the potential for AI to change our industry, and plenty more.Secured by Galah Cyber with Cole Cornford website 7:30 - Jeanette’s career ba...
2023-11-221h 00
DevSecOps Podcast#27 - AppSec em alto nívelNeste emocionante episódio, mergulhamos fundo no mundo da Segurança de Aplicações (AppSec) com um convidado especial, Ben Hur do Guia de AppSec. Junte-se a nós enquanto exploramos os fundamentos e desafios críticos relacionados à proteção de aplicações em um ambiente digital em constante evolução. AppSec é mais do que apenas uma camada de segurança - é uma mentalidade que permeia o desenvolvimento de software desde o início. Ben Hur compartilha sua experiência e insights valiosos sobre como as organizações podem adotar práticas de AppSec de alto nível para proteger suas aplicações de man...
2023-10-2556 min
Secured by Galah Cyber with Cole CornfordAn Agnostic Approach to AppSec: Ken Johnson on Navigating the Future with AIKen Johnson is co-founder of Dryrun Security and co-host of the Apsolute AppSec podcast. Ken has many years experience working in AppSec in a variety of roles, including CTO of nVisium and Application Security Engineer at GitHub. Ken chats with Cole Cornford about taking an agnostic approach to AppSec, transitioning from being an employee to a founder, how AI might change cybersecurity, and plenty more.Secured by Galah Cyber with Cole Cornford website Timestamps9:10 - When Ken started running AppSec conferences.12:00 - Ken: an “agnostic approach” to appsec really resonated with people.14:30 - Ken: “by nat...
2023-08-1648 minDayOne.FMAn Agnostic Approach to AppSec: Ken Johnson on Navigating the Future with AIKen Johnson is co-founder of Dryrun Security and co-host of the Apsolute AppSec podcast. Ken has many years experience working in AppSec in a variety of roles, including CTO of nVisium and Application Security Engineer at GitHub. Ken chats with Cole Cornford about taking an agnostic approach to AppSec, transitioning from being an employee to a founder, how AI might change cybersecurity, and plenty more.Secured by Galah Cyber with Cole Cornford website Timestamps9:10 - When Ken started running AppSec conferences.12:00 - Ken: an “agnostic approach” to appsec really resonated with people.14:30 - Ken: “by nat...
2023-08-1648 min
The Cyberman ShowLevel Up Your #AppSec Skills with Jeevan Singh of Twillio #54Send us a textToday i had the opportunity to speak with Jeevan Singh on Appsec. Jeevan is the Head of Product Security @twillio. We discussed, basics of appsec, threat modelling, implementing appsec for digital first businesses, scaling appsec, AppDoS, how beginners can learn AppSec and how AI will impact appsec. Listen to him on the latest episode of cybermanshow Support the showGoogle Drive link for Podcast content:https://drive.google.com/drive/folders/10vmcQ-oqqFDPojywrfYousPcqhvisnkoMy Profile on LinkedIn: https://www.linkedin.com/in/prashantmishra11/Youtube Channnel : https://w...
2023-07-3038 min
Everything CyberEp. 9 - AppSec Future Trends & 2022 Recap
Application Security (AppSec) has been one of the fastest-growing fields in Cybersecurity. From being a niche area that certain companies perform to one of the most innovative fronts of Cyber, AppSec certainly saw a fair share of growth.
In this video, Cole Cornford, a popular face in the AppSec space, is joining us as a guest speaker to share his thoughts on future trends in 2023 and a recap of the current year.
Timestamps:
00:00 - Start
02:47 - Shoutouts
06:47 - 2022 AppSec Trends
13:29 - Impactful AppSec Vulns
14:32 - Grave digging
22:31 - 2022 Technology Recap
30:13 - Implications of AI in AppSec
37:02 - 2023 Trends for Ap...
2023-07-1849 min
The Application Security PodcastFarshad Abasi -- Three Models for Deploying AppSec ResourcesFarshad Abasi shares three models for deploying resources within application security teams:The Dedicated AppSec Person Model involves assigning an AppSec person to work with each team. Farshad shares his experience of working with developers and the challenges faced in getting them to understand and implement threat modeling. He also discusses the transition from waterfall to Agile and how it affected threat modeling.The Federated Model: A security consultant attends weekly standups and sprint planning sessions in this model. They work with a checklist to quickly determine if any user stories could be security...
2023-07-1009 min
Redefining CyberSecurityAppSec Village At DEF CON 30 | Chats On The Road | A Conversation With Chris Kubecka, Liora Herman, And Erez Yalon | Black Hat 2022 And DEF CON 30 Las Vegas Event Coverage | Redefining CyberSecurity Podcast With Sean Martin And Marco CiappelliApplications run the world. They provide an interface to the rest of the technologies and data we create, share, and make decisions with. Sometimes these interfaces come in the form of a user interface (UX), sometimes in the form of an API. In both cases, they offer a path to the systems and information we hold dear to us.In this Chats on the Road to DEF CON, we connect with the co-founders and organizers of the AppSec Village along with their keynote speaker at the village this year. This is a conversation about the real-world that...
2022-08-0426 min
Reimagining Cyber - real world perspectives on cybersecurityBuilding Better AppSec Teams: Communications, Collaborations and Cloud - Ep 32Kristen Bell, Senior Manager of Application Security Engineering at GuidePoint Security, is back, sharing her insights into “Building better AppSec teams: Communication, collaboration, and culture.” Two weeks ago, Bell joined the Reimagining Cyber team, Rob Aragao and Stan Wisseman, to share her perspective on “Governing a better AppSec program by empowering dev teams.” Collaboration is KeyTo build a better AppSec team, Bell explains the importance of collaboration. Many developers have a bad taste in their mouths when it comes to automation. Developing a multi-phased approach where you can share each step and mitigate any barriers to adoption (for example, many dev...
2022-04-1119 min