Application Security PodCast

Chris Romeo and Robert Hurlbut

Chris and Robert deconstruct world-class Application Security experts, digging deep to find the tools, tactics, projects, and tricks that make them successful. Each episode begins with the guest's security origin story or how they got started in Application Security. Topics range from DevOps+security, secure coding, OWASP, threat modeling, security culture, and anything else they can think of regarding application security. Chris Romeo (@edgeroute) is the CEO of Security Journey, and Robert Hurlbut (@roberthurlbut) is a Principal Application Security Architect focused on Threat Modeling at Aquia.

  • 39 minutes 52 seconds
    Kalyani Pawar -- Shaping AppSec at Startups

    Kalyani Pawar shares critical strategies for integrating security early and effectively in AppSec for startups. She recommends that startups begin focusing on AppSec around the 30-employee mark, with an ideal ratio of one AppSec professional per 10 engineers as the company grows. Pawar emphasizes the importance of building a security culture through "culture as code" - implementing automated guardrails and checkpoints that make security an integral part of the development process. She advises startups to prioritize visibility into their systems, conduct pentests, develop thoughtful policies, and carefully vet third-party tools and open-source solutions. Ultimately, Pawar's approach is about making security a collaborative, integrated effort that doesn't impede innovation but instead supports the startup's long-term success and safety.

    Kalyani's Book Recommendation:

    The Alignment Problem by Brian Christian

    FOLLOW OUR SOCIAL MEDIA:

    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

    Thanks for Listening!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    4 February 2025, 3:00 pm
  • 36 minutes 16 seconds
    Milan Williams -- AppSec Metrics

    Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landscape, and they're valuable for career advancement and securing resources. We discuss metrics categories and several specific metrics that are good to track. Milan shares principles for making metrics actionable through storytelling and by relating security impacts to real-world consequences for users.

    Milan's Book Recommendation:

    Quiet Influence: The Introvert's Guide to Making a Difference by Jennifer Kahnweiler

    14 January 2025, 3:00 pm
  • 48 minutes 50 seconds
    Mo Sadek -- Building an AppSec Program from Scratch

    Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by default. Mo shares his insights on how to build effective cross-team security relationships and approaches for gaining leadership buy-in. 


    Mo's Book Recommendation: I Have No Mouth and I Must Scream by Harlan Ellison

    8 January 2025, 6:00 pm
  • 45 minutes 28 seconds
    Brett Crawley -- Threat Modeling Gameplay with EoP

    Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with the game but should be an ongoing process throughout an application's lifecycle, ideally starting before implementation. He also shares insights from his book, which provides detailed examples and guidance for teams new to threat modeling using EoP.

    You can find Brett on X @brettcrawley

    Brett’s book:
    Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture

    Book Recommendation:
    Conscious Business by Fred Kofman

    10 December 2024, 1:00 pm
  • 50 minutes 20 seconds
    Matin Mavaddat -- Understanding Security as a Systemic Concern: The Role of Anti-Requirements

    Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always incorrect) and "semantic security" (context-dependent security emerging from system interactions). Mavaddat shares his perspective that security itself doesn't have independent existence but rather emerges from preventing undesirable states. The discussion concludes with practical implementation strategies, suggesting that while automated tools can handle syntactic security issues, organizations should focus more energy on semantic security by understanding business context and defining anti-requirements early in the development process.


    Mentioned in this episode:

    Matin’s article: Reframing Security: Unveiling Power Anti-Requirements  

    Systems Thinking for Curious Managers by Russell Ackoff

    Antifragile by Nassim Nicholas Taleb

    The Black Swan by Nassim Nicholas Taleb

    12 November 2024, 1:00 pm
  • 32 minutes 46 seconds
    Kayra Otaner -- DevSecOps

    Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question: is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is "dead" and that each organization should approach its needs based on its size. Otaner introduces the concepts of "security as code" and "policy as code" as more effective approaches, where security functions are codified rather than relying on traditional documentation and checklists. Finally, they discuss the emergence of Application Security Posture Management (ASPM) tools as the "SIM for AppSec," suggesting these tools, especially when enhanced with AI, could help manage the overwhelming number of security alerts and issues that currently plague development teams.

    Mentioned in this Episode:
    Books by Yuval Noah Harari

    29 October 2024, 12:00 pm
  • 45 minutes 31 seconds
    François Proulx -- Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

    François Proulx shares his discovery of security vulnerabilities in build pipelines. François has found that attackers can exploit this often-overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guidance. François has over 10 years of experience in building application security programs; he's also the founder of the NorthSec conference in Montreal.

    Mentioned in the Episode:
    Cooking for Geeks by Jeff Potter
    Poutine
    Living Off the Pipeline project
    Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan and John Stawinski

    Where to find François:
    LinkedIn
    X: @francoisproulx

    Previous Episodes:
    François Proulx -- Actionable Software Supply Chain Security

    22 October 2024, 9:00 pm
  • 36 minutes 32 seconds
    Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications

    Steve Wilson, the author of 'The Developer's Playbook for Large Language Model Security', is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of activity at the intersection of AppSec, LLM, and AI. We discuss the biggest fears surrounding LLMs and AI, and explore advanced concepts like Retrieval Augmented Generation and prompt injection.

    Links:
    The Developer’s Playbook for Large Language Model Security by Steve Wilson

    Find Steve on LinkedIn

    Previous Episodes:
    Steve Wilson -- OWASP Top Ten for LLMs
    Steve Wilson and Gavin Klondike -- OWASP Top Ten for LLM Applications Release


    Two people Steve recommends you look up:
    Chris Voss, Former FBI Negotiator and author of “Never Split the Difference”

    Arshan Dabirsiaghi

    1 October 2024, 3:00 pm
  • 51 minutes 28 seconds
    Jeff Williams -- Application Detection & Response (ADR)

    Jeff Williams, a renowned pioneer in the field of application security, is with us to discuss Application Detection and Response (ADR), detailing its potential to revolutionize security in production environments. Jeff shares stories from his career, including the founding of OWASP, and his take on security assurance. We cover many topics, including security assurance, life, basketball, and plenty of AppSec as well.

    Where to find Jeff:
    LinkedIn: https://www.linkedin.com/in/planetlevel/ 

    Previous Episodes:
    Jeff Williams -- The Tech of Runtime Security

    Jeff Williams -- The History of OWASP

    24 September 2024, 12:00 pm
  • 52 minutes 8 seconds
    Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing

    Phillip Wylie shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack, and offer good advice on starting a career in cybersecurity. Phillip shares some insights from his book, ‘The Pentester Blueprint: Starting a Career as an Ethical Hacker.’ And we discuss the impact of AI on pen testing and where this field is headed in the next few years.

    The Pentester Blueprint: Starting a Career as an Ethical Hacker written by Phillip Wylie

    The Web Application Hacker’s Handbook written by Dafydd Stuttard, Marcus Pinto

    Where to find Phillip:

    Website:  https://thehackermaker.com/
    Podcast: https://phillipwylieshow.com/
    X: https://x.com/PhillipWylie
    LinkedIn: https://www.linkedin.com/in/phillipwylie/

    17 September 2024, 12:00 pm
  • 48 minutes 13 seconds
    Steve Springett -- Software and System Transparency

    Steve Springett, an expert in secure software development and a key figure in several OWASP projects, is back. Steve unpacks CycloneDX and the value proposition of various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show, so we learn a bit more about his hobbies, providing a personal glimpse into his life outside of technology.

    Links from this episode:

    https://cyclonedx.org/

    Previous episodes with Steve Springett:
    JC Herz and Steve Springett -- SBOMs and software supply chain assurance

    Steve Springett -- An insider's checklist for Software Composition Analysis

    Steve Springett -- Dependency Check and Dependency Track

    Book:
    Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner

    29 August 2024, 12:00 pm
© MoonFM 2025. All rights reserved.