Chris and Robert deconstruct world-class Application Security experts, digging deep to find the tools, tactics, projects, and tricks that make them successful. Each episode begins with the guest's security origin story or how they got started in Application Security. Topics range from DevOps+security, secure coding, OWASP, threat modeling, security culture, and anything else they can think of regarding application security. Chris Romeo (@edgeroute) is the CEO of Security Journey, and Robert Hurlbut (@roberthurlbut) is a Principal Application Security Architect focused on Threat Modeling at Aquia.
Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always incorrect) and "semantic security" (context-dependent security emerging from system interactions). Mavaddat shares his perspective that security itself doesn't have independent existence but rather emerges from preventing undesirable states. The discussion concludes with practical implementation strategies, suggesting that while automated tools can handle syntactic security issues, organizations should focus more energy on semantic security by understanding business context and defining anti-requirements early in the development process.
Mentioned in this episode:
Matin’s article: Reframing Security: Unveiling Power Anti-Requirements
Systems Thinking for Curious Managers by Russell Ackoff
Antifragile by Nassim Nicholas Taleb
The Black Swan by Nassim Nicholas Taleb
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question, is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on their size. Otaner introduces the concept of "security as code" and "policy as code" as more effective approaches, where security functions are codified rather than relying on traditional documentation and checklists. Finally, they discuss the emergence of Application Security Posture Management (ASPM) tools as the "SIM for AppSec," suggesting these tools, especially when enhanced with AI, could help manage the overwhelming number of security alerts and issues that currently plague development teams.
Mentioned in this Episode:
Books by Yuval Noah Harari
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guidance. Francois has over 10 years of experience in building application security programs, he’s also the founder of the NorthSec conference in Montreal.
Mentioned in the Episode:
Cooking for Geeks by Jeff Potter
Poutine
Living Off the Pipeline project
Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan and John Stawinski
Where to find Francois:
LinkedIn
X: @francoisproulx
Previous Episodes:
François Proulx -- Actionable Software Supply Chain Security
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steve Wilson, the author of 'The Developer's Playbook for Large Language Model Security’ is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of activity at the intersection of AppSec, LLM, and AI. We discuss the biggest fears surrounding LLMs and AI, and explore advanced concepts like Retrieval Augmented Generation and prompt injection.
Links:
The Developer’s Playbook for Large Language Model Security by Steve Wilson
Find Steve on LinkedIn
Previous Episodes:
Steve Wilson -- OWASP Top Ten for LLMs
Steve Wilson and Gavin Klondike -- OWASP Top Ten for LLM Applications Release
Two people Steve recommends you look up:
Chris Voss, Former FBI Negotiator and author of “Never Split the Difference”
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeff Williams, a renowned pioneer in the field of application security is with us to discuss Application Detection and Response (ADR), detailing its potential to revolutionize security in production environments. Jeff shares stories from his career, including the founding of OWASP, and his take on security assurance. We cover many topics including; security assurance, life, basketball and plenty of AppSec as well.
Where to find Jeff:
LinkedIn: https://www.linkedin.com/in/planetlevel/
Previous Episodes:
Jeff Williams – The Tech of Runtime Security
Jeff Williams – The History of OWASP
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Philip Wiley shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack and offer good advice on starting a career in cybersecurity. Philip shares some insights from his book, ‘The Pentester Blueprint: Starting a Career as an Ethical Hacker.’ And we discuss the impact of AI on pen testing and where this field is headed in the next few years.
The Pentester Blueprint Starting a Career as an Ethical Hacker written by Phillip Wylie
The Web Application Hacker’s Handbook written by Dafydd Stuttard, Marcus Pinto
Where to find Phillip:
Website: https://thehackermaker.com/
Podcast: https://phillipwylieshow.com/
X: https://x.com/PhillipWylie
LinkedIn: https://www.linkedin.com/in/phillipwylie/
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steve Springett, an expert in secure software development and a key figure in several OWASP projects is back. Steve unpacks CycloneDX and the value proposition of various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show so we learn a bit more about Steve's hobbies, providing a personal glimpse into his life outside of technology.
Links from this episode:
https://cyclonedx.org/
Previous episodes with Steve Springett:
JC Herz and Steve Springett -- SBOMs and software supply chain assurance
Steve Springett — An insiders checklist for Software Composition Analysis
Steve Springett -- Dependency Check and Dependency Track
Book:
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Irfaan Santoe joins us for an in-depth discussion on the power of strategy in Application Security. We delve into measuring AppSec maturity, return on investment, and communicating technical needs to business leaders. Irfaan shares his unique journey from consulting to becoming an AppSec professional, and addresses the gaps between CISOs and AppSec knowledge. Irfaan shares valuable insights for scaling AppSec programs and aligning them with business objectives.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Andrew Van Der Stok, a leading web application security specialist and executive director at OWASP joins us for this episode. We discuss the latest with the OWASP Top 10 Project, the importance of data collection, and the need for developer engagement. Andrew gives us the methodology behind building the OWASP Top 10, the significance of framework security, and much more.
Previous episodes with Andrew Van Der Stock
Andrew van der Stock — Taking Application Security to the Masses
Andrew van der Stock and Brian Glas -- The Future of the OWASP Top 10
Books mentioned in the episode:
The Crown Road by Iain Banks
Edward Tufte
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience is back on the podcast. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of entry-level roles in the industry. We discuss the value of certifications, the necessity of lifelong learning, and the importance of networking. Listen along for good advice on getting noticed in cybersecurity, resume tips, and the evolving landscape of AppSec careers.
Mentioned in this episode:
The Application Security Handbook by Derek Fisher
With the Old Breed by E.B. Sledge
Cyber for Builders by Ross Haleliuk
Effective Vulnerability Management by Chris Hughes
Previous episode:
Derek Fisher – The Application Security Handbook
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tanya Janka, also known as SheHacksPurple, discusses secure guardrails, the difference between guardrails and paved roads, and how to implement both in application security. Tanya is an award-winning public speaker and head of education at SEMGREP and the best-selling author of ‘Alice and Bob Learn Application Security’. Tanya shares her insights on creating secure software and teaching developers in this episode.
Mentioned in this episode:
Tanya Janca – What Secure Coding Really Means
Tanya Janca – Mentoring Monday - 5 Minute AppSec
Tanya Janca and Nicole Becher – Hacking APIs and Web Services with DevSlop
The Expanse Series by James S.A. Corey
Alice and Bob Learn Application Security by Tanya Janca
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Your feedback is valuable to us. Should you encounter any bugs, glitches, lack of functionality or other problems, please email us on [email protected] or join Moon.FM Telegram Group where you can talk directly to the dev team who are happy to answer any queries.