The Secure Developer

Securing And Defending Like Brazilian Jiu-Jitsu With Jeremiah Grossman

Feb 4, 2025

Jeremiah Grossman, an application security pioneer and former CEO of WhiteHat Security, shares insights from his extensive career, including his influence on OWASP. The discussion reveals the evolution of web application security, highlighting past vulnerabilities like SQL injection and the complexities of modern compliance. Jeremiah emphasizes the need to align developer incentives with security priorities, while also navigating the emerging challenges posed by AI-generated code. He draws fascinating parallels between Brazilian Jiu-Jitsu and cybersecurity, advocating for continuous learning and collaboration.

36:57

Creator website

Episode guests

Jeremiah Grossman

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Investment in cybersecurity defense far surpasses that of attackers, emphasizing the need for cost imbalance to improve security outcomes.

The current misalignment of developer incentives focusing on speed over security presents a significant barrier to creating more secure applications.

Deep dives

Cost Discrepancies in Cyber Defense

Defending against cyber adversaries is significantly more costly compared to the investment made by the attackers. It is estimated that defense spending is often a thousand times greater than what adversaries invest in their attacks, which highlights a systemic issue in how resources are allocated for cybersecurity. If new innovations can be introduced such that it costs adversaries substantially more to breach security than the cost of defense, there may be potential for improved security outcomes. Achieving an imbalance in cost-effectiveness between attackers and defenders could be a key strategy in strengthening overall cybersecurity.

Intro

2min

The Evolution of Web Application Security

13min

The Impact of Compliance on Cybersecurity Practices

2min

Aligning Incentives for Secure Software Development

2min

Navigating AI in Cybersecurity

14min

Parallel Lessons from Brazilian Jiu-Jitsu and Cybersecurity

4min

Episode Summary

Join Jeremiah Grossman, application security pioneer and former CEO of WhiteHat Security, as he reflects on decades of innovation in the industry, from the early days of OWASP to today’s AI-driven development landscape. Explore critical discussions about the escalating costs of security, aligning developer incentives, and the future challenges posed by AI-generated vulnerabilities. Packed with insights, this episode dives deep into the strategies and frameworks shaping the way we build and secure modern software.

Show Notes

In this episode of The Secure Developer, we sit down with Jeremiah Grossman, a pioneer in application security and former CEO of WhiteHat Security. Jeremiah shares fascinating insights from his decades of experience shaping the security landscape, including the origins of the OWASP project and his role in raising awareness about critical vulnerabilities like SQL injection and cross-site scripting.

The conversation delves into how the industry has evolved over the past two decades, from the early days when nearly every application was riddled with vulnerabilities to today’s more robust frameworks and heightened security awareness. Despite these advancements, Jeremiah and Danny discuss why security spending remains high while organizations continue to struggle with improving their overall security posture.

Key topics include:

The misalignment of incentives in software development that prioritizes speed over security.
The emerging role of cyber insurance in shaping organizational security practices.
The challenges of unknown assets and their contribution to breaches, highlighting the importance of asset inventory and attack surface management.
The impact of AI on software development, particularly the risks and opportunities presented by AI-generated code and new attack surfaces.

Jeremiah also shares his thoughts on aligning incentives for secure development, including innovative approaches like developer performance metrics and reward structures for secure coding. The episode concludes with a look at Jeremiah’s current focus on venture capital and fostering innovation in security, as well as his personal passion for Brazilian jiu-jitsu and its parallels with the security industry.

This episode is a deep dive into the critical challenges and opportunities facing modern security professionals, offering actionable insights and thought-provoking discussions for developers, CISOs, and security practitioners alike.

Links

Follow Us

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

The Secure Developer

Securing And Defending Like Brazilian Jiu-Jitsu With Jeremiah Grossman

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Cost Discrepancies in Cyber Defense

Improvements in Security Education

Challenges in Security Incentives

Future Directions in Cybersecurity

Remember Everything You Learn from Podcasts