The Application Security Podcast

Chris Romeo and Robert Hurlbut
Sep 16, 2025 • 36min

Simon Gibbs & Devika Gibbs -- Building Bridges with Games

Simon and Devika Gibbs, the innovative minds behind Cybersec Games, join us on the episode today. Discover how the Gibbs duo are revolutionizing the way we teach and learn security concepts through interactive gaming. Learn about their journey from developing stationery for agile teams to delving into the world of threat modeling games like Elevation of Privilege. We talk about the power of gamification in cybersecurity education, and get the inside scoop on their Cybersecurity Game Challenge, which invites creative minds to bring their game ideas to life.

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The Application Security Podcast
➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sep 2, 2025 • 36min

Akansha Shukla - Modern AppSec: Securing APIs with Threat Modeling and DevSecOps

Our guest today is Akansha Shukla, an information security professional with over 10 years of experience in application security, DevSecOps, and API security. We’re discussing why API security remains one of the least mature areas of AppSec today and exploring the challenges developers face when securing APIs. Akansha shares her insights on incorporating APIs into threat modeling exercises, the ongoing struggles with API discovery and inventory management, and the authorization challenges highlighted in the OWASP API Security Top 10. The conversation also touches on whether "shift left" is truly dead and why we still haven't solved basic security problems like input validation despite having the frameworks to address them.
Aug 20, 2025 • 41min

Getting Ready for the EU CRA

The European Union's Cyber Resilience Act is set to revolutionize how we approach product security worldwide. In this episode, we sit down with application security expert Nariman Aga-Tagiyev to break down everything you need to know about this legislation. Nariman has over 20 years of software development experience and today he’s sharing his expertise with us. Learn what the EU CRA is and why it matters for global software companies, key compliance requirements, and how OWASP SAMM can help you.
Aug 5, 2025 • 50min

Marisa Fagan - Measuring Security Culture

Marisa Fagan, Head of Product at Katilyst and a security culture expert, shares her insights on building effective security champions programs. She emphasizes the importance of management buy-in and using the SAPs model to motivate developers. Marisa discusses the common pitfalls that can derail initiatives and reveals a blueprint for sustainable security culture. Topics include integrating privacy and accessibility programs, measuring success through key metrics, and fostering collaboration between development and security teams to enhance overall security awareness.
Jul 22, 2025 • 41min

Aram Hovsepyan -- Your Security Dashboard is Lying to You: The Science of Metrics

In this episode, Aram Hovsepyan, an OWASP core team member and entrepreneur known for his work on security metrics, unravels the fallacies behind conventional security metrics like vulnerability counts and CVSS scores. He introduces the Goal Question Metric framework, urging organizations to create dashboards that genuinely reflect security readiness. Aram discusses critical metrics that matter, including the often-overlooked mean time to resolution, and emphasizes the need for precise, reliable data to enhance overall security posture.
Jul 15, 2025 • 47min

Sean Varga -- OWASP Top 10 for AppSec Sales

We’re discussing the intersections of application security (AppSec) and sales strategy with our guest, Sean Varga. Sean shares the unique challenges and best practices in AppSec sales, like the importance of empathy, understanding customer needs, and community participation. Learn about the OWASP Top 10 for AppSec Sales and discover how to achieve success by aligning with customer goals, maintaining detailed living documents, and fostering strong partnerships.
Jul 9, 2025 • 38min

Sarah-Jane Madden -- What AI means for AppSec

Sarah-Jane Madden, a speaker at OWASP Barcelona, dives into the evolving impact of AI on software development. She discusses the misconceptions surrounding AI, stressing that traditional engineering practices remain crucial. Madden emphasizes the importance of maintaining foundational coding skills while integrating AI responsibly. The conversation highlights the balance between leveraging AI for efficiency and the need for ongoing engagement with coding quality. With personal anecdotes, she warns against over-reliance on AI tools, promoting a thoughtful approach to their use.
Jun 17, 2025 • 36min

Dag Flachet -- Kaizen for your Appsec Program

Dag Flachet joins us to discuss the concept of Kaizen and its application in improving application security. Dag shares his journey into the world of security, emphasizing the importance of iterative, small-step improvements. The conversation delves into how organizations can effectively implement maturity models to enhance their security programs, the limitations of compliance-focused frameworks like ISO 27000 and SOC 2, and the practical application of Kaizen principles. They also explore the evolution and future updates of OWASP SAMM, and the importance of empowering development teams through a bottom-up approach to security enhancement. Dag is the co-founder of Codific, a professor and board member at the Geneva Business School, and an active member of the OWASP Barcelona Chapter and the OWASP SAMM community.
Mar 18, 2025 • 48min

Javan Rasokat and Andra Lezza -- When Chatbots Go Rogue - Lessons Learned from Building and Defending LLM Applications

Andra Lezza and Javan Rasokat discuss the complexities of securing AI and LLM applications. With years of experience in Application Security (AppSec), Andra and Javan share their journey and lessons from their DEF CON talk on building and defending LLMs. They explore critical vulnerabilities, prompt injection, hallucinations, and the importance of data security. This discussion sheds light on the evolving landscape of AI and LLM security, offering practical advice for developers and security professionals alike.

Javan’s blog article: Adversarial Misuse of Generative AI
Javan’s recommendation: the TLDR newsletter
Andra's book recommendation: The Cuckoo’s Egg by Cliff Stoll
Mar 11, 2025 • 50min

Jim Routh -- The CISO Transition to the rest of life

Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and admires, doing only work he finds fulfilling, and controlling when he works. He shares valuable lessons learned about which post-retirement opportunities truly bring satisfaction and explains why he avoids certain roles. Routh emphasizes the importance of cybersecurity professionals taking ownership of their career development, recommending they focus on developing two specific skills annually rather than using tenure to guide career moves.

The article written by Jim, published on LinkedIn: CISO Transition

Check out previous episodes with Jim (Jim’s original AppSec podcast episode is our #1 most listened-to episode of all time):
Jim Routh -- Selling #AppSec Up The Chain
Jim Routh -- Secure Software Pipelines
