
The Application Security Podcast

Latest episodes

Oct 29, 2024 • 33min

Kayra Otaner -- DevSecOps

Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question: is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on its size. Otaner introduces the concepts of "security as code" and "policy as code" as more effective approaches, where security functions are codified rather than relying on traditional documentation and checklists. Finally, they discuss the emergence of Application Security Posture Management (ASPM) tools as the "SIM for AppSec," suggesting these tools, especially when enhanced with AI, could help manage the overwhelming number of security alerts and issues that currently plague development teams.

Mentioned in this episode:
- Books by Yuval Noah Harari

Follow our social media:
- Twitter: @AppSecPodcast
- LinkedIn: The Application Security Podcast
- YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for listening!
Oct 22, 2024 • 46min

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

François Proulx, a senior product security engineer at Boost Security and founder of the NorthSec conference, reveals alarming vulnerabilities in build pipelines of popular open-source packages. He introduces his open source scanner, Poutine, designed to pinpoint these weaknesses. The discussion touches on zero-day exploits, supply chain attacks, and the critical role of security architecture. Proulx also emphasizes the importance of threat modeling and educational initiatives for developers to enhance security practices.
Oct 1, 2024 • 37min

Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications

Steve Wilson, author of 'The Developer's Playbook for Large Language Model Security,' dives into the complexities of AI and security. He discusses AI hallucinations and the crucial need for trust in AI applications. Steve shares insights on supply chain vulnerabilities and the importance of strict oversight and testing tools. He also explores the interplay between personal hobbies and security strategies, emphasizing innovative approaches in AppSec leveraging AI to enhance vulnerability management. Expect practical tips for building secure AI applications!
Sep 24, 2024 • 51min

Jeff Williams -- Application Detection & Response (ADR)

In this conversation with Jeff Williams, a co-founder of OWASP and a trailblazer in application security, listeners dive into the transformative power of Application Detection and Response (ADR). Jeff emphasizes ADR's role in real-time monitoring and response to vulnerabilities, contrasting it with traditional security techniques. He shares insights on the evolution of security testing and the importance of community building. The discussion also explores the intersection of AI and AppSec, addressing both its potential benefits and challenges in enhancing security.
Sep 17, 2024 • 52min

Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing

Phillip Wylie shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack, and offer good advice on starting a career in cybersecurity. Phillip shares some insights from his book, ‘The Pentester Blueprint: Starting a Career as an Ethical Hacker.’ And we discuss the impact of AI on pen testing and where this field is headed in the next few years.

Mentioned in this episode:
- The Pentester Blueprint: Starting a Career as an Ethical Hacker, written by Phillip Wylie
- The Web Application Hacker’s Handbook, written by Dafydd Stuttard and Marcus Pinto

Where to find Phillip:
- Website: https://thehackermaker.com/
- Podcast: https://phillipwylieshow.com/
- X: https://x.com/PhillipWylie
- LinkedIn: https://www.linkedin.com/in/phillipwylie/
Aug 29, 2024 • 48min

Steve Springett -- Software and System Transparency

Steve Springett, an expert in secure software development and key figure in multiple OWASP projects, shares insights on CycloneDX and the importance of software transparency. He discusses the evolving landscape of Software Bills of Materials (SBOMs) and their critical role in security and inventory management. Steve also reflects on personal interests outside of tech, such as automotive modifications and Formula One. His humorous anecdotes and deep knowledge blend seamlessly, making for an engaging and informative conversation.
Jul 31, 2024 • 40min

Irfaan Santoe -- The Power of Strategy in AppSec

In this engaging discussion, Irfaan Santoe, an AppSec professional with a consulting background, delves into the intricacies of Application Security strategies. He emphasizes the importance of measuring program maturity and conveying ROI to business leaders. Santoe explores the communication gaps between CISOs and AppSec initiatives, offering insights on how to bridge them. The conversation also touches on balancing security with practical business operations, making a compelling case for strategic investments in cybersecurity that align with business objectives.
Jul 23, 2024 • 52min

Andrew Van Der Stock -- The New OWASP Top Ten

Join Chris Romeo and Robert Hurlbut in a captivating discussion with Andrew Van Der Stock, the executive director at OWASP. They delve into the latest developments in the OWASP Top 10 Project, emphasizing the significance of data collection and developer engagement. Learn about the methodology behind building the OWASP Top 10 and the importance of framework security, and get insights that could shape the future of web application security.
Jul 16, 2024 • 1h 2min

Derek Fisher -- Hiring in Cyber/AppSec

Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience, is back on the podcast. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of entry-level roles in the industry. We discuss the value of certifications, the necessity of lifelong learning, and the importance of networking. Listen along for good advice on getting noticed in cybersecurity, resume tips, and the evolving landscape of AppSec careers.

Mentioned in this episode:
- The Application Security Handbook by Derek Fisher
- With the Old Breed by E.B. Sledge
- Cyber for Builders by Ross Haleliuk
- Effective Vulnerability Management by Chris Hughes

Previous episode:
- Derek Fisher – The Application Security Handbook
Jul 9, 2024 • 1h 5min

Tanya Janca -- Secure Guardrails

Award-winning public speaker Tanya Janca discusses secure guardrails in application security, emphasizing the importance of guiding individuals back to secure practices. She also shares insights on implementing security guardrails in software development and fostering collaboration between software developers and security professionals.
