
The Application Security Podcast
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
Latest episodes

Jan 8, 2025 • 49min
MO Sadek -- Building an AppSec Program from Scratch
MO Sadek, a security transformation leader with experience at Roblox, shares his unconventional journey into application security. He discusses the importance of communication and collaboration in building effective security programs. Mo emphasizes that security should simplify processes rather than complicate them. He also reflects on his unique background, bridging gaps between infrastructure and security. With insights on fostering cross-team relationships and leadership buy-in, he highlights shared responsibility in enhancing organizational security.

Dec 10, 2024 • 45min
Brett Crawley -- Threat Modeling Gameplay with EoP
Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game, including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with the game but should be an ongoing process throughout an application's lifecycle, ideally starting before implementation. He also shares insights from his book, which provides detailed examples and guidance for teams new to threat modeling using EoP.
You can find Brett on X: @brettcrawley
Brett's book: Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture
Book recommendation: Conscious Business by Fred Kofman
FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The Application Security Podcast
➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!

Nov 12, 2024 • 50min
Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements
Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" (defining what a system should not do) and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always incorrect) and "semantic security" (context-dependent security emerging from system interactions). Mavaddat shares his perspective that security itself doesn't have independent existence but rather emerges from preventing undesirable states. The discussion concludes with practical implementation strategies, suggesting that while automated tools can handle syntactic security issues, organizations should focus more energy on semantic security by understanding business context and defining anti-requirements early in the development process.
Mentioned in this episode:
Matin's article: Reframing Security: Unveiling Power Anti-Requirements
Systems Thinking for Curious Managers by Russell Ackoff
Antifragile by Nassim Nicholas Taleb
The Black Swan by Nassim Nicholas Taleb

Oct 29, 2024 • 33min
Kayra Otaner -- DevSecOps
Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question: is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is "dead" and that each organization should approach its needs based on its size. Otaner introduces the concepts of "security as code" and "policy as code" as more effective approaches, where security functions are codified rather than relying on traditional documentation and checklists. Finally, they discuss the emergence of Application Security Posture Management (ASPM) tools as the "SIM for AppSec," suggesting these tools, especially when enhanced with AI, could help manage the overwhelming number of security alerts and issues that currently plague development teams.
Mentioned in this episode:
Books by Yuval Noah Harari

Oct 22, 2024 • 46min
François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages
François Proulx, a senior product security engineer at Boost Security and founder of the NorthSec conference, reveals alarming vulnerabilities in build pipelines of popular open-source packages. He introduces his open source scanner, Poutine, designed to pinpoint these weaknesses. The discussion touches on zero-day exploits, supply chain attacks, and the critical role of security architecture. Proulx also emphasizes the importance of threat modeling and educational initiatives for developers to enhance security practices.

Oct 1, 2024 • 37min
Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications
Steve Wilson, author of 'The Developer's Playbook for Large Language Model Security,' dives into the complexities of AI and security. He discusses AI hallucinations and the crucial need for trust in AI applications. Steve shares insights on supply chain vulnerabilities and the importance of strict oversight and testing tools. He also explores the interplay between personal hobbies and security strategies, emphasizing innovative approaches in AppSec leveraging AI to enhance vulnerability management. Expect practical tips for building secure AI applications!

Sep 24, 2024 • 51min
Jeff Williams -- Application Detection & Response (ADR)
In this conversation with Jeff Williams, a co-founder of OWASP and a trailblazer in application security, listeners dive into the transformative power of Application Detection and Response (ADR). Jeff emphasizes ADR's role in real-time monitoring and response to vulnerabilities, contrasting it with traditional security techniques. He shares insights on the evolution of security testing and the importance of community building. The discussion also explores the intersection of AI and AppSec, addressing both its potential benefits and challenges in enhancing security.

Sep 17, 2024 • 52min
Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing
Phillip Wylie shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack, and offer good advice on starting a career in cybersecurity. Phillip shares some insights from his book, 'The Pentester Blueprint: Starting a Career as an Ethical Hacker.' And we discuss the impact of AI on pen testing and where this field is headed in the next few years.
The Pentester Blueprint: Starting a Career as an Ethical Hacker, written by Phillip Wylie
The Web Application Hacker's Handbook, written by Dafydd Stuttard and Marcus Pinto
Where to find Phillip:
Website: https://thehackermaker.com/
Podcast: https://phillipwylieshow.com/
X: https://x.com/PhillipWylie
LinkedIn: https://www.linkedin.com/in/phillipwylie/

Aug 29, 2024 • 48min
Steve Springett -- Software and System Transparency
Steve Springett, an expert in secure software development and key figure in multiple OWASP projects, shares insights on CycloneDX and the importance of software transparency. He discusses the evolving landscape of Software Bills of Materials (SBOMs) and their critical role in security and inventory management. Steve also reflects on personal interests outside of tech, such as automotive modifications and Formula One. His humorous anecdotes and deep knowledge blend seamlessly, making for an engaging and informative conversation.

Jul 31, 2024 • 40min
Irfaan Santoe -- The Power of Strategy in AppSec
In this engaging discussion, Irfaan Santoe, an AppSec professional with a consulting background, delves into the intricacies of Application Security strategies. He emphasizes the importance of measuring program maturity and conveying ROI to business leaders. Santoe explores the communication gaps between CISOs and AppSec initiatives, offering insights on how to bridge them. The conversation also touches on balancing security with practical business operations, making a compelling case for strategic investments in cybersecurity that align with business objectives.