
The Application Security Podcast

Latest episodes

Jan 25, 2022 • 37min

Joern Freydank -- Security Design Anti Patterns Limit Security Debt

Joern Freydank is a Lead Cyber Security Engineer with more than 20 years of experience. He is currently establishing the Threat Modeling Program at a major insurance company. Joern joins us to talk about security design anti-patterns. He defines the term, explains security debt, reviews the categories of anti-patterns, and walks us through the example of a common role misconception. We hope you enjoy this conversation with... Joern Freydank.

For more from Joern, check out his talk, Security Design Anti-Patterns -- Creating Awareness to Limit Security Debt, from Global AppSec: https://youtu.be/o_Wq7Ga4M-0

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The Application Security Podcast
➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!
Jan 18, 2022 • 45min

Ken Toler -- Blockchain, Cloud, and #AppSec

Ken Toler is a principal consultant at Kudelski Security and is passionate about building and optimizing application security programs that stick through strong adoption and ease of use. Ken has spent considerable time on all sides of the security aisle, from playing defense and managing security teams to offense by breaking applications and reviewing code. Ken is also the host and creator of the Relating to DevSecOps podcast, which focuses on forging strong relationships between engineers, operations, and security through collaboration, understanding, skill-sharing, and healthy debate.

Ken joins us to talk about all things Blockchain and AppSec. We define Blockchain, discuss the connections between cloud, appsec, and blockchain, common architecture failures, pen testing, and even dive into smart contracts. We hope you enjoy this conversation with... Ken Toler.

Links from the episode:
Secureum Videos: https://www.youtube.com/c/SecureumVideos/videos
BLOCKCHAIN SECURITY: A NEED FOR TODAY'S BUSINESSES (COMPLETE GUIDE FOR BEGINNERS): https://www.blockchain-council.org/blockchain/blockchain-security-a-need-for-todays-businesses-complete-guide-for-beginners/
The Rust Programming Language: https://doc.rust-lang.org/book/
Blockchain Security @ Kudelski: https://kudelskisecurity.com/services/applied-security/blockchain-security/
Jan 11, 2022 • 35min

Jeroen Willemsen and Ben de Haan -- Dirty little secrets

Jeroen Willemsen is a passionate, hands-on security architect with a knack for mobile security and security automation. As a "jack of all trades," he has been involved with various OWASP projects and has developed various trainings. He has spent over 10 years as a full-stack developer and has worked as a (security) architect, security lead, and risk manager.

Ben de Haan is a freelance security consultant and engineer. Ben's specialties are architecting and implementing cloud security and building secure CI/CD environments in Agile, DevOps, and SRE cultures. Ben believes security should be built in and can be scaled to meet these modern ways of working. Outside of regular work, Ben enjoys hosting security trainings or workshops, and he's an AWS NL Meetup regular.

Jeroen and Ben join us to speak about their OWASP project, Wrong Secrets. We discuss the problems secrets bring into applications and explore how you can use Wrong Secrets to bolster your knowledge of what not to do with secrets. We hope you enjoy this conversation with... Jeroen and Ben.

Explore these helpful resources mentioned during the interview:
https://owasp.org/www-project-wrongse...
https://xebia.com/secure-deployment-1...
GitHub: https://github.com/commjoen/wrongsecrets
Free Heroku dyno hosted version: https://wrongsecrets.herokuapp.com/
Dec 15, 2021 • 31min

Adam Shostack -- Fast, cheap and good threat models

Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions.

Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with... Adam Shostack.
Dec 7, 2021 • 34min

Loren Kohnfelder -- Designing Secure Software

Loren Kohnfelder has over 20 years of experience in the security industry. At Microsoft, he was a key contributor to STRIDE, the industry's first formalized proactive security process methodology, and also program-managed the .NET platform security effort. At Google, he worked as a software engineer on the Security team and as a founding member of the Privacy team.

Loren joins us to talk about his new book, Designing Secure Software. We start the conversation geeking out about his work to create STRIDE and digital certificates. We then discuss facets of the book, like secure software, security design review, and what he would implement if he could only do one thing to improve software security. We hope you enjoy this conversation with... Loren Kohnfelder.
Nov 29, 2021 • 36min

Ochaun Marshall -- IaC and SAST

Ochaun Marshall is an Application Security Consultant. In his role at Secure Ideas, he works on ongoing development projects using Amazon Web Services and breaks other people's web applications.

Ochaun joins us to talk about SAST and IaC: static application security testing and infrastructure as code. We talk about what they are, how they work, the security benefits, and some of the tools that make them possible. We finish our conversation talking about developer empathy and why Ochaun has it, as a result of his own experiences as both a developer and a security person. We hope that you enjoy this episode with... Ochaun Marshall.
Nov 10, 2021 • 40min

Simon Bennetts -- Using OWASP Zap across an Enterprise

Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and a Distinguished Engineer at StackHawk, a company that uses ZAP to help users fix application security bugs before they hit production. He has talked about and demonstrated ZAP at conferences all over the world. Prior to making a move into security, he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.

Simon joins us for the second time to refresh our knowledge of ZAP, explain how to use ZAP as an automation tool in your pipeline, and share what he knows about rolling ZAP out across an enterprise. We hope you enjoy this conversation with... Simon Bennetts.
Oct 27, 2021 • 32min

Timo Pagel -- DevSecOps Maturity Model

Timo Pagel has been in the IT industry for over fifteen years. After a career as a system administrator and web developer, he now advises customers as a DevSecOps consultant and trainer. His focus is on security test automation for software and infrastructure and assessment of complex applications in the cloud. In his spare time, he teaches "Web and Application Security" at various universities.

Timo joins us to talk about the OWASP DevSecOps Maturity Model, or DSOMM. We explore maturity models, this specific one, how you can use it, and how to get started. We hope you enjoy this conversation with... Timo Pagel.
Oct 6, 2021 • 33min

Mazin Ahmed -- Terraform Security

Mazin Ahmed is a security engineer who specializes in AppSec and offensive security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, LinkedIn, and Oracle, to name a few. Mazin is the developer of several popular open-source security tools that have been integrated into security testing frameworks and distributions. Mazin also built FullHunt.io, the next-generation continuous attack surface security platform. He is also passionate about cloud security, where he has been running dozens of experiments.

Mazin joins us to introduce Infrastructure as Code and Terraform and discuss the security benefits IaC brings to our cloud environments. We hope you enjoy this conversation with... Mazin Ahmed.
Sep 24, 2021 • 54min

James Ransome and Brook Schoenfield -- trust and verify: Building in Security at Agile Speed

Dr. James Ransome is the Chief Scientist for CyberPhos, an early-stage cybersecurity startup. He is also a member of the board of directors for the Bay Area Chief Security Officer Council and serves as an adviser to ForAllSecure and Resilient Software Security. Dr. Ransome's career includes leadership positions in the private and public sectors. He has served in three chief information security officer and four chief security officer roles before taking on Chief Product Security Officer roles over the last 11 years. During this time, he has been building and enhancing developer-centric, self-sustaining, and scalable software security programs that are holistic, cost-effective, and operationally relevant.

Brook S.E. Schoenfield is the author of Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). Building In Security At Agile Speed (with James Ransome, Auerbach, 2021) focuses on software security for continuous development practices and DevOps. Brook helps clients with their software security and secure design practices. He mentors technical leaders to effectively deliver security strategy. He consults as a technical leader for True Positives, LLC and SEC Consult America's holistic security architecture services.

Book: https://www.amazon.com/Building-Security-at-Agile-Speed/dp/0367433265/ref=sr_1_1?dchild=1&keywords=building+in+security+at+agile+speed&qid=1631297374&sr=8-1
