The Application Security Podcast

Josh Grossman has over 15 years of experience in IT Risk and Application Security consulting, and he has also worked as a software developer. He currently works as CTO for Bounce Security, where he focuses on helping organizations build secure products by providing value-driven Application Security support and guidance.In his spare time, he is very involved with OWASP. He is on the OWASP Israel chapter board, he is a co-leader of the OWASP Application Security Verification Standard project, and he has contributed to various other projects as well, including the Top 10 Risks, Top Ten Proactive Controls and JuiceShop projects. We hope you enjoy this conversation with...Josh Grossman.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Alex Mor is a passionate cybersecurity defender or breaker depending on the time of day, providing expert technical guidance to product teams and building security in their platforms. Alex joins us to talk about application risk profiling. He defines what this concept is to help us understand it. Then we talk about how can you do application risk profiling at scale? Whether you have ten applications or 1500 applications? How do you bring this together and gain real true security value from this idea of profiling your applications? We hope you enjoyed this conversation with Alex Mor.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brenna Leath is currently the Head of Product Security for a data analytics company where she sets the application security strategy for R&D and leads a team of security architects. Brenna originally joined us to talk about EO 14028 and the implications for private sector programs, BUT, we were chatting about security champions and product security leads, and we changed our focus to cover these topics instead. We hope you enjoy this conversation with...Brenna Leath.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Will Ratner is a software security professional with extensive experience building and implementing security solutions across a myriad of industries including banking, media, construction, and information technology. In his current role at Atlassian, Will focuses on improving the vulnerability management process by building highly scalable and automated solutions for the enterprise. Will joins us to discuss a centralized approach he built for container scanning. We explore the challenges and lessons learned, building a scalable, enterprise-grade solution, and how to build something that developers will see value in. We hope you enjoy this conversation with...Will Ratner.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Neil Matatall is an engineer with a background in security. He has previously worked at GitHub and Twitter and is a co-founder of Loco Moco Product Security Conference. Neil joins us for his second visit, to discuss account security at scale. He describes the underlying principles behind security at scale, how he worked to build a sign-in analysis feature, and how attacks were detected. We ended the conversation with an authentication lightning round, with Neil responding to various statements about authentication off the cuff! We hope you enjoy this episode with Neil Matatall.Check out our previous conversation with Neil Matatall. https://www.buzzsprout.com/1730684/8122595-neil-matatall-content-security-policyFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Joern Freydank is a Lead Cyber Security Engineer with more than 20 years of experience. He is currently establishing the Threat Modeling Program at a major insurance company. Joern joins us to talk about security design anti-patterns. He defines the term, explains security debt, reviews the categories of anti-patterns, and walks us through the example of a common role misconception. We hope you enjoy this conversation with...Joern Freydank.For more from Joern, check out his talk, Security Design Anti-Patterns -- Creating Awareness to Limit Security Debt, from Global AppSec:  https://youtu.be/o_Wq7Ga4M-0FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ken Toler is a principal consultant at Kudelski Security and is passionate about building and optimizing application security programs that stick through strong adoption and ease of use. Ken has spent considerable time on all sides of the security aisle from playing defense and managing security teams to offense by breaking applications and reviewing code. Ken is also the host and creator of the Relating to DevSecOps podcast that focuses on forging strong relationships between engineers, operations, and security through collaboration, understanding, skill-sharing, and healthy debate. Ken joins us to talk about all things Blockchain and AppSec. We define Blockchain, discuss the connections between cloud, appsec, and blockchain, common architecture failures, pen testing, and even dive into smart contracts. We hope you enjoy this conversation with...Ken Toler.Links from the episode:Secureum Videoshttps://www.youtube.com/c/SecureumVideos/videosBLOCKCHAIN SECURITY: A NEED FOR TODAY’S BUSINESSES (COMPLETE GUIDE FOR BEGINNERS)https://www.blockchain-council.org/blockchain/blockchain-security-a-need-for-todays-businesses-complete-guide-for-beginners/The Rust Programming Languagehttps://doc.rust-lang.org/book/Blockchain Security @ Kudelskihttps://kudelskisecurity.com/services/applied-security/blockchain-security/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jeroen Willemsen is a passionate, hands-on security architect with a knack for mobile security and security automation. As a "jack of all trades," he has been involved with various OWASP projects and has developed various trainings. He has spent over 10 years as a full-stack developer and has worked as a (security) architect, security lead, and risk manager.Ben de Haan is a Freelance Security consultant and engineer. Ben's specialties are architecting and implementing cloud security and building secure CI/CD environments in Agile, DevOps, and SRE cultures. Ben believes security should be built-in and can be scaled to meet these modern ways of working. Outside of regular work, Ben enjoys hosting security trainings or workshops, and he's an AWS NL Meetup regular.Jeroen and Ben join us to speak about their OWASP project, Wrong Secrets. We discuss the problems secrets bring into applications and explore how you can use Wrong Secrets to bolster your knowledge of what not to do with secrets. We hope you enjoy this conversation with... Jereon and Ben.Explore these helpful resources mentioned during the interview:https://owasp.org/www-project-wrongse...https://xebia.com/secure-deployment-1...github; https://github.com/commjoen/wrongsecretsfree heroku dyno hosted version; https://wrongsecrets.herokuapp.com/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions. Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with...Adam Shostack.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Loren Kohnfelder has over 20 years of experience in the security industry. At Microsoft, he was a key contributor to STRIDE, the industry’s first formalized proactive security process methodology, and also program-managed the .NET platform security effort. At Google, he worked as a software engineer on the Security team and as a founding member of the Privacy team. Loren joins us to talk about his new book, Designing Secure Software. We start the conversation geeking out about his work to create STRIDE and digital certificates. We then discuss facets of the book, like secure software, security design review, and what he would implement if he could only do one thing to improve software security. We hope you enjoy this conversation with...Loren Kohnfelder.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~