
The Application Security Podcast

Latest episodes

Jul 23, 2024 • 52min

Andrew Van Der Stock -- The New OWASP Top Ten

Join Chris Romeo and Robert Hurlbut in a captivating discussion with Andrew Van Der Stock, the executive director at OWASP. They delve into the latest developments in the OWASP Top 10 Project, emphasizing the significance of data collection and developer engagement. Learn about the methodology behind building the OWASP Top 10, the importance of framework security, and get insights that could shape the future of web application security.
Jul 16, 2024 • 1h 2min

Derek Fisher -- Hiring in Cyber/AppSec

Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience, is back on the podcast. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of entry-level roles in the industry. We discuss the value of certifications, the necessity of lifelong learning, and the importance of networking. Listen along for good advice on getting noticed in cybersecurity, resume tips, and the evolving landscape of AppSec careers.

Mentioned in this episode:
- The Application Security Handbook by Derek Fisher
- With the Old Breed by E.B. Sledge
- Cyber for Builders by Ross Haleliuk
- Effective Vulnerability Management by Chris Hughes

Previous episode: Derek Fisher – The Application Security Handbook

FOLLOW OUR SOCIAL MEDIA:
Twitter: @AppSecPodcast
LinkedIn: The Application Security Podcast
YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
Jul 9, 2024 • 1h 5min

Tanya Janca -- Secure Guardrails

Award-winning public speaker Tanya Janca discusses secure guardrails in application security, emphasizing the importance of guiding individuals back to secure practices. She also shares insights on implementing security guardrails in software development and fostering collaboration between software developers and security professionals.
Jul 2, 2024 • 50min

Jahanzeb Farooq -- Launching and executing an AppSec program

Jahanzeb Farooq discusses his journey in cybersecurity and the challenges of building AppSec programs from scratch. Jahanzeb shares his experience working in various industries, including Siemens, Novo Nordisk, and Danske Bank, highlighting the importance of understanding developer needs and implementing the right tools. The conversation covers the complexities of cybersecurity in the pharmaceutical and financial sectors, shedding light on regulatory requirements and the role of software in critical industries. Learn about prioritizing security education, threat modeling, and navigating digital transformation.

Mentioned in this episode:
- The Power of Habit by Charles Duhigg
Jun 18, 2024 • 57min

David Quisenberry -- Building Security, People, and Programs

David Quisenberry shares about his journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making. The conversation delves into the value of mentoring and why it's important to build real relationships with the people you work with, the vital role of trust with engineering teams, and the significance of mental health and community in the industry.

Books shared in the episode:
- SRE Engineering by Betsy Beyer, Chris Jones, Jennifer Petoff and Niall Richard Murphy
- The Phoenix Project by Gene Kim, Kevin Behr and George Spafford
- Security Chaos Engineering by Aaron Rinehart and Kelly Shortridge
- CISO Desk Reference Guide by Bill Bonney, Gary Hayslip and Matt Stamper
- Wiring the Winning Organization by Gene Kim and Dr. Steven J. Spear
- The Body Keeps the Score by Bessel van der Kolk, M.D.
- Intelligence Driven Incident Response by Rebekah Brown and Scott J. Roberts
- Never Eat Alone by Keith Ferrazzi
- Thinking Fast and Slow by Daniel Kahneman
- Do Hard Things by Steve Magness
- How Leaders Create and Use Networks, whitepaper by Herminia Ibarra and Mark Lee Hunter
Jun 11, 2024 • 46min

Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People

Matt Rose takes listeners on a journey through the intricate world of software supply chain security. He highlights how perceptions vary across the industry and critiques the buzzword 'shift left.' The discussion dives into the roles of digital twins and AI, revealing their potential risks and benefits. Emphasizing threat modeling as a crucial early step, Matt argues for a comprehensive security approach. The conversation also touches on industry trends, the pitfalls of jargon, and the importance of navigating current and emerging security challenges.
May 31, 2024 • 45min

James Berthoty -- Is DAST Dead? And the future of API security

James Berthoty, a cloud security engineer with a rich IT background and founder of Latio Tech, dives into the evolving landscape of application security. He critiques traditional DAST tools, emphasizing their limitations with modern applications and the pressing need for advanced API security solutions. The conversation explores the ongoing challenges of software patching and how AI can streamline these processes. With a focus on actively engaging in open-source sustainability, Berthoty advocates for a proactive approach to security over mere identification of issues.
May 21, 2024 • 43min

Mark Curphey and Simon Bennetts -- Riding the Coat Tails of ZAP, without Open Source Funding

Mark Curphey and Simon Bennetts join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP. Curphey shares about going fully independent and building a non-profit sustainable model for ZAP. The key is getting companies in the industry, especially companies commercializing ZAP, to properly fund its ongoing development and maintenance.

Bennetts, who has led ZAP for over 15 years, shares the harsh reality that while ZAP is likely the world's most popular web scanner with millions of active users per month, very few companies contribute back financially despite making millions by building products and services on top of ZAP. Curphey and Bennetts are asking those in the industry to step up and properly fund open source projects like ZAP that are critical infrastructure, rather than freeloading off the hard work of a few individuals. Curphey's company is investing substantial funds in a "responsible marketing" model to sustain ZAP as a non-profit, with hopes others will follow this ethical example to prevent open source security going down a dangerous path.
May 14, 2024 • 36min

Devin Rudnicki -- Expanding AppSec

Devin Rudnicki, the Chief Information Security Officer at Fitch Group, shares her journey of developing an application security program from scratch and advancing to the CISO role. She emphasizes the importance of collaboration, understanding the organization's business, and using metrics to drive positive change in the security program.

Mentioned in this episode:
- Elon Musk by Walter Isaacson
- Steve Jobs by Walter Isaacson
- The Code Breaker: Jennifer Doudna, Gene Editing, and the Future of the Human Race by Walter Isaacson
- https://www.simonandschuster.com/authors/Walter-Isaacson/697650
Apr 16, 2024 • 45min

Dustin Lehr -- Culture Change through Champions and Gamification

Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocates. He emphasizes the importance of fostering a security culture and leveraging gamification to engage developers effectively. They also cover the challenges of implementing security practices within the development process and how to justify the need for a champion program to engineering leadership. Dustin shares insights from his career transition from a developer to a cybersecurity professional, and he provides practical advice for organizations looking to enhance their security posture through community and culture-focused approaches.

Links:
- "Maker's Schedule, Manager's Schedule" article by Paul Graham: https://www.paulgraham.com/makersschedule.html
- Never Split the Difference by Chris Voss & Tahl Raz: https://www.harpercollins.com/products/never-split-the-difference-chris-vosstahl-raz?variant=32117745385506