

The Application Security Podcast
Chris Romeo and Robert Hurlbut
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
Episodes

Mar 23, 2018 • 34min
Neil Smithline -- OWASP Top 10 #10: Logging
Neil Smithline joins this week to discuss one of the new items on the OWASP Top 10 list, Insufficient Logging and Monitoring. You can find Neil on Twitter at @neilsmithine.

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The Application Security Podcast
➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mar 16, 2018 • 43min
Jim Routh -- Selling #AppSec Up The Chain
Jim Routh joins the podcast to discuss selling #AppSec up the chain. Jim has built five successful software security programs in his career and serves as a CISO now. Jim shares his real-world experience with successfully selling #AppSec to senior management (as well as many other pieces of wisdom for running an AppSec program).

You can find Jim on Twitter at @jmrouth01.

Mar 9, 2018 • 29min
Chris and Robert -- #AppSec Recommendations
Chris and Robert go over a plethora of recommendations they have accumulated over their years of experience in the industry.

Chris’s recommendations
1. Book: Agile Application Security: Enabling Security in a Continuous Delivery Pipeline, by Laura Bell, Michael Brunton-Spall, Rich Smith, and Jim Bird
   https://amzn.com/1491938846
2. Website: Iron Geek. Adrian Crenshaw records many major, non-commercial security conferences and posts the talks to YouTube.
   http://www.irongeek.com/
3. Book: The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations, by Gene Kim, Patrick Debois, John Willis, and Jez Humble
   https://amzn.com/1942788002
4. News source: The Register. A news site, but with great sources and a bit of British humor attached to technology failures.
   http://www.theregister.co.uk/security/
5. Blog: TechBeacon
   https://www.techbeacon.com
6. Book: Threat Modeling: Designing for Security, by Adam Shostack
   https://amzn.com/1118809998
7. Book: The Tangled Web: A Guide to Securing Modern Web Applications, by Michal Zalewski
   https://amzn.com/B006FZ3UNI
8. Book: Start with Why: How Great Leaders Inspire Everyone to Take Action, by Simon Sinek. Not a security book, but a good approach for those trying to change a security culture.
   https://amzn.com/B002Q6XUE4

Robert’s recommendations
1. Books by Martin Fowler. He wrote many books on understanding architecture.
   https://martinfowler.com/books/
2. Book: Software Security: Building Security In, by Gary McGraw
   http://a.co/5EIlu4h
3. Book: Core Software Security: Security at the Source, by James Ransome and Anmol Misra
   http://a.co/hEwCflz
4. Book: Threat Modeling: Designing for Security, by Adam Shostack
   https://amzn.com/1118809998
5. Websites: Troy Hunt
   https://www.troyhunt.com/
   https://haveibeenpwned.com/
6. Conferences: #AppSec USA, B-Sides, Source, Converge
   https://2018.appsecusa.org/
   http://www.securitybsides.com
   https://sourceconference.com/
   https://www.convergeconference.org/
7. Website: Google Alerts. Use this to be notified about specific topics you want to learn about.
   https://www.google.com/alerts
8. Book: The Checklist Manifesto: How to Get Things Right, by Atul Gawande
   http://a.co/dirHpwq
9. Book: Securing Systems: Applied Security Architec

Mar 2, 2018 • 33min
Magen Wu -- Hustle and Flow: Dealing With Burnout in Security
Magen Wu works through the topic of burnout and mental health in security. She gives examples of handling this and of recognizing if people around you are burning out.

You can find her on Twitter at @infosec_tottie.

Additional information on this topic (Jack Daniel often speaks on the topic of burnout):
- YouTube: The Causes of and Solutions for Security Burnout
- YouTube: Infosec Survival Skills: Being Productive, Coping with Stress, & Preventing Burnout
- Article: Becoming jaded with Security BSides’ Jack Daniel

Feb 23, 2018 • 25min
Katy Anton -- OWASP Top 10 #4 XXE
Katy Anton joins this week to discuss number four on the OWASP Top 10, XML External Entities (XXE). She dives into what XXE is, how to deal with it, and the other new items on the OWASP Top 10 2017.

You can find Katy on Twitter at @KatyAnton.

Feb 16, 2018 • 35min
Pete Chestna -- SAST, DAST, and IAST. Oh My!
Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. Pete shared a moving quote during this episode: "an #AppSec program is the byproduct of building secure developers.” #Truth

Pete describes the differences between SAST, DAST, IAST, and RASP; the struggles developers encounter using new tools; false positives and how to reduce them; and advice for building an #AppSec program from scratch versus adding tools to a mature program.

You can find Pete on Twitter at @PeteChestna.

Additional information on this topic:
- TechBeacon learning article for more details on the differences between AppSec testing tools: SAST, DAST, IAST, and RASP: Pros, cons and how to choose

Feb 9, 2018 • 33min
Irene Michlin -- We Are Not Making It Worse
Irene Michlin operates at the intersection of security and agility. She teaches incremental threat modeling and how to do threat modeling when living in an Agile or DevOps world.

Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude, “We are not making it worse.”

You can find Irene on Twitter at @IreneMichlin, and check out Irene’s talk on Incremental Threat Modeling from last year at AppSec EU.

Feb 2, 2018 • 34min
Bill Sempf -- Insecure Deserialization
Bill Sempf joins to talk about insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization and the specifics of how it applies to .NET. Bill walks through how he began to understand these vulnerabilities and provides some hints and tips for looking for them in your code.

Jan 26, 2018 • 27min
Chris and Robert -- Security Champions
Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions: where to find them, why you need them, and how to set up a beginning champion program from scratch.

Here are a few other resources that we’ve written about Security Champions:
- Do you have Security Champions in your company?
- Information security needs community: 6 ways to build up your teams

Jan 19, 2018 • 33min
Kevin Greene -- Shifting left
Robert and Chris interview Kevin Greene from MITRE. We discuss an article Kevin wrote about shifting left, exploring codifying intuitions, and new projects at MITRE that will bolster the knowledge of your developers and testers. Kevin brings up the need for accurate results from the SAST and DAST tools on the market. He brings an exciting perspective, focusing on research and development at DHS.

Links:
- Kevin’s article on Dark Reading
- CAWE
- ATT&CK