The Application Security Podcast

Katy Anton joins this week to discuss number four on the OWASP Top 10. She dives into what XXE is, how to deal with it, and other new items on the OWASP Top 10 2017. You can find Katy on Twitter  @KatyAntonFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. Pete shared A moving quote during this episode: "an #AppSec program is the byproduct of building secure developers.” #TruthPete describes the differences between SAST, DAST, IAST, and RASP. The struggles developers encounter using new tools, false positives and how to reduce them, and advice for building an #AppSec program from scratch versus adding tools to a mature program.You can find Pete on Twitter @PeteChestna.Additional information on this topic:TechBeacon learning article for more details on the differences between AppSec testing toolsSAST, DAST, IAST, and RASP: Pros, cons and how to chooseFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Irene Michlin operates at the intersection of security and agility. She teaches about incremental threat modeling and how to make threat modeling when living in an Agile or DevOps world.Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude, “We are not making it worse.”You can find Irene on Twitter @IreneMichlin, and check out Irene’s talk on Incremental Threat Modeling last year at AppSec EU.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bill Sempf joins to talk about insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization and the specifics of how it applies to “.NET.” Bill begins his journey to understand these vulnerabilities and provides some hints and tips for looking for them in your code.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions, where to find them, why you need them, and how to set up a beginning champion program from scratch.Here are a few other resources that we’ve written about Security Champions:Do you have Security Champions in your company?Information security needs community: 6 ways to build up your teamsFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robert and Chris interview Kevin Greene from Mitre. We discuss an article Kevin wrote about shifting left and exploring codifying intuitions and new projects at Mitre that will bolster the knowledge of your developers and testers. Kevin brings up the need for accurate results from the SAST and DAST tools on the market. He brings an exciting perspective, focusing on research and development at DHS.Kevin’s article on Dark ReadingCAWEATT&CKFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the conclusion of Season 02 for the AppSec PodCast. This episode focuses on all the OWASP goodness we’ve experienced this year. You’ll hear our favorite clips and explanations from a season full of OWASP.With the publication of this episode, season 02 is a wrap, and on to season 03, which will roll out in March.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the final interview from the #AppSecUSA Conference in Orlando, and Brian Andrzejewski joins Chris and Robert.He talks about containers, their usage within #AppSec, and orchestrations.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tin Zaw, an advocate for ModSecurity, joins Robert and Chris.He dives into its background, the use of rules, and the many advantages.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Aditya Gupta joins Robert and Chris.They speak with him about the many facets of IoT and some of its effects on pen testing, training, and mobile application security.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~