The Application Security Podcast

Irene Michlin operates at the intersection of security and agility. She teaches about incremental threat modeling and how to make threat modeling when living in an Agile or DevOps world.Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude, “We are not making it worse.”You can find Irene on Twitter @IreneMichlin, and check out Irene’s talk on Incremental Threat Modeling last year at AppSec EU.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bill Sempf joins to talk about insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization and the specifics of how it applies to “.NET.” Bill begins his journey to understand these vulnerabilities and provides some hints and tips for looking for them in your code.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions, where to find them, why you need them, and how to set up a beginning champion program from scratch.Here are a few other resources that we’ve written about Security Champions:Do you have Security Champions in your company?Information security needs community: 6 ways to build up your teamsFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robert and Chris interview Kevin Greene from Mitre. We discuss an article Kevin wrote about shifting left and exploring codifying intuitions and new projects at Mitre that will bolster the knowledge of your developers and testers. Kevin brings up the need for accurate results from the SAST and DAST tools on the market. He brings an exciting perspective, focusing on research and development at DHS.Kevin’s article on Dark ReadingCAWEATT&CKFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the conclusion of Season 02 for the AppSec PodCast. This episode focuses on all the OWASP goodness we’ve experienced this year. You’ll hear our favorite clips and explanations from a season full of OWASP.With the publication of this episode, season 02 is a wrap, and on to season 03, which will roll out in March.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the final interview from the #AppSecUSA Conference in Orlando, and Brian Andrzejewski joins Chris and Robert.He talks about containers, their usage within #AppSec, and orchestrations.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tin Zaw, an advocate for ModSecurity, joins Robert and Chris.He dives into its background, the use of rules, and the many advantages.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Aditya Gupta joins Robert and Chris.They speak with him about the many facets of IoT and some of its effects on pen testing, training, and mobile application security.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris and Robert talk to Jim Manico and Katy Anton about the OWASP Proactive Controls project. We have discussed this before, and they are looking for feedback on the upcoming update.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We talk about the future of the OWASP Top 10. We do this by meeting the new project leadership team, understanding the process for how they do governance now and into the future, and how they deal with provided feedback. We look behind the curtain at how they make decisions and use the data and feedback provided.Side note, at the AppSec USA closing, the OWASP T10 leaders did announce that A7 and A10 from the OWASP Top 10 RC1 have been removed.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~