The Application Security Podcast

This is our second interview at ISC2 Security Congress. We are joined by Glenn Leifheit (@gleifhe), an InfoSec and Development Evangelist at Microsoft. Microsoft is the grandparent to almost every secure development lifecycle across the industry.This is an in-depth discussion about how actually to do SDL. Glenn shares some things during this conversation that I’ve never heard about the internals of Microsoft’s SDL process in public. You will take something away from this conversation to apply to your program.Enjoy!FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mike Landeck joins Robert and me. Mike is a Cyber security evangelist, AppSec junky & Docker Security geek, and can be found on Twitter @MikeLandeck.We interviewed Mike in person at the ISC2 Security Congress event in Orlando, Florida. We discussed his latest talk on breach fatigue, the need to reach outside the echo chamber of security, Twitter as a news source for security, secure coding, and many other things.Please enjoy, and search for something you can apply directly into your day-to-day life!FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about Web App Penetration testing. In part two, we focus on the process of pen testing and web app pen testing.I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in security for over ten years, focusing most of that time on application security. He spent two years as a full-time consultant at Cigital and is now doing independent AppSec consulting through his company, Enigma Technologies. We hope you enjoy it!FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about Web App Penetration testing. In part one, we focus on the difference between pen testing and web app pen testing, where pen testing fits your development methodology (waterfall, agile, and DevOps), and why someone should care about it.I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in security for over ten years, focusing most of that time on application security. He spent two years as a full-time consultant at Cigital and is now doing independent AppSec consulting through his company, Enigma Technologies. We hope you enjoy it!FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Robert and I are joined today by Matt Clapham. Matt “makes products more secure” I mean, hey, his Twitter handle is @ProdSec.The topic of this interview is what Matt calls development security maturity. This concept is based on Matt’s research and his talk at RSA. Matt created a simple process to measure the maturity of development security by looking at five key behaviors. We cover the what and why of development security, the five key behaviors, and scoring and reporting. In conclusion, we discuss how to make the results of an assessment actionable.Matt’s RSA slides are a great resource to review in conjunction with the interview: str-w05-estimating-development-security-maturity-in-about-an-hour-final.pdfBio: Matt Clapham makes products more secure. His career is a rare blend of both product development and enterprise operations. He is currently a Principal of Product Development Security at GE Healthcare. Matt previously worked as a Software Tester, IT Policy Author, and Security Advisor to all things games at Microsoft. He is familiar with the security foibles of the Industrial Device Internet of Things and how to overcome them. Matt is a frequent speaker and author of magazine articles on IT, security, games, or some combination thereof. He holds degrees in engineering and music from the University of Michigan.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Welcome to the first of many interviews on the #AppSec Podcast. In this episode, Robert and I interview Elena Elkina (@el0chka) on privacy. We cover privacy, data protection, and customer data protection. This is a quick chat for around 20 minutes. In the future, we’ll dive deeper into the crossroads of security and privacy.Elena is a Senior Global Privacy & Data Protection Management Executive. She has worked with financial and healthcare institutions, software and internet companies, major law firms, and the government sector on both international and domestic levels. She co-founded Women in Security and Privacy, a non-profit organization focusing on advancing women in security and privacy. She is also a board member for Leading Women in Technology, a non-profit organization dedicated to unlocking the potential of female professionals who advise technology businesses.We hope you enjoy this conversation with Elena about privacy and data protection!FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this episode, we talk about product development methodologies and the impact of security. We explore how to apply security activities to waterfall and Agile and discuss the pros and cons. We’ve both had experience with these methodologies and freely share what we’ve seen work and what we’ve seen fail. This applies whether you are new to security or have been doing security for decades. If you have anything to add, share your wisdom by catching us @AppSecPodcast on Twitter!FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On this episode of the Application Security PodCast, we continue our journey through the foundations of application security. We explore the activities of the secure development life cycle. We cover requirements, secure design, secure coding, 3rd party SW, static analysis, vulnerability scanning, and others.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the inaugural episode of the Application Security PodCast, Robert and I introduce ourselves to the audience, explain our journeys into the security world, and answer the burning question, “What the heck is application security?”The key takeaways from this episode are:Application security is:foundationalrequired by customersa worthy investmenta people issue supported by toolsFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~