
The Application Security Podcast

Latest episodes

Dec 5, 2023 • 58min

Arshan Dabirsiaghi -- Security Startups, AI Influencing AppSec, and Pixee/Codemodder.io

Arshan Dabirsiaghi, Co-founder of Pixee, discusses startups, AI in appsec, and Codemodder.io. They explore unrealistic expectations on developers regarding security, the dynamic nature of startups, and the future of AI in application security.
Nov 28, 2023 • 44min

Dr. Jared Demott -- Cloud Security & Bug Bounty

Chris and Robert are thrilled to have an insightful conversation with Dr. Jared Demott, a seasoned expert in the field of cybersecurity. The discussion traverses a range of topics, from controversial opinions on application security to the practical aspects of managing bug bounty programs in large corporations like Microsoft.

We dive into the technicalities of bug bounty programs, exploring how companies like Microsoft handle the influx of reports and the importance of such programs in a comprehensive security strategy. Dr. Demott provides valuable insights into the evolution of bug classes and the never-ending challenge of addressing significant bug types, emphasizing that no bug class can ever be fully eradicated.

This episode is a must-listen for anyone interested in the nuances of software security, the realities of cybersecurity employment, and the ongoing challenges in bug mitigation. Join us for an enlightening journey into the heart of application security with Dr. Jared Demott.

Links:
Microsoft Security Response Center (MSRC): https://www.microsoft.com/en-us/msrc

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The Application Security Podcast
➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nov 21, 2023 • 51min

Katharina Koerner -- Security as Responsible AI

Dr. Katharina Koerner, a renowned advisor and community builder with expertise in privacy by design and responsible AI, joins Chris and Robert to delve into the intricacies of responsible AI in this episode of the Application Security Podcast. She explores how security intersects with AI, discusses the ethical implications of AI's integration into daily life, and emphasizes the importance of educating ourselves about AI risk management frameworks. She also highlights the crucial role of AI security engineers, the ethical debates around using AI in education, and the significance of international AI governance. This discussion is a deep dive into AI, privacy, security, and ethics, offering valuable insights for tech professionals, policymakers, and individuals.

Links:
UNESCO Recommendation on the Ethics of Artificial Intelligence: https://www.unesco.org/en/artificial-intelligence?hub=32618
OECD AI Principles: https://oecd.ai/en/ai-principles
White House Blueprint for an AI Bill of Rights: https://www.whitehouse.gov/ostp/ai-bill-of-rights/
NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
NIST Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations: https://csrc.nist.gov/pubs/ai/100/2/e2023/ipd
Microsoft Responsible AI Standard, v2: https://www.microsoft.com/en-us/ai/principles-and-approach
  ==> Microsoft Failure Modes in Machine Learning: https://learn.microsoft.com/en-us/security/engineering/failure-modes-in-machine-learning
ENISA Securing Machine Learning Algorithms: https://www.enisa.europa.eu/publications/securing-machine-learning-algorithms
Google Secure AI Framework (SAIF): https://developers.google.com/machine-learning/resources/saif
  ==> Google Why Red Teams Play a Central Role in Helping Organizations Secure AI Systems: https://services.google.com/fh/files/blogs/google_ai_red_team_digital_final.pdf

Recommended Book:
The Ethical Algorithm: The Science of Socially Aware Algorithm Design by Michael Kearns and Aaron Roth: https://global.oup.com/academic/product/the-ethical-algorithm-9780190948207?cc=us&lang=en&
Nov 15, 2023 • 51min

Ray Espinoza -- The AppSec CISO, Vendor Relationships, and Mentoring

For Security Pros & Business Leaders | Strategic Insights & Leadership Lessons

When Ray Espinoza joined Chris and Robert on the Application Security Podcast, he gave a treasure trove of insights for both security professionals and business leaders alike! Whether you're deep in the trenches of information security or steering the ship in business leadership, this episode is packed with valuable takeaways. Dive in to discover why this is a must-listen for professionals across the spectrum.

For Security Professionals:
1. CISO Insights: Gain a glimpse into the strategic mind of a Chief Information Security Officer. Learn from their real-world experiences and challenges in aligning security with business goals.
2. Career Development: Get inspired by the speaker's career journey and learn the importance of mentorship in your professional growth.
3. Data-Driven Security: Embrace a data-driven approach to security solutions, focusing on tangible results and measurable outcomes.

For Business Leaders:
1. Strategic Security Understanding: Learn how information security is integral to overall business strategy and decision-making.
2. Universal Risk Management: Gain insights into risk management strategies applicable across various business aspects.
3. Communication & Relationship Building: Enhance your skills in effective communication and professional relationship building.
4. Leadership & Mentorship: Absorb valuable lessons in guiding and inspiring your team, crucial for effective leadership.
5. Adaptability in Leadership: Understand the importance of flexibility and adaptability in today's rapidly evolving business landscape.
6. Data-Driven Decisions: Embrace the power of data in driving efficient and accountable business processes.

Why Listen?
For security pros, this is your chance to deepen your understanding of strategic security management and enhance your interpersonal skills.
For business leaders, this episode offers a unique perspective on how security strategies impact broader business objectives and leadership practices.

Don't Miss Out!
Tune in now for an enlightening discussion filled with actionable insights. Whether you're an aspiring CISO, a seasoned security professional, or a business leader looking to broaden your horizons, this podcast has something for everyone. Like, Share, and Subscribe for more insightful content! Drop your thoughts and takeaways in the comments below!

#SecurityLeadership #BusinessStrategy #RiskManagement #CareerGrowth #DataDrivenDecisions #LeadershipSkills

Remember, your engagement helps us bring more such content. So, hit that like button, share with your network, and subscribe for more insightful episodes!

Ray's Book Recommendation:
Extreme Ownership by Jocko Willink and Leif Babin: https://echelonfront.com/books/extreme-ownership/
Nov 7, 2023 • 50min

Chris John Riley -- MVSP: Minimum Viable Secure Product

Chris John Riley discusses the Minimum Viable Secure Product (MVSP) checklist for B2B software, targeting startups and organizations creating new applications. MVSP includes controls for business operations, application design, implementation, and operational controls. It emphasizes regular third-party penetration testing and evolutionary updates to keep up with cybersecurity changes. The future of MVSP focuses on evolving controls and industry feedback. The importance of application security and book recommendations are also discussed.
Oct 31, 2023 • 52min

Steve Wilson and Gavin Klondike -- OWASP Top Ten for LLM Release

Steve Wilson and Gavin Klondike are part of the core team for the OWASP Top 10 for Large Language Model Applications project. They join Robert and Chris to discuss the implementation and potential challenges of AI, and present the OWASP Top Ten for LLM version 1.0. Steve and Gavin provide insights into the issues of prompt injection, insecure output handling, training data poisoning, and others. Specifically, they emphasize the significance of understanding the risk of allowing excessive agency to LLMs and the role of secure plugin designs in mitigating vulnerabilities.

The conversation dives deep into the importance of secure supply chains in AI development, looking at the potential risks associated with downloading anonymous models from community-sharing platforms like Huggingface. The discussion also highlights the potential threat implications of hallucinations, where AI produces results based on what it thinks it's expected to produce and tends to please people, rather than generating factually accurate results.

Wilson and Klondike also discuss how certain standard programming principles, such as 'least privilege', can be applied to AI development. They encourage developers to conscientiously manage the extent of privileges they give to their models to avert discrepancies and miscommunications from excessive agency. They conclude the discussion with a forward-looking perspective on how the OWASP Top Ten for LLM Applications will develop in the future.

Links:
OWASP Top Ten for LLM Applications project homepage: https://owasp.org/www-project-top-10-for-large-language-model-applications/
OWASP Top Ten for LLM Applications summary PDF: https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-slides-v1_1.pdf
Oct 24, 2023 • 48min

Tanya Janca -- What Secure Coding Really Means

Tanya Janca, also known as SheHacksPurple, joins the Application Security Podcast again to discuss secure coding, threat modeling, education, and other topics in the AppSec world. With a rich background spanning over 25 years in IT, coding, and championing cybersecurity, Tanya delves into the essence of secure coding.

Tanya highlights the difference between teaching developers about vulnerabilities and teaching them the practices to avoid these vulnerabilities in the first place. Instead of focusing on issues like SQL injection, she emphasizes the importance of proactive measures like input validation and always using parameterized queries. She believes teaching developers how to build secure applications is more effective than merely pointing out vulnerabilities.

She also explains the importance of a secure system development life cycle (SDLC). Software companies often state "We take your security seriously." Tanya believes the phrase should only be used by companies that have a secure SDLC in place. Without it, the phrase is rendered meaningless.

Discussing the intersection of coding and threat modeling, Tanya shares personal anecdotes that underscore the need to view systems with a critical eye, always anticipating potential vulnerabilities and threats. She recounts her initial reactions during threat modeling sessions, where she is surprised by the myriad ways applications can be exploited.

One of her most crucial takeaways for developers is the principle of distrust and verification. Tanya stresses that when writing code, developers should not trust any input or connection blindly. Everything received should be validated to ensure its integrity and safety. This practice, she believes, not only ensures the security of applications but also makes the lives of incident responders easier.

Toward the end of the podcast, Tanya recommends "This is How They Tell Me the World Ends," which offers a deep dive into the zero-day industry. She lauds the book for its meticulous research and compelling narrative. The episode wraps up with Tanya encouraging listeners to stay connected with her work and to anticipate her upcoming book.

Links:
Alice and Bob Learn Application Security by Tanya Janca: https://www.wiley.com/en-us/Alice+and+Bob+Learn+Application+Security-p-9781119687405
This is How They Tell Me the World Ends by Nicole Perlroth: https://thisishowtheytellmetheworldends.com/
WeHackPurple: https://wehackpurple.com/
Oct 16, 2023 • 48min

Hasan Yasar -- Actionable SBOM via DevSecOps

Hasan Yasar believes that everyone shares the responsibility of creating a secure environment, and this can only be achieved by working collaboratively. He underscores the idea that security is not an isolated endeavor but a collective effort, urging everyone to come together and build a world where safety and security are paramount.

Yasar also shares his thoughts about education and security. He highlights the need for integrating security concepts right from the foundational levels of teaching programming languages. By introducing concepts like input validation and sanitization early on, students can be better equipped to handle security challenges in their professional lives. Yasar also mentions the importance of bridging the gap between real-world problems and academic research. By organizing workshops and connecting researchers with real-world challenges, there's an opportunity to create more awareness and solutions that are grounded in practicality.

He contrasts the challenges faced in developing complex systems like simulators with those of web applications. In the context of simulators, every aspect, from memory management to user interface, needs to be meticulously crafted, keeping both safety and security in mind. This holistic approach ensures that safety and security are intertwined, ensuring a robust system. On the other hand, with web applications, developers often only see the tip of the iceberg, unaware of the underlying dependencies, making security a more challenging endeavor.

Hasan Yasar introduces Chris and Robert to the concept of "actionable SBOM" (Software Bill of Materials). He passionately argues against viewing the SBOM as just a static file tucked away in repositories. Instead, Yasar champions the idea that it should be actively integrated into the infrastructure as code. This ensures that when deploying tools like Docker containers, there's a consistent alignment between the software components and their documented versions in the SBOM.

Yasar further underscores the importance of real-time monitoring of the SBOM, especially in a production environment. This proactive approach not only keeps track of the software components but also alerts organizations to new vulnerabilities as they arise. By integrating the SBOM with vulnerability management tools, organizations can maintain a secure environment, ensuring timely updates and patches when potential threats are detected.

The podcast also touches upon the challenges of maintaining an actionable SBOM in fast-paced development environments, where software updates can occur multiple times a day. However, Yasar remains optimistic. He believes that with the right mindset and tools, it's entirely possible to keep the SBOM updated and relevant, making it an invaluable asset in the ever-evolving world of software development and security.

Links:
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes, Tony Turner: https://www.amazon.com/dp/1394158483?ref_=cm_sw_r_cp_ud_dp_PHSFCKCRM7Q8KZ41RDXT
Cybersecurity First Principles: A Reboot of Strategy and Tactics by Rick Howard: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/1394173083
Carnegie Mellon Universi
Oct 10, 2023 • 39min

Varun Badhwar -- The Developer Productivity Tax

Varun Badhwar, a luminary in the cyber security industry, joins Chris and Robert to discuss scanning with context, SBOM plus VEX, and the developer productivity tax. The integration of SBOM plus VEX aims to streamline the vulnerability management process, ensuring that only relevant and critical threats are addressed. They also emphasize the importance of 'Scanning with Context' to avoid false positives and irrelevant findings.
Oct 3, 2023 • 1h 3min

OWASP Board of Directors Debate

The Application Security Podcast presents the OWASP Board of Directors Debate for the 2023 elections. This is a unique and engaging discussion among six candidates vying for a position on the board. Throughout the debate, candidates address pressing questions about their priorities as potential board members, the future direction of OWASP, and strategies for community growth and vendor neutrality. Topics such as vendor agnosticism, the allocation of profits from global OWASP events, and the importance of community involvement are among the critical issues discussed.

The questions presented by Chris and Robert include:
- What experience do you have running an organization like OWASP? Have you been a C-level exec? Have you served on a Board of Directors? What hard decisions about the strategic direction of an organization have you personally made?
- What are your priorities as a board member, and what should not be on the board's agenda?
- How do you envision maintaining the legacy of OWASP's open-source projects in the future, especially compared to organizations like the Linux Foundation, which has successfully nurtured community engagement and secured funding for project sustainability?
- The individual paid memberships are in a steady decline year over year. What is your plan to increase the number of paid members of OWASP?
- How do you plan on remaining vendor agnostic and maintaining the open-source character of the org without becoming an incubator for companies?
- With the individual events happening around the globe under the OWASP brand, what should happen with the profit from those events? Should it become part of the Global OWASP bank account?

For those interested in the future of OWASP and the perspectives of its potential leaders, this debate offers valuable insights. We want to invite all application security professionals to tune in and listen to the complete discussion to gain a deeper understanding of the candidates' visions and strategies for the advancement of OWASP in the coming years.

Chris concludes with this message: "I can't stress enough the importance of your active participation in the upcoming board elections. These elections play a pivotal role, and you, as a valued member of the OWASP community, have the power to shape our organization's future. I want to remind you that there's a dedicated candidate page for each contender, complete with videos where they lay out their platforms and provide written answers to various questions. You must be informed. As an OWASP member, I urge you to exercise your right to vote. The voting period for the board of directors will open on October 15 and run until October 30. I genuinely believe that voting isn't just a right—it's a responsibility. Your vote will help determine the next generation of leaders who will steer OWASP in the coming years."

Links:
OWASP Global Board Candidates webpage: https://owasp.org/www-board-candidates/