The Application Security Podcast

Jay Bobo and Darylynn Ross discuss the shift from application security to product security. They emphasize the importance of effective communication and integrating security within development teams. The podcast challenges the current state of penetration testing and encourages a holistic approach to product security.

Eitan Worcel joins the Application Security Podcast, to talk automated code fixes and the role of artificial intelligence in application security. We start with a thought-provoking discussion about the consistency and reliability of AI-generated responses in fixing vulnerabilities like Cross-Site Scripting (XSS). The conversation highlights a future where AI on one side writes code while AI on the other side fixes it, raising questions about the outcomes of such a scenario.The discussion shifts to the human role in using AI for automated code fixes. Human oversight is important in setting policies or rules to guide AI, as opposed to letting it run wild on the entire code base. This controlled approach, akin to a 'controlled burn,' aims at deploying AI in a way that's beneficial and manageable, without overwhelming developers with excessive changes or suggestions.We also explore the efficiency gains expected from AI in automating tedious tasks like fixing code vulnerabilities. We compare this to the convenience of household robots like Roomba, imagining a future where AI takes care of repetitive tasks, enhancing developer productivity. However, we also address potential pitfalls, such as AI's tendency to 'hallucinate' or generate inaccurate solutions, underscoring the need for caution and proper validation of AI-generated fixes.This episode offers a balanced perspective on the integration of AI in application security, highlighting both its promising potential and the challenges that need to be addressed. Join us as we unravel the complexities and future of AI in AppSec, understanding how it can revolutionize the field while remaining vigilant about its limitations.Recommended Reading from Eitan: The Hard Thing About Hard Things by Ben Horowitz - https://www.harpercollins.com/products/the-hard-thing-about-hard-things-ben-horowitz?variant=32122118471714FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bjorn Kimminich, the driving force behind the OWASP Juice Shop project, joins Chris and Robert to discuss all things Juice Shop. The OWASP Juice Shop is a deliberately vulnerable web application that serves as an invaluable training tool for security professionals and enthusiasts. Bjorn provides a comprehensive overview of the latest features and challenges introduced in the Juice Shop, underscoring the project's commitment to simulating real-world security scenarios.Key highlights include the introduction of coding challenges, where users must identify and fix code vulnerabilities. This interactive approach enhances the learning experience and bridges the gap between theoretical knowledge and practical application. Additionally, Bjorn delves into the integration of Web3 and smart contracts within the Juice Shop, reflecting the project's adaptation to emerging technologies in the blockchain domain. This integration poses new challenges and learning opportunities, making the Juice Shop a continually relevant and evolving platform for cybersecurity training.The episode concludes with an acknowledgment of the project's maintenance efforts and the introduction of a novel cheating detection mechanism. This system assesses the patterns and speed of challenge completions, ensuring the integrity of the learning process. Bjorn's discussion also highlights the inclusion of 'shenanigan' challenges, adding a layer of fun and creativity to the application. The significant impact of the Juice Shop on the cybersecurity community, as a tool for honing skills and understanding complex security vulnerabilities, is evident throughout the discussion, marking this episode as an essential watch for those in the field.Links:OWASP Juice Shop - https://owasp.org/www-project-juice-shop/Pwning OWASP Juice Shop by Björn Kimminich. The official companion guide to the OWASP Juice Shop - https://leanpub.com/juice-shop"OWASP Juice Shop Jingle" by Brian Johnson of 7 Minute Security - https://soundcloud.com/braimee/owasp-juice-shop-jingleFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Arshan Dabirsiaghi, Co-founder of Pixee, discusses startups, AI in appsec, and Codemodder.io. They explore unrealistic expectations on developers regarding security, the dynamic nature of startups, and the future of AI in application security.

Chris and Robert are thrilled to have an insightful conversation with Dr. Jared Demott, a seasoned expert in the field of cybersecurity. The discussion traverses a range of topics, from controversial opinions on application security to the practical aspects of managing bug bounty programs in large corporations like Microsoft.We dive into the technicalities of bug bounty programs, exploring how companies like Microsoft handle the influx of reports and the importance of such programs in a comprehensive security strategy. Dr. Demott provides valuable insights into the evolution of bug classes and the never-ending challenge of addressing significant bug types, emphasizing that no bug class can ever be fully eradicated.This episode is a must-listen for anyone interested in the nuances of software security, the realities of cybersecurity employment, and the ongoing challenges in bug mitigation. Join us for an enlightening journey into the heart of application security with Dr. Jared Demott.Links:Microsoft Security Response Center MSRC: https://www.microsoft.com/en-us/msrcFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dr. Katharina Koerner, a renowned advisor and community builder with expertise in privacy by design and responsible AI, joins Chris and Robert to delve into the intricacies of responsible AI in this episode of the Application Security Podcast. She explores how security intersects with AI, discusses the ethical implications of AI's integration into daily life, and emphasizes the importance of educating ourselves about AI risk management frameworks. She also highlights the crucial role of AI security engineers, the ethical debates around using AI in education, and the significance of international AI governance. This discussion is a deep dive into AI, privacy, security, and ethics, offering valuable insights for tech professionals, policymakers, and individuals.Links:UNESCO Recommendation on the Ethics of Artificial Intelligence:  https://www.unesco.org/en/artificial-intelligence?hub=32618OECD AI Principles: https://oecd.ai/en/ai-principlesWhite House Blueprint for an AI Bill of Rights: https://www.whitehouse.gov/ostp/ai-bill-of-rights/NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-frameworkNIST Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations: https://csrc.nist.gov/pubs/ai/100/2/e2023/ipdMicrosoft Responsible AI Standard, v2: https://www.microsoft.com/en-us/ai/principles-and-approach==> Microsoft Failure Modes in Machine Learning: https://learn.microsoft.com/en-us/security/engineering/failure-modes-in-machine-learningENISA Securing Machine Learning Algorithms: https://www.enisa.europa.eu/publications/securing-machine-learning-algorithmsGoogle Secure AI Framework (SAIF): https://developers.google.com/machine-learning/resources/saif==> Google Why Red Teams Play a Central Role in Helping Organizations Secure AI Systems: https://services.google.com/fh/files/blogs/google_ai_red_team_digital_final.pdfRecommended Book:The Ethical Algorithm: The Science of Socially Aware Algorithm Design  by Michael Kearns and Aaron Roth: https://global.oup.com/academic/product/the-ethical-algorithm-9780190948207?cc=us&lang=en&FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For Security Pros & Business Leaders | Strategic Insights & Leadership Lessons🔒🌟 When Ray Espinoza joined Chris and Robert on the Application Security Podcast, he gave a treasure trove of insights for both security professionals and business leaders alike! Whether you're deep in the trenches of information security or steering the ship in business leadership, this episode is packed with valuable takeaways. Dive in to discover why this is a must-listen for professionals across the spectrum. 🌟🔒For Security Professionals:1. CISO Insights: Gain a glimpse into the strategic mind of a Chief Information Security Officer. Learn from their real-world experiences and challenges in aligning security with business goals.2. Career Development: Get inspired by the speaker's career journey and learn the importance of mentorship in your professional growth.3. Data-Driven Security: Embrace a data-driven approach to security solutions, focusing on tangible results and measurable outcomes.For Business Leaders:1. Strategic Security Understanding: Learn how information security is integral to overall business strategy and decision-making.2. Universal Risk Management: Gain insights into risk management strategies applicable across various business aspects.3. Communication & Relationship Building: Enhance your skills in effective communication and professional relationship building.4. Leadership & Mentorship: Absorb valuable lessons in guiding and inspiring your team, crucial for effective leadership.5. Adaptability in Leadership: Understand the importance of flexibility and adaptability in today's rapidly evolving business landscape.6. Data-Driven Decisions: Embrace the power of data in driving efficient and accountable business processes.Why Listen?👉 For security pros, this is your chance to deepen your understanding of strategic security management and enhance your interpersonal skills.👉 For business leaders, this episode offers a unique perspective on how security strategies impact broader business objectives and leadership practices.Don't Miss Out!🎧 Tune in now for an enlightening discussion filled with actionable insights. Whether you're an aspiring CISO, a seasoned security professional, or a business leader looking to broaden your horizons, this podcast has something for everyone. 👍 Like, Share, and Subscribe for more insightful content!💬 Drop your thoughts and takeaways in the comments below!#SecurityLeadership #BusinessStrategy #RiskManagement #CareerGrowth #DataDrivenDecisions #LeadershipSkills---Remember, your engagement helps us bring more such content. So, hit that like button, share with your network, and subscribe for more insightful episodes! 🌟🔊📈Ray's Book Recommendation:Extreme Ownership by Jocko Willink and Leif Babinhttps://echelonfront.com/books/extreme-ownership/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris John Riley discusses the Minimum Viable Secure Product (MVSP) checklist for B2B software, targeting startups and organizations creating new applications. MVSP includes controls for business operations, application design, implementation, and operational controls. It emphasizes regular third-party penetration testing and evolutionary updates to keep up with cybersecurity changes. The future of MVSP focuses on evolving controls and industry feedback. The importance of application security and book recommendations are also discussed.

Steve Wilson and Gavin Klondike are part of the core team for the OWASP Top 10 for Large Language Model Applications project. They join Robert and Chris to discuss the implementation and potential challenges of AI, and present the OWASP Top Ten for LLM version 1.0. Steve and Gavin provide insights into the issues of prompt injection, insecure output handling, training data poisoning, and others. Specifically, they emphasize the significance of understanding the risk of allowing excessive agency to LLMs and the role of secure plugin designs in mitigating vulnerabilities.The conversation dives deep into the importance of secure supply chains in AI development, looking at the potential risks associated with downloading anonymous models from community-sharing platforms like Huggingface. The discussion also highlights the potential threat implications of hallucinations, where AI produces results based on what it thinks it's expected to produce and tends to please people, rather than generating factually accurate results. Wilson and Klondike also discuss how certain standard programming principles, such as 'least privilege', can be applied to AI development. They encourage developers to conscientiously manage the extent of privileges they give to their models to avert discrepancies and miscommunications from excessive agency. They conclude the discussion with a forward-looking perspective on how the OWASP Top Ten for LLM Applications will develop in the future.Links:OWASP Top Ten for LLM Applications project homepage:https://owasp.org/www-project-top-10-for-large-language-model-applications/OWASP Top Ten for LLM Applications summary PDF: https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-slides-v1_1.pdfFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tanya Janca, also known as SheHacksPurple, joins the Application Security Podcast again to discuss secure coding, threat modeling, education, and other topics in the AppSec world. With a rich background spanning over 25 years in IT, coding, and championing cybersecurity, Tanya delves into the essence of secure coding.Tanya highlights the difference between teaching developers about vulnerabilities and teaching them the practices to avoid these vulnerabilities in the first place. Instead of focusing on issues like SQL injection, she emphasizes the importance of proactive measures like input validation and always using parameterized queries. She believes teaching developers how to build secure applications is more effective than merely pointing out vulnerabilities.She also explains the importance of a secure system development life cycle (SDLC). Software companies often state "We take your security seriously." Tanya believes the phrase should only be used by companies that have a secure SDLC in place. Without it, the phrase is rendered meaningless.Discussing the intersection of coding and threat modeling, Tanya shares personal anecdotes that underscore the need to view systems with a critical eye, always anticipating potential vulnerabilities and threats. She recounts her initial reactions during threat modeling sessions, where she is surprised by the myriad ways applications can be exploited.One of her most crucial takeaways for developers is the principle of distrust and verification. Tanya stresses that when writing code, developers should not trust any input or connection blindly. Everything received should be validated to ensure its integrity and safety. This practice, she believes, not only ensures the security of applications but also makes the lives of incident responders easier.Toward the end of the podcast, Tanya recommends This is How They Tell Me the World Ends," which offers a deep dive into the zero-day industry. She lauds the book for its meticulous research and compelling narrative. The episode wraps up with Tanya encouraging listeners to stay connected with her work and to anticipate her upcoming book.Links:Alice and Bob Learn Application Security by Tanya Janca     https://www.wiley.com/en-us/Alice+and+Bob+Learn+Application+Security-p-9781119687405This is How They Tell Me the World Ends by Nicole Perlroth     https://thisishowtheytellmetheworldends.com/WeHackPurple     https://wehackpurple.com/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~