
The Application Security Podcast

Latest episodes

May 3, 2023 • 44min

Tony Turner -- Threat Modeling and SBOM

Have you ever considered using an SBOM to inform your threat modeling? Tony Turner has. Tony joins us to discuss SBOMs, threat modeling, and the importance of Cyber Informed Engineering. Tony delves into the SBOM (Software Bill of Materials) concept, highlighting its value proposition in identifying vulnerabilities, demonstrating compliance with software licenses, and informing M&A activities and incident response indicators related to cyberattacks. We also explore the integration of SBOMs into the system engineering process and security engineering.

Tony further introduces the concept of Consequence-Driven Cyber Informed Engineering, which emphasizes understanding the potential consequences of cyberattacks on critical infrastructure rather than just on individuals or individual businesses. We discuss the four-step process of consequence-driven CIE. The conversation also addresses the challenges in communicating SBOM information, the importance of demanding transparency from suppliers, and the need to place trust in trusted third-party attestations.

Follow up:
- Research tools for integrating SBOMs into threat modeling
- Explore methods of communicating SBOM information
- Investigate Cyber Informed Engineering and Consequence-Driven principles in more detail

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The Application Security Podcast
➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!
Apr 18, 2023 • 49min

Christian Frichot -- Threat Modeling with hcltm

Christian Frichot is an AppSec hacker, security leader, and the developer of hcltm. He discusses the DevOps threat modeling tool he dreamed up and built. The tool was created to fit into developers' workflows and leverage tools they are familiar with. hcltm is designed to drive valuable change and be updated and maintained easily by software engineers. It is a developer-centric software product that is not heavily opinionated on diagramming, allowing users to employ their preferred methods for threat modeling. The solution is still evolving, and Frichot is open to user feedback and suggestions to improve it. He encourages people to try hcltm and see if it fits their threat modeling needs, as everyone approaches the process differently.

Critical actions for you to take from this episode:
- Try out hcltm: familiarize yourself with the hcltm threat modeling tool, which uses HashiCorp Configuration Language (HCL) to help manage threat models alongside software code in a developer-friendly way.
- Integrate threat modeling into your workflow: as a developer or security professional, explore ways to incorporate threat modeling into your current processes, such as using hcltm to manage threat models in a software repo and updating the model with each change.
- Improve communication and collaboration: learn from Christian's experience and focus on building relationships and networks in the security community and improving communication and influencing skills.
Apr 3, 2023 • 36min

Zohar Shachar -- Bug Bounty from Both Sides

Zohar Shachar joins us to discuss the bug bounty process from both sides. Zohar has spent time as a bug bounty hunter and shares wisdom on avoiding bug bounty-causing issues for your AppSec posture. We hope you enjoy this conversation with... Zohar Shachar.
Mar 23, 2023 • 43min

Sarah-Jane Madden -- Threat Modeling to established teams

Sarah-Jane Madden is the Chief Information Security Officer of Sensing Technology Group, part of Fortive. She has over 20 years of software experience, from the most formal environments to ‘let’s fix it in production’ type teams. She has been a longtime advocate of deliberate application security as a partnership with product management and believes security does not have to be an overhead. Sarah-Jane joins us to discuss her talk at OWASP Dublin, "Far from green fields — introducing Threat Modeling to established teams." She shares lessons learned from her 3-year journey and is transparent about the mistakes she made along the way. We hope you enjoy this conversation with... Sarah-Jane Madden.
Mar 16, 2023 • 39min

Jet Anderson -- The AppSec Code Doctor

Jet Anderson's passion is teaching today's software developers to write secure code as part of modern DevOps pipelines, at speed and scale, without missing a beat. He's been a software engineer for over 25 years and believes fixing security bugs is better than finding them. Jet joins us to discuss whether to be a software engineer or a security engineer first, how fixing security bugs is better than just finding them, and the Code Doctor security training program he built and deployed. We hope you enjoy this conversation with... Jet Anderson.
Mar 9, 2023 • 38min

James Mckee -- Developer Security

James Mckee is a developer (MCPDEA) and security advocate (CISSP) whose biggest responsibility is leading developer security practices. He sets the standards and procedures for the practice's operations and leads all client engagement efforts concerning security. He also takes the lead in ensuring that company staff (developers specifically) are properly trained and following best practices concerning application security. Currently, he is responsible for training and providing product guidance for developers worldwide. James joins us to discuss offensive application security for developers. We also get into the role of security professionals in reaching developers outside of the security echo chamber. We hope you enjoy this conversation with... James Mckee.
Mar 2, 2023 • 42min

Derek Fisher -- The Application Security Handbook

Derek is the author of “The Application Security Handbook.” He is a university instructor at Temple University, where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led security teams, large and small, at organizations in the healthcare and financial industries. Derek joins us to unpack the goals of an application security program, what is cutting edge in application security programs today, the role of open source vs. commercial, and guidance such as "decentralized application security," "enablement instead of gates," "application security as a service," and "stop chasing the shiny new tool." We hope you enjoy this conversation with... Derek Fisher.

Find the book at https://www.manning.com/books/application-security-program-handbook
Feb 23, 2023 • 43min

Rob van der Veer -- OWASP AI Security & Privacy Guide

Rob van der Veer has a 30-year background in software engineering, building AI businesses, creating software, and assessing software. He is a senior director at the Software Improvement Group, where he established practices for AI, security, and privacy. Rob is involved in several standardization initiatives, such as OWASP SAMM, ENISA, CIP, and the AI security & privacy guide. He leads the writing group for the new ISO standard on AI engineering: 5338. Rob co-leads the OWASP integration project, with openCRE.org as a key result, aiming to create alignment in the standards landscape. Rob joins us to introduce the OWASP AI Security and Privacy Guide. We cover Rob's observations on how AI engineering differs from regular software engineering, typical software engineering pitfalls for AI engineers, the new guide's scope, threats introduced with AI, and mitigations that orgs and teams can use to build a secure AI system. We hope you enjoy this conversation with... Rob van der Veer.

Show Notes:
Visit the OWASP AI Security & Privacy Guide here --> https://owasp.org/www-project-ai-security-and-privacy-guide/
Jan 10, 2023 • 29min

Robyn Lundin -- Planning & organizing a penetration test as an AppSec team

Robyn Lundin started working in tech after a coding boot camp as a developer for a small startup. She then discovered her passion for security, pivoted into pentesting for NCC Group, and now works as a Senior Product Security Engineer for Slack. Robyn joins us to discuss the role of penetration testing within the application security realm. Robyn provides actionable guidance you can apply directly to your application pen testing program. We hope you enjoy this conversation with... Robyn Lundin.
Jan 3, 2023 • 47min

Michael Bargury -- Low Code / No Code Security and an OWASP Top Ten

Michael Bargury, CTO of Zenity, discusses low-code/no-code security and the OWASP top ten. They explore the power and risks of low code and no code platforms, the positive aspects and importance of security in these platforms, challenges of ensuring security for business users, data leakage and issues with local no code platforms, and the importance of understanding the security implications and taking responsibility.
