The Boring AppSec Podcast

Jul 3, 2025 • 54min

Casey Ellis

In this episode, we talk to Casey Ellis, Founder & Advisor @Bugcrowd. Casey shares his personal journey through health challenges and his insights into the cybersecurity landscape. He discusses the evolution of the bug bounty industry, the importance of secure design, and the role of AI in both enhancing and complicating security measures. Casey emphasizes the need for accountability and the potential of crowdsourcing in security, while also addressing the challenges of implementing effective standards. The conversation concludes with reflections on the future of AI in security and the necessity for focused problem-solving in the industry.

Key Takeaways
- The bug bounty industry has transformed lives and created new opportunities.
- Founding a company involves learning from both successes and failures.
- The cybersecurity industry often focuses on quick wins rather than fundamental problems.
- Secure by design is essential for addressing root causes of vulnerabilities.
- Crowdsourcing can enhance accountability in security practices.
- Standards like ASVS are important but can be complex to implement.
- AI is both a tool and a threat in the cybersecurity landscape.
- Focusing on specific problems is key to leveraging AI effectively.

Tune in to find out more!

Contacting Casey
* LinkedIn: https://www.linkedin.com/in/caseyjohnellis/
* Bugcrowd: https://www.bugcrowd.com/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Mar 9, 2025 • 47min

S2E10 - Vivek Ramachandran

In Season 2 Episode 10, we talk to Vivek Ramachandran, Founder @SquareXTeam. In this episode, Vivek shares his journey in cybersecurity, discussing the evolution of content creation, the importance of building for a global audience, and navigating the Indian cybersecurity market. He emphasizes the need for browser security, the challenges of local markets, and the significance of personal relationships in business.

In this conversation, Vivek Ramachandran shares insights on the challenges faced by founders, particularly in breaking into the U.S. market. He emphasizes the importance of building a strong advisor network and engaging in technical conversations. The discussion also delves into the evolving landscape of cybersecurity, highlighting the impact of AI on both attackers and defenders. Vivek offers valuable advice for new startup founders, stressing the need for patience, understanding the responsibilities of fundraising, and focusing on fundamental skills.

Key Takeaways
- The browser is now considered the new endpoint for security.
- Pentester Academy was born out of a need to share knowledge.
- Content creation has evolved significantly over the years. Today's audience prefers bite-sized, impactful content.
- Founders should think globally from the start.
- Cybersecurity in India is often driven by compliance rather than necessity.
- Technical founders must adapt to market needs and customer relationships.
- Design partnerships can help startups gain traction in local markets.
- Founders often give up after a few rejections.
- Building an advisor network is essential for success.
- AI is changing the dynamics of cybersecurity.
- Raising funds is a responsibility, not a success metric.
- Focus on fundamentals to stay relevant in tech.
- Learning by doing is becoming too easy with AI.
- Engage with your target market to build credibility.

Tune in to find out more!

Contacting Vivek
* LinkedIn: https://www.linkedin.com/in/vivekramachandran/
* SquareX: https://www.sqrx.com/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Mar 3, 2025 • 44min

S2E9 - Ali Mesdaq

In Season 2 Episode 9, we talk to Ali Mesdaq, Founder & CEO @ Amplify Security. We discuss the evolution of security tools, the importance of customer validation, and the role of AI agents in enhancing security practices. Ali shares insights on building a positive security culture within organizations and how Amplify Security differentiates itself in a competitive market. The conversation emphasizes the need for collaboration between security and development teams, the challenges of addressing known and unknown vulnerabilities, and the future of AI in cybersecurity.

Key Takeaways
- Amplify helps coders secure their code effectively.
- Customer validation is crucial for startup confidence.
- Security tools should enhance developer experience.
- AI agents can automate security fixes intelligently.
- Contextual understanding is vital for security solutions.
- Developers should approve code changes for security fixes.
- A positive security culture fosters collaboration.
- AI can help prioritize and manage vulnerabilities.
- The future of security involves AI-driven solutions.
- Security issues must be addressed in a timely manner.

Tune in to find out more!

Contacting Ali
* LinkedIn: https://www.linkedin.com/in/amesdaq/
* Akto: https://amplify.security/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Feb 24, 2025 • 43min

S2E8 - Ankita Gupta

In Season 2 Episode 8, we talk to Ankita Gupta, Co-Founder & CEO @ Akto.io. Ankita shares her unique journey into the cybersecurity space, discussing her diverse background and the inception of her API security company. She emphasizes the importance of understanding customer needs, the role of co-founders in a startup's success, and the surprising maturity of buyers in the cybersecurity industry. Ankita also delves into marketing strategies for cybersecurity startups, highlighting the need for differentiation and continuous iteration in messaging.

In this conversation, Ankita discusses various aspects of marketing strategies for enterprise SaaS, the challenges of building a brand in a competitive market, and the importance of API security. She emphasizes the need for startups to identify specific problems within their target market and how LLMs can significantly enhance API security. The discussion also touches on the necessity of experimentation and iteration in integrating AI into products.

Key Takeaways
- Understanding customer needs is crucial for product development.
- A strong co-founder relationship is vital for startup success.
- Buyers in cybersecurity are more mature than in other industries.
- Marketing should focus on product differentiation.
- Iterate marketing positioning continuously based on feedback.
- Networking is important, but building a customer base is essential.
- Cybersecurity tools are often purchased through structured processes.
- Social media is crucial for enterprise SaaS marketing.
- Branding requires a clear representation of the product's value.
- API security is a growing concern that needs addressing.
- LLMs can revolutionize the way API security is approached.
- It's essential to iterate and experiment with AI technologies.
- The market for API security is significant, even if not immediately recognized.
- Startups should not shy away from basic use cases with LLMs.

Tune in to find out more!

Contacting Ankita
* LinkedIn: https://www.linkedin.com/in/ankita-gupta-89214515/
* Akto: https://www.akto.io/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Feb 17, 2025 • 46min

S2E7 - Jonathan Cran

In Season 2 Episode 7, we talk to Jonathan Cran, Founder @ Stealth. Jonathan is a seasoned security industry veteran, discussing the evolution of AI in security, the challenges of adopting AI technologies in enterprises, and the future of attack surface management. We explore the role of AI agents, the importance of context in security solutions, and provide insights for cybersecurity entrepreneurs looking to navigate the rapidly changing landscape of technology and security.

Key Takeaways
- AI agents are still in early development stages.
- Consistency is crucial for AI adoption in enterprises.
- Automation can significantly enhance security processes.
- Contextual understanding is key for effective risk scoring.
- Generative AI can both solve security problems and create new ones.
- The demand for automated remediation solutions is growing.
- Attack surface management is evolving with new technologies.
- Understanding vulnerabilities requires a comprehensive approach.
- Entrepreneurs should focus on market problems, not just technology.
- Investors prioritize team, timing, and traction when evaluating startups.

Tune in to find out more!

Contacting Jonathan
* LinkedIn: https://www.linkedin.com/in/jcran/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Feb 9, 2025 • 50min

S2E6 - Vibhav Sreekanti

In Season 2 Episode 6, we talk to Vibhav Sreekanti, Co-Founder & CTO @ProphetSecurity. We discuss the evolving landscape of AI in cybersecurity, the skepticism surrounding generative AI, and the importance of experimentation with AI agents. Vibhav shares insights on building specialized agents for security operations, the challenges of deploying AI in production, and the critical need for security in AI infrastructure. The conversation emphasizes the necessity of asking tough questions about data security and the role of AI in enhancing security operations.

We discuss the evolving landscape of security operations, focusing on the role of AI agents and the challenges faced by SOAR platforms. We explore the importance of centralized authentication, the need for human oversight in AI applications, and the lessons learned from Vibhav's startup journey, emphasizing the significance of team dynamics and market readiness.

Key Takeaways
- Vibhav has spent his career at startups, focusing on building products and teams.
- Keeping up with AI advancements requires active engagement on platforms like Twitter.
- Hands-on experimentation with new tools is crucial for understanding their applicability.
- Skepticism in AI is warranted due to past over-promises in the industry.
- Generative AI can enhance security operations if implemented thoughtfully.
- AI agents should be used selectively based on the problem at hand.
- Building a suite of specialized agents can lead to more effective outcomes.
- Security practices for distributed systems apply to agentic architectures as well.
- Data security and handling are paramount when using third-party AI models.
- Implementing gateways for AI interactions can help enforce security policies.
- Centralized authentication and authorization using OPA is compelling.
- SOAR platforms have not lived up to their promises, leading to alert fatigue.
- AI agents can enhance investigative tasks in security operations.
- Human oversight is essential in AI-driven security solutions.
- The importance of team dynamics cannot be overstated in startups.
- Understanding market dynamics is crucial for startup success.
- Being too early in a market can be as detrimental as being wrong.
- Feedback loops are vital for improving AI systems in security.
- The alert is just the beginning of incident response.
- The journey of AI agents in security is still in its infancy.

Tune in to find out more!

Contacting Vibhav
* LinkedIn: https://www.linkedin.com/in/vibhavs/
* Prophet Security: https://www.prophetsecurity.ai/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Feb 1, 2025 • 42min

S2E5 - Drew Dennison

In Season 2 Episode 5, we talk to Drew Dennison, Co-Founder & CTO @ Semgrep. We discuss the evolution of Semgrep as a code security tool, its focus on custom rules, and the importance of open source in democratizing application security. Drew shares insights from his entrepreneurial journey, the challenges faced in the early days of Semgrep, and the lessons learned from working in both the defense and civilian sectors of cybersecurity. The conversation highlights the shifting paradigms in application security, emphasizing the need for comprehensive coverage and the integration of modern development practices.

In this conversation, Drew discusses the evolving landscape of cybersecurity, emphasizing the importance of custom rules in data security, the convergence of various security practices, and the role of open source in driving community engagement. He also explores the integration of AI and LLMs in code security, highlighting the potential for these technologies to enhance security processes while maintaining the necessity of human oversight. The discussion culminates in insights about the future of Semgrep Assistant and the balance between automation and human expertise in security.

Key Takeaways
- Semgrep is a code security tool focused on custom rules.
- The importance of understanding user problems in product development.
- Open source tools can democratize access to security solutions.
- The evolution of static analysis tools has improved user experience.
- Insights from the defense sector highlight the asymmetry in cybersecurity.
- Companies often overlook basic security hygiene in favor of advanced solutions.
- The modern application stack requires a holistic security approach.
- 100% code coverage is now achievable with modern tools.
- Community contributions enhance the effectiveness of open source projects.
- The architecture of software development has shifted towards microservices.
- User data doesn't go any deeper than this in our stack.
- The convergence of static analysis, software composition analysis, and secret scanning is notable.
- At the technology level, we think of it as all basically the same problem.
- We always knew we wanted to have an enterprise component for it.
- We recognized early that LLMs were going to be the future of security.
- Generative AI can help automate rule writing and prioritization.
- Contextualization in security is essential for effective rule application.
- The Semgrep Assistant aims to enhance developer trust and confidence.
- AI will complement human roles rather than replace them in security.
- Automation in security processes is crucial, similar to aviation.

Tune in to find out more!

Contacting Drew
* LinkedIn: https://www.linkedin.com/in/drewdennison/
* Semgrep: https://semgrep.dev/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Jan 27, 2025 • 47min

S2E4 - Varun Badhwar

In Season 2 Episode 4, we talk to Varun Badhwar, Founder & CEO @ Endor Labs. We discuss the current state of application security, the challenges faced by development teams, and the importance of integrating security into the software development lifecycle. Varun shares insights from his previous experiences in building and acquiring cybersecurity companies, emphasizing the need for effective compliance strategies and the balance between platform solutions and best-of-breed tools.

In this conversation, Varun Badhwar discusses the evolving landscape of cybersecurity, emphasizing the importance of compliance, product usability, and the integration of AI technologies like LLMs in vulnerability management. He highlights the need for a user-centric approach in AppSec, the challenges of providing context to engineers, and the future implications of AI in security governance.

Key Takeaways
- Endor Labs aims to make AppSec more engaging and effective.
- Many existing AppSec tools create friction between teams.
- The future of software development will involve AI-generated code.
- Understanding the software supply chain is crucial for security.
- Acquisitions in cybersecurity often fail due to integration issues.
- Founders must empathize with practitioner pain to build effective products.
- Compliance often drives security priorities in organizations.
- Effective integration of tools can enhance security outcomes.
- The industry needs to focus on enabling faster business operations.
- Balancing platform capabilities with best-of-breed tools is essential.
- Compliance is essential for sales enablement in cybersecurity.
- First-time founders should focus on product and distribution.
- User experience and developer experience are critical in AppSec products.
- Contextual information is vital for engineers to make informed decisions.
- Automation can help reduce noise in security alerts.
- Reachability analysis improves visibility in code dependencies.
- Impact assessment is crucial for effective vulnerability remediation.
- LLMs can assist in reasoning but need rules for effective application.
- AI governance is a growing concern in the software development space.
- The industry must adapt to the rapid advancements in AI technology.

Tune in to find out more!

Contacting Varun
* LinkedIn: https://www.linkedin.com/in/vbadhwar/
* Endor Labs: https://www.endorlabs.com/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Jan 20, 2025 • 44min

S2E3 - Robert Wood

In Season 2 Episode 3, we interview Robert Wood, Founder & CEO @ SideKick Security. We discuss Rob's journey from working at Cigital to starting his own consulting firm, the challenges of point solutions in cybersecurity, and the importance of soft skills in the industry. Rob shares insights on platformization versus services, tailoring security programs to unique needs, and building a security data lake to enhance data sharing and collaboration among teams. The conversation emphasizes the need for effective communication and community engagement in cybersecurity.

Key Takeaways
- Sidekick Security aims to address the challenges of siloed point solutions in cybersecurity.
- Rob emphasizes the importance of soft skills alongside technical skills in cybersecurity roles.
- Platformization can help reduce silos, but unique security needs must be considered.
- Every security program is unique and should be approached accordingly.
- Building a security data lake can enhance data sharing and collaboration among teams.
- Effective communication is crucial for security professionals to succeed.
- Engaging with the community is essential for growth in the cybersecurity field.
- Regulation and governance discussions are crucial as new technologies emerge.

Tune in to find out more!

Contacting Robert
* LinkedIn: https://www.linkedin.com/in/holycyberbatman/
* SideKick Security: https://sidekicksecurity.io/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Jan 13, 2025 • 49min

S2E2 - Dustin Lehr

In Season 2 Episode 2, we interview Dustin Lehr, Co-Founder, Chief Product & Technology Officer at Katilyst. We discuss the significance of security champions in application security. We explore the cultural aspects of implementing security champions programs, the challenges of maintaining engagement, and the importance of leadership support. The conversation delves into measuring the success of these programs, the role of behavioral science, and the impact of effective training and gamification in enhancing security awareness within organizations.

Dustin discusses the Octalysis framework, which identifies eight core human motivators that can be leveraged in gamification and cybersecurity culture. He emphasizes the importance of building relationships within organizations to change perceptions of security teams and foster a collaborative environment. Dustin also shares insights on the intersection of creativity and cybersecurity, his motivations for starting a company, and the role of AI in enhancing human interactions rather than replacing them.

Key Takeaways
- Security champions programs are crucial for fostering a security culture.
- Engagement and leadership support are key to program success.
- Measuring success can be challenging but is essential.
- Behavioral science plays a significant role in security engagement.
- Gamification can enhance training but must be used wisely.
- Curiosity can drive initial engagement but must be sustained.
- Training should be relevant and tailored to the audience.
- Creating empathy between teams improves security outcomes.
- Deep gamification focuses on understanding human drives.
- Starting a company is about helping others, not just profit.
- AI can augment human interactions but cannot replace them.
- Security teams should focus on providing value and support.
- Human connection is essential in cybersecurity.
- The importance of community and collaboration in security efforts.

Tune in to find out more!

Contacting Dustin
* LinkedIn: https://www.linkedin.com/in/dustinlehr/
* Security Champion Success Guide: https://securitychampionsuccessguide.org/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
