The Boring AppSec Podcast

Jul 31, 2025 • 48min

Agentic AI: Transforming Vulnerability Management with Harry Wetherald

Harry Wetherald, Co-Founder and CEO of Maze, shares his expertise in AI and machine learning, particularly in the realm of vulnerability management. He delves into the concept of agentic AI, which allows AI to independently analyze vulnerabilities, massively enhancing efficiency. The conversation highlights the critical need for context engineering to tailor AI solutions for diverse organizations. Harry also discusses the hurdles of achieving reliable AI systems and emphasizes the importance of clear pricing strategies to improve customer experience and budget predictability.
Jul 23, 2025 • 57min

Surag Patel and Arshan Dabirsiaghi

In this episode, we talk to Surag Patel (CEO @ Pixee) and Arshan Dabirsiaghi (CTO @ Pixee). We discuss the transformative approach that Pixee is taking in application security. We explore the shift from traditional security tools that merely detect vulnerabilities to a model that emphasizes automated remediation. The discussion covers the evolving role of AppSec professionals, the integration of AI agents to scale coverage, the importance of trust in automated fixes, and the challenges of navigating a crowded security market. We also touch on the future of security in design specifications and the need for a comprehensive approach to security that includes all stakeholders in the software development lifecycle.

Key Takeaways
- The traditional model of security tools is being challenged.
- Pixee aims to automate not just detection but also remediation.
- AI agents can help scale coverage in application security.
- The role of AppSec professionals will evolve with AI integration.
- Trust is crucial for developers to accept automated fixes.
- Developers want tools that reduce their workload, not add to it.
- Contextual understanding is key for accurate vulnerability triage.
- The security market is not saturated; there are still many unsolved problems.
- Integrating security into design specifications is the future.
- A comprehensive approach to security is necessary for effective risk management.

Tune in to find out more!

Contacting Surag & Arshan
* Surag's LinkedIn: https://www.linkedin.com/in/suragpatel/
* Arshan's LinkedIn: https://www.linkedin.com/in/arshan-dabirsiaghi/
* Pixee: https://www.pixee.ai/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Jul 15, 2025 • 55min

Ken Johnson

In this episode, we talk to Ken Johnson, Co-Founder & CTO @ DryRun Security. Ken discusses the evolution of application security, focusing on the role of AI and LLMs in enhancing security practices. He emphasizes the importance of context engineering over traditional prompt engineering, the challenges of consistency and repeatability in LLM outputs, and the ethical considerations surrounding AI in security. The discussion also highlights the need for orchestration in AI applications and the future potential of AI in the security landscape.

Key Takeaways
- DryRun Security utilizes AI to enhance code security.
- Context engineering is crucial for effective AI applications.
- LLMs can augment security practices but require careful orchestration.
- Consistency in LLM outputs is a significant challenge.
- Ethical considerations in AI are becoming increasingly important.
- Finding the right balance in using LLMs is essential.
- Community collaboration is vital for advancing AI solutions.
- Orchestration is a key factor in AI performance.
- AI will not replace jobs but will change how we work.

Tune in to find out more!

Contacting Ken
* LinkedIn: https://www.linkedin.com/in/cktricky/
* DryRun Security: https://www.dryrun.security/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Jul 3, 2025 • 54min

Casey Ellis

In this episode, we talk to Casey Ellis, Founder & Advisor @ Bugcrowd. Casey shares his personal journey through health challenges and his insights into the cybersecurity landscape. He discusses the evolution of the bug bounty industry, the importance of secure design, and the role of AI in both enhancing and complicating security measures. Casey emphasizes the need for accountability and the potential of crowdsourcing in security, while also addressing the challenges of implementing effective standards. The conversation concludes with reflections on the future of AI in security and the necessity for focused problem-solving in the industry.

Key Takeaways
- The bug bounty industry has transformed lives and created new opportunities.
- Founding a company involves learning from both successes and failures.
- The cybersecurity industry often focuses on quick wins rather than fundamental problems.
- Secure by design is essential for addressing root causes of vulnerabilities.
- Crowdsourcing can enhance accountability in security practices.
- Standards like ASVS are important but can be complex to implement.
- AI is both a tool and a threat in the cybersecurity landscape.
- Focusing on specific problems is key to leveraging AI effectively.

Tune in to find out more!

Contacting Casey
* LinkedIn: https://www.linkedin.com/in/caseyjohnellis/
* Bugcrowd: https://www.bugcrowd.com/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Mar 9, 2025 • 47min

S2E10 - Vivek Ramachandran

In Season 2 Episode 10, we talk to Vivek Ramachandran, Founder @ SquareX. In this episode, Vivek shares his journey in cybersecurity, discussing the evolution of content creation, the importance of building for a global audience, and navigating the Indian cybersecurity market. He emphasizes the need for browser security, the challenges of local markets, and the significance of personal relationships in business. Vivek also shares insights on the challenges faced by founders, particularly in breaking into the U.S. market, and emphasizes the importance of building a strong advisor network and engaging in technical conversations. The discussion also delves into the evolving landscape of cybersecurity, highlighting the impact of AI on both attackers and defenders. Vivek offers valuable advice for new startup founders, stressing the need for patience, understanding the responsibilities of fundraising, and focusing on fundamental skills.

Key Takeaways
- The browser is now considered the new endpoint for security.
- Pentester Academy was born out of a need to share knowledge.
- Content creation has evolved significantly over the years. Today's audience prefers bite-sized, impactful content.
- Founders should think globally from the start.
- Cybersecurity in India is often driven by compliance rather than necessity.
- Technical founders must adapt to market needs and customer relationships.
- Design partnerships can help startups gain traction in local markets.
- Founders often give up after a few rejections.
- Building an advisor network is essential for success.
- AI is changing the dynamics of cybersecurity.
- Raising funds is a responsibility, not a success metric.
- Focus on fundamentals to stay relevant in tech.
- Learning by doing is becoming too easy with AI.
- Engage with your target market to build credibility.

Tune in to find out more!

Contacting Vivek
* LinkedIn: https://www.linkedin.com/in/vivekramachandran/
* SquareX: https://www.sqrx.com/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Mar 3, 2025 • 44min

S2E9 - Ali Mesdaq

In Season 2 Episode 9, we talk to Ali Mesdaq, Founder & CEO @ Amplify Security. We discuss the evolution of security tools, the importance of customer validation, and the role of AI agents in enhancing security practices. Ali shares insights on building a positive security culture within organizations and how Amplify Security differentiates itself in a competitive market. The conversation emphasizes the need for collaboration between security and development teams, the challenges of addressing known and unknown vulnerabilities, and the future of AI in cybersecurity.

Key Takeaways
- Amplify helps coders secure their code effectively.
- Customer validation is crucial for startup confidence.
- Security tools should enhance developer experience.
- AI agents can automate security fixes intelligently.
- Contextual understanding is vital for security solutions.
- Developers should approve code changes for security fixes.
- A positive security culture fosters collaboration.
- AI can help prioritize and manage vulnerabilities.
- The future of security involves AI-driven solutions.
- Security issues must be addressed in a timely manner.

Tune in to find out more!

Contacting Ali
* LinkedIn: https://www.linkedin.com/in/amesdaq/
* Amplify Security: https://amplify.security/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Feb 24, 2025 • 43min

S2E8 - Ankita Gupta

In Season 2 Episode 8, we talk to Ankita Gupta, Co-Founder & CEO @ Akto.io. Ankita shares her unique journey into the cybersecurity space, discussing her diverse background and the inception of her API security company. She emphasizes the importance of understanding customer needs, the role of co-founders in a startup's success, and the surprising maturity of buyers in the cybersecurity industry. Ankita also delves into marketing strategies for cybersecurity startups, highlighting the need for differentiation and continuous iteration in messaging. She goes on to discuss marketing strategies for enterprise SaaS, the challenges of building a brand in a competitive market, and the importance of API security. She emphasizes the need for startups to identify specific problems within their target market and how LLMs can significantly enhance API security. The discussion also touches on the necessity of experimentation and iteration in integrating AI into products.

Key Takeaways
- Understanding customer needs is crucial for product development.
- A strong co-founder relationship is vital for startup success.
- Buyers in cybersecurity are more mature than in other industries.
- Marketing should focus on product differentiation.
- Iterate marketing positioning continuously based on feedback.
- Networking is important, but building a customer base is essential.
- Cybersecurity tools are often purchased through structured processes.
- Social media is crucial for enterprise SaaS marketing.
- Branding requires a clear representation of the product's value.
- API security is a growing concern that needs addressing.
- LLMs can revolutionize the way API security is approached.
- It's essential to iterate and experiment with AI technologies.
- The market for API security is significant, even if not immediately recognized.
- Startups should not shy away from basic use cases with LLMs.

Tune in to find out more!

Contacting Ankita
* LinkedIn: https://www.linkedin.com/in/ankita-gupta-89214515/
* Akto: https://www.akto.io/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Feb 17, 2025 • 46min

S2E7 - Jonathan Cran

In Season 2 Episode 7, we talk to Jonathan Cran, Founder @ Stealth. Jonathan is a seasoned security industry veteran; we discuss the evolution of AI in security, the challenges of adopting AI technologies in enterprises, and the future of attack surface management. We explore the role of AI agents, the importance of context in security solutions, and provide insights for cybersecurity entrepreneurs looking to navigate the rapidly changing landscape of technology and security.

Key Takeaways
- AI agents are still in early development stages.
- Consistency is crucial for AI adoption in enterprises.
- Automation can significantly enhance security processes.
- Contextual understanding is key for effective risk scoring.
- Generative AI can both solve security problems and create new ones.
- The demand for automated remediation solutions is growing.
- Attack surface management is evolving with new technologies.
- Understanding vulnerabilities requires a comprehensive approach.
- Entrepreneurs should focus on market problems, not just technology.
- Investors prioritize team, timing, and traction when evaluating startups.

Tune in to find out more!

Contacting Jonathan
* LinkedIn: https://www.linkedin.com/in/jcran/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
Feb 9, 2025 • 50min

S2E6 - Vibhav Sreekanti

In Season 2 Episode 6, we talk to Vibhav Sreekanti, Co-Founder & CTO @ Prophet Security. We discuss the evolving landscape of AI in cybersecurity, the skepticism surrounding generative AI, and the importance of experimentation with AI agents. Vibhav shares insights on building specialized agents for security operations, the challenges of deploying AI in production, and the critical need for security in AI infrastructure. The conversation emphasizes the necessity of asking tough questions about data security and the role of AI in enhancing security operations. We also discuss the evolving landscape of security operations, focusing on the role of AI agents and the challenges faced by SOAR platforms. We explore the importance of centralized authentication, the need for human oversight in AI applications, and the lessons learned from Vibhav's startup journey, emphasizing the significance of team dynamics and market readiness.

Key Takeaways
- Vibhav has spent his career at startups, focusing on building products and teams.
- Keeping up with AI advancements requires active engagement on platforms like Twitter.
- Hands-on experimentation with new tools is crucial for understanding their applicability.
- Skepticism in AI is warranted due to past over-promises in the industry.
- Generative AI can enhance security operations if implemented thoughtfully.
- AI agents should be used selectively based on the problem at hand.
- Building a suite of specialized agents can lead to more effective outcomes.
- Security practices for distributed systems apply to agentic architectures as well.
- Data security and handling are paramount when using third-party AI models.
- Implementing gateways for AI interactions can help enforce security policies.
- Centralized authentication and authorization using OPA is compelling.
- SOAR platforms have not lived up to their promises, leading to alert fatigue.
- AI agents can enhance investigative tasks in security operations.
- Human oversight is essential in AI-driven security solutions.
- The importance of team dynamics cannot be overstated in startups.
- Understanding market dynamics is crucial for startup success.
- Being too early in a market can be as detrimental as being wrong.
- Feedback loops are vital for improving AI systems in security.
- The alert is just the beginning of incident response.
- The journey of AI agents in security is still in its infancy.

Tune in to find out more!

Contacting Vibhav
* LinkedIn: https://www.linkedin.com/in/vibhavs/
* Prophet Security: https://www.prophetsecurity.ai/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
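Three of the takeaways above (a gateway in front of AI interactions, centralized authorization decisions in the OPA style, and a human in the loop) fit together as one control: every tool call an agent wants to make goes through a single policy decision point before it executes. The block below is an added illustration written for this page, not Prophet Security's code and not OPA itself; the roles, tool names, internal hostnames and limits are assumptions chosen to make the policy concrete.

```python
"""
Policy gateway for AI agent tool calls (added example, not from the podcast
or Prophet Security). Every call is routed through evaluate(), which applies
a role-based tool allow-list, per-tool argument constraints and a human-
approval requirement for destructive actions, then writes an audit entry.
The policy shape mimics a centralized OPA-style decision point; roles, tools,
hostnames and limits below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed policy document: which agent roles may call which tools, plus constraints.
POLICY = {
    "roles": {
        "triage-agent": {"search_logs", "lookup_asset", "http_get"},
        "response-agent": {"search_logs", "lookup_asset", "isolate_host"},
    },
    # Tools whose effect cannot be undone need a named human approver.
    "destructive_tools": {"isolate_host"},
    # Outbound HTTP from an agent is limited to known internal services.
    "allowed_http_hosts": {"siem.internal.example", "cmdb.internal.example"},
    # Upper bound on rows a single log query may return to the model.
    "max_log_rows": 1000,
}


@dataclass
class ToolCall:
    agent_id: str
    role: str
    tool: str
    args: Dict[str, object] = field(default_factory=dict)
    approved_by: Optional[str] = None  # human who approved a destructive action


@dataclass
class Decision:
    allow: bool
    reason: str


AUDIT_LOG: List[Dict[str, object]] = []


def evaluate(call: ToolCall) -> Decision:
    """Single choke point: every tool call is allowed or denied here and logged."""
    decision = _decide(call)
    AUDIT_LOG.append({
        "agent": call.agent_id, "role": call.role, "tool": call.tool,
        "allow": decision.allow, "reason": decision.reason,
    })
    return decision


def _decide(call: ToolCall) -> Decision:
    allowed_tools = POLICY["roles"].get(call.role)
    if allowed_tools is None:
        return Decision(False, f"unknown role {call.role!r}")
    if call.tool not in allowed_tools:
        return Decision(False, f"tool {call.tool!r} not permitted for role {call.role!r}")

    # Human oversight: a destructive action needs a recorded approver, not the model's say-so.
    if call.tool in POLICY["destructive_tools"] and not call.approved_by:
        return Decision(False, f"{call.tool!r} is destructive and has no human approver")

    # Argument-level checks, so an allowed tool cannot be pointed at an arbitrary target.
    if call.tool == "http_get":
        host = urlparse(str(call.args.get("url", ""))).hostname
        if host not in POLICY["allowed_http_hosts"]:
            return Decision(False, f"http_get to {host!r} is outside the allow-list")
    if call.tool == "search_logs":
        limit = int(call.args.get("limit", 0))
        if limit <= 0 or limit > POLICY["max_log_rows"]:
            return Decision(False, f"search_logs limit {limit} outside 1..{POLICY['max_log_rows']}")

    return Decision(True, "allowed by policy")


if __name__ == "__main__":
    # Constructed sample calls an agent might emit during an investigation.
    samples = [
        ToolCall("agent-1", "triage-agent", "search_logs", {"limit": 200}),
        ToolCall("agent-1", "triage-agent", "http_get", {"url": "https://evil.example/x"}),
        ToolCall("agent-2", "response-agent", "isolate_host", {"host": "ws-042"}),
        ToolCall("agent-2", "response-agent", "isolate_host", {"host": "ws-042"},
                 approved_by="analyst@example"),
    ]
    for call in samples:
        d = evaluate(call)
        print(f"{call.tool:13} allow={d.allow!s:5} {d.reason}")
```

The point of the shape is that the model never holds credentials or calls tools directly: it emits a request, the gateway decides and records, and only then is the tool invoked on the agent's behalf. Moving the policy into a real OPA bundle would change where `_decide` lives, not what the gateway does.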
Feb 1, 2025 • 42min

S2E5 - Drew Dennison

In Season 2 Episode 5, we talk to Drew Dennison, Co-Founder & CTO @ Semgrep. We discuss the evolution of Semgrep as a code security tool, its focus on custom rules, and the importance of open source in democratizing application security. Drew shares insights from his entrepreneurial journey, the challenges faced in the early days of Semgrep, and the lessons learned from working in both the defense and civilian sectors of cybersecurity. The conversation highlights the shifting paradigms in application security, emphasizing the need for comprehensive coverage and the integration of modern development practices. Drew also discusses the evolving landscape of cybersecurity, emphasizing the importance of custom rules in data security, the convergence of various security practices, and the role of open source in driving community engagement. He explores the integration of AI and LLMs in code security, highlighting the potential for these technologies to enhance security processes while maintaining the necessity of human oversight. The discussion culminates in insights about the future of Semgrep Assistant and the balance between automation and human expertise in security.

Key Takeaways
- Semgrep is a code security tool focused on custom rules.
- The importance of understanding user problems in product development.
- Open source tools can democratize access to security solutions.
- The evolution of static analysis tools has improved user experience.
- Insights from the defense sector highlight the asymmetry in cybersecurity.
- Companies often overlook basic security hygiene in favor of advanced solutions.
- The modern application stack requires a holistic security approach.
- 100% code coverage is now achievable with modern tools.
- Community contributions enhance the effectiveness of open source projects.
- The architecture of software development has shifted towards microservices.
- "User data doesn't go any deeper than this in our stack."
- The convergence of static analysis, software composition analysis, and secret scanning is notable.
- "At the technology level, we think of it as all basically the same problem."
- "We always knew we wanted to have an enterprise component for it."
- "We recognized early that LLMs were going to be the future of security."
- Generative AI can help automate rule writing and prioritization.
- Contextualization in security is essential for effective rule application.
- The Semgrep Assistant aims to enhance developer trust and confidence.
- AI will complement human roles rather than replace them in security.
- Automation in security processes is crucial, similar to aviation.

Tune in to find out more!

Contacting Drew
* LinkedIn: https://www.linkedin.com/in/drewdennison/
* Semgrep: https://semgrep.dev/

Contacting Anshuman
* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
* X: https://x.com/anshuman_bh
* Website: https://anshumanbhartiya.com/
* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh
* LinkedIn: https://www.linkedin.com/in/anandsandesh/
* X: https://x.com/JubbaOnJeans
* Website: https://boringappsec.substack.com/
