The Boring AppSec Podcast

Mar 25, 2024 • 1h 10min

S1E04 - Running a lean AppSec team

Welcome to the Boring AppSec Podcast! In Episode 4, we discuss how lean AppSec teams run and operate. We share our experiences of having worked in engineering-heavy organizations where the "engineer : appsec-engineer" ratio is far from ideal, and where scaling the AppSec team becomes very important to being able to reasonably manage risk.

References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)

- Soft skills are important - https://www.softsideofcyber.com/
- Bhadra, the vulnerability management platform built and open sourced by Razorpay - https://github.com/razorpay/bhadra
- Devin - https://www.cognition-labs.com/introd...
- Seezo (Automating design reviews) - https://seezo.io/

Contacting Anshuman
- LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
- Twitter: https://twitter.com/anshuman_bh
- Website: https://anshumanbhartiya.com/
- Instagram: https://www.instagram.com/anshuman.bhartiya/
- YouTube: https://www.youtube.com/@AnshumanBhartiya

Contacting Sandesh
- LinkedIn: https://www.linkedin.com/in/anandsandesh/
- Twitter: https://twitter.com/JubbaOnJeans/
- Website: https://boringappsec.substack.com/
Mar 18, 2024 • 1h 11min

S1E03 - Bug Bounties

Welcome to the Boring AppSec Podcast! In Episode 3, we discuss all things bug bounties, covering the researcher side as well as the program owner's side. Enter at your own will as we have a lot of hot takes.

References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)

1. Bug Bounty Platforms
   - Bugcrowd - https://www.bugcrowd.com/
   - HackerOne - https://www.hackerone.com/
   - Intigriti - https://www.intigriti.com/
   - Synack - https://www.synack.com/
2. Vulnerability Disclosure Process - https://www.cisa.gov/coordinated-vulnerability-disclosure-process
3. Google's Project Zero vulnerability disclosure policy - https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html
4. CVSS Calculator - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
5. Handling A Bug Bounty Program From A Blue Team Perspective - https://www.youtube.com/watch?v=Vgy150R4bRw&t=0s
6. Consumer Bug Bounty Panel - https://www.youtube.com/watch?v=Y8X6pV7rdbA&t=0s

Contacting Anshuman
- LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
- Twitter: https://twitter.com/anshuman_bh
- Website: https://anshumanbhartiya.com/
- Instagram: https://www.instagram.com/anshuman.bhartiya/
- YouTube: https://www.youtube.com/@AnshumanBhartiya

Contacting Sandesh
- LinkedIn: https://www.linkedin.com/in/anandsandesh/
- Twitter: https://twitter.com/JubbaOnJeans/
- Website: https://boringappsec.substack.com/
Mar 11, 2024 • 1h 8min

S1E02 - First Security Hire

Welcome to the Boring AppSec Podcast! In Episode 2, we discuss what a first security hire's responsibilities are. How do they prioritize? What do they prioritize?

References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)

- Building a product security program
- Some blogs on getting SOC2 certifications without too much red tape - RunReveal, Fly.io
- Tracking Meaningful Security Product Metrics
- Build vs Buy Framework
- OpenAI Sora
- LLM Agents Can Autonomously Hack Websites
- Arcanum Information Security
- SecGPT in https://chat.openai.com/gpts

Contacting Anshuman
- LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
- Twitter: https://twitter.com/anshuman_bh
- Website: https://anshumanbhartiya.com/
- Instagram: https://www.instagram.com/anshuman.bhartiya/
- YouTube: https://www.youtube.com/@AnshumanBhartiya

Contacting Sandesh
- LinkedIn: https://www.linkedin.com/in/anandsandesh/
- Twitter: https://twitter.com/JubbaOnJeans/
- Website: https://boringappsec.substack.com/
Mar 4, 2024 • 45min

S1E01 - Asset Inventory

Welcome to the Boring AppSec Podcast! In Episode 1, we discuss software inventories: what they are, why we need them, and our favorite ways to build them.

References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)

- Cartography - https://github.com/lyft/cartography
- GenAI + Cartography - https://shinobi.security/#how-it-works and https://github.com/samvas-codes/cspm-gpt
- Commercial asset inventory mentioned on the show: https://www.jupiterone.com/
- Talk by Sandesh and Satyaki on automating asset inventory generation at Razorpay: https://www.youtube.com/watch?v=8q42Pw9F44k&ab_channel=HasgeekTV
- XKCD about too many standards - https://m.xkcd.com/927/
- Arvind Narayanan on Gen AI chatbots and rock-paper-scissors: https://x.com/random_walker/status/1755684956502728969?s=20
- Emily Oster on parenting - https://emilyoster.net/ . She has now moved her newsletter away from Substack. You can sign up at https://parentdata.org/

Contacting Anshuman
- LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
- Twitter: https://twitter.com/anshuman_bh
- Website: https://anshumanbhartiya.com/
- Instagram: https://www.instagram.com/anshuman.bhartiya/
- YouTube: https://www.youtube.com/@AnshumanBhartiya

Contacting Sandesh
- LinkedIn: https://www.linkedin.com/in/anandsandesh/
- Twitter: https://twitter.com/JubbaOnJeans/
- Website: https://boringappsec.substack.com/
