The Application Security Podcast’s Episode List2018-08-24T04:54:42+00:00

Episodes List

2411, 2020

The Threat Modeling Manifesto – Part 2

This is part two of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. In this episode, we move on from definition to working through the values and principles that make up threat modeling, and then we ship the product.

The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.

Other episodes on threat modeling:

1711, 2020

The Threat Modeling Manifesto – Part 1

This is part one of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto.

Our intention is to share a distilled version of our collective threat modeling knowledge in a way that should inform, educate, and inspire other practitioners to adopt threat modeling as well as improve security and privacy during development.

We developed this Manifesto after years of experience thinking about, performing, teaching, and developing the practice of, Threat Modeling. We have diverse backgrounds as industry professionals, academics, authors, hands-on experts, and presenters. We bring together varied perspectives on threat modeling. Our ongoing conversations, which focus on the conditions and approaches that lead to the best results in threat modeling, as well as how to correct when we fail, continue to shape our ideas.

The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.

Other episodes on threat modeling:

2610, 2020

Season 7 Guests — The best of Season 7

This is our final episode of Season 7, and we thought we’d share some of our favorite clips with you. We’ve covered lots of ground, from featuring many OWASP projects to DevSecOps, penetration testing, AWS security, SameSite cookies, crypto, and that just scratches the surface. We hope you enjoy this wrap-up episode with…. A whole bunch of Season 7 guests.

1310, 2020

Aviat Jean-Baptiste — The AppSec report

Jb Aviat is CTO and co-founder at Sqreen. Prior to this, Jb worked at Apple as a reverse engineer, pentester, and developer. Jb joins us to discuss the new Application Security Report that Sqreen has released. We review what the report contains, key takeaways and conclusions, and even consider which framework/language is the most secure. We hope you enjoy this conversation with…. Jb Aviat.

610, 2020

Frank Rietta — The convergence of Ruby on Rails and #AppSec

Frank Rietta is the CEO of Rietta.com, a Security Focused Web Application Firm. He is a web application security architect, expert witness, author, and speaker. Frank joins us to discuss secure coding with Ruby on Rails. We get into a discussion about RoR vs. other languages, primary threats, counters to threats, and tools available for the RoR developer to assist with security. We hope you enjoy this conversation with… Frank Rietta.

3009, 2020

Dmitry Sotnikov – REST API Security – there is no silver bullet

Dmitry Sotnikov serves as Chief Product Officer at 42Crunch – an enterprise API security company. He maintains https://APISecurity.io, a popular community site with daily API Security news and weekly newsletter API vulnerabilities, breaches, standards, best practices, regulations, and tools. Dmitry joins us to discuss REST API Security. We talk about the top API security threats, counters to those threats, and the details on APISecurity.IO. We hope you enjoy this conversation with … Dmitry Sotnikov.

2209, 2020

Caroline Wong — The state of Penetration Testing

Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec Product Manager, and day-to-day leadership roles at eBay and Zynga. Caroline joins us to talk about penetration testing and reviews key findings from the Cobalt.io “State of Pentesting” report. We hope you enjoy Caroline Wong’s second visit to the Application Security Podcast.

Caroline’s first appearance on the show is found here.

1509, 2020

Aaron Davis — LavaMoat — solving JavaScript software supply chain

Aaron Davis is a founder, dev, and a lead security researcher at MetaMask, a popular Ethereum wallet. He introduces us to LavaMoat, an approach to solving javascript software supply chain security for node and the browser. The LavaMoat runtime prevents modifying JavaScript’s primordials, limits access to the platform API, and prevents packages from corrupting other packages. We hope you enjoy this conversation with… Aaron Davis.

https://github.com/LavaMoat/lavamoat

1009, 2020

Anastasiia Voitova — Use Cryptography; Don’t Learn It

Anastasiia Voitova is a software engineer who works on data security solutions at @cossacklabs, making complex crypto easy-to-use in modern software. She joins us to explore the idea of boring crypto. She caught our attention with a talk at OWASP 24 where she encouraged developers to NOT learn crypto. You’ll have to listen to understand her rationale. She explains mistakes folks make with crypto, boring crypto, and how to get started implementing boring crypto. We hope you enjoy this conversation with…Anastasiia Voitova.

309, 2020

Michael Furman — SameSite Cookies

Michael Furman is the Lead Security Architect at Tufin, and is responsible for the security and Security Development Lifecycle (SDL) of Tufin software products. Michael is passionate about application security for over 13 years already and evangelizes about application security at various conferences (including OWASP conferences) and security meetups. Michael joins us to break down SameSite cookies, which are all the rage in browsers these days. He describes what they are, the threats they counter, and how SameSite + the Synchronizer Token Pattern work together to counter CSRF. We hope you enjoy this conversation with…. Michael Furman.

2708, 2020

Chris Romeo — The State of Security and the Importance of Empathy

Application security applies to everyone, network architects included. Chris had an opportunity to join a friend’s Podcast called “The Hedge.” Chris talks with hosts Tom and Russ about the state of security and what network engineers need to know about security from an application perspective. They talk about the importance of empathy in all jobs, walking a mile in the shoes of those that work around you.

You’ll find this episode on the Hedge site at https://rule11.tech/hedge-048/.

906, 2020

Cindy Blake — Aligning security testing with Agile development

Cindy Blake is the Senior Security Evangelist at GitLab. Cindy collaborates around best practices for integrated DevSecOps application security solutions with major enterprises. She is proud to introduce her new book, “10 Steps to Securing Next-Gen Software”. The book combines her cyber security experience with a background in lean and software development, and simplifies the complexities of today’s software evolution into pragmatic advice for security programs. Cindy joins us to discuss how to align security testing with Agile development.
For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screen during the interview.
Audio only feed:
206, 2020

Jannik Hollenbach — Multijuicer: JuiceShop with a side of Kubernetes

Jannik Hollenbach is a Security Automation Engineer at iteratec GmbH, working on and with open source security testing tools to continuously detect security vulnerabilities in the companies software and systems. He is also a member of the OWASP Juice Shop project team. Jannik joins us to discuss MultiJuicer, or how to run JuiceShop in a Kubernetes cluster, with a separate JuiceShop instance for each user.
For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screens during the interview.
We hope you enjoy this conversation with.. Jannik Hollenbach.
Links:
Audio only feed:
2605, 2020

Sebastien Deleersnyder and Bart De Win — OWASP SAMM

Sebastien Deleersnyder is co-founder, CEO of Toreon, and Bart De Win is a director within PwC Belgium. They work together to co-lead both the OWASP Belgium Chapter and the OWASP SAMM project. Sebastien and Bart join us to introduce OWASP SAMM 2.0. OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security they can integrate into an existing Software Development Lifecycle (SDLC). We explore where it came from, and walk through the framework.
For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture a screen during the interview.
We hope you enjoy this conversation with… Sebastien and Bart.
Audio only feed:
1405, 2020

Marc French, Steve Lipner, Maya Kaczorowski, DJ Schleen, Kim Wuyts — Season Six Wrap up

We’ve reached the end of season six, and here are a few of our favorite clips. Season seven is around the corner.

1104, 2020

Mark Merkow — Secure, Resilient, and Agile Software Development

Mark Merkow works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO.

Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis, and design, security engineering, and security management. Mark has authored or co-authored 17 books on IT and has been a contributing editor to four others.

Mark joins us to discuss how application security and Agile software development methodology fit together. We hope you enjoy this conversation with… Mark Merkow.

604, 2020

Zsolt Imre — Fuzz testing is easy

Zsolt is the founder and CTO of GUARDARA with more than 15 years of experience in cybersecurity, both on the offensive and defensive side. Zsolt explains fuzz testing, who does it, and why. He also helps us to understand how to deal with fuzz testing results, and how to get started doing fuzz testing on your own. We hope you enjoy this conversation with … Zolt Imre.

2803, 2020

Adam Shostack — Remote Threat Modeling

Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the Youtube version of the episode.

Bio: Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author and game designer. He has taught threat modeling at a wide range of commercial, non-profit and government organizations. He’s a member of the Black Hat Review Board, is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

2303, 2020

Kim Wuyts — Privacy Threat Modeling

Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the main forces behind the development and extension of LINDDUN, a privacy threat modeling framework that provides systematic support to elicit and mitigate privacy threats in software systems. Kim joins us to explain the difference between security and privacy and introduce us to LINDDUN and how to use it.

1503, 2020

John Martin — Preventing a Cyberpocalypse

John Martin has owned responsibilities ranging from Software Supply Chain to DevSecOps Security Champions to Cloud Security Monitoring. His career spans the years between Blue-Box MF generators, through the era of automated hacks, and into our modern age of industrialized paranoia. He is a frequent speaker on the topic of commercial software security and a contributor to many SAFECode and CSA efforts. John joins us to discuss the prevention of a cyberpocalypse. You heard it correctly. Now tune in to learn what a cyberpocalypse is and why you need to care about it. We hope you enjoy this conversation with John Martin.

2002, 2020

Jeremy Long — It’s dependency check, not checker

Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project; a software composition analysis tool that identifies known vulnerable 3rd party libraries. Jeremy joins us to share the origin story of dependency check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.

1302, 2020

Alyssa Miller — Experiences with DevOps + Automation and beyond

Alyssa is a hacker, security evangelist, cybersecurity professional and international public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments but also helping develop complete security programs.
Alyssa joins us to share her take on DevOps, automation, and beyond. She also shares a great story about how she got domain admin in 3 minutes.
802, 2020

Vandana Verma — Support each other

Vandana Verma is a passionate advocate for application security. From serving on the OWASP Board to running various groups promoting security to organizing conferences, she is engaged in making the global application security community a better place.
She manages the @Infosecgirls organization and is a leader for the @OWASPBangalore chapter. Vandana joins us to discuss her work so far on the OWASP Board, to discuss her AppSec DC keynote on diversity, and to catch us up on InfoSecGirls and WIA.
3001, 2020

DJ Schleen — DevOps: The Sec is Silent

DJ Schleen is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.
DJ joins us to talk about the philosophy of DevOps and flow, DevSecOps and silos, and the DevSecOps reference architectures. We hope you enjoy this conversation with… DJ Schleen.
2401, 2020

Niels Tanis — 3rd Party Risk in a .NET World

Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending and building secure applications. Neils joins us to continue our .NET conversation from last year. This time around we focus on the 3rd party risk we pull into our applications by using third party libraries in a .NET world.

Go to Top