The Application Security Podcast’s Episode List (2018-08-24T04:54:42+00:00)

Episodes List

30 June 2020

Drew Dennison – Security should make the computer sweat more

Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Drew joins us to introduce a tool called Semgrep. Semgrep is a fast source code analysis tool, potentially faster than anything you’ve seen before.
If you want to see the live demo of Semgrep, head over to the Application Security Podcast YouTube channel to see the video.
We hope you enjoy this conversation with… Drew Dennison.
Twitter: DrewDennison
23 June 2020

Aaron Guzman — IoTGoat

Aaron Guzman specializes in IoT, embedded, and automotive security. Aaron is the co-author of “IoT Penetration Testing Cookbook”. He helps lead both OWASP’s Embedded Application Security and Internet of Things projects, providing practical guidance on addressing top security vulnerabilities to the embedded and IoT community. Aaron joins us to explore IoTGoat. IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals on testing for commonly found vulnerabilities in IoT devices. He describes what it is, where it comes from, and does a demo for us on how to put it to use.

For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview. We hope you enjoy this conversation with… Aaron Guzman.

16 June 2020

Adam Shostack — The Jenga View of Threat Modeling

Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. Adam joins us to discuss his new white paper called the Jenga View of Threat Modeling.
For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.
You can grab a copy of the whitepaper on Adam’s site, https://associates.shostack.org/whitepapers.

9 June 2020

Cindy Blake — Aligning security testing with Agile development

Cindy Blake is the Senior Security Evangelist at GitLab. Cindy collaborates around best practices for integrated DevSecOps application security solutions with major enterprises. She is proud to introduce her new book, “10 Steps to Securing Next-Gen Software”. The book combines her cyber security experience with a background in lean and software development, and simplifies the complexities of today’s software evolution into pragmatic advice for security programs. Cindy joins us to discuss how to align security testing with Agile development.
For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.
2 June 2020

Jannik Hollenbach — Multijuicer: JuiceShop with a side of Kubernetes

Jannik Hollenbach is a Security Automation Engineer at iteratec GmbH, working on and with open source security testing tools to continuously detect security vulnerabilities in the company’s software and systems. He is also a member of the OWASP Juice Shop project team. Jannik joins us to discuss MultiJuicer, or how to run Juice Shop in a Kubernetes cluster, with a separate Juice Shop instance for each user.
For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.
We hope you enjoy this conversation with… Jannik Hollenbach.
26 May 2020

Sebastien Deleersnyder and Bart De Win — OWASP SAMM

Sebastien Deleersnyder is co-founder, CEO of Toreon, and Bart De Win is a director within PwC Belgium. They work together to co-lead both the OWASP Belgium Chapter and the OWASP SAMM project. Sebastien and Bart join us to introduce OWASP SAMM 2.0. OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security they can integrate into an existing Software Development Lifecycle (SDLC). We explore where it came from, and walk through the framework.
For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.
We hope you enjoy this conversation with… Sebastien and Bart.
14 May 2020

Marc French, Steve Lipner, Maya Kaczorowski, DJ Schleen, Kim Wuyts — Season Six Wrap-up

We’ve reached the end of season six, and here are a few of our favorite clips. Season seven is around the corner.

11 April 2020

Mark Merkow — Secure, Resilient, and Agile Software Development

Mark Merkow works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO.

Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis and design, security engineering, and security management. Mark has authored or co-authored 17 books on IT and has been a contributing editor to four others.

Mark joins us to discuss how application security and Agile software development methodology fit together. We hope you enjoy this conversation with… Mark Merkow.

6 April 2020

Zsolt Imre — Fuzz testing is easy

Zsolt is the founder and CTO of GUARDARA, with more than 15 years of experience in cybersecurity on both the offensive and defensive side. Zsolt explains fuzz testing, who does it, and why. He also helps us understand how to deal with fuzz testing results, and how to get started doing fuzz testing on your own. We hope you enjoy this conversation with… Zsolt Imre.

28 March 2020

Adam Shostack — Remote Threat Modeling

Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the YouTube version of the episode.

Bio: Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author and game designer. He has taught threat modeling at a wide range of commercial, non-profit and government organizations. He’s a member of the Black Hat Review Board, is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

23 March 2020

Kim Wuyts — Privacy Threat Modeling

Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the main forces behind the development and extension of LINDDUN, a privacy threat modeling framework that provides systematic support to elicit and mitigate privacy threats in software systems. Kim joins us to explain the difference between security and privacy and introduce us to LINDDUN and how to use it.

15 March 2020

John Martin — Preventing a Cyberpocalypse

John Martin has owned responsibilities ranging from Software Supply Chain to DevSecOps Security Champions to Cloud Security Monitoring. His career spans the years between Blue-Box MF generators, through the era of automated hacks, and into our modern age of industrialized paranoia. He is a frequent speaker on the topic of commercial software security and a contributor to many SAFECode and CSA efforts. John joins us to discuss the prevention of a cyberpocalypse. You heard it correctly. Now tune in to learn what a cyberpocalypse is and why you need to care about it. We hope you enjoy this conversation with John Martin.

20 February 2020

Jeremy Long — It’s dependency check, not checker

Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project, a software composition analysis tool that identifies known vulnerable third-party libraries. Jeremy joins us to share the origin story of dependency-check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.

13 February 2020

Alyssa Miller — Experiences with DevOps + Automation and beyond

Alyssa is a hacker, security evangelist, cybersecurity professional and international public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments but also helping develop complete security programs.
Alyssa joins us to share her take on DevOps, automation, and beyond. She also shares a great story about how she got domain admin in 3 minutes.
8 February 2020

Vandana Verma — Support each other

Vandana Verma is a passionate advocate for application security. From serving on the OWASP Board to running various groups promoting security to organizing conferences, she is engaged in making the global application security community a better place.
She manages the @Infosecgirls organization and is a leader for the @OWASPBangalore chapter. Vandana joins us to discuss her work so far on the OWASP Board, to discuss her AppSec DC keynote on diversity, and to catch us up on InfoSecGirls and WIA.
30 January 2020

DJ Schleen — DevOps: The Sec is Silent

DJ Schleen is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.
DJ joins us to talk about the philosophy of DevOps and flow, DevSecOps and silos, and the DevSecOps reference architectures. We hope you enjoy this conversation with… DJ Schleen.
24 January 2020

Niels Tanis — 3rd Party Risk in a .NET World

Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending, and building secure applications. Niels joins us to continue our .NET conversation from last year. This time around we focus on the third-party risk we pull into our applications by using third-party libraries in a .NET world.

16 January 2020

Maya Kaczorowski — Container and Orchestration Security

Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Maya has a Master’s in mathematics, focusing on cryptography and game theory. Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for enhancing security as you roll out containers and Kubernetes.

9 January 2020

Geoff Hill — AppSec, DevSecOps, and Diplomacy

Geoffrey Hill is an AppSec and DevSecOps leader and architect. Geoff joins us to discuss his experiences rolling out DevSecOps in both Agile and non-Agile shops. We hope you enjoy this conversation with… Geoff Hill.

3 January 2020

Erez Yalon — The OWASP API Security Project

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy this conversation with … Erez Yalon.

Find the Document on the OWASP GitHub: https://github.com/OWASP/API-Security

20 December 2019

Steve Lipner — The Past, Present, and Future of SDL

Steve Lipner is a pioneer in cybersecurity, approaching 50 years’ experience. He retired in 2015 from Microsoft where he was the creator and long-time leader of Microsoft’s Security Development Lifecycle (SDL) team. While at Microsoft, Steve also created initiatives to encourage industry adoption of secure development practices and the SDL and served as a member and chair of the SAFECode board. Steve joins us to talk about all things SDL, and I must say, I was super excited for this interview, with way too many questions for someone who was there on day 1 of the Secure Development Lifecycle. We hope you enjoy this conversation with… Steve Lipner.

16 December 2019

David Kosorok — The Three Pillars of an AppSec Program: Prevent, Detect, and React

David Kosorok is a code security expert, software tester, father of 9, and a self-described major nerd. David is the Director of AppSec at Align Tech, and a fellow member of the Raleigh-Durham tech community. David joins us to speak about the three pillars of building an application security program: Prevent, Detect, and React. When we think about program building, we’ve never heard anyone frame a program this way, and thought you needed to hear about a different approach. We hope you enjoy this conversation with… David Kosorok.

1 December 2019

Chris and Robert: A Taste of Hi-5

As the hosts of the Application Security Podcast, we get the opportunity from time to time to mix it up. This week we gather a few security articles, share a summary, and offer our opinions (for what our opinions are worth). The source of the articles is Hi-5, a weekly newsletter containing five security articles that are worth your time. We scour the Interwebs looking for the best articles on application and product security and share those with you. You can subscribe to Hi-5 on the Security Journey website.

Hit us up on Twitter and let us know if you like this format and if we should do more of this type of content. We hope you enjoy this episode with… Chris and Robert.

These are the articles:

Interest In Secure Design Practices Is Increasing Leading To Two Predictions

Developers mentoring other developers: practices I’ve seen work well

7 Web Application Security Best Practices

21 November 2019

Bill Dougherty — INCLUDES NO DIRT, practical threat modeling for healthcare and beyond

Bill Dougherty is the vice president of IT and security at Omada Health, where he leads a team responsible for all aspects of internal IT including SaaS strategy, end-user support, vendor management, operational security, and compliance. Bill, along with Patrick Curry, created the INCLUDES NO DIRT approach to threat modeling, which takes threat modeling beyond STRIDE and goes head-on with a more modern set of real-world security considerations. We hope you enjoy this conversation with… Bill Dougherty.

Find Bill on Twitter @bdognet.

For an article about the methodology, see INCLUDES NO DIRT: A Practical Threat Modeling Approach for Digital Healthcare and Beyond

For the paper that describes the methodology and how to implement, see INCLUDES NO DIRT

10 November 2019

Marc French — The AppSec CISO

Marc French is a security person, firearms geek, scuba guy, lousy golfer, and an aspiring blacksmith. We met Marc in the hallway at the Boston Application Security Conference. Marc has extensive experience as a CISO but came from the world of AppSec to the exec suite, which is not the normal path. We discuss what a CISO is, what a CISO actually does, the role of AppSec in the life of the CISO, and tips Marc has for those who wish to become a CISO someday. We hope you enjoy this conversation with… Marc French.