Neil Matatall — Content Security Policy
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Grant Ongers — Gamification of threat modeling
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Elie Saad — OWASP WSTG, Cheat Sheets, and Integration
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Graham Holmes — Adversarial Machine Learning
Graham Holmes is the founder and owner of AoP CyberSecurity, LLC whose mission is to enable organizations to “create scalable and effective strategies for trustworthy outcomes.” His career includes over 22 years as a leader at Cisco Systems, where he infamously served as my boss for a period of time, and before that he served in the US Navy as a commissioned officer for 9 years. Graham joins us to discuss adversarial machine learning. We explore the threats and attacks in an AI/ML world, and review solutions to address these challenges using trust as a foundation. Please enjoy this conversation with Graham Holmes.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Ochaun Marshall — Securing Web applications in AWS
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Drew Dennison – Security should make the computer sweat more
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Aaron Guzman — IoTGoat
Aaron Guzman specializes in IoT, embedded, and automotive security. Aaron is the Co-Author of “IoT Penetration Testing Cookbook”. He helps lead both OWASP’s Embedded Application Security and Internet of Things projects; providing practical guidance for addressing top security vulnerabilities to the embedded and IoT community. Aaron joins us to explore IoTGoat. IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices. He describes what it is, where it comes from, and does a demo for us on how to put it to use.
For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screen during the interview. We hope you enjoy this conversation with…Aaron Guzman
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Adam Shostack — The Jenga View of Threat Modeling
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Cindy Blake — Aligning security testing with Agile development
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Jannik Hollenbach — Multijuicer: JuiceShop with a side of Kubernetes
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Sebastien Deleersnyder and Bart De Win — OWASP SAMM
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Marc French, Steve Lipner, Maya Kaczorowski, DJ Schleen, Kim Wuyts — Season Six Wrap up
We’ve reached the end of season six, and here are a few of our favorite clips. Season seven is around the corner.
- S06E01 — Marc French — The AppSec CISO
- What are some tips for someone who wants to become a CISO? Is there such a thing as a CISO school?
- S06E05 — Steve Lipner — The Past, Present, and Future of SDL
- Lipner is a giant in the industry and someone that I’ve looked up to for years. After some setup, I ask him for a definition of SDL.
- S06E08 — Maya Kaczorowski — Container and Orchestration Security
- Containers are not a security tool. Do you agree or disagree? The philosophy of container security.
- S06E10 — DJ Schleen — DevOps: The Sec is Silent
- DevOps/DevSecOps Unicorns.
- S06E15 — Kim Wuyts — Privacy Threat Modeling
- We walk through the LINDUN privacy threat modeling framework, step by step.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Mark Merkow — Secure, Resilient, and Agile Software Development
Mark Merkow works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO.
Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis, and design, security engineering, and security management. Mark has authored or co-authored 17 books on IT and has been a contributing editor to four others.
Mark joins us to discuss how application security and Agile software development methodology fit together. We hope you enjoy this conversation with… Mark Merkow.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Zsolt Imre — Fuzz testing is easy
Zsolt is the founder and CTO of GUARDARA with more than 15 years of experience in cybersecurity, both on the offensive and defensive side. Zsolt explains fuzz testing, who does it, and why. He also helps us to understand how to deal with fuzz testing results, and how to get started doing fuzz testing on your own. We hope you enjoy this conversation with … Zolt Imre.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Adam Shostack — Remote Threat Modeling
Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the Youtube version of the episode.
Bio: Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author and game designer. He has taught threat modeling at a wide range of commercial, non-profit and government organizations. He’s a member of the Black Hat Review Board, is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Kim Wuyts — Privacy Threat Modeling
Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the main forces behind the development and extension of LINDDUN, a privacy threat modeling framework that provides systematic support to elicit and mitigate privacy threats in software systems. Kim joins us to explain the difference between security and privacy and introduce us to LINDDUN and how to use it.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
John Martin — Preventing a Cyberpocalypse
John Martin has owned responsibilities ranging from Software Supply Chain to DevSecOps Security Champions to Cloud Security Monitoring. His career spans the years between Blue-Box MF generators, through the era of automated hacks, and into our modern age of industrialized paranoia. He is a frequent speaker on the topic of commercial software security and a contributor to many SAFECode and CSA efforts. John joins us to discuss the prevention of a cyberpocalypse. You heard it correctly. Now tune in to learn what a cyberpocalypse is and why you need to care about it. We hope you enjoy this conversation with John Martin.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Jeremy Long — It’s dependency check, not checker
Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project; a software composition analysis tool that identifies known vulnerable 3rd party libraries. Jeremy joins us to share the origin story of dependency check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Alyssa Miller — Experiences with DevOps + Automation and beyond
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Vandana Verma — Support each other
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
DJ Schleen — DevOps: The Sec is Silent
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Niels Tanis — 3rd Party Risk in a .NET World
Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending and building secure applications. Neils joins us to continue our .NET conversation from last year. This time around we focus on the 3rd party risk we pull into our applications by using third party libraries in a .NET world.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Maya Kaczorowski — Container and Orchestration Security
Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Maya has a Master’s in mathematics, focusing on cryptography and game theory. Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for enhancing security as you role out containers and Kubernetes.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Geoff Hill — AppSec, DevSecOps, and Diplomacy
Geoffrey Hill is an AppSec DevSecOps leader and Architect. Geoff joins us to discuss his experiences rolling out DevSecOps in both Agile and non-Agile practicing shops. We hope you enjoy this conversation with…Geoff Hill.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
Erez Yalon — The OWASP API Security Project
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy this conversation with … Erez Yalon.
Find the Document on the OWASP GitHub: https://github.com/OWASP/API-Security
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More
