Neil Matatall is a product security engineer at GitHub. He focuses on designing and engineering user experiences solutions related to authentication and account recovery. Working remotely from Hawaii, Neil is a strong believer in the future of remote work. Neil joins us for a deep-dive into Content Security Policy. We explore what it is, the purpose, and why it’s so difficult to implement.
We hope you enjoy this conversation with… Neil Matatall.
Grant Ongers is co-founder of the bearded trio called Secure Delivery, with a philosophy and purpose for optimal delivery and security in one dynamic package.
Grant’s experience spans Dev, Ops, and Security, with over 30 years pushing the limits of (Info)Sec. Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at BlackHat (USA and EU), and an OWASP Global Board member.
Grant joins us to talk about gamification and threat modeling, and introduces me to the OWASP Cornucopia card game, which you can use to teach developers and product team members threat modeling, in a fun and engaging way.
We hope you enjoy this conversation with…. Grant Ongers. @rewtd
Elie Saad is an application security engineer, leading three different OWASP projects. He focuses on helping developers own and champion security in their projects by providing guidance, tests, secure pipeline design and aiding them in applying external security measures.
In this conversation, Elie educates us about the current happenings with WSTG, Cheat Sheets, and the Integration Standard. He walks us through demo’s of each project.
We hope you enjoy this conversation with Elie Saad. @7hunderson
Graham Holmes is the founder and owner of AoP CyberSecurity, LLC whose mission is to enable organizations to “create scalable and effective strategies for trustworthy outcomes.” His career includes over 22 years as a leader at Cisco Systems, where he infamously served as my boss for a period of time, and before that he served in the US Navy as a commissioned officer for 9 years. Graham joins us to discuss adversarial machine learning. We explore the threats and attacks in an AI/ML world, and review solutions to address these challenges using trust as a foundation. Please enjoy this conversation with Graham Holmes.
Ochaun Marshall is a developer and security consultant. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people’s web applications. Ochaun joins us to talk about the changing tide of serverless and frustrations with AWS security. Before we got to the actual topic, we talked about how he currently works as a developer some times, and a pen tester/security person the rest of the time, and the conflict that arises from this split role. Please enjoy this conversation with…Ochaun Marshall.
Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Drew joins us to introduce a tool called semgrep. Semgrep is a fast source code analysis tool, potentially faster than anything you’ve seen before.
If you want to see the live demo of semgrep, head over to the Application Security Podcast Youtube channel to see the video.
We hope you enjoy this conversation with… Drew Dennison.
Aaron Guzman specializes in IoT, embedded, and automotive security. Aaron is the Co-Author of “IoT Penetration Testing Cookbook”. He helps lead both OWASP’s Embedded Application Security and Internet of Things projects; providing practical guidance for addressing top security vulnerabilities to the embedded and IoT community. Aaron joins us to explore IoTGoat. IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices. He describes what it is, where it comes from, and does a demo for us on how to put it to use.
For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screen during the interview. We hope you enjoy this conversation with…Aaron Guzman
Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. Adam joins us to discuss his new white paper called the Jenga View of Threat Modeling.
For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture a screen during the interview.
Cindy Blake is the Senior Security Evangelist at GitLab. Cindy collaborates around best practices for integrated DevSecOps application security solutions with major enterprises. She is proud to introduce her new book, “10 Steps to Securing Next-Gen Software”. The book combines her cyber security experience with a background in lean and software development, and simplifies the complexities of today’s software evolution into pragmatic advice for security programs. Cindy joins us to discuss how to align security testing with Agile development.
For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screen during the interview.
Jannik Hollenbach is a Security Automation Engineer at iteratec GmbH, working on and with open source security testing tools to continuously detect security vulnerabilities in the companies software and systems. He is also a member of the OWASP Juice Shop project team. Jannik joins us to discuss MultiJuicer, or how to run JuiceShop in a Kubernetes cluster, with a separate JuiceShop instance for each user.
For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture screens during the interview.
We hope you enjoy this conversation with.. Jannik Hollenbach.
Sebastien Deleersnyder is co-founder, CEO of Toreon, and Bart De Win is a director within PwC Belgium. They work together to co-lead both the OWASP Belgium Chapter and the OWASP SAMM project. Sebastien and Bart join us to introduce OWASP SAMM 2.0. OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security they can integrate into an existing Software Development Lifecycle (SDLC). We explore where it came from, and walk through the framework.
For season 7 and beyond, we’ve launched our Youtube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now have demo’s included, where we capture a screen during the interview.
We hope you enjoy this conversation with… Sebastien and Bart.
Mark Merkow works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO.
Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis, and design, security engineering, and security management. Mark has authored or co-authored 17 books on IT and has been a contributing editor to four others.
Mark joins us to discuss how application security and Agile software development methodology fit together. We hope you enjoy this conversation with… Mark Merkow.
Zsolt is the founder and CTO of GUARDARA with more than 15 years of experience in cybersecurity, both on the offensive and defensive side. Zsolt explains fuzz testing, who does it, and why. He also helps us to understand how to deal with fuzz testing results, and how to get started doing fuzz testing on your own. We hope you enjoy this conversation with … Zolt Imre.
Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the Youtube version of the episode.
Bio: Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author and game designer. He has taught threat modeling at a wide range of commercial, non-profit and government organizations. He’s a member of the Black Hat Review Board, is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the main forces behind the development and extension of LINDDUN, a privacy threat modeling framework that provides systematic support to elicit and mitigate privacy threats in software systems. Kim joins us to explain the difference between security and privacy and introduce us to LINDDUN and how to use it.
John Martin has owned responsibilities ranging from Software Supply Chain to DevSecOps Security Champions to Cloud Security Monitoring. His career spans the years between Blue-Box MF generators, through the era of automated hacks, and into our modern age of industrialized paranoia. He is a frequent speaker on the topic of commercial software security and a contributor to many SAFECode and CSA efforts. John joins us to discuss the prevention of a cyberpocalypse. You heard it correctly. Now tune in to learn what a cyberpocalypse is and why you need to care about it. We hope you enjoy this conversation with John Martin.
Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project; a software composition analysis tool that identifies known vulnerable 3rd party libraries. Jeremy joins us to share the origin story of dependency check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.
Alyssa is a hacker, security evangelist, cybersecurity professional and international public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments but also helping develop complete security programs.
Alyssa joins us to share her take on DevOps, automation, and beyond. She also shares a great story about how she got domain admin in 3 minutes.
Vandana Verma is a passionate advocate for application security. From serving on the OWASP Board to running various groups promoting security to organizing conferences, she is engaged in making the global application security community a better place.
She manages the @Infosecgirls organization and is a leader for the @OWASPBangalore chapter. Vandana joins us to discuss her work so far on the OWASP Board, to discuss her AppSec DC keynote on diversity, and to catch us up on InfoSecGirls and WIA.
DJ Schleen is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.
DJ joins us to talk about the philosophy of DevOps and flow, DevSecOps and silos, and the DevSecOps reference architectures. We hope you enjoy this conversation with… DJ Schleen.
Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending and building secure applications. Neils joins us to continue our .NET conversation from last year. This time around we focus on the 3rd party risk we pull into our applications by using third party libraries in a .NET world.
Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Maya has a Master’s in mathematics, focusing on cryptography and game theory. Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for enhancing security as you role out containers and Kubernetes.
Geoffrey Hill is an AppSec DevSecOps leader and Architect. Geoff joins us to discuss his experiences rolling out DevSecOps in both Agile and non-Agile practicing shops. We hope you enjoy this conversation with…Geoff Hill.
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy this conversation with … Erez Yalon.