Episodes List
Andrew van der Stock — Taking Application Security to the Masses
Andrew van der Stock has been around the world of Application Security for quite a long time. In 2020, he took over as the Executive Director of OWASP, and he’s working from within the organization to further the mission of taking application security to the masses. We discuss Andrew’s OWASP origin story and he defines OWASP and the OWASP core mission. We talk membership, the future, and drop some details about the upcoming 20th anniversary of OWASP. We hope you enjoy this conversation with Andrew van der Stock.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Google Podcasts | Spotify | iHeartRadio | Stitcher | Email | TuneIn | RSS | More
JC Herz and Steve Springett — SBOMs and software supply chain assurance
JC Herz is the COO of Ion Channel, a software logistics and supply chain assurance platform for critical infrastructure. She is a visiting fellow at George Mason’s National Security Institute and co-chairs a Department of Commerce working group on software bills of materials for security-sensitive public and private sector enterprises. JC and Steve Springett join to talk all things software bill of materials. We define what an SBOM is and what it’s used for. We talk about the threats an SBOM counters, who started it, and what the OWASP tie-in is. JC concludes our time by explaining why now is the time YOU must care about SBOMs. We hope you enjoy this conversation with… JC Herz and Steve Springett.
Brian Reed — Mobile Appsec: The Good, the Bad and the Ugly as We Head into 2021
Brian Reed is Chief Mobility Officer at NowSecure. Brian has over 30 years in tech and 15 years in mobile, security, and apps dating back to the birth of mobile including BlackBerry, Good Technology, BoxTone, and MicroFocus. Brian joins us to discuss mobile application security, the good, the bad, and the ugly as we head into 2021. We discuss recent issues in mobile apps, mobile firewalls, mobile vs. web, and how AppSec is different in a mobile world. We hope you enjoy this conversation with…Brian Reed.
The Threat Modeling Manifesto – Part 2
This is part two of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. In this episode, we move on from definition to working through the values and principles that make up threat modeling, and then we ship the product.
The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.
- Zoe Braiterman
- Adam Shostack
- Jonathan Marcil
- Stephen de Vries
- Irene Michlin
- Kim Wuyts
- Robert Hurlbut
- Brook S.E. Schoenfield
- Fraser Scott
- Matthew Coles
- Chris Romeo
- Alyssa Miller
- Izar Tarandach
- Avi Douglen
- Marc French
Other episodes on threat modeling:
- The Threat Modeling Manifesto – Part 1
- Adam Shostack — Remote Threat Modeling
- Kim Wuyts — Privacy Threat Modeling
- Izar Tarandach — Command line threat modeling with pytm
- Stephen de Vries — Threat Modeling with a bit of #Startup
The Threat Modeling Manifesto – Part 1
This is part one of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto.
Our intention is to share a distilled version of our collective threat modeling knowledge in a way that should inform, educate, and inspire other practitioners to adopt threat modeling as well as improve security and privacy during development.
We developed this Manifesto after years of experience thinking about, performing, teaching, and developing the practice of threat modeling. We have diverse backgrounds as industry professionals, academics, authors, hands-on experts, and presenters. We bring together varied perspectives on threat modeling. Our ongoing conversations, which focus on the conditions and approaches that lead to the best results in threat modeling, as well as how to correct when we fail, continue to shape our ideas.
The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.
- Zoe Braiterman
- Adam Shostack
- Jonathan Marcil
- Stephen de Vries
- Irene Michlin
- Kim Wuyts
- Robert Hurlbut
- Brook S.E. Schoenfield
- Fraser Scott
- Matthew Coles
- Chris Romeo
- Alyssa Miller
- Izar Tarandach
- Avi Douglen
- Marc French
Other episodes on threat modeling:
Season 7 Guests — The best of Season 7
This is our final episode of Season 7, and we thought we’d share some of our favorite clips with you. We’ve covered lots of ground, from featuring many OWASP projects to DevSecOps, penetration testing, AWS security, SameSite cookies, crypto, and that just scratches the surface. We hope you enjoy this wrap-up episode with…. A whole bunch of Season 7 guests.
Aviat Jean-Baptiste — The AppSec report
Jb Aviat is CTO and co-founder at Sqreen. Prior to this, Jb worked at Apple as a reverse engineer, pentester, and developer. Jb joins us to discuss the new Application Security Report that Sqreen has released. We review what the report contains, key takeaways and conclusions, and even consider which framework/language is the most secure. We hope you enjoy this conversation with…. Jb Aviat.
Frank Rietta — The convergence of Ruby on Rails and #AppSec
Frank Rietta is the CEO of Rietta.com, a security-focused web application firm. He is a web application security architect, expert witness, author, and speaker. Frank joins us to discuss secure coding with Ruby on Rails. We get into a discussion about RoR vs. other frameworks and languages, primary threats, counters to those threats, and tools available to the RoR developer to assist with security. We hope you enjoy this conversation with… Frank Rietta.
Dmitry Sotnikov – REST API Security – there is no silver bullet
Dmitry Sotnikov serves as Chief Product Officer at 42Crunch – an enterprise API security company. He maintains https://APISecurity.io, a popular community site with daily API security news and a weekly newsletter covering API vulnerabilities, breaches, standards, best practices, regulations, and tools. Dmitry joins us to discuss REST API security. We talk about the top API security threats, counters to those threats, and the details of APISecurity.io. We hope you enjoy this conversation with… Dmitry Sotnikov.
Caroline Wong — The state of Penetration Testing
Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec Product Manager, and day-to-day leadership roles at eBay and Zynga. Caroline joins us to talk about penetration testing and reviews key findings from the Cobalt.io “State of Pentesting” report. We hope you enjoy Caroline Wong’s second visit to the Application Security Podcast.
Caroline’s first appearance on the show is found here.
Aaron Davis — LavaMoat — solving JavaScript software supply chain
Aaron Davis is a founder, dev, and a lead security researcher at MetaMask, a popular Ethereum wallet. He introduces us to LavaMoat, an approach to solving JavaScript software supply chain security for Node.js and the browser. The LavaMoat runtime prevents packages from modifying JavaScript’s primordials, limits their access to the platform API, and prevents packages from corrupting other packages. We hope you enjoy this conversation with… Aaron Davis.
https://github.com/LavaMoat/lavamoat
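The primordials problem the episode describes, as an added example that is not LavaMoat’s code: a constructed dependency rewrites Array.prototype.map to siphon off every array the application maps over, and a small deep-freeze of a few intrinsics, standing in for the full LavaMoat/SES lockdown, shows the same patch being rejected. The names installMaliciousPatch, processSecrets, freezePrimordials and demo are assumptions made for this illustration.

```javascript
'use strict';
// Added example, not LavaMoat's code: why a dependency that can rewrite
// JavaScript's primordials (the built-in objects every package shares) can
// silently compromise every other package, and how freezing those intrinsics
// stops it. LavaMoat/SES lock down every intrinsic after repairing known
// incompatibilities; this freezes only a handful, to show the idea.

const pristineMap = Array.prototype.map;

// Constructed malicious dependency: replaces Array.prototype.map with a wrapper
// that copies every array it sees into `sink` before doing the real work.
function installMaliciousPatch(sink) {
  const original = Array.prototype.map;
  try {
    // On a frozen object this write throws in strict mode and is silently
    // ignored in sloppy mode; the comparison below catches both outcomes.
    Array.prototype.map = function patchedMap(...args) {
      sink.push(...this);
      return original.apply(this, args);
    };
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  return Array.prototype.map !== original; // true only if the patch took hold
}

// Constructed application code; it has no idea map() may have been replaced.
function processSecrets(secrets) {
  return secrets.map((s) => s.length);
}

// Minimal lockdown: deep-freeze the listed intrinsics and everything reachable
// through their own properties (methods, nested objects, accessor functions).
function freezePrimordials(roots = [Array, Array.prototype, Math, JSON]) {
  const seen = new Set();
  const walk = (v) => {
    if (v === null || (typeof v !== 'object' && typeof v !== 'function')) return;
    if (seen.has(v)) return;
    seen.add(v);
    Object.freeze(v);
    for (const key of Reflect.ownKeys(v)) {
      const d = Object.getOwnPropertyDescriptor(v, key);
      if ('value' in d) walk(d.value);
      else { walk(d.get); walk(d.set); }
    }
  };
  roots.forEach(walk);
  return roots.every((r) => Object.isFrozen(r));
}

// Run the attack once in an unprotected realm and once after lockdown.
function demo() {
  const sink = [];
  const secrets = ['hunter2', 'correct horse battery staple']; // constructed data

  // 1. Unprotected: the patch lands and application data flows to the sink.
  const patchedBefore = installMaliciousPatch(sink);
  const lengths = processSecrets(secrets);
  const leakedBefore = sink.length;

  // Undo the patch so the protected run starts from a clean state.
  Array.prototype.map = pristineMap;
  sink.length = 0;

  // 2. Locked down: the same patch is rejected and nothing leaks.
  const frozen = freezePrimordials();
  const patchedAfter = installMaliciousPatch(sink);
  processSecrets(secrets);
  const leakedAfter = sink.length;

  return { patchedBefore, lengths, leakedBefore, frozen, patchedAfter, leakedAfter };
}

const RESULT = demo();
console.log(RESULT);
// { patchedBefore: true, lengths: [ 7, 28 ], leakedBefore: 2,
//   frozen: true, patchedAfter: false, leakedAfter: 0 }
```

Run it with node: the first half of the result shows the leak, the second shows the same code path leaking nothing once the intrinsics are frozen. A real lockdown also freezes Object.prototype and Function.prototype, which trips the “override mistake” (after Object.prototype is frozen, `obj.toString = fn` on a plain object throws in strict mode because the inherited property is non-writable); that is why SES repairs those intrinsics before freezing rather than freezing them naively, and why the freeze above stops short of them.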
Anastasiia Voitova — Use Cryptography; Don’t Learn It
Anastasiia Voitova is a software engineer who works on data security solutions at @cossacklabs, making complex crypto easy to use in modern software. She joins us to explore the idea of boring crypto. She caught our attention with a talk at OWASP 24 where she encouraged developers to NOT learn crypto. You’ll have to listen to understand her rationale. She explains the mistakes folks make with crypto, what boring crypto is, and how to get started implementing boring crypto. We hope you enjoy this conversation with… Anastasiia Voitova.
Michael Furman — SameSite Cookies
Michael Furman is the Lead Security Architect at Tufin, and is responsible for the security and Security Development Lifecycle (SDL) of Tufin software products. Michael has been passionate about application security for over 13 years and evangelizes application security at various conferences (including OWASP conferences) and security meetups. Michael joins us to break down SameSite cookies, which are all the rage in browsers these days. He describes what they are, the threats they counter, and how SameSite and the Synchronizer Token Pattern work together to counter CSRF. We hope you enjoy this conversation with… Michael Furman.
Chris Romeo — The State of Security and the Importance of Empathy
Application security applies to everyone, network architects included. Chris had an opportunity to join a friend’s Podcast called “The Hedge.” Chris talks with hosts Tom and Russ about the state of security and what network engineers need to know about security from an application perspective. They talk about the importance of empathy in all jobs, walking a mile in the shoes of those that work around you.
You’ll find this episode on the Hedge site at https://rule11.tech/hedge-048/.
Neil Matatall — Content Security Policy
Grant Ongers — Gamification of threat modeling
Elie Saad — OWASP WSTG, Cheat Sheets, and Integration
Graham Holmes — Adversarial Machine Learning
Graham Holmes is the founder and owner of AoP CyberSecurity, LLC whose mission is to enable organizations to “create scalable and effective strategies for trustworthy outcomes.” His career includes over 22 years as a leader at Cisco Systems, where he infamously served as my boss for a period of time, and before that he served in the US Navy as a commissioned officer for 9 years. Graham joins us to discuss adversarial machine learning. We explore the threats and attacks in an AI/ML world, and review solutions to address these challenges using trust as a foundation. Please enjoy this conversation with Graham Holmes.
Ochaun Marshall — Securing Web applications in AWS
Drew Dennison – Security should make the computer sweat more
Aaron Guzman — IoTGoat
Aaron Guzman specializes in IoT, embedded, and automotive security. Aaron is the co-author of “IoT Penetration Testing Cookbook”. He helps lead both OWASP’s Embedded Application Security and Internet of Things projects, providing practical guidance for addressing top security vulnerabilities to the embedded and IoT community. Aaron joins us to explore IoTGoat. IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals about testing for commonly found vulnerabilities in IoT devices. He describes what it is, where it comes from, and does a demo for us on how to put it to use.
For season 7 and beyond, we’ve launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You’ll want to check it out, as many interviews now include demos, where we capture the screen during the interview. We hope you enjoy this conversation with… Aaron Guzman.
Adam Shostack — The Jenga View of Threat Modeling
Cindy Blake — Aligning security testing with Agile development
Jannik Hollenbach — Multijuicer: JuiceShop with a side of Kubernetes
Sebastien Deleersnyder and Bart De Win — OWASP SAMM
Subscribe Now
Subscribe with your favorite podcast app using this feed address: https://podcast.securityjourney.com/feed/podcast/