The Application Security Podcast’s Episode List2018-08-24T04:54:42+00:00

Episodes List

106, 2019

Björn Kimminich — The new JuiceShop, GSOC, and Open Security Summit

Björn Kimminich is the project leader for OWASP JuiceShop. This is his second visit to the podcast, and we discuss new features in JuiceShop, including XSS in jingle promo video, marketing campaign coupon hacking, GDPR related features and challenges, working 2FA with TOTP, and the DLP failure challenges. Then we get into the cool new things that will come as a result of the GSoC, where a developer will add new functionality to the JS where new vulns can be hidden. We end discussing the upcoming Open Security Summit from OWASP.

2605, 2019

Björn Kimminich — JuiceShop — 5 minute AppSec

Björn Kimminich is the project leader for OWASP JuiceShop. He created JuiceShop out of necessity, after reviewing all the available vulnerable web apps years ago, and not finding what he needed. OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

2105, 2019

Nancy Gariché and Tanya Janca — DevSlop, the movement

Nancy Gariché and Tanya Janca are two of the project leaders for the OWASP DevSlop Project. As we learn more about DevSlop, we realize that it is much more than a project: it’s a movement. DevSlop is about the learning and sharing of four awesome women and is a platform for them to share what they’ve learned with the community.

DevSlop consists of four different modules:

  1. Patty – An Azure DevSecOps pipeline
  2. Pixi-CRS & Pixi-CRS-ZAP are two Circle-CI pipelines that demonstrate adding a WAF to your pipeline for automatic tuning before moving your apps to prod
  3. Pixi is an intentionally vulnerable app and consists of a vulnerable web app and API service,
  4. The DevSlop Show, a video streaming series where project members build things live, interview members of the OWASP and InfoSec community, and learn where they fit into DevOps.

We hope you enjoy.

Find Nancy, Tanya, and DevSlop on Twitter.

2005, 2019

Tanya Janca — Mentoring Monday — 5 Minute AppSec

Tanya Janca is excited about mentoring. She’s started a hashtag on Twitter for mentors to find mentee’s, and for mentee’s to search for mentors. Mentoring is such an essential part of growing our community, so if you are not mentoring anyone today, I can only ask, why not? Here is Tanya’s take on mentoring and her advice on how to get involved with #MentoringMonday.

5 Minute AppSec is an AppSec Podcast experiment with micro-content. Hit us up on Twitter and tell us what you think, @AppSecPodcast.

1305, 2019

Matt Clapham — A perspective on appsec from the world of medical software

Matt Clapham is a product security person, as a developer, security engineer, advisor,  and manager. He began his career as a software tester, which led him down the path of figuring out how to break things.   Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. (And if he visits your booth at an event, you better know how your companies make a secure product or solution!)

605, 2019

Jon McCoy — Hacker outreach

Jon McCoy is a security engineer, a developer, and a hacker; and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion to connect people and break down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas.  Jon also remembered a cautionary tale of Robert’s Fitbit out at a DefCon event. Jon is someone we can all learn from about giving back to our community.

105, 2019

Omer Levi Hevroni — K8s can keep a secret?

Omer Levi Hevroni has written extensively on the topic of Kubernetes and secrets, and he’s a super dev. He’s the author of a tool for secrets management called Kamus. Kamus is an open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS, and AES).

Find Omer on Twitter to converse about all things K8s and secrets.

Show notes:

2404, 2019

Izar Tarandach — Command line threat modeling with pytm

Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as a “A Pythonic framework for threat modeling”. The GitHub page goes on to say define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate, a Data Flow Diagram (DFD), a Sequence Diagram and most important of all, threats to your system.

Reach out to Izar on Twitter and visit the pytm GitHub page to download and try this tool out for yourself!

1304, 2019

Simon Bennetts — OWASP ZAP: past, present, and future

Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and ZAP API.

ZAP is an OWASP FlagShip Project and is available here:

804, 2019

Bill Sempf — Growing AppSec People and KidzMash

Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash.

3103, 2019

Georgia Weidman — Mobile, IoT, and Pen Testing

Georgia Weidman (@georgiaweidman) met with Robert at CodeMash to discuss her origin story, mobile, IoT, penetration testing, and details about her various companies.

If you’ve never seen Georgia’s book on penetration testing, we recommend you grab a copy.

To sign up for the <Hi/5> newsletter mentioned at the start of this week’s show, visit

2502, 2019

Season 4 Finale (S04E27)

Here it is. The finale of season four. Thanks to everyone who listens in and remember, if there’s any people you want us to interview on the podcast, tweet at us @AppSecPodcast

102, 2019

Rapid Threat Model Prototyping Process (S04E26)

On this episode, Chris and Robert are joined by Geoff Hill to talk about Rapid Threat Model Prototyping Process.

You can find Geoff on Twitter @Tutamantic_Sec

1101, 2019

AppSec in Israel and Three Talks to watch from AppSec USA(S04E23)

On this episode, Chris is joined by Josh Grossman, Avi Douglen, and Ofer Maor at AppSec USA. They discuss the AppSec group in Israel and a few important talks you should watch from AppSec USA this year.

You can find Josh on Twitter @JoshCGrossman

You can find Avi on Twitter @sec_tigger

You can find Ofer on Twitter @OferMaor

101, 2019

OWASP IoT Top 10 (S04E22)

On this episode, Chris and Robert are joined by Daniel Miessler to talk about the upcoming Top 10 list for IoT.

You can find Daniel on Twitter @DanielMiessler

IoT Project

1812, 2018

SecOps Makes Developers Lives Easier (S04E21)

On this episode, Chris is joined by Travis McPeak to talk about SecOps and the ways it can help make a developers life easier.

You can find Travis on Twitter @travismcpeak

1012, 2018

Security Culture Hacking: Disrupting the Security Status Quo (S04E20)

On this week, we listen in on the #AppSecUSA talk by Chris about Security Culture Hacking.

You can find Chris on Twitter @edgeroute



312, 2018

The Extremely Unabridged History of SQLi and XSS(S04E19)

On this episode, Jim Manico joins again to talk about the ways that AppSec has changed over the years and give us an in-depth look at the history of SQL Injection and XSS.

You can find Jim on Twitter @manicode

1911, 2018

The Joy of the Vulnerable Web: JuiceShop(S04E17)

Bjorn Kimminich joins to talk about JuiceShop on this weeks episode. He dives into what JuiceShop is and some of the use cases for it.

You can find Bjorn on Twitter @bkimminich

JuiceShop’s Twitter

JuiceShop Demo


1311, 2018

iGoat and iOS Mobile Pen Testing (S04E16)

On this episode, Chris is at AppSec USA and is joined by Swaroop to talk about iGoat. They discuss how iGoat relates to WebGoat and how they can be used for pen testing.

You can find Swaroop on Twitter @swaroopsy

511, 2018

Two Sides to a Bug Bounty: The Researcher and The Program (S04E15)

On this episode, Chris and Robert talk with Adam and John from HackerOne about Bug Bounty. They dive into bug bounty from the programming side and the security researcher side to show how you can put these pieces together to be successful with bug bounty.

You can find Adam on Twitter @SushiHack and Jon @jon_bottarini



3010, 2018

What You Require, You Must Also Retire (S04E14)

Chris talks with Erlend Oftedal about what the Norway Chapter of OWASP and continues on into what retire.js is and how it works.

You can find Erlend on Twitter @webtonull