The Application Security Podcast’s Episode List2018-08-24T04:54:42+00:00

Episodes List

1601, 2020

Maya Kaczorowski — Container and Orchestration Security

Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Maya has a Master’s in mathematics, focusing on cryptography and game theory. Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for enhancing security as you role out containers and Kubernetes.

901, 2020

Geoff Hill — AppSec, DevSecOps, and Diplomacy

Geoffrey Hill is an AppSec DevSecOps leader and Architect. Geoff joins us to discuss his experiences rolling out DevSecOps in both Agile and non-Agile practicing shops. We hope you enjoy this conversation with…Geoff Hill.

301, 2020

Erez Yalon — The OWASP API Security Project

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy this conversation with … Erez Yalon.

Find the Document on the OWASP GitHub:

2012, 2019

Steve Lipner — The Past, Present, and Future of SDL

Steve Lipner is a pioneer in cybersecurity, approaching 50 years’ experience. He retired in 2015 from Microsoft where he was the creator and long-time leader of Microsoft’s Security Development Lifecycle (SDL) team. While at Microsoft, Steve also created initiatives to encourage industry adoption of secure development practices and the SDL and served as a member and chair of the SAFECode board. Steve joins us to talk about all things SDL, and I must say, I was super excited for this interview, with way too many questions for someone who was there on day 1 of Secure Development Lifecycle. We hope you enjoy this conversation with…Steve Lipner.
1612, 2019

David Kosorok — The Three Pillars of an AppSec Program: Prevent, Detect, and React

David Kosorok is a code security expert, software tester, father of 9, and a self-described major nerd. David is the Director of AppSec at Align Tech, and a fellow member of the Raleigh Durham tech community. David joins us to speak about the three pillars of building an application security program: Prevent, Detect, and React. When we think the program, we’ve never heard anyone relate a program this way, and thought you needed to hear about a different approach to program building. We hope you enjoy this conversation with…. David Kosorok.

112, 2019

Chris and Robert: A Taste of Hi-5

As the hosts of the Application Security Podcast, we get the opportunity from time to time to mix it up. This week we gather a few security articles, share a summary, and offer our opinions (for what our opinions are worth). The source of the articles is Hi-5,  a weekly newsletter containing five security articles that are worth your time. We scour the Interwebs looking for the best articles on application and product security and share those with you. You can subscribe to Hi-5 on the Security Journey website.

Hit us up on Twitter and let us know if you like this format and if we should do more of this type of content. We hope you enjoy this episode with, Chris and Robert.

These are the articles:

Interest In Secure Design Practices Is Increasing Leading To Two Predictions

Developers mentoring other developers: practices I’ve seen work well

7 Web Application Security Best Practices

2111, 2019

Bill Dougherty — INCLUDES NO DIRT, practical threat modeling for healthcare and beyond

Bill Dougherty is the vice president of IT and security at Omada Health, where he leads a team responsible for all aspects of internal IT including SaaS strategy, end-user support, vendor management, operational security and compliance. Bill along with Patrick Curry created the INCLUDES NO DIRT approach to threat modeling, which takes threat modeling to the next level, beyond STRIDE, and goes head on with a more modern set of real-world security considerations. We hope you enjoy this conversation with, Bill Dougherty.

Find Bill on Twitter @bdognet.

For an article about the methodology, see INCLUDES NO DIRT: A Practical Threat Modeling Approach for Digital Healthcare and Beyond 

For the paper that describes the methodology and how to implement, see INCLUDES NO DIRT

1011, 2019

Marc French — The AppSec CISO

Marc French is a security person, firearms geek, scuba guy, lousy golfer, and an aspiring blacksmith. We met Marc in the hallway at the Boston Application Security Conference. Marc has extensive experience as a CISO but came from the world of AppSec to the exec suite, which is not the normal path. We discuss what is a CISO, and what does a CISO actually do, the role of AppSec in the life of the CISO, and tips Marc has for those that wish to become a CISO someday. We hope you enjoy this conversation with Marc French.

2610, 2019

Season 5 Finale — A cross section of #AppSec

Threat modeling, secrets, mentoring, self-care, program building, and much more. Clips from Georgia Weidman, Simon Bennetts, Izar Tarandach, Omer Levi Hevroni, Tanya Janca, Björn Kimminich, Caroline Wong, Adam Shostack, Steve Springett, Matt McGrath, Brook Schoenfield, and Ronnie Flathers.

2809, 2019

Ronnie Flathers — Security programs big and small

Ronnie Flathers is a security guy, a pentester, and a researcher. In this conversation, we explore his experiences in building application security programs. He’s had the opportunity to program build inside of companies big and small.

1509, 2019

Brook Schoenfield — Security is a messy problem

Brook Schoenfield is a Master Security Architect @IOActive and author of Securing Systems, as well as an industry leader in security architecture and threat modeling, and a friend.

“We have a static analysis tool. Why do we need a program?” This is what Brook overheard at one point in his past, from a company CTO, and it sums up the program issue. The CTO was trying to drive a technical strategy for an entire company, and security was just one piece of that. A mandate or a tool would have made life so easy.

Brook takes us on a journey based on his experience building programs, with advice, stories, comments, and quotes. We talk about architecture, culture, mindset, tools, compilers and so much more.

Catch Brook’s next book, “Secrets of a Cyber Security Architect” which arrives in Fall 2019.

Here is Brook’s first book on Amazon: Securing Systems: Applied Security Architecture and Threat Models




509, 2019

Liran Tal — The state of open source software security

Liran Tal is a Developer Advocate @snyksec and is the author of Essential Node.js Security. He takes #opensource and protecting the #web very seriously.

Liran and I start by geeking out about BBS’s in the days of old. SYSOP page, anyone? Then we go into the state of open source security based on the report that Liran contributed heavily to and discuss many of the key takeaways from that report, including the developer response to open source security, security vulnerability rates in docker containers, and the length of time that vulnerabilities lie dormant in open source. We close out with the three things Liran would do to improve open source security if he could only do three things.
2708, 2019

Steve Springett — An insiders checklist for Software Composition Analysis

Steve Springett is a technologist, husband, father, entrepreneur, and tequila aficionado. He is the creator of the OWASP @DependencyTrack and @CycloneDX_Spec. In this conversation, we begin with the problem of software supply chain risk and the failures of commercial Software Composition Analysis tools. We then go through an extensive list of criteria for purchasing a software composition analysis tool. I have never seen a list like this ever shared anywhere in the industry. Steve is definitely in the know when it comes to these types of tools, and this is a detailed checklist of what he looks for in a tool.  We end with a 60-second update on Dependency Track.

2508, 2019

Steve Springett — OWASP Dependency Track — 5 Minute AppSec

The question is for Steve Springett, in regards to Software Composition Analysis / Software Supply Chain and OWASP Dependency Track.

1908, 2019

Elissa Shevinsky — Static Analysis early and often

Elissa Shevinsky is CEO at Faster Than Light. She’s had a storied career as an entrepreneur with Brave, Everyday Health, and Geekcorps. We discuss Elissa’s origin story, security startups, and the value of mentoring to her career. Then we get into Static Analysis and how we make security easier for people so that security gets done. 

1408, 2019

Elissa Shevinsky — Be Kind, Security People — 5 Minute AppSec

Robert asks Elissa Shevinsky, why should people be nice, or why is niceness important in security?

508, 2019

Matt McGrath — Security coaches

Matt McGrath is an old school Java developer that made the transition into security. Matt has had success in rolling out a programmatic approach to security improvement called security coaching.

A security coach is much more than a wellness or life coach for your developers. They have some commonalities, but the security coach is thinking about how you help the developer want to get better at security. In his experience, developers are not going to kick and scream away from security but will embrace it when asked.

The job description for a good coach does not require a development background. The biggest thing you need is a passion for security. Communication is one of the most important things for a coach to have as well, and technical skills do not hurt.

We hope you enjoy this conversation with Matt McGrath.

Our sponsor for this episode is Security Journey. Security Journey knows that building security culture takes time and planning. Our belts are carefully designed to help you build security culture from the ground up.

2907, 2019

Erez Yalon and Liora Herman – The Application Security Village @ DefCon

Erez Yalon and Liora Herman are both passionate security professionals. They joined forces to create the AppSec Village, an event at DefCon in Las Vegas. If you are in Vegas for BH/DC, stop by the village and say hi to Robert, who will be in attendance as well.

2907, 2019

Erez Yalon – AppSec Village – 5 Minute AppSec

It’s BlackHat and DefCon season, so we asked a question of Erez Yalon; why did you start the AppSec Village?

1907, 2019

Tommy Ross — The BSA Framework for Secure Software

Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA members to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software.  This document caught our attention when it came out a few months ago, as it is a reliable representation of all the pieces an organization needs for software security. Tommy shares with us some of the background stories on how this document came to be, and also walks through the various pieces contained within.

If you’d like to comment or collaborate on this document, it is available in the review form at

The PDF is available on the BSA website:

1007, 2019

Adam Shostack — Threat modeling layer 8 and conflict modeling

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modeling. In this episode, we take threat modeling to a whole new level as we explore the idea of threat modeling layer 8 or human beings, and explore the concept of conflict modeling.

You’ll find Adam’s conflict modeling work on GitHub.

907, 2019

Adam Shostack – Threat Modeling – 5 Minute AppSec

If you’ve done anything with threat modeling, you’ve heard of Adam Shostack. We asked him the question, “why would anyone threat model?”.

107, 2019

Zoe Braiterman — AI, ML, AppSec, and a dose of data protection

Zoe Braiterman is an Innovation Intelligence Strategist focused on both the Machine and Human and also the OWASP WIA Chair. We explore the intersection of application security with artificial intelligence and machine learning and end up discussing data protection. Zoe approaches AppSec from a different angle, and her perspectives get us thinking about the importance of appsec in the future of autonomous everything.

1406, 2019

Caroline Wong — Self-care and self-aware for security people

Caroline Wong has had a long career in security, starting with eBay and leading to her role today at Cobalt.IO as Chief Strategist. Caroline shares her explanation of self-care and tells her story about how neglecting self-care led to problems. She offers ideas about how to better approach self-care as a security professional, work-life balance, and ways for approaching a successful career in security.

Go to Top