The Application Security Podcast
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
Episodes
285 episodes
Javan Rasokat and Andra Lezza -- When Chatbots Go Rogue - Lessons Learned from Building and Defending LLM Applications
Andra Lezza and Javan Rasokat discuss the complexities of securing AI and LLM applications. With years of experience in Application Security (AppSec), Andra and Javan share their journey and lessons from their DEF CON talk on building and defen...
•
Season 12
•
Episode 8
•
47:31
Jim Routh -- The CISO Transition to the rest of life
Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and a...
•
Season 12
•
Episode 7
•
49:36
Henrik Plate -- OWASP Top 10 Open Source Risks
Henrik Plate joins us to discuss the OWASP Top 10 Open Source Risks, a guide highlighting critical security and operational challenges in using open source dependencies. The list includes risks like known vulnerabilities, compromised legitimate...
•
Season 12
•
Episode 6
•
38:26
Tanya Janca -- A Secure SDLC from a Developer's Perspective
Security expert Tanya Janca discusses her new book "Alice and Bob Learn Secure Coding" and shares insights on making security accessible to developers. In this engaging conversation, she explores how security professionals can better connect wi...
•
Season 12
•
Episode 5
•
48:54
Mehran Koushkebaghi -- Security as a Systemic Concern: How to develop Anti-Requirements
Mehran Koushkebaghi, a seasoned engineering expert, delves into the intricacies of systemic security. He draws parallels between civil engineering and IT systems, and explains the importance of holistic thinking in security design. Discover the...
•
Season 12
•
Episode 4
•
45:08
Kalyani Pawar -- Shaping AppSec at Startups
Kalyani Pawar shares critical strategies for integrating security early and effectively in AppSec for startups. She recommends that startups begin focusing on AppSec around the 30-employee mark, with an ideal ratio of one AppSec professional pe...
•
Season 12
•
Episode 3
•
39:52
Milan Williams -- AppSec Metrics
Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landsc...
•
Season 12
•
Episode 2
•
36:16
MO Sadek -- Building an AppSec Program from Scratch
Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He em...
•
Season 12
•
Episode 1
•
48:50
Brett Crawley -- Threat Modeling Gameplay with EoP
Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention...
•
Season 11
•
Episode 29
•
45:28
Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements
Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not...
•
Season 11
•
Episode 28
•
50:20
Kayra Otaner -- DevSecOps
Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question, is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is...
•
Season 11
•
Episode 27
•
32:46
François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages
François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source ...
•
Season 11
•
Episode 26
•
45:31
Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications
Steve Wilson, the author of 'The Developer's Playbook for Large Language Model Security’ is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of ac...
•
Season 11
•
Episode 24
•
36:32
Jeff Williams -- Application Detection & Response (ADR)
Jeff Williams, a renowned pioneer in the field of application security is with us to discuss Application Detection and Response (ADR), detailing its potential to revolutionize security in production environments. Jeff shares stories from his ca...
•
Season 11
•
Episode 23
•
51:28
Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing
Philip Wiley shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack an...
•
Season 11
•
Episode 22
•
52:08
Steve Springett -- Software and System Transparency
Steve Springett, an expert in secure software development and a key figure in several OWASP projects is back. Steve unpacks CycloneDX and the value proposition of various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM...
•
Season 11
•
Episode 21
•
48:13
Irfaan Santoe -- The Power of Strategy in AppSec
Irfaan Santoe joins us for an in-depth discussion on the power of strategy in Application Security. We delve into measuring AppSec maturity, return on investment, and communicating technical needs to business leaders. Irfaan shares his unique j...
•
Season 11
•
Episode 20
•
40:14
Andrew Van Der Stock -- The New OWASP Top Ten
Andrew Van Der Stok, a leading web application security specialist and executive director at OWASP joins us for this episode. We discuss the latest with the OWASP Top 10 Project, the importance of data collection, and the need for developer eng...
•
Season 11
•
Episode 19
•
51:51
Derek Fisher -- Hiring in Cyber/AppSec
Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience is back on the podcast. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of en...
•
Season 11
•
Episode 18
•
1:01:45
Tanya Janca -- Secure Guardrails
Tanya Janka, also known as SheHacksPurple, discusses secure guardrails, the difference between guardrails and paved roads, and how to implement both in application security. Tanya is an award-winning public speaker and head of education at SEMG...
•
Season 11
•
Episode 17
•
1:04:50
Jahanzeb Farooq -- Launching and executing an AppSec program
Jahanzeb Farooq discusses his journey in cybersecurity and the challenges of building AppSec programs from scratch. Jahanzeb shares his experience working in various industries, including Siemens, Novo Nordisk, and Danske Bank, highlighting the...
•
Season 11
•
Episode 16
•
49:44
David Quisenberry -- Building Security, People, and Programs
David Quisenberry shares about his journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making. The conversation delves into the value of mentoring and...
•
Season 11
•
Episode 15
•
56:54
Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People
Matt Rose, an experienced technical AppSec testing leader discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security and exploring how different perceptions a...
•
Season 11
•
Episode 14
•
46:14
James Berthoty -- Is DAST Dead? And the future of API security
James Berthoty, a cloud security engineer with a diverse IT background, discusses his journey into application and product security. James highlights his career trajectory from IT operations to cloud security, his experiences with security tool...
•
Season 11
•
Episode 13
•
44:56
Mark Curphey and Simon Bennetts -- Riding the Coat Tails of ZAP, without Open Source Funding
Mark Curphey and Simon Bennetts, join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP. Curphey shares about going fully independent and building a non-profit sust...
•
Season 11
•
Episode 12
•
42:32