Show cover of Application Security PodCast

Application Security PodCast

Chris and Robert deconstruct world-class Application Security experts, digging deep to find the tools, tactics, projects, and tricks that make them successful. Each episode begins with the guest's security origin story or how they got started in Application Security. Topics range from DevOps+security, secure coding, OWASP, threat modeling, security culture, and anything else they can think of regarding application security. Chris Romeo (@edgeroute) is the CSO of Security Journey, and Robert Hurlbut (@roberthurlbut) is a Principal Application Security Architect focused on Threat Modeling at Aquia.


Guy Barhart-Magen -- Log4j and Incident Response
With nearly 25 years of experience in the cyber-security industry, Guy held various positions in both corporates and startups.In his role as the CTO for the cyber crisis management firm Profero, his focus is making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach.Guy is the BSidesTLV chairman and CTF lead, a Public speaker in well-known global security events (SAS, t2, 44CON, BSidesLV, and several DefCon villages, to name a few), and the recipient of the Cisco “black belt” security ninja honor – Cisco’s highest cybersecurity advocate rank.Guy joins us to explore his front-row seat for the incident response with Log4j. There are many AppSec lessons to learn by understanding the greater depth of Log4J. We hope you enjoy this episode with .... Guy Barhart-Magen.
43:45 09/23/2022
Brett Smith -- Security is a Necessary Evil
Brett Smith is a Software Architect/Engineer/Developer with 20+ years of experience. Specialties: Automation, Continuous Integration/Delivery/Testing/Deployment Expertise: Linux, packaging, and tool design. Brett joins us to discuss why he hates security and shares his vast knowledge of building a secure and cutting-edge build pipeline. We hope you enjoy this conversation with...Brett Smith.
43:36 08/30/2022
Chen Gour-Arie -- The AppSec Map
Chen Gour-Arie is the Chief Architect and Co-Founder of Enso Security. With over 15 years of hands-on experience in cybersecurity and software development, Chen demonstrably bolstered the software security of dozens of global enterprise organizations across multiple industry verticals. An enthusiastic builder, he has focused his career on building tools to optimize and accelerate security testing and all related workflows. Ken joins us to introduce the AppSec Map and provides a live demo of the catalog and what AppSec practitioners can use it for. We hope you enjoy this conversation with...Chen Gour-Arie.
33:37 08/16/2022
Dominique Righetto -- OWASP Secure Headers
Dominique Righetto is an AppSec enthusiast and OWASP projects contributor. Dominique joins us to discuss the OWASP Secure Headers project. We discuss headers at a high level and then dive into all the goodies you'll find within the project, from awareness, guidance, and a test suite that can be integrated into your CI/CD pipeline to test your security headers. We hope you enjoy this conversation with...Dominique Righetto.
27:53 08/09/2022
Hillel Solow -- How to do AppSec without a security team
Hillel Solow is Chairman of the Board at ProtectOnce, where he helps guide product and security strategy. Hillel is a serial entrepreneur in the cybersecurity space, but his favorite thing is still writing code at 2 am. Hillel joins us to discuss how to do appsec without a security team. We explore the building blocks of an appsec program, and what appsec looks like for companies of different sizes, from startup to midsize to enterprise.  Then dive into Hillel's most important advice for companies who can't afford a security person. We hope you enjoy this conversation with… Hillel Solow. 
33:52 07/25/2022
Chris Romeo -- The Security Journey Story
In this episode of the Application Security Podcast, Chris Romeo walks through the origin story of Security Journey and shares some experiences taking a security startup from bootstrap to acquisition. Chris talks about how and why he started the company, what defining factors made Security Journey successful and why they're being acquired now. He ends by giving an overview of what to expect from Security Journey moving forward. We hope you enjoy this conversation with…Chris Romeo.Check out these resources for more information about the acquisition!Press Release:'s Blog Post:'s Blog Post:
27:13 06/02/2022
Kristen Tan and Vaibhav Garg -- Machine Assisted Threat Modeling
In this episode of the Application Security Podcast, we talk to Kristen Tan and Vaibhav Garg from Comcast. They wrote a paper called "An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy".  They join us to share their story about what they were doing and why they did it. We hope you enjoy this conversation with...Kristen and VG.
46:17 05/10/2022
Patrick Dwyer -- CycloneDX and SBOMs
Patrick is a Senior Product Security Engineer in the Application Security team at ServiceNow. He is also Co-Leader of the OWASP CycloneDX project. A lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
28:33 05/03/2022
Omer Gil and Daniel Krivelevich -- Top 10 CI/CD Security Risks
Daniel Krivelevich is a cybersecurity expert and problem solver, with 15+ years of enterprise security experience with a proven track record working with 100+ enterprises across multiple industries, with a strong orientation to Application & Cloud Security. Daniel co-Founded Cider Security as the company’s CTO. Cider is a startup focused on securing CI/CD pipelines, flows, and systems.Omer is a seasoned application and cloud security expert with over 13 years of experience across multiple security disciplines. An experienced researcher and public speaker, Omer discovered the Web Cache Deception attack vector in 2017. Omer leads research at Cider Security.We hope you enjoy this conversation with...Omer and Daniel. 
50:40 04/25/2022
Josh Grossman -- Building a High-Value AppSec Scanning Program
Josh Grossman has over 15 years of experience in IT Risk and Application Security consulting, and he has also worked as a software developer. He currently works as CTO for Bounce Security, where he focuses on helping organizations build secure products by providing value-driven Application Security support and guidance.In his spare time, he is very involved with OWASP. He is on the OWASP Israel chapter board, he is a co-leader of the OWASP Application Security Verification Standard project, and he has contributed to various other projects as well, including the Top 10 Risks, Top Ten Proactive Controls and JuiceShop projects. We hope you enjoy this conversation with...Josh Grossman.
43:00 04/19/2022
Alex Mor -- Application Risk Profiling at Scale
Alex Mor is a passionate cybersecurity defender or breaker depending on the time of day, providing expert technical guidance to product teams and building security in their platforms. Alex joins us to talk about application risk profiling. He defines what this concept is to help us understand it. Then we talk about how can you do application risk profiling at scale? Whether you have ten applications or 1500 applications? How do you bring this together and gain real true security value from this idea of profiling your applications? We hope you enjoyed this conversation with Alex Mor.
42:46 03/15/2022
Brenna Leath -- Product Security Leads: A different way of approaching Security Champions
Brenna Leath is currently the Head of Product Security for a data analytics company where she sets the application security strategy for R&D and leads a team of security architects. Brenna originally joined us to talk about EO 14028 and the implications for private sector programs, BUT, we were chatting about security champions and product security leads, and we changed our focus to cover these topics instead. We hope you enjoy this conversation with...Brenna Leath.
33:11 03/09/2022
Will Ratner -- Centralized container scanning
Will Ratner is a software security professional with extensive experience building and implementing security solutions across a myriad of industries including banking, media, construction, and information technology. In his current role at Atlassian, Will focuses on improving the vulnerability management process by building highly scalable and automated solutions for the enterprise. Will joins us to discuss a centralized approach he built for container scanning. We explore the challenges and lessons learned, building a scalable, enterprise-grade solution, and how to build something that developers will see value in. We hope you enjoy this conversation with...Will Ratner.
42:15 02/16/2022
Neil Matatall -- AppSec at Scale
Neil Matatall is an engineer with a background in security. He has previously worked at GitHub and Twitter and is a co-founder of Loco Moco Product Security Conference. Neil joins us for his second visit, to discuss account security at scale. He describes the underlying principles behind security at scale, how he worked to build a sign-in analysis feature, and how attacks were detected. We ended the conversation with an authentication lightning round, with Neil responding to various statements about authentication off the cuff! We hope you enjoy this episode with Neil Matatall.Check out our previous conversation with Neil Matatall.
39:13 02/09/2022
Joern Freydank -- Security Design Anti Patterns Limit Security Debt
Joern Freydank is a Lead Cyber Security Engineer with more than 20 years of experience. He is currently establishing the Threat Modeling Program at a major insurance company. Joern joins us to talk about security design anti-patterns. He defines the term, explains security debt, reviews the categories of anti-patterns, and walks us through the example of a common role misconception. We hope you enjoy this conversation with...Joern Freydank.For more from Joern, check out his talk, Security Design Anti-Patterns -- Creating Awareness to Limit Security Debt, from Global AppSec:
36:47 01/25/2022
Ken Toler -- Blockchain, Cloud, and #AppSec
Ken Toler is a principal consultant at Kudelski Security and is passionate about building and optimizing application security programs that stick through strong adoption and ease of use. Ken has spent considerable time on all sides of the security aisle from playing defense and managing security teams to offense by breaking applications and reviewing code. Ken is also the host and creator of the Relating to DevSecOps podcast that focuses on forging strong relationships between engineers, operations, and security through collaboration, understanding, skill-sharing, and healthy debate. Ken joins us to talk about all things Blockchain and AppSec. We define Blockchain, discuss the connections between cloud, appsec, and blockchain, common architecture failures, pen testing, and even dive into smart contracts. We hope you enjoy this conversation with...Ken Toler.Links from the episode:Secureum Videos SECURITY: A NEED FOR TODAY’S BUSINESSES (COMPLETE GUIDE FOR BEGINNERS) Rust Programming Language Security @ Kudelski
44:59 01/18/2022
Jeroen Willemsen and Ben de Haan -- Dirty little secrets
Jeroen Willemsen is a passionate, hands-on security architect with a knack for mobile security and security automation. As a "jack of all trades," he has been involved with various OWASP projects and has developed various trainings. He has spent over 10 years as a full-stack developer and has worked as a (security) architect, security lead, and risk manager.Ben de Haan is a Freelance Security consultant and engineer. Ben's specialties are architecting and implementing cloud security and building secure CI/CD environments in Agile, DevOps, and SRE cultures. Ben believes security should be built-in and can be scaled to meet these modern ways of working. Outside of regular work, Ben enjoys hosting security trainings or workshops, and he's an AWS NL Meetup regular.Jeroen and Ben join us to speak about their OWASP project, Wrong Secrets. We discuss the problems secrets bring into applications and explore how you can use Wrong Secrets to bolster your knowledge of what not to do with secrets. We hope you enjoy this conversation with... Jereon and Ben.Explore these helpful resources mentioned during the interview:; heroku dyno hosted version;
34:43 01/11/2022
Adam Shostack -- Fast, cheap and good threat models
Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions. Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with...Adam Shostack.
31:22 12/15/2021
Loren Kohnfelder -- Designing Secure Software
Loren Kohnfelder has over 20 years of experience in the security industry. At Microsoft, he was a key contributor to STRIDE, the industry’s first formalized proactive security process methodology, and also program-managed the .NET platform security effort. At Google, he worked as a software engineer on the Security team and as a founding member of the Privacy team. Loren joins us to talk about his new book, Designing Secure Software. We start the conversation geeking out about his work to create STRIDE and digital certificates. We then discuss facets of the book, like secure software, security design review, and what he would implement if he could only do one thing to improve software security. We hope you enjoy this conversation with...Loren Kohnfelder.
33:42 12/07/2021
Ochaun Marshall -- IaC and SAST
Ochaun Marshall is an Application Security Consultant. In his roles of secure ideas, he works on on-going development projects utilizing Amazon web services and breaks other people's web applications. Ochaun joins us to talk about SAST and IaC, static application security testing and infrastructure as code. We talk about what they are, how they work, the security benefits, some of the tools that make them possible, and we finish our conversation talking about developer empathy and why Ochaun has developer empathy as a result of some of the experiences that he has as a developer and as a security person. We hope that you enjoy this episode with...Ochaun Marshall.
36:29 11/29/2021
Simon Bennetts -- Using OWASP Zap across an Enterprise
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and a Distinguished Engineer at StackHawk, a company that uses ZAP to help users fix application security bugs before they hit production. He has talked about and demonstrated ZAP at conferences all over the world. Prior to making a move into security, he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.Simon joins us for the second time to refresh our knowledge of Zap, explain how to use Zap as an automation tool in your pipeline, and what he knows about rolling Zap out across an Enterprise. We hope you enjoy this conversation with....Simon Bennetts.
40:00 11/10/2021
Timo Pagel -- DevSecOps Maturity Model
Timo Pagel has been in the IT industry for over fifteen years. After a system administrator and web developer career, he advises customers as a DevSecOps consultant and trainer. His focus is on security test automation for software and infrastructure and assessment of complex applications in the cloud. In his spare time, he teaches “Web and Application Security” at various universities. Timo joins us to talk about the OWASP DevSecOps Maturity Model or DSOMM. We explore maturity models, this specific one, how you can use it, and how to get started. We hope you enjoy this conversation with...Timo Pagel.
31:55 10/27/2021
Mazin Ahmed -- Terraform Security
Mazin Ahmed is a security engineer that specializes in AppSec and offensive security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, Linkedin, and Oracle, to name a few. Mazin is the developer of several popular open-source security tools that have been integrated into security testing frameworks and distributions. Mazin also built, the next-generation continuous attack surface security platform. He is also passionate about cloud security, where he has been running dozens of experiments in the cloud security world. Mazin joins us to introduce Infrastructure as Code and TerraForm and discuss the security benefits IaC brings to our cloud environments. We hope you enjoy this conversation with...Mazin Ahmed.
32:51 10/06/2021
James Ransome and Brook Schoenfield -- trust and verify: Building in Security at Agile Speed
Dr. James Ransome is the Chief Scientist for CyberPhos, an early-stage cybersecurity startup. He is also a member of the board of directors for the Bay Area Chief Security Officer Council and serves as an adviser to ForAllSecure and Resilient Software Security.Dr. Ransome's career includes leadership positions in the private and public sectors. He has served in three chief information security officer and four chief security officer roles before taking on Chief Product Security Officer roles over the last 11 years.  During this time, he has been building and enhancing developer-centric, self-sustaining, and scalable software security programs that are holistic, cost-effective, and operationally relevant. Brook S.E. Schoenfield is the author of Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models(CRC Press, 2015). Building In Security At Agile Speed (with James Ransome, Auerbach, 2021), focuses on software security for continuous development practices and DevOps. Brook helps clients with their software security and secure design practices. He mentors technical leaders to effectively deliver security strategy. He consults as a technical leader for True Positives, LLC and SEC Consult America’s holistic security architecture services.
54:19 09/24/2021
OWASP Top 10 2021 Peer Review
Robert and I break down the OWASP Top 10 2021 Peer Review Edition. We walk through and give you our insights and highlights of the things that stand out to us and our questions. We feel it brings value to our audience's understanding of the OWASP Top 10 2021 and what it will likely look like when it comes out. We encourage you to go and do your own peer review of the document, submit your own poll requests, provide your feedback and issues on Github because together as a community, this is how we make this document better. Enjoy!
29:40 09/17/2021
Anastasiia Voitova -- Encryption is easy, key management is hard
Anastasiia Voitova is the Head of customer solutions and a security software engineer at Cossack Labs. She works on data security and encryption tools and their integration into the real world apps.
33:45 09/14/2021
Eran Kinsbruner -- DevSecOps Continuous Testing
Eran Kinsbruner is the Chief Evangelist and Senior Director at Perforce Software. His published books include the 2016 Amazon bestseller, “The Digital Quality Handbook”, “Continuous Testing for DevOps Professionals”, and “Accelerating Software Quality – ML and AI in the Age of DevOps”. Eran is a recognized influencer on continuous testing and DevOps thought leadership, an international speaker, and blogger. Eran joins us to talk about the role of testing in a secure software pipeline. We talk about the intersection of security and quality, biggest challenges in getting started, and even a brief conversation about how SAST is used to check automotive software. We hope you enjoy this conversation with...Eran Kinsbruner.
35:43 08/20/2021
Mark Loveless -- Threat modeling in a DevSecOps environment.
Mark Loveless - aka Simple Nomad - is a security researcher and hacker. He's spoken at numerous security and hacker conferences worldwide, including Blackhat, DEF CON, ShmooCon, and RSA. He's been quoted in the press including CNN, Washington Post, and the New York Times. Mark joins us to discuss his series of blog posts on Threat Modeling at GitLab. We discuss his philosophical approach, framework choice (spoiler alert, it's a pared down version of PASTA), and success stories / best practices he's seen for threat modeling success. We hope you enjoy this conversation with...Mark Loveless.
36:19 08/13/2021
Jeroen Willemsen -- Security automation with ci/cd
Jeroen Willemsen is a Principal Security Architect at Xebia. Jeroen is more or less a jack of all trades with an interest in infrastructure security, risk management, and application security. With a love for mobile security, he enjoys sharing knowledge on various security topics. Jeroen joins us to unpack security automation in a DevOps world. We discuss categories of tools, typical quick wins, potential downsides, and how dependency management specifically plays into automation. We hope you enjoy this conversation with...Jeroen Willemsen.
32:22 08/06/2021
Thinking back, Looking forward - A Balanced Approach to Securing our Software Future
Kevin Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He leverages his knowledge to create meaningful solutions and technologies to improve software security practices. Kevin and I had a conversation to discuss software security from the past and into the future. We cover how to make security easier for developers, SBOM, software minimalism, cyber resiliency, and so much more! We hope you enjoy this conversation with...Kevin Greene.
71:53 07/15/2021