The Application Security Podcast

EXPLORE

Society & Culture

Health & Fitness

© 2024 PodJoint

Loading...

0:00 / 0:00

Sign in

or

Don't have an account?

Sign up

Forgot password

https://is1-ssl.mzstatic.com/image/thumb/Podcasts221/v4/98/5d/a6/985da6dd-3bd2-74fc-a952-0bc4da4e3e2e/mza_1882881898752461331.jpg/600x600bb.jpg

The Application Security Podcast

Chris Romeo and Robert Hurlbut

294 episodes

2 weeks ago

Francesco Cipollone, the CEO of Phoenix Security, shares his extensive experience in AI and security, discussing the crucial difference between true AI agents and glorified chatbots. Learn why Phoenix Security utilizes six different LLMs instead of a single super agent. Understand the sobering economics behind AI implementation and the importance of adopting AI responsibly. Get practical advice on integrating AI agents to enhance, not replace, human capabilities, while touching on the Agentic...

Show more...

All content for The Application Security Podcast is the property of Chris Romeo and Robert Hurlbut and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Francesco Cipollone, the CEO of Phoenix Security, shares his extensive experience in AI and security, discussing the crucial difference between true AI agents and glorified chatbots. Learn why Phoenix Security utilizes six different LLMs instead of a single super agent. Understand the sobering economics behind AI implementation and the importance of adopting AI responsibly. Get practical advice on integrating AI agents to enhance, not replace, human capabilities, while touching on the Agentic...

Show more...

Episodes (20/294)

The Application Security Podcast

Javan Rasokat and Andra Lezza -- When Chatbots Go Rogue - Lessons Learned from Building and Defending LLM Applications

Andra Lezza and Javan Rasokat discuss the complexities of securing AI and LLM applications. With years of experience in Application Security (AppSec), Andra and Javan share their journey and lessons from their DEF CON talk on building and defending LLMs. They explore critical vulnerabilities, prompt injection, hallucinations, and the importance of data security. This discussion sheds light on the evolving landscape of AI and LLM security, offering practical advice for developers and security ...

1 month ago

47 minutes

The Application Security Podcast

Jim Routh -- The CISO Transition to the rest of life

Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and admires, doing only work he finds fulfilling, and controlling when he works. He shares valuable lessons learned about which post-retirement opportunities truly bring satisfaction and explains why he avoids certain roles. Routh emphasizes the importance o...

1 month ago

49 minutes

The Application Security Podcast

Henrik Plate -- OWASP Top 10 Open Source Risks

Henrik Plate joins us to discuss the OWASP Top 10 Open Source Risks, a guide highlighting critical security and operational challenges in using open source dependencies. The list includes risks like known vulnerabilities, compromised legitimate packages, name confusion attacks, and unmaintained software, providing developers and organizations a framework to assess and mitigate potential threats. Henrik offers insights on how developers and AppSec professionals can implement the guidelines. Ou...

1 month ago

38 minutes

The Application Security Podcast

Tanya Janca -- A Secure SDLC from a Developer's Perspective

Security expert Tanya Janca discusses her new book "Alice and Bob Learn Secure Coding" and shares insights on making security accessible to developers. In this engaging conversation, she explores how security professionals can better connect with developers through threat modeling, maintaining empathy, and creating inclusive learning environments. Tanya emphasizes the importance of system maintenance after deployment and shares practical advice on input validation, while highlighting how secu...

2 months ago

48 minutes

The Application Security Podcast

Mehran Koushkebaghi -- Security as a Systemic Concern: How to develop Anti-Requirements

Mehran Koushkebaghi, a seasoned engineering expert, delves into the intricacies of systemic security. He draws parallels between civil engineering and IT systems, and explains the importance of holistic thinking in security design. Discover the difference between semantic and syntactic vulnerabilities and understand how anti-requirements play a critical role in system resilience. This episode offers fresh perspectives on application security. Books recommended by Mehran: Critical System Think...

2 months ago

45 minutes

The Application Security Podcast

Kalyani Pawar -- Shaping AppSec at Startups

Kalyani Pawar shares critical strategies for integrating security early and effectively in AppSec for startups. She recommends that startups begin focusing on AppSec around the 30-employee mark, with an ideal ratio of one AppSec professional per 10 engineers as the company grows. Pawar emphasizes the importance of building a security culture through "culture as code" - implementing automated guardrails and checkpoints that make security an integral part of the development process. She advises...

2 months ago

39 minutes

The Application Security Podcast

Milan Williams -- AppSec Metrics

Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landscape, and they're valuable for career advancement and securing resources. We discuss metrics categories and several specific metrics that are good to track. Milan shares important principles on the importance of making metrics actionable through st...

3 months ago

36 minutes

The Application Security Podcast

MO Sadek -- Building an AppSec Program from Scratch

Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by default. Mo shares his insights on how to build effective cross-team security relationships and approaches for gaining leadership buy-in. Mo'...

3 months ago

48 minutes

The Application Security Podcast

Brett Crawley -- Threat Modeling Gameplay with EoP

Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with the game but should be an ongoing process throughout an application's lifecycle, ideally starting before implementation. He also shares insights fr...

4 months ago

45 minutes

The Application Security Podcast

Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements

Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always incorrect) and "semantic security" (context-dependent security emerging from system interactions). Mavaddat shares his perspective that security i...

5 months ago

50 minutes

The Application Security Podcast

Kayra Otaner -- DevSecOps

Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question, is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on their size. Otaner introduces the concept of "security as code" and "policy as code" as more effective approaches, where security functions are codified rather than relying on traditi...

6 months ago

32 minutes

The Application Security Podcast

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guidance. Francois has over 10 years of experience in building application security programs, he’s also the founder of the NorthSec conference in Montre...

6 months ago

45 minutes

The Application Security Podcast

Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications

Steve Wilson, the author of 'The Developer's Playbook for Large Language Model Security’ is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of activity at the intersection of AppSec, LLM, and AI. We discuss the biggest fears surrounding LLMs and AI, and explore advanced concepts like Retrieval Augmented Generation and prompt injection. Links: The Developer’s Playbook for Large Language Model Sec...

7 months ago

36 minutes

The Application Security Podcast

Jeff Williams -- Application Detection & Response (ADR)

Jeff Williams, a renowned pioneer in the field of application security is with us to discuss Application Detection and Response (ADR), detailing its potential to revolutionize security in production environments. Jeff shares stories from his career, including the founding of OWASP, and his take on security assurance. We cover many topics including; security assurance, life, basketball and plenty of AppSec as well. Where to find Jeff: LinkedIn: https://www.linkedin.com/in/planetlev...

7 months ago

51 minutes

The Application Security Podcast

Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing

Philip Wiley shares his unique journey from professional wrestling to being a renowned pen tester. We define pen testing and the role of social engineering in ethical hacking. We talk tools of the trade, share a favorite web app pentest hack and offer good advice on starting a career in cybersecurity. Philip shares some insights from his book, ‘The Pentester Blueprint: Starting a Career as an Ethical Hacker.’ And we discuss the impact of AI on pen testing and where this field is headed in the...

7 months ago

52 minutes

The Application Security Podcast

Steve Springett -- Software and System Transparency

Steve Springett, an expert in secure software development and a key figure in several OWASP projects is back. Steve unpacks CycloneDX and the value proposition of various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show so we learn a bit more about Steve's hobbies, providing a personal glimpse into his life outside of technology. Links from this episode: https://c...

8 months ago

48 minutes

The Application Security Podcast

Irfaan Santoe -- The Power of Strategy in AppSec

Irfaan Santoe joins us for an in-depth discussion on the power of strategy in Application Security. We delve into measuring AppSec maturity, return on investment, and communicating technical needs to business leaders. Irfaan shares his unique journey from consulting to becoming an AppSec professional, and addresses the gaps between CISOs and AppSec knowledge. Irfaan shares valuable insights for scaling AppSec programs and aligning them with business objectives. FOLLOW OUR SOCIAL MEDIA: ...

9 months ago

40 minutes

The Application Security Podcast

Andrew Van Der Stock -- The New OWASP Top Ten

Andrew Van Der Stok, a leading web application security specialist and executive director at OWASP joins us for this episode. We discuss the latest with the OWASP Top 10 Project, the importance of data collection, and the need for developer engagement. Andrew gives us the methodology behind building the OWASP Top 10, the significance of framework security, and much more. Previous episodes with Andrew Van Der Stock Andrew van der Stock — Taking Application Security to the Masses Andrew...

9 months ago

51 minutes

The Application Security Podcast

Derek Fisher -- Hiring in Cyber/AppSec

Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience is back on the podcast. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of entry-level roles in the industry. We discuss the value of certifications, the necessity of lifelong learning, and the importance of networking. Listen along for good advice on getting noticed in cybersecurity, resume tips, and the evolving landscape of A...

9 months ago

1 hour 1 minute

The Application Security Podcast

Tanya Janca -- Secure Guardrails

Tanya Janka, also known as SheHacksPurple, discusses secure guardrails, the difference between guardrails and paved roads, and how to implement both in application security. Tanya is an award-winning public speaker and head of education at SEMGREP and the best-selling author of ‘Alice and Bob Learn Application Security’. Tanya shares her insights on creating secure software and teaching developers in this episode. Mentioned in this episode: Tanya Janca – What Secure Coding Really Means&...

9 months ago

1 hour 4 minutes

The Application Security Podcast

Francesco Cipollone, the CEO of Phoenix Security, shares his extensive experience in AI and security, discussing the crucial difference between true AI agents and glorified chatbots. Learn why Phoenix Security utilizes six different LLMs instead of a single super agent. Understand the sobering economics behind AI implementation and the importance of adopting AI responsibly. Get practical advice on integrating AI agents to enhance, not replace, human capabilities, while touching on the Agentic...