Today, I’m excited to be joined by Terry O’Daniel, former global head of security at Amplitude, Instacart, and Netflix, and a trusted advisor in the security space. Terry thrives in high-growth environments and loves tackling complex challenges.
With a strong background in engineering and security, he builds teams that focus on solving security problems at scale through automation and instrumentation.
Terry is also a frequent public speaker and passionate advocate for product security. And recently, he joined Harvard as the Head TA for Security Lifecycle Threats.
In this episode, we break down how SLAs enforce real accountability, why security leaders are constantly under pressure, and why ignoring identity and data structures is a recipe for failure.
We also discuss how operating under pressure can surprisingly lead to better decision-making and what the future of product security will look like.
Dive right in!
Today, I’m excited to welcome Anshuman Bhartiya, an AppSec tech lead at Lyft. Before that, he worked as a security engineer at companies like Thirty Madison, Intuit, and Atlassian.
Anshuman is also a fellow podcaster and co-host of the Boring AppSec podcast, alongside one of my previous guests, Sandesh Mysore Anand.
Recently, he’s been experimenting extensively with building AI agents for both offensive and defensive security, and he’s documenting his findings at anshumanbhartiya.com (link in the description).
In this episode, we dive into the challenges of building effective AI agents, the impact of AI on security practices, and the importance of understanding AI outputs and avoiding confirmation bias.
We also touch on the ongoing debate of build versus buy solutions and explore where the future of AI in security might be headed.
Dive right in!
Today I’m joined by Anjali Singh Shukla, Senior Security Engineer (Cloud) at Flipkart. She bridges the worlds of cloud security and DevSecOps, having led audits and defense strategies across AWS, Azure, and GCP, with a strong focus on Kubernetes and container security.
Beyond building secure pipelines, Anjali designs training programs and speaks at global conferences like Black Hat and OWASP.
Most recently at OWASP AppSec Days Singapore, she showed how attackers exploit AWS EKS misconfigurations and how to defend against them.
In this episode, we dive into why DevSecOps alone isn’t enough without a deep understanding of the cloud, and the risks that come with moving fast in modern deployments. Anjali also shares her perspective on securing multi-cloud environments and weighs in on the industry’s buzz around the convergence of CNAPP, CSPM, and ASPM.
And with that, get ready to hear Anjali’s opinions.
Today, I’m joined by Maxwell Zhou, the Founding Partner of PolarStar Cybersecurity Group, a cybersecurity firm focused on helping fintech organizations strengthen their product security. Throughout his career at Greenlight, Visa, and T-Mobile, Maxwell has specialized in penetration testing, vulnerability assessments, and secure coding practices. He’s particularly excited about building world-class security programs that scale with hyper-growth organizations.
In this episode, we discuss one of Maxwell’s articles on the traits of healthy security programs, diving into what “healthy” really means. We also explore the concept of security debt, how it can lead to increased incidents over time, and the importance of having a pentesting background when it comes to understanding which vulnerabilities truly matter.
Dive right in!
Today, I’m joined by Oumaima Baira, Director of Enterprise Security at Deloitte.
With nearly a decade of experience, she’s helped organizations strengthen their defenses — from DevSecOps and SAP application security to enterprise-wide security strategy.
She began her career in cloud engineering before moving into cyber consulting, and quickly rose through Deloitte’s leadership ranks, blending deep technical expertise with strategic vision.
Beyond her professional roles, Oumaima is an active member of the cybersecurity community. She often takes part in OWASP France chapter meetups, where we met, and international OWASP and cyber events, sharing insights and learning from peers.
She’s also a passionate advocate for women in cybersecurity, inspiring the next generation of cyber leaders to step confidently into the field.
In this episode, we explore the unique challenges and security risks of SAP systems — a business management and automation platform relied on by countless global organizations. We discuss why understanding business logic is critical to application security, and why this is especially important when it comes to securing SAP.
Oumaima also shares her perspective on global differences in security maturity and offers practical advice on preparing for crisis management with efficiency.
Dive right in!
Today, I’m joined by Max Alejandro Gómez-Sánchez Vergaray, Defensive Cybersecurity Manager at Banco de Crédito BCP. With a background in software engineering, Max transitioned into AppSec and has become a leading voice in promoting DevSecOps awareness and building robust AppSec programs using SAMM across Latin America and beyond. He actively contributes to OWASP projects like Cornucopia and regularly offers free workshops in Spanish on secure design for digital products. If you’d like to join a future session, check out the link below!
In this episode, we dive into AppSec in Latin America, with a focus on Peru’s unique cybercrime laws and their impact on security awareness. Max shares insights on the cultural challenges in cybersecurity training, the complexities of translating frameworks like Cornucopia, and what can get lost in translation. We also explore building connections in remote teams and what global developers can learn from Latin America’s approach.
Dive right in!
Today, I'm joined by Nariman Aga-Tagiyev, a seasoned cybersecurity architect and threat modeling coach, bringing over two decades of experience in the software development industry.
As the founder of SecureHabits, he’s on a mission to help software manufacturers mature their secure software development lifecycle.
Nariman is a familiar face at OWASP Netherlands Chapter events and an active contributor to projects like OWASP SAMM and the Security Champions Maturity Model. His work bridges the gap between theory and practice, empowering teams to build security into their culture, not just their code.
In this episode, we dive into a memorable "battle" Nariman had at the RSA conference, where he argued both sides of the SAMM vs. BSIMM debate—mostly with himself, after BSIMM expert Caroline Wong couldn’t attend.
We also explore why organizations often skip the foundational steps before rushing to buy security tools, why true maturity is so rare, and what the new regulatory frameworks like the Cyber Resilience Act mean for businesses in the EU.
Dive right in!
Today, I'm joined by Marisa Fagan, a lifelong community builder and security culture enthusiast. As the Head of Product at Katilyst, Marisa leads the development of security champion programs that empower Security Champions to drive cultural change.
Previously, she served as Head of Trust Culture & Training at Atlassian and has managed security programs at Synopsys, Salesforce, and Meta.
Marisa is also an active contributor to the OWASP Security Champions guide.
In this episode, we'll dive into some of the questions Marisa didn’t have time to cover in her talk at BSides San Francisco.
We'll also explore how security culture programs must be tailored to different teams to succeed, how to reboot struggling programs (often caused by disengaging training content) and why passion often outweighs technical skills for roles like these.
Dive right in!
And check out: https://www.katilyst.com/top10blunders
Today, I'm joined by Kevan Bard, Director of Product Security at Morningstar. With 20 years of experience in information security, Kevan has helped shape security practices across various organizations. He’s passionate about building blue team careers, with a focus on recruiting, mentoring, and staff development.
When not busy cultivating kaizen, emotional intelligence, secure coding practices, and data privacy principles, Kevan enjoys building community and capturing the world through his lens.
In this episode, we explore why security needs to be institutionalized to win, and how the role of Product Managers should evolve to integrate security into their processes. We’ll also discuss why storytelling is crucial in security education, and why the term ASPM is overrated, particularly because its true value isn’t being marketed effectively, especially in one-pagers that focus too heavily on bold claims.
Today, I’m joined by Sean Finley, an experienced Information and Application Security leader with deep expertise in AppSec, security operations, vulnerability management, and governance.
Sean’s AppSec career started at GEICO, one of the most recognizable names in U.S. insurance. He made the leap from business analyst to the company’s very first AppSec engineer, teaching himself everything along the way.
In this episode, we explore what inspired that transition, how to spot red flags that doom security programs before they start, and why Sean believes there are far better investments than SAST.
We also dive into his approach for working with engineering teams, especially when their initial designs could put the organization at risk, and how to turn “no” into a “secure yes.”
Dive right in!
Today I’m joined by Jyoti Raval, a security leader with a diverse background across consulting, product security at Qualys and Harness, and now serving as Director of Cyber Security Engineering at Baker Hughes.
Jyoti is a passionate pentester and international speaker. She’s also the author of Phishing Simulation and MPT: Pentest in Action and has discovered multiple CVEs.
Beyond her technical expertise, Jyoti is committed to empowering women in cyber through InfosecGirls and leads the OWASP Pune chapter.
We dive deep into the future of pentesting, exploring whether AI can truly replace human expertise or if manual assessments are still essential for understanding context. Jyoti also shares valuable insights on the mindset shift needed when transitioning into security leadership and how to navigate that challenge.
Dive right in!
Connect with Jyoti: https://www.linkedin.com/in/jyoti-raval-61565157/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
Today's episode features Luís Fontes, who, after five years working with various technologies as a full-stack developer, transitioned to the AppSec world. Luís worked as an AppSec engineer at major companies like Checkmarx and then moved to IOVLabs (RSK) and the cryptocurrency space. Nowadays, Luís works at Xapo, a crypto bank, and is an expert in both product security and blockchain security.
In today’s conversation, Luís explains why he believes we still lack clear guidance on how to build and manage effective security programs, and how he decided to create a guide to address this issue.
He also shares insights into the complexities of blockchain security and the importance of understanding business logic. Plus, we’ll discuss why he thinks SBOMs are overrated.
Dive right in!
Luís's guide: https://luisfontes19.github.io/orgsec-guide/index.html
Welcome to Season 4 of The Elephant in AppSec!
Get ready for a season packed with even spicier takes!
Today's episode features none other than James Berthoty, a security engineer turned founder and CEO of Latio.
James is always ready to share his unfiltered opinions, and I’ve had the pleasure of chatting with him for the last couple of years. Over the past few months, there have been a lot of discussions around AI security, and I invited him on the show before his new report even hit the public to discuss his thoughts on this very hot topic.
In today’s conversation, James unpacks why we’re seeing an executive push for AI solutions, and why practitioners should proceed with caution. He also shares why most people probably don’t need an AI security vendor and some stories about the pushback he received after publishing his report. Plus, we’ll talk about why we, as an industry, need to stay grounded in our approach to AI in security.
Dive right in! 
Today, I’m joined by Olga Dzięgielewska, Senior Manager of InfoSec Application Security at Philip Morris International. With over 10 years of experience in secure code reviews, a PhD in IT Security, and now leading global AppSec teams, Olga specializes in secure development practices, IT assurance, ethical hacking, API security and SAP security, driving security initiatives across multiple international locations.
In this episode, we tackle common misconceptions about application security and explore the unique challenges faced by the manufacturing sector compared to tech companies.
We also discuss how to ensure a seamless digital transformation, the role of cultural differences in communication and decision-making, and of course, the ever-present issue of supply chain security.
Dive right in!
Connect with Olga: https://www.linkedin.com/in/olusia/
This podcast is brought to you by
Escape: https://escape.tech  — Modern DAST built to test for business logic instead of missing headers
Today, I’m joined by Nathan Byrd, a Principal AppSec Architect at Applied Systems. Nathan’s journey is truly unique: before joining Applied Systems, he spent an impressive 24 years at Mastercard, where he rose from software engineer to Principal AppSec Architect. That’s the longest tenure we’ve seen from anyone on the podcast!
Nathan is passionate about building things, whether it’s his early days as an internet fan, building projects with the Raspberry Pi Pico, or more recently, creating OAShield (pronounced “away shield”). This open-source project helps generate WAF config files based on OpenAPI specs, which we dive into during today’s conversation.
In this conversation, we explore whether traditional WAFs are becoming obsolete in the age of OpenAPI specs, how to keep them accurate, and why adopting a top-down approach to API specifications is key to enhancing security.
Nathan also provides valuable advice for aspiring developers passionate about security and explains how he believes AI will play a transformative role in shaping the future of AppSec.
Dive right in!
Today I’m joined by Linda Fay, a seasoned leader in Application Security with over 13 years of experience. She’s led large-scale security programs, most recently as Director of Product Security Engineering, where she secured thousands of applications and delivered major cost savings. Now working as an independent consultant, she helps organizations improve their AppSec posture and explore the intersection of AI and security. Linda also leads the OWASP Nashville chapter and is deeply involved with WiCyS, mentoring the next generation of women in cybersecurity.
In this episode, we dive into whether it’s possible to find AppSec tools that developers actually like, regardless of their acronyms, and how the rapid rise of AI is reshaping security tooling. Linda also shares her experience justifying security budgets in the absence of compliance mandates, and how she managed to save over $600K annually by streamlining AppSec tools.
Dive right in!
Connect with Linda: https://www.linkedin.com/in/faylinda/
Today’s episode is a special one. I’m joined by Desmond Lamptey, a Software Engineering Manager at a large financial organization.
I first came across Desmond during his talk on API Security at APIDays Paris—and honestly, it was one of the best talks I’ve seen. Not only because of the insights, but also the dad jokes.
That talk made me curious: What drives a seasoned engineer like Desmond to speak about security with such passion?
And more importantly, what does he think security teams get wrong when it comes to their collaboration with teams like his?
With over a decade of technical experience and a Certified Ethical Hacker certification under his belt, Desmond regularly shares his knowledge through public speaking and brings a unique developer’s perspective to security.
In this episode, we dive into his path to becoming a security champion, the challenges of engaging developers in security conversations, why he’d change the way security teams label vulnerabilities for developers, and how gamifying security education can help close the gap between devs and security teams.
Dive right in!
Today, I’m joined by Chris Hughes, the CEO & Co-Founder of Aquia, a cybersecurity consulting firm supporting secure digital transformation for U.S. federal, state, and defense agencies. He previously served as a Cyber Innovation Fellow at CISA.
Chris is also the co-author of the books Software Transparency and Effective Vulnerability Management (Wiley), and hosts the Resilient Cyber podcast and Substack. He's also a frequent speaker and commentator on AppSec, software supply chain security, and DevSecOps.
In this episode, we unpack why compliance doesn’t equal security, but why, in its absence, the state of cybersecurity would be worse. We explore how federal cybersecurity policy shapes startup innovation, and whether the future of security will be defined more by lawyers than by security practitioners.
We also reflect on how the skillset in cybersecurity has evolved, from deep technical expertise to a growing emphasis on soft skills and communication.
Dive right in!
Connect with Chris: https://www.linkedin.com/in/resilientcyber/
Mentioned
Cybersecurity's Delusion Problem: https://www.resilientcyber.io/p/cybersecuritys-delusion-problem
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society: https://www.amazon.com/Software-Transparency-Security-Software-Driven-Society/dp/1394158483
Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem: https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207
Resilient Cyber: https://www.resilientcyber.io/
Cyber for Builders by Ross Haleliuk: https://www.cyberforbuilders.com
Today, I’m joined by Michael Novak, a seasoned Application Security Architect turned Technical Product Manager. At the time of this recording, he was still working hands-on in AppSec! Having started his career as a Java software engineer, Michael knows firsthand the challenges developers face when it comes to building secure applications.
Outside of his technical roles, Michael has created several educational games — most notably Byte Club, a strategic card game that turns complex cybersecurity concepts into fun, accessible learning experiences. He also gives back to the community by mentoring students in technology and cybersecurity through his work with NPower.
In today’s episode, we explore whether product security engineering should be treated as a form of quality engineering, and why it needs to go even further, as a true extension of the technology organization. We dig into how security training has moved beyond fear-based tactics toward more engaging, integrated approaches, and ask what kind of timeline it takes to build genuine trust in security roles.
Dive right in!
Today, I’m joined by Eitan Worcel, CEO and co-founder of Mobb, an AI security assistant that fixes vulnerabilities. With over 15 years of experience in the application security field, Eitan has worn many hats, including developer, product management leader, and now startup founder.
Eitan has also shared his expertise at events such as Black Hat, BSides Las Vegas, and OWASP chapter meetings, where he discussed the application of AI in security and the relationships between developers and security teams.
In today’s episode, we explore whether all bad code should be fixed, the role of AI in code remediation, the challenges developers face in addressing vulnerabilities, and the critical importance of maintaining software quality.
We also touch on the evolution of security tools and their impact on developers' workflows.
Dive right in!
Connect with Eitan: https://www.linkedin.com/in/worcel/
Mentioned
Mobb.ai - AI Security Assistant That Fixes Vulnerabilities
Matias Madou of Secure Code Warrior on Embedding Security in Product Design and Development: https://medium.com/authority-magazine/matias-madou-of-secure-code-warrior-on-embedding-security-in-product-design-and-development-29bd2f639469
Copilot amplifies insecure codebases: https://snyk.io/blog/copilot-amplifies-insecure-codebases-by-replicating-vulnerabilities/
The Hard Thing About Hard Things by Ben Horowitz: https://www.amazon.com/Hard-Thing-About-Things-Building/dp/0062273205