Stephen de Vries joins to discuss Threat Modeling and the unique approach that he takes by using tooling. We also discuss application security and startups.
You can find Stephen on Twitter @stephendv
Stephen is the CEO of Continuum Security. You can visit them on the web to find out more about their tool-based solution for threat modeling and requirements management.
On this episode, Julien Vehent joins to discuss all things DevOps + Security. We talk through Julien’s new book, Securing DevOps and go in depth as to the journey he went through building security into DevOps at his job.
You can find Julien on Twitter @jvehent
The folks over at Manning Publications have also given a 40% discount on ALL their products to anyone who uses the AppSec Podcast specific discount code.
Discount Code: appsecpodcast18
On this episode, Chris is joined by Sean Wright to discuss the changes Google made with how they handle the HTTP Protocol. They also dive into TLS and some other pieces of crypto that relate to #AppSec.
You can find Sean on Twitter @SeanWrightSec
The conclusion of Season 3, all the best highlights, and some great advice from our guests on what you need to build an #AppSec Program.
We’ll be back in August with more episodes and more interviews.
Chris and Robert are joined by Martin Knobloch to discuss all things OWASP. They dive into the history of OWASP and some of the plans for the future.
You can find Martin on Twitter @knoblochmartin.
Devin McMasters joins Chris on this week's episode to talk about bug bounties and how to make them successful.
You can find Devin on Twitter @DevinMcmasters
On this episode, Robert speaks with Apollo Clark about Malicious User Stories and DevOps. He discusses how to properly handle user stories in a world being taken over by DevOps.
You can find Apollo on Twitter @apolloclark
On this episode, Robert is joined by Megan Roddie at the SOURCE Conference in Boston. She talks about how neurodiverse people can truly help an organization.
You can find her on Twitter @megan_roddie
Chase Schultz joins this week to discuss the combination of AppSec and hardware. He also dives into how the Meltdown and Spectre attacks worked.
You can find Chase on Twitter @f47h3r_B0
Jim Manico joins on this week's episode to discuss some of the changes with the OWASP Cheat Sheets and the plans they have for the future of that project. Jim also talks about how they are looking for experts in the field to create or update some of the Cheat Sheets.
You can find Jim on Twitter @manicode
Jim Routh joins the podcast to discuss selling #AppSec up the chain. Jim has built 5 successful software security programs in his career and serves as a CISO now. Jim shares his real-world experience with how to successfully sell #AppSec to senior management (as well as many other pieces of wisdom for running an AppSec program).
You can find Jim on Twitter @jmrouth01
Magen Wu works through the topic of burnout and mental health in the world of security. She gives some examples of how to handle this and how to recognize if people around you are burning out.
You can find her on Twitter @infosec_tottie
Additional information on this topic:
- Jack Daniel speaks often on this topic of burnout
Katy Anton joins this week to discuss number four on the OWASP Top 10. She dives into what XXE is, how to deal with it, and some of the other new items on the OWASP Top 10 2017.
You can find Katy on Twitter @KatyAnton
Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. A moving quote that Pete shared during this episode is “an #AppSec program is the byproduct of building secure developers.” #Truth
Pete describes the differences between SAST, DAST, IAST, and RASP, the struggles that developers encounter using new tools, false positives that occur and how to reduce them, and advice for building an #AppSec program from scratch versus adding tools to a mature program.
You can find Pete on Twitter @PeteChestna.
Additional information on this topic:
- TechBeacon learning article for more details on the differences between AppSec testing tools
Irene Michlin operates at the intersection of security and agility. She teaches about incremental threat modeling and how to do threat modeling when living in an Agile or DevOps world.
Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude “We are not making it worse.”
Bill Sempf joins to talk insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization, and the specifics of how it applies to “.NET”. Bill gets into his journey to understand these types of vulnerabilities and provides some hints and tips for how you can look for them in your code.
Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions, where to find them, why you need them, and how to set up a beginning champion program from scratch.
Here are a few other resources that we’ve written about Security Champions: