The Application Security Podcast’s Episode List
2018-08-24T04:54:42+00:00

Episode List

12 April 2018

Dependency Check and Dependency Track (S03E13) – Application Security PodCast

Steve Springett joins the show to talk Dependency Check and Dependency Track. He also discusses how they can be used to help prevent you from using components with known vulnerabilities.

OWASP Dependency Check

OWASP Dependency Track

You can find Steve on Twitter @stevespringett

6 April 2018

The #OWASP Threat Modeling Project (S03E12) – Application Security PodCast

Steven Wierckx joins Robert and Chris this week to talk about the #OWASP Threat Modeling project that he’s involved in.

You can find Steven on Twitter @ihackforfun

5 April 2018

The #OWASP Cheat Sheet Project (S03E11) – Application Security PodCast

Jim Manico joins this week’s episode to discuss some of the changes to the OWASP Cheat Sheets and the plans for the future of that project. Jim also explains that they are looking for experts in the field to create or update some of the Cheat Sheets.

You can find Jim on Twitter @manicode

23 March 2018

OWASP Top 10 #10: Logging (S03E10) – Application Security PodCast

Neil Smithline joins this week to discuss one of the new items on the OWASP Top 10 list, Insufficient Logging and Monitoring.

OWASP Logging Cheat Sheet

OWASP Proactive Controls: Intrusion Detection

You can find Neil on Twitter @neilsmithine

16 March 2018

Selling #AppSec Up The Chain (S03E09) – Application Security PodCast

Jim Routh joins the podcast to discuss selling #AppSec up the chain. Jim has built five successful software security programs in his career and now serves as a CISO. Jim shares his real-world experience of how to successfully sell #AppSec to senior management (as well as many other pieces of wisdom for running an AppSec program).

You can find Jim on Twitter @jmrouth01

9 March 2018

#AppSec Recommendations (S03E08) – Application Security PodCast

Chris and Robert go over a plethora of recommendations they have accumulated over their years of experience in the industry.

Chris’s Recommendations
1. Book: Agile Application Security: Enabling Security in a Continuous Delivery Pipeline
by Laura Bell, Michael Brunton-Spall, Rich Smith and Jim Bird
2. Website: Iron Geek
Adrian Crenshaw records many major, non-commercial security conferences and posts the talks to YouTube.
3. Book: The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations
by Gene Kim, Patrick Debois, John Willis and Jez Humble
4. News Source: The Register
A news site, but with great sources and a bit of British humor attached to technology failures.
5. Blog: TechBeacon
6. Book: Threat Modeling: Designing for Security
by Adam Shostack
7. Book: The Tangled Web: A Guide to Securing Modern Web Applications
by Michal Zalewski
8. Book: Start with Why: How Great Leaders Inspire Everyone to Take Action
by Simon Sinek
Not a security book, but a good approach for those trying to change a security culture.

Robert’s Recommendations
1. Books by Martin Fowler
He wrote many books on understanding architecture.
2. Book: Software Security: Building Security In
by Gary McGraw
3. Book: Core Software Security: Security at the Source
by James Ransome and Anmol Misra
4. Book: Threat Modeling: Designing for Security
by Adam Shostack
5. Website: Troy Hunt
6. Conferences: #AppSec USA, B-Sides, Source, Converge
7. Website: Google Alerts
Use this to be notified about specific topics you want to learn about.
8. Book: The Checklist Manifesto: How to Get Things Right
by Atul Gawande
9. Book: Securing Systems: Applied Security Architecture and Threat Models
by Brook S. E. Schoenfield
10. Book: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
by Tony UcedaVelez and Marco M. Morana
2 March 2018

Hustle and Flow: Dealing With Burnout in Security (S03E07) – Application Security PodCast

Magen Wu works through the topic of burnout and mental health in the world of security. She gives some examples of how to handle it and how to recognize when people around you are burning out.

You can find her on Twitter @infosec_tottie

Additional information on this topic:

23 February 2018

OWASP Top 10 #4 XXE (S03E06) – Application Security PodCast

Katy Anton joins this week to discuss number four on the OWASP Top 10. She dives into what XXE is, how to deal with it, and some of the other new items on the OWASP Top 10 2017.

You can find Katy on Twitter @KatyAnton

16 February 2018

SAST, DAST, and IAST. Oh My! (S03E05) – Application Security PodCast

Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. A moving quote that Pete shared during this episode is “an #AppSec program is the byproduct of building secure developers.” #Truth

Pete describes the differences between SAST, DAST, IAST, and RASP; the struggles developers encounter when adopting new tools; the false positives that occur and how to reduce them; and advice for building an #AppSec program from scratch versus adding tools to a mature program.

You can find Pete on Twitter @PeteChestna.

Additional information on this topic:

9 February 2018

We Are Not Making It Worse (S03E04) – Application Security PodCast

Irene Michlin operates at the intersection of security and agility. She teaches about incremental threat modeling and how to do threat modeling when living in an Agile or DevOps world.

Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude “We are not making it worse.”

You can find Irene on Twitter @IreneMichlin, and check out Irene’s talk on Incremental Threat Modeling last year at AppSec EU.

2 February 2018

Insecure Deserialization (S03E03) – Application Security PodCast

Bill Sempf joins to talk insecure deserialization. We do a deep dive and contextual review of deserialization in general, and of the specifics of how it applies to .NET. Bill describes his journey to understanding these types of vulnerabilities and provides some hints and tips for how you can look for them in your own code.

26 January 2018

Security Champions (S03E02) – Application Security PodCast

Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions, where to find them, why you need them, and how to set up a beginning champion program from scratch.

Here are a few other resources that we’ve written about Security Champions:

Do you have Security Champions in your company?

Information security needs community: 6 ways to build up your teams

19 January 2018

Shifting left (S03E01) – Application Security PodCast

Welcome to season 3 of the podcast. In this episode, Robert and Chris interview Kevin Greene from Mitre. We discuss an article Kevin wrote about shifting left and explore codifying intuitions and new projects at Mitre that will bolster the knowledge of your developers and testers. Kevin brings up the lack of true results from the SAST and DAST tools on the market. He brings an interesting perspective, having focused on research and development in his time at DHS. We enjoyed the conversation, and look forward to having Kevin back again in the future!

Kevin’s article on Dark Reading

5 December 2017

OWASP for everyone (S02E21) – Application Security PodCast

This is the conclusion of Season 02 of the AppSec PodCast. In this episode, we focus on all the OWASP goodness we’ve experienced this year. You’ll hear our favorite clips and explanations from a season full of OWASP.

With the publication of this episode, season 02 is a wrap, and on to season 03 which will roll out in March. Please visit our iTunes page and give us a 5 star review!

24 October 2017

Containers Again (S02E20) – Application Security PodCast

This is the final interview from the #AppSecUSA Conference in Orlando, and Chris and Robert are joined by Brian Andrzejewski.

He talks about containers, their usage within #AppSec, and container orchestration.

Rate us on iTunes and provide a positive comment, please!

17 October 2017

ModSecurity and #AppSec (S02E19) – Application Security PodCast

On this week’s episode of the #AppSec Podcast, Robert and Chris are joined by Tin Zaw, an advocate for ModSecurity.

He dives into its background, the use of rules, and its many advantages.

Rate us on iTunes and provide a positive comment, please!

10 October 2017

The Exploitation of IoT (S02E18) – Application Security PodCast

On this week’s episode of the #AppSec Podcast, Robert and Chris are joined by Aditya Gupta.

They speak with him about the many facets of IoT and how it intersects with pen testing, training, and mobile application security.

Rate us on iTunes and provide a positive comment, please!

3 October 2017

The Future of the OWASP Proactive Controls (S02E17) – Application Security PodCast

On this episode of the Application Security Podcast, Chris and Robert talk to Jim Manico and Katy Anton about the OWASP Proactive Controls project.

This is something we have talked about before, and they are looking for feedback on the update coming soon.

Rate us on iTunes and provide a positive comment, please!

25 September 2017

The Future of the OWASP Top 10 (S02E16) – Application Security PodCast

In this episode we talk about the future of the OWASP Top 10. We do this by meeting the new project leadership team, understanding the process for how they do governance now and into the future, and how they deal with provided feedback. We get a look behind the curtain about how they make decisions and how they use the data and feedback provided.

Side note: at the AppSec USA closing, the OWASP T10 leaders announced that A7 and A10 from the OWASP Top 10 RC1 have been removed.

We hope you enjoy!

19 September 2017

Threat Modeling (S02E15) – Application Security PodCast

On this week’s episode of the #AppSec Podcast, Chris and Robert are at #AppSecUSA.

We hear a conference talk given by Robert on the topic of Threat Modeling. He goes more in depth than ever before on the show, and we hope you enjoy!

Rate us on iTunes and provide a positive comment, please!

12 September 2017

Passwords, Identity, and #AppSec (S02E14) – Application Security PodCast

On this episode, Robert and Chris talk about passwords, something we are all familiar with.

They dive into the specifics of passwords and the threats that affect them. They also talk about how passwords interact with identity and AppSec.

Rate us on iTunes and provide a positive comment, please!

5 September 2017

Hacking APIs and Web Services with DevSlop (S02E13) – Application Security PodCast

On this week’s episode, Chris and Robert are joined by Tanya and Nicole. They talk about what APIs are, how they are used, and some of the threats involved with them.
They also look at what DevSlop and ZAP are and how they are used in combination with APIs.

As always, thanks for listening, and enjoy!

29 August 2017

Agile #AppSec (S02E12) – Application Security PodCast

On this week’s episode, Robert and Chris speak with Jon McCoy and Jonathan Marcil about using Agile #AppSec in the Secure Development Lifecycle.

They dive deeper into what Agile is, how it can be used, some practical applications using security champions, and much more.

Rate us on iTunes and provide a positive comment, please!

22 August 2017

Docker Security and AppSec (S02E11) – Application Security PodCast

A listener asked for a recommendation for a podcast or blog post about Docker security. We looked, couldn’t find one, so we decided to create one. Robert interviews Jay Beale from InGuardians and asks what Docker is, what threats it introduces, and what the specific tie-ins with AppSec are. Enjoy!

17 August 2017

Proactive Controls, AppSec USA, and Gartner’s MQ on AppSec Testing (S02E10) – Application Security PodCast

Robert and I try a new format, talking about a few topics per episode. We talk about changes to the Proactive Controls, AppSecUSA, and the Gartner Magic Quadrant for Application Security Testing.

We mentioned the link to the OWASP Proactive Controls, where you can review the draft and suggest updates.