On this episode, Robert speaks with Apollo Clark about Malicious User Stories and DevOps. He discusses how to properly handle user stories in a world being taken over by DevOps. You can find Apollo on Twitter @apolloclark
On this episode, Robert is joined by Megan Roddie at the SOURCE Conference in Boston. She talks about how neurodiverse people can truly help an organization. You can find her on Twitter @megan_roddie
John Melton joins to discuss the #OWASP AppSensor project. He talks about how AppSensor works and how it can be used in your application. You can find John on Twitter @_jtmelton. Link: OWASP AppSensor Project
David Habusha joins on this week's episode to discuss the OWASP Top 10 A9: Using components with known vulnerabilities. He also dives into the Software Composition Analysis (SCA) market. You can find David on Twitter @davidhabusha. Link: OWASP Top 10 A9
Steve Springett joins the show to talk Dependency Check and Dependency Track. He also discusses how they can be used to help prevent you from using components with known vulnerabilities. Links: OWASP Dependency Check, OWASP Dependency Track. You can find Steve on Twitter @stevespringett
Jim Manico joins on this week's episode to discuss some of the changes with the OWASP Cheat Sheets and the plans they have for the future of that project. Jim also talks about how they are looking for experts in the field to create or update some of the Cheat Sheets. You can find Jim on Twitter @manicode
Neil Smithline joins this week to discuss one of the new items on the OWASP Top 10 List, Insufficient Logging and Monitoring. Links: OWASP Logging Cheat Sheet, OWASP ASVS, OWASP Proactive Controls: Intrusion Detection. You can find Neil on Twitter @neilsmithine
Jim Routh joins the podcast to discuss selling #AppSec up the chain. Jim has built 5 successful software security programs in his career and serves as a CISO now. Jim shares his real-world experience with how to successfully sell #AppSec to senior management (as well as many other pieces of wisdom for running an AppSec program). You can find Jim on Twitter @jmrouth01
Chris and Robert go over a plethora of recommendations they have accumulated over their years of experience in the industry. Chris's recommendations: 1. Book: Agile Application Security: Enabling Security in a Continuous Delivery Pipeline by Laura Bell, Michael Brunton-Spall, Rich Smith and Jim Bird, https://amzn.com/1491938846 2. Website: Iron Geek. Adrian Crenshaw records many major, non-commercial security conferences and posts the talks to Youtube...
Magen Wu works through the topic of burnout and mental health in the world of security. She gives some examples of how to handle this and how to recognize if people around you are burning out. You can find her on Twitter @infosec_tottie. Additional information on this topic: Jack Daniel speaks often on the topic of burnout. Youtube: The Causes of and Solutions for Security Burnout; Youtube: Infosec Survival Skills: Being Productive, Coping with Stress, & Preventing Burnout; Article: Becoming...
Katy Anton joins this week to discuss number four on the OWASP Top 10. She dives into what XXE is, how to deal with it, and some of the other new items on the OWASP Top 10 2017. You can find Katy on Twitter @KatyAnton
Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. A moving quote that Pete shared during this episode is “an #AppSec program is the byproduct of building secure developers.” #Truth. Pete describes the differences between SAST, DAST, IAST, and RASP, the struggles that developers encounter using new tools, false positives that occur and how to reduce them, and advice for building an #AppSec program from scratch versus adding tools to a mature...
With episode 4, Robert and Chris are joined by Irene Michlin, who is operating at the intersection of security and agility. They discuss incremental threat modeling and how to do threat modeling when living in an Agile or DevOps world. Irene ends our discussion by saying that her goal when working with a team on threat modeling is that they all conclude “We are not making it worse.” You can find Irene on Twitter @IreneMichlin, and check out Irene's talk on...
Bill Sempf joins to talk insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization, and the specifics of how it applies to “.NET”. Bill gets into his journey to understand these types of vulnerabilities and provides some hints and tips for how you can look for them in your code.
Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions, where to find them, why you need them, and how to set up a beginning champion program from scratch. Here are a few other resources that we've written about Security Champions: "Do you have Security Champions in your company?" and "Information security needs community: 6 ways to build up your teams".
Welcome to season 3 of the podcast. In this episode, Robert and Chris interview Kevin Greene from Mitre. We discuss an article Kevin wrote about shifting left and explore codifying intuitions and new projects at Mitre that will bolster the knowledge of your developers and testers. Kevin brings up the lack of true results from the SAST and DAST tools on the market. He brings an interesting perspective, having focused on research and development in his time at DHS. We...
This is the conclusion of Season 02 for the AppSec PodCast. In this episode, we focus in on all the OWASP goodness we’ve experienced this year. You’ll hear our favorite clips and explanations from a season full of OWASP. With the publication of this episode, season 02 is a wrap, and on to season 03 which will roll out in March. Please visit our iTunes page and give us a 5 star review!
This is the final interview from the #AppSecUSA Conference in Orlando, and Chris and Robert are joined by Brian Andrzejewski. He talks about containers, their usage within #AppSec, and about orchestrations. Rate us on iTunes and provide a positive comment, please!