The Application Security Podcast

Technology Podcasts

Location:

United States

Description:

Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.

Language:

English


Episodes
Steve Wilson--OpenClaw and Advanced AI Agents

4/15/2026
In this episode of the Application Security Podcast, Chris Romeo and Robert Hurlbut welcome back Steve Wilson, a global leader in AI security and Chief AI and Product Officer at Exabeam, as well as founder of the OWASP Gen AI Security Project. Steve shares how his AI assistant was “hacked” using a simple phishing attack, highlighting a major shift in security—AI agents behave more like humans than traditional software. The conversation explores how this changes the threat model, why AppSec is struggling to keep up, and how organizations should approach the practical security of AI systems. They also cover the risks of autonomous agents, the expanding blast radius of failures, and what AppSec professionals can do now to adapt.

FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Duration:00:49:30

Brad Geesaman - Redefining AppSec with AI: Shrinking Toil, Expanding Impact - How LLMs are able to reduce toil in triage-heavy AppSec workflows

10/28/2025
Brad Geesaman, Principal Security Engineer at Ghost, joins the podcast today to explore how AI and large language models are transforming the world of application security. The discussion starts with the concept of "toil"—the repetitive, exhausting work that drains AppSec teams as they struggle to keep up with mountains of security findings and alerts. Brad shares his insights on how LLMs can provide meaningful leverage by handling the heavy lifting of triage, classification, and evidence gathering, while keeping humans firmly in the loop for final decisions. They also discuss the seismic shift happening in the AppSec market, with AI-native approaches potentially disrupting traditional security tooling. Listen along to hear more about the future of secure coding and how artificial intelligence might finally give security teams the helicopter view they need to fight fires effectively.

Duration:00:42:19

OWASP Candidate Debate - 2025 Edition

10/15/2025
In this special episode of the Application Security Podcast we meet nine of the OWASP Board of Directors candidates. Each candidate discusses their unique qualifications, experiences, and vision for OWASP's future. Topics include enhancing OWASP's impact, improving outreach and education, securing funding, and engaging local chapters. Don't miss this insightful debate as these candidates share their strategies to help secure a brighter future for OWASP.

Duration:01:08:09

Francesco Cipollone - Agentic AI Manifesto

9/23/2025
Francesco Cipollone, the CEO of Phoenix Security, shares his extensive experience in AI and security, discussing the crucial difference between true AI agents and glorified chatbots. Learn why Phoenix Security utilizes six different LLMs instead of a single super agent. Understand the sobering economics behind AI implementation and the importance of adopting AI responsibly. Get practical advice on integrating AI agents to enhance, not replace, human capabilities, while touching on the Agentic AI Manifesto's key principles. This conversation is perfect for anyone navigating the AI landscape both cautiously and optimistically.

Duration:00:33:19

Simon Gibbs & Devika Gibbs -- Building Bridges with Games

9/16/2025
Simon and Devika Gibbs, the innovative minds behind Cybersec Games, join us on the episode today. Discover how the Gibbs duo are revolutionizing the way we teach and learn security concepts through interactive gaming. Learn about their journey from developing stationery for agile teams to delving into the world of threat modeling games like Elevation of Privilege. We talk about the power of gamification in cybersecurity education, and get the inside scoop on their Cybersecurity Game Challenge, which invites creative minds to bring their game ideas to life.

Duration:00:36:03

Akansha Shukla - Modern AppSec: Securing APIs with Threat Modeling and DevSecOps

9/2/2025
Our guest today is Akansha Shukla, an information security professional with over 10 years of experience in application security, DevSecOps, and API security. We’re discussing why API security remains one of the least mature areas of AppSec today and exploring the challenges developers face when securing APIs. Akansha shares her insights on incorporating APIs into threat modeling exercises, the ongoing struggles with API discovery and inventory management, and the authorization challenges highlighted in the OWASP API Security Top 10. The conversation also touches on whether "shift left" is truly dead and why we still haven't solved basic security problems like input validation despite having the frameworks to address them.

Duration:00:35:35

Getting Ready for the EU CRA

8/20/2025
The European Union's Cyber Resilience Act is set to revolutionize how we approach product security worldwide. In this episode, we sit down with application security expert Nariman Aga-Tagiyev to break down everything you need to know about this legislation. Nariman has over 20 years of software development experience and today he’s sharing his expertise with us. Learn what the EU CRA is and why it matters for global software companies, key compliance requirements, and how OWASP SAMM can help you.

Duration:00:40:46

Marisa Fagan - Measuring Security Culture

8/5/2025
Marisa Fagan, Head of Product at Katilyst and veteran security culture expert, joins us today to share practical strategies for building and scaling security champions programs that actually work, from designing effective pilots to avoiding common pitfalls that can derail your initiatives. Learn how to motivate developers using the SAPS model (Status, Access, Power, Stuff), why getting management buy-in is crucial before launching, and discover the metrics that truly demonstrate security culture success. Marisa reveals why most programs fail, shares her blueprint for creating sustainable security culture initiatives, and discusses the evolution beyond security champions to include privacy and accessibility programs.

Resources Mentioned:
• Security Champion Success Guide: https://securitychampionsuccessguide.org/
• OWASP Security Champions Guide: securitychampions.owasp.org
• People-Centric Security book by Lance Hayden

Duration:00:50:05

Aram Hovsepyan -- Your Security Dashboard is Lying to You: The Science of Metrics

7/22/2025
Aram Hovsepyan joins the podcast today to chat about the misconceptions behind common security metrics. Aram tells us how total vulnerability counts and CVSS scores can be misleading, and he introduces us to the Goal Question Metric framework, a better approach to building truly effective security dashboards. Learn about the critical qualities of good metrics and how to ensure that your metrics accurately reflect your organization's security posture and readiness. Also, discover overlooked metrics that could offer deeper insights into your application security.

Duration:00:40:52

Sean Varga -- OWASP Top 10 for AppSec Sales

7/15/2025
We’re discussing the intersections of application security (AppSec) and sales strategy with our guest, Sean Varga. Sean shares the unique challenges and best practices in AppSec sales, like the importance of empathy, understanding customer needs, and community participation. Learn about the OWASP Top 10 for AppSec Sales and discover how to achieve success by aligning with customer goals, maintaining detailed living documents, and fostering strong partnerships.

Duration:00:47:13

Sarah-Jane Madden -- What AI means for AppSec

7/9/2025
Sarah-Jane Madden joins us to discuss the evolving role of AI in software development. We reflect on the changes and challenges posed by AI, including the potential for over-reliance and the misconception that traditional software engineering practices like the SDLC are obsolete. The conversation explores the nuances of AI-generated code, emphasizing the importance of maintaining foundational engineering skills and a critical understanding of the tools used. Madden shares insights from her keynote at OWASP Barcelona and stresses the need for responsible and thoughtful integration of AI in development workflows. Key takeaways include leveraging AI for efficiency while avoiding complacency and ensuring a deep, ongoing engagement with code and quality practices.

Previous episode with Sarah-Jane Madden: Threat Modeling to Established Teams

Duration:00:37:59

Dag Flachet -- Kaizen for your Appsec Program

6/17/2025
Dag Flachet joins us to discuss the concept of Kaizen and its application in improving application security. Dag shares his journey into the world of security, emphasizing the importance of iterative, small-step improvements. The conversation delves into how organizations can effectively implement maturity models to enhance their security programs, the limitations of compliance-focused frameworks like ISO 27000 and SOC 2, and the practical application of Kaizen principles. They also explore the evolution and future updates of OWASP SAMM, and the importance of empowering development teams through a bottom-up approach to security enhancement. Dag is the co-founder of Codific, a professor and board member at the Geneva Business School, and an active member of the OWASP Barcelona Chapter and the OWASP SAMM community.

Duration:00:35:54

Javan Rasokat and Andra Lezza -- When Chatbots Go Rogue - Lessons Learned from Building and Defending LLM Applications

3/18/2025
Andra Lezza and Javan Rasokat discuss the complexities of securing AI and LLM applications. With years of experience in Application Security (AppSec), Andra and Javan share their journey and lessons from their DEF CON talk on building and defending LLMs. They explore critical vulnerabilities, prompt injection, hallucinations, and the importance of data security. This discussion sheds light on the evolving landscape of AI and LLM security, offering practical advice for developers and security professionals alike.

Javan’s blog article: Adversarial Misuse of Generative AI
Javan’s recommendation: the TLDR newsletter
Andra's book recommendation: The Cuckoo’s Egg by Cliff Stoll

Duration:00:47:31

Jim Routh -- The CISO Transition to the rest of life

3/11/2025
Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and admires, doing only work he finds fulfilling, and controlling when he works. He shares valuable lessons learned about which post-retirement opportunities truly bring satisfaction and explains why he avoids certain roles. Routh emphasizes the importance of cybersecurity professionals taking ownership of their career development, recommending they focus on developing two specific skills annually rather than using tenure to guide career moves.

The article written by Jim, published on LinkedIn: CISO Transition

Check out previous episodes with Jim (Jim’s original AppSec podcast episode is our #1 most listened to of all time):
Jim Routh -- Selling #AppSec Up The Chain
Jim Routh -- Secure Software Pipelines

Duration:00:49:36

Henrik Plate -- OWASP Top 10 Open Source Risks

3/4/2025
Henrik Plate joins us to discuss the OWASP Top 10 Open Source Risks, a guide highlighting critical security and operational challenges in using open source dependencies. The list includes risks like known vulnerabilities, compromised legitimate packages, name confusion attacks, and unmaintained software, providing developers and organizations a framework to assess and mitigate potential threats. Henrik offers insights on how developers and AppSec professionals can implement the guidelines. Our discussion also includes the need for a dedicated open-source risk list, and the importance of addressing known vulnerabilities, unmaintained projects, immature software, and more.

Resource: The OWASP Top 10 Open Source Risks

Duration:00:38:26

Tanya Janca -- A Secure SDLC from a Developer's Perspective

2/26/2025
Security expert Tanya Janca discusses her new book "Alice and Bob Learn Secure Coding" and shares insights on making security accessible to developers. In this engaging conversation, she explores how security professionals can better connect with developers through threat modeling, maintaining empathy, and creating inclusive learning environments. Tanya emphasizes the importance of system maintenance after deployment and shares practical advice on input validation, while highlighting how security teams can build better relationships with development teams by avoiding arrogance and embracing collaboration.

Tanya’s new book: Alice & Bob Learn Secure Coding

Three individuals that Tanya would like to introduce to you:
Confidence Staveley: https://confidencestaveley.com/
Rana Khalil: https://www.linkedin.com/in/ranakhalil1
Laura Bell Main: https://www.laurabellmain.com/

Duration:00:48:54

Mehran Koushkebaghi -- Security as a Systemic Concern: How to develop Anti-Requirements

2/11/2025
Mehran Koushkebaghi, a seasoned engineering expert, delves into the intricacies of systemic security. He draws parallels between civil engineering and IT systems, and explains the importance of holistic thinking in security design. Discover the difference between semantic and syntactic vulnerabilities and understand how anti-requirements play a critical role in system resilience. This episode offers fresh perspectives on application security.

Books recommended by Mehran:
Critical Systems Thinking by Mike Jackson
The Fifth Discipline by Peter Senge
Understanding Complexity on Audible, read by Scott E. Page
Nassim Taleb's books

Duration:00:45:08

Kalyani Pawar -- Shaping AppSec at Startups

2/4/2025
Kalyani Pawar shares critical strategies for integrating security early and effectively in AppSec for startups. She recommends that startups begin focusing on AppSec around the 30-employee mark, with an ideal ratio of one AppSec professional per 10 engineers as the company grows. Pawar emphasizes the importance of building a security culture through "culture as code" - implementing automated guardrails and checkpoints that make security an integral part of the development process. She advises startups to prioritize visibility into their systems, conduct pentests, develop thoughtful policies, and carefully vet third-party tools and open-source solutions. Ultimately, Pawar's approach is about making security a collaborative, integrated effort that doesn't impede innovation but instead supports the startup's long-term success and safety.

Kalyani’s book recommendation: The Alignment Problem by Brian Christian

Duration:00:39:52

Milan Williams -- AppSec Metrics

1/14/2025
Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landscape, and they're valuable for career advancement and securing resources. We discuss metrics categories and several specific metrics that are good to track. Milan shares important principles on the importance of making metrics actionable through storytelling and relating security impacts to real-world consequences for users.

Milan's book recommendation: Quiet Influence: The Introvert’s Guide to Making a Difference by Jennifer Kahnweiler

Duration:00:36:16

Mo Sadek -- Building an AppSec Program from Scratch

1/8/2025
Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by default. Mo shares his insights on how to build effective cross-team security relationships and approaches for gaining leadership buy-in.

Mo's book recommendation: I Have No Mouth and I Must Scream by Harlan Ellison

Duration:00:48:50