The Boring AppSec Podcast

The Boring AppSec Podcast
  • 0.0 (0)
  • TECHNOLOGY
  • UPDATED WEEKLY
The Boring AppSec Podcast

In this podcast, we will talk about our experiences having worked at different companies - from startups to big enterprises, from tech companies to security companies, and from building side projects to building startups. We will talk about the good, the bad, and everything in between. So join us for some fun, some real, and some super hot takes about all things Security in the Boring AppSec Podcast.

  1. 6 DAYS AGO

    S2E7 - Jonathan Cran

    In Season 2 Episode 7, we talk to Jonathan Cran, Founder @ Stealth. Jonathan is a seasoned security industry veteran, discussing the evolution of AI in security, the challenges of adopting AI technologies in enterprises, and the future of attack surface management. We explore the role of AI agents, the importance of context in security solutions, and provide insights for cybersecurity entrepreneurs looking to navigate the rapidly changing landscape of technology and security. Key Takeaways - AI agents are still in early development stages. - Consistency is crucial for AI adoption in enterprises. - Automation can significantly enhance security processes. - Contextual understanding is key for effective risk scoring. - Generative AI can both solve security problems and create new ones. - The demand for automated remediation solutions is growing. - Attack surface management is evolving with new technologies. - Understanding vulnerabilities requires a comprehensive approach. - Entrepreneurs should focus on market problems, not just technology. - Investors prioritize team, timing, and traction when evaluating startups. Tune in to find out more! Contacting Jonathan * LinkedIn: https://www.linkedin.com/in/jcran/ Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    46 min

  2. 9 FEB

    S2E6 - Vibhav Sreekanti

    In Season 2 Episode 6, we talk to Vibhav Sreekanti, Co-Founder & CTO @ProphetSecurity  . We discuss the evolving landscape of AI in cybersecurity, the skepticism surrounding generative AI, and the importance of experimentation with AI agents. Vibhav shares insights on building specialized agents for security operations, the challenges of deploying AI in production, and the critical need for security in AI infrastructure. The conversation emphasizes the necessity of asking tough questions about data security and the role of AI in enhancing security operations. We discuss the evolving landscape of security operations, focusing on the role of AI agents and the challenges faced by SOAR platforms. We explore the importance of centralized authentication, the need for human oversight in AI applications, and the lessons learned from Vibhav's startup journey, emphasizing the significance of team dynamics and market readiness. Key Takeaways - Vibhav has spent his career at startups, focusing on building products and teams. - Keeping up with AI advancements requires active engagement on platforms like Twitter. - Hands-on experimentation with new tools is crucial for understanding their applicability. - Skepticism in AI is warranted due to past over-promises in the industry. - Generative AI can enhance security operations if implemented thoughtfully. - AI agents should be used selectively based on the problem at hand. - Building a suite of specialized agents can lead to more effective outcomes. - Security practices for distributed systems apply to agentic architectures as well. - Data security and handling are paramount when using third-party AI models. - Implementing gateways for AI interactions can help enforce security policies. - Centralized authentication and authorization using OPA is compelling. - SOAR platforms have not lived up to their promises, leading to alert fatigue. - AI agents can enhance investigative tasks in security operations. - Human oversight is essential in AI-driven security solutions. - The importance of team dynamics cannot be overstated in startups. - Understanding market dynamics is crucial for startup success. - Being too early in a market can be as detrimental as being wrong. - Feedback loops are vital for improving AI systems in security. - The alert is just the beginning of incident response. - The journey of AI agents in security is still in its infancy. Tune in to find out more! Contacting Vibhav * LinkedIn: https://www.linkedin.com/in/vibhavs/ * Prophet Security: https://www.prophetsecurity.ai/ Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    50 min

  3. 1 FEB

    S2E5 - Drew Dennison

    In Season 2 Episode 5, we talk to Drew Dennison, Co-Founder & CTO @ Semgrep. We discuss the evolution of Semgrep as a code security tool, its focus on custom rules, and the importance of open source in democratizing application security. Drew shares insights from his entrepreneurial journey, the challenges faced in the early days of Semgrep, and the lessons learned from working in both the defense and civilian sectors of cybersecurity. The conversation highlights the shifting paradigms in application security, emphasizing the need for comprehensive coverage and the integration of modern development practices. In this conversation, Drew discusses the evolving landscape of cybersecurity, emphasizing the importance of custom rules in data security, the convergence of various security practices, and the role of open source in driving community engagement. He also explores the integration of AI and LLMs in code security, highlighting the potential for these technologies to enhance security processes while maintaining the necessity of human oversight. The discussion culminates in insights about the future of Semgrep Assistant and the balance between automation and human expertise in security. Key Takeaways - Semgrep is a code security tool focused on custom rules. - The importance of understanding user problems in product development. - Open source tools can democratize access to security solutions. - The evolution of static analysis tools has improved user experience. - Insights from the defense sector highlight the asymmetry in cybersecurity. - Companies often overlook basic security hygiene in favor of advanced solutions. - The modern application stack requires a holistic security approach. - 100% code coverage is now achievable with modern tools. - Community contributions enhance the effectiveness of open source projects. - The architecture of software development has shifted towards microservices. User data doesn't go any deeper than this in our stack. - The convergence of static analysis, software composition analysis, and secret scanning is notable. - At the technology level, we think of it as all basically the same problem. - We always knew we wanted to have an enterprise component for it. - We recognized early that LLMs were going to be the future of security. - Generative AI can help automate rule writing and prioritization. - Contextualization in security is essential for effective rule application. - The Semgrep Assistant aims to enhance developer trust and confidence. - AI will complement human roles rather than replace them in security. - Automation in security processes is crucial, similar to aviation. Tune in to find out more! Contacting Drew * LinkedIn: https://www.linkedin.com/in/drewdennison/ * Semgrep: https://semgrep.dev/ Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    42 min

  4. 27 JAN

    S2E4 - Varun Badhwar

    In Season 2 Episode 4, we talk to Varun Badhwar, Founder & CEO @ Endor Labs. We discuss the current state of application security, the challenges faced by development teams, and the importance of integrating security into the software development lifecycle. Varun shares insights from his previous experiences in building and acquiring cybersecurity companies, emphasizing the need for effective compliance strategies and the balance between platform solutions and best-of-breed tools. In this conversation, Varun Badhwar discusses the evolving landscape of cybersecurity, emphasizing the importance of compliance, product usability, and the integration of AI technologies like LLMs in vulnerability management. He highlights the need for a user-centric approach in AppSec, the challenges of providing context to engineers, and the future implications of AI in security governance. Key Takeaways - Endor Labs aims to make AppSec more engaging and effective. - Many existing AppSec tools create friction between teams. - The future of software development will involve AI-generated code. - Understanding the software supply chain is crucial for security. - Acquisitions in cybersecurity often fail due to integration issues. - Founders must empathize with practitioner pain to build effective products. - Compliance often drives security priorities in organizations. - Effective integration of tools can enhance security outcomes. - The industry needs to focus on enabling faster business operations. - Balancing platform capabilities with best-of-breed tools is essential. - Compliance is essential for sales enablement in cybersecurity. - First-time founders should focus on product and distribution. - User experience and developer experience are critical in AppSec products. - Contextual information is vital for engineers to make informed decisions. - Automation can help reduce noise in security alerts. - Reachability analysis improves visibility in code dependencies. - Impact assessment is crucial for effective vulnerability remediation. - LLMs can assist in reasoning but need rules for effective application. - AI governance is a growing concern in the software development space. - The industry must adapt to the rapid advancements in AI technology. Tune in to find out more! Contacting Varun * LinkedIn: https://www.linkedin.com/in/vbadhwar/ * Endor Labs: https://www.endorlabs.com/ Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    47 min

  5. 20 JAN

    S2E3 - Robert Wood

    In Season 2 Episode 3, we interview Robert Wood, Founder & CEO @ SideKick Security. We discuss Rob's journey from working at Cigital to starting his own consulting firm, the challenges of point solutions in cybersecurity, and the importance of soft skills in the industry. Rob shares insights on platformization versus services, tailoring security programs to unique needs, and building a security data lake to enhance data sharing and collaboration among teams. The conversation emphasizes the need for effective communication and community engagement in cybersecurity. Key Takeaways - Sidekick Security aims to address the challenges of siloed point solutions in cybersecurity. - Rob emphasizes the importance of soft skills alongside technical skills in cybersecurity roles. - Platformization can help reduce silos, but unique security needs must be considered. - Every security program is unique and should be approached accordingly. - Building a security data lake can enhance data sharing and collaboration among teams. - Effective communication is crucial for security professionals to succeed. - Engaging with the community is essential for growth in the cybersecurity field. - Regulation and governance discussions are crucial as new technologies emerge. Tune in to find out more! Contacting Robert * LinkedIn: https://www.linkedin.com/in/holycyberbatman/ * SideKick Security: https://sidekicksecurity.io/ Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    44 min

  6. 13 JAN

    S2E2 - Dustin Lehr

    In Season 2 Episode 2, we interview Dustin Lehr, Co-Founder, Chief Product & Technology Officer at Katilyst. We discuss the significance of security champions in application security. We explore the cultural aspects of implementing security champions programs, the challenges of maintaining engagement, and the importance of leadership support. The conversation delves into measuring the success of these programs, the role of behavioral science, and the impact of effective training and gamification in enhancing security awareness within organizations. Dustin discusses the Octalysis framework, which identifies eight core human motivators that can be leveraged in gamification and cybersecurity culture. He emphasizes the importance of building relationships within organizations to change perceptions of security teams and foster a collaborative environment. Dustin also shares insights on the intersection of creativity and cybersecurity, his motivations for starting a company, and the role of AI in enhancing human interactions rather than replacing them. Key Takeaways - Security champions programs are crucial for fostering a security culture. - Engagement and leadership support are key to program success. - Measuring success can be challenging but is essential. - Behavioral science plays a significant role in security engagement. - Gamification can enhance training but must be used wisely. - Curiosity can drive initial engagement but must be sustained. - Training should be relevant and tailored to the audience. - Creating empathy between teams improves security outcomes. - Deep gamification focuses on understanding human drives. - Starting a company is about helping others, not just profit. - AI can augment human interactions but cannot replace them. - Security teams should focus on providing value and support. - Human connection is essential in cybersecurity. - The importance of community and collaboration in security efforts. Tune in to find out more! Contacting Dustin * LinkedIn: https://www.linkedin.com/in/dustinlehr/ * Security Champion Success Guide: https://securitychampionsuccessguide.org/ Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    49 min
  7. S2E1 - Jimmy Mesta

    6 JAN

    S2E1 - Jimmy Mesta

    In Season 2 Episode 1, we interview Jimmy Mesta, a seasoned expert in application security and co-founder of RAD Security. We discuss the evolution of Kubernetes, its security challenges, and the importance of understanding the complexities of cloud-native infrastructure. Jimmy shares insights from his journey of starting a company, the role of AI in security, and the nuances of investing in security startups. The conversation highlights the need for a comprehensive approach to security that encompasses both application and infrastructure aspects, as well as the importance of mentorship and community in the startup ecosystem. Key Takeaways - RAD Security aims to address real-time security for cloud-native infrastructure. - Kubernetes has evolved significantly, but security challenges remain. - Managed Kubernetes services have simplified deployment but not security. - Starting a company requires surrounding yourself with experienced mentors. - RASP solutions faced implementation challenges despite their potential. - Defining applications in a microservices architecture is complex. - AI presents both opportunities and skepticism in the security space. - Investing in startups requires trust and understanding of the founder's journey. - Efficiency in security operations is crucial for success. Tune in to find out more! Contacting Jimmy * LinkedIn: https://www.linkedin.com/in/jimmymesta/ * X: https://x.com/jimmesta Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    54 min

  8. 20/05/2024

    S1E10 - Future Security Predictions

    Welcome to the Boring AppSec Podcast! In Episode 10, we discuss some security predictions that we hope to see in the near future. Some of them are: AI agents - different kinds - activity based and/or persona based Security talent is going to get better, hiring is important AI powered security engineers - up leveling junior engineers AI code review assistants - GPT4-o et al Company consolidations happening in the security industry - D&R space ASPM predictions and how AI agents will help evolve this space CISA’s guidance on building secure by default frameworks Automated red teaming Hiring security engineers vs changes in interviewing Tune in to find out more! References mentioned in the episode: OpenAI Security Bots - https://github.com/openai/openai-security-bots Build an AI Appsec Team - https://srajangupta.substack.com/p/building-an-ai-appsec-team CISA and secure design - https://www.cisa.gov/news-events/news/cisa-announces-secure-design-commitments-leading-technology-providers Awesome secure defaults - https://github.com/tldrsec/awesome-secure-defaults Slack vs MSFT teams - https://x.com/TrungTPhan/status/1640866391485194241 The Innovator's Dilemma - https://www.amazon.com/Innovators-Dilemma-Revolutionary-Change-Business/dp/0062060244 Contacting Anshuman LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠  Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠  Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Instagram: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠⁠⁠⁠⁠⁠⁠  YouTube: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠⁠⁠⁠⁠⁠⁠    Contacting Sandesh LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠  Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠  Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

    51 min
See All (17)

About

In this podcast, we will talk about our experiences having worked at different companies - from startups to big enterprises, from tech companies to security companies, and from building side projects to building startups. We will talk about the good, the bad, and everything in between. So join us for some fun, some real, and some super hot takes about all things Security in the Boring AppSec Podcast.

Information

  • Creator
    The Boring AppSec Podcast
  • Years Active
    2024 - 2025
  • Episodes
    17
  • Rating
    Clean
  • Copyright
    © The Boring AppSec Podcast
  • Show Website
    The Boring AppSec Podcast

You Might Also Like

To listen to explicit episodes, sign in.

Stay up to date with this show

Sign-in or sign-up to follow shows, save episodes and get the latest updates.
Select a country or region

Africa, Middle East, and India

Asia Pacific

Europe

Latin America and the Caribbean

The United States and Canada