The Boring AppSec Podcast


In this podcast, we will talk about our experiences having worked at different companies - from startups to big enterprises, from tech companies to security companies, and from building side projects to building startups. We will talk about the good, the bad, and everything in between. So join us for some fun, some real, and some super hot takes about all things Security in the Boring AppSec Podcast.

Episodes

  1. 4 DAYS AGO

    S2E2 - Dustin Lehr

    In Season 2 Episode 2, we interview Dustin Lehr, Co-Founder, Chief Product & Technology Officer at Katilyst. We discuss the significance of security champions in application security. We explore the cultural aspects of implementing security champions programs, the challenges of maintaining engagement, and the importance of leadership support. The conversation delves into measuring the success of these programs, the role of behavioral science, and the impact of effective training and gamification in enhancing security awareness within organizations. Dustin discusses the Octalysis framework, which identifies eight core human motivators that can be leveraged in gamification and cybersecurity culture. He emphasizes the importance of building relationships within organizations to change perceptions of security teams and foster a collaborative environment. Dustin also shares insights on the intersection of creativity and cybersecurity, his motivations for starting a company, and the role of AI in enhancing human interactions rather than replacing them.

    Key Takeaways
    - Security champions programs are crucial for fostering a security culture.
    - Engagement and leadership support are key to program success.
    - Measuring success can be challenging but is essential.
    - Behavioral science plays a significant role in security engagement.
    - Gamification can enhance training but must be used wisely.
    - Curiosity can drive initial engagement but must be sustained.
    - Training should be relevant and tailored to the audience.
    - Creating empathy between teams improves security outcomes.
    - Deep gamification focuses on understanding human drives.
    - Starting a company is about helping others, not just profit.
    - AI can augment human interactions but cannot replace them.
    - Security teams should focus on providing value and support.
    - Human connection is essential in cybersecurity.
    - The importance of community and collaboration in security efforts.

    Tune in to find out more!

    Contacting Dustin
    * LinkedIn: https://www.linkedin.com/in/dustinlehr/
    * Security Champion Success Guide: https://securitychampionsuccessguide.org/

    Contacting Anshuman
    * LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
    * X: https://x.com/anshuman_bh
    * Website: https://anshumanbhartiya.com/
    * Instagram: https://www.instagram.com/anshuman.bhartiya

    Contacting Sandesh
    * LinkedIn: https://www.linkedin.com/in/anandsandesh/
    * X: https://x.com/JubbaOnJeans
    * Website: https://boringappsec.substack.com/

    49 min
  2. 6 JAN

    S2E1 - Jimmy Mesta

    In Season 2 Episode 1, we interview Jimmy Mesta, a seasoned expert in application security and co-founder of RAD Security. We discuss the evolution of Kubernetes, its security challenges, and the importance of understanding the complexities of cloud-native infrastructure. Jimmy shares insights from his journey of starting a company, the role of AI in security, and the nuances of investing in security startups. The conversation highlights the need for a comprehensive approach to security that encompasses both application and infrastructure aspects, as well as the importance of mentorship and community in the startup ecosystem.

    Key Takeaways
    - RAD Security aims to address real-time security for cloud-native infrastructure.
    - Kubernetes has evolved significantly, but security challenges remain.
    - Managed Kubernetes services have simplified deployment but not security.
    - Starting a company requires surrounding yourself with experienced mentors.
    - RASP solutions faced implementation challenges despite their potential.
    - Defining applications in a microservices architecture is complex.
    - AI presents both opportunities and skepticism in the security space.
    - Investing in startups requires trust and understanding of the founder's journey.
    - Efficiency in security operations is crucial for success.

    Tune in to find out more!

    Contacting Jimmy
    * LinkedIn: https://www.linkedin.com/in/jimmymesta/
    * X: https://x.com/jimmesta

    Contacting Anshuman
    * LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
    * X: https://x.com/anshuman_bh
    * Website: https://anshumanbhartiya.com/
    * Instagram: https://www.instagram.com/anshuman.bhartiya

    Contacting Sandesh
    * LinkedIn: https://www.linkedin.com/in/anandsandesh/
    * X: https://x.com/JubbaOnJeans
    * Website: https://boringappsec.substack.com/

    54 min
  3. 20/05/2024

    S1E10 - Future Security Predictions

    Welcome to the Boring AppSec Podcast! In Episode 10, we discuss some security predictions that we hope to see in the near future. Some of them are:
    - AI agents - different kinds - activity based and/or persona based
    - Security talent is going to get better; hiring is important
    - AI-powered security engineers - up-leveling junior engineers
    - AI code review assistants - GPT-4o et al.
    - Company consolidations happening in the security industry - D&R space
    - ASPM predictions and how AI agents will help evolve this space
    - CISA's guidance on building secure-by-default frameworks
    - Automated red teaming
    - Hiring security engineers vs changes in interviewing

    Tune in to find out more!

    References mentioned in the episode:
    - OpenAI Security Bots - https://github.com/openai/openai-security-bots
    - Build an AI Appsec Team - https://srajangupta.substack.com/p/building-an-ai-appsec-team
    - CISA and secure design - https://www.cisa.gov/news-events/news/cisa-announces-secure-design-commitments-leading-technology-providers
    - Awesome secure defaults - https://github.com/tldrsec/awesome-secure-defaults
    - Slack vs MSFT teams - https://x.com/TrungTPhan/status/1640866391485194241
    - The Innovator's Dilemma - https://www.amazon.com/Innovators-Dilemma-Revolutionary-Change-Business/dp/0062060244

    Contacting Anshuman
    LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
    Twitter: https://twitter.com/anshuman_bh
    Website: https://anshumanbhartiya.com/
    Instagram: https://www.instagram.com/anshuman.bhartiya/
    YouTube: https://www.youtube.com/@AnshumanBhartiya

    Contacting Sandesh
    LinkedIn: https://www.linkedin.com/in/anandsandesh/
    Twitter: https://twitter.com/JubbaOnJeans/
    Website: https://boringappsec.substack.com/

    51 min
  4. 01/04/2024

    S1E05 - Threat Modeling

    Welcome to the Boring AppSec Podcast! In Episode 5, we dig deep into what threat modeling is from a practitioner's perspective. We compare it with design reviews and discuss the when/how/why of threat modeling. In the end, we wrap up by talking about how Gen AI could help threat modeling significantly.

    References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)

    Threat modeling manifesto - Threatmodelingmanifesto.org
    STRIDE framework - https://en.wikipedia.org/wiki/STRIDE_(security)

    Tools for threat modeling
    - https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
    - https://www.iriusrisk.com/threat-modeling/freemium
    - https://owasp.org/www-project-threat-dragon/
    - https://excalidraw.com/
    - https://www.securitycompass.com/sdelements/

    Talks on threat modeling
    - https://www.youtube.com/watch?v=KGy_KCRUGd4
    - https://www.youtube.com/watch?v=wVSyqFdO-D8

    Articles
    - https://www.scaletozero.com/episodes/understanding-threat-modeling-with-jeevan-singh/

    Gen AI related threat modeling tools/companies
    - Stride GPT - https://stridegpt.streamlit.app/
    - Nullify - https://www.nullify.ai/
    - Remysec - https://www.remysec.com/
    - Seezo - https://seezo.io/

    https://www.sarahtavel.com/p/ai-startups-sell-work-not-software
    https://github.com/captn3m0/ideas

    Contacting Anshuman
    LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
    Twitter: https://twitter.com/anshuman_bh
    Website: https://anshumanbhartiya.com/
    Instagram: https://www.instagram.com/anshuman.bhartiya/
    YouTube: https://www.youtube.com/@AnshumanBhartiya

    Contacting Sandesh
    LinkedIn: https://www.linkedin.com/in/anandsandesh/
    Twitter: https://twitter.com/JubbaOnJeans/
    Website: https://boringappsec.substack.com/

    1h 2m
  5. 18/03/2024

    S1E03 - Bug Bounties

    Welcome to the Boring AppSec Podcast! In Episode 3, we discuss all things bug bounties: the researcher side as well as the program owner's side. Enter at your own will, as we have a lot of hot takes.

    References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)

    1. Bug Bounty Platforms
       - Bugcrowd - https://www.bugcrowd.com/
       - HackerOne - https://www.hackerone.com/
       - Intigriti - https://www.intigriti.com/
       - Synack - https://www.synack.com/
    2. Vulnerability Disclosure Process - https://www.cisa.gov/coordinated-vulnerability-disclosure-process
    3. Google's Project Zero vulnerability disclosure policy - https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html
    4. CVSS Calculator - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
    5. Handling A Bug Bounty Program From A Blue Team Perspective - https://www.youtube.com/watch?v=Vgy150R4bRw&t=0s
    6. Consumer Bug Bounty Panel - https://www.youtube.com/watch?v=Y8X6pV7rdbA&t=0s

    Contacting Anshuman
    LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
    Twitter: https://twitter.com/anshuman_bh
    Website: https://anshumanbhartiya.com/
    Instagram: https://www.instagram.com/anshuman.bhartiya/
    YouTube: https://www.youtube.com/@AnshumanBhartiya

    Contacting Sandesh
    LinkedIn: https://www.linkedin.com/in/anandsandesh/
    Twitter: https://twitter.com/JubbaOnJeans/
    Website: https://boringappsec.substack.com/

    1h 11m
  6. 04/03/2024

    S1E01 - Asset Inventory

    Welcome to the Boring AppSec Podcast! In Episode 1, we discuss software inventories: what they are, why we need them, and our favorite ways to build them.

    References: We will try and add information about all the references we make here. Please enter rabbit holes at will :)

    Cartography - https://github.com/lyft/cartography

    GenAI + Cartography
    - https://shinobi.security/#how-it-works
    - https://github.com/samvas-codes/cspm-gpt

    Commercial asset inventory mentioned on the show: https://www.jupiterone.com/

    Talk by Sandesh and Satyaki on automating asset inventory generation at Razorpay: https://www.youtube.com/watch?v=8q42Pw9F44k&ab_channel=HasgeekTV

    XKCD about too many standards - https://m.xkcd.com/927/

    Arvind Narayanan on Gen AI chatbots and rock-paper-scissors: https://x.com/random_walker/status/1755684956502728969?s=20

    Emily Oster on parenting - https://emilyoster.net/ . She has now moved her newsletter away from Substack. You can sign up at https://parentdata.org/

    Contacting Anshuman
    LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/
    Twitter: https://twitter.com/anshuman_bh
    Website: https://anshumanbhartiya.com/
    Instagram: https://www.instagram.com/anshuman.bhartiya/
    YouTube: https://www.youtube.com/@AnshumanBhartiya

    Contacting Sandesh
    LinkedIn: https://www.linkedin.com/in/anandsandesh/
    Twitter: https://twitter.com/JubbaOnJeans/
    Website: https://boringappsec.substack.com/

    45 min

