
220 episodes

The Application Security Podcast Chris Romeo and Robert Hurlbut
- Technology
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
-
Joshua Wells -- Application Security in the Age of Zero Trust
What is zero trust, and how does it impact the world of applications and application security? We dive deep into zero trust with Joshua Wells, a seasoned cybersecurity expert with over ten years of experience. Joshua explores the intricacies of zero trust, a cybersecurity model that dictates no user or machine is trusted by default and must be authenticated every time.
Listen in as Joshua discusses his journey from aspiring to be an NFL player to becoming a leading voice in cybersecurity. He shares insights on how zero trust operates in different domains, including architectural security, endpoint detection, mobile device management, and risk assessment. He also touches on its implementation across various government bodies and private organizations.
Further, Joshua sheds light on the challenges of implementing zero trust, such as the need for a mix of different security tools and the stress of smaller teams when handling this robust framework. The episode also covers important considerations for Application Security (AppSec) professionals in a zero-trust environment and the role of attribute-based access control within this model.
Don't miss this enlightening discussion on cybersecurity's current landscape and future direction. Whether you're a cybersecurity professional, a tech enthusiast, or simply keen on understanding how your data is being kept secure, this episode will surely provide invaluable insights.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -
Jeevan Singh -- The Future of Application Security Engineers
Jeevan Singh, the director of product security at Twilio, discusses the future of application security engineers. Singh highlights the importance of embedding security into all aspects of software development and the need for a strong security culture within organizations. He also explains the skills required for a senior application security engineer, such as application security, software development, and teaching skills. Singh underscores the importance of empathy and influence, emphasizing that soft skills can significantly affect adequate application security. He also discusses the impact of AI, particularly OpenAI's GPT, in supporting the work of security engineers by providing valuable insights and information. Singh concludes by urging application security engineers to broaden their skills, particularly in software development, to ensure they can effectively handle the industry's evolving demands.
Five takeaways:
- The future of application security engineering requires a blend of skills: Application Security (AppSec), software development, and teaching skills. Communicating and teaching others about security best practices is becoming as important as technical know-how.
- The role of application security engineers is evolving: They are expected to identify and fix security issues and embed security considerations into the entire software development process. They are also tasked with educating other staff on security best practices.
- Empathy and influence are crucial soft skills for application security engineers: It's essential to understand the perspectives of various stakeholders, from developers to executives, and influence them to prioritize security. This involves presenting data effectively and advocating for security measures.
- Future demand for application security engineers is anticipated. As organizations increasingly realize the importance of securing their applications, there will be a growing need for professionals in this field. This is particularly the case for startups and smaller organizations.
- Scaling application security efforts requires a team-based approach: To keep pace with growing engineering teams and increasing security demands, application security efforts must be scaled. This could involve creating "security champions" within development teams, implementing automated tools, and involving executive leadership to incentivize security improvements.
Jeevan's first appearance on the Application Security Podcast was entitled Jeevan Singh -- Threat modeling based in democracy.
Tony Turner -- Threat Modeling and SBOM
Have you ever considered using an SBOM to inform your threat modeling? Tony Turner has. Tony joins us to discuss SBOMs, threat modeling, and the importance of Cyber Informed Engineering.
Tony delves into the SBOM (Software Bill of Materials) concept, highlighting the value of SBOMs in identifying vulnerabilities, demonstrating compliance with software licenses, and informing M&A activities and incident response indicators related to cyberattacks. We also explore the integration of SBOMs into the system engineering process and security engineering.
Tony further introduces the concept of Consequence-Driven Cyber Informed Engineering, which emphasizes understanding the potential consequences of cyberattacks on critical infrastructure rather than just on individuals or individual businesses. We discuss the four-step process of consequence-driven CIE. The conversation also addresses the challenges in communicating SBOM information, the importance of demanding transparency from suppliers, and the need to place trust in trusted third-party attestations.
Follow up:
- Research tools for integrating SBOMs into threat modeling
- Explore methods of communicating SBOM information
- Investigate Cyber Informed Engineering and Consequence-Driven principles in more detail
Christian Frichot -- Threat Modeling with hcltm
Christian Frichot, an AppSec hacker, security leader, and developer of hcltm, discusses the DevOps threat modeling tool he dreamed up and built. The tech was created to fit into developers' workflows and leverage tools they are familiar with. hcltm is designed to drive valuable change and be updated and maintained easily by software engineers. It is a developer-centric software product not heavily opinionated on diagramming, allowing users to employ their preferred methods for threat modeling. The solution is still evolving, and Frichot is open to user feedback and suggestions to improve it. He encourages people to try hcltm and see if it fits their threat modeling needs, as everyone approaches the process differently.
Critical actions for you to take from this episode:
- Try out hcltm: familiarize yourself with the hcltm threat modeling tool, which uses HashiCorp Configuration Language (HCL) to help manage threat models alongside software code in a developer-friendly way.
- Integrate threat modeling into your workflow: As a developer or security professional, explore ways to incorporate threat modeling into your current processes, such as using hcltm to manage threat models in a software repo and updating the model with each change.
- Improve communication and collaboration: learn from Christian's experience and focus on building relationships and networks in the security community and improving communication and influencing skills.
Zohar Shachar -- Bug Bounty from Both Sides
Zohar Shachar joins us to discuss the bug bounty process from both sides. Zohar has spent time as a bug bounty hunter and shares wisdom on avoiding bug bounty-causing issues for your AppSec posture. We hope you enjoy this conversation with...Zohar Shachar.
Sarah-Jane Madden -- Threat Modeling to established teams
Sarah-Jane Madden is the Chief Information Security Officer of Sensing Technology Group, part of Fortive. She has over 20 years of software experience, from the most formal environments to ‘let’s fix it in production’ type teams. She has been a longtime advocate of deliberate application security as a partnership with product management and believes security does not have to be an overhead. Sarah-Jane joins us to discuss her talk at OWASP Dublin, "Far from green fields — introducing Threat Modeling to established teams." She shares lessons learned from her 3-year journey and is transparent about the mistakes she made along the way. We hope you enjoy this conversation with... Sarah-Jane Madden.