The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources.
EP 52 — Gen’s Curtis Koenig on Speaking the Language of Why Security Matters
In this episode of the Future of Application Security, Harshil speaks with Curtis Koenig, Head of Application Security at Gen, a multinational software company that provides cybersecurity software and services. They discuss why it's key to be able to articulate why security matters and how it impacts business goals, and what Curtis has learned about how different industries approach risk. They also talk about how security can help engineering be more efficient by speaking their language, various metrics that can assess your training and communication, and what the future of LLMs and security looks like.
Curtis's background in various industries and what he's learned about how culture, goals, and risk vary.
How learning about a company's culture and goals first can help you translate how security matters to them.
How to create a security strategy roadmap, how often to revisit those goals, and how to incorporate frameworks to sell across the business.
How security can help engineering be more efficient by speaking their language and translating information into actionable tasks.
What metrics to track that can help you learn more about how well your training and operations are working.
How LLMs are helping with software development today, and why they can introduce more security issues if developers aren't thinking wisely about using them.
EP 51 — Ping Identity’s Arthur Loris on How to Tell Better Stories About Your Product Security Success
In this episode of the Future of Application Security, Harshil speaks with Arthur Loris, Senior Manager, Product Security at Ping Identity, a company that provides self-hosted identity access management (IAM) solutions. They discuss what product security constitutes at Ping Identity, the biggest challenge to great product security, and how security teams need more strategic, tactical plans to achieve their goals. They also talk about better approaches to risk remediation and why it's more effective to tell the story about how your security efforts improved the organization instead of just generating tickets.
How Ping Identity defines product security.
The biggest challenge to product security, which involves building good partnerships with the engineering team.
How security teams can be better messengers of tasks that are created by the threat landscape.
A better approach to risk remediation and how to think about it at scale.
Better ways of measuring your security efforts, and why telling a story about your impact — like how much money you saved — is more effective than simply generating tickets.
How security teams can flatten the learning curve when understanding the development process.
What the future of product security will look like, and why it should include an increased focus on strategy.
EP 50 — DryRun Security’s James Wickett on Aligning Incentives and Speaking the Same Language with Developers and Security
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with James Wickett, co-founder and CEO of DryRun Security, a company that provides security products for developers. They discuss the misaligned incentives between developers and security and how teams can learn how to speak the same language to increase value. They also talk about how the SLIDE Model helps with context analysis, why you should focus less on control and more on context and composition in your security, and how organizations can close their knowledge gaps.
Some of the frictions between security and developers, including how incentives are often misaligned and how each team has a different focus.
How to talk the same language so that security and developers can build relationships that bring value to their organizations.
What the SLIDE Model is and how it can help you better understand the context of your security actions and your priorities.
How organizations can fill in their knowledge gaps and why it's key to return to first principles in a world of automation and tooling.
How security impacts an organization through control, composition, and context, and why organizations should lessen their dependence on control.
How security is like barbeque, and why Oklahoma is a great analogy for a DevSec model.
EP 49 — Semgrep’s Colleen Dai on Building Security Strategies and Relationships with Other Teams
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Colleen Dai, Senior Security Researcher at Semgrep, an open source static analysis tool. They discuss strategies security teams can take to reduce false positives, use secure defaults to eliminate bug classes, and reduce complexity in security decision-making. They also talk about ways to build the relationships between security, developers, and engineers, which includes aligning on goals, communication, and recognition.
Colleen's background and what her security research role at Semgrep entails.
How to use secure defaults to eliminate bug classes and reduce the complexity in security decisions.
How to reduce false positives by writing rules and checks, especially ones that are customized to your organization.
How to better align the goals of security and developers by focusing on creating good software — and good software is secure software.
How to build relationships with engineers through communication and recognition, not just talking through Jira tickets.
Why security and developers still struggle with cross-site scripting and how it can be fixed.
EP 48 — Chaotic Good’s Johnathan Kuskos on Testing for Functionality, Priorities, and Better Incident Response
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Johnathan Kuskos, Founder of Chaotic Good Information Security, a boutique professional services company. They discuss what it's like to be a pen tester, some of the unusual things found during testing, and how the 15 Minutes Rule helps you not waste time during your testing. They also talk about the tradeoffs of security when it comes to “good, fast, or cheap,” simple ways to determine priorities, and how to strengthen relationships between security and developers.
How security and developers can close divides through better communication and more forward thinking.
Why security can't necessarily have an approach that's good, fast, and cheap, but how they make compromises to have a bit of all three.
How to determine your security priorities, and how to perform a smoke test to see where security overlaps with other departments to identify those priorities.
Some of the stranger things found during pen testing, including a git folder on a website.
Why vulnerability and exploitability are two different things, and how to assess both.
How the 15 Minutes Rule can help you assess as much functionality as possible, and why it sometimes exposes more gaps in playbooks and incident response than intended.
EP 47 — Manicode Security’s Jim Manico on Addressing OWASP Top Ten Issues Through Better Security and Developer Partnerships
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Jim Manico, Founder and CEO of Manicode Security, a secure coding education firm. They discuss the various challenges around certain items on the OWASP Top Ten list, including server side request forgery and access control, and how security and developers can partner for better logging and alerting. They also talk about the courses Jim offers and why the biggest one in demand today is AI and security.
What are the biggest changes in the OWASP Top Ten, and the challenges that accompany two of the list’s issues: server side request forgery and access control.
What issue is Jim surprised to see on the OWASP Top Ten.
How developers and security can work more closely together to create a better approach to logging and alerting.
Why the best approach to DevOps is to have it as a service and a liaison team, not as a merger of individuals from across the organization.
Why training on AI and security is increasing in demand today.
How security professionals and developers are like professional wrestling superstars.