253 episodes

Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.

The Application Security Podcast Chris Romeo and Robert Hurlbut

    • Technology


    Jason Nelson -- Three Pillars of Threat Modeling Success: Consistency, Repeatability, and Efficacy

    Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. The discussion also provides a series of fascinating insights into security practices, regulatory environments, and the value of a threat modeling champion. As a threat modeling practitioner, Jason provides an essential perspective to anyone serious about application security.
    FOLLOW OUR SOCIAL MEDIA:
    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
    Thanks for Listening!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    • 53 min
    Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language

    Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cybersecurity and his experience consulting about hacking for TV shows and movies. The conversation doesn't end before they peek into threat modeling, software engineering architecture, and the nuances of running security programs.

    Helpful Links:
    Security Engineering by Ross Anderson - https://www.wiley.com/en-us/Security+Engineering%3A+A+Guide+to+Building+Dependable+Distributed+Systems%2C+3rd+Edition-p-9781119642817

    New School of Information Security by Adam Shostack and Andrew Stewart - https://www.informit.com/store/new-school-of-information-security-9780132800280

    • 51 min
    Justin Collins -- Enabling the Business to Move Faster, Securely

    Justin Collins of Gusto joins Robert and Chris for a practical conversation about running security teams in an engineering-minded organization. Justin shares his experience leading product security teams, the importance of aligning security with business goals, and the challenges arising from the intersection of product security and emerging technologies like GenAI.

    They also discuss the concept of security partners and the future of AI applications in the field of cybersecurity. And he doesn’t finish before sharing insights into the role of GRC and privacy in the current security landscape. Find out why Justin believes that above all, security should align with the goals of a business, tailored to the business itself, its situation, and its resources.

    Book Recommendation:
    The DevOps Handbook by Gene Kim et al.
    https://itrevolution.com/product/the-devops-handbook-second-edition/


    • 47 min
    Kyle Kelly -- The Dumpster Fire of Software Supply Chain Security

    Kyle Kelly joins Chris to explore the wild west of software supply chain security. Kyle, author of the CramHacks newsletter, sheds light on the complicated and often misunderstood world of software supply chain security. He brings unique insights into the challenges, issues, and potential solutions in this constantly growing field. From his experiences in sectors like cybersecurity and security research, he adopts a critical perspective on the state of the software supply chain, suggesting it is in a 'dumpster fire' state. We'll dissect that incendiary claim and discuss the influence of open-source policies, the role of GRC, and the importance of build reproducibility. From beginners to experts, anyone with even a mild interest in software security and its future will find this conversation enlightening.

    Links:
    CramHacks - https://www.cramhacks.com/

    Solve for Happy by Mo Gawdat - https://www.panmacmillan.com/authors/mo-gawdat/solve-for-happy/9781509809950


    • 41 min
    Chris Hughes -- Software Transparency

    Chris Hughes, co-founder of Aquia, joins Chris and Robert on the Application Security Podcast to discuss points from his recent book Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, co-authored with Tony Turner. The conversation touches on the U.S. government in the software supply chain, the definition and benefits of software transparency, the concept of a software bill of materials (SBOM), and the growth of open-source software.

    The episode also covers crucial topics like compliance versus real security in software startups, the role of SOC 2 in setting security baselines, and the importance of threat modeling in understanding software supply chain risks. They also talk about the imbalance between software suppliers and consumers in terms of information transparency and the burden on developers and engineers to handle vulnerability lists with little context.

    As an expert in the field, Chris touches on the broader challenges facing the cybersecurity community, including the pitfalls of overemphasizing technology at the expense of building strong relationships and trust. He advocates for a more holistic approach to security, one that prioritizes people over technology.

    Links:

    Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner
    https://www.wiley.com/en-us/Software+Transparency%3A+Supply+Chain+Security+in+an+Era+of+a+Software+Driven+Society-p-9781394158492

    Application Security Program Handbook by Derek Fisher https://www.simonandschuster.com/books/Application-Security-Program-Handbook/Derek-Fisher/9781633439818

    Agile Application Security by Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird
    https://www.oreilly.com/library/view/agile-application-security/9781491938836/

    CNCF Catalog of Supply Chain Compromises
    https://github.com/cncf/tag-security/blob/main/supply-chain-security/compromises/README.md


    • 39 min
    Jay Bobo & Darylynn Ross -- App Sec Is Dead. Product Security Is the Future.

    Jay Bobo and Darylynn Ross from CoverMyMeds join Chris to explain their assertion that 'AppSec is Dead.' They discuss the differences between product and application security, emphasizing the importance of proper security practices and effective communication with senior leaders, engineers, and other stakeholders. Jay proposes that product security requires a holistic approach and cautions against the current state of penetration testing in web applications. Darylynn encourages AppSec engineers to broaden their scope beyond individual applications to product security. With enlightening insights and practical advice, this episode thoughtfully challenges AppSec professionals with new ideas about application and product security.

    Links:
    Jay recommends:
    How to Measure Anything in Cybersecurity Risk, 2nd Edition
    by Douglas W. Hubbard, Richard Seiersen
    https://www.wiley.com/en-us/How+to+Measure+Anything+in+Cybersecurity+Risk%2C+2nd+Edition-p-9781119892311

    Darylynn recommends:
    Kristin Hannah: https://kristinhannah.com/

    • 52 min