255 episodes

Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.

The Application Security Podcast Chris Romeo and Robert Hurlbut

    • Technology
    • 5.0 • 35 Ratings

    Bill Sempf -- Development, Security, and Teaching the Next Generation

    Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, leading to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's presentation on the Veilid application framework, designed for privacy-driven mobile applications. Bill also explores his efforts in educating children about technology and programming, drawing on his experiences with Kidsmash and other initiatives. Additionally, they delve into the challenges of application security, particularly modern software development practices and the utility of languages like Rust for creating secure applications. Bill concludes with intriguing thoughts on application security trends and the importance of a diverse skill set for both developers and security professionals.

    Helpful Links:

    Bill's homepage - https://www.sempf.net/
    CodeMash conference - https://codemash.org
    Veilid Application Framework - https://veilid.com/

    Math Without Numbers - https://www.amazon.com/Math-Without-Numbers-Milo-Beckman/dp/1524745545


    FOLLOW OUR SOCIAL MEDIA:
    ➜Twitter: @AppSecPodcast
    ➜LinkedIn: The Application Security Podcast
    ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
    Thanks for Listening!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    • 39 min
    Hendrik Ewerlin -- Threat Modeling of Threat Modeling

    Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words, "tame the threats to the threat modeling process."

    They explore the role of threat modeling in software development, emphasizing the dire consequences of overlooking this crucial process.
    They discuss why threat modeling serves as a cornerstone for security, and why Hendrik stresses the importance of adopting a process that is effective, efficient, and satisfying. If you care about secure software, you will want to listen in as Hendrik emphasizes why the approach to threat modeling, as well as the process itself, is so critical to success in security.

    Links:
    => Hendrik Ewerlin: https://hendrik.ewerlin.com/security/
    => Threat Modeling of Threat Modeling: https://threat-modeling.net/threat-modeling-of-threat-modeling/

    Recommended Reading:
    => Steal Like An Artist and other books by Austin Kleon https://austinkleon.com/books/

    • 33 min
    Jason Nelson -- Three Pillars of Threat Modeling Success: Consistency, Repeatability, and Efficacy

    Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. The discussion also provides a series of fascinating insights into security practices, regulatory environments, and the value of a threat modeling champion. As a threat modeling practitioner, Jason provides an essential perspective to anyone serious about application security.

    • 53 min
    Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language

    Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cybersecurity and his experience consulting about hacking for TV shows and movies. The conversation doesn't end before they peek into threat modeling, software engineering architecture, and the nuances of running security programs.

    Helpful Links:
    Security Engineering by Ross Anderson - https://www.wiley.com/en-us/Security+Engineering%3A+A+Guide+to+Building+Dependable+Distributed+Systems%2C+3rd+Edition-p-9781119642817

    New School of Information Security by Adam Shostack and Andrew Stewart - https://www.informit.com/store/new-school-of-information-security-9780132800280

    • 51 min
    Justin Collins -- Enabling the Business to Move Faster, Securely

    Justin Collins of Gusto joins Robert and Chris for a practical conversation about running security teams in an engineering-minded organization. Justin shares his experience leading product security teams, the importance of aligning security with business goals, and the challenges arising from the intersection of product security and emerging technologies like GenAI.

    They also discuss the concept of security partners and the future of AI applications in the field of cybersecurity. Before finishing, he shares insights into the role of GRC and privacy in the current security landscape. Find out why Justin believes that above all, security should align with the goals of a business, tailored to the business itself, its situation, and its resources.

    Book Recommendation:
    The DevOps Handbook by Gene Kim et al.
    https://itrevolution.com/product/the-devops-handbook-second-edition/



    • 47 min
    Kyle Kelly -- The Dumpster Fire of Software Supply Chain Security

    Kyle Kelly joins Chris to explore the wild west of software supply chain security. Kyle, author of the CramHacks newsletter, sheds light on the complicated and often misunderstood world of software supply chain security. He brings unique insights into the challenges, issues, and potential solutions in this constantly growing field. Drawing on his experience in cybersecurity and security research, he adopts a critical perspective on the state of the software supply chain, suggesting it is in a 'dumpster fire' state. We'll dissect that incendiary claim and discuss the influence of open-source policies, the role of GRC, and the importance of build reproducibility. From beginners to experts, anyone with even a mild interest in software security and its future will find this conversation enlightening.

    Links:
    CramHacks - https://www.cramhacks.com/

    Solve for Happy by Mo Gawdat - https://www.panmacmillan.com/authors/mo-gawdat/solve-for-happy/9781509809950



    • 41 min

Customer Reviews

5.0 out of 5
35 Ratings

obacker19

Empowering, insightful and actionable! 🔥

Whether you’re well established as an AppSec innovator, or just getting started as a catalyst for change - this is a must-listen podcast for you! Chris and Robert do an incredible job leading conversations that cover a huge breadth of topics related to the ins and outs of staying on the cutting edge of data security and privacy - with leaders who’ve actually experienced success themselves. Highly recommend listening and subscribing!

mjdecap

Best AppSec Podcast

Interesting subjects and interviews. These guys know their stuff. Aren’t afraid to admit when they don’t know a lot about a topic. Just like me we are all here to learn from experts in the field of AppSec. They ask the most interesting and relevant questions of their guests.

Keep up the great work!!

holysheetman

awesome and very informative!

Proud to give you a 5-star review! Well worth it!
