Secrets of AppSec Champions

Chris Lindsey

Join host Chris Lindsey as he digs into the world of Application Security with experts from leading enterprises. Each episode is theme-based, so it is more conversational and topic-driven than the usual interview format. Our focus is growing your knowledge and providing useful tips and advice. With Chris' development background of 35 years, 15+ years of secure coding and 3+ years running an application security program for a large enterprise, the conversations will be deep and provide a lot of good takeaways that you can use almost immediately.

  1. Building Security Programs That Actually Scale – with Bonnie Viteri | Secrets of AppSec Champions 🎙️

    4 days ago

    Building great security programs takes more than checklists and best practices—it takes vision, collaboration, and adaptability. In this episode, Bonnie Viteri, Principal Technical Security Engineer at Yahoo, shares how to build scalable, resilient programs that evolve, survive leadership turnover, and actually provide value to the business.

    🔔 Subscribe for more practical AppSec insights: https://www.youtube.com/channel/UCLgzXoXJ-TGO-y7Eh9quDUQ?sub_confirmation=1

    Chapters:
    00:00 – Start with the End: Vision-Driven Program Design
    01:08 – Meet Bonnie Viteri: From Behavioral Psychology to Cybersecurity
    02:10 – Foundation First: Mission, Vision, and Cross-Team Buy-In
    04:07 – Designing Security Documents with Developers, Not for Them
    06:00 – Metrics, Failure, and the Power of Feedback Loops
    08:25 – People, Process, or Tech? Defining the Program Purpose
    09:31 – Five-Year Plans and Building for Scale
    12:26 – Implementation: Ownership, Handoffs, and Real-World Use
    14:15 – Documentation That Survives Team Turnover
    16:51 – Centralizing Knowledge and Making It Discoverable
    18:30 – Program Optimization Through Onboarding and Culture
    20:48 – Keeping Programs Alive via Security Champions & Internal Comms
    22:25 – Case Study: API Security Documentation That Worked
    25:19 – Reporting Program Value in Business Language
    27:03 – Best Advice: "Your Fire Isn't My Fire"
    29:11 – Worst Advice: "You'd Be Bored as a Manager"
    29:58 – Final Thoughts: Build, Fail Fast, Pivot Smarter

    What You'll Learn:
    - How to build and scale a security program across teams
    - Why collaboration and early buy-in matter
    - Strategies for long-term documentation and program handoff
    - How to connect program value to business language and executive metrics
    - Real-world case study of API security success at scale

    📺 Watch Next:
    ▶️ Secrets of AppSec Champions Podcast: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7
    ▶️ Our Customers' Success Stories & Reviews: https://youtube.com/playlist?list=PLR-uH0PJFszHDC0p6CBEvccqx1uNx8fpT&si=SUI6d31ResR51434
    ▶️ OWASP Top 10 LLM is Dead: Here's Why: https://youtu.be/Wet1tkt1eAw?si=NTUef42qt1WzcHbn
    ▶️ Mend.io Product Overview Demo: https://youtu.be/HfZ3uK-Eg5c
    ▶️ The Truth Behind Successful Security Operations Centers (SOC): https://youtu.be/XMlrxoIJVXg

    🌐 Connect with Us:
    🔗 Website: https://www.mend.io
    🐦 Twitter: https://twitter.com/mend_io
    📘 Facebook: https://www.facebook.com/mendappsec
    💼 LinkedIn: https://www.linkedin.com/company/2440656

    📜 Disclaimer: This video is for educational purposes only. Mend.io is not responsible for any security decisions made based on this content.

    #appsecurity #cybersecurity #cybersecurityexperts

    Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development, using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world's most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io, the Mend.io blog, and Mend.io on LinkedIn and Twitter.

    31 min
  2. Risk Mitigation and Cybersecurity Strategy with Samuel Brown | Secrets of AppSec Champions Podcast 🎙️

    July 17

    As cyber threats evolve, so must the strategies to prevent them. In this episode, Samuel Brown—CEO of PacketX and retired U.S. Army CW4—shares mission-critical insights on risk mitigation, layered security, and why backups and plans on paper aren't enough. From ransomware recovery to real-world network defense, this conversation is packed with hard-earned lessons for AppSec professionals and business leaders alike.

    🔔 Subscribe for real-world insights and actionable AppSec stories: https://www.youtube.com/channel/UCLgzXoXJ-TGO-y7Eh9quDUQ?sub_confirmation=1

    Chapters:
    00:00 – What Real Risk Mitigation Requires
    00:55 – Meet Samuel Brown: CEO of PacketX & U.S. Army Veteran
    02:43 – Risk Identification, Tiering, and Business Impact
    04:28 – Ransomware Lessons: Why Tested Backups Matter
    07:01 – Data vs. Devices: Smart Prioritization Decisions
    08:13 – Ransomware Response: Steps to Contain and Recover
    09:44 – Real-World Example: Website Compromise and Layered Security
    11:14 – MFA and Role-Based Access: Core to Risk Reduction
    13:47 – CAC Cards & Military Insights on Access Control
    16:44 – Firewalls, Segmentation & Vendor Diversity
    20:42 – Patch Management: Fixing Without Rebreaking
    23:58 – Least Privilege: Why Admin Rights Are Dangerous
    26:33 – Why Small Businesses Are Easy Targets
    28:27 – Simple Risk Monitoring Tips for Any Company
    30:43 – Best & Worst Advice in Cybersecurity
    32:47 – Closing Thoughts & Call to Subscribe

    What You'll Learn:
    - How to build a real, tested risk mitigation plan
    - Why backups fail without proper testing
    - Critical layers of defense: from firewalls to user training
    - How military cybersecurity practices apply to private business
    - The one mindset that can prevent massive breaches

    #Cybersecurity #RiskMitigation #AppSec #Infosec

    32 min
  3. From Developer to Cybersecurity Without Certs – Ed Urbasius' Story | Secrets of AppSec Champions 🎙️

    July 3

    As the cybersecurity industry grows, more professionals are breaking into security from nontraditional backgrounds. In this episode, Edvinas Urbasius, a former developer turned cybersecurity consultant, shares his unfiltered story of how he got into the field without certifications—and what he learned on the job in a SOC.

    🔔 Subscribe for real-world insights and actionable AppSec stories: https://www.youtube.com/channel/UCLgzXoXJ-TGO-y7Eh9quDUQ?sub_confirmation=1

    Chapters:
    00:00 You Don't Need Certifications to Start in Cybersecurity
    00:56 Meet Edvinas: His Journey from Developer to Cybersecurity
    03:50 The Cyber Attack That Sparked His Career Shift
    07:01 Lessons Learned from Phishing Attacks and System Failures
    11:02 Inside the SOC: Learning Logs, Alerts, and Triage on the Job
    15:12 How Curiosity and Google Became His Cyber Tools
    20:52 AI, Critical Thinking & Real-World Threat Detection
    24:09 Peer Mentorship and Growing Through Collaboration
    26:49 Why Coding Experience Helps in Cybersecurity Roles
    31:49 Final Advice: Be So Good They Can't Ignore You

    What You'll Learn:
    - How to enter cybersecurity without a degree or certifications
    - What working in a SOC actually looks like
    - Why developer skills are a hidden advantage in security
    - The power of curiosity, Google, and collaboration in learning fast

    #CyberSecurityCareers #SOCAnalyst #AppSec #Infosec #DeveloperToCybersecurity #SecretsOfAppSecChampions

    31 min
  4. The Truth Behind Successful Security Operations Centers (SOC)

    February 4

    In this eye-opening episode, Reanna Schultz, an experienced Security Operations Center (SOC) team leader, pulls back the curtain on what makes a modern SOC truly effective. Drawing from her six-year journey through various cybersecurity roles, she reveals how SOCs serve as an organization's first line of defense against cyber threats.

    The discussion covers essential insights on building a SOC from scratch, the value of managed security service providers (MSSPs), and how AI is reshaping the threat landscape. Schultz emphasizes that successful SOCs aren't just about technical capabilities – they're about building transparent communication, fostering the right team culture, and maintaining strong relationships across the organization.

    Whether you're working in a smaller company considering your first SOC or an enterprise looking to enhance your security operations, this episode provides practical insights on evolving your security posture for 2025 and beyond.

    Key topics with timestamps:
    00:00 Reanna Schultz: Leading Expertise in Security Operations
    06:29 Evaluating Security Alerts and Tribal Knowledge
    07:33 Identifying Security Gaps with the Pyramid of Pain
    13:23 Splunk: Central Big Data Platform for Security Analysis
    14:48 Detecting Compromises Through Network Traffic Visibility
    20:19 Enhancing Security: Utilizing Both MSSP and SOC
    21:06 Affordable Security Solutions: Exploring the MSSP Route
    26:31 Balancing Passion with Career Advancement Challenges
    30:35 Leading Effectively by Cultivating Passion and Growth
    32:21 Integrating Passions: Enhancing Cybersecurity Collaboration

    34 min
  5. Supply Chain Security with Cassie Crossley

    January 7

    In Episode 11 of Secrets of AppSec Champions, Chris Lindsey and Cassie Crossley delve into the intricate world of supply chain security. Cassie Crossley, Vice President of Supply Chain Security at Schneider Electric, brings her extensive experience in software development and security to the fore, emphasizing the importance of following secure development practices. She advocates for the separation of build and development environments to avoid outdated methods and stresses the significance of modern frameworks like Google's SLSA framework and the NIST Secure Software Development Framework (SSDF), despite its lack of certification measures. Crossley also discusses the unique challenges of maintaining provenance for older software, especially open-source projects, and highlights the crucial role of developer education in preventing vulnerabilities introduced by unverified code snippets. Chris Lindsey raises pertinent concerns about access control complexities within production environments and underscores the need for rigorous security measures to ensure the integrity of devices and software.

    The conversation shifts to the potential threats posed by AI, with both speakers stressing the importance of embedding security into AI-generated code from the outset. They explore global supply chain security issues, referencing Cisco's audits and the effectiveness of zero-trust policies. Crossley also addresses the impact of legislative measures like California's connected devices law on both consumer and industrial devices, and how cybersecurity practices have evolved since the 80s and 90s. The episode wraps up on a personal note, with Crossley sharing her views on career growth and the importance of pursuing roles that bring personal fulfillment. She advocates for exploring opportunities within the same organization to foster both personal and professional development without losing accumulated knowledge and experience.

    This episode offers listeners a comprehensive overview of supply chain security, blending high-level frameworks with practical challenges, and provides valuable insights into both the technical and human aspects of the field.

    Key topics:
    1. Understanding Supply Chain Security and Modern Software Practices with Cassie Crossley
    2. Securing Software Development: From Google SLSA to NIST SSDF Standards
    3. Protecting Supply Chains: Challenges and Solutions in a Digital World
    4. Cassie Crossley on Cybersecurity Challenges in Modern Supply Chains
    5. The Role of AI and Secure Development in Supply Chain Integrity
    6. Ensuring Safe Software: Best Practices and Emerging Threats
    7. Access Control, Zero Trust, and Supply Chain Security Insights
    8. Cassie Crossley Discusses Securing Legacy Systems and Modern Software
    9. From AI to Software Certification: Enhancing Cybersecurity Practices
    10. Navigating the Complexities of Supply Chain Security and Software Updates

    For more amazing application security information, please visit the following LinkedIn community: https://www.linkedin.com/company/appsec-hive

    Provided by Mend.io (https://mend.io)

    36 min
  6. Bounty Programs with Michael Vance

    2024/11/26

    In this episode of "Secrets of AppSec Champions," host Chris Lindsey engages with Michael Vance, the CISO at Navient, to explore the nuances of bounty programs and their integration with traditional penetration testing. Michael discusses the journey of transitioning from a managed vulnerability disclosure program (VDP) to a full-scale bug bounty program. He highlights the importance of establishing clear policies and scopes for these programs to ensure effective and safe collaboration with external hackers. Through these structured programs, Navient was able to address resource constraints, boosting their testing capabilities threefold while reducing costs.

    The conversation also delves into the historical challenges faced by companies in managing security reports, often due to mistrust and insufficient communication channels. Michael and Chris stress the value of legal, structured avenues for ethical hacking, enabling companies to receive and act on security findings without friction. They discuss the potential risks, such as the involvement of 'black hat' hackers, and how employing established platforms like Bugcrowd or HackerOne helps mitigate these concerns by vetting participants and managing the process. This approach not only enhances security but also publicly demonstrates the company's commitment to safeguarding data.

    Towards the end, Michael shares invaluable advice for security practitioners: the critical need to fully understand the problems they are tasked with solving, which often involves grasping both technical and business aspects. This holistic understanding is crucial for devising effective security measures. The episode concludes with Chris thanking Michael for his insights, reaffirming the episode's focus on creating efficient, secure systems for managing and mitigating vulnerabilities through both internal efforts and external collaborations.

    Key topics by timestamp:
    04:40 Transitioning App Security Services: From Ethical Hacking to Testing Stream
    06:43 Boosting Application Workload Capacity through Efficient Testing Measures
    10:02 Establishing Policies and Rules for Ethical Hacking
    14:47 Evaluating the Effectiveness of Repeated Testing
    19:51 Reviving a Project and Uncovering Unexpected Flaws
    21:59 Effective Security: Understanding the Problem

    For more amazing application security information, please visit the following LinkedIn community: https://www.linkedin.com/company/appsec-hive

    Provided by Mend.io (https://mend.io)

    24 min
  7. Auditing Your Security Program

    2024/11/12

    In this episode of "Secrets of AppSec Champions," titled "Auditing Your Security Program," host Chris Lindsey converses with Roddy Bergeron, a cybersecurity fellow at SherWeb. They tackle several pressing topics in the realm of cybersecurity auditing, starting with the financial repercussions of poor data management. A friend's experience underscores the importance of sending condensed data rather than raw data to avoid increased cloud storage costs. This leads to a broader discussion about data lifecycle policies, retention, and the necessity of consulting legal teams to navigate varying regulatory requirements. They emphasize the importance of proper data integrity measures, like using tamper-proof formats and effective backup strategies such as the 3-2-1 methodology and WORM (write once, read many) media.

    The conversation then shifts towards the evolving regulatory landscape, highlighting Cybersecurity Maturity Model Certification (CMMC) and its mandate for third-party auditors to certify companies accessing government contracts. Roddy underscores the benefits of external audits in identifying blind spots and ensuring compliance, a practice likened to the financial industry's audit requirements. He shares his rich background in government auditing, nonprofit work, and managed service providers, providing a nuanced perspective on the interconnected risks in IT environments. Roddy offers insights into key cybersecurity practices, stressing how external audits can mitigate risks, identified as crucial in a complex digital landscape.

    The episode wraps up with a focus on the human element in cybersecurity. Roddy Bergeron emphasizes the need for emotional intelligence and continuous learning in incident response, pointing out that technical prowess alone is insufficient. He shares his hardest lesson: the necessity of prioritizing the human side of incident response, recognizing the profound impact of cybersecurity incidents on people's lives and careers.

    The conversation concludes with an invitation from Chris for listeners to subscribe and review the podcast, as they reflect on the importance of humility and ongoing improvement in the ever-evolving cybersecurity field.

    Key timestamps:
    00:00 Evolving Financial Regulations: A Varied Career Perspective
    04:32 Importance of Comprehensive Auditing for Business Cybersecurity
    07:43 The Impact of Interconnected Systems on Liability
    10:32 The Significance of Purposeful Data Collection for Security
    12:18 Maximizing Security Visibility without Overload
    15:26 Effective Data Management for Businesses
    19:23 The Impact of Cybersecurity Legislation and CMMC
    24:23 Improving Risk Posture through Third-Party Assessments
    28:10 The Crucial Role of Human Empathy in Incident Response
    29:10 The Importance of Employee Care During Incidents

    For more amazing application security information, please visit the following LinkedIn community: https://www.linkedin.com/company/appsec-hive

    Provided by Mend.io (https://mend.io)

    31 min
  8. Penetration Testing - Nathaniel Shere

    2024/10/29

    In Episode 07 of Secrets of AppSec Champions, PenTesting with Nat Shere, Chris Lindsey hosts seasoned penetration tester Nathaniel Shere, who currently serves as the Technical Services Director at Craft Compliance. Nathaniel shares his journey into penetration testing, starting from his master's in cybersecurity and leading to over a decade of experience in the field. The duo delves into the pressing issues within the security industry, such as the high levels of stress, the pressure to remain updated, and the often exaggerated emphasis on industry certifications. They both agree that certifications, while useful for exposure, can sometimes be blown out of proportion, potentially watering down the actual requirements.

    The discussion extends to technical aspects, highlighting the importance of error handling, visibility of dependencies, and the complexity of exploiting vulnerabilities like SQL injection. Nathaniel recounts memorable experiences, including the development of a Python script that uncovered critical security issues, and stresses the value of detecting and monitoring potential threats. The episode provides an in-depth look at the various penetration testing methodologies—white box, black box, and gray box—and the necessity of using accurate environments that mirror production settings. Both speakers emphasize the hacker's perspective in revealing security flaws and the role of secure coding practices and multi-factor authentication in strengthening security postures.

    Chris and Nathaniel also touch on the ethical implications and collaborative benefits of penetration testing. Nathaniel highlights the importance of providing prioritized information to developers and the value of pen testing in offering true risk assessments. They agree on the need for external penetration testing for unbiased evaluations and recommend internal pen testers collaborate with external experts for broader exposure.

    Altogether, this episode offers listeners a balanced view of the technical and human elements crucial to successful penetration testing.

    ❇️ Key topics with timestamps:
    00:00 Career Progression in Cybersecurity Consultancy
    05:03 Unexpected Access: Default Credentials and Security Breach
    08:52 The Value of Penetration Testing in Development
    12:19 Burp Suite: Demonstrating Data Theft Capabilities
    14:59 Developers Overlooking Security Vulnerabilities: Common Mindset Mistakes
    19:06 The Efficiency of Whitebox Testing in Application Assessment
    21:52 Penetration Testing Reports and Web-Based Security Issues: An Internship Anecdote
    26:12 The Importance of Internal and External Pen Testing
    30:18 Managing Stress in Cybersecurity Career
    32:50 The Value of Certifications in Security Learning
    34:19 Promoting Shows: A Guide to Engaging Audiences

    For more amazing application security information, please visit the following LinkedIn community: https://www.linkedin.com/company/appsec-hive

    Provided by Mend.io (https://mend.io)

    35 min
