Podcasts about Application security

Forbes recently reported that 81% of organizations cite AI agents as a top or high priority compared to other AI initiatives, with 51% of organizations already deploying AI agents. Building AI agents can be both rewarding and challenging, and if not built correctly, they can create major security risks. How can organization safely build agents? Tune into this podcast to get a security blueprint when building agents. Manish Kumar Yadav, Principal Security Architect, SAP Jim Rotan, VP, Head of Application Security & Automation, SAP Tatyana Sanchez, Content and Programming Coordinator, RSAC Kacy Zurkus, Director, Content, RSAC

Threat modeling is often called the foundation of secure software design—anticipating attackers, uncovering flaws, and embedding resilience before a single line of code is written. But does it really work in practice?In this episode of AppSec Contradictions, Sean Martin explores why threat modeling so often fails to deliver:It's treated as a one-time exercise, not a continuous processResearch shows teams who put risk first discover 2x more high-priority threatsYet fewer than 4 in 10 organizations use systematic threat modeling at scaleDrawing on insights from SANS, Forrester, and Gartner, Sean breaks down the gap between theory and reality—and why evolving our processes, not just our models, is the only path forward.

AI is everywhere in application security today — but instead of fixing the problem of false positives, it often makes the noise worse. In this first episode of AppSec Contradictions, Sean Martin explores why AI in application security is failing to deliver on its promises.False positives dominate AppSec programs, with analysts wasting time on irrelevant alerts, developers struggling with insecure AI-written code, and business leaders watching ROI erode. Industry experts like Forrester and Gartner warn that without strong governance, AI risks amplifying chaos instead of clarifying risk.This episode breaks down:• Why 70% of analyst time is wasted on false positives• How AI-generated code introduces new security risks• What “alert fatigue” means for developers, security teams, and business leaders• Why automating bad processes creates more noise, not less 

AI is everywhere in application security today — but instead of fixing the problem of false positives, it often makes the noise worse. In this first episode of AppSec Contradictions, Sean Martin explores why AI in application security is failing to deliver on its promises.False positives dominate AppSec programs, with analysts wasting time on irrelevant alerts, developers struggling with insecure AI-written code, and business leaders watching ROI erode. Industry experts like Forrester and Gartner warn that without strong governance, AI risks amplifying chaos instead of clarifying risk.This episode breaks down:• Why 70% of analyst time is wasted on false positives• How AI-generated code introduces new security risks• What “alert fatigue” means for developers, security teams, and business leaders• Why automating bad processes creates more noise, not less 

No episódio de hoje recebemos Leticia Pereira, especialista em CSIRT e Resposta a Incidentes, para discutir como equipes de Computer Security Incident Response Team podem se beneficiar de práticas de Application Security. Exploramos como integrar a visão de AppSec no dia a dia do CSIRT, quais informações os times de desenvolvimento podem fornecer para enriquecer a resposta a incidentes e como essa colaboração fortalece a resiliência organizacional frente a ataques.Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support.Apoio: Nova8, Snyk, Gold Security, Digitalwolk e PurpleBird Security.

Seth and Ken return with a new episode summarizing their experience at DEF CON 33 and all things Las Vegas over the past month. This includes panels, talks, workshops, happy hours, and even corporate (boo) events. This is followed by discussion of a few research items that came out of the conference, including James Kettle's HTTP1.1 Must Die talk. Finally, why AI is infecting Application Security.

Struggling to secure applications in the cloud? This session dives into Domain 4 of the CCSP exam—Cloud Application Security, showing you how to protect cloud apps throughout the Software Development Lifecycle (SDLC), from design to deployment.

Anthropic's Model Context Protocol (MCP) has become the standard for connecting AI agents to tools and data, but its security has lagged behind. In The New Stack Agents podcast, Tzvika Shneider, CEO of API security startup Pynt, discussed the growing risks MCP introduces. Shneider sees MCP as a natural evolution from traditional APIs to LLMs and now to AI agents. However, MCP adds complexity and vulnerability, especially as agents interact across multiple servers. Pynt's research found that 72% of MCP plugins expose high-risk operations, like code execution or accessing privileged APIs, often without proper approval or validation. The danger compounds when untrusted inputs from one agent influence another with elevated permissions. Unlike traditional APIs, MCP calls are made by non-deterministic agents, making it harder to enforce security guardrails. While MCP exploits remain rare for now, most companies lack mature security strategies for it. Shneider believes MCP merely highlights existing API vulnerabilities, and organizations are only beginning to address these risks. Learn more from The New Stack about the latest in Model Context Protocol: Model Context Protocol: A Primer for the Developers Building With MCP? Mind the Security Gaps MCP-UI Creators on Why AI Agents Need Rich User InterfacesJoin our community of newsletter subscribers to stay on top of the news and at the top of your game. 

Host Chris Hackett explores how organizations can effectively engage senior leadership in cybersecurity. Staffan Fredriksson, CISO at Regent AB, Magnus Sjolander, Senior Manager for Information Security, IT Risk & Privacy at Accenture, Mikael Lagstrom, Head of Application Security for the SE/DK team at DNV Cyber, and Maria Eriksson, NDA share perspectives on driving executive engagement. The discussion focuses on building resilience, aligning business priorities with security, and ensuring leadership support. This episode delivers actionable insights for organizations aiming to strengthen cybersecurity at the top level.

Just in time for AppSec sweeps week, Anshuman Bhartiya is joining Seth Law (sethlaw on social media) and Ken Johnson (cktricky) on the Absolute AppSec podcast! With over a decade in the security industry, Anshuman Bhartiya brings a wealth of knowledge to the table, in web application penetration testing and product security for major enterprises (EMC, Intuit, Atlassian, Lytx, etc). As the current Tech Lead for Application Security at Lyft and co-host of The Boring AppSec Podcast, Anshuman has a wealth of knowledge on AppSec topics. Read more about Anshuman's work in the AppSec community at his webpage here: https://www.anshumanbhartiya.com. Join us for a wide-ranging conversation about making it in information security and AppSec.

How has application security evolved over the decades? Carl and Richard talk to Michael Howard about his experiences working in security at Microsoft. Michael discusses his current role as a member of the Red Team at Microsoft, which identifies security vulnerabilities within the organization by creating scenarios that black hats might employ, such as stealing tokens or hijacking financial transactions. The conversation examines how security continues to evolve, with improved tools, new attack surfaces, and increasingly serious attacks. It's an arms race, but one the good guys can win!

How has application security evolved over the decades? Carl and Richard talk to Michael Howard about his experiences working in security at Microsoft. Michael discusses his current role as a member of the Red Team at Microsoft, which identifies security vulnerabilities within the organization by creating scenarios that black hats might employ, such as stealing tokens or hijacking financial transactions. The conversation examines how security continues to evolve, with improved tools, new attack surfaces, and increasingly serious attacks. It's an arms race, but one the good guys can win!

At Black Hat USA 2025, Rupesh Chokshi, Senior Vice President and General Manager at Akamai Technologies, connected with ITSPmagazine's Sean Martin to discuss the dual realities shaping enterprise AI adoption—tremendous opportunity and significant risk.AI is driving a seismic transformation in business operations, with executive teams rapidly deploying proof-of-concept projects to capture competitive advantage. Yet, as Chokshi notes, many of these initiatives race ahead without fully integrating security teams into the process. While budgets for AI are expanding, funding for AI-specific security measures often lags behind, leaving organizations exposed.One of the most pressing concerns is the rise of AI bots—Akamai observes 150 billion such bots traversing networks daily. These bots scrape valuable digital content, train models on it, and, in some cases, replace direct customer interactions with summarized answers. The result? Lost marketing leads, disrupted sales funnels, and even manipulated product recommendations—all without traditional “breach” indicators.This is not just a security problem; it's a business continuity challenge. Organizations must develop strategies to block or manage scraping, including commercial agreements for content usage. Beyond this, the proliferation of conversational AI agents—whether for booking tickets, providing mortgage information, or recommending products—introduces new attack surfaces. Threat actors exploit prompt injections, jailbreaks, and code execution vulnerabilities to compromise these interfaces, risking both customer trust and brand reputation.Akamai's response includes capabilities such as Firewall for AI, providing in-line visibility and control over AI-driven sessions, and bot mitigation technologies that protect high-value content. By offering real-time threat intelligence tailored to customer environments, Akamai helps enterprises maintain agility without sacrificing protection.Chokshi's call to action is clear: every company is now an AI company, and security must be embedded from the outset. Boards should view security not as a budget line item, but as the foundation for innovation velocity, brand integrity, and long-term competitiveness.Learn more about Akamai: https://itspm.ag/akamailbwcNote: This story contains promotional content. Learn more.Guests:Rupesh Chokshi, SVP & General Manager, Application Security, Akamai | https://www.linkedin.com/in/rupeshchokshi/Hosts:Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.comMarco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com______________________ResourcesLearn more and catch more stories from Akamai: https://www.itspmagazine.com/directory/akamaiLearn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programsNewsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-upAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before. Resources https://docs.openrewrite.org https://github.com/openrewrite Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here! Resources https://nvidia.custhelp.com/app/answers/detail/a_id/5687 https://github.com/triton-inference-server/server https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/ https://blog.trailofbits.com/2025/07/28/we-built-the-security-layer-mcp-always-needed/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-342

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before. Resources https://docs.openrewrite.org https://github.com/openrewrite Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here! Resources https://nvidia.custhelp.com/app/answers/detail/a_id/5687 https://github.com/triton-inference-server/server https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/ https://blog.trailofbits.com/2025/07/28/we-built-the-security-layer-mcp-always-needed/ Show Notes: https://securityweekly.com/asw-342

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before. Resources https://docs.openrewrite.org https://github.com/openrewrite Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here! Resources https://nvidia.custhelp.com/app/answers/detail/a_id/5687 https://github.com/triton-inference-server/server https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/ https://blog.trailofbits.com/2025/07/28/we-built-the-security-layer-mcp-always-needed/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-342

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before. Resources https://docs.openrewrite.org https://github.com/openrewrite Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here! Resources https://nvidia.custhelp.com/app/answers/detail/a_id/5687 https://github.com/triton-inference-server/server https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/ https://blog.trailofbits.com/2025/07/28/we-built-the-security-layer-mcp-always-needed/ Show Notes: https://securityweekly.com/asw-342

Ahead of Black Hat USA 2025, Sean Martin and Marco Ciappelli sit down once again with Rupesh Chokshi, Senior Vice President and General Manager of the Application Security Group at Akamai, for a forward-looking conversation on the state of AI security. From new threat trends to enterprise missteps, Rupesh lays out three focal points for this year's security conversation: protecting generative AI at runtime, addressing the surge in AI scraper bots, and defending the APIs that serve as the foundation for AI systems.Rupesh shares that Akamai is now detecting over 150 billion AI scraping attempts—a staggering signal of the scale and sophistication of machine-to-machine activity. These scraper bots are not only siphoning off data but also undermining digital business models by bypassing monetization channels, especially in publishing, media, and content-driven sectors.While AI introduces productivity gains and operational efficiency, it also introduces new and uncharted risks. Agentic AI, where autonomous systems operate on behalf of users or other systems, is pushing cybersecurity teams to rethink their strategies. Traditional firewalls aren't enough—because these threats don't behave like yesterday's attacks. Prompt injection, toxic output, and AI-generated hallucinations are some of the issues now surfacing in enterprise environments, with over 70% of organizations already experiencing AI-related incidents.This brings the focus to the runtime. Akamai's newly launched Firewall for AI is purpose-built to detect and mitigate risks in generative AI and LLM applications—without disrupting performance. Designed to flag issues like toxic output, remote code execution, or compliance violations, it operates with real-time visibility across inputs and outputs. It's not just about defense—it's about building trust as AI moves deeper into decision-making and workflow automation.CISOs, says Rupesh, need to shift from high-level discussions to deep, tactical understanding of where and how their organizations are deploying AI. This means not only securing AI but also working hand-in-hand with the business to establish governance, drive discovery, and embed security into the fabric of innovation.Learn more about Akamai: https://itspm.ag/akamailbwcNote: This story contains promotional content. Learn more.Guests:Rupesh Chokshi, SVP & General Manager, Application Security, Akamai | https://www.linkedin.com/in/rupeshchokshi/Hosts:Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.comMarco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com______________________ResourcesLearn more and catch more stories from Akamai: https://www.itspmagazine.com/directory/akamaiLearn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programsNewsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-upAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story

When new technology is introduced, people may not take advantage of the advanced capabilities. The transition to a Zero Trust methodology is causing federal leaders to abandon traditional methods of compliance.  Keith Busby from CMS sums up the problem nicely.  Some of the systems he supports serves the needs of 150 million Americans.  If they don't leverage the capabilities of the cloud, then they will never be able to move to a much more secure Zero Trust Architecture. Shane Barney from USCIS provides even more shocking numbers.  He casually mentions on his log information today is as high as 20TB!  In order to finance this transformation, Sanjay Koyani from the Department of Labor suggests that agencies take advantage of the Technology Modernization Fund. In fact, they got 15 million from the TMF to enable their digital transformation. Today's discussion provides ways to overcome the challenges of massive data sets by leveraging innovation in cloud management tools.

Innovation comes in many areas, and compliance professionals need to not only be ready for it but also embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox visits Subho Halder, the CEO & Co-Founder of Appknox, to discuss the often-overlooked yet crucial topic of mobile application security in the corporate compliance world. Halder shares his extensive background in mobile app security, including developing the first mobile malware and presenting at prestigious conferences like Black Hat and DEF CON. The conversation covers the evolving market need for specialized mobile app security tools, the unique challenges faced by mobile applications compared to web applications, and the critical importance of integrating security early in the development lifecycle—a concept known as the ‘left shift' approach. Halder also explores AI-powered cyberattacks and how Appknox is utilizing AI to develop defensive strategies. The discussion highlights regulatory blind spots in the US regarding mobile security, the challenges of managing mobile app security in large multinational corporations, and best practices for ensuring robust mobile app security. Key highlights: Market Need and Opportunity for AppKnox Appknox Security Assessment of Perplexity's Android App Regulatory Blind Spots in US Cybersecurity Frameworks Engaging with Large Multinational Companies AI-Powered Cyber Attacks and Defensive Strategies Importance of the Left Shift Approach in Mobile App Security Resources: Subho Halder on LinkedIn Appknox Appknox Resources Page Appknox Blog: Is Perplexity AI Safe to Use? Security Flaws in the Android App Tom Fox Instagram Facebook YouTube Twitter LinkedIn

In this episode, we explore the crucial role of cultivating a strong security culture to drive change in AppSec, where training and collaboration are key. Our distinguished guest, Danielle Ruderman, discusses the importance of executive support in ensuring that application development isn't just about churning out apps on time, but also about adopting a secure-by-design approach. We also dive into how to empower developers, foster psychological safety, and make security everyone's responsibility. Tune in for actionable insights on transforming your security culture within your applications team and beyond. Segment Resources: • AWS Security Blog How the unique culture of security at AWS makes a difference: https://aws.amazon.com/blogs/security/how-the-unique-culture-of-security-at-aws-makes-a-difference/ • AWS Security Blog How AWS built the Security Guardians program, a mechanism to distribute security ownership: https://aws.amazon.com/blogs/security/how-aws-built-the-security-guardians-program-a-mechanism-to-distribute-security-ownership/ • AWS Security Blog How to build a Security Guardians program to distribute security ownership (part 2): https://aws.amazon.com/blogs/security/how-to-build-your-own-security-guardians-program/ • Application Security in the AWS Well Architected Framework: https://aws.amazon.com/blogs/security/how-to-build-your-own-security-guardians-program/ • AWS Security Blog How to approach threat modeling: https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/ • GitHub: Threat Composer is a simple threat modeling tool to help humans to reduce time-to-value when threat modeling: https://github.com/awslabs/threat-composer • Workshop: Threat Modeling the right way for builders: https://catalog.workshops.aws/threatmodel/en-US Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-213

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Starr Brown, Director of Open Source Projects and Programs at OWASP, unpacks the real engine behind the organization's impact: the projects and the people driving them forward.With over 130 active projects, OWASP continues to expand its open source contributions to improve software security across the board. While the OWASP Top 10 remains its most recognized initiative, Starr points out that it's just one among many. Other significant projects include the Application Security Verification Standard (ASVS), the Software Assurance Maturity Model (SAMM), and the increasingly popular security games like Cornucopia, which use gamification to bring security concepts into business conversations and development workflows.AI is playing an increasingly prominent role in OWASP's work. Starr highlights the GenAI Security Project as a focal point, encompassing tools and guidance for LLM use, agentic AI, red teaming, and more. The scale of community engagement is equally impressive: around 33,000 people are active on Slack, and hundreds contribute to individual initiatives, reflecting the organization's truly global and grassroots structure.Beyond tools and documentation, OWASP is influencing regulation and policy through initiatives like the AI Exchange and the Transparency Exchange. These projects connect with government entities and standards bodies such as the European Commission and CEN/CENELEC to help shape responsible governance frameworks around software, AI, and cybersecurity.Listeners also get a glimpse into what's ahead. From upcoming events in Washington, D.C., to the OWASP Community Room at DEF CON in Las Vegas, the goal is to keep fostering connections and hands-on engagement. These gatherings not only showcase flagship tools and frameworks but create space for open dialogue, prototyping, and collaboration—whether you're breaking things or building them.To get involved, Starr encourages exploring the OWASP Projects page and joining their Slack community. The conversation makes it clear: OWASP is not just a collection of tools—it's a living, breathing network of contributors shaping the future of secure software.GUEST: Starr Brown | Director of Open Source Projects and Programs at OWASP | https://www.linkedin.com/in/starr-brown-8837547/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Josh Grossman, co-leader of the OWASP Application Security Verification Standard (ASVS) project, shares key updates and strategic thinking behind the release of ASVS version 5. This release, years in the making, reflects a renewed focus on making the standard more approachable, practical, and actionable for development teams and security leaders alike.ASVS is designed to provide a comprehensive and verifiable set of security requirements for building and maintaining secure applications. More than just a checklist, it offers a clear blueprint for what a secure application should look like—making it easier to benchmark progress, develop secure design requirements, and implement effective controls. Version 5 emphasizes accessibility, particularly by lowering the barrier to entry for organizations adopting Level 1 of the standard, reducing the threshold of required controls from nearly 50% to under 30%.One of the major shifts in this new version is the tighter focus on the application itself, moving away from system-level topics like backup policies that tend to fall outside the scope of app development teams. This makes the standard more relevant to software architects, developers, and QA engineers—providing requirements that fall within their sphere of influence, while still covering the full software lifecycle from design to deployment.Grossman explains how organizations can customize ASVS to include their internal controls and build out secure coding checklists, implementation guides, and requirements documents tailored to their environments. He also highlights how ASVS aligns with other OWASP projects, like the Cheat Sheet Series and SAMM, for both control-level guidance and organizational process development.For security leaders looking to improve their application security programs, ASVS v5 offers a foundation to build on—clear, community-driven, and extensible. And true to OWASP's spirit, the project is backed by a passionate community, from project co-leads like Grossman and Elar Lang to contributors around the world. As Grossman puts it, OWASP is about connection—people tackling similar challenges, working together to make software safer.If you're looking for a way to bring practical, standards-based security into your software lifecycle, this conversation is your starting point.GUEST: Josh Grossman | CTO of Bounce Security and co-leader of the OWASP Application Security Verification Standard (ASVS) project | https://www.linkedin.com/in/joshcgrossman/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESOWASP Application Security Verification Standard (ASVS): https://owasp.org/www-project-application-security-verification-standard/Learn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

A joint operation takes down Lumma infrastructure. The FTC finalizes a security settlement with GoDaddy. The Telemessage breach compromised far more U.S. officials than initially known. Twin hackers allegedly breach a major federal software provider from the inside. U.S. telecom providers fail to notify the Senate when law enforcement agencies request data from Senate-issued devices.DragonForce makes its mark on the ransomware front. A data leak threatens survivors of domestic abuse in the UK. Lexmark discloses a critical vulnerability affecting over 120 printer models. Our guest is David Holmes, CTO for Application Security at Imperva, with insights into the role of AI in bot attacks. Scammers ship stolen cash in Squishmallows. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today's guest is David Holmes, CTO for Application Security at Imperva, a Thales company, who is sharing some insights into the role of AI in bot attacks. Selected Reading Lumma infostealer's infrastructure seized during US, EU, Microsoft operation (the Record) FTC finalizes order requiring GoDaddy to secure hosting services (Bleeping Computer) Exclusive: Hacker who breached communications app used by Trump aide stole data from across US government (Reuters) By Default, Signal Doesn't Recall (Signal) Hack of Contractor Was at Root of Massive Federal Data Breach (Bloomberg) Phone companies failed to warn senators about surveillance, Wyden says - Live Updates (POLITICO) DragonForce targets rivals in a play for dominance (Sophos News) ‘Deep concern' for domestic abuse survivors as cybercriminals expected to publish confidential refuge addresses (The Record) Lexmark reporting remote code execution flaw affecting over 120 Printer Models (Beyond Machines) DOJ charges 12 more in $263 million crypto fraud takedown where money was hidden in squishmallow stuffed animals (Bitdefender) Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

George Chen heads the Cloud and Application Security functions at Dyson. In this episode, he joins host Melissa O'Leary and Alina Tan, senior program manager at Dyson, to discuss recent findings regarding dashcam security risks, which Chen and Tan recently shared at Black Hat Asia, as well as sharing a breakdown of the vulnerabilities and their impact on drivers. • For more on cybersecurity, visit us at https://cybersecurityventures.com

At RSAC Conference 2025, Rupesh Chokshi, Senior Vice President and General Manager of the Application Security Group at Akamai, joined ITSPmagazine to share critical insights into the dual role AI is playing in cybersecurity today—and what Akamai is doing about it.Chokshi lays out the landscape with clarity: while AI is unlocking powerful new capabilities for defenders, it's also accelerating innovation for attackers. From bot mitigation and behavioral DDoS to adaptive security engines, Akamai has used machine learning for over a decade to enhance protection, but the scale and complexity of threats have entered a new era.The API and Web Application Threat SurgeReferencing Akamai's latest State of the Internet report, Chokshi cites a 33% year-over-year rise in web application and API attacks—topping 311 billion threats. More than 150 billion of these were API-related. The reason is simple: APIs are the backbone of modern applications, yet many organizations lack visibility into how many they have or where they're exposed. Shadow and zombie APIs are quietly expanding attack surfaces without sufficient monitoring or defense.Chokshi shares that in early customer discovery sessions, organizations often uncover tens of thousands of APIs they weren't actively tracking—making them easy targets for business logic abuse, credential theft, and data exfiltration.Introducing Akamai's Firewall for AIAkamai is addressing another critical gap with the launch of its new Firewall for AI. Designed for both internal and customer-facing generative AI applications, this solution focuses on securing runtime environments. It detects and blocks issues like prompt injection, PII leakage, and toxic language using scalable, automated analysis at the edge—reducing friction for deployment while enhancing visibility and governance.In early testing, Akamai found that 6% of traffic to a single LLM-based customer chatbot involved suspicious activity. That volume—within just 100,000 requests—highlights the urgency of runtime protections for AI workloads.Enabling Security LeadershipChokshi emphasizes that modern security teams must engage collaboratively with business and data teams. As AI adoption outpaces security budgets, CISOs are looking for trusted, easy-to-deploy solutions that enable—not hinder—innovation. Akamai's goal: deliver scalable protections with minimal disruption, while helping security leaders shoulder the growing burden of AI risk.Learn more about Akamai: https://itspm.ag/akamailbwcNote: This story contains promotional content. Learn more.Guest: Rupesh Chokshi, SVP & General Manager, Application Security, Akamai | https://www.linkedin.com/in/rupeshchokshi/ResourcesLearn more and catch more stories from Akamai: https://www.itspmagazine.com/directory/akamaiLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25______________________Keywords:sean martin, rupesh chokshi, akamai, rsac, ai, security, cisos, api, firewall, llm, brand story, brand marketing, marketing podcast, brand story podcast______________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More 

Episode Summary: Application Paranoia S6EP1In the Season 6 premiere of Application Paranoia, hosts Colin Bell, Rob Cuddy, and Kris Duer kick off a new theme: debunking the top 10 myths about application security—one myth per episode.They warm up with some lighthearted commentary on new workplace trends like “coffee badging” and the rise of “corp core” attire before diving into a fascinating conversation with Kinny Chan, Chief Commercial Officer at Trust Stamp.Kinny shares his unique career journey from law to the cutting edge of digital identity and privacy, explaining how electronic discovery evolved from paper documents to complex digital evidence, and the challenges of handling sensitive data in litigation.The discussion then pivots to the core topic of digital identity in an age where emails, chats, and advanced AI can fake voices and images. Kinny highlights the critical role of biometrics—like facial, palm, and gait recognition—while unpacking the challenges of ensuring liveness and authenticity.The conversation tackles the limitations of current authentication methods (passwords, devices, biometrics), the risks of centralized identity systems, and the promise of decentralized solutions for greater privacy and control. Kinny also introduces Trust Stamp's innovative approach of using biometric tokens and data shards to enhance both security and user privacy.For listeners seeking practical advice, the episode covers essential tips for protecting your digital identity: monitoring your credit report to combat synthetic identity fraud, using unique email addresses, and educating children and grandparents about the dangers of deepfakes and the importance of verification.The episode concludes with Kinny's emphasis on using a combination of something you know, something you have, and something you are for strong authentication—and the urgent need to keep evolving digital identity protections as technology rapidly advances.Key Takeaways:Digital identity is increasingly complex due to new technologies and AI.Biometrics offer promise but also introduce new challenges.Decentralized identity solutions may offer better privacy and control.Practical tips: monitor credit reports, use unique emails, and educate about deepfakes and verification.

"For the first time in over a decade, bots now outnumber humans on the internet — and a growing percentage are built to defraud, disrupt, and deceive." — Tim Chang, Global VP & GM, Application Security, Thales In a sobering conversation with Technology Reseller News, Tim Chang of Thales shared key insights from the 2025 Imperva Bad Bot Report, a deep dive into the increasingly dangerous world of automated internet traffic. According to the report, 51% of all web traffic in 2024 was generated by bots, marking the first time bot traffic has surpassed human traffic. Even more concerning, 37% of all traffic is now classified as “bad bot” activity — a significant increase from 32% the previous year. Thales, a global leader in digital identity and cybersecurity with over 80,000 employees worldwide, acquired Imperva two years ago. Together, the teams behind the Imperva Threat Research division are shining a light on the surge in bot-driven attacks — from simple web scrapers to polymorphic, AI-enhanced bad bots capable of account takeovers and API abuse. Telecom Under Attack Among the most targeted sectors? Telecom and ISPs, which now account for more than half of bad bot traffic. Chang explained that this is unsurprising given the critical infrastructure telecom supports and the high volume of customer data flowing through these systems. Key takeaways from the report include: 51% of all internet traffic is now automated. 37% of global traffic comes from bad bots — a 7-point rise in one year. 40% increase in account takeover (ATO) attacks, often using stolen or brute-forced credentials. Telecom ranks as the second-most targeted vertical, just behind financial services. 55% of all telecom traffic is now made up of bad bots. Chang emphasized that these bots are increasingly using AI to evade detection, shifting IP addresses, mimicking human behavior, and attacking not just websites but APIs — which lack visual interfaces and are harder to monitor. 10 Recommendations to Reduce Risk To help organizations defend against this growing threat, Thales provides a set of 10 actionable recommendations, ranging from understanding your attack surface and deploying bot management tools, to tightening MFA usage and adopting a multi-layered defense strategy. Chang also offered a strategic reminder: don't play all your cards at once — adversaries are evolving just as quickly, and a staggered, adaptive defense is critical. Access the full 2025 Imperva Bad Bot Report: Download the Report from Thales/Imperva

All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Eric Gold, chief evangelist, BackSlash. In this episode: Start with the culture Moving AppSec to a higher level A strategy for security Maturing the basics Thanks to our sponsor, Backslash Security Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters “triggerable” vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration.  

At this year's RSAC Conference, the team from ThreatLocker isn't just bringing tech—they're bringing a challenge. Rob Allen, Chief Product Officer at ThreatLocker, joins Sean Martin and Marco Ciappelli for a lively pre-conference episode that previews what attendees can expect at booth #854 in the South Expo Hall.From rubber ducky hacks to reframing how we think about Zero Trust, the conversation highlights the ways ThreatLocker moves beyond the industry's typical focus on reactive detection. Allen shares how most cybersecurity approaches still default to allowing access unless a threat is known, and why that mindset continues to leave organizations vulnerable. Instead, ThreatLocker's philosophy is to “deny by default and permit by exception”—a strategy that, when managed effectively, provides maximum protection without slowing down business operations.ThreatLocker's presence at the conference will feature live demos, short presentations, and hands-on challenges—including their popular Ducky Challenge, where participants test whether their endpoint defenses can prevent a rogue USB (disguised as a keyboard) from stealing their data. If your system passes, you win the rubber ducky. If it doesn't? They (temporarily) get your data. It's a simple but powerful reminder that what you think is secure might not be.The booth won't just be about tech. The team is focused on conversations—reconnecting with customers, engaging new audiences, and exploring how the community is responding to a threat landscape that's growing more sophisticated by the day. Allen emphasizes the importance of in-person dialogue, not only to share what ThreatLocker is building but to learn how security leaders are adapting and where gaps still exist.And yes, there will be merch—high-quality socks, t-shirts, and even a few surprise giveaways dropped at hotel doors (if you resist the temptation to open the envelope before visiting the booth).For those looking to rethink endpoint protection or better understand how proactive controls can complement detection-based tools, this episode is your preview into a very different kind of cybersecurity conversation—one that starts with a challenge and ends with community.Learn more about ThreatLocker: https://itspm.ag/threatlocker-r974Guest: Rob Allen, Chief Product Officer, ThreatLocker | https://www.linkedin.com/in/threatlockerrob/ResourcesLearn more and catch more stories from ThreatLocker: https://www.itspmagazine.com/directory/threatlockerLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage______________________Keywords: rsac conference, cybersecurity, endpoint, zero trust, rubber ducky, threat detection, data exfiltration, security strategy, deny by default, permit by exception, proactive security, security demos, usb attack, cyber resilience, network control, security mindset, rsac 2025, event coverage, on location, conference____________________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageTo see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcastTo see and hear more Redefining Society stories on ITSPmagazine, visit:https://www.itspmagazine.com/redefining-society-podcastWant to tell your Brand Story Briefing as part of our event coverage? Learn More

The RSA Conference has long served as a meeting point for innovation and collaboration in cybersecurity—and in this pre-RSAC episode, ITSPmagazine co-founders Marco Ciappelli and Sean Martin welcome Akamai's Rupesh Chokshi to the conversation. With RSAC 2025 on the horizon, they discuss Akamai's presence at the event and dig into the challenges and opportunities surrounding AI, threat intelligence, and enterprise security.Chokshi, who leads Akamai's Application Security business, describes a landscape marked by explosive growth in web and API attacks—and a parallel shift as enterprises embrace generative AI. The double-edged nature of AI is central to the discussion: while it offers breakthrough productivity and automation, it also creates new vulnerabilities. Akamai's dual focus, says Chokshi, is both using AI to strengthen defenses and securing AI-powered applications themselves.The conversation touches on the scale and sophistication of modern threats, including an eye-opening stat: Akamai is now tracking over 500 million large language model (LLM)-driven scraping requests per day. As these threats extend from e-commerce to healthcare and beyond, Chokshi emphasizes the need for layered defense strategies and real-time adaptability.Ciappelli brings a sociological lens to the AI discussion, noting the hype-to-reality shift the industry is experiencing. “We're no longer asking if AI will change the game,” he suggests. “We're asking how to implement it responsibly—and how to protect it.”At RSAC 2025, Akamai will showcase a range of innovations, including updates to its Guardicore platform and new App & API Protection Hybrid solutions. Their booth (6245) will feature interactive demos, theater sessions, and one-on-one briefings. The Akamai team will also release a new edition of their State of the Internet report, packed with actionable threat data and insights.The episode closes with a reminder: in a world that's both accelerating and fragmenting, cybersecurity must serve not just as a barrier—but as a catalyst. “Security,” says Chokshi, “has to enable innovation, not hinder it.”⸻Keywords: RSAC 2025, Akamai, cybersecurity, generative AI, API protection, web attacks, application security, LLM scraping, Guardicore, State of the Internet report, Zero Trust, hybrid digital world, enterprise resilience, AI security, threat intelligence, prompt injection, data privacy, RSA Conference, Sean Martin, Marco Ciappelli______________________Guest: Rupesh Chokshi, SVP & GM, Akamai https://www.linkedin.com/in/rupeshchokshi/Hosts:Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine:  https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________This Episode's SponsorsAKAMAI:https://itspm.ag/akamailbwc____________________________ResourcesLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageRupesh Chokshi Session at RSAC 2025The New Attack Frontier: Research Shows Apps & APIs Are the Targets - [PART1-W09]____________________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageTo see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcastTo see and hear more Redefining Society stories on ITSPmagazine, visit:https://www.itspmagazine.com/redefining-society-podcastWant to tell your Brand Story Briefing as part of our event coverage? Learn More

In this Brand Story episode, Sean Martin and Marco Ciappelli sit down with Rob Allen, Chief Product Officer at ThreatLocker, to unpack how the company is reshaping endpoint security through a unique, control-first approach. Rob shares how ThreatLocker is challenging long-held assumptions about trust, visibility, and control in enterprise environments—and why the traditional “trust but verify” model is no longer good enough.From Default Permit to Default DenyThreatLocker's philosophy centers on a fundamental shift: moving from a default permit posture to a default deny stance. This approach, according to Rob, doesn't hinder operations—it creates boundaries that allow organizations to function safely and efficiently. It's not about locking systems down; it's about granting permissions with precision, so users can operate without even noticing security is present.Product Innovation Driven by Real FeedbackThe conversation highlights how customer input—and CEO Danny Jenkins' relentless presence at industry events—drives product development. New solutions like Web Control and Patch Management are designed as logical extensions of existing tools, allowing security teams to reduce risk without creating friction for end users. The addition of a software store, suggested by enterprise customers, gives users clarity on what's approved while reducing IT support tickets.Insights and the Detect DashboardRob also explains how ThreatLocker is unlocking the value of big data. With billions of data points collected every hour, their new Insights platform aggregates and analyzes cross-customer trends to better inform security decisions. Combined with the Detect Dashboard, teams now gain not only visibility but actionable intelligence—supported by polished visuals and streamlined workflows.More Than Just Tech—It's Peace of MindWhile the technology is impressive, Rob says the most rewarding feedback is simple: “ThreatLocker helps me sleep at night.” For many customers, that level of confidence is priceless. And in unexpected situations—like a blue-screen incident caused by third-party software—ThreatLocker has even been used to mitigate impacts in creative ways.Whether you're leading a global IT team or managing a growing MSP, this episode will make you think differently about how security fits into your operational strategy. Tune in to hear how ThreatLocker is turning bold ideas into real-world control.Learn more about ThreatLocker: https://itspm.ag/threatlocker-r974Note: This story contains promotional content. Learn more.Guest: Rob Allen, Chief Product Officer at ThreatLockerOn LinkedIn | https://www.linkedin.com/in/threatlockerrob/ResourcesLearn more and catch more stories from ThreatLocker: https://www.itspmagazine.com/directory/threatlockerAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story

Episode SummaryIn this episode of The Secure Developer, Danny Allan sits down with Akira Brand, AVP of Application Security at PRA Group, to explore the evolving landscape of application security and AI. Akira shares her unconventional journey from opera to cybersecurity, discusses why AppSec is fundamentally a customer service role and breaks down how AI is reshaping security workflows. Tune in to hear insights on integrating security seamlessly into development, AI's role in secure coding, and the future of AppSec in a rapidly shifting tech landscape.Show NotesIn this engaging episode, The Secure Developer welcomes Akira Brand, AVP of Application Security at PRA Group, for an in-depth discussion on the intersection of AI and application security. Akira's unique background in opera and stage direction offers a fresh perspective on fostering collaboration in security teams and influencing organizational culture.Key Topics Covered:From Opera to AppSec: Akira shares her journey from classical music to cybersecurity and how her experience in stage direction translates into leading security teams.AppSec as a Customer Service Role: The importance of serving software engineers by providing security solutions that fit seamlessly into their workflows.The ‘Give Them the Pickle' Approach: How meeting developers where they are and educating them can lead to better security adoption.AI's Role in Secure Development: How AI-driven tools are transforming the way security is integrated into the software development lifecycle.Challenges in Security Culture: Why security is still an afterthought in many development processes and how to change that mindset.Future of AI in Security: The promise and risks of AI-assisted security tools and the need for standards to keep pace with rapid technological advancements.LinksPRA GroupTuring SchoolBrian HoltFrontend MastersResiliaSnyk - The Developer Security Company Follow UsOur WebsiteOur LinkedIn

How can Security Copilot help you secure your applications? Richard talks to Ari Schorr about assessing application risk with Microsoft Security Copilot - a new feature in preview in Security Copilot that focuses on application roles and entities. Ari talks about the sheer array of resources that applications depend on, and the many security risks that exist in that space - how do you even get started on the problem? Security Copilot helps to sort through potential risks and help a sysadmin focus in on the most significant risks, especially the low-hanging fruit weak authentication and unused resources. The conversation also explores some of the future potential of a tool like this to detect supply chain attacks, find ways to strengthen and simplify applications so their attack surface is smaller. It's a great time to get familiar with these tools!LinksMicrosoft Security CopilotMidnight Blizzard Attack on MicrosoftSecure Future InitiativeAssess Application Risk with Microsoft Security CopilotMicrosoft SentinelRecorded February 18, 2025

Send us a textIn this episode of Relating to DevSecOps, Ken Toler and Mike McCabe dive deep into Google's blockbuster acquisition of Wiz.io for a reported $32 billion. They explore the implications for cloud security, the consolidation of the DevSecOps tooling landscape, and how this move compares to Google's previous acquisitions like Mandiant and Chronicle. The duo debates the future of multi-cloud strategies, platform fatigue, and whether Wiz will remain the darling of the security community—or get lost in the labyrinth of Google Cloud products. With sharp insights and a dash of hot takes, they paint a picture of a cloud security ecosystem at a pivotal turning point

Organizations build and deploy applications at an unprecedented pace, but security is often an afterthought. This episode of ITSPmagazine's Brand Story features Jim Manico, founder of Manicode Security, in conversation with hosts Sean Martin and Marco Ciappelli. The discussion explores the current state of application security, the importance of developer training, and how organizations can integrate security from the ground up to drive better business outcomes.The Foundation of Secure DevelopmentJim Manico has spent decades helping engineers and architects understand and implement secure coding practices. His work with the Open Web Application Security Project (OWASP), including contributions to the OWASP Top 10 and the OWASP Cheat Sheet Series, has influenced how security is approached in software development. He emphasizes that security should not be an afterthought but a fundamental part of the development process.He highlights OWASP's role in providing documentation, security tools, and standards like the Application Security Verification Standard (ASVS), which is now in its 5.0 release. These resources help organizations build secure applications, but Manico points out that simply having the guidance available isn't enough—engineers need the right training to apply security principles effectively.Why Training MattersManico has trained thousands of engineers worldwide and sees firsthand the impact of hands-on education. He explains that developers often lack formal security training, which leads to common mistakes such as insecure authentication, improper data handling, and vulnerabilities in third-party dependencies. His training programs focus on practical, real-world applications, allowing developers to immediately integrate security into their work.Security training also helps businesses beyond just compliance. While some companies initially engage in training to meet regulatory requirements, many realize the long-term value of security in reducing risk, improving product quality, and building customer trust. Manico shares an example of a startup that embedded security from the beginning, investing heavily in training early on. That approach helped differentiate them in the market and contributed to their success as a multi-billion-dollar company.The Role of AI and Continuous LearningManico acknowledges that the speed of technological change presents challenges for security training. Frameworks, programming languages, and attack techniques evolve constantly, requiring continuous learning. He has integrated AI tools into his training workflow to help answer complex questions, identify knowledge gaps, and refine content. AI serves as an augmentation tool, not a replacement, and he encourages developers to use it as an assistant to strengthen their understanding of security concepts.Security as a Business EnablerThe conversation reinforces that secure coding is not just about avoiding breaches—it is about building better software. Organizations that prioritize security early can reduce costs, improve reliability, and increase customer confidence. Manico's approach to education is about empowering developers to think beyond compliance and see security as a critical component of software quality and business success.For organizations looking to enhance their security posture, developer training is an investment that pays off. Manicode Security offers customized training programs to meet the specific needs of teams, covering topics from secure coding fundamentals to advanced application security techniques. To learn more or schedule a session, Jim Manico can be reached at Jim@manicode.com.Tune in to the full episode to hear more insights from Jim Manico on how security training is shaping the future of application security.Learn more about Manicode: https://itspm.ag/manicode-security-7q8iNote: This story contains promotional content. Learn more.Guest: Jim Manico, Founder and Secure Coding Educator at Manicode Security | On Linkedin: https://www.linkedin.com/in/jmanico/ResourcesDownload the Course Catalog: https://itspm.ag/manicode-x684Learn more and catch more stories from Manicode Security: https://www.itspmagazine.com/directory/manicode-securityAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story

Fortifying security defences with automated root cause analysis and prioritisationManaging security risk urgency across your application pipeline with real-time visibility and data visualisation capabilitiesDriving efficiency and prioritisation across your security ecosystem with practical remediation actionsThis episode is hosted by Thom Langford:https://www.linkedin.com/in/thomlangford/John Heaton-Armstrong, Experienced Cyber security Leader, Confidentialhttps://www.linkedin.com/in/johnheatonarmstrong/Danny Dresner, Professor of Cyber security, The University of Manchesterhttps://www.linkedin.com/in/danny-dresner-fciis-6382381/Tiago Rosado, Chief Information Security Officer, Asitehttps://www.linkedin.com/in/tiagorosado/Derek Maki, VP Product Management, Veracodehttps://www.linkedin.com/in/derekmaki/

At ThreatLocker Zero Trust World 2025 in Orlando, Art Ocain, VP of Cybersecurity & Incident Response at Airiam, shared valuable insights into applying zero trust principles to incident response. The conversation, hosted by Marco Ciappelli and Sean Martin, highlighted the critical role of zero trust in preparing for and managing security incidents.The Zero Trust Mindset in Incident Response Ocain discussed how zero trust methodology—embracing the principles of "assume breach" and "always verify, never trust"—can significantly enhance incident response strategies. Instead of merely securing the perimeter or endpoints, his approach involves identifying and protecting core systems through micro-segmentation and robust identity management. By securing each component individually, organizations can minimize the impact of potential breaches.For example, Ocain described a scenario where segmenting a SQL server from an application server could prevent data loss during an attack. Even if an application server is compromised, critical data remains secure, allowing quicker recovery and continuity of operations.Dynamic Containment Strategies Ocain emphasized the importance of dynamic containment when responding to incidents. Traditional methods, such as using Endpoint Detection and Response (EDR) tools, are effective for forensic analysis but may not stop active threats quickly. Instead, he advocated for an "allow list only" approach that restricts access to systems and data, effectively containing threats while maintaining critical business functions.In practice, when Ocain is called into a crisis, he often implements a deny-by-default solution to isolate compromised systems. This strategy allows him to perform forensics and bring systems back online selectively, ensuring threat actors cannot access recovered systems.Balancing Security with Business Needs A significant challenge in adopting zero trust is gaining executive buy-in. Ocain noted that executive teams often push back against zero trust measures, either out of a desire for convenience or because of misconceptions about its impact on business culture. His approach involves demonstrating real-world scenarios where zero trust could mitigate damage during breaches. By focusing on critical systems and showing the potential consequences of compromised identities or systems, Ocain effectively bridges the gap between security and business priorities.A Cultural Shift Toward Security The discussion also touched on the cultural shift required to fully integrate zero trust into an organization. Zero trust is not just a technological framework but a mindset that influences how every employee views access and security. Through scenario-driven exercises and engaging executive teams early in the process, Ocain helps organizations transition from a "department of no" mentality to a collaborative, security-first culture.Listen to the full episode to explore more strategies on implementing zero trust in incident response and how to align security initiatives with business goals.Guest: Art Ocain, VP of Cybersecurity & Incident Response at Airiam | On LinkedIn: https://www.linkedin.com/in/artocain/Hosts:Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine:  https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________This Episode's SponsorsThreatLocker: https://itspm.ag/threatlocker-r974____________________________ResourcesLearn more and catch more stories from ZTW 2025 coverage: https://www.itspmagazine.com/zero-trust-world-2025-cybersecurity-and-zero-trust-event-coverage-orlando-floridaRegister for Zero Trust World 2025: https://itspm.ag/threat5mu1____________________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageTo see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcastTo see and hear more Redefining Society stories on ITSPmagazine, visit:https://www.itspmagazine.com/redefining-society-podcastWant to tell your Brand Story Briefing as part of our event coverage? Learn More

Kyle Rippee, currently staff product security engineer at Tines, joins Seth and Ken for another episode of Absolute AppSec. Kyle has over a decade of experience both managing and working for Application Security teams, as well as working as a pentester, security consultant, and software engineer. Before Tines, he worked for PlanetArt (where he held the role of Director of Information Security), FloQast, Shutterfly, Atos, among other Product Development and Security Consulting firms. Join us as we discuss Kyle's path into application security as well as finding out more about the interesting things going on at Tines.

Can a misconfigured prompt spark a massive data breach?On this episode of Your AI Injection, host Deep Dhillon and Keith Hoodlet, Director of AI/ML and Application Security from Trail of Bits reveal the critical vulnerabilities hiding in your AI chat systems. Keith explains how RAG systems and other API endpoints, if not rigorously secured, can create unintended data portals, allowing hackers to extract everything from HR records to confidential strategic documents. The two navigate the complexities of prompt injection vulnerabilities, dynamic adversarial testing, and the balancing act between rapid innovation and robust security. As they discuss the human and technical factors that contribute to these risks, Deep and Keith challenge the industry to view security not as an afterthought, but as an integral feature of every AI-driven product. Tune in for a deep dive into safeguarding your digital future!Learn more about Keith here: https://www.linkedin.com/in/securingdev/and Trail of Bits here: https://www.trailofbits.com/Check out some of our related podcast episodes: Your Code Base Is Already Gen AI—Now What? with Matt Van Itallie of SemaWhy Generative AI Could Make Programming Languages Obsolete with Austin Vance of FocusedExploring Artificial General Intelligence: Intent, Intellect, and Innovation with Lucas Hendrich of the Forte Group

RJJ Software's Software Development Service This episode of The Modern .NET Show is supported, in part, by RJJ Software's Podcasting Services, whether your company is looking to elevate its UK operations or reshape its US strategy, we can provide tailored solutions that exceed expectations. Show Notes "This should be a mantra for anyone working on web applications or web APIs: you should validate any input of the application as much as possible. When you conceptualize it, all the malicious input into your application comes across in an HTTP request at some point. It's either in the URL or in the body. That's generally speaking, unless you have a supply chain attack, that's generally the vector by which your application will be attacked. Before you even start to kind of think about specific vulnerabilities, if you narrow down what is permissible input right out of the gate, then you kind of close the door on so many different vulnerabilities without even thinking about it."— Malcolm McDonald Welcome friends to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. We are the go-to podcast for .NET developers worldwide, and I am your host: Jamie "GaProgMan" Taylor. In this episode, Malcolm McDonald joined us to talk about the importance of Application Security, knowing the basics of secure coding, and backing that all up with both "secure by default" designs, and subscribing to CVE notifications. "So what you find in your career is that if you set down kind of sensible default behaviour in your codebase earlier on, then everyone will follow that. You establish, kind of, best practices. It might take a little bit longer, but if you say, "this is the way we do this over here," then even yourself when you, kind of, come back to, will kind of, reproduce that path. So the initial, kind of, like first few check-ins to your source control are key to, like, establishing best practice"— Malcolm McDonald One note before we begin: some of Malcolm's audio is a little rough. Mark, our superstar editor, has done what he can, but there are parts that might be a little unclear. If you have trouble with the audio, please remember that there is a full transcription linked in the accompanying show notes. Anyway, without further ado, let's sit back, open up a terminal, type in `dotnet new podcast` and we'll dive into the core of Modern .NET. Supporting the Show If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show. Full Show Notes The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-7/grokking-application-security-malcolm-mcdonald-on-securing-your-apps/ Useful Links Malcolm on LinkedIn Grokking Application Security Hacksplaining Hash function Don't Accept The Defaults Bcrypt Supporting the show: Leave a rating or review Buy the show a coffee Become a patron Getting in Touch: Via the contact page Joining the Discord Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast. Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show

In this episode of The BlueHat Podcast, hosts Nic Fillingham and Wendy Zenone are joined by Jason Geffner, Principal Security Architect at Microsoft, to discuss his groundbreaking work on scaling and automating Dynamic Application Security Testing (DAST). Following on from his BlueHat 2024 session, and outlined in this MSRC blog post, Jason explains the key differences between DAST, SAST, and IAST, and dives into the challenges of scaling DAST at Microsoft's enterprise level, detailing how automation eliminates manual configuration and improves efficiency for web service testing.     In This Episode You Will Learn:     Overcoming the challenges of authenticated requests for DAST tools  The importance of API specs for DAST and how automation streamlines the process  Insights into how Microsoft uses DAST to protect its vast array of web services    Some Questions We Ask:    What's a lesson from this work that you can share with those without Microsoft's resources?  Can you explain what the transparent auth protocol is that you mentioned in the blog post?  How is your work reducing the manual effort needed to configure DAST system services?     Resources:       View Jason Geffner on LinkedIn    View Wendy Zenone on LinkedIn    View Nic Fillingham on LinkedIn     Related Blog Post: Scaling Dynamic Application Security Testing (DAST) | MSRC Blog  Related BlueHat Session Recording: BlueHat 2024: S10: How Microsoft is Scaling DAST     Related Microsoft Podcasts:       Microsoft Threat Intelligence Podcast    Afternoon Cyber Tea with Ann Johnson    Uncovering Hidden Risks          Discover and follow other Microsoft podcasts at microsoft.com/podcasts   

RJJ Software's Software Development Service This episode of The Modern .NET Show is supported, in part, by RJJ Software's Podcasting Services, whether your company is looking to elevate its UK operations or reshape its US strategy, we can provide tailored solutions that exceed expectations. Show Notes "From the very first lesson of "Hello, World" they teach us to make insecure code. So the first thing with "Hello, World" is how to output to the screen. That is fine. But the second part of "Hello, World" is: you ask them their name, you take their name. you don't validate it, and then you say "Hello," and you reflect their name back onto the screen with no output encoding. And then you just made cross-site scripting. And right from the very first lesson, we teach everyone wrong in pretty much every language, and so as a result we end up with a lot of people doing code the wrong way. Like, universities are still teaching lots of things wrong. And so I'm hoping that this book will help."— Tanya Janca Welcome friends to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. We are the go-to podcast for .NET developers worldwide, and I am not your host: Jamie. I'm Delilah and I will be recording the intro for this episode because Jamie's throat infection returned, making it tough for him to record this intro. In this episode, we welcomed Tanya Janca back to the show. This conversation marks her third appearance on the show, and a slight change in focus to Secure Coding. We talk about how developers are taught to write insecure code from day one (or "Hello, World!"), about how her new book "Alice and Bob Learn Secure Coding" could help with that, the many hours of free education and learning that Tanya has created alongside the book, and how both data scientists and academics approach software development differently to some of us developers. "There are so many amazing security features in .NET. There's so many. Like, because I... I wrote about eight different frameworks and .NET by far had the absolute most different security features. And part of it, some of them are from Windows. Some of them are from C... because I wrote about C# and .NET. And to be quite honest, audience, I mixed them up quite a bit because, "what is specifically C#, and what is specifically .NET," got a bit confused in my brain. But I'm like, all of it's good. Do all of it"— Tanya Janca Anyway, without further ado, let's sit back, open up a terminal, type in `dotnet new podcast` and we'll dive into the core of Modern .NET. My voice was created using Generative AI. Supporting the Show If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show. Full Show Notes The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-7/the-security-expert-speaks-tanya-janca-on-learning-to-code-securely/ Tanya's Previous Appearances: Episode 77 - Application Security with Tanya Janca Episode 105 - More Application Securuty with Tanya Janca Useful Links Tanya's books Tanya's newsletter Hello, World Don't Accept The Defaults Semgrep Okta Pushing Left, Like a Boss: Part 1 Owasp DAST (Dynamic Application Security Testing) SAST (Static Application Security Testing) Semgrep Academy (previously known as WeHackPurple Academy) Application Security Foundations Level 1 Owasp Juice Shop OwaspHeaders.Core Owasp Top Ten Content-Security-Policy Trusted Types Jason Haddix Retrieval-Augmented Generation (aka RAG) Posting Malicious Code as an Answer Supporting the show: Leave a rating or review Buy the show a coffee Become a patron Getting in Touch: Via the contact page Joining the Discord Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.

Today, I am delighted to welcome Dave Furneaux, Founder & CEO of BlueIO, an innovative, mission-driven builder capitalist investment company. Dave is a co-founder and investor in a number of innovative companies, such as Blaze (acquired by Akamai), Cybersaint (a leading Cyber Risk Management company), Greenlight Biosciences (EPA approved breakthrough RNA bio-chemical platform for clean food), Lufa Farms (a leading agricultural technology company), Lumicell (an FDA approved platform for Cancer therapy) and Virsec (a breakthrough cyber protection company). He has been a driving force behind many breakthrough technology, health, and food companies as a founder, operator, investor, and active board leader. Some notable examples include Watchfire (acquired by IBM), Skystone (acquired by Cisco Systems), Application Security (acquired by SingTel) and Aironet (acquired by Cisco Systems). Earlier in his career, Dave founded and led Kodiak Venture Partners, which went on to invest in and build companies such as Appnexus (acquired by AT&T), Channel Advisor (NYSE: ECOM), Extreme (acquired by Microchip), Enfora (acquired by Sierra Wireless), IM Logic (acquired by Symantec) and WHERE (acquired by Paypal). David believes, and we at FOX agree, that families are uniquely positioned and endowed to create, build, and innovate by putting their family capital, their entrepreneurial spirit, and creativity to work to solve the big problems our world is facing. He talks about why he has this conviction, how he sees it play out today, and why and how families play this key role in innovation and building new solutions and products. The topic of our conversation with Dave is encapsulated in a relatively new term: “Builder Capitalism”. Dave defines Builder Capitalism for our audience, describes the tenets of this investment philosophy, and outlines the mindset and skills it requires. He also paints the picture of how Builder Capitalism is manifested in reality through the activities and behaviors of entrepreneurs. Dave offers many practical tips and suggestions to the different market players who are interested in Builder Capitalism, starting with what investors need to know or do if they want to participate in this movement and allocate their capital (financial and non-financial) to Builder Capitalist ventures. He also provides his advice to entrepreneurs and founders who share this belief system and see themselves and their startups as members of this Builder Capitalism economy. Finally, Dave offers his insights into the resources available to both investors and founders to become better educated about Builder Capitalism and to be better connected into the emerging ecosystem of this rising entrepreneurial movement. This is a must-hear conversation with one of the leading thought leaders, practitioners, and innovators in the Builder Capitalism movement, who is also a family principal and leader of his own multigenerational entrepreneurial family.

In this conversation, Tanya Janca discusses the importance of secure coding in the cybersecurity landscape, sharing her journey and experiences as both a developer and educator. She emphasizes the need for software developers to understand security principles, the role of OWASP in providing resources, and the challenges of balancing user experience with security measures. Tanya also highlights the significance of validation in development and the implications of implied trust in cybersecurity practices.

In this episode of CISO Tradecraft, host G Mark Hardy explores the top 10 cybersecurity predictions for 2025. From the rise of AI influencers to new standards in encryption, Hardy discusses significant trends and changes expected in the cybersecurity landscape. The episode delves into topics such as branding, application security, browser-based security, and post-quantum cryptography, aiming to prepare listeners for future challenges and advancements in the field.   Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10   Team8 Fixing AppSec Paper - https://bunny-wp-pullzone-pqzn4foj9c.b-cdn.net/wp-content/uploads/2024/11/Fixing-AppSec-Paper.pdf Terraform and Open Policy Agent Example - https://spacelift.io/blog/terraform-best-practices#8-introduce-policy-as-code Transcripts - https://docs.google.com/document/d/1u6B2PrkJ1D14d9HjQQHSg7Fan3M6n4dy Chapters 01:19 1) AI Influencers become normalized 03:17 2) The Importance of Production Quality in Branding 05:19 3) Google and Apple Collaboration for Enhanced Security 06:28 4) Consolidation in Application Security and Vulnerability Management 08:36 5) The Rise of Models Committees 09:09 6) Formalizing the CISO Role 11:03 7) Exclusive CISO Retreats: The New Trend 12:12 8) Automating Cybersecurity Tasks with Agentic AI 13:10 9) Browser-Based Security Solutions 14:22 10) Post-Quantum Cryptography: Preparing for the Future  

Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by default. Mo shares his insights on how to build effective cross-team security relationships and approaches for gaining leadership buy-in. Mo's Book Recommendation: I Have No Mouth and I Must Scream by Harlan Ellison FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How is least privilege different in 2025? Richard talks to Bailey Bercik about the ongoing efforts to minimize users, administrators, and applications' privileges in 2025. Bailey talks about the power of Entra Permissions Management to help you see what permissions are going unused on various accounts so that you can tailor rights to individual accounts without things becoming unmanageable. Artificial intelligence is a forcing function for many permission issues, with these new tools potentially creating problems when given unnecessary rights. But those same tools can help you understand where permissions are being underutilized and help protect your systems!LinksPrinciple of Least PrivilegeEnable Permission ManagementEntra Permissions ManagementMicrosoft Security CopilotCopilot in Microsoft EntraSEC545: GenAI and LLM Application SecurityHow Attackers Use Apps to Attack VideoRecorded December 16, 2024

Matthew Adams, Head of Security Enablement at Citi, joins SE Radio host Priyanka Raghavan to explore the use of large language models in threat modeling, with a special focus on Matthew's work, Stride GPT. The episode kicks off with an overview of threat modeling, its applications, and the stages of the development life cycle where it fits in. They then discuss the STRIDE methodology and strideGPT, highlighting practical examples, the technology stack behind the application, and the tool's inputs and outputs. The show concludes with tips and tricks for optimizing tool outputs and advice on other open source projects that utilize generative AI to bolster cybersecurity defenses. Brought to you by IEEE Computer Society and IEEE Software magazine.

In this episode, recorded at Kubecon NA in Salt Lake City, we spoke about about Kubernetes security with Shauli Rozen, co-founder and CEO of ARMO Security. From the challenges of runtime protection to the potential of CADR (Cloud Application Detection and Response), Shauli breaks down the gaps in traditional CSPM tools and how Kubernetes plays a central role in cloud security strategy. The episode gets into the "Four C's" of cloud security: Cloud, Cluster, Container, Code, why runtime data, powered by eBPF, is critical for modern security solutions, the rise of CADR and how Kubernetes is reshaping the landscape of DevOps and security collaboration. Guest Socials: Shauli's Linkedin Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp Questions asked: (00:00) Introduction (01:46) A bit about Shauli and ARMO (02:26) Bit about open source project Kubescape (03:59) What is Runtime Security in Kubernetes? (06:50) CDR and Application Security (08:57) What is ADR and CADR? (09:55) How is CADR different to ASPM + DAST? (12:18) Kubernetes Usage and eBPF (15:35) Does your CSPM do coverage for Kubernetes? (16:24) What to include in 2025 Cybersecurity Roadmap? (19:09) Does everyone need CADR? (21:35) Who is looking at the Kubernetes Security Logs? (23:17) The future of Kubernetes Security (25:26) The Fun Section