Podcasts about appsec

Dag Flachet joins us to discuss the concept of Kaizen and its application in improving application security. Dag shares his journey into the world of security, emphasizing the importance of iterative, small-step improvements. The conversation delves into how organizations can effectively implement maturity models to enhance their security programs, the limitations of compliance-focused frameworks like ISO 27,000 and SOC 2, and the practical application of Kaizen principles. They also explore the evolution and future updates of OWASP SAM, and the importance of empowering development teams through a bottom-up approach in security enhancement. Dag is the co-founder of Codific, a professor and board member at the Geneva Business School, and an active member of the OWASP Barcelona Chapter and the OWASP SAMM community. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Segurança em aplicações não é coisa de outro mundo. Neste episódio do Kubicast, recebemos André Esteves e Matheus Farias, duas feras do iFood que vivem o dia a dia da Application Security (AppSec) na veia! Com muito bom humor e bastante casca de produção, eles compartilham a rotina, os desafios e os aprendizados de quem realmente coloca a mão na massa para proteger sistemas em larga escala.A conversa vai de OWASP Top 10 à política de travamento de PRs, passando por burp suite, cultura dev, roles de segurança, hardening de imagens base com zero CVEs e o papel crucial dos soft skills para quem quer entrar na área. Se você acha que segurança é só sobre hacker de hoodie e terminal verde piscando, esse papo vai te mostrar a real!Links Importantes:- Andre Esteves - https://www.linkedin.com/in/andreestevespaiva/- Matheus Farias - https://www.linkedin.com/in/eu-matheus-farias-devsecops/- João Brito - https://www.linkedin.com/in/juniorjbn- Assista ao FilmeTEArapia - https://youtu.be/M4QFmW_HZh0?si=HIXBDWZJ8yPbpflMParticipe de nosso programa de acesso antecipado e tenha um ambiente mais seguro em instantes!https://getup.io/zerocveO Kubicast é uma produção da Getup, empresa especialista em Kubernetes e projetos open source para Kubernetes. Os episódios do podcast estão nas principais plataformas de áudio digital e no YouTube.com/@getupcloud.

Send us a textIn this episode of Relating to DevSecOps, Ken and Mike discuss the challenges faced by CISOs in today's security landscape, particularly the struggle to balance immediate security needs with long-term preventative strategies. They explore the disconnect between security leadership and practitioners, the urgency of addressing security issues, and the importance of understanding the root causes of vulnerabilities. The conversation emphasizes the need for CISOs to engage more deeply with their teams and to focus on effective, context-driven security solutions rather than simply reacting to the latest threats.

In this episode, we explore the crucial role of cultivating a strong security culture to drive change in AppSec, where training and collaboration are key. Our distinguished guest, Danielle Ruderman, discusses the importance of executive support in ensuring that application development isn't just about churning out apps on time, but also about adopting a secure-by-design approach. We also dive into how to empower developers, foster psychological safety, and make security everyone's responsibility. Tune in for actionable insights on transforming your security culture within your applications team and beyond. Segment Resources: • AWS Security Blog How the unique culture of security at AWS makes a difference: https://aws.amazon.com/blogs/security/how-the-unique-culture-of-security-at-aws-makes-a-difference/ • AWS Security Blog How AWS built the Security Guardians program, a mechanism to distribute security ownership: https://aws.amazon.com/blogs/security/how-aws-built-the-security-guardians-program-a-mechanism-to-distribute-security-ownership/ • AWS Security Blog How to build a Security Guardians program to distribute security ownership (part 2): https://aws.amazon.com/blogs/security/how-to-build-your-own-security-guardians-program/ • Application Security in the AWS Well Architected Framework: https://aws.amazon.com/blogs/security/how-to-build-your-own-security-guardians-program/ • AWS Security Blog How to approach threat modeling: https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/ • GitHub: Threat Composer is a simple threat modeling tool to help humans to reduce time-to-value when threat modeling: https://github.com/awslabs/threat-composer • Workshop: Threat Modeling the right way for builders: https://catalog.workshops.aws/threatmodel/en-US Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-213

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Maria Mora, Staff Application Security Engineer and active OWASP lifetime member, shares how her experience at the OWASP AppSec Global conference in Barcelona has reaffirmed the power of community in security. While many attendees chase back-to-back talks and technical training, Maria highlights something often overlooked—connection. Whether at the member lounge ping-pong table, during late-night beach meetups, or over keynote reflections, it's the relationships and shared purpose that make this event resonate.Maria emphasizes how her own journey into OWASP began with uncertainty but evolved into a meaningful path of participation. Through volunteering, serving on the events committee, and mentoring others, she has expanded not only her technical toolkit but also her ability to collaborate and communicate—skills she notes are essential in InfoSec but rarely prioritized. By stepping into the OWASP community, she's learned that you don't need decades of experience to contribute—just a willingness to start.Keynotes and sessions this year reinforced a similar message: security isn't just about hard skills. It's about bridging academia and industry, engaging first-time attendees, and creating welcoming spaces where no one feels like an outsider. Talks like Sarah Jané's encouraged attendees to find their own ways to give back, whether by submitting to the call for papers, helping with logistics, or simply sparking hallway conversations.Maria also points to how OWASP structures participation to make it accessible. Through demo rooms, project hubs, and informal lounge chats, attendees find ways to contribute to global initiatives like the OWASP Top 10 or volunteer-led trainings. Whether it's your first conference or your tenth, there's always room to jump in.For Maria, OWASP no longer feels like a secret club—it's a growing, open collective focused on helping people bring their best selves to security. That's the power of community: not just lifting up software, but lifting up each other.And for those thinking of taking the next step, Maria reminds us that the call for papers for OWASP DC is open through June 24th. As she puts it, “We all have something valuable to share—sometimes you just need the nudge to start.”GUEST: Maria Mora | Staff Application Security Engineer and OWASP events committee member | https://www.linkedin.com/in/riamaria/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

No quarto episódio da série sobre Programas de AppSec, o foco é o treinamento. Discutimos como estruturar iniciativas de capacitação para desenvolvimento seguro, abordando desde treinamentos obrigatórios até programas contínuos como Security Champions. O elenco explora o que realmente funciona na prática, como medir efetividade, engajar devs sem sobrecarregar e evitar os erros mais comuns ao tentar “evangelizar” segurança por meio da educação. Um papo direto sobre como transformar conhecimento em mudança de comportamento.

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Sean Martin connects with event speaker, Wojciech Dworakowski, to unpack a critical and underexamined issue in today's financial systems: the vulnerability of mobile-only banking apps when it comes to transaction authorization.Wojciech points out that modern banking has embraced the mobile-first model—sometimes at the cost of fundamental security principles. Most banks now concentrate transaction initiation, security configuration, and transaction authorization into a single device: the user's smartphone. While this offers unmatched convenience, it also creates a single point of failure. If an attacker successfully pairs their phone with a victim's account, they can bypass multiple layers of security, often without needing traditional credentials.The discussion explores the limitations of relying solely on biometric options like Face ID or Touch ID. These conveniences may appear secure but often weaken the overall security posture when used without additional independent verification mechanisms. Wojciech outlines how common attack strategies have shifted from stealing credit card numbers to full account takeover—enabled by social engineering and weak device-pairing controls.He proposes a “raise the bar” strategy rather than relying on a single silver-bullet solution. Suggestions include enhanced device fingerprinting, detection of emulators or rooted environments, and shared interbank databases for device reputation and account pairing anomalies. While some of these are already in motion under new EU and UK regulations, they remain fragmented.Wojciech also introduces a bold idea: giving users a slider in the app to adjust their personal balance of convenience vs. security. This kind of usability-driven approach could empower users while still offering layered defense.For CISOs, developers, and FinTech leaders, the message is clear—evaluate your app security as if attackers already know the shortcuts. Watch the full conversation to hear Wojciech's real-world examples, including a cautionary tale from his own family. Catch the episode and learn how to design financial security that's not just strong—but usable.GUEST: Wojciech Dworakowski | OWASP Poland Chapter Board Member and Managing Partner at SecuRing | https://www.linkedin.com/in/wojciechdworakowski/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Aram Hovsepyan, an active contributor to the OWASP SAMM project, brings a critical perspective to how the industry approaches security metrics, especially in vulnerability management. His message is clear: the way we collect and use metrics needs a serious rethink if we want to make real progress in reducing risk.Too often, organizations rely on readily available tool-generated metrics—like vulnerability counts—without pausing to ask what those numbers actually mean in context. These metrics may look impressive in a dashboard or board report, but as Aram points out, they're often disconnected from business goals. Worse, they can drive the wrong behaviors, such as trying to reduce raw vulnerability counts without considering exploitability or actual impact.Aram emphasizes the importance of starting with organizational goals, formulating questions that reflect progress toward those goals, and only then identifying metrics that provide meaningful answers. It's a research-backed approach that has been known for decades but is often ignored in favor of convenience.False positives, inflated dashboards, and a lack of alignment between metrics and strategy are recurring issues. Aram notes that many tools err on the side of overreporting to avoid false negatives, which leads to overwhelming—and often irrelevant—volumes of data. In some cases, up to 80% of identified vulnerabilities may be false positives, leaving security teams drowning in noise and chasing issues that may not matter.What's missing, he argues, is a strategic lens. Vulnerability management should be one component of a broader application security program, not the centerpiece. The OWASP Software Assurance Maturity Model (SAMM) offers a framework for evaluating and improving across a range of practices—strategy, risk analysis, and threat modeling among them—that collectively support better decision-making.To move forward, organizations need to stop treating vulnerability data as a performance metric and start treating it as a signal in a larger conversation about risk, impact, and architectural choices. Aram's call to action is simple: ask better questions, use tools more purposefully, and build security strategies that actually serve the business.GUEST: Aram Hovsepyan | OWASP SAMM Project Core Team member and CEO/Founder at CODIFIC | https://www.linkedin.com/in/aramhovsep/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Sarah-Jane Madden brings a unique lens to application security, shaped by her journey from developer to security leader and CSO. Speaking at OWASP AppSec Global, she tackles one of today's most pressing concerns: how AI is reshaping software engineering—and how we must respond without compromising core values like quality and security.Madden emphasizes that AI is only the latest in a series of major disruptions, comparing it to shifts like remote work triggered by COVID. Her message is clear: organizations must prepare for continuous change, not just chase the current trend. That means prioritizing adaptability and ensuring critical practices like application security are not sacrificed in the rush to speed up delivery.She makes the case for a layered, iterative approach to development—rejecting the outdated linear mindset. Developers, she argues, should leverage AI as an accelerator, not a replacement. Think of AI as your digital intern: handling the drudgery, automating boilerplate code, and even applying internal security standards to code before it reaches human hands. This frees developers to focus on creative problem-solving and thoughtful architecture.However, Madden cautions against blind enthusiasm. While experimentation is healthy, organizations must be discerning about outcomes. Speed is meaningless without quality, and quality includes security. She calls on developers to advocate for high standards and reminds business leaders not to fall for the allure of shortcut statistics or flashy claims that promise results without skilled labor. Her analogy of microwave dinners vs. proper cuisine illustrates the risk of prioritizing convenience over substance—especially in complex problem-solving environments.For line-of-business leaders, Madden urges realistic expectations. AI can enhance productivity, but it doesn't eliminate the need for thoughtful development. Ultimately, customers will notice if quality drops, and reputational damage is hard to undo.In closing, Madden celebrates OWASP as more than an organization—it's a source of support, camaraderie, and genuine community for those working to build secure, reliable systems. Her message? Embrace change, use tools wisely, protect your standards, and never forget the human side of engineering.GUEST: Sarah-Jane Madden | Global Director of Cyber Defense at Fortive | https://www.linkedin.com/in/sarahjanemadden/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Starr Brown, Director of Open Source Projects and Programs at OWASP, unpacks the real engine behind the organization's impact: the projects and the people driving them forward.With over 130 active projects, OWASP continues to expand its open source contributions to improve software security across the board. While the OWASP Top 10 remains its most recognized initiative, Starr points out that it's just one among many. Other significant projects include the Application Security Verification Standard (ASVS), the Software Assurance Maturity Model (SAMM), and the increasingly popular security games like Cornucopia, which use gamification to bring security concepts into business conversations and development workflows.AI is playing an increasingly prominent role in OWASP's work. Starr highlights the GenAI Security Project as a focal point, encompassing tools and guidance for LLM use, agentic AI, red teaming, and more. The scale of community engagement is equally impressive: around 33,000 people are active on Slack, and hundreds contribute to individual initiatives, reflecting the organization's truly global and grassroots structure.Beyond tools and documentation, OWASP is influencing regulation and policy through initiatives like the AI Exchange and the Transparency Exchange. These projects connect with government entities and standards bodies such as the European Commission and CEN/CENELEC to help shape responsible governance frameworks around software, AI, and cybersecurity.Listeners also get a glimpse into what's ahead. From upcoming events in Washington, D.C., to the OWASP Community Room at DEF CON in Las Vegas, the goal is to keep fostering connections and hands-on engagement. These gatherings not only showcase flagship tools and frameworks but create space for open dialogue, prototyping, and collaboration—whether you're breaking things or building them.To get involved, Starr encourages exploring the OWASP Projects page and joining their Slack community. The conversation makes it clear: OWASP is not just a collection of tools—it's a living, breathing network of contributors shaping the future of secure software.GUEST: Starr Brown | Director of Open Source Projects and Programs at OWASP | https://www.linkedin.com/in/starr-brown-8837547/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

During the upcoming OWASP Global AppSec EU in Barcelona, Spyros Gasteratos, long-time OWASP contributor and co-founder of Smithy, to explore how automation, collaboration, and community resources are shaping the future of application security. Spyros shares the foundation of his talk at OWASP AppSec Global: building a DevSecOps program from scratch using existing community tools—blending technical guidance with a celebration of open-source achievements.Spyros emphasizes that true progress in security stems not from an ever-growing stack of tools, but from aligning the humans behind them. According to him, security failures often stem from fragmented information and misaligned incentives across teams. His solution? Bring the teams together with a shared, streamlined flow of information and automate wherever possible to reduce wasted cycles and miscommunication.At the core of Spyros' philosophy is the need to turn AppSec from a blocker into a builder. Rather than overwhelming developers with endless bug reports, or security leaders with red dashboards, programs need to reflect the actual risk appetite of the business—prioritizing issues dynamically based on impact, timing, and operational goals. He challenges the one-size-fits-all approach, advocating instead for tagging systems that defer certain risks and encode organizational priorities in automation logic.A major part of that transformation lies in Smithy, the platform he's helping build. It's designed to be “Zapier for security”—an automation engine rooted in open-source standards that allows for custom workflows without creating a tangle of fragile scripts. The idea is to let teams focus on what's unique to them, while relying on battle-tested components for the rest.Looking ahead, Spyros doesn't buy into the doom-and-gloom narrative about AI limiting developer creativity. On the contrary, he argues that AI-enabled coding frees up cognitive space for better architecture and secure design thinking. In his view, creativity doesn't die—it just shifts from syntax to strategy.This episode is more than a discussion—it's a blueprint for how teams can rally around a common goal, and how OWASP's community can be the catalyst. Tune in to hear how open-source, automation, and human alignment are redefining AppSec from the ground up.GUEST: Spyros Gasteratos | OpenCRE co-lead and Founder of smithy.security | https://www.linkedin.com/in/spyr/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESSpyros' Session: A completely pluggable DevSecOps programme, for free, using community resources (https://owasp2025globalappseceu.sched.com/event/1whCB/a-completely-pluggable-devsecops-programme-for-free-using-community-resources)Learn more and catch more stories from OWASP Global AppSec EU 2025 Conference coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

The introduction of the Cyber Resilience Act (CRA) marks a major shift for the software industry: for the first time, manufacturers are being held accountable for the cybersecurity of their products. Olle E. Johansson, a long-time open source developer and contributor to the Asterisk PBX project, explains how this new regulation reshapes the role of software creators and introduces the need for transparency across the entire supply chain.In this episode, Johansson breaks down the complexity of today's software supply ecosystems—where manufacturers rely heavily on open source components, and end users struggle to identify vulnerabilities buried deep in third-party dependencies. With the CRA in place, the burden now falls on manufacturers to not only track but also report on the components in their products. That includes actively communicating which vulnerabilities affect users—and which do not.To make this manageable, Johansson introduces the Transparency Exchange API (TEA), a project rooted in the OWASP CycloneDX standard. What started as a simple Software Bill of Materials (SBOM) delivery mechanism has evolved into a broader platform for sharing vulnerability information, attestations, documentation, and even cryptographic data necessary for the post-quantum transition. Standardizing this API through Ecma International is a major step toward a scalable, automated supply chain security infrastructure.The episode also highlights the importance of automation and shared data formats in enabling companies to react quickly to threats like Log4j. Johansson notes that, historically, security teams spent countless hours manually assessing whether they were affected by a specific vulnerability. The Transparency Exchange API aims to change that by automating the entire feedback loop from developer to manufacturer to end user.Although still in beta, the project is gaining traction with organizations like the Apache Foundation integrating it into their release processes. Johansson emphasizes that community feedback is essential and invites listeners to engage through GitHub to help shape the project's future.For Johansson, OWASP stands for global knowledge and collaboration in application security. As Europe's regulatory influence grows, initiatives like this are essential to build a stronger, more accountable software ecosystem.GUEST: Olle E Johansson | Co-Founder, SBOM Europe | https://www.linkedin.com/in/ollejohansson/HOST:Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESCycloneDX/transparency-exchange-api on GitHub: https://github.com/CycloneDX/transparency-exchange-apiVIDEO: The Cyber Resilience Act: How the EU is Reshaping Digital Product Security | With Sarah Fluchs: https://youtu.be/c30eG5kzqnYLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

Jim Manico's passion for secure coding has always been rooted in deeply technical practices—methods that matter most to developers writing code day in and day out. At OWASP Global AppSec EU 2025 Conference in Barcelona, Manico brings that same precision and care to a broader conversation around the intersection of application security and artificial intelligence.While many are still just beginning to assess how AI impacts application development, Manico has been preparing for this moment for years. Two and a half years ago, he saw a shift—traditional low-level technical bugs were being mitigated effectively by mature organizations. The new challenge? Business logic flaws and access control issues that scanners can't easily detect. This change signaled a new direction, prompting him to dive into AI security long before it became fashionable.Now, Manico is delivering AI-flavored AppSec training, helping developers understand the risks of insecure code generated by large language models. His research shows that even the best AI coding tools—from Claude to Copilot—still generate insecure code out of the box. That's where his work becomes transformative: by developing detailed, framework-specific prompts grounded in decades of secure coding knowledge, he has trained these tools to write safer code, using React, Django, Vue, and more.Beyond teaching, he's building. With 200 volunteers, he's leading the creation of the Artificial Intelligence Security Verification Standard (AISVS), a new OWASP project inspired by the well-known Application Security Verification Standard (ASVS). Generated with both AI and human collaboration, the AISVS already has a v0.1 release and aims for a major update by summer.For Manico, this isn't just a technical evolution—it's a personal renaissance. His deep catalog of secure coding techniques, once used primarily for human education, is now fueling a new generation of AI-assisted development. And he's just getting started.This episode isn't just about where AppSec is going. It's a call to developers and security professionals to rethink how we teach, how we build, and how we can use AI to enhance—not endanger—the software we create.Learn more about Manicode: https://itspm.ag/manicode-security-7q8iNote: This story contains promotional content. Learn more.Guest: Jim Manico, Founder and Secure Coding Educator at Manicode Security | On Linkedin: https://www.linkedin.com/in/jmanico/ResourcesJim's OWASP Session: https://owasp2025globalappseceu.sched.com/event/1wfpM/leveraging-ai-for-secure-react-development-with-effective-prompt-engineeringDownload the Course Catalog: https://itspm.ag/manicode-x684Learn more and catch more stories from Manicode Security: https://www.itspmagazine.com/directory/manicode-securityAre you interested in telling your story?https://www.itspmagazine.com/telling-your-storyKeywords: jim manico, sean martin, appsec, ai, owasp, securecoding, developers, aisvs, training, react, brand story, brand marketing, marketing podcast, brand story podcast

In this On Location episode during OWASP AppSec Global 2025 in Barcelona, Josh Grossman, co-leader of the OWASP Application Security Verification Standard (ASVS) project, shares key updates and strategic thinking behind the release of ASVS version 5. This release, years in the making, reflects a renewed focus on making the standard more approachable, practical, and actionable for development teams and security leaders alike.ASVS is designed to provide a comprehensive and verifiable set of security requirements for building and maintaining secure applications. More than just a checklist, it offers a clear blueprint for what a secure application should look like—making it easier to benchmark progress, develop secure design requirements, and implement effective controls. Version 5 emphasizes accessibility, particularly by lowering the barrier to entry for organizations adopting Level 1 of the standard, reducing the threshold of required controls from nearly 50% to under 30%.One of the major shifts in this new version is the tighter focus on the application itself, moving away from system-level topics like backup policies that tend to fall outside the scope of app development teams. This makes the standard more relevant to software architects, developers, and QA engineers—providing requirements that fall within their sphere of influence, while still covering the full software lifecycle from design to deployment.Grossman explains how organizations can customize ASVS to include their internal controls and build out secure coding checklists, implementation guides, and requirements documents tailored to their environments. He also highlights how ASVS aligns with other OWASP projects, like the Cheat Sheet Series and SAMM, for both control-level guidance and organizational process development.For security leaders looking to improve their application security programs, ASVS v5 offers a foundation to build on—clear, community-driven, and extensible. And true to OWASP's spirit, the project is backed by a passionate community, from project co-leads like Grossman and Elar Lang to contributors around the world. As Grossman puts it, OWASP is about connection—people tackling similar challenges, working together to make software safer.If you're looking for a way to bring practical, standards-based security into your software lifecycle, this conversation is your starting point.GUEST: Josh Grossman | CTO of Bounce Security and co-leader of the OWASP Application Security Verification Standard (ASVS) project | https://www.linkedin.com/in/joshcgrossman/HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESOWASP Application Security Verification Standard (ASVS): https://owasp.org/www-project-application-security-verification-standard/Learn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

ArmorCode unveils Anya—the first agentic AI virtual security champion designed specifically for AppSec and product security teams. Anya brings together conversation and context to help AppSec, developers and security teams cut through the noise, prioritize risks, and make faster, smarter decisions across code, cloud, and infrastructure. Built into the ArmorCode ASPM Platform and backed by 25B findings, 285+ integrations, natural language intelligence, and role-aware insights, Anya turns complexity into clarity, helping teams scale securely and close the security skills gap. Anya is now generally available and included as part of the ArmorCode ASPM Platform. Visit https://securityweekly.com/armorcodersac to request a demo! As 'vibe coding", the practice of using AI tools with specialized coding LLMs to develop software, is making waves, what are the implications for security teams? How can this new way of developing applications be made secure? Or have the horses already left the stable? Segment Resources: https://www.backslash.security/press-releases/backslash-security-reveals-in-new-research-that-gpt-4-1-other-popular-llms-generate-insecure-code-unless-explicitly-prompted https://www.backslash.security/blog/vibe-securing-4-1-pillars-of-appsec-for-vibe-coding This segment is sponsored by Backslash. Visit https://securityweekly.com/backslashrsac to learn more about them! The rise of AI has largely mirrored the early days of open source software. With rapid adoption amongst developers who are trying to do more with less time, unmanaged open source AI presents serious risks to organizations. Brian Fox, CTO & Co-founder of Sonatype, will dive into the risks associated with open source AI and best practices to secure it. Segment Resources: https://www.sonatype.com/solutions/open-source-ai https://www.sonatype.com/blog/beyond-open-vs.-closed-understanding-the-spectrum-of-ai-transparency https://www.sonatype.com/resources/whitepapers/modern-development-in-ai-era This segment is sponsored by Sonatype. Visit https://securityweekly.com/sonatypersac to learn more about Sonatype's AI SCA solutions! The surge in AI agents is creating a vast new cyber attack surface with Non-Human Identities (NHIs) becoming a prime target. This segment will explore how SandboxAQ's AQtive Guard Discover platform addresses this challenge by providing real-time vulnerability detection and mitigation for NHIs and cryptographic assets. We'll discuss the platform's AI-driven approach to inventory, threat detection, and automated remediation, and its crucial role in helping enterprises secure their AI-driven future. To take control of your NHI security and proactively address the escalating threats posed by AI agents, visit https://securityweekly.com/sandboxaqrsac to schedule an early deployment and risk assessment. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-332

ArmorCode unveils Anya—the first agentic AI virtual security champion designed specifically for AppSec and product security teams. Anya brings together conversation and context to help AppSec, developers and security teams cut through the noise, prioritize risks, and make faster, smarter decisions across code, cloud, and infrastructure. Built into the ArmorCode ASPM Platform and backed by 25B findings, 285+ integrations, natural language intelligence, and role-aware insights, Anya turns complexity into clarity, helping teams scale securely and close the security skills gap. Anya is now generally available and included as part of the ArmorCode ASPM Platform. Visit https://securityweekly.com/armorcodersac to request a demo! As 'vibe coding", the practice of using AI tools with specialized coding LLMs to develop software, is making waves, what are the implications for security teams? How can this new way of developing applications be made secure? Or have the horses already left the stable? Segment Resources: https://www.backslash.security/press-releases/backslash-security-reveals-in-new-research-that-gpt-4-1-other-popular-llms-generate-insecure-code-unless-explicitly-prompted https://www.backslash.security/blog/vibe-securing-4-1-pillars-of-appsec-for-vibe-coding This segment is sponsored by Backslash. Visit https://securityweekly.com/backslashrsac to learn more about them! The rise of AI has largely mirrored the early days of open source software. With rapid adoption amongst developers who are trying to do more with less time, unmanaged open source AI presents serious risks to organizations. Brian Fox, CTO & Co-founder of Sonatype, will dive into the risks associated with open source AI and best practices to secure it. Segment Resources: https://www.sonatype.com/solutions/open-source-ai https://www.sonatype.com/blog/beyond-open-vs.-closed-understanding-the-spectrum-of-ai-transparency https://www.sonatype.com/resources/whitepapers/modern-development-in-ai-era This segment is sponsored by Sonatype. Visit https://securityweekly.com/sonatypersac to learn more about Sonatype's AI SCA solutions! The surge in AI agents is creating a vast new cyber attack surface with Non-Human Identities (NHIs) becoming a prime target. This segment will explore how SandboxAQ's AQtive Guard Discover platform addresses this challenge by providing real-time vulnerability detection and mitigation for NHIs and cryptographic assets. We'll discuss the platform's AI-driven approach to inventory, threat detection, and automated remediation, and its crucial role in helping enterprises secure their AI-driven future. To take control of your NHI security and proactively address the escalating threats posed by AI agents, visit https://securityweekly.com/sandboxaqrsac to schedule an early deployment and risk assessment. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-332

ArmorCode unveils Anya—the first agentic AI virtual security champion designed specifically for AppSec and product security teams. Anya brings together conversation and context to help AppSec, developers and security teams cut through the noise, prioritize risks, and make faster, smarter decisions across code, cloud, and infrastructure. Built into the ArmorCode ASPM Platform and backed by 25B findings, 285+ integrations, natural language intelligence, and role-aware insights, Anya turns complexity into clarity, helping teams scale securely and close the security skills gap. Anya is now generally available and included as part of the ArmorCode ASPM Platform. Visit https://securityweekly.com/armorcodersac to request a demo! As 'vibe coding", the practice of using AI tools with specialized coding LLMs to develop software, is making waves, what are the implications for security teams? How can this new way of developing applications be made secure? Or have the horses already left the stable? Segment Resources: https://www.backslash.security/press-releases/backslash-security-reveals-in-new-research-that-gpt-4-1-other-popular-llms-generate-insecure-code-unless-explicitly-prompted https://www.backslash.security/blog/vibe-securing-4-1-pillars-of-appsec-for-vibe-coding This segment is sponsored by Backslash. Visit https://securityweekly.com/backslashrsac to learn more about them! The rise of AI has largely mirrored the early days of open source software. With rapid adoption amongst developers who are trying to do more with less time, unmanaged open source AI presents serious risks to organizations. Brian Fox, CTO & Co-founder of Sonatype, will dive into the risks associated with open source AI and best practices to secure it. Segment Resources: https://www.sonatype.com/solutions/open-source-ai https://www.sonatype.com/blog/beyond-open-vs.-closed-understanding-the-spectrum-of-ai-transparency https://www.sonatype.com/resources/whitepapers/modern-development-in-ai-era This segment is sponsored by Sonatype. Visit https://securityweekly.com/sonatypersac to learn more about Sonatype's AI SCA solutions! The surge in AI agents is creating a vast new cyber attack surface with Non-Human Identities (NHIs) becoming a prime target. This segment will explore how SandboxAQ's AQtive Guard Discover platform addresses this challenge by providing real-time vulnerability detection and mitigation for NHIs and cryptographic assets. We'll discuss the platform's AI-driven approach to inventory, threat detection, and automated remediation, and its crucial role in helping enterprises secure their AI-driven future. To take control of your NHI security and proactively address the escalating threats posed by AI agents, visit https://securityweekly.com/sandboxaqrsac to schedule an early deployment and risk assessment. Show Notes: https://securityweekly.com/asw-332

Neste episódio, damos continuidade à série sobre Programa de Segurança de Aplicações com foco em como introduzir a modelagem de ameaças no ciclo de desenvolvimento seguro (SDL). Discutimos o momento ideal para aplicar essa prática, os principais métodos utilizados (como STRIDE e PASTA), os desafios mais comuns enfrentados pelas equipes e estratégias para integrar a modelagem de forma leve e eficiente no fluxo de desenvolvimento. Se você está estruturando ou amadurecendo seu programa de AppSec, este episódio é essencial!

During the upcoming OWASP Global AppSec EU in Barcelona, Kate Labunets, a cybersecurity researcher focused on human factors and usable security, takes the stage to confront a disconnect that too often holds the industry back: the gap between academic research and real-world cybersecurity practice.In her keynote, “Outside the Ivory Tower: Connecting Practice and Science,” Kate invites practitioners to reconsider their relationship with academic research—not as something removed from their daily reality, but as a vital tool that can lead to better decisions, more targeted security programs, and improved organizational resilience.Drawing from her current research, Kate shares how interviews and surveys with employees reveal the hidden motivations behind the use of shadow IT—tools and technologies adopted without formal approval. These aren't simply acts of rebellion or ignorance. They reflect misalignments between human behavior, workplace needs, and policy communication. By understanding these mindsets, organizations can move beyond one-size-fits-all training and begin designing interventions grounded in evidence.This is where science meets practice. Kate's work isn't about generating abstract theories. It's about applying research methods—like anonymous interviews and behavior-focused surveys—to surface insights that security leaders can act on. But for this to happen, researchers need access, and that depends on building trust with practitioners.The keynote also raises a critical point about time. In industries like medicine, the gap between a published discovery and its application in the real world can be 15 years. Kate argues that cybersecurity faces a similar delay, citing the example of multi-factor authentication: patented in 1998, but still not universally adopted today. Her goal is to accelerate this timeline by helping practitioners see themselves as contributors to science—not just consumers of its outcomes.By inviting companies to participate in research and engage with universities, Kate's message is clear: collaboration benefits everyone. The path to smarter, more human-aligned cybersecurity isn't gated behind academic walls. It's open to any team curious enough to ask better questions—and brave enough to challenge assumptions.GUEST: Kate Labunets | Assistant Professor (UD1) in Cyber Security at Utrecht University | https://www.linkedin.com/in/klabunets/HOSTS:Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine:  https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelliSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESKate's Session: https://owasp2025globalappseceu.sched.com/event/1v86U/keynote-outside-the-ivory-tower-connecting-practice-and-scienceLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference. With more types of identities, machines, and agents trying to access increasingly critical data and resources, across larger numbers of devices, organizations will be faced with managing this added complexity and identity sprawl. Now more than ever, organizations need to make sure security is not an afterthought, implementing comprehensive solutions for securing, managing, and governing both non-human and human identities across ecosystems at scale. This segment is sponsored by Okta. Visit https://securityweekly.com/oktarsac to learn more about them! At Mend.io, we believe that securing AI-powered applications requires more than just scanning for vulnerabilities in AI-generated code—it demands a comprehensive, enterprise-level strategy. While many AppSec vendors offer limited, point-in-time solutions focused solely on AI code, Mend.io takes a broader and more integrated approach. Our platform is designed to secure not just the code, but the full spectrum of AI components embedded within modern applications. By leveraging existing risk management strategies, processes, and tools, we uncover the unique risks that AI introduces—without forcing organizations to reinvent their workflows. Mend.io's solution ensures that AI security is embedded into the software development lifecycle, enabling teams to assess and mitigate risks proactively and at scale. Unlike isolated AI security startups, Mend.io delivers a single, unified platform that secures an organization's entire codebase—including its AI-driven elements. This approach maximizes efficiency, minimizes disruption, and empowers enterprises to embrace AI innovation with confidence and control. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to book a live demo! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-331

In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference. With more types of identities, machines, and agents trying to access increasingly critical data and resources, across larger numbers of devices, organizations will be faced with managing this added complexity and identity sprawl. Now more than ever, organizations need to make sure security is not an afterthought, implementing comprehensive solutions for securing, managing, and governing both non-human and human identities across ecosystems at scale. This segment is sponsored by Okta. Visit https://securityweekly.com/oktarsac to learn more about them! At Mend.io, we believe that securing AI-powered applications requires more than just scanning for vulnerabilities in AI-generated code—it demands a comprehensive, enterprise-level strategy. While many AppSec vendors offer limited, point-in-time solutions focused solely on AI code, Mend.io takes a broader and more integrated approach. Our platform is designed to secure not just the code, but the full spectrum of AI components embedded within modern applications. By leveraging existing risk management strategies, processes, and tools, we uncover the unique risks that AI introduces—without forcing organizations to reinvent their workflows. Mend.io's solution ensures that AI security is embedded into the software development lifecycle, enabling teams to assess and mitigate risks proactively and at scale. Unlike isolated AI security startups, Mend.io delivers a single, unified platform that secures an organization's entire codebase—including its AI-driven elements. This approach maximizes efficiency, minimizes disruption, and empowers enterprises to embrace AI innovation with confidence and control. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to book a live demo! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-331

In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference. With more types of identities, machines, and agents trying to access increasingly critical data and resources, across larger numbers of devices, organizations will be faced with managing this added complexity and identity sprawl. Now more than ever, organizations need to make sure security is not an afterthought, implementing comprehensive solutions for securing, managing, and governing both non-human and human identities across ecosystems at scale. This segment is sponsored by Okta. Visit https://securityweekly.com/oktarsac to learn more about them! At Mend.io, we believe that securing AI-powered applications requires more than just scanning for vulnerabilities in AI-generated code—it demands a comprehensive, enterprise-level strategy. While many AppSec vendors offer limited, point-in-time solutions focused solely on AI code, Mend.io takes a broader and more integrated approach. Our platform is designed to secure not just the code, but the full spectrum of AI components embedded within modern applications. By leveraging existing risk management strategies, processes, and tools, we uncover the unique risks that AI introduces—without forcing organizations to reinvent their workflows. Mend.io's solution ensures that AI security is embedded into the software development lifecycle, enabling teams to assess and mitigate risks proactively and at scale. Unlike isolated AI security startups, Mend.io delivers a single, unified platform that secures an organization's entire codebase—including its AI-driven elements. This approach maximizes efficiency, minimizes disruption, and empowers enterprises to embrace AI innovation with confidence and control. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to book a live demo! Show Notes: https://securityweekly.com/asw-331

In this episode, I sit with long-time vulnerability management and data science experts Jay Jacobs and Michael Roytman, who recently co-founded Empirical Security.We dive into the state of vulnerability management, including:How it is difficult to quantify and evaluate the effectiveness of vulnerability prioritization and scoring schemes, such as CVSS, EPSS, KEV, and proprietary vendor prioritization frameworks, and what can be done betterSystemic challenges include setbacks in the NIST National Vulnerability Database (NVD) program, the MITRE CVE funding fiasco, and the need for a more resilient vulnerability database and reporting ecosystem.Domain-specific considerations when it comes to vulnerability identifiers and vulnerability management, in areas such as AppSec, Cloud, and Configuration Management, and using data to make more effective decisionsThe overuse of the term “single pane of glass” and some alternativesEmpirical's innovative approach to “localized” models when it comes to vulnerability management, which takes unique organizational and environmental considerations into play, such as mitigating controls, threats, tooling, and more, and how they are experimenting with this new approach for the industry

All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Yaron Levi, CISO, Dolby. Joining us is Joey Rachid, CISO, Xerox. In this episode: It's a balancing act Choose to leave the kids' table Your team is essential Don't change CISOs midstream Huge thanks to our sponsor, Blackslash Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters “triggerable” vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration. Learn more at https://www.backslash.security/  

At OWASP AppSec Global in Barcelona, the focus is clear: building secure software with and for the community. But it's not just about code or compliance. As Avi Douglen, OWASP Foundation board member, describes it, this gathering is a “hot tub” experience in contrast to the overwhelming scale of mega conferences. It's warm, immersive, and welcoming—designed for people who want to contribute, connect, and create.OWASP is more than just another security organization. It's a community-driven foundation that enables builders, breakers, defenders, and leaders to come together in pursuit of secure product development. This year's conference reflects that same inclusive energy. Whether you're a software engineer, architect, DevOps professional, security champion, or product manager, the sessions and networking spaces are built to meet you where you are—and help you grow.Beyond the BuzzwordsUnsurprisingly, AI will have a strong presence this year. But the conversations aren't limited to hype. Two flagship OWASP projects now focus on AI and LLMs—one on securing applications that use AI, the other on building secure AI systems themselves. Talks will unpack familiar problems in new contexts, like prompt injection mirroring the dynamics of older injection vulnerabilities. In other words: the technology shifts, but the core principles remain relevant.Diverse Tracks, Real ConversationsAttendees can engage across five curated tracks: builders, breakers, defenders, managers & culture, and project showcases. Topics range from threat modeling and DevSecOps to scaling security programs and fostering team culture. A dedicated training program, including hands-on sessions in secure coding and security champions, ensures practical takeaways—not just theory.Plus, the event embraces connection. A newcomer orientation, Women in AppSec gathering, hallway chats, evening socials, and even speed mentoring sessions all contribute to a vibrant, accessible experience where everyone—from seasoned leaders to curious newcomers—can find their place.A Truly Global CommunityWith participants flying in from all corners of the world, OWASP AppSec Global lives up to its name. The conversations, relationships, and tools that emerge from this event ripple far beyond Barcelona. If you build, secure, or manage software, this is one conference where showing up matters—not just for what you'll learn, but for who you'll meet.__________________________________Guest: Avi Douglen | Global Board of Directors at OWASP Foundation & Founder and CEO at Bounce Securityhttps://www.linkedin.com/in/avidouglen/Hosts:Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine:  https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________This Episode's SponsorsManicode Security: https://itspm.ag/manicode-security-7q8i____________________________ResourcesLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spain____________________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

Dive deep into the key takeaways from RSA Conference 2025 with our expert panel! Join Ashish Rajan, James Berthoty, Chris Hughes, Tanya Janca, and Francis Odum as they dissect the biggest trends, surprises, and "hot takes" from one of the world's largest cybersecurity events.In this episode, we cover:Initial reactions and the sheer scale of RSA Conference 2025.Major themes: AI's impact on cybersecurity, especially AppSec, vendor consolidation, the evolution of runtime security, and more.The rise of AI-native applications and how they're reshaping the landscape.Deep dives into Application Security (AppSec), secure coding with AI, and the future of vulnerability management.Understanding runtime security beyond DAST and its critical role.Unexpected insights and surprising takeaways from the conference floor.Guests include:⁠Chris Hughes ⁠– CEO at Aquia & host of ⁠Resilient Cyber⁠⁠James Berthoty⁠ – Cloud and AppSec engineer, known for sharp vendor analysis and engineering-first content and ⁠Latio Tech⁠⁠Tanya Janca ⁠– Founder of ⁠ She Hacks Purple⁠Francis Odum⁠ – Founder of S⁠oftware Analyst Cyber ResearchPodcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:-⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠If you are interested in AI Cybersecurity, you can check out our sister podcast -⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ AI Cybersecurity PodcastQuestions asked:(00:00) Introduction: Unpacking the RSA Conference 2025(02:20) Meet the Experts: Panelist Introductions(03:39) RSAC First Impressions: Scale, Excitement & Attendee Numbers(07:52) Top Themes from RSA Conference 2025(16:01) AI's Evolution: Native Applications & AppSec's Transformation(33:30) Demystifying Runtime Security (Beyond DAST)(40:23) RSA Surprises & Unexpected Takeaways

When artificial intelligence can generate code, write tests, and even simulate threat models, how do we still ensure security? That's the question John Sapp Jr. and Alex Kreilein examine in this energizing conversation about trust, risk management, and the future of application security.The conversation opens with a critical concern: not just how to adopt AI securely, but how to use it responsibly. Alex underscores the importance of asking a simple question often overlooked—why do you trust this output? That mindset, he argues, is fundamental to building responsible systems, especially when models are generating code or influencing decisions at scale.Their conversation surfaces an emerging gap between automation and assurance. AI tools promise speed and performance, but that speed introduces risk if teams are too quick to assume accuracy or ignore validation. John and Alex discuss this trust gap and how the zero trust mindset—so common in network security—must now apply to AI models and agents, too.They share a key concern: technical debt is back, this time in the form of “AI security debt”—risk accumulating faster than most teams can keep up with. But it's not all gloom. They highlight real opportunities for security and development teams to reprioritize: moving away from chasing every CVE and toward higher-value work like architecture reviews and resiliency planning.The conversation then shifts to the foundation of true resilience. For Alex, resilience isn't about perfection—it's about recovery and response. He pushes for embedding threat modeling into unit testing, not just as an afterthought but as part of modern development. John emphasizes traceability and governance across the organization: ensuring the top understands what's at stake at the bottom, and vice versa.One message is clear: context matters. CVSS scores, AI outputs, scanner alerts—all of it must be interpreted through the lens of business impact. That's the art of security today.Ready to challenge your assumptions about secure AI and modern AppSec? This episode will make you question what you trust—and how you build.___________Guests: Alex Kreilein, Vice President of Product Security, Qualys | https://www.linkedin.com/in/alexkreilein/John Sapp Jr., Vice President, Information Security & CISO, Texas Mutual Insurance Company | https://www.linkedin.com/in/johnbsappjr/Hosts:Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.comMarco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com___________Episode SponsorsThreatLocker: https://itspm.ag/threatlocker-r974Akamai: https://itspm.ag/akamailbwcBlackCloak: https://itspm.ag/itspbcwebSandboxAQ: https://itspm.ag/sandboxaq-j2enArcher: https://itspm.ag/rsaarchwebDropzone AI: https://itspm.ag/dropzoneai-641ISACA: https://itspm.ag/isaca-96808ObjectFirst: https://itspm.ag/object-first-2gjlEdera: https://itspm.ag/edera-434868___________ResourcesJP Morgan Chase Open Letter: An open letter to third-party suppliers: https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliersLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass against LLMs. Not everything is genAI as we cover some secure design topics from the Airborne attack against Apple's AirPlay to more calls for companies to show how they're embracing secure design principles and practices. Apiiro CEO & Co-Founder, Idan Plotnik discusses the AI problem in AppSec. This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them! Gen AI is being adopted faster than company's policy and data security can keep up, and as LLM's become more integrated into company systems and uses leverage more AI enabled applications, they essentially become unintentional data exfiltration points. These tools do not differentiate between what data is sensitive and proprietary and what is not. This interview will examine how the rapid adoption of Gen AI is putting sensitive company data at risk, and the data security considerations and policies organizations should implement before, if, and when their employees may seek to adopt a Gen AI tools to leverage some of their undeniable workplace benefits. Customer case studies: https://www.seclore.com/resources/customer-case-studies/ Seclore Blog: https://www.seclore.com/blog/ This segment is sponsored by Seclore. Visit https://securityweekly.com/seclorersac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-329

➡ Get full visibility, risk insights, red teaming, and governance for your AI models, AI agents, RAGs, and more—so you can securely deploy AI powered applications with ul.live/mend In this episode, I speak with Bar-El Tayouri, Head of AI Security at Mend.io, about the rapidly evolving landscape of application and AI security—especially as multi-agent systems and fuzzy interfaces redefine the attack surface. We talk about: • Modern AppSec Meets AI Agents How traditional AppSec falls short when it comes to AI-era components like agents, MCP servers, system prompts, and model artifacts—and why security now depends on mapping, monitoring, and understanding this entire stack. • Threat Discovery, Simulation, and Mitigation How Mend’s AI security suite identifies unknown AI usage across an org, simulates dynamic attacks (like prompt injection via PDFs), and provides developers with precise, in-code guidance to reduce risk without slowing innovation. • Why We’re Rethinking Identity, Risk, and GovernanceWhy securing AI systems isn’t just about new threats—it’s about re-implementing old lessons: identity access, separation of duties, and system modeling. And why every CISO needs to integrate security into the dev workflow instead of relying on blunt-force blocking. Subscribe to the newsletter at:https://danielmiessler.com/subscribe Join the UL community at:https://danielmiessler.com/upgrade Follow on X:https://x.com/danielmiessler Follow on LinkedIn:https://www.linkedin.com/in/danielmiessler Chapters: 00:00 - From Game Hacking to AI Security: Barel’s Tech Journey03:51 - Why Application Security Is Still the Most Exciting Challenge04:39 - The Real AppSec Bottleneck: Prioritization, Not Detection06:25 - Explosive Growth of AI Components Inside Applications12:48 - Why MCP Servers Are a Massive Blind Spot in AI Security15:02 - Guardrails Aren’t Keeping Up With Agent Power16:15 - Why AI Security Is Maturing Faster Than Previous Tech Waves20:59 - Traditional AppSec Tools Can’t Handle AI Risk Detection26:01 - How Mend Maps, Discovers, and Simulates AI Threats34:02 - What Ideal Customers Ask For When Securing AI38:01 - Beyond Guardrails: Mend’s Guide Rails for In-Code Mitigation41:49 - Multi-Agent Systems Are the Next Security Nightmare45:47 - Final Advice for CISOs: Enable, Don’t Disable DevelopersBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass against LLMs. Not everything is genAI as we cover some secure design topics from the Airborne attack against Apple's AirPlay to more calls for companies to show how they're embracing secure design principles and practices. Apiiro CEO & Co-Founder, Idan Plotnik discusses the AI problem in AppSec. This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them! Gen AI is being adopted faster than company's policy and data security can keep up, and as LLM's become more integrated into company systems and uses leverage more AI enabled applications, they essentially become unintentional data exfiltration points. These tools do not differentiate between what data is sensitive and proprietary and what is not. This interview will examine how the rapid adoption of Gen AI is putting sensitive company data at risk, and the data security considerations and policies organizations should implement before, if, and when their employees may seek to adopt a Gen AI tools to leverage some of their undeniable workplace benefits. Customer case studies: https://www.seclore.com/resources/customer-case-studies/ Seclore Blog: https://www.seclore.com/blog/ This segment is sponsored by Seclore. Visit https://securityweekly.com/seclorersac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-329

We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass against LLMs. Not everything is genAI as we cover some secure design topics from the Airborne attack against Apple's AirPlay to more calls for companies to show how they're embracing secure design principles and practices. Apiiro CEO & Co-Founder, Idan Plotnik discusses the AI problem in AppSec. This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them! Gen AI is being adopted faster than company's policy and data security can keep up, and as LLM's become more integrated into company systems and uses leverage more AI enabled applications, they essentially become unintentional data exfiltration points. These tools do not differentiate between what data is sensitive and proprietary and what is not. This interview will examine how the rapid adoption of Gen AI is putting sensitive company data at risk, and the data security considerations and policies organizations should implement before, if, and when their employees may seek to adopt a Gen AI tools to leverage some of their undeniable workplace benefits. Customer case studies: https://www.seclore.com/resources/customer-case-studies/ Seclore Blog: https://www.seclore.com/blog/ This segment is sponsored by Seclore. Visit https://securityweekly.com/seclorersac to learn more about them! Show Notes: https://securityweekly.com/asw-329

All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is Jay Jay Davey, vp of cyber security operations, Planet.  In this episode: Aligning incentives The realities of the job Delivering ROI Holistic cybersecurity Thanks to our sponsor, Backslash Security Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters “triggerable” vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration. Learn more at www.backslash.security.

In this closing update for the day from the RSAC conference show floor, Sean Martin and Marco Ciappelli reflect on the energy, conversations, and technology shaping cybersecurity today—and what's coming next. With dozens of interviews under their belts, the duo shares what's standing out across sessions and show-floor discussions.Resilience has become a key destination, with innovation—especially around AI and quantum technologies—paving the way forward. Conversations touch on how security leaders are adjusting to new threat models, merging traditional disciplines like AppSec and DevSecOps with emerging areas such as vibe coding and container security. There's a clear sense that the dialogue has shifted: zero trust isn't just a topic; it's embedded across many conversations. AI is no longer speculative—it's embedded in discussions about GRC, automation, and security architecture.Sean brings a technical and operational lens, while Marco plans to explore the societal implications in future conversations—something noticeably less discussed this year, but still deeply relevant. With more content being edited and released over the next few days, the team invites listeners to stay tuned for articles, panels, and post-conference reflections.From San Francisco to London, Vegas, and maybe even Australia—this conversation is just getting started.___________Hosts:Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.comMarco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com___________Episode SponsorsThreatLocker: https://itspm.ag/threatlocker-r974Akamai: https://itspm.ag/akamailbwcBlackCloak: https://itspm.ag/itspbcwebSandboxAQ: https://itspm.ag/sandboxaq-j2enArcher: https://itspm.ag/rsaarchwebDropzone AI: https://itspm.ag/dropzoneai-641ISACA: https://itspm.ag/isaca-96808ObjectFirst: https://itspm.ag/object-first-2gjlEdera: https://itspm.ag/edera-434868___________ResourcesLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage___________KEYWORDSsean martin, marco ciappelli, rsac 2025, quantum, ai, grc, devsecops, zero trust, appsec, resilience, event coverage, on location, conference___________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Eric Gold, chief evangelist, BackSlash. In this episode: Start with the culture Moving AppSec to a higher level A strategy for security Maturing the basics Thanks to our sponsor, Backslash Security Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters “triggerable” vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration.  

Send us a textIn this must-listen episode of Relating to DevSecOps, Ken welcomes the ever-inspiring Tanya Janca, aka SheHacksPurple—author, AppSec expert, and champion of making security usable. Together, they dig into why so many application security policies fail, why developers ignore them, and how to make them actually work. Tanya shares real-world experiences from both dev and security perspectives, plus her journey from being ignored to lobbying governments for change.From communication failures and TL;DR policy pages to leveraging wikis and code reuse, this episode is a practical masterclass in creating impactful, developer-friendly security standards.

What if your security tools are actually slowing you down? Bright Security co-founder and CEO Gadi Bashvitz shares how their team went from AI fuzzing to reshaping the way developers tackle vulnerabilities—without drowning in false positives or compliance theater. Why AppSec hasn't kept up with how engineering works today The 60x cost of fixing bugs in production What dev-first security actually looks like in the real world How Bright is helping teams fix the right issues—faster Listen to learn how Bright Security is shifting security left—without slowing teams down. Gadi: www.linkedin.com/in/bashvitz Bright Security: www.brightsec.com Jon: www.linkedin.com/in/jon-mclachlan Sasha: www.linkedin.com/in/aliaksandr-sinkevich YSecurity: www.ysecurity.io

Episode SummaryIn this episode of The Secure Developer, Danny Allan sits down with Akira Brand, AVP of Application Security at PRA Group, to explore the evolving landscape of application security and AI. Akira shares her unconventional journey from opera to cybersecurity, discusses why AppSec is fundamentally a customer service role and breaks down how AI is reshaping security workflows. Tune in to hear insights on integrating security seamlessly into development, AI's role in secure coding, and the future of AppSec in a rapidly shifting tech landscape.Show NotesIn this engaging episode, The Secure Developer welcomes Akira Brand, AVP of Application Security at PRA Group, for an in-depth discussion on the intersection of AI and application security. Akira's unique background in opera and stage direction offers a fresh perspective on fostering collaboration in security teams and influencing organizational culture.Key Topics Covered:From Opera to AppSec: Akira shares her journey from classical music to cybersecurity and how her experience in stage direction translates into leading security teams.AppSec as a Customer Service Role: The importance of serving software engineers by providing security solutions that fit seamlessly into their workflows.The ‘Give Them the Pickle' Approach: How meeting developers where they are and educating them can lead to better security adoption.AI's Role in Secure Development: How AI-driven tools are transforming the way security is integrated into the software development lifecycle.Challenges in Security Culture: Why security is still an afterthought in many development processes and how to change that mindset.Future of AI in Security: The promise and risks of AI-assisted security tools and the need for standards to keep pace with rapid technological advancements.LinksPRA GroupTuring SchoolBrian HoltFrontend MastersResiliaSnyk - The Developer Security Company Follow UsOur WebsiteOur LinkedIn

In this episode, we sit down with the Co-Founder and CPO of Seemplicity, Ravid Circus, to discuss tackling the prioritization crisis in cybersecurity and how AI is changing vulnerability management.We dove into a lot of great topics, including:The massive challenge of not just finding and managing vulnerabilities but also remediation, with Seemplicity's Year in Review report finding organizations face 48.6 million vulnerabilities annually and only 1.7% of them are critical. That still means hundreds of thousands to millions of vulnerabilities need to be remedied - and organizations struggle with this, even with the context of what to prioritize.There's a lot of excitement around AI in Cyber, including in GRC, SecOps, and, of course, AppSec and vulnerability management. How do you discern between what is hype and what can provide real outcomes?What practical steps can teams take to bridge the gap between AI's ability to find problems and security teams' ability to fix them?One of the major issues is determining who is responsible for fixing findings in the space of Remediation Operations, where Seemplicity specializes. Ravid talks about how, both technically and culturally, Seemplicity addresses this challenge of finding the fixer.What lies ahead for Seemplicity this year with RSA and beyond

In this episode, we sit down with Varun Badhwar, Founder and CEO of Endor Labs, to discuss the state of AI for AppSec and move beyond the buzzwords. We discussed the rapid adoption of AI-driven development, its implications for AppSec, and how AppSec can leverage AI to address longstanding challenges and mitigate organizational risks at scale.Varun and I dove into a lot of great topics, such as:The rise of GenAI and LLMs and their broad implications on CybersecurityThe dominant use case of AI-driven development with Copilots and LLM written code, leading to a Developer productivity boost. AppSec has struggled to keep up historically, with vulnerability backlogs getting out of control. What will the future look like now?Studies show that AI-driven development and Copilots don't inherently produce secure code, and frontier models are primarily trained on open source software, which has vulnerabilities and other risks. What are the implications of this for AppSec?How can AppSec and Cyber leverage AI and agentic workflows to address systemic security challenges? Developers and attackers are both early adopters of this technology.Navigating vulnerability prioritization, dealing with insecure design decisions and addressing factors such as transitive dependencies.The importance of integrating with developer workflows, reducing cognitive disruption and avoiding imposing a “Developer Tax” with legacy processes and tooling from security.

In this episode, we sit down with David Melamed and Shai Horovitz of the Jit team. We discussed Agentic AI for AppSec and how security teams use it to get real work done.We covered a lot of key topics, including:What some of the systemic problems facing AppSec are, even before the widespread adoption of AI, such as vulnerability prioritization, security technical debt and being outnumbered exponentially by Developers.The surge of interest and investment in AI and agentic workflows for AppSec, and why AppSec is an appealing space for this sort of investment and excitement.How the prior wave of AppSec tooling was focused on findings problems, riding the wave of shift left but how this has led to alert fatigue and overload, and how the next-era of AppSec tools will need to focus on not just finding but actually fixing problems.Some of the unique capabilities and features the Jit team has been working on, such as purpose-built agents in areas such as SecOps, AppSec and Compliance, as well as context-graphs with organizational insights to drive effective remediation.The role of Agentic AI and how it will help tackle some of the systemic challenges in the AppSec industry.Addressing concerns around privacy and security when using AI, by leveraging offerings from CSPs and integrating guardrails and controls to mitigate risks.

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-324

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Show Notes: https://securityweekly.com/asw-324

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-324

The cloud security landscape may have just shifted — and we're here to break it down.In this special panel episode, host Ashish Rajan is joined by an all-star group of cloud and cybersecurity experts to discuss one of the most important conversations in cloud security today: the changing nature of security architecture, SOC readiness, and how teams must evolve in a multi-cloud world.Guests include:Chris Hughes – CEO at Acqui & host of Resilient CyberJames Berthoty – Cloud and AppSec engineer, known for sharp vendor analysis and engineering-first content and Latio TechMike Privette – Founder of Return on Security, expert in cybersecurity economicsFrancis Odum – Founder of Software Analyst Cyber ResearchWe Cover:Why cloud security is now beyond CSPM and CNAPPThe impact of major market moves on enterprise cloud strategyWhat vendor lock-in really means in a multi-cloud eraHow runtime and real-time security are taking center stageThe rise of AI-SPM and AI-powered SOCsWhat CISOs and practitioners should actually be doing nowGuest Socials: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠David's Linkedin⁠Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:-⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠If you are interested in AI Cybersecurity, you can check out our sister podcast -⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ AI Cybersecurity PodcastQuestions asked:(00:00) Introduction(02:05) A bit about our panelists(04:24) Current Cloud Security Landscape(09:36) Challenges with Multi-Cloud Security(18:06) Runtime Security for Cloud(23:34) Can SOC deal with CNAPP Alerts(26:23) CISO planning their cybersecurity program(32:38) Regulatory requirements in public sector(36:27) Success Metrics for Modern Cloud Security Program

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans. Segment resources: https://securing.dev/posts/ai-security-reasoning-and-bias/ https://seclists.org/dailydave/2025/q1/0 https://arxiv.org/pdf/2409.16165 https://arxiv.org/pdf/2410.05229 https://nicholas.carlini.com/writing/2025/thoughts-on-future-ai.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-323

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans. Segment resources: https://securing.dev/posts/ai-security-reasoning-and-bias/ https://seclists.org/dailydave/2025/q1/0 https://arxiv.org/pdf/2409.16165 https://arxiv.org/pdf/2410.05229 https://nicholas.carlini.com/writing/2025/thoughts-on-future-ai.html Show Notes: https://securityweekly.com/asw-323

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans. Segment resources: https://securing.dev/posts/ai-security-reasoning-and-bias/ https://seclists.org/dailydave/2025/q1/0 https://arxiv.org/pdf/2409.16165 https://arxiv.org/pdf/2410.05229 https://nicholas.carlini.com/writing/2025/thoughts-on-future-ai.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-323

In this episode, we sit down with Investor, Advisor, Board Member, and Cybersecurity Leader Chenxi Wang to discuss the interaction of AI and Cybersecurity, what Agentic AI means for Services-as-a-Software, as well as security in the boardroomChenxi and I covered a lot of ground, including:When we discuss AI for Cybersecurity, it is usually divided into two categories: AI for Cybersecurity and Securing AI. Chenxi and I walk through the potential for each and which one she finds more interesting at the moment.Chenxi believes LLMs are fundamentally changing the nature of software development, and the industry's current state seems to support that. We discussed what this means for Developers and the cybersecurity implications when LLMs and Copilots create the majority of code and applications.LLMs and GenAI are currently being applied to various cybersecurity areas, such as SecOps, GRC, and AppSec. Chenxi and I unpack which areas AI may have the greatest impact on and the areas we see the most investment and innovation in currently.As mentioned above, there is also the need to secure AI itself, which introduces new attack vectors, such as supply chain attacks, model poisoning, prompt injection, and more. We cover how organizations are currently dealing with these new attack vectors and the potential risks.The biggest buzz of 2025 (and beyond) is Agentic AI or AI Agents, and their potential to disrupt traditional services work represents an outsized portion of cybersecurity spending and revenue. Chenxi envisions a future where Agentic AI and Services-as-a-Software may change what cyber services look like and how cyber activities are conducted within an organization.If you aren't already following Chenxi Wang on LinkedIn, I strongly recommend you do. I have a lot of connections, but she is someone when I see a post, I am sure to stop and read because she shares a TON of great insights from the boardroom, investment, cyber, startups, AI, and more.I'm thankful to have her on the show to come chat!

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-321

Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and admires, doing only work he finds fulfilling, and controlling when he works. He shares valuable lessons learned about which post-retirement opportunities truly bring satisfaction and explains why he avoids certain roles. Routh emphasizes the importance of cybersecurity professionals taking ownership of their career development, recommending they focus on developing two specific skills annually rather than using tenure to guide career moves. The article written by Jim, published on LinkedIn:CISO Transition Check out previous episodes with Jim:Jim's original AppSec podcast episode is our #1 listened to of all time.Jim Routh -- Selling #AppSec Up The ChainAnd Jim Routh — Secure Software PipelinesFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~