The Elephant in AppSec

Available episodes: 5 of 56
  • Security IDE Plugins: Can They Really Boost Your Coding Security? ⎜Jamie Scott
    Today, I'm joined by Jamie Scott, a recovering cybersecurity practitioner turned founding product manager at Endor Labs. Previously, Jamie served as Product Manager of Security at Redis, where he was an active open-source contributor, and as DevSecOps Manager at Cygna Healthcare. Jamie is also a Certified Information Systems & Cloud Security Professional and continues to contribute to the cybersecurity community. He co-authored several benchmarks and volunteers as a consultant for the Center for Internet Security.
    In this episode, we dive into the topic of IDE plugins: do they help you boost your coding security, or are they just hopeful thinking? Jamie has firsthand experience trying to roll out an IDE security program in his career and shares his perspective, leaning more towards the “hopium” side of things. He’s observed that developers often don't proactively use them, which raises the question—are these tools really effective?
    Dive right in!
    Connect with Jamie: https://www.linkedin.com/in/james-m-scott-iii/
    Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
    This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
    Mentioned:
    CIS Benchmark for NGINX: https://www.cisecurity.org/benchmark/nginx
    The Challenger Sale: Taking Control of the Customer Conversation: https://www.amazon.com/Challenger-Sale-Control-Customer-Conversation/dp/1591844355
    Shannon Lietz (DevSecOps Lead at Intuit) Keynote in 2016: https://www.youtube.com/watch?v=ru11MSYPBBQ
    --------  
    40:32
  • DAST Tools: Can We Change the AppSec Community Perception? with Chris Lindsey
    Today, I’m joined by Chris Lindsey, who, at the time of recording, was an AppSec Evangelist at Mend. Formerly an AppSec Architect, Chris brings over 15 years of direct security experience and more than 35 years of leadership in programming, software, solutions, and security architecture. For several years, Chris built and led an entire application security program, including oversight of security processes, procedures, tools, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis. Chris is also a seasoned speaker and the host of the Secrets of AppSec Champions podcast.
    In this episode, we discuss why many still view DAST as a checkbox rather than a critical component of security—and how that perspective is changing, especially with the rise of modern DAST tools. We’ll also explore how to strategically integrate DAST with other tools in your AppSec program.
    If you agree with Chris that we need to stop treating DAST like a dessert, this episode is for you.
    Dive right in!
    This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
    Mentioned:
    Chris’ article on DAST: https://www.mend.io/blog/dont-treat-dast-like-dessert/
    Alexandra’s interviews with AppSec engineers, “What’s wrong with the current state of DAST”: https://escape.tech/blog/what-is-wrong-with-the-current-state-of-dast-feedback-from-my-conversations-with-appsec-engineers/
    The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win: https://www.amazon.com/-/en/Gene-Kim/dp/0988262592
    Secrets of AppSec Champions: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7
    --------  
    40:25
  • Secure Coding — Can we make it happen? with Tanya Janca
    Today, I’m joined by someone many of you will instantly recognize — Tanya Janca, also known as She Hacks Purple and a key community leader at Semgrep. With nearly three decades in IT, Tanya has earned countless awards, including OWASP Lifetime Distinguished Member and Hacker of the Year. She’s spoken on stages around the world and trained thousands of software developers and security professionals along the way. Her first book was one of the earliest I read on application security — and honestly, her work gets mentioned more than almost anyone else’s by guests, season after season.
    Now, with the release of her latest book on secure coding, we dive into a big question: Can we actually expect developers to write secure code? And if so, how do we make secure coding a foundational part of education — not an afterthought? We explore the challenges, the role of governments in promoting security standards, and the mindset shifts needed to get there.
    We also touch on Tanya’s passion for community, and how genuinely useful content (which isn’t always a given in security) can make all the difference in helping others learn and grow in AppSec.
    And with that, get ready to hear Tanya’s opinions. Dive right in!
    --------  
    41:22
  • How Psychology Really Shapes AppSec Wins & Fails ⎢ Curtis Koenig
    Today, I’m joined by Curtis Koenig, a seasoned application security leader managing AppSec programs for global brands. At Gen Inc., he secures all products through CI/CD integration, secure coding, and a bug bounty program. Previously, at Booking.com and Snap Inc., he scaled security operations, enhanced authentication systems, and streamlined compliance processes. With expertise in secure development and threat modeling, Curtis is a recognized authority in enterprise application security.
    In this episode, we explore how insights from neuroscience align with the decisions developers and security professionals make about securing applications. We also discuss how storytelling through metrics can reduce panic, drive software quality, and foster stronger team dynamics.
    If you’re looking to learn how an experienced AppSec leader ensures his team’s success through psychology, this episode is for you.
    Dive right in!
    Connect with Curtis: https://www.linkedin.com/in/curtisko/
    Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
    This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic
    Mentioned:
    Intent based leadership | David Marquet: https://www.youtube.com/watch?v=nzynH2BmoJM
    The Tangled Web: A Guide to Securing Modern Web Applications: https://www.amazon.fr/Tangled-Web-Securing-Modern-Applications/dp/1593273886
    Writing Secure Code, Second Edition by Michael Howard and David LeBlanc: https://www.amazon.com/Writing-Secure-Second-Developer-Practices/dp/0735617228
    Crucial Confrontations: Tools for Resolving Broken Promises, Violated Expectations, and Bad Behavior: https://www.amazon.com/Crucial-Confrontations-Resolving-Promises-Expectations/dp/0071446524
    “Meditations” by Marcus Aurelius: https://www.amazon.com/Meditations-Marcus-Aurelius/dp/1503280462
    --------  
    50:25
  • The Open Source Security Crisis: Is Trust the Weakest Link in Supply Chain? with François Proulx
    Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
    Today, I’m joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement. He’s also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out on GitHub and give it a star! François is a frequent speaker and one of the founders of the NorthSec conference, where he also serves as a challenge designer for the CTF.
    In this episode, we dive into the critical topic of supply chain insider threats in open source projects. We discuss the importance of the “trust, but verify” mantra and how the transition from a single maintainer to a team can increase security risks.
    If you’re wondering about the future of automated security checks on platforms like GitHub, and the specific vulnerabilities in build pipelines, this episode is for you.
    And with that, get ready to hear François’s opinions. Dive right in!
    Connect with François: https://www.linkedin.com/in/francoisp/
    Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
    This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
    Mentioned:
    Article “Opening the Pandora’s Box: Supply Chain Insider Threats in Open Source Projects”: https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-threats-in-oss-projects
    Russ Cox at ACM SCORED: Open Source Supply Chain Security at Google: https://www.youtube.com/watch?v=6H-V-0oQvCA
    DEF CON 32 - Grand Theft Actions: Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski: https://www.youtube.com/watch?v=5P7KatZBr_I
    NorthSec 2024 talk “Under the Radar: 0-days in the Build Pipeline”: https://www.youtube.com/watch?v=4nfsTPEOzHA
    NorthSec conference: https://nsec.io/fr/
    Poutine security scanner, which detects misconfigurations and vulnerabilities in the build pipelines of a repository: https://github.com/boostsecurityio/poutine
    Dependabot: https://github.com/dependabot
    BoostSecurity ASPM Platform: boostsecurity.io
    --------  
    44:49


About The Elephant in AppSec

Time to discuss AppSec issues no one talks about.
