Interview: The Soft Skills of AppSec (S01E11)

We are joined by Deidre Diamond, Founder and CEO of @cyber_sn and the Founder of @brain_babe. We discuss employment in the world of application security. We also dive deep into soft skills, exploring why they are foundational in the workforce. Deidre explains the benefits of win-win conversation, how words and common language connect, and how to have fun, compassion, love, integrity and productivity all in one at work.

This is the mid-point of our first season of the AppSec Podcast. We’ll take next week off, and then come back with nine more episodes that drive us to the end of Season 1. Stay tuned!

Interview: PASTA: Not Just for Breakfast Anymore (S01E10)

This is our third interview from ISC2 Security Congress. We are joined by Tony UcedaVelez, or TonyUV, founder and CEO of VerSprite – a global security consulting firm based in Atlanta, GA. Tony leads the OWASP Atlanta Chapter and BSides Atlanta.

This is a deep dive into Tony’s experience with threat modeling. We explore the PASTA methodology he created.

Interview: An Inner Glimpse of the Microsoft SDL (S01E09)

This is our second interview from ISC2 Security Congress. We are joined by Glenn Leifheit (@gleifhe), an InfoSec and Development Evangelist at Microsoft. Microsoft is the grandparent to almost every secure development lifecycle across the industry.

This is an in-depth discussion about how to actually do SDL. Glenn shares some things during this conversation that I’ve never heard in public before about the internals of Microsoft’s SDL process. You will take something away from this conversation that you can apply to your program.

Enjoy!

Interview: Security Must Meet the Needs of the Business (S01E08)

Robert and I are joined by Mike Landeck. Mike is a cybersecurity evangelist, AppSec junkie and Docker security geek, and can be found on Twitter @MikeLandeck.

We interviewed Mike in person at the ISC2 Security Congress event in Orlando, Florida. We discussed his latest talk on breach fatigue, the need to reach outside the echo chamber of security, Twitter as a news source for security, secure coding, and a bunch of other things.

Please enjoy, and search for something you can apply directly into your day to day life!

Foundations: Web Application Pen Testing – Part 2 (S01E07)

On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about web app penetration testing. In part two, we focus on the process of pen testing and web app pen testing.

I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in the security field for over 10 years, with most of that time focused on application security. He spent two years as a full-time consultant at Cigital, and is now doing independent appsec consulting through his company, Enigma Technologies. We hope you enjoy!

Foundations: Web Application Pen Testing – Part 1 (S01E06)

On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about web app penetration testing. In part one, we focus on the difference between pen testing and web app pen testing, where pen testing fits in your development methodology (waterfall, Agile, and DevOps), and why someone should care about it.

I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in the security field for over 10 years, with most of that time focused on application security. He spent two years as a full-time consultant at Cigital, and is now doing independent appsec consulting through his company, Enigma Technologies. We hope you enjoy!

Foundations: Development Security Maturity (S01E05)

Robert and I are joined today by Matt Clapham. Matt “makes products more secure”, I mean, hey, his Twitter handle is @ProdSec.

The topic of this interview is what Matt calls development security maturity. This concept is based on Matt’s research and also a talk he delivered at RSA. Matt created a simple process to measure the maturity of development security by looking at 5 key behaviors. We cover the what and why of development security, the 5 key behaviors, and scoring and reporting. As a conclusion, we discuss how to make the results of an assessment actionable.

Matt’s RSA slides are a great resource to review in conjunction with the interview: str-w05-estimating-development-security-maturity-in-about-an-hour-final.pdf

Bio: Matt Clapham makes products more secure. His career is a rare blend of both product development and enterprise operations. He is currently a Principal of Product Development Security at GE Healthcare. Matt previously worked as a Software Tester, IT Policy Author, and Security Advisor to all things games at Microsoft. He is quite familiar with security foibles of the Industrial Device Internet of Things and how to overcome them. Matt is a frequent speaker and author of magazine articles on IT, security, games or some combination thereof. He holds degrees in engineering and music from the University of Michigan.

Foundations: Privacy and Data Protection (S01E04)

Welcome to the first of many interviews on the #AppSec Podcast. In this episode, Robert and I interview Elena Elkina (@el0chka) on the subject of privacy. We cover the foundations of privacy, data protection, and customer data protection. This is a quick chat at around 20 minutes; in the future we’ll do a deeper dive on the crossroads of security and privacy.

Elena is a Senior Global Privacy & Data Protection Management Executive. She has worked with financial and healthcare institutions, software and internet companies, major law firms, and the government sector on both international and domestic levels. She is the co-founder of Women in Security and Privacy, a non-profit organization that focuses on advancing women in security and privacy. She is also a board member for Leading Women in Technology, a non-profit organization dedicated to unlocking the potential of female professionals who advise technology businesses.

We hope you enjoy this conversation with Elena about privacy and data protection!

Foundations: Security in the Methodology (S01E03)

On this episode we talk product development methodologies and the impact of security. We explore how to apply security activities to waterfall and Agile, and discuss the pros and cons. We’ve both had experience in these methodologies, and freely share what we’ve seen work and what we’ve seen fail. This applies whether you are brand new to security or have been doing security for decades. If you have anything to add, share your wisdom by catching us @AppSecPodcast on Twitter!

Foundations: The Activities of the Secure Development Lifecycle (S01E02)

On this episode of the Application Security PodCast we continue our journey through the foundations of application security. We explore the activities of the secure development life cycle. We cover requirements, secure design, secure coding, third-party software, static analysis, vulnerability scanning, and a few other things.