AI Security: Do You Need a Dedicated Vendor? | Insights with James Berthoty
Welcome to Season 4 of The Elephant in AppSec! Get ready for a season packed with even spicier takes! Today's episode features none other than James Berthoty, a security engineer turned founder and CEO of Latio. James is always ready to share his unfiltered opinions, and I’ve had the pleasure of chatting with him for the last couple of years. Over the past few months there have been a lot of discussions around AI security, and I invited him on the show before his new report even hit the public to discuss his thoughts on this very hot topic.

In today's conversation, James unpacks why we’re seeing an executive push for AI solutions, and why practitioners should proceed with caution. He also shares why most people probably don’t need an AI security vendor, and some stories about the pushback he received after publishing his report. Plus, we’ll talk about why we, as an industry, need to stay grounded in our approach to AI in security.

Dive right in!
--------
45:43
Why AppSec isn’t just for tech — Surprising Insights ⎜ Olga Dzięgielewska
Today, I’m joined by Olga Dzięgielewska, Senior Manager of InfoSec Application Security at Philip Morris International. With over 10 years of experience in secure code reviews, a PhD in IT Security, and now leading global AppSec teams, Olga specializes in secure development practices, IT assurance, ethical hacking, API security and SAP security, driving security initiatives across multiple international locations.

In this episode, we tackle common misconceptions about application security and explore the unique challenges faced by the manufacturing sector compared to tech companies. We also discuss how to ensure a seamless digital transformation, the role of cultural differences in communication and decision-making, and of course, the ever-present issue of supply chain security.

Dive right in!

Connect with Olga: https://www.linkedin.com/in/olusia/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
--------
39:23
Are Traditional WAFs Dead? The Impact of OpenAPI Specs on Web Security with Nathan Byrd
Today, I’m joined by Nathan Byrd, a Principal AppSec Architect at Applied Systems. Nathan’s journey is truly unique: before joining Applied Systems, he spent an impressive 24 years at Mastercard, where he rose from software engineer to Principal AppSec Architect. That’s the longest tenure we’ve seen from anyone on the podcast!

Nathan is passionate about building things, whether it’s his early days as an internet fan, building projects with the Raspberry Pi Pico, or more recently creating OAShield (pronounced "away shield"). This open-source project generates WAF config files from OpenAPI specs, and we dive into it during today’s conversation.

In this conversation, we explore whether traditional WAFs are becoming obsolete in the age of OpenAPI specs, how to keep those specs accurate, and why adopting a top-down approach to API specifications is key to enhancing security. Nathan also provides valuable advice for aspiring developers passionate about security and explains how he believes AI will play a transformative role in shaping the future of AppSec.

Dive right in!
--------
40:45
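The WAF-from-OpenAPI idea Nathan's OAShield is built on is a positive-security model: only the methods and paths the spec describes are allowed, everything else is denied. The script below is an added illustration of that model and is not OAShield's code or output. It takes a small OpenAPI 3 document constructed for this example (`SAMPLE_SPEC`, not a real API), turns each path template into a regex constrained by the declared path-parameter schemas, and checks requests against the resulting allowlist. The function names (`build_allowlist`, `is_allowed`, `render_rules`) are this example's own, and the `ALLOW` lines it renders are a vendor-neutral intermediate form; translating them into a particular WAF's rule syntax is the step a real generator adds.

```python
"""Derive a positive-security (allowlist) model from an OpenAPI 3 document.

Added example, not OAShield's code. SAMPLE_SPEC is a constructed document,
not a real API; the rule format is a vendor-neutral placeholder.
"""
import re
from typing import List, Tuple

# Constructed sample spec: only the parts a path/method allowlist needs.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {
            "parameters": [
                {"name": "id", "in": "path", "required": True,
                 "schema": {"type": "integer"}},
            ],
            "get": {},
            "delete": {},
        },
        "/files/{name}": {
            "parameters": [
                {"name": "name", "in": "path", "required": True,
                 "schema": {"type": "string", "pattern": "^[a-z0-9_]+$"}},
            ],
            "get": {},
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Regex fragment for a path parameter, chosen from its JSON-schema type.
TYPE_PATTERNS = {
    "integer": r"[0-9]+",
    "number": r"[0-9]+(?:\.[0-9]+)?",
    "boolean": r"(?:true|false)",
    "string": r"[^/]+",
}


def _param_pattern(param: dict) -> str:
    """Regex fragment for one path parameter; a schema 'pattern' wins over type."""
    schema = param.get("schema", {})
    pattern = schema.get("pattern")
    if pattern:
        # Simplification: strip outer anchors because the fragment is embedded
        # in a larger anchored regex. Patterns with internal anchors need more care.
        return "(?:" + pattern.strip("^$") + ")"
    return TYPE_PATTERNS.get(schema.get("type", "string"), r"[^/]+")


def path_to_regex(template: str, params: List[dict]) -> str:
    """Turn '/users/{id}' plus its parameter schemas into an anchored regex."""
    by_name = {p["name"]: p for p in params if p.get("in") == "path"}
    out, pos = "^", 0
    for m in re.finditer(r"\{([^/}]+)\}", template):
        out += re.escape(template[pos:m.start()])      # literal segment
        out += _param_pattern(by_name.get(m.group(1), {}))
        pos = m.end()
    return out + re.escape(template[pos:]) + "$"


def build_allowlist(spec: dict) -> List[Tuple[str, str]]:
    """One (METHOD, regex) rule per operation declared in the spec."""
    rules = []
    for template, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])           # path-level parameters
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = shared + (op.get("parameters", []) if isinstance(op, dict) else [])
            rules.append((method.upper(), path_to_regex(template, params)))
    return rules


def is_allowed(rules: List[Tuple[str, str]], method: str, path: str) -> bool:
    """Positive model: a request is allowed only if some rule describes it."""
    path = path.split("?", 1)[0]                       # query string is not part of the route
    if ".." in path.split("/"):                        # reject traversal segments outright
        return False
    m = method.upper()
    return any(m == rm and re.match(rx, path) for rm, rx in rules)


def render_rules(rules: List[Tuple[str, str]]) -> str:
    """Vendor-neutral text form; a real generator would emit WAF-specific syntax here."""
    return "\n".join(f"ALLOW {m} {rx}" for m, rx in rules)


RULES = build_allowlist(SAMPLE_SPEC)

if __name__ == "__main__":
    print(render_rules(RULES))
```

Note the failure mode this makes visible: because anything the spec does not describe is denied, an endpoint that ships without being added to the spec is blocked in production. That is why keeping the spec accurate, and treating it as the source of truth that code follows rather than a document written after the fact, matters as much as the generator itself.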
Finding AppSec tools that developers love — is it possible? with Linda Fay
Today I’m joined by Linda Fay, a seasoned leader in Application Security with over 13 years of experience. She’s led large-scale security programs, most recently as Director of Product Security Engineering, where she secured thousands of applications and delivered major cost savings. Now working as an independent consultant, she helps organizations improve their AppSec posture and explore the intersection of AI and security. Linda also leads the OWASP Nashville chapter and is deeply involved with WiCyS, mentoring the next generation of women in cybersecurity.

In this episode, we dive into whether it’s possible to find AppSec tools that developers actually like, regardless of their acronyms, and how the rapid rise of AI is reshaping security tooling. Linda also shares her experience justifying security budgets in the absence of compliance mandates, and how she managed to save over $600K annually by streamlining AppSec tools.

Dive right in!

Connect with Linda: https://www.linkedin.com/in/faylinda/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
--------
32:05
What Most Security Teams Miss: An Engineering Manager’s Take on AppSec with Desmond Lamptey
Today’s episode is a special one. I’m joined by Desmond Lamptey, a Software Engineering Manager at a large financial organization.

I first came across Desmond during his talk on API Security at APIDays Paris, and honestly, it was one of the best talks I’ve seen. Not only because of the insights, but also the dad jokes. That talk made me curious: what drives a seasoned engineer like Desmond to speak about security with such passion? And more importantly, what does he think security teams get wrong when it comes to their collaboration with teams like his?

With over a decade of technical experience and a Certified Ethical Hacker certification under his belt, Desmond regularly shares his knowledge through public speaking and brings a unique developer’s perspective to security.

In this episode, we dive into his path to becoming a security champion, the challenges of engaging developers in security conversations, why he’d change the way security teams label vulnerabilities for developers, and how gamifying security education can help close the gap between devs and security teams.

Dive right in!