
The Elephant in AppSec

Latest episode

Available episodes

5 of 73
  • Why SAP Security Can be a Hidden Weakness for Enterprises with Oumaima Baira
    Today, I’m joined by Oumaima Baira, Director of Enterprise Security at Deloitte. With nearly a decade of experience, she’s helped organizations strengthen their defenses, from DevSecOps and SAP application security to enterprise-wide security strategy. She began her career in cloud engineering before moving into cyber consulting, and quickly rose through Deloitte’s leadership ranks, blending deep technical expertise with strategic vision.
    Beyond her professional roles, Oumaima is an active member of the cybersecurity community. She often takes part in OWASP France chapter meetups, where we met, and international OWASP and cyber events, sharing insights and learning from peers. She’s also a passionate advocate for women in cybersecurity, inspiring the next generation of cyber leaders to step confidently into the field.
    In this episode, we explore the unique challenges and security risks of SAP systems, a business management and automation platform relied on by countless global organizations. We discuss why understanding business logic is critical to application security, and why this is especially important when it comes to securing SAP. Oumaima also shares her perspective on global differences in security maturity and offers practical advice on preparing for crisis management with efficiency.
    Dive right in!
    Duration: 36:57
  • Latin America’s AppSec Culture: What’s Lost (and Found) in Translation?
    Today, I’m joined by Max Alejandro Gómez-Sánchez Vergaray, Defensive Cybersecurity Manager at Banco de Crédito BCP. With a background in software engineering, Max transitioned into AppSec and has become a leading voice in promoting DevSecOps awareness and building robust AppSec programs using SAMM across Latin America and beyond. He actively contributes to OWASP projects like Cornucopia and regularly offers free workshops in Spanish on secure design for digital products. If you’d like to join a future session, check out the link below!
    In this episode, we dive into AppSec in Latin America, with a focus on Peru’s unique cybercrime laws and their impact on security awareness. Max shares insights on the cultural challenges in cybersecurity training, the complexities of translating frameworks like Cornucopia, and what can get lost in translation. We also explore building connections in remote teams and what global developers can learn from Latin America’s approach.
    Dive right in!
    Duration: 37:27
  • OWASP SAMM vs BSIMM: Which Maturity Model Reigns Supreme?
    Today, I'm joined by Nariman Aga-Tagiyev, a seasoned cybersecurity architect and threat modeling coach, bringing over two decades of experience in the software development industry. As the founder of SecureHabits, he’s on a mission to help software manufacturers mature their secure software development lifecycle.
    Nariman is a familiar face at OWASP Netherlands Chapter events and an active contributor to projects like OWASP SAMM and the Security Champions Maturity Model. His work bridges the gap between theory and practice, empowering teams to build security into their culture, not just their code.
    In this episode, we dive into a memorable "battle" Nariman had at the RSA conference, where he argued both sides of the SAMM vs. BSIMM debate, mostly with himself, after BSIMM expert Caroline Wong couldn’t attend. We also explore why organizations often skip the foundational steps before rushing to buy security tools, why true maturity is so rare, and what new regulatory frameworks like the Cyber Resilience Act mean for businesses in the EU.
    Dive right in!
    Duration: 46:26
  • Security Culture: When Are We Really Creating Change? with Marisa Fagan
    Today, I'm joined by Marisa Fagan, a lifelong community builder and security culture enthusiast. As the Head of Product at Katilyst, Marisa leads the development of security champion programs that empower Security Champions to drive cultural change.
    Previously, she served as Head of Trust Culture & Training at Atlassian and has managed security programs at Synopsys, Salesforce, and Meta. Marisa is also an active contributor to the OWASP Security Champions guide.
    In this episode, we'll dive into some of the questions Marisa didn’t have time to cover in her talk at BSides San Francisco. We'll also explore how security culture programs must be tailored to different teams to succeed, how to reboot struggling programs (often caused by disengaging training content), and why passion often outweighs technical skills for roles like these.
    Dive right in! And check out: https://www.katilyst.com/top10blunders
    Duration: 35:13
  • Security Wins Only When Institutionalized – Here’s Why! | Kevan Bard
    Today, I'm joined by Kevan Bard, Director of Product Security at Morningstar. With 20 years of experience in information security, Kevan has helped shape security practices across various organizations. He’s passionate about building blue team careers, with a focus on recruiting, mentoring, and staff development.
    When not busy cultivating kaizen, emotional intelligence, secure coding practices, and data privacy principles, Kevan enjoys building community and capturing the world through his lens.
    In this episode, we explore why security needs to be institutionalized to win, and how the role of Product Managers should evolve to integrate security into their processes. We’ll also discuss why storytelling is crucial in security education, and why the term ASPM is overrated, particularly because its true value isn’t being marketed effectively, especially in one-pagers that focus too heavily on bold claims.
    Duration: 43:59


About The Elephant in AppSec

Time to discuss AppSec issues no one talks about.

v7.23.9 | © 2007-2025 radio.de GmbH
Generated: 9/18/2025 - 3:08:48 PM