
The Elephant in AppSec

Latest episode

Available episodes

5 of 80
  • Why AppSec Is Breaking: Vibe Coding, DevSecOps Backlogs & the New OWASP Top 10 (with Tanya Janca)
    Today, I’m joined once again by Tanya Janca for her second appearance on the podcast. Her first episode was a hit, so we figured: why not record another? And the timing couldn’t be better, as Tanya has just embarked on a brand-new chapter in her career this year. In our first conversation, I highlighted many of Tanya’s accomplishments, and she’s only added to the list since then. Most notably, she’s been deeply involved in shaping key components of the newly released OWASP Top 10. In this episode, we dive into the initiatives she’s focusing on in her new solo journey, why she decided to join the OWASP Top 10 team, her mission to create a developer-focused awareness document, and even the unexpected difficulty of naming vulnerabilities for the final list. We also chat about her take on why DevSecOps has started to lose some of its shine, something she’ll be discussing further at the upcoming Elephant in AppSec conference. Dive right in!
    51:09
  • Secure by Design: Who’s Really Responsible? with Abhijeth Dugginapeddi
    Today on the show, I’m joined by Abhijeth Dugginapeddi, Director of Offensive Security at Palo Alto Networks. Before this, he built and led product and cloud security at BigCommerce, and worked on application security at Commonwealth Bank and Adobe. Abhijeth is deeply passionate about giving back to the community. He’s taught advanced web application security at UNSW, mentored through multiple outreach programs, and recently launched his first LinkedIn Learning course, “Practical Secure by Design”. He’s also been recognised in the Hall of Fame at companies like Google, Yahoo, and others for uncovering serious vulnerabilities across their platforms. In this episode, we get into the idea and the principles of secure by design, who should own it, and why security culture matters so much. We also talk about IPO readiness from a security perspective, and the real-world challenges startups face when trying to build security in. Dive right in!
    43:24
  • Why Gaming Security Needs Creativity with Xavi Bertomeu
    Today, I’m joined by Xavi Bertomeu, Product Security Director at Scopely. With over a decade of experience in cybersecurity, Xavi has transitioned from CISO to product security to have a more direct impact. Beyond his work in cybersecurity, Xavi is an active entrepreneur and startup founder, with ventures ranging from security solutions to platforms that transform how kids learn English. In this episode, we dive into what makes gaming security unique, why it’s crucial to monitor community feedback, and how understanding cheating practices helps address security challenges. We also discuss why creativity is essential in security to effectively engage with engineers, and reflect on Xavi’s personal journey: why many might see his move from CISO to product security as a step "down". Dive right in!
    32:05
  • The Pressure of Security Leadership: What SLAs Actually Work? with Terry O'Daniel
    Today, I’m excited to be joined by Terry O’Daniel, former global head of security at Amplitude, Instacart, and Netflix, and a trusted advisor in the security space. Terry thrives in high-growth environments and loves tackling complex challenges. With a strong background in engineering and security, he builds teams that focus on solving security problems at scale through automation and instrumentation. Terry is also a frequent public speaker and passionate advocate for product security. And recently, he joined Harvard as the Head TA for Security Lifecycle Threats. In this episode, we break down how SLAs enforce real accountability, why security leaders are constantly under pressure, and why ignoring identity and data structures is a recipe for failure. We also discuss how operating under pressure can surprisingly lead to better decision-making and what the future of product security will look like. Dive right in!
    44:14
  • Can We Make AI Agents Smarter Than Security Teams? with Anshuman Bhartiya
    Today, I’m excited to welcome Anshuman Bhartiya, an AppSec tech lead at Lyft. Before that, he worked as a security engineer at companies like Thirty Madison, Intuit, and Atlassian. Anshuman is also a fellow podcaster and co-host of the Boring AppSec podcast, alongside one of my previous guests, Sandesh Mysore Anand. Recently, he’s been experimenting extensively with building AI agents for both offensive and defensive security, and he’s documenting his findings at anshumanbhartiya.com (link in the description). In this episode, we dive into the challenges of building effective AI agents, the impact of AI on security practices, and the importance of understanding AI outputs and avoiding confirmation bias. We also touch on the ongoing debate of build versus buy solutions and explore where the future of AI in security might be headed. Dive right in!
    32:42


About The Elephant in AppSec

Time to discuss AppSec issues no one talks about.