What best drives the adoption of secure software practices? with Enrique Larios Vargas
Today, I’m joined by Enrique Larios Vargas, a Security and Learning Specialist at Adyen.

Enrique has over eight years of experience designing impactful learning and enablement programs across fintech, engineering, and security. He’s also been a university lecturer in software engineering in Peru, the Netherlands, and Canada.

Bringing together technical expertise and behavioral science, Enrique is passionate about helping developers move beyond compliance and build a meaningful, human-centered security culture.

In this episode, we dive into his research paper, “DASP: A Framework for Driving the Adoption of Software Security Practices,” co-authored with five others (all listed in the description). The paper explores how behavioral models like COM-B can drive secure development practices.

We also get into incentives and Enrique’s controversial take on why we shouldn’t call security champions “champions” anymore. He’ll even be put to the test on this topic at the upcoming Elephant in AppSec conference, where he’ll debate it with other panelists.

Dive right in!
--------
38:10
Why AppSec Needs More Than Just a Checkbox ⎢ Marcos Vinicius Cassel
Today, I’m joined by Marcos Vinicius Cassel, Application Security Manager at PowerSchool.

With over a decade of experience in the information security space, as a CISSP, ISO 27001 Lead Auditor, and a passionate technologist, Marcos has led security initiatives across multiple industries. He also previously led the OWASP Porto Alegre Chapter, and fun fact: we first met while volunteering together at BSides SF!

In this episode, we dive into the real value of certifications in application security, how they can provide structure and credibility, but shouldn’t define a professional’s entire skill set. We also unpack the balance between compliance and risk management and between privacy and innovation, and why strong communication between security and engineering teams is more essential than ever.

And with that, get ready to hear Marcos’ opinions.

Dive right in!
--------
42:32
The Supply Chain Crisis We Created: How AI, Extensions, and Dependencies Became the New Attack Surface with Aamiruddin Syed
Today, I’m joined by Aamiruddin Syed, Senior Product Security Engineer at AGCO Corporation. Aamiruddin is the author of “Supply Chain Software Security book focusing on AI, IoT, and AppSec” and a recognized advocate for secure development. He’s a frequent speaker at major conferences, including RSA, DEFCON, and Black Hat.

Fun facts: he was once ranked in the top 1% of all TryHackMe penetration testers, and a memorable milestone in his career was delivering a Cybersecurity Awareness talk to officer trainees of the Indian Army.

He’s also a fellow podcaster, co-hosting the CyberGPT Pulse Podcast.

In this episode, we dive into the complexities of software supply chain security, especially the risks introduced by third-party extensions, and how generative AI can strengthen defenses across the supply chain.

We also explore the challenges of data quality when training AI models and discuss why strong governance is essential for secure developer practices.

Dive right in!
--------
40:32
Why AppSec Is Breaking: Vibe Coding, DevSecOps Backlogs & the New OWASP Top 10 (with Tanya Janca)
Today, I’m joined once again by Tanya Janca for her second appearance on the podcast. Her first episode was a hit, so we figured: why not record another? And the timing couldn’t be better, as Tanya has just embarked on a brand-new chapter in her career this year.

In our first conversation, I highlighted many of Tanya’s accomplishments, and she’s only added to the list since then. Most notably, she’s been deeply involved in shaping key components of the newly released OWASP Top 10.

In this episode, we dive into the initiatives she’s focusing on in her new solo journey, why she decided to join the OWASP Top 10 team, her mission to create a developer-focused awareness document, and even the unexpected difficulty of naming vulnerabilities for the final list.

We also chat about her take on why DevSecOps has started to lose some of its shine, something she’ll be discussing further at the upcoming Elephant in AppSec conference.

Dive right in!
--------
51:09
Secure by Design: Who’s Really Responsible? with Abhijeth Dugginapeddi
Today on the show, I’m joined by Abhijeth Dugginapeddi, Director of Offensive Security at Palo Alto Networks. Before this, he built and led product and cloud security at BigCommerce, and worked on application security at Commonwealth Bank and Adobe.

Abhijeth is deeply passionate about giving back to the community. He’s taught advanced web application security at UNSW, mentored through multiple outreach programs, and recently launched his first LinkedIn Learning course, “Practical Secure by Design”. He’s also been recognised in the Hall of Fame at companies like Google, Yahoo, and others for uncovering serious vulnerabilities across their platforms.

In this episode, we get into the idea and the principles of secure by design, who should own it, and why security culture matters so much. We also talk about IPO readiness from a security perspective, and the real-world challenges startups face when trying to build security in.

Dive right in!