The Elephant in AppSec


Available episodes

  • Should We Fix All Bad Code? with Eitan Worcel
    Today, I’m joined by Eitan Worcel, CEO and co-founder of Mobb — an AI Security Assistant that fixes vulnerabilities. With over 15 years of experience in the application security field, Eitan has worn many hats, including developer, product management leader, and now startup founder.
    Eitan has also shared his expertise at events such as Black Hat, BSides Las Vegas, and OWASP chapter meetings, where he discussed the application of AI in security and the relationships between developers and security teams.
    In today’s episode, we explore whether all bad code should be fixed, the role of AI in code remediation, the challenges developers face in addressing vulnerabilities, and the critical importance of maintaining software quality. We also touch on the evolution of security tools and their impact on developers' workflows.
    Dive right in!
    Connect with Eitan: https://www.linkedin.com/in/worcel/
    Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
    This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic
    Mentioned:
    Mobb.ai - AI Security Assistant That Fixes Vulnerabilities
    Matias Madou of Secure Code Warrior on Embedding Security in Product Design and Development: https://medium.com/authority-magazine/matias-madou-of-secure-code-warrior-on-embedding-security-in-product-design-and-development-29bd2f639469
    Copilot amplifies insecure codebases: https://snyk.io/blog/copilot-amplifies-insecure-codebases-by-replicating-vulnerabilities/
    The Hard Thing About Hard Things by Ben Horowitz: https://www.amazon.com/Hard-Thing-About-Things-Building/dp/0062273205
    37:59
  • AI, Speed, and Startup Chaos: Is ‘Minimum Viable Security’ the Fix? ⎜ Kalyani Pawar
    Today, I’m joined by Kalyani Pawar, an Application Security Engineer at Zipline and a seasoned AppSec expert with a deep commitment to the startup ecosystem. Beyond her day job, she actively advises startups and VCs on what really matters in application security. Kalyani is also the co-host of the Application Security Weekly podcast and a speaker at top conferences like DEFCON, BSides SF, and RSA.
    She’s been a driving force behind the scenes too, serving on reviewer boards for DEFCON, WiCyS, and several BSides chapters—helping shape high-impact security content for the community.
    In today’s episode, we dive into her experience designing security programs from scratch across startups of all stages—and ask the big question: Can ‘Minimum Viable Security’ be the fix to all the AI-fueled chaos in startups? We also explore how VCs impact security decisions, the role of interns on security teams, and how to tackle the beast of security debt.
    Dive right in!
    50:30
  • Security IDE Plugins: Can They Really Boost Your Coding Security? ⎜ Jamie Scott
    Today, I'm joined by Jamie Scott, a recovering cybersecurity practitioner turned founding product manager at Endor Labs. Previously, Jamie served as Product Manager of Security at Redis, where he was an active open-source contributor, and as DevSecOps Manager at Cygna Healthcare.
    Jamie is also a Certified Information Systems & Cloud Security Professional and continues to contribute to the cybersecurity community. He co-authored several benchmarks and volunteers as a consultant for the Center for Internet Security.
    In this episode, we dive into the topic of IDE plugins: Do they help you boost your coding security or just hopeful? Jamie has firsthand experience trying to roll out an IDE security program in his career and shares his perspective, leaning more towards the “hopium” side of things. He’s observed that developers often don't proactively use them, which raises the question—are these tools really effective?
    Dive right in!
    Connect with Jamie: https://www.linkedin.com/in/james-m-scott-iii/
    Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
    This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
    Mentioned:
    CIS Benchmark for NGINX: https://www.cisecurity.org/benchmark/nginx
    The Challenger Sale: Taking Control of the Customer Conversation: https://www.amazon.com/Challenger-Sale-Control-Customer-Conversation/dp/1591844355
    Shannon Lietz (DevSecOps Lead at Intuit) Keynote in 2016: https://www.youtube.com/watch?v=ru11MSYPBBQ
    40:32
  • DAST Tools: Can We Change the AppSec Community Perception? with Chris Lindsey
    Today, I’m joined by Chris Lindsey, who, at the time of recording, was an AppSec Evangelist at Mend. Formerly an AppSec Architect, Chris brings over 15 years of direct security experience and more than 35 years of leadership in programming, software, solutions, and security architecture.
    For several years, Chris built and led an entire application security program, including oversight of security processes, procedures, tools, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.
    Chris is also a seasoned speaker and the host of the Secrets of AppSec Champions podcast.
    In this episode, we discuss why many still view DAST as a checkbox rather than a critical component of security—and how that perspective is changing, especially with the rise of modern DAST tools. We’ll also explore how to strategically integrate DAST with other tools in your AppSec program.
    If you agree with Chris that we need to stop treating DAST like a dessert, this episode is for you.
    Dive right in!
    This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
    Mentioned:
    Chris’ article on DAST: https://www.mend.io/blog/dont-treat-dast-like-dessert/
    Alexandra’s interviews with AppSec engineers, “What’s wrong with the current state of DAST”: https://escape.tech/blog/what-is-wrong-with-the-current-state-of-dast-feedback-from-my-conversations-with-appsec-engineers/
    The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win: https://www.amazon.com/-/en/Gene-Kim/dp/0988262592
    Secrets of AppSec Champions: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7
    40:25
  • Secure Coding — Can we make it happen? with Tanya Janca
    Today, I’m joined by someone many of you will instantly recognize — Tanya Janca, also known as She Hacks Purple and a key community leader at Semgrep.
    With nearly three decades in IT, Tanya has earned countless awards, including OWASP Lifetime Distinguished Member and Hacker of the Year. She’s spoken on stages around the world and trained thousands of software developers and security professionals along the way.
    Her first book was one of the earliest I read on application security — and honestly, her work gets mentioned more than almost anyone else’s by guests, season after season.
    Now, with the release of her latest book on secure coding, we dive into a big question: Can we actually expect developers to write secure code? And if so, how do we make secure coding a foundational part of education — not an afterthought? We explore the challenges, the role of governments in promoting security standards, and the mindset shifts needed to get there.
    We also touch on Tanya’s passion for community, and how genuinely useful content (which isn’t always a given in security) can make all the difference in helping others learn and grow in AppSec.
    And with that, get ready to hear Tanya’s opinions.
    Dive right in!
    41:22


About The Elephant in AppSec

Time to discuss AppSec issues no one talks about.
v7.17.1 | © 2007-2025 radio.de GmbH
Generated: 5/9/2025 - 4:56:59 PM