Marisa Fagan, Head of Product at Katilyst and veteran security culture expert joins us today to share practical strategies for building and scaling security champions programs that actually work, from designing effective pilots to avoiding common pitfalls that can derail your initiatives. Learn how to motivate developers using the SAPs model (Status, Access, Power, Stuff), why getting management buy-in is crucial before launching, and discover the metrics that truly demonstrate security culture success. Marisa reveals why most programs fail, shares her blueprint for creating sustainable security culture initiatives, and discusses the evolution beyond security champions to include privacy and accessibility programs. Resources Mentioned: • Security Champion Success Guide: https://securitychampionsuccessguide.org/ • OWASP Security Champions Guide: securitychampions.owasp.org • People-Centric Security book by Lance Hayden FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------
50:05
--------
50:05
Aram Hovsepyan -- Your Security Dashboard is Lying to You: The Science of Metrics
Aram Hovsepyan joins the podcast today to chat about the misconceptions behind common security metrics. Aram tells us how total vulnerability counts and CVSS scores can be misleading and he introduces us to the Goal Question Metric framework, this framework is a better approach to building truly effective security dashboards. Learn about the critical qualities of good metrics and how to ensure that your metrics accurately reflect your organization's security posture and readiness. Also, discover overlooked metrics that could offer deeper insights into your application security.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------
40:52
--------
40:52
Sean Varga -- OWASP Top 10 for AppSec Sales
We’re discussing the intersections of application security (AppSec) and sales strategy with our guest, Sean Varga. Sean shares the unique challenges and best practices in AppSec sales, like the importance of empathy, understanding customer needs, and community participation. Learn about the OWASP top 10 for AppSec Sales and discover how to achieve success by aligning with customer goals, maintaining detailed living documents, and fostering strong partnerships. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------
47:13
--------
47:13
Sarah-Jane Madden -- What AI means for AppSec
Sarah Jane Madden joins us to discuss the evolving role of AI in software development. We reflect on the changes and challenges posed by AI, including the potential for over-reliance and the misconception that traditional software engineering practices like the SDLC are obsolete. The conversation explores the nuances of AI-generated code, emphasizing the importance of maintaining foundational engineering skills and a critical understanding of the tools used. Madden shares insights from her keynote at OWASP Barcelona and stresses the need for responsible and thoughtful integration of AI in development workflows. Key takeaways include leveraging AI for efficiency while avoiding complacency and ensuring a deep, ongoing engagement with code and quality practices.Previous Episode with Sarah-Jane Madden: Threat Modeling to Established TeamsFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------
37:59
--------
37:59
Dag Flachet -- Kaizen for your Appsec Program
Dag Flachet joins us to discuss the concept of Kaizen and its application in improving application security. Dag shares his journey into the world of security, emphasizing the importance of iterative, small-step improvements. The conversation delves into how organizations can effectively implement maturity models to enhance their security programs, the limitations of compliance-focused frameworks like ISO 27,000 and SOC 2, and the practical application of Kaizen principles. They also explore the evolution and future updates of OWASP SAM, and the importance of empowering development teams through a bottom-up approach in security enhancement. Dag is the co-founder of Codific, a professor and board member at the Geneva Business School, and an active member of the OWASP Barcelona Chapter and the OWASP SAMM community. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
Polska