The Application Security Podcast

Epizody

• Josh Grossman--AI & SAST: Is it a match? 02.06.2026 40min

  AI coding tools are accelerating development fast, but they’re also exposing the limits of traditional AppSec tooling. Josh Grossman, CTO of Bounce Security and longtime AppSec consultant, joins the podcast to break down AGHAST, his new open-source security tool that combines static analysis with AI to uncover business logic flaws and authorization issues that traditional scanners miss. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTub...
• Dwayne McDaniel -- Secrets Sprawl and How AI is Impacting Secrets 14.05.2026 45min

  GitGuardian found 29 million hard-coded secrets leaked in public GitHub commits in a single year, a 34% jump and the biggest spike they've ever recorded. Dwayne McDaniel joins to break down why AI coding tools, MCP servers, and a false sense of security in private repos are making the problem worse, and what it'll actually take to fix it. Check out the report here - https://www.gitguardian.com/files/the-state-of-secrets-sprawl-report-2026. Dwayne McDaniel is a Principal Developer Advocate who...
• Tanya Janca - Secure Vibe Coding 30.04.2026 47min

  AI isn’t just helping developers anymore; it’s writing the code, and that changes everything. In this episode, Tanya Janca breaks down “vibe coding,” the hidden security risks behind it, and how teams need to rethink AppSec from the ground up. If you’re building with AI, this is the wake-up call you can’t afford to miss. Tanya Janca, AKA SheHacksPurple, is an author, founder, trainer, speaker, software developer, but most of all, a nerd obsessed with security. She speaks and teaches secure co...
• Caroline Wong--The AI Cybersecurity Handbook 21.04.2026 44min

  Caroline Wong, author of The AI Cybersecurity Handbook and Chief Strategy Officer at Axari, is back! Caroline shares how AI is rapidly changing AppSec, driving massive increases in code, accelerating risk, and challenging traditional security practices. The conversation covers AI-generated code, trust and explainability, and how security teams must adapt to keep up. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/...
• Steve Wilson--OpenClaw and Advanced AI Agents 15.04.2026 49min

  In this episode of the Application Security Podcast, Chris Romeo and Robert Hurlbut welcome back Steve Wilson, a global leader in AI security and Chief AI and Product Officer at Exabeam, as well as founder of the OWASP Gen AI Security Project. Steve shares how his AI assistant was “hacked” using a simple phishing attack, highlighting a major shift in security—AI agents behave more like humans than traditional software. The conversation explores how this changes the threat model, why AppSec i...
• Brad Geesaman - Redefining AppSec with AI: Shrinking Toil, Expanding Impact - How LLMs are able to reduce toil in triage-heavy AppSec workflows 28.10.2025 42min

  Brad Geesaman, Principal Security Engineer at Ghost, joins the podcast today to explore how AI and large language models are transforming the world of application security. The discussion starts with the concept of "toil"—the repetitive, exhausting work that drains AppSec teams as they struggle to keep up with mountains of security findings and alerts. Brad shares his insights on how LLMs can provide meaningful leverage by handling the heavy lifting of triage, classification, and evidence gat...
• OWASP Candidate Debate - 2025 Edition 15.10.2025 1h 8min

  In this special episode of the Application Security Podcast we meet nine of the OWASP Board of Directors candidates. Each candidate discusses their unique qualifications, experiences, and vision for OWASP's future. Topics include enhancing OWASP's impact, improving outreach and education, securing funding, and engaging local chapters. Don't miss this insightful debate as these candidates share their strategies to help secure a brighter future for OWASP. FOLLOW OUR SOCIAL MEDIA: ➜Twit...
• Francesco Cipollone - Agentic AI Manifesto 23.09.2025 33min

  Francesco Cipollone, the CEO of Phoenix Security, shares his extensive experience in AI and security, discussing the crucial difference between true AI agents and glorified chatbots. Learn why Phoenix Security utilizes six different LLMs instead of a single super agent. Understand the sobering economics behind AI implementation and the importance of adopting AI responsibly. Get practical advice on integrating AI agents to enhance, not replace, human capabilities, while touching on the Agentic...
• Simon Gibbs & Devika Gibbs -- Building Bridges with Games 16.09.2025 36min

  Simon and Devika Gibbs, the innovative minds behind Cybersec Games, join us on the episode today. Discover how the Gibbs duo are revolutionizing the way we teach and learn security concepts through interactive gaming. Learn about their journey from developing stationary for agile teams to delving into the world of threat modeling games like Elevation of Privilege. We talk about the power of gamification in cybersecurity education, and get the inside scoop on their Cybersecurity Game Challenge...
• Akansha Shukla - Modern AppSec: Securing APIs with Threat Modeling and DevSecOps 02.09.2025 35min

  Our guest today is Akansha Shukla, an information security professional with over 10 years of experience in application security, DevSecOps, and API security. We’re discussing why API security remains one of the least mature areas of AppSec today and exploring the challenges developers face when securing APIs. Akansha shares her insights on incorporating APIs into threat modeling exercises, the ongoing struggles with API discovery and inventory management, and the authorization challenges hig...
• Getting Ready for the EU CRA 20.08.2025 40min

  The European Union's Cyber Resilience Act is set to revolutionize how we approach product security worldwide. In this episode, we sit down with application security expert Nariman Aga-Tagiyev to break down everything you need to know about this legislation. Nariman has over 20 years of software development experience and today he’s sharing his expertise with us. Learn what the EU CRA is and why it matters for global software companies, key compliance requirements, and how OWASP SAMM can help ...
• Marisa Fagan - Measuring Security Culture 05.08.2025 50min

  Marisa Fagan, Head of Product at Katilyst and veteran security culture expert joins us today to share practical strategies for building and scaling security champions programs that actually work, from designing effective pilots to avoiding common pitfalls that can derail your initiatives. Learn how to motivate developers using the SAPs model (Status, Access, Power, Stuff), why getting management buy-in is crucial before launching, and discover the metrics that truly demonstrate security...
• Aram Hovsepyan -- Your Security Dashboard is Lying to You: The Science of Metrics 22.07.2025 40min

  Aram Hovsepyan joins the podcast today to chat about the misconceptions behind common security metrics. Aram tells us how total vulnerability counts and CVSS scores can be misleading and he introduces us to the Goal Question Metric framework, this framework is a better approach to building truly effective security dashboards. Learn about the critical qualities of good metrics and how to ensure that your metrics accurately reflect your organization's security posture and readiness. Also, disco...
• Sean Varga -- OWASP Top 10 for AppSec Sales 15.07.2025 47min

  We’re discussing the intersections of application security (AppSec) and sales strategy with our guest, Sean Varga. Sean shares the unique challenges and best practices in AppSec sales, like the importance of empathy, understanding customer needs, and community participation. Learn about the OWASP top 10 for AppSec Sales and discover how to achieve success by aligning with customer goals, maintaining detailed living documents, and fostering strong partnerships. FOLLOW OUR SOCIAL MEDIA: ➜...
• Sarah-Jane Madden -- What AI means for AppSec 09.07.2025 37min

  Sarah Jane Madden joins us to discuss the evolving role of AI in software development. We reflect on the changes and challenges posed by AI, including the potential for over-reliance and the misconception that traditional software engineering practices like the SDLC are obsolete. The conversation explores the nuances of AI-generated code, emphasizing the importance of maintaining foundational engineering skills and a critical understanding of the tools used. Madden shares insights from her ke...
• Dag Flachet -- Kaizen for your Appsec Program 17.06.2025 35min

  Dag Flachet joins us to discuss the concept of Kaizen and its application in improving application security. Dag shares his journey into the world of security, emphasizing the importance of iterative, small-step improvements. The conversation delves into how organizations can effectively implement maturity models to enhance their security programs, the limitations of compliance-focused frameworks like ISO 27,000 and SOC 2, and the practical application of Kaizen principles. They also explore ...
• Javan Rasokat and Andra Lezza -- When Chatbots Go Rogue - Lessons Learned from Building and Defending LLM Applications 18.03.2025 47min

  Andra Lezza and Javan Rasokat discuss the complexities of securing AI and LLM applications. With years of experience in Application Security (AppSec), Andra and Javan share their journey and lessons from their DEF CON talk on building and defending LLMs. They explore critical vulnerabilities, prompt injection, hallucinations, and the importance of data security. This discussion sheds light on the evolving landscape of AI and LLM security, offering practical advice for developers and security ...
• Jim Routh -- The CISO Transition to the rest of life 11.03.2025 49min

  Former CISO Jim Routh discusses his perspective on retirement and career fulfillment in cybersecurity. Rather than viewing retirement as simply stopping work, Routh describes his three-filter approach: working only with people he respects and admires, doing only work he finds fulfilling, and controlling when he works. He shares valuable lessons learned about which post-retirement opportunities truly bring satisfaction and explains why he avoids certain roles. Routh emphasizes the importance o...
• Henrik Plate -- OWASP Top 10 Open Source Risks 04.03.2025 38min

  Henrik Plate joins us to discuss the OWASP Top 10 Open Source Risks, a guide highlighting critical security and operational challenges in using open source dependencies. The list includes risks like known vulnerabilities, compromised legitimate packages, name confusion attacks, and unmaintained software, providing developers and organizations a framework to assess and mitigate potential threats. Henrik offers insights on how developers and AppSec professionals can implement the guidelines. Ou...
• Tanya Janca -- A Secure SDLC from a Developer's Perspective 26.02.2025 48min

  Security expert Tanya Janca discusses her new book "Alice and Bob Learn Secure Coding" and shares insights on making security accessible to developers. In this engaging conversation, she explores how security professionals can better connect with developers through threat modeling, maintaining empathy, and creating inclusive learning environments. Tanya emphasizes the importance of system maintenance after deployment and shares practical advice on input validation, while highlighting how secu...