AppSec Master Class

This is a mini-episode originally recorded for the BSIMM community as part of an ongoing series of metrics. We’ve decided to release this audio interview for the benefit of anybody looking to use metrics to drive the transformation of their application security program.

Sammy Migues has years of experience in coaching CISOs and AppSec Program Owners in recognizing and responding to the drivers that their company face. Together we’ll talk through the difference between good metrics and bad, using metrics to make automated decisions, and the fine art of asking the right question.

This is the AppSec Master Class Podcast, a podcast that helps you solve problems your developers are facing by building proactive capabilities.

Security Gates are the final decision point before releasing software to the next phase of development or to production. If your security gates aren’t checking into the right risks, you may be releasing insecure software. When initially created, security gates were manual meetings where a bunch of humans would make a human decision, but as security takes advantage of more automation, these security gates can be automated as well.

Meera Rao started the DevSecOps revolution at Synopsys and is an expert in intelligently integrating automated tooling into the development lifecycle. Meera discusses what it takes to integrate automation that reduces friction and enables your developers to spend more time building secure software and spend less time jumping of security speedbumps.

This is the AppSec Master Class Podcast, a podcast that helps you solve problems your developers are facing by building proactive capabilities.

One of the most common initiatives shared by successful AppSec programs is the Satellite or Security Champions program. Since most software issues are introduced by people, having a people driven solution pays huge dividends. A Security Champions program recruits, trains, and organizes a community of developers, testers, and designers to take the lead on security in individual work centers.

Brendan Sheairs has helped many firms stand up Security Champions programs and talks about the process of starting and maintaining a successful Champions Program. Brendan explains what to look for in a security champion candidate, how to train them, and how to keep Security Champions engaged.

This is the AppSec Master Class Podcast, a podcast that helps you solve problems your developers are facing by building proactive capabilities.

Design flaws can lead to vulnerabilities present in the blue prints of your application. If you’re building a house with a blue-print that doesn’t call for locks on the windows, your house will be built with a huge vulnerability. If your software is missing needed controls or has gaps in logic, attackers will be able to find those vulnerabilities that SAST and DAST scanning tools may miss.

Chandu Ketkar pioneered the Synopsys Threat Modeling Method and built the Architecture Risk Assessment Practice from the ground up. In this episode, we demystify threat modeling. Chandu explains how any company can take this informal risk assessment and problem solving exercise that we all do in our daily lives and formalize it into a repeatable practice that can be fit into any development organization.

This is the AppSec Master Class Podcast, a podcast that helps you solve problems your developers are facing by building proactive capabilities.

Congratulations on your promotion/hiring to AppSec Director! You are now in charge of application security for a small/medium/large company called Sec Co. It is now your job to evaluate the business drivers, culture, and organization features that will shape an AppSec program whose goal is to help developers build software that is harder to hack.

Sammy Migues has years of experience in coaching CISOs and AppSec Program Owners in recognizing and responding to the drivers that their company face. Together we’ll talk through recognizing Centralized and Engineering based cultures that are the biggest input into an AppSec Program’s overall shape. He will also put some landmarks on the horizon that any AppSec Professional will have to navigate by.

This is the AppSec Master Class Podcast and while every episode normally focuses on solving a specific problem or risk through the use of a built capability, this episode will focus on the problem of building an AppSec Program from scratch.

Application Security is now more important than ever. If your company is writing software but doesn’t have a plan to write it securely, it’s not secure. Companies have been learning that the hard way and have been getting the headlines to prove it. The only way to write secure software is to do so intentionally, and the best way to build that intent is with an Application Security Program.

This is the AppSec Master Class Podcast. Every other week, I’ll post an interview with an expert on how to build or improve a capability that improves application security. We’ll look at various risks that face organizations and software developers and then propose solutions that are bigger than any single piece of software.

If you’re interested in learning how to help developers write secure code, help testers find bugs, and help designers build better controls, this is the podcast for you.