The Boring AppSec Podcast

By The Boring AppSec Podcast

In this podcast, we will talk about our experiences having worked at different companies - from startups to big enterprises, from tech companies to security companies, and from building side projects ... more

· Technology

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about The Boring AppSec Podcast:

How many episodes does The Boring AppSec Podcast have?

The podcast currently has 20 episodes available.

The Boring AppSec Podcast episodes:

May 20, 2024S1E10 - Future Security Predictions
Welcome to the Boring AppSec Podcast! In Episode 10, we discuss some security predictions that we hope to see in the near future. Some of them are:
AI agents - different kinds - activity based and/or persona based

Security talent is going to get better, hiring is important

AI powered security engineers - up leveling junior engineers

AI code review assistants - GPT4-o et al

Company consolidations happening in the security industry - D&R space

ASPM predictions and how AI agents will help evolve this space

CISA’s guidance on building secure by default frameworks

Automated red teaming

Hiring security engineers vs changes in interviewing
Tune in to find out more!

References mentioned in the episode:
OpenAI Security Bots - https://github.com/openai/openai-security-bots

Build an AI Appsec Team - https://srajangupta.substack.com/p/building-an-ai-appsec-team

CISA and secure design - https://www.cisa.gov/news-events/news/cisa-announces-secure-design-commitments-leading-technology-providers

Awesome secure defaults - https://github.com/tldrsec/awesome-secure-defaults

Slack vs MSFT teams - https://x.com/TrungTPhan/status/1640866391485194241

The Innovator's Dilemma - https://www.amazon.com/Innovators-Dilemma-Revolutionary-Change-Business/dp/0062060244

Contacting Anshuman
LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

Instagram: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠⁠⁠⁠⁠⁠⁠

YouTube: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠⁠⁠⁠⁠⁠⁠
Contacting Sandesh
LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠
...more
51min
May 13, 2024S1E09 - Incidents
Welcome to the Boring AppSec Podcast! In Episode 9, we discuss incidents. Both Sandesh and I share 2 incidents each and the lessons learnt from them. Tune in!

References mentioned in the episode:
Log4j - https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance
Incident runbook - https://engineering.razorpay.com/how-an-incident-transformed-razorpay-improving-the-5-why-rca-format-378de299b9a2

Contacting Anshuman
LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠⁠⁠⁠⁠⁠

Instagram: ⁠⁠⁠⁠⁠⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠⁠⁠⁠⁠⁠

YouTube: ⁠⁠⁠⁠⁠⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠⁠⁠⁠⁠⁠
Contacting Sandesh
LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠⁠⁠⁠⁠⁠⁠
...more
38min
April 22, 2024S1E08 - Bug Bounties Part 2
Welcome to the Boring AppSec Podcast! In Episode 8, we continue discussing bug bounties from where we left off in Episode 3. We discuss how to build mature bug bounty programs, how to start a program, how to convince stake holders to start a program, differences and similarities between vulnerability disclosure programs and bug bounty programs among other things. Tune in!

Contacting Anshuman
LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠⁠⁠⁠⁠

Instagram: ⁠⁠⁠⁠⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠⁠⁠⁠⁠

YouTube: ⁠⁠⁠⁠⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠⁠⁠⁠⁠
Contacting Sandesh
LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠⁠⁠⁠⁠⁠
...more
46min
April 15, 2024S1E07 - Hiring in Security
Welcome to the Boring AppSec Podcast! In Episode 7, we discuss how to hire the right security folks on a security engineering team. We go over the interviewing process, what to look out for, how to compose a team, and also share some of our experiences of interviewing including some tips on what a candidate can/should do if they want to get noticed by hiring managers and recruiters.

Contacting Anshuman
LinkedIn: ⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠⁠⁠⁠

Instagram: ⁠⁠⁠⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠⁠⁠⁠

YouTube: ⁠⁠⁠⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠⁠⁠⁠
Contacting Sandesh
LinkedIn: ⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠⁠⁠⁠⁠
...more
55min
April 08, 2024S1E06 - Vulnerability Management
Welcome to the Boring AppSec Podcast! In Episode 6, we discuss the art of Vulnerability Management. What it means, what are some of the problems we've seen as practitioners, what are some ways we've considered to make the process of managing vulnerabilities easy.

References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Gitlab's Security Handbook - https://handbook.gitlab.com/handbook/security/

Contacting Anshuman
LinkedIn: ⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠⁠⁠

Instagram: ⁠⁠⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠⁠⁠

YouTube: ⁠⁠⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠⁠⁠
Contacting Sandesh
LinkedIn: ⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠⁠⁠⁠
...more
57min
April 01, 2024S1E05 - Threat Modeling
Welcome to the Boring AppSec Podcast! In Episode 5, we dig deep into what threat modeling is from a practitioner's perspective. We compare it with design reviews and discuss when/how/why of threat modeling. In the end, we wrap up by talking about how Gen AI could help threat modeling significantly.

References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Threat modeling manifesto - Threatmodelingmanifesto.org
STRIDE framework - https://en.wikipedia.org/wiki/STRIDE_(security)
Tools for threat modeling
⁠https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool⁠

⁠https://www.iriusrisk.com/threat-modeling/freemium⁠

⁠https://owasp.org/www-project-threat-dragon/⁠

⁠https://excalidraw.com/⁠

⁠https://www.securitycompass.com/sdelements/⁠
Talks on threat modeling
https://www.youtube.com/watch?v=KGy_KCRUGd4⁠

⁠https://www.youtube.com/watch?v=wVSyqFdO-D8⁠
Articles - https://www.scaletozero.com/episodes/understanding-threat-modeling-with-jeevan-singh/

Gen AI related threat modeling tools/companies
Stride GPT- https://stridegpt.streamlit.app/

Nullify - https://www.nullify.ai/

Remysec - https://www.remysec.com/

Seezo - https://seezo.io/
https://www.sarahtavel.com/p/ai-startups-sell-work-not-software

https://github.com/captn3m0/ideas

Contacting Anshuman
LinkedIn: ⁠⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠⁠

Instagram: ⁠⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠⁠

YouTube: ⁠⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠⁠
Contacting Sandesh
LinkedIn: ⁠⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠⁠

Website: ⁠⁠⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠⁠⁠
...more
1h 2min
March 25, 2024S1E04 - Running a lean AppSec team
Welcome to the Boring AppSec Podcast! In Episode 4, we discuss how lean AppSec teams run and operate. We share our experiences of having worked in engineering heavy organizations where the "engineer : appsec-engineer" ratio is far from ideal and scaling the AppSec team becomes very important to be able to reasonably manage risk.

References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Soft skills are important - ⁠⁠⁠https://www.softsideofcyber.com/

Bhadra, the vulnerability management platform built and open sourced by Razor Pay - https://github.com/razorpay/bhadra

Devin - https://www.cognition-labs.com/introd...

Seezo (Automating design reviews) - https://seezo.io/
Contacting Anshuman
LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠⁠

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠⁠

Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠⁠

YouTube: ⁠⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠⁠
Contacting Sandesh
LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠⁠

Twitter: ⁠⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠⁠

Website: ⁠⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠⁠
...more
1h 10min
March 18, 2024S1E03 - Bug Bounties
Welcome to the Boring AppSec Podcast! In Episode 3, we discuss all things bug bounties. The researcher side as well as the program owner's side. Enter at your own will as we have a lot of hot takes.

References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
⁠Bug Bounty Platforms
Bugcrowd - https://www.bugcrowd.com/

HackerOne - https://www.hackerone.com/

Intigrity - https://www.intigriti.com/

Synack - https://www.synack.com/
2. Vulnerability Disclosure Process - https://www.cisa.gov/coordinated-vulnerability-disclosure-process
3. Google’s Project Zero vulnerability disclosure policy - https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html
4. CVSS Calculator - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
5. Handling A Bug Bounty program From A Blue Team Perspective - https://www.youtube.com/watch?v=Vgy150R4bRw&t=0s
6. Consumer Bug Bounty Panel - https://www.youtube.com/watch?v=Y8X6pV7rdbA&t=0s

Contacting Anshuman
LinkedIn: ⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠⁠

Twitter: ⁠⁠⁠https://twitter.com/anshuman_bh⁠⁠⁠

Website: ⁠⁠⁠https://anshumanbhartiya.com/⁠⁠⁠

Instagram: ⁠⁠https://www.instagram.com/anshuman.bhartiya/⁠⁠

YouTube: ⁠⁠https://www.youtube.com/@AnshumanBhartiya⁠⁠
Contacting Sandesh
LinkedIn: ⁠⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠⁠

Twitter: ⁠⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠⁠

Website: ⁠⁠⁠https://boringappsec.substack.com/⁠⁠⁠
...more
1h 12min
March 11, 2024S1E02 - First Security Hire
Welcome to the Boring AppSec Podcast! In Episode 2, we discuss what a first security hire responsibilities are. How do they prioritize? What do they prioritize?

References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Building a product security program

Some blogs on getting SOC2 certifications without too much redtape - ⁠RunReveal⁠, Fly.io⁠

Tracking Meaningful Security Product Metrics

Build vs Buy Framework

OpenAI Sora

LLM Agents Can Autonomously Hack Websites

Arcanum Information Security

SecGPT in https://chat.openai.com/gpts
Contacting Anshuman
LinkedIn: ⁠⁠https://www.linkedin.com/in/anshumanbhartiya/⁠⁠

Twitter: ⁠⁠https://twitter.com/anshuman_bh⁠⁠

Website: ⁠⁠https://anshumanbhartiya.com/⁠⁠

Instagram: ⁠https://www.instagram.com/anshuman.bhartiya/⁠

YouTube: ⁠https://www.youtube.com/@AnshumanBhartiya⁠
Contacting Sandesh
LinkedIn: ⁠⁠https://www.linkedin.com/in/anandsandesh/⁠⁠

Twitter: ⁠⁠https://twitter.com/JubbaOnJeans/⁠⁠

Website: ⁠⁠https://boringappsec.substack.com/⁠⁠
...more
1h 8min
March 04, 2024S1E01 - Asset Inventory
Welcome to the Boring AppSec Podcast! In Episode 1, we discuss software inventories. What they are, why we need them, and what are our favorite ways to build them.

References:
We will try and add information about all the references we make here. Please enter rabbit holes at will :)
Cartography - ⁠https://github.com/lyft/cartography⁠

GenAI + Cartography
⁠https://shinobi.security/#how-it-works⁠

⁠https://github.com/samvas-codes/cspm-gpt⁠

Commercial asset inventory mentioned on the show: ⁠https://www.jupiterone.com/⁠

Talk by Sandesh and Satyaki on automating asset inventory generation at Razorpay: ⁠https://www.youtube.com/watch?v=8q42Pw9F44k&ab_channel=HasgeekTV⁠

XKCD about too many standards - ⁠https://m.xkcd.com/927/⁠

Arvind Narayanan on Gen AI chatbots and rock-paper-scissors: ⁠https://x.com/random_walker/status/1755684956502728969?s=20⁠

Emily Oster on parenting - ⁠https://emilyoster.net/⁠ . She has now moved her newsletter away from Substack. You can sign up at ⁠https://parentdata.org/⁠

Contacting Anshuman
LinkedIn: ⁠https://www.linkedin.com/in/anshumanbhartiya/⁠

Twitter: ⁠https://twitter.com/anshuman_bh⁠

Website: ⁠https://anshumanbhartiya.com/⁠

Instagram: https://www.instagram.com/anshuman.bhartiya/

YouTube: https://www.youtube.com/@AnshumanBhartiya
Contacting Sandesh
LinkedIn: ⁠https://www.linkedin.com/in/anandsandesh/⁠

Twitter: ⁠https://twitter.com/JubbaOnJeans/⁠

Website: ⁠https://boringappsec.substack.com/⁠
...more
45min

FAQs about The Boring AppSec Podcast:

How many episodes does The Boring AppSec Podcast have?

The podcast currently has 20 episodes available.