Today, I'm joined by Kavia Venkatesh, Director of Product Security at a large healthcare organization. She didn't take the traditional path into cybersecurity — she came from biotech. But that outsider lens turned out to be her edge.

With over 10 years of experience leading cybersecurity strategy for hyper-scale ecosystems, she's built many security programs from the ground up, navigating 9 acquisitions in 18 months at a large tech org, and along the way developed a rare ability to translate risk into language that executives actually act on.

Kavia is also a frequent speaker at premier global conferences, including DEF CON, BSides San Francisco, and Nullcon.

In this episode, we talked about what most security teams get completely wrong during integrations, what she'd change about how security teams show up in organizations and the "breachability mindset" that changes how you approach risk.

And much more!

Get ready, Kavia doesn't hold back her opinions. Let's dive right in!

This podcast is brought to you by Escape: https://escape.tech — Offensive security for the teams that are 100x outnumbered, combining Attack Surface Management, business-logic-aware DAST and AI pentesting solutions.

Connect with Kavia: https://www.linkedin.com/in/kaviavenkatesh/

Today, I’m joined by Jason Fernandes, VP of security and privacy at Mercari, the Japanese-born global marketplace now spanning e-commerce, FinTech, and crypto. It is this rare combination that puts him at the intersection of some of the strictest regulatory environments in tech.

He oversees everything from product and platform security to threat detection, privacy, and, since last year,  AI security and AI governance.

In this episode, we also talked about the challenges of AI governance, the lethal trifecta for AI agents, the confused deputy problem, and how to justify AI security investments to the leadership and working with FinOps teams. And much more!

Dive right in!

This podcast is brought to you by

Escape: https://escape.tech  — Offensive security for the teams that are 100x outnumbered, combining Attack Surface Management, business-logic-aware DAST and AI pentesting solutions.

Mentioned

FACADE (Google's internal fraud detection model) https://arxiv.org/abs/2412.06700

Meta Practical AI Agent Security (Rule of Two) https://ai.meta.com/blog/practical-ai-agent-security/

Simon Willison The Lethal Trifecta https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

Hiroki's AI Security blog (Mercari) https://hi120ki.github.io/blog/posts/20260103/

Anthropic  Project Vend https://www.anthropic.com/research/project-vend-2

Today, I’m joined by Sam Stepanyan,  an OWASP Global Board member and an OWASP London Chapter Leader. Sam is an Independent Application Security Consultant and Security Architect with over 20 years of experience in the IT industry.

Sam has worked for various financial services institutions in the City of London specialising in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. 

He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems.

In this episode, we explore why, despite OWASP being around for over 25 years, many developers are still unaware of it—and why shifting focus toward developer conferences might be key to spreading security knowledge more effectively.

We also discuss the impact of AI on modern security practices, the growing role of automated penetration testing tools, and how even small changes—like adding the word “secure” to a vibe coding prompt—can help nudge developers toward more security-conscious decisions.

Dive right in! 

This podcast is brought to you by

Escape: https://escape.tech  — Offensive security for the teams that are 100x outnumbered, combining Attack Surface Management, business-logic-aware DAST and AI pentesting solutions. 

Today, I’m joined by Amol Deshpande, a seasoned security engineer currently at Stripe, where he focuses on building secure systems at massive scale. With a background spanning product security and penetration testing at companies like Salesforce, Splunk, and Early Warning, Amol brings deep hands-on experience in securing complex, real-world platforms.

He’s also been a HackMIT judge and a long-time CTF competitor at DEF CON, giving him a very practical view of modern security challenges.

In this episode, we cover whether security must now belong in every AI strategy meeting, and how to embed it into AI development from the outset.

We also touch on how privacy concerns will only grow as agents are trained on sensitive data and why human oversight is essential for critical AI operations.

Dive right in!

Today, I’m joined by Aleksandra Kornecka, a security engineer with a global mindset. She recently transitioned from Senior AppSec Engineer to Cloud Infrastructure Security Engineer, and has a background in software testing and cognitive science — a combination that gives her a unique take on both the technical and human sides of security.As a member of the OWASP Security Champions Guide and the project's Artifact stream, Aleksandra also put efforts to collect templates, documents, and other artifacts useful to build the security champions program.In this episode, we dive into the mindset shift developers need to successfully break into security and why security champions are critical for scaling security awareness across organizations.We also explore how curiosity fuels a lasting passion for security, and unpack why Zero Trust is often misunderstood and overhyped.Dive right in!

Today, I’m joined by Gowtham Sundar, a Senior Lead Engineer - 3A Security (AI and API included as you can guess) at SPH Media and a seasoned AppSec leader with over a decade of experience across enterprise security, penetration testing, and secure product development.

In this episode, Gowtham brings a real practitioner’s point of view on what it actually takes to secure AI systems. We dive into why APIs are at the heart of AI, why securing them is non-negotiable, and why automated API discovery is becoming critical for governance as systems scale.

We also talk about how AI security is evolving at lightning speed, sometimes changing week by week, and what that means for security teams trying to keep up.
And with that, get ready to hear Gowtham’s opinions.

Dive right in!

Today, I’m joined by Enrique Larios Vargas, a Security and Learning Specialist at Adyen.

Enrique has over eight years of experience designing impactful learning and enablement programs across fintech, engineering, and security. He’s also been a university lecturer in software engineering in Peru, the Netherlands, and Canada.

Bringing together technical expertise and behavioral science, Enrique is passionate about helping developers move beyond compliance and build a meaningful, human-centered security culture.

In this episode, we dive into his research paper, “DASP: A Framework for Driving the Adoption of Software Security Practices,” co-authored with five others (all listed in the description). The paper explores how behavioral models like COM-B can drive secure development practices.

We also get into incentives and Enrique’s controversial take on why we shouldn’t call security champions “champions” anymore. He’ll even be put to the test on this topic at the upcoming Elephant in AppSec conference, where he’ll debate it with other panelists.

Dive right in!

Today, I’m joined by Marcos Vinicius Cassel, Application Security Manager at PowerSchool.

With over a decade of experience in the information security space, as a CISSP, ISO 27001 Lead Auditor, and a passionate technologist, Marcos has led security initiatives across multiple industries. 

He also previously led the OWASP Porto Alegre Chapter, and fun fact: we first met while volunteering together at BSides SF!

In this episode, we dive into the real value of certifications in application security, how they can provide structure and credibility, but shouldn’t define a professional’s entire skill set. 

We also unpack the balance between compliance and risk management and between privacy and innovation, and why strong communication between security and engineering teams is more essential than ever.

And with that, get ready to hear Marcos’ opinions.

Dive right in!

Today, I’m joined by Aamiruddin Syed, Senior Product Security Engineer at AGCO Corporation.

Aamiruddin is the author of “Supply Chain Software Security book focusing on AI, IoT, and AppSec” and a recognized advocate for secure development. He’s a frequent speaker at major conferences, including RSA, DEFCON, and Black Hat.

Fun facts: he was once ranked in the top 1% of all TryHackMe penetration testers, and a memorable milestone in his career was delivering a Cybersecurity Awareness talk to officer trainees of the Indian Army.

He’s also a fellow podcaster, co-hosting the CyberGPT Pulse Podcast.

In this episode, we dive into the complexities of software supply chain security, especially the risks introduced by third-party extensions, and how generative AI can strengthen defenses across the supply chain.

We also explore the challenges of data quality when training AI models and discuss why strong governance is essential for secure developer practices.

Dive right in!

Today, I’m joined once again by Tanya Janca for her second appearance on the podcast. Her first episode was a hit, so we figured: why not record another? And the timing couldn’t be better, as Tanya has just embarked on a brand-new chapter in her career this year. In our first conversation, I highlighted many of Tanya’s accomplishments, and she’s only added to the list since then. Most notably, she’s been deeply involved in shaping key components of the newly released OWASP Top 10.In this episode, we dive into the initiatives she’s focusing on in her new solo journey, why she decided to join the OWASP Top 10 team, her mission to create a developer-focused awareness document, and even the unexpected difficulty of naming vulnerabilities for the final list.We also chat about her take on why DevSecOps has started to lose some of its shine. Something she’ll be discussing further at the upcoming Elephant in AppSec conference.Dive right in!