Today, I’m joined by Eitan Worcel, CEO and co-founder of Mobb — an AI Security Assistant that fixes vulnerabilities. With over 15 years of experience in the application security field, Eitan has worn many hats, including developer, product management leader, and now startup founder.

Eitan has also shared his expertise at events such as Black Hat, BSides Las Vegas, and OWASP chapter meetings, where he discussed the application of AI in security and the relationships between developers and security teams.

In today’s episode, we explore whether all bad code should be fixed, the role of AI in code remediation, the challenges developers face in addressing vulnerabilities, and the critical importance of maintaining software quality.

We also touch on the evolution of security tools and their impact on developers' workflows.Dive right in!

Connect with Eitan: https://www.linkedin.com/in/worcel/

Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by

Escape: https://escape.tech  — Modern DAST built to test for business logic 

Mentioned

Mobb.ai - AI Security Assistant That Fixes VulnerabilitiesMatias Madou Of Secure Code Warrior On Embedding Security in Product Design and Development https://medium.com/authority-magazine/matias-madou-of-secure-code-warrior-on-embedding-security-in-product-design-and-development-29bd2f639469

Copilot amplifies insecure codebases https://snyk.io/blog/copilot-amplifies-insecure-codebases-by-replicating-vulnerabilities/

The Hard Thing About Hard Things by Ben Horowitz https://www.amazon.com/Hard-Thing-About-Things-Building/dp/0062273205

Today, I’m joined by Kalyani Pawar, an Application Security Engineer at Zipline and a seasoned AppSec expert with a deep commitment to the startup ecosystem. Beyond her day job, she actively advises startups and VCs on what really matters in application security.

Kalyani is also the co-host of the Application Security Weekly podcast and a speaker at top conferences like DEFCON, BSides SF, and RSA.

She’s been a driving force behind the scenes too, serving on reviewer boards for DEFCON, WiCyS, and several BSides chapters—helping shape high-impact security content for the community.

In today’s episode, we dive into her experience designing security programs from scratch across startups of all stages—and ask the big question: Can ‘Minimum Viable Security’ be the fix to all the AI-fueled chaos in startups?

We also explore how VCs impact security decisions, the role of interns on security teams, and how to tackle the beast of security debt.

Dive right in!

Today, I'm joined by Jamie Scott, a recovering cybersecurity practitioner turned founding product manager at Endor Labs. Previously, Jamie served as Product Manager of Security at Redis, where he was an active open-source contributor, and as DevSecOps Manager at Cygna Healthcare.

Jamie is also a Certified Information Systems & Cloud Security Professional and continues to contribute to the cybersecurity community. He co-authored several benchmarks and volunteers as a consultant for the Center for Internet Security.

In this episode, we dive into the topic of IDE plugins: Do they help you boost your coding security or just hopeful? Jamie has firsthand experience trying to roll out an IDE security program in his career and shares his perspective, leaning more towards the “hopium” side of things. He’s observed that developers often don't proactively use them, which raises the question—are these tools really effective?

Dive right in!

Connect with Jamie: https://www.linkedin.com/in/james-m-scott-iii/

Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers

Mentioned

CIS Benchmark for NGINX: https://www.cisecurity.org/benchmark/nginx

The Challenger Sale: Taking Control of the Customer Conversation: https://www.amazon.com/Challenger-Sale-Control-Customer-Conversation/dp/1591844355

Shannon Lietz (DevSecOps Lead at Intuit) Keynote in 2016 https://www.youtube.com/watch?v=ru11MSYPBBQ

Today, I’m joined by Chris Lindsey, who, at the time of recording, was an AppSec Evangelist at Mend. Formerly an AppSec Architect, Chris brings over 15 years of direct security experience and more than 35 years of leadership in programming, software, solutions, and security architecture.

For several years, Chris built and led an entire application security program, including oversight of security processes, procedures, tools, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.

Chris also is a seasoned speaker and the host of the Secrets of AppSec Champions podcast.

In this episode, we discuss why many still view DAST as a checkbox rather than a critical component of security—and how that perspective is changing, especially with the rise of modern DAST tools. We’ll also explore how to strategically integrate DAST with other tools in your AppSec program.
If you agree with Chris that we need to stop treating DAST like a dessert, this episode is for you.

Dive right in!

This podcast is brought to you by

Escape: https://escape.tech  — Modern DAST built to test for business logic instead of missing headers

Mentioned

Chris’ article on DAST https://www.mend.io/blog/dont-treat-dast-like-dessert/

Alexandra’s interviews with AppSec engineers “What’s wrong with the correct state of DAST” https://escape.tech/blog/what-is-wrong-with-the-current-state-of-dast-feedback-from-my-conversations-with-appsec-engineers/

The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win https://www.amazon.com/-/en/Gene-Kim/dp/0988262592

Secrets of AppSec Champions: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7

Today, I’m joined by someone many of you will instantly recognize — Tanya Janca, also known as She Hacks Purple and a key community leader at Semgrep.

With nearly three decades in IT, Tanya has earned countless awards, including OWASP Lifetime Distinguished Member and Hacker of the Year. She’s spoken on stages around the world and trained thousands of software developers and security professionals along the way.

Her first book was one of the earliest I read on application security — and honestly, her work gets mentioned more than almost anyone else’s by guests, season after season.

Now, with the release of her latest book on secure coding, we dive into a big question: Can we actually expect developers to write secure code? And if so, how do we make secure coding a foundational part of education — not an afterthought? We explore the challenges, the role of governments in promoting security standards, and the mindset shifts needed to get there.

We also touch on Tanya’s passion for community, and how genuinely useful content (which isn’t always a given in security) can make all the difference in helping others learn and grow in AppSec.And with that, get ready to hear Tanya’s opinions.

Dive right in!

Today, I’m joined by Curtis Koenig, a seasoned application security leader managing AppSec programs for global brands. At Gen Inc., he secures all products through CI/CD integration, secure coding, and a bug bounty program. Previously, at Booking.com and Snap Inc., he scaled security operations, enhanced authentication systems, and streamlined compliance processes. With expertise in secure development and threat modeling, Curtis is a recognized authority in enterprise application security.In this episode, we explore how insights from neuroscience align with the decisions developers and security professionals make about securing applications. We also discuss how storytelling through metrics can reduce panic, drive software quality, and foster stronger team dynamics.If you’re looking to learn how an experienced AppSec leader ensures his team’s success through psychology, this episode is for you.Dive right in! Connect with Curtis: https://www.linkedin.com/in/curtisko/Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/This podcast is brought to you byEscape: https://escape.tech — Modern DAST built to test for business logic MentionedIntent based leadership | David Marquet: https://www.youtube.com/watch?v=nzynH2BmoJMThe Tangled Web: A Guide to Securing Modern Web Applications https://www.amazon.fr/Tangled-Web-Securing-Modern-Applications/dp/1593273886Writing Secure Code, Second Edition by Michael Howard, David LeBlanc https://www.amazon.com/Writing-Secure-Second-Developer-Practices/dp/0735617228Crucial Confrontations: Tools for Resolving Broken Promises, Violated Expectations, and Bad Behavior: https://www.amazon.com/Crucial-Confrontations-Resolving-Promises-Expectations/dp/0071446524“Meditations" by Marcus Aurelius: https://www.amazon.com/Meditations-Marcus-Aurelius/dp/1503280462

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room

Today, I’m joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement.

He’s also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out on GitHub and give it a star!

François is a frequent speaker and one of the founders of the NorthSec conference, where he also serves as a challenge designer for the CTF.

In this episode, we dive into the critical topic of supply chain insider threats in open source projects. We discuss the importance of the “trust, but verify” mantra and how the transition from a single maintainer to a team can increase security risks.

If you’re wondering about the future of automated security checks on platforms like GitHub, and the specific vulnerabilities in build pipelines, this episode is for you.And with that, get ready to hear Francois’s opinions.

Dive right in!

Connect with François: https://www.linkedin.com/in/francoisp/

Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by

Escape: https://escape.tech  — Modern DAST built to tests for business logic instead of missing headers

Mentioned

Article “Opening the Pandora’s Box: Supply Chain Insider Threats in Open Source Projects”: https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-threats-in-oss-projects

Russ Cox at ACM SCORED: Open Source Supply Chain Security at Google https://www.youtube.com/watch?v=6H-V-0oQvCA

DEF CON 32 - Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski -> https://www.youtube.com/watch?v=5P7KatZBr_I

NorthSec 2024 talk “Under the Radar: 0-days in the Build Pipeline” https://www.youtube.com/watch?v=4nfsTPEOzHA

Northsec conference https://nsec.io/fr/ 

Poutine security scanner-  detects misconfigurations and vulnerabilities in the build pipelines of a repository:  https://github.com/boostsecurityio/poutine

Dependabot: https://github.com/dependabot 

BoostSecurity ASPM Platform : boostsecurity.io 

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the roomToday, I’m joined by Rachel Curran, co-founder and CEO of Locktivity—a third-party risk management platform. She’s also the former Director of Risk and Compliance and Head of Infosec at Logik Systems.With over a decade of experience leading security and GRC initiatives, Rachel has built SOC 2 and security programs from the ground up, helping companies achieve security maturity. She’s also a frequent speaker at security conferences about this topic. Beyond her work in cybersecurity, Rachel co-hosts @shedoestech, a show dedicated to promoting women in tech and highlighting their career journeys.In this episode, we dive into whether we’re truly managing third-party risks or simply turning a blind eye to key issues. We also explore whether we should force vendors to disclose their vulnerabilities, how to continuously evaluate dependencies on third parties, why adopting an assumed breach posture helps frame due diligence, and why education about third-party risks should be integrated into security awareness programs.

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

Today, I’m joined by Nir Valtman, CEO & co-founder of Arnicaan ASPM platform with a pipelineless approach. Before founding Arnica, Nir led product and data security at Finastra, established security at Kabbage as CISO, and headed application security at NCR.

He’s also a well-known speaker at top security conferences, including Black Hat, Defcon, RSA, BSides, and OWASP.

In this episode, we unpack the reachability hype-why every vendor claiming "we do reachability!" means something slightly different, and what makes Pipelineless Reachability Analysis stand out.

We’ll also discuss why reachability is critical for vulnerability prioritization, plus some eye-opening stats-like why developers prefer scan results in under 30 seconds and how 9% of detected vulnerabilities still make it into production, even after developers are notified on push.

Dive right in!

Connect with Nir: https://www.linkedin.com/in/valtmanir/

Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you byEscape: https://escape.tech — API Security & DAST Platform

Mentioned in the video:

https://www.arnica.io/ - ASPM with pipelineless, developer-native approach

Nir’s Linkedin Post on reachability: https://www.linkedin.com/posts/valtmanir_reachability-appsec-security-activity-7249039515888046080-IrvvHype Cycle for Application Security, 2024: https://www.gartner.com/en/documents/5622191Defining

Reachability - is it just hype? https://pulse.latio.tech/p/reachability-matters-13

Does Reachability Matter? By James Berthoty https://pulse.latio.tech/p/does-reachability-matter

Book: Freakonomics by Steven Levitt & Stephen Dubner: https://www.amazon.com/gp/product/0063032376/ref=as_li_qf_asin_il_tl?ie=UTF8&tag=freakonomic08-20&creative=9325&linkCode=as2&creativeASIN=0063032376&linkId=f70dd7af6a315da4e8d04e7001c8e1d6

Podcast recommendation: Acquired (playbooks that built the world’s greatest companies - and how you can apply them as a founder, operator, or investor) - https://www.acquired.fm/

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

Today, I’m joined by Iman Ilbag, a DevSecOps Engineer at KPN, one of the leading telecom providers in the Netherlands.

Previously, as the sole DevSecOps Engineer at Snappfood, he secured 70+ projects and trained hundreds of security champions. Iman transitioned from engineering to DevOps and Application Security, and has also worked on penetration testing and infrastructure security for both startups and larger enterprises.

He’s passionate about security automation and open-source security, always looking for ways to improve security practices. I was introduced to Iman through a referral from James Berthoty, a previous podcast guest.

In this episode, we dive into why a solid understanding of DevOps is essential before implementing DevSecOps, and how the cultural aspects of security often outweigh the tools themselves.

We also explore the limitations of ASPM tools, the role of Defect Dojo in effective vulnerability management, and why selecting the right security tools is critical for success.

Dive right in!

Connect with Iman: https://www.linkedin.com/in/iman-ilbag/

Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

Mentioned in the video:

DefectDojo: https://www.defectdojo.org/

Escape: https://escape.tech — API Security & DAST Platform

Latio list: https://list.latio.tech/