• AppSec Builders

  • By: Datadog
  • Podcast
  • Summary

  • AppSec Builders features practical and actionable conversations with application security experts and practitioners. Topics range from understanding and solving classes of vulnerability to building protections that scale efficiently with your business, and core best practices to strengthen your security posture. AppSec Builders is hosted by Jb Aviat, AppSec staff engineer at Datadog, former CTO and co-founder at Sqreen and Apple Red Team member. Contact us at appsecbuilders@datadoghq.com.
    Copyright 2021 Datadog | AppSec Builders powered by Datadog
Episodes
  • Developers vs. Security Training with Jim Manico
    Jul 9 2021
    In this episode of AppSec Builders, Jb is joined by security professional Jim Manico, founder of Manicode Security, to discuss application security, developers, and why they should be trained to build secure applications.
    About Jim: Linkedin: https://www.linkedin.com/in/jmanico Twitter: https://twitter.com/manicode
    Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also the co-founder of the LocoMoco Security Conference and is an investor/advisor for Nucleus Security, BitDiscovery, Secure Circle and Inspectiv. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. He is the author of "Iron-Clad Java: Building Secure Web Applications" (https://www.amazon.com/Iron-Clad-Java-Building-Secure-Applications/dp/0071835881) from McGraw-Hill.
    Transcript
    Intro / Outro: [00:00:02] Welcome to AppSec Builders, the podcast for practitioners building modern AppSec, hosted by Jb Aviat.
    Jb Aviat: [00:00:14] Welcome to this episode of AppSec Builders. I am Jb Aviat and I am honored to welcome Jim Manico, who, on top of being a famous, opinionated security professional, is also the founder of Manicode Security, where he trains software developers in secure coding and security engineering. He is also an investor and advisor for many companies, a frequent speaker on secure coding practices and a book writer with "Iron-Clad Java: Building Secure Web Applications". Jim, why don't you introduce yourself as well?
    Jim Manico: [00:00:50] Jean-Baptiste, it's a pleasure to be on your podcast and your show. And like you said, I'm an opinionated application security professional. I just hope that my opinions are helpful to you and your audience.
    Jb Aviat: [00:01:04] Opinions are always helpful, especially when they are held by smart people. So, yes, definitely. And I'm looking forward to having you share a bit more about that with our listeners. So, Jim, thanks a lot for joining us today. So when we are familiar with your work, we can notice that your primary focus is developers. So you train them, you write books to educate them. You contribute to a lot of OWASP resources around education. Why that focus centered on the developers?
    Jim Manico: [00:01:40] I believe that the application security industry traditionally has primarily been about security testing and dev ops and all these different pieces that are about assessment of the security of an application. And I do not believe that you can achieve security through testing. I believe that the only way to truly do application security is to get developers to build secure software and to utilize tools and techniques and processes that will help developers author secure software. And I believe that our industry places very little focus on that important specialty because it's hard to sell an idea. The idea that you must change your process, you must change your engineering capabilities and similar. It's not something that sells in the marketplace. It's education, which is not a very big part of our industry. So that's why I focus on that, because it's my specialty and it's also my belief. That's how you really do application security: enable developers' capabilities around security in some way.
    Jb Aviat: [00:02:54] And so you've been doing that for a while. What are the big changes that you have witnessed over the past year?
    Jim Manico: [00:03:01] I think the acceleration of dev ops is very interesting. Now, dev ops has been around for 20 years. This is about automation around the building, testing, deploying and other aspects of the SDLC. And we were doing that in the late 90s through a lot of custom scripts and similar. And I think that today there are extremely modern tool sets like Jenkins, GitHub Actions and similar, where I can build a significant security centric...
    39 mins
  • Are Cloud Vendors also Security Vendors? with Sarah Young
    May 14 2021
    In this episode of AppSec Builders, Jb is joined by security architect Sarah Young to discuss cloud security, its evolution, and its increased presence within cloud vendor solutions and platforms.
    About Sarah: Linkedin: https://www.linkedin.com/in/sarahyo16/ Twitter: https://twitter.com/_sarahyo
    Sarah Young is a security architect based in Melbourne, Australia, who has previously worked in New Zealand and Europe and has a wealth of experience in technology working across a range of industry sectors. With a background in network and infrastructure engineering, Sarah brings deep technical knowledge to her work. She also has a penchant for cloud native technologies. Sarah is an experienced public speaker and has presented on a range of IT security and technology topics at industry events both nationally and internationally (BSides Las Vegas, The Diana Initiative, Kiwicon, PyCon AU, Container Camp AU/London, BSides Ottawa, BSides Perth, DevSecCon Boston, CHCon, KubeCon, BSides San Francisco). She is an active supporter of both local and international security and cloud native communities.
    Resources: https://www.cncf.io/ (Cloud Native Computing Foundation)
    Transcript
    [00:00:02] Welcome to AppSec Builders, the podcast for practitioners building modern AppSec, hosted by Jb Aviat.
    Jb Aviat: [00:00:14] Welcome to this episode of AppSec Builders. I'm Jb Aviat and today I'm thankful to welcome Sarah Young, who is a senior program manager in Azure security. Sarah, you're very prolific in this security space, with conferences, the Azure Security Podcast; you're also a CNCF (Cloud Native Computing Foundation) ambassador. Sarah, I'd love to hear more about this.
    Sarah Young: [00:00:38] Thanks! And thank you for having me. Yeah! So many things I could say. So, yeah, I work for Microsoft. So of course, every day I work with Azure and do Azure security, as one would expect. But I've been working in security for, oh, like specifically focusing on security for the last eight or nine years now. Before I joined Microsoft, I worked with other clouds and so I got a fair bit of experience there. But with regards to CNCF, I am, as you said, an ambassador, and although I'm certainly not a developer, I certainly find the security aspect of cloud native stuff really, really interesting. And that's what I enjoy talking to people about.
    Jb Aviat: [00:01:20] Alright. And so one thing you seem to be prolific about is Kubernetes, and Kubernetes is definitely something that has gone through an amazing popularity over the past years and also got a lot of security exposure because it's notoriously complex and difficult to use in a secure way. Do you have any specific thought about that?
    Sarah Young: [00:01:42] Yeah, the specifics we could go into here, and I guess watching Kubernetes over the past two or three years has been really interesting because obviously there are new releases, and every time there's a new release, there are updates and improvements made to it. Obviously, I focused more on that for me. I'm more interested in the security side of it. But it's really interesting if you go from the early days of Kubernetes through to now, how much it's improved. I mean, what are we on now? I think we're on twenty, twenty one or something like that. I forget the exact version. We're up to for releases at the moment. But if you go back to the early days or two, three years ago, there were some major, major security holes in Kubernetes. So there were things, I mean, it didn't support RBAC or role-based access control. So if you don't have role-based access control, you literally can't give people permissions, like everyone just has everything, which is a security person's nightmare. So it's been really good to actually see how it's developed over the years and how the community have addressed those things. Sarah...
    34 mins
  • Shift Everywhere with John Steven
    Feb 10 2021
    In this episode of AppSec Builders, Jb is joined by security expert John Steven to discuss his BSIMM study findings, the fundamental shifts in AppSec, software-defined security governance, and much more.
    About John: Linkedin: https://www.linkedin.com/in/m1splacedsoul/ Twitter: https://twitter.com/m1splacedsoul
    Through his firm Aedify, John advises innovative security product firms as well as maturing security initiatives. John leads one such firm, ZeroNorth, as CTO. For two decades, John led technical direction at Cigital, where he rose to the position of co-CTO. He founded spin-off Codiscope as CTO in 2015. When both Cigital and Codiscope were acquired by Synopsys in 2016, John transitioned to the role of Senior Director of Security Technology and Applied Research. His expertise runs the gamut of software security, from managing security initiatives, to cloud security, to threat modeling and security architecture, to static analysis, as well as risk-based security orchestration and testing. John is keenly interested in software-defined security governance at the cadence of modern development. As a trusted adviser to security executives, he uses his unparalleled experience to build, measure, and mature security programs. He co-authors the BSIMM study and serves as co-editor of the Building Security In department of IEEE Security & Privacy magazine. John is regularly invited to speak and keynote.
    Resources: https://www.bsimm.com/download.html?cmp=pr-sig&utm_medium=referral (Latest BSIMM) https://www.linkedin.com/company/aedifysecurity/ (Aedify Security) https://www.concourselabs.com/ (Concourse Labs)
    Transcript
    [00:00:02] Welcome to AppSec Builders, the podcast for practitioners building modern AppSec, hosted by Jb Aviat.
    Jb Aviat: [00:00:14] So welcome to this episode of AppSec Builders. Today I'm proud to interview John Steven. So, John is the founding principal at Aedify, where he advises product security firms. John, before that, you led ZeroNorth as CTO, and before that you were leading as co-CTO at the Cigital firm. Welcome, John.
    John Steven: [00:00:36] Hello, how are you? Thanks for having me.
    Jb Aviat: [00:00:38] I'm great, thanks for joining. So John, another thing that you've done is that you co-authored BSIMM, so could you let us know what it is and how it can be a useful tool to AppSec builders?
    John Steven: [00:00:50] Yeah, it's worth clarifying because it's frequently misunderstood. The BSIMM is the Building Security In Maturity Model observational study. We went out and over a period of 11 years we've studied about two hundred and over two hundred firms and asked the question, what do you actually do to build your security initiative and to secure your software? And it doesn't prescribe what to do, but you can use it to look at what firms that are within your vertical, or that look similar to you in terms of maturity, are doing with their time and money, and decide whether or not you want to replicate those behaviours or cut your own.
    Jb Aviat: [00:01:29] So you are interviewing CISOs, application security practitioners, developers, like every actor of the security game.
    John Steven: [00:01:38] Yes. Historically, the list has looked like what you described. What was interesting to us about the last two years of this study is that when we began talking with the CISO, they'd say, oh, you need to talk to the VP of Cloud on this, or actually you need to talk to the SREs and to delivery or to the VP of engineering. The people we had to talk to fundamentally changed over the last two years. And that was a key finding that we wrote about this year, that the people doing the work of security were shifting from the security group to the engineering, digital transformation and cloud groups.
    John Steven: [00:02:20] And that's a big deal, right, because there's been these phrases...
    39 mins