Episodes
-
Today, I’m joined by Chris Lindsey, who, at the time of recording, was an AppSec Evangelist at Mend. Formerly an AppSec Architect, Chris brings over 15 years of direct security experience and more than 35 years of leadership in programming, software, solutions, and security architecture.
For several years, Chris built and led an entire application security program, including oversight of security processes, procedures, tools, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.
Chris also is a seasoned speaker and the host of the Secrets of AppSec Champions podcast.
In this episode, we discuss why many still view DAST as a checkbox rather than a critical component of security—and how that perspective is changing, especially with the rise of modern DAST tools. We’ll also explore how to strategically integrate DAST with other tools in your AppSec program.
If you agree with Chris that we need to stop treating DAST like a dessert, this episode is for you.
Dive right in!
This podcast is brought to you by
Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
Mentioned
Chris’ article on DAST https://www.mend.io/blog/dont-treat-dast-like-dessert/
Alexandra’s interviews with AppSec engineers “What’s wrong with the correct state of DAST” https://escape.tech/blog/what-is-wrong-with-the-current-state-of-dast-feedback-from-my-conversations-with-appsec-engineers/
The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win https://www.amazon.com/-/en/Gene-Kim/dp/0988262592
Secrets of AppSec Champions: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7
-
Today, I’m joined by someone many of you will instantly recognize — Tanya Janca, also known as She Hacks Purple and a key community leader at Semgrep.
With nearly three decades in IT, Tanya has earned countless awards, including OWASP Lifetime Distinguished Member and Hacker of the Year. She’s spoken on stages around the world and trained thousands of software developers and security professionals along the way.
Her first book was one of the earliest I read on application security — and honestly, her work gets mentioned more than almost anyone else’s by guests, season after season.
Now, with the release of her latest book on secure coding, we dive into a big question: Can we actually expect developers to write secure code? And if so, how do we make secure coding a foundational part of education — not an afterthought? We explore the challenges, the role of governments in promoting security standards, and the mindset shifts needed to get there.
We also touch on Tanya’s passion for community, and how genuinely useful content (which isn’t always a given in security) can make all the difference in helping others learn and grow in AppSec.
And with that, get ready to hear Tanya’s opinions.
Dive right in!
-
Today, I’m joined by Curtis Koenig, a seasoned application security leader managing AppSec programs for global brands. At Gen Inc., he secures all products through CI/CD integration, secure coding, and a bug bounty program. Previously, at Booking.com and Snap Inc., he scaled security operations, enhanced authentication systems, and streamlined compliance processes. With expertise in secure development and threat modeling, Curtis is a recognized authority in enterprise application security.
In this episode, we explore how insights from neuroscience align with the decisions developers and security professionals make about securing applications. We also discuss how storytelling through metrics can reduce panic, drive software quality, and foster stronger team dynamics.
If you’re looking to learn how an experienced AppSec leader ensures his team’s success through psychology, this episode is for you.
Dive right in!
Connect with Curtis: https://www.linkedin.com/in/curtisko/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by
Escape: https://escape.tech — Modern DAST built to test for business logic
Mentioned
Intent based leadership | David Marquet: https://www.youtube.com/watch?v=nzynH2BmoJM
The Tangled Web: A Guide to Securing Modern Web Applications https://www.amazon.fr/Tangled-Web-Securing-Modern-Applications/dp/1593273886
Writing Secure Code, Second Edition by Michael Howard, David LeBlanc https://www.amazon.com/Writing-Secure-Second-Developer-Practices/dp/0735617228
Crucial Confrontations: Tools for Resolving Broken Promises, Violated Expectations, and Bad Behavior: https://www.amazon.com/Crucial-Confrontations-Resolving-Promises-Expectations/dp/0071446524
“Meditations” by Marcus Aurelius: https://www.amazon.com/Meditations-Marcus-Aurelius/dp/1503280462
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room
Today, I’m joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement.
He’s also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out on GitHub and give it a star!
François is a frequent speaker and one of the founders of the NorthSec conference, where he also serves as a challenge designer for the CTF.
In this episode, we dive into the critical topic of supply chain insider threats in open source projects. We discuss the importance of the “trust, but verify” mantra and how the transition from a single maintainer to a team can increase security risks.
If you’re wondering about the future of automated security checks on platforms like GitHub, and the specific vulnerabilities in build pipelines, this episode is for you.And with that, get ready to hear Francois’s opinions.
Dive right in!
Connect with François: https://www.linkedin.com/in/francoisp/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by
Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
Mentioned
Article “Opening the Pandora’s Box: Supply Chain Insider Threats in Open Source Projects”: https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-threats-in-oss-projects
Russ Cox at ACM SCORED: Open Source Supply Chain Security at Google https://www.youtube.com/watch?v=6H-V-0oQvCA
DEF CON 32 - Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski -> https://www.youtube.com/watch?v=5P7KatZBr_I
NorthSec 2024 talk “Under the Radar: 0-days in the Build Pipeline” https://www.youtube.com/watch?v=4nfsTPEOzHA
Northsec conference https://nsec.io/fr/
Poutine security scanner- detects misconfigurations and vulnerabilities in the build pipelines of a repository: https://github.com/boostsecurityio/poutine
Dependabot: https://github.com/dependabot
BoostSecurity ASPM Platform : boostsecurity.io
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Rachel Curran, co-founder and CEO of Locktivity—a third-party risk management platform. She’s also the former Director of Risk and Compliance and Head of Infosec at Logik Systems.
With over a decade of experience leading security and GRC initiatives, Rachel has built SOC 2 and security programs from the ground up, helping companies achieve security maturity. She’s also a frequent speaker at security conferences about this topic. Beyond her work in cybersecurity, Rachel co-hosts @shedoestech, a show dedicated to promoting women in tech and highlighting their career journeys.
In this episode, we dive into whether we’re truly managing third-party risks or simply turning a blind eye to key issues. We also explore whether we should force vendors to disclose their vulnerabilities, how to continuously evaluate dependencies on third parties, why adopting an assumed breach posture helps frame due diligence, and why education about third-party risks should be integrated into security awareness programs.
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Nir Valtman, CEO & co-founder of Arnica, an ASPM platform with a pipelineless approach. Before founding Arnica, Nir led product and data security at Finastra, established security at Kabbage as CISO, and headed application security at NCR.
He’s also a well-known speaker at top security conferences, including Black Hat, Defcon, RSA, BSides, and OWASP.
In this episode, we unpack the reachability hype: why every vendor claiming "we do reachability!" means something slightly different, and what makes Pipelineless Reachability Analysis stand out.
We’ll also discuss why reachability is critical for vulnerability prioritization, plus some eye-opening stats, like why developers prefer scan results in under 30 seconds and how 9% of detected vulnerabilities still make it into production, even after developers are notified on push.
Dive right in!
Connect with Nir: https://www.linkedin.com/in/valtmanir/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by
Escape: https://escape.tech — API Security & DAST Platform
Mentioned in the video:
https://www.arnica.io/ - ASPM with pipelineless, developer-native approach
Nir’s Linkedin Post on reachability: https://www.linkedin.com/posts/valtmanir_reachability-appsec-security-activity-7249039515888046080-Irvv
Hype Cycle for Application Security, 2024: https://www.gartner.com/en/documents/5622191
Defining Reachability - is it just hype? https://pulse.latio.tech/p/reachability-matters-13
Does Reachability Matter? By James Berthoty https://pulse.latio.tech/p/does-reachability-matter
Book: Freakonomics by Steven Levitt & Stephen Dubner: https://www.amazon.com/gp/product/0063032376/ref=as_li_qf_asin_il_tl?ie=UTF8&tag=freakonomic08-20&creative=9325&linkCode=as2&creativeASIN=0063032376&linkId=f70dd7af6a315da4e8d04e7001c8e1d6
Podcast recommendation: Acquired (playbooks that built the world’s greatest companies - and how you can apply them as a founder, operator, or investor) - https://www.acquired.fm/
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Iman Ilbag, a DevSecOps Engineer at KPN, one of the leading telecom providers in the Netherlands.
Previously, as the sole DevSecOps Engineer at Snappfood, he secured 70+ projects and trained hundreds of security champions. Iman transitioned from engineering to DevOps and Application Security, and has also worked on penetration testing and infrastructure security for both startups and larger enterprises.
He’s passionate about security automation and open-source security, always looking for ways to improve security practices. I was introduced to Iman through a referral from James Berthoty, a previous podcast guest.
In this episode, we dive into why a solid understanding of DevOps is essential before implementing DevSecOps, and how the cultural aspects of security often outweigh the tools themselves.
We also explore the limitations of ASPM tools, the role of Defect Dojo in effective vulnerability management, and why selecting the right security tools is critical for success.
Dive right in!
Connect with Iman: https://www.linkedin.com/in/iman-ilbag/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
Mentioned in the video:
DefectDojo: https://www.defectdojo.org/
Escape: https://escape.tech — API Security & DAST Platform
Latio list: https://list.latio.tech/
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Recently, Opengrep made headlines as a new open-source project based on a fork of Semgrep Community Edition, with the goal of democratizing SAST.
As you know, I'm always ready to dive into controversial topics on The Elephant in AppSec, and this episode is no exception. But before we jump in, full disclosure: I’m staying neutral in this conversation. I’ve had the privilege of collaborating with incredible people on both sides of the discussion, and I’m here to explore all perspectives.
I spoke with the teams behind Opengrep—Arnica, Mobb, Aikido, and Jit—to explore what inspired them to get involved, the feedback they’ve received—both positive and negative—since the launch, and what lies ahead for the project. What will Opengrep look like a year from now?
By the way, if you want to dive deeper into their plans, join the Opengrep Open Roadmap session tomorrow (link in the description) or check out the next version of Opengrep, which will launch next week.
Dive right in!
Mentioned in the video:
Opengrep repo: https://github.com/opengrep/opengrep
Semgrep: https://semgrep.dev/
Opengrep roadmap session. Register here: https://lu.ma/07bivwlz
James Berthoty’s launch article: https://pulse.latio.tech/p/announcing-opengrep
OWASP projects: https://owasp.org/projects/
This podcast is provided by Escape: https://escape.tech
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to be joined by Ashwini Siddhi, Director, Security Engineering at GoDaddy. With a background in electronics engineering, Ashwini discovered her true passion in cybersecurity and has since become a distinguished leader in the AppSec space. Her expertise spans multiple domains, with Threat Modeling standing out as a key area of specialization.
Recently elected to the OWASP Foundation’s Board of Directors, Ashwini is not just a technical expert—she’s also a dedicated advocate for women in cybersecurity. She actively mentors aspiring security professionals through organizations like WiCyS and beyond.
In this episode, we explore whether there is a secret to mastering threat modeling at scale, how AI is revolutionizing threat modeling, and the necessity of building a unified threat modeling program across organizations.
We also discuss why mentorship is essential for developing the next generation of security professionals. If you're an experienced leader looking for valuable insights on guiding and supporting emerging talent in cybersecurity, this episode is for you!
Dive right in!
Escape: https://escape.tech
Mentioned in the video:
Threat Modeling at Scale WhitePaper: https://safecode.org/wp-content/uploads/2023/06/Threat_Modeling_at_Scale_6.21.23.pdf
Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/
OWASP Threat Modeling Project: https://owasp.org/www-project-threat-model/
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Irfaan Santoe, a seasoned security leader who has worn many hats—from CISO to Global Head of Application Security, and now Founder and CTO of RiskApp.
Beyond his leadership roles, Irfaan is a dedicated community builder. He leads the OWASP Netherlands Chapter, created the OWASP Security Champions Guide, and co-hosts the re:invent security podcast, a live in-person show where industry leaders share how they’re reshaping security.
In this episode, we tackle a big and often uncomfortable question: Can we actually quantify the ROI of AppSec?
Security leaders are constantly pushed to justify their budgets, but when it comes to application security, how do we measure success? Are we tracking the right metrics, or just playing a numbers game? We’ll also discuss:
- The hidden costs of delaying AppSec and why technical debt is a silent killer
- How security leaders can sell AppSec to executives and actually secure budget
- The challenge of measuring AppSec effectiveness—what metrics actually matter?
If you’ve ever struggled to prove the value of security initiatives—or just want a fresh perspective on AppSec priorities—this episode is for you.
Connect with Irfaan: https://www.linkedin.com/in/irfaansantoe
Connect with Alexandra: https://fr.linkedin.com/in/alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech
Re-invent security: https://re-inventsecurity.com/
RiskApp: https://www.riskapp.com/
OWASP Security Champions Guide: https://owasp.org/www-project-security-champions-guidebook/
The CISO’s Guide for Implementing DevSecOps in the Enterprise: DevSecOps Visions from 10 European Information Security Leaders: https://www.amazon.co.uk/CISOs-Guide-Implementing-DevSecOps-Enterprise/dp/9464807571
How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by a true force in cybersecurity. With over a decade of experience, Confidence Staveley has dedicated her career to helping organizations build secure, innovative products. She’s the founder of MerkleFence, where she serves as Director of Application Security for various companies, and the author of the Amazon bestseller API Security for White Hat Hackers.
Confidence is known for making cybersecurity concepts accessible to diverse audiences, as seen in her popular YouTube series, "API Kitchen" @SisiNerdTV, where she uses culinary metaphors to explain API security. A globally recognized leader and speaker, she’s earned accolades like Cybersecurity Woman of the World 2023, while empowering teams to innovate securely.
She also leads the CyberSafe Foundation, a groundbreaking NGO focused on building a digitally inclusive and secure Africa.
In this episode, we explore why proactive strategies like ethical hacking are essential, how organizations can protect against the growing risks of insecure APIs, and why compliance alone isn’t enough.
Confidence shares her 2024 insights into API security, from third-party integration challenges to gaps in frameworks like the OWASP API Security Top 10, while emphasizing the importance of making security actionable for both leaders and developers.
With that, get ready to hear Confidence’s opinions. Dive right in!
Connect with Confidence: / confidencestaveley
Connect with Alexandra: / alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech — API Security & DAST Platform
MerkleFence: https://merklefence.com/
API Security for White Hat Hackers: https://www.amazon.com/API-Security-W...
CyberSafe Foundation — Confidence’s NGO dedicated to creating a digitally secure and inclusive Africa: https://www.cybersafefoundation.org/
OWASP API Security Top 10: https://owasp.org/API-Security/editio...
Recommended books:
1. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg
2. Talking to Strangers by Malcolm Gladwell
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Izar Tarandach, a Senior Product Security Architect with extensive security experience at Datadog, Squarespace, and several other companies. Izar is also a renowned speaker and the co-author of Threat Modeling: A Practical Guide for Development Teams by O'Reilly. He’s a member of the Threat Modeling Manifesto Group and the leader behind the OWASP pytm Pythonic framework for threat modeling tool.
Izar is also a fellow podcaster, and I hope we get to flip roles one day!
In this episode, we discuss why perfectionism can hinder effective threat modeling and how Izar believes we need to strike the right balance between automation in threat modeling tools and human insight. We also explore the challenges of measuring the effectiveness of threat modeling and why metrics should focus on qualitative insights rather than just quantitative data.
If you agree with Izar’s perspective that a dev-centric approach to threat modeling can enhance security practices and want to learn how to implement security reflexes in your engineering teams—this episode is for you!
With that, get ready to hear Izar’s opinions.
Dive right in!
Connect with Izar: https://www.linkedin.com/in/izartarandach
Connect with Alexandra: https://fr.linkedin.com/in/alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech
Threat Modeling: A Practical Guide for Development Teams https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553
Threat Modeling Manifesto Group: https://www.threatmodelingmanifesto.org/
OWASP pytm: https://owasp.org/www-project-pytm/
Security Table podcast: https://securitytable.buzzsprout.com/
Tanya Janca's Mentorship Monday, follow Tanya on X: https://x.com/shehackspurple
OWASP Meet the Mentor https://sf.globalappsec.org/mentor-mentee/
Threat Modeling: Designing for Security : Shostack, Adam: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
Brook Schoenfield’s Threat Modeling Methods: https://brookschoenfield.com/?page_id=341
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Koen Hendrix, Director of Product Security at Zendesk. With over a decade of experience in the tech and gaming industries, Koen has been instrumental in building and scaling global security teams, integrating security into agile environments, and driving innovation in product security processes. Known for fostering strong relationships with global Product and Engineering leaders, he brings a wealth of expertise to today’s conversation.
In this episode we discuss why non-negotiable security practices must be clearly communicated to teams and where Koen thinks we need to draw the line between "secure enough" and "perfect security". We also explore how change management has become a significant challenge in security and discuss why implementing secure-by-design principles requires gradual, step-by-step improvements.
If you agree with Koen’s perspective that collaboration is often overlooked in favor of tools and want to learn how to implement it effectively—this episode is for you!
-
Today, I'm joined by Akira Brand, the AVP of Application Security at PRA Group. With nearly five years of experience in the security space, Akira has a diverse background, starting as a Developer Relations Engineer and transitioning into an Application Security role.
Passionate about education and Infosec, Akira has established herself as a distinguished public speaker, co-hosting the AppSec Weekly Podcast for several years and sharing her expertise as a cybersecurity instructor at Katilyst.
Akira is also a professional opera singer. You can hear her singing at her Elephant in AppSec conference talk!
In this episode, we discuss the maturity level organizations need to achieve before hiring their first application security engineer, the latest AppSec hiring trends, and her insights on DAST from her time at a DAST vendor organization. We also touch on how early exposure to puzzles helps kids develop problem-solving skills and set the stage for a career in engineering.
Dive right in!
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, we’re joined by Raunaq Arora, Lead Application Security Engineer at Chipotle. Raunaq’s journey into security was almost accidental, starting as a developer who quickly developed a knack for breaking and building secure applications. Now, his expertise lies in securing Kubernetes environments at scale and aligning security strategies with business priorities. Last year, he took the RSA Conference stage to share how his team built a secure Kubernetes environment by integrating CIS controls into SDLC pipelines—turning security into the perfect burrito recipe.
In this episode, we tackle the ever-growing adoption of Kubernetes and ask the hard questions: Are we racing to deploy this shiny technology while ignoring its massive security risks? Are organizations blindly treating Kubernetes like a “silver bullet,” leaving their infrastructure vulnerable? Raunaq doesn’t hold back as we explore the tools and practices needed to cut through the hype and address the real challenges of Kubernetes security.
Dive right in!
Useful repos: https://ramitsurana.github.io/awesome-kubernetes/
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m excited to have Alina Yakubenko on the show. Alina, Senior Application Security Engineer at Toast, Inc and former developer and QA Engineer, is dedicated to empowering developers to integrate security into their everyday practices. Passionate about building a culture of security awareness, she works to ensure that security is a core component of development processes, helping teams build safer, more resilient applications.
In this episode, we dive into a thought-provoking question: is it truly realistic to see everyone as the greatest ally in security? We also explore the critical role of making security champions self-sufficient—especially in rapidly scaling organizations.
If you're a strong advocate for security champion programs and want to learn how to scale them effectively, this episode is for you.
Dive right in!
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome a true expert in DevSecOps, Timo Pagel! With over 20 years of experience in security strategy, web development, and DevSecOps architecture, Timo brings a wealth of knowledge to the table. As a freelance consultant and university lecturer, he’s passionate about training the next generation of AppSec professionals while actively contributing to the Open Source community as the leader of the OWASP DevSecOps Maturity Model (DSOMM) project: https://dsomm.owasp.org/
In this episode, Timo and I dive deep into the critical differences between popular maturity models like DSOMM and SAMM, uncover why a one-size-fits-all approach to maturity frameworks often fails, and explore the unique challenges of implementing DSOMM in startups versus large enterprises. Along the way, we tackle controversial topics like the shortcomings of many AppSec tools and whether security teams are being set up for failure by immature solutions.
Dive right in!
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Jesus Cuadrado to the show! Jesus is the Chief Product Officer at Xygeni, an ASPM platform focused on improving software supply chain security. With over a decade of experience in product management, he’s now leading the charge in creating user-friendly security tools while tackling critical challenges like ensuring reliable software updates and integrating zero-trust principles into product strategies.
In this episode, we’ll dive into the intersection of product management and security, unpacking the role of software composition analysis in mitigating library risks, the use of open-source packages, and strategies for ensuring their security.
Whether you’re curious about breaking into product management in security or want a product manager’s perspective on building effective security solutions, this episode has something for you.
Dive right in!
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Michael Tayo to the show! As the Information Security Lead at EDX Markets, Michael advises C-suite leaders and drives strategies to protect critical infrastructure in institutional crypto markets. With prior roles in Financial Services and Tempus AI, Michael brings a wealth of experience in cloud security and risk management. He’s also the founder of CyberSHIELD, a platform empowering security professionals with training and resources, and The Ghetto Flower, a creative agency uplifting underrepresented talent.
In this episode, Michael and I explore differences in security testing for on-premise and cloud environments, the importance of asset visibility and risk assessment for hybrid cloud migration, and how DevSecOps practices thrive with leadership buy-in and team collaboration.
Plus, we discuss how to use security data to tell compelling stories and provide meaningful insights to stakeholders.
Dive right in!
-
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to welcome Magdalena Modric to the show! Magdalena is an AppSec Program Strategist at Secure Code Warrior, where she’s been empowering developers in the German-speaking market to build secure applications since 2018.
Beyond her professional expertise, Magdalena is also a talented violinist—a wonderful reminder of how many AppSec professionals channel their passion into music and creativity outside of work.
In this episode, Magdalena and I dive into the critical role of Security Champion programs in scaling security efforts effectively. We explore why metrics should focus on business outcomes rather than just training participation, and whether cultural factors are the secret ingredient to successful security practices.
And much more! If you’re interested in specific stories of companies that introduced security champion programs and scaled them, this episode is for you.
Dive right in!