วีดีโอ

I can resonate with anti-requirements and holistic systems-level security thinking. Great chat!

Can Unified Vulnerability Management Systems function as an ASPM? My thought is no, but I'm curious of what you think

This is quality content

Important topic! Steve has clearly done great work on CycloneDX and Dependency-Track - much appreciated by the community. However, in this interview, I don't believe that he adequately motivated a key use case for SBOM. Here is my attempt: Imagine that you are a CISO and a major vulnerability is released and becomes a global news story. The CIO approaches the CISO with the concern "are we affected by this vulnerability?". At present, many CISOs will have to redirect precious resources to commence a slow, largely manual, process of examining hundreds, or even thousands, of their IT solutions to provide the answers. The goal is for the CISO to always have a complete and current library of SBOMs for all enterprise IT assets, and commitments from their solution providers to rapidly provide VEX reports in response to vulns. If so, there are SBOM solutions (some appear on the site "SBOM.Solutions") that the CISO can use to answer the CIO's question very quickly, and with minimal effort. And if there is exposure, the CISO will know exactly which solution require remediation to minimize the time window for exploitation. Right Steve?

I really appreciate this podcast and I hope it goes on for a long time. It is really good stuff

Thanks for having me on your podcast! It was great chatting with you guys!

Great content! Thx for sharing your experience. I picked up Derek’s book and am looking forward to reading it.

Thank you so much for having me on! Really great discussions!

Great video gentlemen!

Great conversation 🙂 There is a Bachelors degree in Cybersecurity that Western Governors University (WGU) offers. I have it myself. It's a Bachelors of Science Cybersecurity and Information Assurance (BSCIA). They also offer a masters degree. This degree comes with multiple certifications as part of the course work including ISC2 SSCP, CCSP. It does not help with getting a job. I got into product security by having technical skills. Progression: Grocery store stocker, printer repair/salesman (after hours web master and custom ecomm creator for the company), higher ed desktop support, connected vehicle qa engineer -> devsecops engineer, real estate product security analyst->engineer->senior.

Great conversation! Thanks for having me on.

give timelines .

Chris, awesome podcast. In the introductions, the sound is only coming from the left channel (meaning the listeners can hear the sound coming through left ear). When the conversation starts, it becomes ok. I have observed this in a few podcasts.

You guys can't imagine relief I felt on hearing the AI rebuttal at min 41, I work in sales and always think this but can never say it. Another brilliant episode! Thanks gents

Why not do something like Wikipedia? A full on donation campaign every single year with a clear goal? So people know what the goal is and how much of the quota is met. I think that could intice more people to contribute.

This was a brilliant conversation Gents! Thanks for the insights. Greetings from London

Where can we learn to become a prod sec?

great to see Francesco cipollone speaking more and talking ASPM sharing a different perspective on the subject

Absolutely a pleasure 🙏🏻

amazing great podcast. well done

how did you find that password?

your videos are fantastic.. but have some issues and need SEO. then it will give you good results.. also you get a targeted audience.

I'm a purist when it comes to cybersecurity. Went from college to vuln management to appsec, and I feel the same. Product security needs to be the focus from architect to dev to devops to qa even. Appsec can probably be consultative, but I would even say that's more of a service to product security. There's far too few of us, but there are tons of product resources (ie qa, dev, architects, etc) who with just the right education in their respective area, can achieve more. Then it would just be pentesting and consulting from the purist who is cybersecurity

I said to myself "I got lucky" to have caught this on a Friday evening. Should have a ton more likes & comments - inspirational knowledge. Thank you all.

Great video! Eitan is an AppSec pioneer and what he is doing with Mobb is an incredible advancement for appsec!

Excellent guest and the ending was hilarious🤣

Wow wonderful video. All the videos on your channel are fantastic. But your video views are lower. Because your optimization is very poor. Your optimization needs to improve as soon as possible.,...

Verry nice video Sir

14:09 With the amount of GPUs deployed for AI, you can use all that compute time to crack every private key for BTC just by brute force iterating through the bits. 😅 Okay, maybe not that feasible but those H100 accelerators are pretty fast and can parallelize a lot of compute. 😊😅

11:10 - imagine if stdio.h had a vulnerability. 🤣😓🤪

Back in the day your build environment was sanitized and under configuration management. These days with so much dependencies on external packages it is a different world these days.

Wow what an episode. Thank you all for this

The letter of the law but not the spirit.... This is amazing and exactly the way to phrase this.

verry nice video sir

Wow wonderful video. All the videos on your channel are fantastic. But your video views are lower. Because your optimization is very poor. Your optimization needs to improve as soon as possible.,..................,,

Wow what an episode! Thanks for this

I know that's unrelated but Tanya would do a great Amy Winehouse impersonation

Hello, The Application Security Podcast. Just now I visited your channel. Your content is so excellent. But here is a problem: your video SEO score is too weak. That's why your channel is not growing. If you increase your video SEO score then your channel will get an active audience organically. If you want I can help you. Error we found in your TH-cam channel: 1. Title 2. Tags 3. Description 4. End Screens Our Services: 1. TH-cam Channel Optimization 2. TH-cam Video SEO 3. TH-cam Video Promotion 4. TH-cam Channel Monetization Regards, Akash Sarkar CEO at Zillion Ten Agency Digital Marketing, Lead Generation And TH-cam Expert.

Thank you for doing this!

Nice Steve! 👏👏👏

Would love to hear your views on replacing WAF for cloud native apps and plugging the capability gap with CSP native WAF. Is RASP the future or does following good testing and configuration that you describe remove the need? Also the value of tools like Aquasec.

Promo-SM

Really enjoy your videos

Thanks for having me on!

For all appsec engineers and cybersecurity enthusiasts this podcast is full of important insights ❤🎉 glad i found this podcast channel

Very insightful interview! Tony 🔝

What a great talk! Thanks for sharing all this knowledge!

I will definitely pick up this book. I've been the solo appsec analyst at my company and tasked to build out the program. It's daunting. Finally have a 2nd analyst to work alongside

Good

very great discussion