PODCAST · technology
The AppSec Management Podcast
by Dr. Dag Flachet, Dr. Aram Hovsepyan
This podcast is about application security, OWASP and security first compliance. It is targeted at those involved with application security programmes and anyone interested in the frontier of cybersecurity in applications.
-
48
AppSec Management with SAMMY
You can use SAMMY for free at sammy.codific.com
-
47
AI in AppSec, May 2026 Update
This episode looks at the latest developments around AI tools in application security, together with guidance and best practices for this new context.
-
46
Introduction to EU DORA
This is a deep dive into DORA, the EU Digital Operational Resilience Act. For more details refer to the Codific website: https://codific.com/summary-of-dora/
-
45
CRA Standards
This episode covers the EN 40000 series standards that serve as a provisional basis for the CRA horizontal standards. It is a summary of resources collected on complycra.eu; for the full story and presentation please refer to the website: https://complycra.eu/cra-standards/
-
44
Introduction to the Secure Controls Framework
This content is a summary of a deep dive by the Codific team. For the full coverage refer to the article on the Codific Website: https://codific.com/secure-controls-framework-a-comprehensive-overview/
-
43
How to build and manage your appsec program.
This is a summary of interviews published on the Codific website. For the full stories please refer to the Codific website: https://codific.com/codifics-customers-success-stories/
-
42
NIS2 Directive: Everything you need to know
This is a summary of a deep dive by the Codific team. For the full article please refer to the Codific website: https://codific.com/nis-2-directive-compliance-guide-fines-scope/
-
41
NIST SSDF 1.2: an introduction
This is a summary of a deep dive by Aram Hovsepyan. For the full article refer to the Codific website: https://codific.com/nist-ssdf-1-2-explained/
-
40
Women in cybersecurity, what it really looks like, and where you can fit
In this International Women’s Day interview, we speak with Kim Wuyts, a privacy engineer and privacy by design advocate with 15+ years across security and privacy. Kim helped develop LINDDUN, a privacy threat modeling framework, and regularly speaks at international security and privacy conferences.
This conversation is for women who are considering cybersecurity or privacy, women already in tech who want to move into security, and anyone who wants a clearer, more realistic picture of what the work looks like.
What we cover:
- Why cybersecurity is bigger than “super technical” roles
- What the job actually looks like day to day, and why it’s often collaborative and human
- How to start small, pick a lens, and stay curious
- Ways to “taste the field”: meetups, OWASP, short courses, CTFs, and shadowing security or privacy reviews
- The real skill: asking better questions, not knowing everything
- Confidence tips, including “I’ll get back to you” and applying before you feel 100% ready
- Community and mentorship: how to find your tribe
Read the press release here: https://securitybrief.co.uk/story/women-in-cybersecurity-what-it-really-looks-like-and-where-you-can-fit
-
39
Can we do Application Security with AI? An analysis of Claude Code Security.
This episode is based on analysis by Aram Hovsepyan. For the full story refer to his blog post here: https://codific.com/claude-code-security-will-ai-disrupt-application-security/
-
38
Understanding the Cyber Resilience Act (CRA): What Software and Product Companies Need to Know
In this episode, Viktor Lukachyk, Security Manager at Sigma Software, joins Nicolas and Dag from Codific to break down the Cyber Resilience Act (CRA) and what it means for software and digital product companies operating in the EU.
We discuss how CRA fits alongside regulations like NIS 2 and DORA, which products fall into scope, and why CRA is focused on secure by design principles rather than company level compliance.
This episode is a practical discussion for security leaders, product managers, compliance teams, and engineering organizations preparing for CRA and looking for a realistic path forward.
In this conversation, you will learn:
- What the Cyber Resilience Act is and why it matters
- Which products are in scope, and why SaaS is excluded
- CRA product classifications and self assessment versus third party attestation
- Key obligations such as SBOMs, vulnerability management, updates, and risk based security
- Where companies are most likely to struggle with CRA compliance
- The business and operational impact of CRA on product teams
- How OWASP SAMM and other frameworks can help prepare for CRA
- Why documentation, evidence, and structure matter more than ever
- Practical first steps to get started with CRA readiness
-
37
Frameworks and maturity models explained
ISO 27001, NIST CSF, NIST SSDF, the CIS Critical Security Controls. All these things are called frameworks. But what are they really? Why do we need them? And are they only relevant for GRC teams in large organizations? If all your tools show green dashboards, isn’t that enough to claim your software product is secure?
In this episode of AppSec Science I explain why frameworks are essential for systematically managing risk across teams, business units and entire organizations. I map out the full domain of application security, from the broad world of information security all the way down to the most narrowly scoped domain, the software development lifecycle.
One of the key takeaways: compliance almost never leads to real security. Strong security, on the other hand, drastically reduces the effort needed to achieve compliance. And in that space, the best framework to start with is by far OWASP SAMM.
-
36
The Reality of AppSec Risk Management using CVEs and CVSS scores
Many organizations treat Common Vulnerabilities and Exposures, or CVEs, as first class citizens. Some even enforce strict SLAs on CVE remediation times depending on severity scores expressed with the CVSS metric.
The numbers seem to make sense, as they are built on top of real, hard data. Moreover, attackers also have access to this data, so building your complete strategy around vulnerability dashboards appears to make absolute sense.
However, from a scientific perspective there are (at least) two key questions to investigate. First, do all CVEs represent actual security problems that need to be addressed? Second, do all critical severity CVEs equal high risk and need to be addressed immediately?
In this episode of AppSec Science I zoom in on the science of CVEs and their CVSS impact scores.
-
35
The science of security metrics
"If you can’t measure it you can’t improve it." It is hard to argue with that. But here is the catch: what are we measuring, and what are we improving? Measuring the right things right is not rocket science, but it is a science. Common sense might get you so far, but in my experience common sense is failing us. Organizations focus on metrics that are readily produced by tooling, but these turn out to be vanity metrics with little or no correlation with actual security.
In this episode, I unpack the key facts on the science of metrics. I give you a framework that can help you figure out what you are trying to improve and how to measure it. Once you’ve selected your metrics, I help you understand the key qualities that make a metric useful or completely useless.
-
34
What is the cost of a Data Breach?
This episode is based on the IBM Cost of a Data Breach report; for the full data refer to the report: https://www.ibm.com/reports/data-breach
-
33
How to comply with CRA
This episode is based on content from the Codific website. Voices and narrative are AI generated. For full factual accuracy refer to the Codific website: https://codific.com/application-security-insights-and-other-exciting-stories/
-
32
OWASP ASVS, an introduction
This content is based on an article written by Nicolas Montauban. Voices and narrative are AI generated; for full factual accuracy refer to the underlying article: https://codific.com/owasp-asvs-a-comprehensive-overview/
-
31
The New OWASP Top 10: what has changed and why.
This podcast is based on the presentations and press releases of the OWASP and Codific team. For the latest insights check the Codific website.
-
30
Top Application Security Failures at Fortune 500 Companies
This podcast is based on in-depth analysis by Dr. Aram Hovsepyan. Voices and narrative are AI generated. For full factual accuracy refer to the underlying article: https://codific.com/top-application-security-failures-in-fortune-500-companies/
-
29
CVE and CVSS are broken.
This podcast is based on in-depth analysis by Dr. Aram Hovsepyan. Voices and narrative are AI generated. For full factual accuracy refer to the underlying article: https://codific.com/appsec-risk-with-cve-and-cvss/
-
28
Privacy Threat Modeling: Learn all about it from two experts in the field!
Learn more about privacy threat modeling in this blog post: https://codific.com/privacy-threat-mo...
In this podcast we had a very nice conversation with two experts in the field of privacy threat modeling, Kim Wuyts and Aram Hovsepyan. Privacy threat modeling is the process of identifying and assessing potential threats to an individual's personal information. Kim and Aram are experts in this topic and helped to develop LINDDUN, a world-renowned methodology for privacy threat modeling. They helped us understand the importance of privacy threat modeling, how it is carried out in organizations, which frameworks currently exist to facilitate it, and much more!
-
27
SAMM Assessment: Everything you need to know from industry experts
Join us on this podcast as we convene with four leading application security specialists and focus on the assessment aspect of SAMM.
A SAMM assessment is the process of figuring out the current security maturity for a given scope (which can be a team, a business unit or the entire organization). The Software Assurance Maturity Model (SAMM) provides a clear-cut questionnaire with 90 multiple-choice questions and a list of quality criteria that represent the definition of done per question. However, an objective and correct assessment is not as straightforward as it might seem. There are many issues, such as who should conduct the assessment, how to ensure objective scoring, and what both interviewers and interviewees need to prepare in advance.
In this engaging discussion, experts Aram Hovsepyan, Brian Glas, Rob van der Veer, and Maxim Baele discuss the process, practical implementation, best practices, tips and tricks when preparing and conducting SAMM assessments.
Don't miss out on a free OWASP SAMM training led by Aram Hovsepyan: https://codific.com/the-owasp-samm-tr...
CHAPTERS:
0:00 - 7:20 Introductions
7:21 - 18:39 Assessments by self vs internal team vs third party external team
18:40 - 33:56 Interview practicalities
33:57 - 46:51 How to make sure interview answers are truthful
46:52 - 52:09 What shall the interviewee prepare in advance
52:10 - 54:19 Using SAMM for mergers and acquisitions
54:20 - 56:25 How can AI and LLMs help with SAMM assessments
-
26
Embedding Security into the SDLC: How Sign In Solutions uses SAMMY & OWASP SAMM
In this episode, Jason Mordeno, Director of Compliance and Security at Sign In Solutions, shares how his team embedded application security directly into their SDLC using OWASP SAMM and SAMMY.
Discover how Sign In Solutions moved beyond ISO 27001 and SOC 2 checklists to create a behavior-driven, developer-friendly AppSec culture, resulting in improved security maturity, better risk posture, and even reduced cyber insurance premiums. Jason also reveals how SAMMY helps communicate security priorities across teams, making security a seamless part of everyday operations.
Learn how you can build a resilient and scalable AppSec program with SAMMY.
Related success story: codific.com/embedding-security-into-the-sdlc
-
25
An introduction to BSIMM, Building Security in Maturity Model
This content is based on an article written by Nicolas Montauban. Voices and narrative are AI generated. For full factual accuracy please refer to the underlying article: https://codific.com/bsimm-building-security-in-maturity-model-a-complete-guide/
-
24
How to integrate ZAP into GitLab.
This episode is based on an article by Dr. Aram Hovsepyan and Alex Ashkov. Voices and narrative are AI generated. For full factual accuracy refer to the underlying article: https://codific.com/how-to-integrate-zap-in-gitlab/
-
23
AppSec case study: Attendance Radar
This narrative is based on content from the Codific and Attendance Radar websites. For full factual accuracy please refer to the websites: Codific.com and Attendanceradar.com
-
22
Defect Management Best Practices
This content is based on an article written by Nicolas Montauban. Voices and narrative are AI generated; for full factual accuracy refer to the underlying article: https://codific.com/how-to-implement-security-defect-tracking/
-
21
Preparing for CRA
This content is based on an interview with Simon Montete. Voices and narrative are AI generated. For full factual accuracy please refer to the underlying article: https://codific.com/prepare-for-cra/
-
20
OWASP SAMM vs OWASP DSOMM
This content is written by Nicolas Montauban. Voices are AI generated. For full factual accuracy refer to the underlying article: https://codific.com/dsomm-vs-samm
-
19
Introduction to OWASP DSOMM
This content is written by Nicolas Montauban. Voices and narrative are AI generated. For full factual accuracy refer to the article: https://codific.com/owasp-dsomm-a-comprehensive-introduction
-
18
Using ASVS with SAMM.
This content is written by Dr. Aram Hovsepyan: https://codific.com/requirements-driven-testing-the-best-roi-security-practice
Voices and narrative are AI generated. For full factual accuracy refer to the underlying article.
-
17
Software Security Requirements Explained: Why It Matters and How to Implement It Effectively
The content for this podcast is written by Dr. Aram Hovsepyan: https://codific.com/mastering-owasp-samm-security-requirements-explained
Narrative and voices are AI generated; for full factual accuracy refer to the article linked.
-
16
Mistakes to avoid in implementing OWASP SAMM
The content of this episode is written by Dr. Aram Hovsepyan: https://codific.com/how-to-implement-owasp-samm-tooling-example-and-mistakes-to-avoid
Voices and narrative are AI generated; refer to the article for full factual accuracy.
-
15
Stories from practical use of OWASP SAMM
This episode is based on two articles. Voices are AI generated; for full factual accuracy refer to the articles below:
https://codific.com/building-security-into-software/
https://codific.com/implementing-owasp-samm
-
14
How to implement ISO 27001
This episode is based on an article written by Michaella Masters. Voices are AI generated; for full factual accuracy refer to the underlying article: https://codific.com/how-to-implement-iso-27001
-
13
Getting started with the Cyber Fundamentals (Cyfun) framework.
This episode is based on an article written by Aram Hovsepyan. Voices are AI generated. Please refer to the underlying article for full factual accuracy: https://codific.com/what-is-cyfun-and-how-to-implement-it
-
12
How to choose good metrics in AppSec
This episode is based on a conference talk by Aram Hovsepyan at OWASP Global AppSec Barcelona 2025. Voices are AI generated. For full factual accuracy please refer to the underlying article: https://codific.com/security-metrics-with-purpose-and-strategic-impact/
There is also a free course on metrics by Aram Hovsepyan available on Thinkific: https://owaspsamm.thinkific.com/courses/metrics
-
11
Introduction to the SSDLC
This podcast is based on the following article by Nicolas Montauban. Voices are AI generated; for full factual accuracy please refer to the underlying article: https://codific.com/what-is-the-ssdlc-a-guide-to-secure-development
-
10
Implementing OWASP SAMM: A practical guide
This episode is a practical guide to OWASP SAMM. It is based on the following article: https://codific.com/how-to-implement-owasp-samm-tooling-example-and-mistakes-to-avoid/
Voices by Notebook LM.
-
9
What is FISMA and how to comply with it?
This episode is an introduction to FISMA. Voices are by Notebook LM and content is based on the following article: https://codific.com/what-is-fisma-and-how-to-comply-with-it/
-
8
Security's Four Layers: SDLC to Information Security
This episode is about the article by Aram Hovsepyan comparing the different layers in security management: https://codific.com/information-security-and-cybersecurity-understanding-the-layers/
Voices by Notebook LM.
-
7
Contingency planning with NIST 800-34
This episode is a guide to contingency planning with NIST 800-34. Voices are by Notebook LM. Content is from the following article: https://codific.com/nist-800-34-contingency-planning-a-practical-guide-to-resilience/
-
6
NIST 800-53: A practical guide.
This episode is a practical guide to NIST 800-53. Voices are by Notebook LM. Content is based on the following articles:
https://codific.com/how-to-implement-nist-800-53/
https://codific.com/what-is-nist-800-53-a-comprehensive-guide/
-
5
Implementing NIST SSDF
This episode is a complete introduction to NIST SSDF. Voices are by Notebook LM and content is based on this article: https://codific.com/what-is-nist-ssdf-and-how-should-you-implement-it/
-
4
OWASP SAMM a comprehensive introduction.
This is a comprehensive introduction to OWASP SAMM. The voices are by Notebook LM, based on this article by Nicolas Montauban: https://codific.com/owasp-samm-comprehensive-introduction/
Corrections: the correct business functions are:
- Governance
- Design
- Implementation
- Verification
- Operations
-
3
The EU Cyber Resilience Act or CRA
Together with several OWASP experts we analysed the expected impact of the EU CRA regulation, industry readiness, gaps and expected fines. The voices are generated by Notebook LM based on this article: https://codific.com/cra-fines/