PODCAST · technology
The Elephant in AppSec
by The Elephant in AppSec
Time to discuss AppSec issues no one talks about.
-
88
The Lethal Trifecta or why your AI agent knows too much - Jason Fernandes
Today, I’m joined by Jason Fernandes, VP of security and privacy at Mercari, the Japanese-born global marketplace now spanning e-commerce, FinTech, and crypto. It is this rare combination that puts him at the intersection of some of the strictest regulatory environments in tech. He oversees everything from product and platform security to threat detection, privacy, and, since last year, AI security and AI governance.

In this episode, we also talked about the challenges of AI governance, the lethal trifecta for AI agents, the confused deputy problem, and how to justify AI security investments to the leadership and working with FinOps teams. And much more! Dive right in!

This podcast is brought to you by Escape: https://escape.tech — Offensive security for the teams that are 100x outnumbered, combining Attack Surface Management, business-logic-aware DAST and AI pentesting solutions.

Mentioned
FACADE (Google's internal fraud detection model): https://arxiv.org/abs/2412.06700
Meta, Practical AI Agent Security (Rule of Two): https://ai.meta.com/blog/practical-ai-agent-security/
Simon Willison, The Lethal Trifecta: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
Hiroki's AI Security blog (Mercari): https://hi120ki.github.io/blog/posts/20260103/
Anthropic, Project Vend: https://www.anthropic.com/research/project-vend-2
-
87
25 years of the same problem in Application Security - Sam Stepanyan
Today, I’m joined by Sam Stepanyan, an OWASP Global Board member and an OWASP London Chapter Leader. Sam is an Independent Application Security Consultant and Security Architect with over 20 years of experience in the IT industry.

Sam has worked for various financial services institutions in the City of London, specialising in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems.

In this episode, we explore why, despite OWASP being around for over 25 years, many developers are still unaware of it—and why shifting focus toward developer conferences might be key to spreading security knowledge more effectively.

We also discuss the impact of AI on modern security practices, the growing role of automated penetration testing tools, and how even small changes—like adding the word “secure” to a vibe coding prompt—can help nudge developers toward more security-conscious decisions.

Dive right in!

This podcast is brought to you by Escape: https://escape.tech — Offensive security for the teams that are 100x outnumbered, combining Attack Surface Management, business-logic-aware DAST and AI pentesting solutions.
-
86
Should security belong in every AI strategy meeting? with Amol Deshpande
Today, I’m joined by Amol Deshpande, a seasoned security engineer currently at Stripe, where he focuses on building secure systems at massive scale. With a background spanning product security and penetration testing at companies like Salesforce, Splunk, and Early Warning, Amol brings deep hands-on experience in securing complex, real-world platforms. He’s also been a HackMIT judge and a long-time CTF competitor at DEF CON, giving him a very practical view of modern security challenges.

In this episode, we cover whether security must now belong in every AI strategy meeting, and how to embed it into AI development from the outset.

We also touch on how privacy concerns will only grow as agents are trained on sensitive data, and why human oversight is essential for critical AI operations.

Dive right in!
-
85
What Mindset Shift Developers Need to Break Into Security? with Aleksandra Kornecka
Today, I’m joined by Aleksandra Kornecka, a security engineer with a global mindset. She recently transitioned from Senior AppSec Engineer to Cloud Infrastructure Security Engineer, and has a background in software testing and cognitive science — a combination that gives her a unique take on both the technical and human sides of security.

As a member of the OWASP Security Champions Guide and the project's Artifact stream, Aleksandra has also put effort into collecting templates, documents, and other artifacts useful for building a security champions program.

In this episode, we dive into the mindset shift developers need to successfully break into security, and why security champions are critical for scaling security awareness across organizations.

We also explore how curiosity fuels a lasting passion for security, and unpack why Zero Trust is often misunderstood and overhyped.

Dive right in!
-
84
Is the AI–API interaction the biggest security blind spot? with Gowtham Sundar
Today, I’m joined by Gowtham Sundar, a Senior Lead Engineer - 3A Security (AI and API included, as you can guess) at SPH Media and a seasoned AppSec leader with over a decade of experience across enterprise security, penetration testing, and secure product development.

In this episode, Gowtham brings a real practitioner’s point of view on what it actually takes to secure AI systems. We dive into why APIs are at the heart of AI, why securing them is non-negotiable, and why automated API discovery is becoming critical for governance as systems scale.

We also talk about how AI security is evolving at lightning speed, sometimes changing week by week, and what that means for security teams trying to keep up.

And with that, get ready to hear Gowtham’s opinions. Dive right in!
-
83
What best drives the adoption of secure software practices? with Enrique Larios Vargas
Today, I’m joined by Enrique Larios Vargas, a Security and Learning Specialist at Adyen.

Enrique has over eight years of experience designing impactful learning and enablement programs across fintech, engineering, and security. He’s also been a university lecturer in software engineering in Peru, the Netherlands, and Canada.

Bringing together technical expertise and behavioral science, Enrique is passionate about helping developers move beyond compliance and build a meaningful, human-centered security culture.

In this episode, we dive into his research paper, “DASP: A Framework for Driving the Adoption of Software Security Practices,” co-authored with five others (all listed in the description). The paper explores how behavioral models like COM-B can drive secure development practices.

We also get into incentives and Enrique’s controversial take on why we shouldn’t call security champions “champions” anymore. He’ll even be put to the test on this topic at the upcoming Elephant in AppSec conference, where he’ll debate it with other panelists.

Dive right in!
-
82
Why AppSec Needs More Than Just a Checkbox ⎢ Marcos Vinicius Cassel
Today, I’m joined by Marcos Vinicius Cassel, Application Security Manager at PowerSchool.

With over a decade of experience in the information security space, as a CISSP, ISO 27001 Lead Auditor, and a passionate technologist, Marcos has led security initiatives across multiple industries. He also previously led the OWASP Porto Alegre Chapter, and fun fact: we first met while volunteering together at BSides SF!

In this episode, we dive into the real value of certifications in application security: how they can provide structure and credibility, but shouldn’t define a professional’s entire skill set. We also unpack the balance between compliance and risk management and between privacy and innovation, and why strong communication between security and engineering teams is more essential than ever.

And with that, get ready to hear Marcos’ opinions. Dive right in!
-
81
The Supply Chain Crisis We Created: How AI, Extensions, and Dependencies Became the New Attack Surface with Aamiruddin Syed
Today, I’m joined by Aamiruddin Syed, Senior Product Security Engineer at AGCO Corporation. Aamiruddin is the author of “Supply Chain Software Security book focusing on AI, IoT, and AppSec” and a recognized advocate for secure development. He’s a frequent speaker at major conferences, including RSA, DEFCON, and Black Hat.

Fun facts: he was once ranked in the top 1% of all TryHackMe penetration testers, and a memorable milestone in his career was delivering a Cybersecurity Awareness talk to officer trainees of the Indian Army.

He’s also a fellow podcaster, co-hosting the CyberGPT Pulse Podcast.

In this episode, we dive into the complexities of software supply chain security, especially the risks introduced by third-party extensions, and how generative AI can strengthen defenses across the supply chain.

We also explore the challenges of data quality when training AI models and discuss why strong governance is essential for secure developer practices.

Dive right in!
-
80
Why AppSec Is breaking: Vibe Coding, DevSecOps backlogs & the new OWASP Top 10 (with Tanya Janca)
Today, I’m joined once again by Tanya Janca for her second appearance on the podcast. Her first episode was a hit, so we figured: why not record another? And the timing couldn’t be better, as Tanya has just embarked on a brand-new chapter in her career this year. In our first conversation, I highlighted many of Tanya’s accomplishments, and she’s only added to the list since then. Most notably, she’s been deeply involved in shaping key components of the newly released OWASP Top 10.

In this episode, we dive into the initiatives she’s focusing on in her new solo journey, why she decided to join the OWASP Top 10 team, her mission to create a developer-focused awareness document, and even the unexpected difficulty of naming vulnerabilities for the final list.

We also chat about her take on why DevSecOps has started to lose some of its shine, something she’ll be discussing further at the upcoming Elephant in AppSec conference.

Dive right in!
-
79
Secure by Design: Who’s Really Responsible? with Abhijeth Dugginapeddi
Today on the show, I’m joined by Abhijeth Dugginapeddi, Director of Offensive Security at Palo Alto Networks. Before this, he built and led product and cloud security at BigCommerce, and worked on application security at Commonwealth Bank and Adobe.

Abhijeth is deeply passionate about giving back to the community. He’s taught advanced web application security at UNSW, mentored through multiple outreach programs, and recently launched his first LinkedIn Learning course, “Practical Secure by Design”. He’s also been recognised in the Hall of Fame at companies like Google, Yahoo, and others for uncovering serious vulnerabilities across their platforms.

In this episode, we get into the idea and the principles of secure by design, who should own it, and why security culture matters so much. We also talk about IPO readiness from a security perspective, and the real-world challenges startups face when trying to build security in.

Dive right in!
-
78
The Pressure of Security Leadership: What SLAs Actually Work? with Terry O'Daniel
Today, I’m excited to be joined by Terry O’Daniel, former global head of security at Amplitude, Instacart, and Netflix, and a trusted advisor in the security space. Terry thrives in high-growth environments and loves tackling complex challenges.

With a strong background in engineering and security, he builds teams that focus on solving security problems at scale through automation and instrumentation.

Terry is also a frequent public speaker and passionate advocate for product security. And recently, he joined Harvard as the Head TA for Security Lifecycle Threats.

In this episode, we break down how SLAs enforce real accountability, why security leaders are constantly under pressure, and why ignoring identity and data structures is a recipe for failure. We also discuss how operating under pressure can surprisingly lead to better decision-making, and what the future of product security will look like.

Dive right in!
-
77
Can We Make AI Agents Smarter Than Security Teams? with Anshuman Bhartiya
Today, I’m excited to welcome Anshuman Bhartiya, an AppSec tech lead at Lyft. Before that, he worked as a security engineer at companies like Thirty Madison, Intuit, and Atlassian.

Anshuman is also a fellow podcaster and co-host of the Boring AppSec podcast, alongside one of my previous guests, Sandesh Mysore Anand.

Recently, he’s been experimenting extensively with building AI agents for both offensive and defensive security, and he’s documenting his findings at anshumanbhartiya.com (link in the description).

In this episode, we dive into the challenges of building effective AI agents, the impact of AI on security practices, and the importance of understanding AI outputs and avoiding confirmation bias.

We also touch on the ongoing debate of build versus buy solutions and explore where the future of AI in security might be headed.

Dive right in!
-
76
Why DevSecOps isn't enough without deep cloud context with Anjali Singh Shukla
Today I’m joined by Anjali Singh Shukla, Senior Security Engineer Cloud at Flipkart. She bridges the worlds of Cloud Security and DevSecOps, having led audits and defense strategies across AWS, Azure, and GCP, with a strong focus on Kubernetes and container security. Beyond building secure pipelines, Anjali designs training programs and speaks at global conferences like Black Hat and OWASP. Most recently, at OWASP AppSec Days Singapore, she showed how attackers exploit AWS EKS misconfigurations and how to defend against them.

In this episode, we dive into why DevSecOps alone isn’t enough without a deep understanding of cloud, and the risks that come with moving fast in modern deployments. Anjali also shares her perspective on securing multi-cloud environments and weighs in on the industry’s buzz around CNAPP, CSPM and ASPM convergence.

And with that, get ready to hear Anjali’s opinions.
-
75
Decoding a Healthy Security Program: What Does "Healthy" Even Mean? with Maxwell Zhou
Today, I’m joined by Maxwell Zhou, the Founding Partner of PolarStar Cybersecurity Group, a cybersecurity firm focused on helping fintech organizations strengthen their product security. Throughout his career at Greenlight, Visa, and T-Mobile, Maxwell has specialized in penetration testing, vulnerability assessments, and secure coding practices. He’s particularly excited about building world-class security programs that scale with hyper-growth organizations.

In this episode, we discuss one of Maxwell’s articles on the traits of healthy security programs, diving into what “healthy” really means. We also explore the concept of security debt, how it can lead to increased incidents over time, and the importance of having a pentesting background when it comes to understanding which vulnerabilities truly matter.

Dive right in!
-
74
Why SAP Security Can be a Hidden Weakness for Enterprises with Oumaima Baira
Today, I’m joined by Oumaima Baira, Director of Enterprise Security at Deloitte. With nearly a decade of experience, she’s helped organizations strengthen their defenses — from DevSecOps and SAP application security to enterprise-wide security strategy. She began her career in cloud engineering before moving into cyber consulting, and quickly rose through Deloitte’s leadership ranks, blending deep technical expertise with strategic vision.

Beyond her professional roles, Oumaima is an active member of the cybersecurity community. She often takes part in OWASP France chapter meetups, where we met, and international OWASP and cyber events, sharing insights and learning from peers. She’s also a passionate advocate for women in cybersecurity, inspiring the next generation of cyber leaders to step confidently into the field.

In this episode, we explore the unique challenges and security risks of SAP systems — a business management and automation platform relied on by countless global organizations. We discuss why understanding business logic is critical to application security, and why this is especially important when it comes to securing SAP. Oumaima also shares her perspective on global differences in security maturity and offers practical advice on preparing for crisis management with efficiency.

Dive right in!
-
73
Latin America’s AppSec Culture: What’s Lost (and Found) in Translation?
Today, I’m joined by Max Alejandro Gómez-Sánchez Vergaray, Defensive Cybersecurity Manager at Banco de Crédito BCP. With a background in software engineering, Max transitioned into AppSec and has become a leading voice in promoting DevSecOps awareness and building robust AppSec programs using SAMM across Latin America and beyond. He actively contributes to OWASP projects like Cornucopia and regularly offers free workshops in Spanish on secure design for digital products. If you’d like to join a future session, check out the link below!

In this episode, we dive into AppSec in Latin America, with a focus on Peru’s unique cybercrime laws and their impact on security awareness. Max shares insights on the cultural challenges in cybersecurity training, the complexities of translating frameworks like Cornucopia, and what can get lost in translation. We also explore building connections in remote teams and what global developers can learn from Latin America’s approach.

Dive right in!
-
72
OWASP SAMM vs BSIMM: Which Maturity Model Reigns Supreme?
Today, I'm joined by Nariman Aga-Tagiyev, a seasoned cybersecurity architect and threat modeling coach, bringing over two decades of experience in the software development industry. As the founder of SecureHabits, he’s on a mission to help software manufacturers mature their secure software development lifecycle.

Nariman is a familiar face at OWASP Netherlands Chapter events and an active contributor to projects like OWASP SAMM and the Security Champions Maturity Model. His work bridges the gap between theory and practice, empowering teams to build security into their culture - not just their code.

In this episode, we dive into a memorable "battle" Nariman had at the RSA conference, where he argued both sides of the SAMM vs. BSIMM debate—mostly with himself, after BSIMM expert Caroline Wong couldn’t attend. We also explore why organizations often skip the foundational steps before rushing to buy security tools, why true maturity is so rare, and what new regulatory frameworks like the Cyber Resilience Act mean for businesses in the EU.

Dive right in!
-
71
Security Culture: When Are We Really Creating Change? with Marisa Fagan
Today, I'm joined by Marisa Fagan, a lifelong community builder and security culture enthusiast. As the Head of Product at Katilyst, Marisa leads the development of security champion programs that empower Security Champions to drive cultural change.

Previously, she served as Head of Trust Culture & Training at Atlassian and has managed security programs at Synopsys, Salesforce, and Meta.

Marisa is also an active contributor to the OWASP Security Champions guide.

In this episode, we'll dive into some of the questions Marisa didn’t have time to cover in her talk at BSides San Francisco. We'll also explore how security culture programs must be tailored to different teams to succeed, how to reboot struggling programs (often caused by disengaging training content), and why passion often outweighs technical skills for roles like these.

Dive right in!

And check out: https://www.katilyst.com/top10blunders
-
70
Security Wins Only When Institutionalized – Here’s Why!⎜Kevan Bard
Today, I'm joined by Kevan Bard, Director of Product Security at Morningstar. With 20 years of experience in information security, Kevan has helped shape security practices across various organizations. He’s passionate about building blue team careers, with a focus on recruiting, mentoring, and staff development.

When not busy cultivating kaizen, emotional intelligence, secure coding practices, and data privacy principles, Kevan enjoys building community and capturing the world through his lens.

In this episode, we explore why security needs to be institutionalized to win, and how the role of Product Managers should evolve to integrate security into their processes. We’ll also discuss why storytelling is crucial in security education, and why the term ASPM is overrated—particularly because its true value isn’t being marketed effectively, especially in one-pagers that focus too heavily on bold claims.
-
69
Why Your Security Program Might Be Failing Before It Even Starts with Sean Finley
Today, I’m joined by Sean Finley, an experienced Information and Application Security leader with deep expertise in AppSec, security operations, vulnerability management, and governance.

Sean’s AppSec career started at GEICO, one of the most recognizable names in U.S. insurance. He made the leap from business analyst to the company’s very first AppSec engineer, teaching himself everything along the way.

In this episode, we explore what inspired that transition, how to spot red flags that doom security programs before they start, and why Sean believes there are far better investments than SAST.

We also dive into his approach for working with engineering teams, especially when their initial designs could put the organization at risk, and how to turn “no” into a “secure yes.”

Dive right in!
-
68
The Future of Pentesting: Can AI Replace Human Expertise?
Today I’m joined by Jyoti Raval, a security leader with a diverse background across consulting, product security at Qualys and Harness, and now serving as Director of Cyber Security Engineering at Baker Hughes.

Jyoti is a passionate pentester and international speaker. She’s also the author of Phishing Simulation and MPT: Pentest in Action, and has discovered multiple CVEs.

Beyond her technical expertise, Jyoti is committed to empowering women in cyber through InfosecGirls and leads the OWASP Pune chapter.

We dive deep into the future of pentesting, exploring whether AI can truly replace human expertise or if manual assessments are still essential for context understanding. Jyoti also shares valuable insights on the mindset shift needed when transitioning into security leadership and how to navigate that challenge.

Dive right in!

Connect with Jyoti: https://www.linkedin.com/in/jyoti-raval-61565157/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
-
67
How to Fix the Lack of Clear Guidance in Building Effective Security Programs | Luís Fontes
Today's episode features Luís Fontes, who, after five years working with various technologies as a full-stack developer, transitioned to the AppSec world. Luís worked as an AppSec engineer at major companies like Checkmarx and then moved to IOVLabs (RSK) and the cryptocurrency space. Nowadays, Luís works at Xapo, a crypto bank, and is an expert in both product security and blockchain security.

In today’s conversation, Luís explains why he believes we still lack clear guidance on how to build and manage effective security programs, and how he decided to create a guide to address this issue.

He also shares insights into the complexities of blockchain security and the importance of understanding business logic. Plus, we’ll discuss why he thinks SBOMs are overrated.

Dive right in!

Luís's guide: https://luisfontes19.github.io/orgsec-guide/index.html
-
66
AI Security: Do You Need a Dedicated Vendor? | Insights with James Berthoty
Welcome to Season 4 of The Elephant in AppSec! Get ready for a season packed with even spicier takes! Today's episode features none other than James Berthoty, a security engineer turned founder and CEO of Latio. James is always ready to share his unfiltered opinions, and I’ve had the pleasure of chatting with him for the last couple of years. Over the past few months, there were a lot of discussions around AI security, and I invited him on the show before his new report even hit the public to discuss his thoughts on this very hot topic.

In today’s conversation, James unpacks why we’re seeing an executive push for AI solutions, and why practitioners should proceed with caution. He also shares why most people probably don’t need an AI security vendor, and some stories about the pushback he received after publishing his report. Plus, we’ll talk about why we, as an industry, need to stay grounded in our approach to AI in security.

Dive right in!
-
65
Why AppSec isn’t just for tech — Surprising Insights ⎜ Olga Dzięgielewska
Today, I’m joined by Olga Dzięgielewska, Senior Manager of InfoSec Application Security at Philip Morris International. With over 10 years of experience in secure code reviews, a PhD in IT Security, and now leading global AppSec teams, Olga specializes in secure development practices, IT assurance, ethical hacking, API security and SAP security, driving security initiatives across multiple international locations.

In this episode, we tackle common misconceptions about application security and explore the unique challenges faced by the manufacturing sector compared to tech companies.

We also discuss how to ensure a seamless digital transformation, the role of cultural differences in communication and decision-making, and of course, the ever-present issue of supply chain security.

Dive right in!

Connect with Olga: https://www.linkedin.com/in/olusia/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
-
64
Are Traditional WAFs Dead? The Impact of OpenAPI Specs on Web Security with Nathan Byrd
Today, I’m joined by Nathan Byrd, a Principal AppSec Architect at Applied Systems. Nathan’s journey is truly unique: before joining Applied Systems, he spent an impressive 24 years at Mastercard, where he rose from a software engineer to a Principal AppSec Architect. That’s the longest tenure we’ve seen from anyone on the podcast!

Nathan is passionate about building things, whether it’s his early days as an internet fan, building projects with Raspberry Pi Pico, or more recently, creating OAShield (pronounced "away shield"). This open-source project helps generate WAF config files based on OpenAPI specs, which we dive into during today’s conversation.

In this conversation, we explore whether traditional WAFs are becoming obsolete in the age of OpenAPI specs, how to keep them accurate, and why adopting a top-down approach to API specifications is key to enhancing security.

Nathan also provides valuable advice for aspiring developers passionate about security and explains how he believes AI will play a transformative role in shaping the future of AppSec.

Dive right in!
-
63
Finding AppSec tools that developers love — is it possible? with Linda Fay
Today I’m joined by Linda Fay, a seasoned leader in Application Security with over 13 years of experience. She’s led large-scale security programs, most recently as Director of Product Security Engineering, where she secured thousands of applications and delivered major cost savings. Now working as an independent consultant, she helps organizations improve their AppSec posture and explore the intersection of AI and security. Linda also leads the OWASP Nashville chapter and is deeply involved with WiCyS, mentoring the next generation of women in cybersecurity.

In this episode, we dive into whether it’s possible to find AppSec tools that developers actually like—regardless of their acronyms—and how the rapid rise of AI is reshaping security tooling. Linda also shares her experience justifying security budgets in the absence of compliance mandates, and how she managed to save over $600K annually by streamlining AppSec tools.

Dive right in!

Connect with Linda: https://www.linkedin.com/in/faylinda/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
-
62
What Most Security Teams Miss: An Engineering Manager’s Take on AppSec with Desmond Lamptey
Today’s episode is a special one. I’m joined by Desmond Lamptey, a Software Engineering Manager at a large financial organization.

I first came across Desmond during his talk on API Security at APIDays Paris—and honestly, it was one of the best talks I’ve seen. Not only because of the insights, but also the dad jokes.

That talk made me curious: what drives a seasoned engineer like Desmond to speak about security with such passion? And more importantly, what does he think security teams get wrong when it comes to their collaboration with teams like his?

With over a decade of technical experience and a Certified Ethical Hacker certification under his belt, Desmond regularly shares his knowledge through public speaking and brings a unique developer’s perspective to security.

In this episode, we dive into his path to becoming a security champion, the challenges of engaging developers in security conversations, why he’d change the way security teams label vulnerabilities for developers, and how gamifying security education can help close the gap between devs and security teams.

Dive right in!
-
61
Compliance in Cyber: Can Regulation and Innovation coexist?⎜Chris Hughes
Today, I’m joined by Chris Hughes, the CEO & Co-Founder of Aquia, a cybersecurity consulting firm supporting secure digital transformation for U.S. federal, state, and defense agencies. He previously served as a Cyber Innovation Fellow at CISA.

Chris is also the co-author of the Software Transparency and Effective Vulnerability Management (Wiley) books, and hosts the Resilient Cyber podcast and Substack. He's also a frequent speaker and commentator on AppSec, software supply chain security, and DevSecOps.

In this episode, we unpack why compliance doesn’t equal security - but in its absence, the state of cybersecurity would be worse. We explore how federal cybersecurity policy shapes startup innovation, and whether the future of security will be defined more by lawyers than by security practitioners.

We also reflect on how the skillset in cybersecurity has evolved - from deep technical expertise to a growing emphasis on soft skills and communication.

Dive right in!

Connect with Chris: https://www.linkedin.com/in/resilientcyber/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic

Mentioned
Cybersecurity's Delusion Problem: https://www.resilientcyber.io/p/cybersecuritys-delusion-problem
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society: https://www.amazon.com/Software-Transparency-Security-Software-Driven-Society/dp/1394158483
Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem: https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207
Resilient Cyber: https://www.resilientcyber.io/
Cyber for Builders by Ross Haleliuk: https://www.cyberforbuilders.com
-
60
The Future of Product Security: Quality Engineering or something more? with Michael Novack
Today, I’m joined by Michael Novak, a seasoned Application Security Architect turned Technical Product Manager. At the time of this recording, he was still working hands-on in AppSec! Having started his career as a Java software engineer, Michael knows firsthand the challenges developers face when it comes to building secure applications.

Outside of his technical roles, Michael has created several educational games — most notably Byte Club, a strategic card game that turns complex cybersecurity concepts into fun, accessible learning experiences. He also gives back to the community by mentoring students in technology and cybersecurity through his work with NPower.

In today’s episode, we explore whether product security engineering should be treated as quality engineering, and why it needs to go even further as a true extension of technology. We dig into how security training has moved beyond fear-based tactics toward more engaging, integrated approaches—and ask what kind of timeline it takes to build genuine trust in security roles.

Dive right in!
-
59
Should We Fix All Bad Code? with Eitan Worcel
Today, I’m joined by Eitan Worcel, CEO and co-founder of Mobb — an AI Security Assistant that fixes vulnerabilities. With over 15 years of experience in the application security field, Eitan has worn many hats, including developer, product management leader, and now startup founder.
Eitan has also shared his expertise at events such as Black Hat, BSides Las Vegas, and OWASP chapter meetings, where he discussed the application of AI in security and the relationships between developers and security teams.
In today’s episode, we explore whether all bad code should be fixed, the role of AI in code remediation, the challenges developers face in addressing vulnerabilities, and the critical importance of maintaining software quality. We also touch on the evolution of security tools and their impact on developers' workflows.
Dive right in!
Connect with Eitan: https://www.linkedin.com/in/worcel/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic
Mentioned:
Mobb.ai - AI Security Assistant That Fixes Vulnerabilities
Matias Madou of Secure Code Warrior on Embedding Security in Product Design and Development: https://medium.com/authority-magazine/matias-madou-of-secure-code-warrior-on-embedding-security-in-product-design-and-development-29bd2f639469
Copilot amplifies insecure codebases: https://snyk.io/blog/copilot-amplifies-insecure-codebases-by-replicating-vulnerabilities/
The Hard Thing About Hard Things by Ben Horowitz: https://www.amazon.com/Hard-Thing-About-Things-Building/dp/0062273205
-
58
AI, Speed, and Startup Chaos: Is ‘Minimum Viable Security’ the Fix? ⎜ Kalyani Pawar
Today, I’m joined by Kalyani Pawar, an Application Security Engineer at Zipline and a seasoned AppSec expert with a deep commitment to the startup ecosystem. Beyond her day job, she actively advises startups and VCs on what really matters in application security. Kalyani is also the co-host of the Application Security Weekly podcast and a speaker at top conferences like DEFCON, BSides SF, and RSA.
She’s been a driving force behind the scenes too, serving on reviewer boards for DEFCON, WiCyS, and several BSides chapters—helping shape high-impact security content for the community.
In today’s episode, we dive into her experience designing security programs from scratch across startups of all stages—and ask the big question: Can ‘Minimum Viable Security’ be the fix to all the AI-fueled chaos in startups? We also explore how VCs impact security decisions, the role of interns on security teams, and how to tackle the beast of security debt.
Dive right in!
-
57
Security IDE Plugins: Can They Really Boost Your Coding Security? ⎜Jamie Scott
Today, I'm joined by Jamie Scott, a recovering cybersecurity practitioner turned founding product manager at Endor Labs. Previously, Jamie served as Product Manager of Security at Redis, where he was an active open-source contributor, and as DevSecOps Manager at Cygna Healthcare.
Jamie is also a Certified Information Systems & Cloud Security Professional and continues to contribute to the cybersecurity community. He co-authored several benchmarks and volunteers as a consultant for the Center for Internet Security.
In this episode, we dive into the topic of IDE plugins: Do they help you boost your coding security, or are they just hopium? Jamie has firsthand experience trying to roll out an IDE security program in his career and shares his perspective, leaning more towards the “hopium” side of things. He’s observed that developers often don't proactively use them, which raises the question—are these tools really effective?
Dive right in!
Connect with Jamie: https://www.linkedin.com/in/james-m-scott-iii/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
Mentioned:
CIS Benchmark for NGINX: https://www.cisecurity.org/benchmark/nginx
The Challenger Sale: Taking Control of the Customer Conversation: https://www.amazon.com/Challenger-Sale-Control-Customer-Conversation/dp/1591844355
Shannon Lietz (DevSecOps Lead at Intuit) keynote in 2016: https://www.youtube.com/watch?v=ru11MSYPBBQ
-
56
DAST Tools: Can We Change the AppSec Community Perception? with Chris Lindsey
Today, I’m joined by Chris Lindsey, who, at the time of recording, was an AppSec Evangelist at Mend. Formerly an AppSec Architect, Chris brings over 15 years of direct security experience and more than 35 years of leadership in programming, software, solutions, and security architecture.
For several years, Chris built and led an entire application security program, including oversight of security processes, procedures, tools, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis. Chris is also a seasoned speaker and the host of the Secrets of AppSec Champions podcast.
In this episode, we discuss why many still view DAST as a checkbox rather than a critical component of security—and how that perspective is changing, especially with the rise of modern DAST tools. We’ll also explore how to strategically integrate DAST with other tools in your AppSec program.
If you agree with Chris that we need to stop treating DAST like a dessert, this episode is for you. Dive right in!
This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
Mentioned:
Chris’ article on DAST: https://www.mend.io/blog/dont-treat-dast-like-dessert/
Alexandra’s interviews with AppSec engineers, “What’s wrong with the current state of DAST”: https://escape.tech/blog/what-is-wrong-with-the-current-state-of-dast-feedback-from-my-conversations-with-appsec-engineers/
The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win: https://www.amazon.com/-/en/Gene-Kim/dp/0988262592
Secrets of AppSec Champions: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7
-
55
Secure Coding — Can we make it happen? with Tanya Janca
Today, I’m joined by someone many of you will instantly recognize — Tanya Janca, also known as She Hacks Purple and a key community leader at Semgrep.
With nearly three decades in IT, Tanya has earned countless awards, including OWASP Lifetime Distinguished Member and Hacker of the Year. She’s spoken on stages around the world and trained thousands of software developers and security professionals along the way. Her first book was one of the earliest I read on application security — and honestly, her work gets mentioned more than almost anyone else’s by guests, season after season.
Now, with the release of her latest book on secure coding, we dive into a big question: Can we actually expect developers to write secure code? And if so, how do we make secure coding a foundational part of education — not an afterthought? We explore the challenges, the role of governments in promoting security standards, and the mindset shifts needed to get there.
We also touch on Tanya’s passion for community, and how genuinely useful content (which isn’t always a given in security) can make all the difference in helping others learn and grow in AppSec.
And with that, get ready to hear Tanya’s opinions. Dive right in!
-
54
How Psychology Really Shapes AppSec Wins & Fails ⎢ Curtis Koenig
Today, I’m joined by Curtis Koenig, a seasoned application security leader managing AppSec programs for global brands. At Gen Inc., he secures all products through CI/CD integration, secure coding, and a bug bounty program. Previously, at Booking.com and Snap Inc., he scaled security operations, enhanced authentication systems, and streamlined compliance processes. With expertise in secure development and threat modeling, Curtis is a recognized authority in enterprise application security.
In this episode, we explore how insights from neuroscience align with the decisions developers and security professionals make about securing applications. We also discuss how storytelling through metrics can reduce panic, drive software quality, and foster stronger team dynamics.
If you’re looking to learn how an experienced AppSec leader ensures his team’s success through psychology, this episode is for you. Dive right in!
Connect with Curtis: https://www.linkedin.com/in/curtisko/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic
Mentioned:
Intent-based leadership | David Marquet: https://www.youtube.com/watch?v=nzynH2BmoJM
The Tangled Web: A Guide to Securing Modern Web Applications: https://www.amazon.fr/Tangled-Web-Securing-Modern-Applications/dp/1593273886
Writing Secure Code, Second Edition by Michael Howard, David LeBlanc: https://www.amazon.com/Writing-Secure-Second-Developer-Practices/dp/0735617228
Crucial Confrontations: Tools for Resolving Broken Promises, Violated Expectations, and Bad Behavior: https://www.amazon.com/Crucial-Confrontations-Resolving-Promises-Expectations/dp/0071446524
“Meditations” by Marcus Aurelius: https://www.amazon.com/Meditations-Marcus-Aurelius/dp/1503280462
-
53
The Open Source Security Crisis: Is Trust the Weakest Link in Supply Chain? with François Proulx
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement. He’s also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out on GitHub and give it a star!
François is a frequent speaker and one of the founders of the NorthSec conference, where he also serves as a challenge designer for the CTF.
In this episode, we dive into the critical topic of supply chain insider threats in open source projects. We discuss the importance of the “trust, but verify” mantra and how the transition from a single maintainer to a team can increase security risks. If you’re wondering about the future of automated security checks on platforms like GitHub, and the specific vulnerabilities in build pipelines, this episode is for you.
And with that, get ready to hear François’s opinions. Dive right in!
Connect with François: https://www.linkedin.com/in/francoisp/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by Escape: https://escape.tech — Modern DAST built to test for business logic instead of missing headers
Mentioned:
Article “Opening the Pandora’s Box: Supply Chain Insider Threats in Open Source Projects”: https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-threats-in-oss-projects
Russ Cox at ACM SCORED: Open Source Supply Chain Security at Google: https://www.youtube.com/watch?v=6H-V-0oQvCA
DEF CON 32 - Grand Theft Actions: Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski: https://www.youtube.com/watch?v=5P7KatZBr_I
NorthSec 2024 talk “Under the Radar: 0-days in the Build Pipeline”: https://www.youtube.com/watch?v=4nfsTPEOzHA
NorthSec conference: https://nsec.io/fr/
Poutine security scanner - detects misconfigurations and vulnerabilities in the build pipelines of a repository: https://github.com/boostsecurityio/poutine
Dependabot: https://github.com/dependabot
BoostSecurity ASPM Platform: boostsecurity.io
-
52
Are we truly managing Third-Party risks, or just playing security theater? ⎢Rachel Curran
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Rachel Curran, co-founder and CEO of Locktivity—a third-party risk management platform. She’s also the former Director of Risk and Compliance and Head of Infosec at Logik Systems. With over a decade of experience leading security and GRC initiatives, Rachel has built SOC 2 and security programs from the ground up, helping companies achieve security maturity. She’s also a frequent speaker at security conferences about this topic. Beyond her work in cybersecurity, Rachel co-hosts @shedoestech, a show dedicated to promoting women in tech and highlighting their career journeys.
In this episode, we dive into whether we’re truly managing third-party risks or simply turning a blind eye to key issues. We also explore whether we should force vendors to disclose their vulnerabilities, how to continuously evaluate dependencies on third parties, why adopting an assumed breach posture helps frame due diligence, and why education about third-party risks should be integrated into security awareness programs.
-
51
Hyped or Helpful? The Truth About Reachability & Developer Buy-In ⎢ Nir Valtman
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Nir Valtman, CEO & co-founder of Arnica, an ASPM platform with a pipelineless approach. Before founding Arnica, Nir led product and data security at Finastra, established security at Kabbage as CISO, and headed application security at NCR. He’s also a well-known speaker at top security conferences, including Black Hat, Defcon, RSA, BSides, and OWASP.
In this episode, we unpack the reachability hype - why every vendor claiming "we do reachability!" means something slightly different, and what makes Pipelineless Reachability Analysis stand out. We’ll also discuss why reachability is critical for vulnerability prioritization, plus some eye-opening stats - like why developers prefer scan results in under 30 seconds and how 9% of detected vulnerabilities still make it into production, even after developers are notified on push.
Dive right in!
Connect with Nir: https://www.linkedin.com/in/valtmanir/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
This podcast is brought to you by Escape: https://escape.tech — API Security & DAST Platform
Mentioned in the video:
https://www.arnica.io/ - ASPM with pipelineless, developer-native approach
Nir’s LinkedIn post on reachability: https://www.linkedin.com/posts/valtmanir_reachability-appsec-security-activity-7249039515888046080-Irvv
Hype Cycle for Application Security, 2024: https://www.gartner.com/en/documents/5622191
Defining Reachability - is it just hype? https://pulse.latio.tech/p/reachability-matters-13
Does Reachability Matter? by James Berthoty: https://pulse.latio.tech/p/does-reachability-matter
Book: Freakonomics by Steven Levitt & Stephen Dubner: https://www.amazon.com/gp/product/0063032376/ref=as_li_qf_asin_il_tl?ie=UTF8&tag=freakonomic08-20&creative=9325&linkCode=as2&creativeASIN=0063032376&linkId=f70dd7af6a315da4e8d04e7001c8e1d6
Podcast recommendation: Acquired (playbooks that built the world’s greatest companies - and how you can apply them as a founder, operator, or investor): https://www.acquired.fm/
-
50
DevSecOps vs. Reality: What You REALLY Need to Succeed!
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Iman Ilbag, a DevSecOps Engineer at KPN, one of the leading telecom providers in the Netherlands. Previously, as the sole DevSecOps Engineer at Snappfood, he secured 70+ projects and trained hundreds of security champions. Iman transitioned from engineering to DevOps and Application Security, and has also worked on penetration testing and infrastructure security for both startups and larger enterprises. He’s passionate about security automation and open-source security, always looking for ways to improve security practices. I was introduced to Iman through a referral from James Berthoty, a previous podcast guest.
In this episode, we dive into why a solid understanding of DevOps is essential before implementing DevSecOps, and how the cultural aspects of security often outweigh the tools themselves. We also explore the limitations of ASPM tools, the role of Defect Dojo in effective vulnerability management, and why selecting the right security tools is critical for success.
Dive right in!
Connect with Iman: https://www.linkedin.com/in/iman-ilbag/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
Mentioned in the video:
DefectDojo: https://www.defectdojo.org/
Escape: https://escape.tech — API Security & DAST Platform
Latio list: https://list.latio.tech/
-
49
Unpacking Opengrep—A Deep Dive with Its Backing Teams
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Recently, Opengrep made headlines as a new open-source project based on a fork of Semgrep Community Edition, with the goal of democratizing SAST. As you know, I'm always ready to dive into controversial topics on The Elephant in AppSec, and this episode is no exception. But before we jump in, full disclosure: I’m staying neutral in this conversation. I’ve had the privilege of collaborating with incredible people on both sides of the discussion, and I’m here to explore all perspectives.
I spoke with the teams behind Opengrep—Arnica, Mobb, Aikido, and Jit—to explore what inspired them to get involved, the feedback they’ve received—both positive and negative—since the launch, and what lies ahead for the project: What will Opengrep look like a year from now?
By the way, if you want to dive deeper into their plans, join the Opengrep Open Roadmap session tomorrow (link in the description) or check out the next version of Opengrep, which will launch next week.
Dive right in!
Mentioned in the video:
Opengrep repo: https://github.com/opengrep/opengrep
Semgrep: https://semgrep.dev/
Opengrep roadmap session. Register here: https://lu.ma/07bivwlz
James Berthoty’s launch article: https://pulse.latio.tech/p/announcing-opengrep
OWASP projects: https://owasp.org/projects/
This podcast is provided by Escape: https://escape.tech
-
48
Is There a Secret to Mastering Threat Modeling at Scale? Ashwini Siddhi (GoDaddy)
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m thrilled to be joined by Ashwini Siddhi, Director, Security Engineering at GoDaddy. With a background in electronics engineering, Ashwini discovered her true passion in cybersecurity and has since become a distinguished leader in the AppSec space. Her expertise spans multiple domains, with Threat Modeling standing out as a key area of specialization. Recently elected to the OWASP Foundation’s Board of Directors, Ashwini is not just a technical expert—she’s also a dedicated advocate for women in cybersecurity. She actively mentors aspiring security professionals through organizations like WiCyS and beyond.
In this episode, we explore whether there is a secret to mastering threat modeling at scale, how AI is revolutionizing threat modeling, and the necessity of building a unified threat modeling program across organizations. We also discuss why mentorship is essential for developing the next generation of security professionals. If you're an experienced leader looking for valuable insights on guiding and supporting emerging talent in cybersecurity, this episode is for you!
Dive right in!
Escape: https://escape.tech
Mentioned in the video:
Threat Modeling at Scale WhitePaper: https://safecode.org/wp-content/uploads/2023/06/Threat_Modeling_at_Scale_6.21.23.pdf
Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/
OWASP Threat Modeling Project: https://owasp.org/www-project-threat-model/
-
47
Can You Really Quantify AppSec ROI? Here’s the Truth! ⎜Irfaan Santoe
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I’m joined by Irfaan Santoe, a seasoned security leader who has worn many hats—from CISO to Global Head of Application Security, and now Founder and CTO of RiskApp. Beyond his leadership roles, Irfaan is a dedicated community builder. He leads the OWASP Netherlands Chapter, created the OWASP Security Champions Guide, and co-hosts the re:invent security podcast, a live in-person show where industry leaders share how they’re reshaping security.
In this episode, we tackle a big and often uncomfortable question: Can we actually quantify the ROI of AppSec? Security leaders are constantly pushed to justify their budgets, but when it comes to application security, how do we measure success? Are we tracking the right metrics, or just playing a numbers game?
We’ll also discuss:
- The hidden costs of delaying AppSec and why technical debt is a silent killer
- How security leaders can sell AppSec to executives and actually secure budget
- The challenge of measuring AppSec effectiveness—what metrics actually matter?
If you’ve ever struggled to prove the value of security initiatives—or just want a fresh perspective on AppSec priorities—this episode is for you.
Connect with Irfaan: https://www.linkedin.com/in/irfaansantoe
Connect with Alexandra: https://fr.linkedin.com/in/alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech
Re-invent security: https://re-inventsecurity.com/
RiskApp: https://www.riskapp.com/
OWASP Security Champions Guide: https://owasp.org/www-project-security-champions-guidebook/
The CISO’s Guide for Implementing DevSecOps in the Enterprise: DevSecOps Visions from 10 European Information Security Leaders: https://www.amazon.co.uk/CISOs-Guide-Implementing-DevSecOps-Enterprise/dp/9464807571
How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292
-
46
How to Fix API Security Before It’s Too Late ⎜ Confidence Staveley
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m joined by a true force in cybersecurity. With over a decade of experience, Confidence Staveley has dedicated her career to helping organizations build secure, innovative products. She’s the founder of MerkleFence, where she serves as Director of Application Security for various companies, and the author of the Amazon bestseller API Security for White Hat Hackers. Confidence is known for making cybersecurity concepts accessible to diverse audiences, as seen in her popular YouTube series, "API Kitchen" @SisiNerdTV where she uses culinary metaphors to explain API security. A globally recognized leader and speaker, she’s earned accolades like Cybersecurity Woman of the World 2023, while empowering teams to innovate securely. She also leads the CyberSafe Foundation, a groundbreaking NGO focused on building a digitally inclusive and secure Africa. In this episode, we explore why proactive strategies like ethical hacking are essential, how organizations can protect against the growing risks of insecure APIs, and why compliance alone isn’t enough. Confidence shares her 2024 insights into API security, from third-party integration challenges to gaps in frameworks like the OWASP API Security Top 10, while emphasizing the importance of making security actionable for both leaders and developers. With that, get ready to hear Confidence’s opinions. Dive right in! Connect with Confidence: / confidencestaveley Connect with Alexandra: / alexandra-charikova Mentioned in the video: Escape: https://escape.tech — API Security & DAST Platform MerkleFence: https://merklefence.com/ API Security for White Hat Hackers: https://www.amazon.com/API-Security-W... 
CyberSafe Foundation — Confidence’s NGO dedicated to creating a digitally secure and inclusive Africa: https://www.cybersafefoundation.org/ OWASP API Security Top 10: https://owasp.org/API-Security/editio... Recommended books: 1. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg 2. Talking to Strangers by Malcolm Gladwell
-
45
The Untold Benefits of Continuous Threat Modeling You Didn’t Know About ⎜Izar Tarandach
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m joined by Izar Tarandach, a Senior Product Security Architect with extensive security experience at Datadog, Squarespace, and several other companies. Izar is also a renowned speaker and the co-author of Threat Modeling: A Practical Guide for Development Teams by O'Reilly. He’s a member of the Threat Modeling Manifesto Group and the leader behind the OWASP pytm Pythonic framework for threat modeling tool. Izar is also a fellow podcaster, and I hope we get to flip roles one day! In this episode, we discuss why perfectionism can hinder effective threat modeling and how Izar believes we need to strike the right balance between automation in threat modeling tools and human insight. We also explore the challenges of measuring the effectiveness of threat modeling and why metrics should focus on qualitative insights rather than just quantitative data. If you agree with Izar’s perspective that a dev-centric approach to threat modeling can enhance security practices and want to learn how to implement security reflexes in your engineering teams—this episode is for you! With that, get ready to hear Izar’s opinions. Dive right in! 
Connect with Izar: https://www.linkedin.com/in/izartarandach
Connect with Alexandra: https://fr.linkedin.com/in/alexandra-charikova
Mentioned in the video:
Escape: https://escape.tech
Threat Modeling: A Practical Guide for Development Teams: https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553
Threat Modeling Manifesto Group: https://www.threatmodelingmanifesto.org/
OWASP pytm: https://owasp.org/www-project-pytm/
Security Table podcast: https://securitytable.buzzsprout.com/
Tanya Janca's Mentorship Monday, follow Tanya on X: https://x.com/shehackspurple
OWASP Meet the Mentor: https://sf.globalappsec.org/mentor-mentee/
Threat Modeling: Designing for Security by Adam Shostack: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
Brook Schoenfield’s Threat Modeling Methods: https://brookschoenfield.com/?page_id=341
-
44
What does “collaborate with engineering” actually mean in AppSec? ⎜Koen Hendrix (Zendesk)
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m joined by Koen Hendrix, Director of Product Security at Zendesk. With over a decade of experience in the tech and gaming industries, Koen has been instrumental in building and scaling global security teams, integrating security into agile environments, and driving innovation in product security processes. Known for fostering strong relationships with global Product and Engineering leaders, he brings a wealth of expertise to today’s conversation. In this episode we discuss why non-negotiable security practices must be clearly communicated to teams and where Koen thinks we need to draw the line between "secure enough" and "perfect security". We also explore how change management has become a significant challenge in security and discuss why implementing secure-by-design principles requires gradual, step-by-step improvements. If you agree with Koen’s perspective that collaboration is often overlooked in favor of tools and want to learn how to implement it effectively—this episode is for you!
-
43
Is your organization mature enough for its first AppSec hire?⎢Akira Brand
Today, I'm joined by Akira Brand, the AVP of Application Security at PRA Group. With nearly five years of experience in the security space, Akira has a diverse background, starting as a Developer Relations Engineer and transitioning into an Application Security role. Passionate about education and Infosec, Akira has established herself as a distinguished public speaker, co-hosting the AppSec Weekly Podcast for several years and sharing her expertise as a cybersecurity instructor at Katilyst. Akira is also a professional opera singer. You can hear her singing at her Elephant in AppSec conference talk! In this episode, we discuss the maturity level organizations need to achieve before hiring their first application security engineer, the latest AppSec hiring trends, and her insights on DAST from her time at a DAST vendor organization. We also touch on how early exposure to puzzles helps kids develop problem-solving skills and set the stage for a career in engineering. Dive right in!
-
42
Are we overlooking Kubernetes security in the race to deploy applications - Raunaq Arora
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, we’re joined by Raunaq Arora, Lead Application Security Engineer at Chipotle. Raunaq’s journey into security was almost accidental, starting as a developer who quickly developed a knack for breaking and building secure applications. Now, his expertise lies in securing Kubernetes environments at scale and aligning security strategies with business priorities. Last year, he took the RSA Conference stage to share how his team built a secure Kubernetes environment by integrating CIS controls into SDLC pipelines—turning security into the perfect burrito recipe. In this episode, we tackle the ever-growing adoption of Kubernetes and ask the hard questions: Are we racing to deploy this shiny technology while ignoring its massive security risks? Are organizations blindly treating Kubernetes like a “silver bullet,” leaving their infrastructure vulnerable? Raunaq doesn’t hold back as we explore the tools and practices needed to cut through the hype and address the real challenges of Kubernetes security. Dive right in! Useful repos: https://ramitsurana.github.io/awesome-kubernetes/
-
41
Is it actually realistic to see everyone as the greatest ally in security? - Alina Yakubenko
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m excited to have Alina Yakubenko on the show. Alina, Senior Application Security Engineer at Toast, Inc and former developer and QA Engineer, is dedicated to empowering developers to integrate security into their everyday practices. Passionate about building a culture of security awareness, she works to ensure that security is a core component of development processes, helping teams build safer, more resilient applications. In this episode, we dive into a thought-provoking question: is it truly realistic to see everyone as the greatest ally in security? We also explore the critical role of making security champions self-sufficient—especially in rapidly scaling organizations. If you're a strong advocate for security champion programs and want to learn how to scale them effectively, this episode is for you. Dive right in!
-
40
Can DevSecOps Maturity Models Fail? The Hidden Gaps in AppSec Programs ⎜Timo Pagel
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m thrilled to welcome a true expert in DevSecOps, Timo Pagel! With over 20 years of experience in security strategy, web development, and DevSecOps architecture, Timo brings a wealth of knowledge to the table. As a freelance consultant and university lecturer, he’s passionate about training the next generation of AppSec professionals while actively contributing to the Open Source community as the leader of the OWASP DevSecOps Maturity Model (DSOMM) project: https://dsomm.owasp.org/ In this episode, Timo and I dive deep into the critical differences between popular maturity models like DSOMM and SAMM, uncover why a one-size-fits-all approach to maturity frameworks often fails, and explore the unique challenges of implementing DSOMM in startups versus large enterprises. Along the way, we tackle controversial topics like the shortcomings of many AppSec tools and whether security teams are being set up for failure by immature solutions. Dive right in!
-
39
Risk, Product Management, and Supply Chain Security: Is There a Connection? ⎜Jesus Cuadrado
Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Today, I’m thrilled to welcome Jesus Cuadrado to the show! Jesus is the Chief Product Officer at Xygeni, an ASPM platform focused on improving software supply chain security. With over a decade of experience in product management, he’s now leading the charge in creating user-friendly security tools while tackling critical challenges like ensuring reliable software updates and integrating zero-trust principles into product strategies. In this episode, we’ll dive into the intersection of product management and security, unpacking the role of software composition analysis in mitigating library risks, the use of open-source packages, and strategies for ensuring their security. Whether you’re curious about breaking into product management in security or want a product manager’s perspective on building effective security solutions, this episode has something for you. Dive right in!
ABOUT THIS SHOW
Time to discuss AppSec issues no one talks about.
HOSTED BY
The Elephant in AppSec