Chris Romeo and Robert Hurlbut

The Application Security Podcast

Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.

Author

Chris Romeo and Robert Hurlbut

Category

Technology

Podcast website

appsec.buzzsprout.com

Latest episode

Jun 16, 2026

Where to listen?

Podcasts in the app Replaio Radio Coming soon

Podcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts

Get it on Google Play Install for free Android 5M+ downloads · 4.8 rating iOS soon

Episodes

Robert Hurlbut -- Blackhat Security Conference 08.08.2017

Send us Fan Mail We talk with Robert about his experiences at the Blackhat Security Conference. He will explain some of the AppSec-focused parts of the conference and more about the Alec Stamos Keynote. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~...

Dave Ferguson -- The OWASP Top 10 Proactive Controls 25.07.2017

Send us Fan Mail Dave Ferguson discusses the OWASP Top 10 Proactive Controls in this episode with Chris. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jim Manico -- MORE OWASP! 04.07.2017

Send us Fan Mail We’re here today with Jim Manico, a project lead with OWASP. We dive deep into some of the projects on his plate. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mike Goodwin -- The OWASP Threat Dragon 27.06.2017

Send us Fan Mail In this episode, we speak with Mike Goodwin, the founder of the OWASP Threat Dragon. We dive into what the threat dragon is and how it can work for you You can find the tool here: https://github.com/mike-goodwin/owasp-threat-dragon FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPod...

Mark Willis -- I Just Like Static Analysis. Static Analysis is My Favorite 19.06.2017

Send us Fan Mail We’re back with another episode of The Application Security Podcast. This time, we talked to Mark Willis about the many facets of static analysis and how it affects the DevOps world. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~...

Eric Johnson -- Continuous Integration in .NET 14.06.2017

Send us Fan Mail Welcome back to season two of the Application Security Podcast. In this week's episode, we talk to Eric Johnson about static analysis, pen testing, continuous integration, etc. Thanks for listening! Rate us on iTunes and provide a positive comment, please! FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtu...

Matt Clapham -- The Technical Debt Ceiling 06.06.2017

Send us Fan Mail Our topic today is technical debt and how security plays into it. Chris was at Converge Conference 2017  in Detroit, Michigan (which he says is the best security conference around) and continued the AppSec PodCast series of hallway conversations. Matt Clapham joins Chris. This is Matt’s second time on the podcast. Rate us on iTunes and provide a positive comment, please! FOLLOW OU...

Chris and Robert -- Controversy within the OWASP Top 10 RC 30.05.2017

Send us Fan Mail On this episode of the application security podcast, Robert and I jump over a wall. Just kidding. This isn’t Top Gear. This is our second episode of season two of the #AppSec PodCast. Robert and I talk about the OWASP Top 10 2017 release candidate. We walk through what the OWASP Top 10 is and what some of the controversies surround the changes made for this year. Rate us on iTunes...

Brook S.E. Schoenfield -- Security in the Design and Architecture 22.05.2017

Send us Fan Mail This episode is an interview Robert and I did with Brook Schoenfield ( @BrkSchoenfield ) during the RSA Conference 2017. Brook S.E. Schoenfield is a Distinguished Engineer at Intel Security Group. At Intel Security (including the former McAfee), Mr. Schoenfield is the senior technical leader for delivering software products that protect themselves and Intel Security’s customers. H...

Conclusion: The End…of Season 1 26.01.2017

Send us Fan Mail Good day, friends. The Application Security PodCast has concluded our first season. With many friends' help, we could record 18 episodes. We’ve done something different for this final episode of season 1. Our producer, Daniel Romeo, has collected some of our favorite clips from this season, the things that stood out to us. Enjoy! And we look forward to the release of season 2...

Rafal Los, James Jardine, and Michael Santarcangelo -- #DtSR and What Makes a Good Security Consultant? 12.01.2017

Send us Fan Mail Greetings all! We have a treat for you in this episode. The crew joins Robert and me from the Down the Security Rabbit Hole Podcast. This includes Rafal Los ( @wh1t3rabbit ), James Jardine ( @jardinesoftware ), and Michael Santarcangelo ( @catalyst ). This is a unique conversation for me because the AppSec PodCast was born from my first interview with #DtSR. I was featured on DtSR...

Adam Shostack -- Think like an Attacker or Accountant? 04.01.2017

Send us Fan Mail On this episode, Robert and I are joined by Adam Shostack ( @adamshostack ). Adam is a well-known speaker and thought leader in application security. We speak with Adam about how to connect with development teams. This all started about a year ago when Adam tackled the issue of thinking like a hacker and why he wanted people to think differently. We dive deep into this issue, but...

Jon McCoy -- The Mindset to Reverse Engineer 21.12.2016

Send us Fan Mail Today we talk to Jon McCoy (@thejonmccoy), a developer turned security person. He’s been helping developers learn more about security. We talk about reverse engineering malware and .NET security, as well as a bit of security community and the mindset to Reverse Engineer. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https:/...

Chris Romeo -- AppSec Awareness: A Blue Print for Security Culture Change 13.12.2016

Send us Fan Mail We bring you a recorded version of Chris’s security conference talk from 2016 for this episode. The talk is “AppSec Awareness, A Blue Print for Security Culture Change.” He covers The Problem Space, why we need application security, how to create sustainable security culture, and introduces the idea of Application Security Awareness. Chris had the luxury of building such a program...

Tracy Maleeff -- Natural Paranoia as a Career Path? A Transition to Security 06.12.2016

Send us Fan Mail In this episode, Robert and I are joined by Tracy Maleeff. Tracy is an InfoSec enthusiast with an MLIS degree. She has mad research and organizational skills. She co-hosts the PVCSec podcast. You can find Tracy on Twitter @InfoSecSherpa . Tracy is in the midst of a career transition. She began her career in Library Sciences and is moving into Information Security. We discussed the...

Chris Romeo -- Security Community at Any Scale 29.11.2016

Send us Fan Mail In this episode, Robert interviews Chris about the security community. Chris talks about his experiences doing security community at a large organization for 5+ years. Robert keeps pushing Chris to make this applicable to small companies as well. You’ll hear best practices for building a security community in your org, including monthly training sessions, lunch and learns, and eve...

Deidre Diamond -- The Soft Skills of AppSec 16.11.2016

Send us Fan Mail We are joined by Deidre Diamond, Founder, and CEO @cyber_sn & the Founder of @brain_babe . We discuss employment in the world of application security. We also dive deep into soft skills, exploring why they are foundational in the workforce. Deidre explains the benefits of win-win conversation, how words and everyday language connect, and how to have fun, compassion, love, inte...

Tony UcedaVelez -- PASTA: Not Just for Breakfast Anymore 08.11.2016

Send us Fan Mail This is our third interview from ISC2 Security Congress. We are joined by Tony UcedaVelez, or TonyUV, founder and CEO of VerSprite – a global security consulting firm based in Atlanta, GA. Tony leads the OWASP Atlanta Chapter and BSides Atlanta. This is a deep dive into Tony’s experience with threat modeling. We explore the PASTA methodology he created. FOLLOW OUR SOCIAL MEDIA: ➜T...

Glenn Leifheit -- An Inner Glimpse of the Microsoft SDL 02.11.2016

Send us Fan Mail This is our second interview at ISC2 Security Congress. We are joined by Glenn Leifheit ( @gleifhe ), an InfoSec and Development Evangelist at Microsoft. Microsoft is the grandparent to almost every secure development lifecycle across the industry. This is an in-depth discussion about how actually to do SDL. Glenn shares some things during this conversation that I’ve never heard a...

Mike Landeck -- Security Must Meet the Needs of the Business 25.10.2016

Send us Fan Mail Mike Landeck joins Robert and me. Mike is a Cyber security evangelist, AppSec junky & Docker Security geek, and can be found on Twitter @MikeLandeck. We interviewed Mike in person at the ISC2 Security Congress event in Orlando, Florida. We discussed his latest talk on breach fatigue, the need to reach outside the echo chamber of security, Twitter as a news source for security,...

Daniel Ramsbrock -- Web Application Pen Testing – Part 2 18.10.2016

Send us Fan Mail On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about Web App Penetration testing. In part two, we focus on the process of pen testing and web app pen testing. I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in security for over ten years, focusing most of that time...

Daniel Ramsbrock -- Web Application Pen Testing – Part 1 18.10.2016

Send us Fan Mail On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about Web App Penetration testing. In part one, we focus on the difference between pen testing and web app pen testing, where pen testing fits your development methodology (waterfall, agile, and DevOps), and why someone should care about it. I (Chris) connected with Daniel throug...

Matt Clapham -- Development Security Maturity 11.10.2016

Send us Fan Mail Robert and I are joined today by Matt Clapham. Matt “makes products more secure” I mean, hey, his Twitter handle is @ProdSec . The topic of this interview is what Matt calls development security maturity. This concept is based on Matt’s research and his talk at RSA. Matt created a simple process to measure the maturity of development security by looking at five key behaviors. We c...

Elena Elkina -- Privacy and Data Protection 04.10.2016

Send us Fan Mail Welcome to the first of many interviews on the #AppSec Podcast. In this episode, Robert and I interview Elena Elkina ( @el0chka ) on privacy. We cover privacy, data protection, and customer data protection. This is a quick chat for around 20 minutes. In the future, we’ll dive deeper into the crossroads of security and privacy. Elena is a Senior Global Privacy & Data Protection...

Chris and Robert -- Security in the Methodology 26.09.2016

Send us Fan Mail In this episode, we talk about product development methodologies and the impact of security. We explore how to apply security activities to waterfall and Agile and discuss the pros and cons. We’ve both had experience with these methodologies and freely share what we’ve seen work and what we’ve seen fail. This applies whether you are new to security or have been doing security for...

Listen to the The Application Security Podcast podcast in Replaio

Radio and podcasts in one app - free, with no sign-up. Install today and do not miss the launch

Get it on Google Play

Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.