Chris Romeo and Robert Hurlbut

The Application Security Podcast

Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.

Author

Chris Romeo and Robert Hurlbut

Category

Technology

Podcast website

appsec.buzzsprout.com

Latest episode

Jun 16, 2026

Where to listen?

Podcasts in the app Replaio Radio Coming soon

Podcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts

Get it on Google Play Install for free Android 5M+ downloads · 4.8 rating iOS soon

Episodes

Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language 17.02.2024

Send us Fan Mail Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cybersecurity and his experience con...

Justin Collins -- Enabling the Business to Move Faster, Securely 06.02.2024

Send us Fan Mail Justin Collins of Gusto joins Robert and Chris for a practical conversation about running security teams in an engineering-minded organization. Justin shares his experience leading product security teams, the importance of aligning security with business goals, and the challenges arising from the intersection of product security and emerging technologies like GenAI. They also disc...

Kyle Kelly -- The Dumpster Fire of Software Supply Chain Security 30.01.2024

Send us Fan Mail Kyle Kelly joins Chris to explore the wild west of software supply chain security. Kyle, author of the CramHacks newsletter, sheds light on the complicated and often misunderstood world of software supply chain security. He brings unique insights into the challenges, issues, and potential solutions in this constantly growing field. From his experiences in sectors like cybersecurit...

Chris Hughes -- Software Transparency 20.01.2024

Send us Fan Mail Chris Hughes, co-founder of Aquia, joins Chris and Robert on the Application Security Podcast to discuss points from his recent book Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, co-authored with Tony Turner. The conversation touches on the U.S. government in the software supply chain, the definition and benefits of software transparency, the...

Jay Bobo & Darylynn Ross -- App Sec Is Dead. Product Security Is the Future. 09.01.2024

Send us Fan Mail Jay Bobo and Darylynn Ross from CoverMyMeds join Chris to explain their assertion that 'AppSec is Dead.' They discuss the differences between product and application security, emphasizing the importance of proper security practices and effective communication with senior leaders, engineers, and other stakeholders. Jay proposes that product security requires a holistic ap...

Eitan Worcel -- Is AI a Security Champion? 19.12.2023

Send us Fan Mail Eitan Worcel joins the Application Security Podcast, to talk automated code fixes and the role of artificial intelligence in application security. We start with a thought-provoking discussion about the consistency and reliability of AI-generated responses in fixing vulnerabilities like Cross-Site Scripting (XSS). The conversation highlights a future where AI on one side writes cod...

Björn Kimminich -- OWASP Juice Shop 12.12.2023

Send us Fan Mail Bjorn Kimminich, the driving force behind the OWASP Juice Shop project, joins Chris and Robert to discuss all things Juice Shop. The OWASP Juice Shop is a deliberately vulnerable web application that serves as an invaluable training tool for security professionals and enthusiasts. Bjorn provides a comprehensive overview of the latest features and challenges introduced in the Juice...

Arshan Dabirsiaghi -- Security Startups, AI Influencing AppSec, and Pixee/Codemodder.io 05.12.2023

Send us Fan Mail Arshan Dabirsiaghi of Pixee joins Robert and Chris to discuss startups, AI in appsec, and Pixee's Codemodder.io. The conversation begins with a focus on the unrealistic expectations placed on developers regarding security. Arshan points out that even with training, developers may not remember or apply security measures effectively, especially in complex areas like deserializa...

Dr. Jared Demott -- Cloud Security & Bug Bounty 28.11.2023

Send us Fan Mail Chris and Robert are thrilled to have an insightful conversation with Dr. Jared Demott, a seasoned expert in the field of cybersecurity. The discussion traverses a range of topics, from controversial opinions on application security to the practical aspects of managing bug bounty programs in large corporations like Microsoft. We dive into the technicalities of bug bounty programs,...

Katharina Koerner -- Security as Responsible AI 21.11.2023

Send us Fan Mail Dr. Katharina Koerner, a renowned advisor and community builder with expertise in privacy by design and responsible AI, joins Chris and Robert to delve into the intricacies of responsible AI in this episode of the Application Security Podcast. She explores how security intersects with AI, discusses the ethical implications of AI's integration into daily life, and emphasizes t...

Ray Espinoza -- The AppSec CISO, Vendor Relationships, and Mentoring 15.11.2023

Send us Fan Mail For Security Pros & Business Leaders | Strategic Insights & Leadership Lessons 🔒🌟 When Ray Espinoza joined Chris and Robert on the Application Security Podcast, he gave a treasure trove of insights for both security professionals and business leaders alike! Whether you're deep in the trenches of information security or steering the ship in business leadership, this...

Chris John Riley -- MVSP: Minimum Viable Secure Product 07.11.2023

Send us Fan Mail Chris John Riley joins Chris and Robert to discuss the Minimum Viable Secure Product. MVSP is a minimalistic security checklist for B2B software and business process outsourcing suppliers. It was designed by a team that included experts from Google, Salesforce, Okta, and Slack. The MVSP objectives are targeted at startups and other companies creating new applications, helping such...

Steve Wilson and Gavin Klondike -- OWASP Top Ten for LLM Release 31.10.2023

Send us Fan Mail Steve Wilson and Gavin Klondike are part of the core team for the OWASP Top 10 for Large Language Model Applications project. They join Robert and Chris to discuss the implementation and potential challenges of AI, and present the OWASP Top Ten for LLM version 1.0. Steve and Gavin provide insights into the issues of prompt injection, insecure output handling, training data poisoni...

Tanya Janca -- What Secure Coding Really Means 24.10.2023

Send us Fan Mail Tanya Janca, also known as SheHacksPurple, joins the Application Security Podcast again to discuss secure coding, threat modeling, education, and other topics in the AppSec world. With a rich background spanning over 25 years in IT, coding, and championing cybersecurity, Tanya delves into the essence of secure coding. Tanya highlights the difference between teaching developers abo...

Hasan Yasar -- Actionable SBOM via DevSecOps 16.10.2023

Send us Fan Mail Hasan Yasar believes that everyone shares the responsibility of creating a secure environment, and this can only be achieved by working collaboratively. He underscores the idea that security is not an isolated endeavor but a collective effort, urging everyone to come together and build a world where safety and security are paramount. Yasar also shares his thoughts about education...

Varun Badhwar -- The Developer Productivity Tax 10.10.2023

Send us Fan Mail Varun Badhwar is a three-time founder, a luminary in the cyber security industry, and a clear communicator. He joins Chris and Robert on the Application Security Podcast to discuss scanning with context, SBOM plus VEX, and the developer productivity tax. The concept of a "Developer Productivity Tax" acknowledges the challenges developers face when bombarded with a pletho...

OWASP Board of Directors Debate 03.10.2023

Send us Fan Mail The Application Security Podcast presents the OWASP Board of Directors Debate for the 2023 elections. This is a unique and engaging discussion among six candidates vying for a position on the board. Throughout the debate, candidates address pressing questions about their priorities as potential board members, the future direction of OWASP, and strategies for community growth and v...

Itzik Alvas -- Secrets Security and Management 26.09.2023

Send us Fan Mail Itzik Alvas, Co-founder and CEO of Entro, is an expert on secrets security. Itzik joins Chris and Robert to discuss the significance of understanding and managing secrets, emphasizing the importance of knowing how many secrets an organization has, where they are located, and their potential impact. He elaborates on the three pillars of secrets management: listing and locating secr...

Harshil Parikh -- Deep Environmental and Organizational Context in Application Security 19.09.2023

Send us Fan Mail Harshil Parikh is a seasoned security leader with experience building security and compliance functions from the ground up. He notably built the security and compliance team at Medallia from scratch and led it through several transitions. He is also a conference speaker, and, most recently, he co-founded Tromzo. Harshil shares insights about AppSec, running a startup, selling effe...

Jeff Williams -- The Tech of Runtime Security 12.09.2023

Send us Fan Mail Jeff Willams of Contrast Security joins Chris and Robert on the Application Security Podcast to discuss runtime security, emphasizing the significance of Interactive Application Security Testing (IAST) in the modern DevOps landscape. After reflecting on the history of OWASP, the conversation turns to the challenges organizations face in managing their application security (AppSec)...

Mark Curphey and John Viega -- Chalk 05.09.2023

Send us Fan Mail Mark Curphey and John Viega join Chris and Robert to explain the details of Chalk, Crash Override's new tool. Mark also talks about why ZAP departed from OWASP and joined the Software Security Project, highlighting some of the value and differences of both organizations. Open Source Software is important to the industry, but Mark calls on companies to contribute to the develo...

Maril Vernon -- You Get What You Inspect, Not What You Expect 29.08.2023

Send us Fan Mail Maril Vernon is passionate about Purple teaming and joins Robert and Chris to discuss the intricacies of purple teaming in cybersecurity. She underscores the significance of fostering a collaborative environment between developers and the security team. Drawing from her experiences, Maril shares the challenge of development overlooking her remediation recommendations. She chose to...

Dan Küykendall -- Why All Application Security Products Suck 22.08.2023

Send us Fan Mail Dan Küykendall visits The Application Security Podcast to discuss his series "Why All AppSec Products Suck" and explain why software companies should understand the uses and limitations of any security tool. The series aims to highlight the limitations of each tool and to help users make informed decisions when selecting the right tools for their needs. In this field, th...

Kevin Johnson -- Samurai Swords and Zap's Departure 15.08.2023

Send us Fan Mail Kevin Johnson is the CEO of Secure Ideas. He began his career as a developer but turned toward security when he discovered that the interface for an intrusion detection system, Snort, was out of date. This led him to create BASE (Basic Analysis and Security Engine), a testament to Kevin's proactive approach. Kevin has a deep-rooted passion for open-source projects. He highlig...

Tony Quadros -- The Life of an AppSec Vendor 08.08.2023

Send us Fan Mail Tony Quadros, the AppSec Lumberjack, shares the unique career path that led him to find his passion in Application Security. The discussion delves into the work of an AppSec vendor, with Tony explaining his role and the responsibilities it entails. He emphasizes the importance of understanding the needs and environment of the customer, and whether the product he represents can ful...

Listen to the The Application Security Podcast podcast in Replaio

Radio and podcasts in one app - free, with no sign-up. Install today and do not miss the launch

Get it on Google Play

Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.