Chris Romeo and Robert Hurlbut

The Application Security Podcast

Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.

Author

Chris Romeo and Robert Hurlbut

Category

Technology

Podcast website

appsec.buzzsprout.com

Latest episode

Jun 16, 2026

Where to listen?

Podcasts in the app Replaio Radio Coming soon

Podcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts

Get it on Google Play Install for free Android 5M+ downloads · 4.8 rating iOS soon

Episodes

Anastasiia Voitova -- Encryption is easy, key management is hard 14.09.2021

Send us Fan Mail Anastasiia Voitova is the Head of customer solutions and a security software engineer at Cossack Labs. She works on data security and encryption tools and their integration into the real world apps. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~...

Eran Kinsbruner -- DevSecOps Continuous Testing 20.08.2021

Send us Fan Mail Eran Kinsbruner is the Chief Evangelist and Senior Director at Perforce Software. His published books include the 2016 Amazon bestseller, “The Digital Quality Handbook”, “Continuous Testing for DevOps Professionals”, and “Accelerating Software Quality – ML and AI in the Age of DevOps”. Eran is a recognized influencer on continuous testing and DevOps thought leadership, an internat...

Mark Loveless -- Threat modeling in a DevSecOps environment. 13.08.2021

Send us Fan Mail Mark Loveless - aka Simple Nomad - is a security researcher and hacker. He's spoken at numerous security and hacker conferences worldwide, including Blackhat, DEF CON, ShmooCon, and RSA. He's been quoted in the press including CNN, Washington Post, and the New York Times. Mark joins us to discuss his series of blog posts on Threat Modeling at GitLab. We discuss his philo...

Jeroen Willemsen -- Security automation with ci/cd 06.08.2021

Send us Fan Mail Jeroen Willemsen is a Principal Security Architect at Xebia. Jeroen is more or less a jack of all trades with an interest in infrastructure security, risk management, and application security. With a love for mobile security, he enjoys sharing knowledge on various security topics. Jeroen joins us to unpack security automation in a DevOps world. We discuss categories of tools, typi...

Thinking back, Looking forward - A Balanced Approach to Securing our Software Future 15.07.2021

Send us Fan Mail Kevin Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He leverages his knowledge to create meaningful solutions and technologies to improve software security practices. Kevin and I had a conversation to discuss software security from the past and into the future. W...

Jeevan Singh -- Threat modeling based in democracy 11.06.2021

Send us Fan Mail Jeevan Singh is a Security Engineer Manager at Segment, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Before life in the security space, Jeevan had a wide variety of development and leadership roles over the past 15 years. Jeevan joins...

Dima Kotik -- Application Security and the Zen of Python 21.05.2021

Send us Fan Mail Dima Kotik is an Application Security Engineer at Security Journey and has been programming in Python for years. As he was working on building out Security Journey's Secure Coding with Python content, he came across the Zen of Python, a set of guidelines for how to program in Python. He wrote a blog post about how to apply application security to the Zen of Python, and then w...

Dustin Lehr -- Advocating and being on the side of developers 07.05.2021

Send us Fan Mail Before taking the plunge into information security leadership, Dustin Lehr spent over a decade as a software engineer and architect in a variety of industries, including retail, DoD, and even video games. This diverse background has helped him forge close partnerships with development teams, engineering leaders, and software security advocates while pursuing the organizational cul...

Aaron Rinehart -- Security Chaos Engineering 30.04.2021

Send us Fan Mail Aaron Rinehart is expanding the possibilities of chaos engineering to cybersecurity. He began pioneering security in chaos engineering when he released ChaoSlingr during his tenure as Chief Security Architect at UnitedHealth Group (UHG). Rinehart is the O'Reilly Author on Security Chaos Engineering and has recently founded a chaos engineering startup called Verica with Casey...

Izar Tarandach and Matt Coles-- Threat Modeling: A Practical Guide for Development Teams 23.04.2021

Send us Fan Mail In this episode of the Application Security Podcast, we're joined by friends Izar and Matt, authors of the book "Threat Modeling: A Practical Guide for Development Teams." Izar is currently the Squarespace Principal Security Engineer. He lives in NY, where he enjoys telling people who separate security from development to get off his lawn. Matt is currently a Produc...

Charles Shirer -- The most positive person in security 16.04.2021

Send us Fan Mail Charles is a Senior Security Consultant for Red Siege. He has over 18 years of experience in IT. In his spare time, Charles does retro gaming and works on the SECBSD open source project, a penetration testing distro. He currently works as Staff at several Security Conferences, podcasts (GrumpyHackers) (Positively Blue Team Cast), and is a part of the MentalHealthHackers DeadPixelS...

Leif Dreizler -- Tactical tips to shift engineering right 09.04.2021

Send us Fan Mail Leif Dreizler is the manager of the Product Security team at Segment. Leif got his start in the security industry at Redspin doing security consulting work and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the LocoMocoSec Conference, and the AppSec California conference. Leif caught our attention when he published an article called Shifting...

Vandana Verma -- OWASP Spotlight Series 02.04.2021

Send us Fan Mail Vandana Verma is the President of Infosec girls and Infosec Kids, a board of directors member for OWASP, and a leader for BSides Dehli. She joins us to introduce the OWASP Spotlight Series. With each video she creates, she highlights an OWASP project. We survey the projects she's covered and discuss a specific takeaway from each for the application security person. We hope yo...

Dr. Anita D’Amico -- Do certain types of developers or teams write more secure code? 25.03.2021

Send us Fan Mail Dr. Anita D’Amico is the CEO of Code Dx, which provides Application Security Orchestration and Correlation solutions to industry and government. Her roots are in experimental psychology and human factors. Her attention is now focused on enhancing the decisions and work processes of software developers and AppSec analysts to make code more secure. Anita joins us to discuss research...

Alyssa Miller -- Bringing security to DevOps and the CI/CD pipeline 18.03.2021

Send us Fan Mail Alyssa Miller is a life-long hacker, security advocate, and cybersecurity leader. She is the BISO for S&P Global ratings and has over 15 years of experience in security roles. She is heavily involved in the cybersecurity community as an international speaker, author, and advocate. Alyssa joins us to talk about bringing security to DevOps and the CI/CD pipeline. We talk about t...

Liran Tal — Cloud native application security, what’s a developer to do? 09.03.2021

Send us Fan Mail Liran Tal is an application security activist and long-time proponent of open-source software. He is a member of the Node.js security working group , an OWASP project lead, author of Essential Node.js Security, and O’Reilly’s Serverless Security. He is leading the developer advocacy team at Snyk in a mission to empower developers with better dev-first security. Liran joins us to t...

Chris Romeo — DevSecOps Fails 17.02.2021

Send us Fan Mail For this episode, Robert and I decided to talk about an article I wrote called "DevOps security culture: 12 fails your team can learn from". We hope you enjoy this walkthrough of the 12 fails. If we missed any, hit us up on Twitter and let us know what we should add to the list. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast...

Jim Routh — Secure software pipelines 10.02.2021

Send us Fan Mail Jim Routh has built software security programs at some of the biggest brands in the world. He has served as CISO or CSO six different times in his career, always staying close to his cyber and software security roots. Jim has hung up his CISO badge and now focuses on serving on boards and advising security-focused startups. Jim’s original AppSec podcast episode is our #1 listened...

Andrew van der Stock — Taking Application Security to the Masses 20.01.2021

Send us Fan Mail Andrew van der Stock has been around the world of Application Security for quite a long time. In 2020, he took over as the Executive Director of OWASP, and he's working from within the organization to further the mission of taking application security to the masses. We discuss Andrew's OWASP origin story and he defines OWASP and the OWASP core mission. We talk membership...

JC Herz and Steve Springett — SBOMs and software supply chain assurance 12.01.2021

Send us Fan Mail JC Herz is the COO of Ion Channel, a software logistics and supply chain assurance platform for critical infrastructure. She is a visiting fellow at George Mason’s National Security Institute and co-chairs a Department of Commerce working group on software bills of materials for security-sensitive public and private sector enterprises. JC and Steve Springett join  to talk all thin...

Brian Reed — Mobile Appsec: The Good, the Bad and the Ugly as We Head into 2021 06.01.2021

Send us Fan Mail Brian Reed is Chief Mobility Officer at NowSecure. Brian has over 30 years in tech and 15 years in mobile, security, and apps dating back to the birth of mobile including BlackBerry, Good Technology, BoxTone, and MicroFocus. Brian joins us to discuss mobile application security, the good, the bad, and the ugly as we head into 2021. We discuss recent issues in mobile apps, mobile f...

The Threat Modeling Manifesto – Part 2 24.11.2020

Send us Fan Mail This is part two of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. In this episode, we move on from definition to working through the values and principles that make up threat m...

The Threat Modeling Manifesto – Part 1 17.11.2020

Send us Fan Mail This is part one of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. Our intention is to share a distilled version  of our collective threat modeling knowledge in a way that shoul...

Season 7 Guests — The best of Season 7 26.10.2020

Send us Fan Mail This is our final episode of Season 7, and we thought we'd share some of our favorite clips with you. We've covered lots of ground, from featuring many OWASP projects to DevSecOps, penetration testing, AWS security, SameSite cookies, crypto, and that just scratches the surface. We hope you enjoy this wrap-up episode with.... A whole bunch of Season 7 guests. FOLLOW OUR S...

Aviat Jean-Baptiste — The AppSec report 13.10.2020

Send us Fan Mail Jb Aviat is CTO and co-founder at Sqreen. Prior to this, Jb worked at Apple as a reverse engineer, pentester, and developer. Jb joins us to discuss the new Application Security Report that Sqreen has released. We review what the report contains, key takeaways and conclusions, and even consider which framework/language is the most secure. We hope you enjoy this conversation with…....

Listen to the The Application Security Podcast podcast in Replaio

Radio and podcasts in one app - free, with no sign-up. Install today and do not miss the launch

Get it on Google Play

Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.