Chris Romeo and Robert Hurlbut
The Application Security Podcast
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
Author
Chris Romeo and Robert Hurlbut
Category
Podcast website
Latest episode
Jun 16, 2026
Where to listen?
Podcasts in the app Replaio Radio Coming soonPodcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts
Episodes
Alyssa Miller — Experiences with DevOps + Automation and beyond 13.02.2020 44:07
Send us Fan Mail Alyssa is a hacker, security evangelist, cybersecurity professional and international public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments but also helping develop complete security programs. Alyssa joins us to share her take on DevOps, automation, and beyon...
Vandana Verma — Support each other 08.02.2020 28:30
Send us Fan Mail Vandana Verma is a passionate advocate for application security. From serving on the OWASP Board to running various groups promoting security to organizing conferences, she is engaged in making the global application security community a better place. She manages the @Infosecgirls organization and is a leader for the @OWASPBangalore chapter. Vandana joins us to discuss her work so...
DJ Schleen — DevOps: The Sec is Silent 30.01.2020 37:35
Send us Fan Mail DJ Schleen is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey. DJ joins us to talk about the philosophy of DevOps and flow, DevSecOps and silos, a...
Niels Tanis — 3rd Party Risk in a .NET World 24.01.2020 35:54
Send us Fan Mail Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending and building secure applications. Neils joins us to continue our .NET conversation from last year. This time around we focus on the 3rd party risk we pull into our applications by using third party libraries in a .NET conversation from last year. This time...
Maya Kaczorowski — Container and Orchestration Security 16.01.2020 33:31
Send us Fan Mail Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Maya has a Master's in mathematics, focusing on cryptography and game theory. Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for e...
Geoff Hill — AppSec, DevSecOps, and Diplomacy 09.01.2020 36:53
Send us Fan Mail Geoffrey Hill is an AppSec DevSecOps leader and Architect. Geoff joins us to discuss his experiences rolling out DevSecOps in both Agile and non-Agile practicing shops. We hope you enjoy this conversation with...Geoff Hill. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Tha...
Erez Yalon — The OWASP API Security Project 03.01.2020 36:57
Send us Fan Mail Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy this conversation with … Erez Yalon. Find the D...
Steve Lipner — The Past, Present, and Future of SDL 20.12.2019 33:52
Send us Fan Mail Steve Lipner is a pioneer in cybersecurity, approaching 50 years’ experience. He retired in 2015 from Microsoft where he was the creator and long-time leader of Microsoft’s Security Development Lifecycle (SDL) team. While at Microsoft, Steve also created initiatives to encourage industry adoption of secure development practices and the SDL and served as a member and chair of the S...
David Kosorok — The Three Pillars of an AppSec Program: Prevent, Detect, and React 16.12.2019 30:30
Send us Fan Mail David Kosorok is a code security expert, software tester, father of 9, and a self-described major nerd. David is the Director of AppSec at Align Tech, and a fellow member of the Raleigh Durham tech community. David joins us to speak about the three pillars of building an application security program: Prevent, Detect, and React. When we think the program, we’ve never heard anyone r...
Chris and Robert: A Taste of Hi-5 01.12.2019 27:59
Send us Fan Mail As the hosts of the Application Security Podcast, we get the opportunity from time to time to mix it up. This week we gather a few security articles, share a summary, and offer our opinions (for what our opinions are worth). The source of the articles is Hi-5, a weekly newsletter containing five security articles that are worth your time. We scour the Interwebs looking for the be...
Bill Dougherty — INCLUDES NO DIRT, practical threat modeling for healthcare and beyond 21.11.2019 32:08
Send us Fan Mail Bill Dougherty is the vice president of IT and security at Omada Health, where he leads a team responsible for all aspects of internal IT including SaaS strategy, end-user support, vendor management, operational security and compliance. Bill along with Patrick Curry created the INCLUDES NO DIRT approach to threat modeling, which takes threat modeling to the next level, beyond STRI...
Marc French — The AppSec CISO 10.11.2019 43:48
Send us Fan Mail Marc French is a security person, firearms geek, scuba guy, lousy golfer, and an aspiring blacksmith. We met Marc in the hallway at the Boston Application Security Conference. Marc has extensive experience as a CISO but came from the world of AppSec to the exec suite, which is not the normal path. We discuss what is a CISO, and what does a CISO actually do, the role of AppSec in t...
Season 5 Finale — A cross section of #AppSec 26.10.2019 37:49
Send us Fan Mail Threat modeling, secrets, mentoring, self-care, program building, and much more. Clips from Georgia Weidman, Simon Bennetts, Izar Tarandach, Omer Levi Hevroni, Tanya Janca, Björn Kimminich, Caroline Wong, Adam Shostack, Steve Springett, Matt McGrath, Brook Schoenfield, and Ronnie Flathers. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcas...
Ronnie Flathers — Security programs big and small 28.09.2019 37:53
Send us Fan Mail Ronnie Flathers is a security guy, a pentester, and a researcher. In this conversation, we explore his experiences in building application security programs. He's had the opportunity to program build inside of companies big and small. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSec...
Brook Schoenfield — Security is a messy problem 15.09.2019 44:54
Send us Fan Mail Brook Schoenfield is a Master Security Architect @IOActive and author of Securing Systems, as well as an industry leader in security architecture and threat modeling, and a friend. "We have a static analysis tool. Why do we need a program?" This is what Brook overheard at one point in his past, from a company CTO, and it sums up the program issue. The CTO was trying to d...
Liran Tal — The state of open source software security 05.09.2019 34:00
Send us Fan Mail Liran Tal is a Developer Advocate @snyksec and is the author of Essential Node.js Security. He takes #opensource and protecting the #web very seriously. Liran and I start by geeking out about BBS's in the days of old. SYSOP page, anyone? Then we go into the state of open source security based on the report that Liran contributed heavily to and discuss many of the key takeaway...
Liran Tal — Open Source Security — 5 Minute AppSec 03.09.2019 2:39
Send us Fan Mail Why should someone care about open source security? FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steve Springett — An insiders checklist for Software Composition Analysis 27.08.2019 50:49
Send us Fan Mail Steve Springett is a technologist, husband, father, entrepreneur, and tequila aficionado. He is the creator of the OWASP @DependencyTrack and @CycloneDX_Spec. In this conversation, we begin with the problem of software supply chain risk and the failures of commercial Software Composition Analysis tools. We then go through an extensive list of criteria for purchasing a software com...
Steve Springett — OWASP Dependency Track — 5 Minute AppSec 25.08.2019 4:36
Send us Fan Mail The question is for Steve Springett, in regards to Software Composition Analysis / Software Supply Chain and OWASP Dependency Track. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Elissa Shevinsky — Static Analysis early and often 19.08.2019 29:12
Send us Fan Mail Elissa Shevinsky is CEO at Faster Than Light. She's had a storied career as an entrepreneur with Brave, Everyday Health, and Geekcorps. We discuss Elissa's origin story, security startups, and the value of mentoring to her career. Then we get into Static Analysis and how we make security easier for people so that security gets done. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @Ap...
Elissa Shevinsky — Be Kind, Security People — 5 Minute AppSec 14.08.2019 2:18
Send us Fan Mail Robert asks Elissa Shevinsky, why should people be nice, or why is niceness important in security? FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Matt McGrath — Security coaches 05.08.2019 43:53
Send us Fan Mail Matt McGrath is an old school Java developer that made the transition into security. Matt has had success in rolling out a programmatic approach to security improvement called security coaching. A security coach is much more than a wellness or life coach for your developers. They have some commonalities, but the security coach is thinking about how you help the developer want to g...
Erez Yalon and Liora Herman – The Application Security Village @ DefCon 29.07.2019 22:53
Send us Fan Mail Erez Yalon and Liora Herman are both passionate security professionals. They joined forces to create the AppSec Village, an event at DefCon in Las Vegas. If you are in Vegas for BH/DC, stop by the village and say hi to Robert, who will be in attendance as well. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtu...
Erez Yalon – AppSec Village – 5 Minute AppSec 29.07.2019 1:30
Send us Fan Mail It's BlackHat and DefCon season, so we asked a question of Erez Yalon; why did you start the AppSec Village? FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tommy Ross — The BSA Framework for Secure Software 19.07.2019 36:58
Send us Fan Mail Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA members to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software. This document caught our attentio...
Similar podcasts
Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.