Chris Romeo and Robert Hurlbut

The Application Security Podcast

Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.

Author

Chris Romeo and Robert Hurlbut

Category

Technology

Podcast website

appsec.buzzsprout.com

Latest episode

Jun 16, 2026

Where to listen?

Podcasts in the app Replaio Radio Coming soon

Podcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts

Get it on Google Play Install for free Android 5M+ downloads · 4.8 rating iOS soon

Episodes

Adam Shostack — Threat modeling layer 8 and conflict modeling 10.07.2019

Send us Fan Mail Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modelin...

Adam Shostack – Threat Modeling – 5 Minute AppSec 09.07.2019

Send us Fan Mail If you've done anything with threat modeling, you've heard of Adam Shostack. We asked him the question, "why would anyone threat model?". FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Zoe Braiterman — AI, ML, AppSec, and a dose of data protection 01.07.2019

Send us Fan Mail Zoe Braiterman is an Innovation Intelligence Strategist focused on both the Machine and Human and also the OWASP WIA Chair. We explore the intersection of application security with artificial intelligence and machine learning and end up discussing data protection. Zoe approaches AppSec from a different angle, and her perspectives get us thinking about the importance of appsec in t...

Caroline Wong — Self-care and self-aware for security people 14.06.2019

Send us Fan Mail Caroline Wong has had a long career in security, starting with eBay and leading to her role today at Cobalt. IO as Chief Strategist. Caroline shares her explanation of self-care and tells her story about how neglecting self-care led to problems. She offers ideas about how to better approach self-care as a security professional, work-life balance, and ways for approaching a success...

Björn Kimminich — The new JuiceShop, GSOC, and Open Security Summit 01.06.2019

Send us Fan Mail Björn Kimminich is the project leader for OWASP JuiceShop. This is his second visit to the podcast, and we discuss new features in JuiceShop, including XSS in jingle promo video, marketing campaign coupon hacking, GDPR related features and challenges, working 2FA with TOTP, and the DLP failure challenges. Then we get into the cool new things that will come as a result of the GSoC,...

Björn Kimminich — JuiceShop — 5 minute AppSec 26.05.2019

Send us Fan Mail Björn Kimminich is the project leader for OWASP JuiceShop. He created JuiceShop out of necessity, after reviewing all the available vulnerable web apps years ago, and not finding what he needed. OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools!...

Nancy Gariché and Tanya Janca — DevSlop, the movement 21.05.2019

Send us Fan Mail Nancy Gariché and Tanya Janca are two of the project leaders for the OWASP DevSlop Project. As we learn more about DevSlop, we realize that it is much more than a project: it's a movement. DevSlop is about the learning and sharing of four awesome women and is a platform for them to share what they’ve learned with the community. DevSlop consists of four different modules: Patt...

Tanya Janca — Mentoring Monday — 5 Minute AppSec 20.05.2019

Send us Fan Mail Tanya Janca is excited about mentoring. She's started a hashtag on Twitter for mentors to find mentee's, and for mentee's to search for mentors. Mentoring is such an essential part of growing our community, so if you are not mentoring anyone today, I can only ask, why not? Here is Tanya's take on mentoring and her advice on how to get involved with #MentoringMo...

Matt Clapham — A perspective on appsec from the world of medical software 13.05.2019

Send us Fan Mail Matt Clapham is a product security person, as a developer, security engineer, advisor,  and manager. He began his career as a software tester, which led him down the path of figuring out how to break things. Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/...

Jon McCoy — Hacker outreach 06.05.2019

Send us Fan Mail Jon McCoy is a security engineer, a developer, and a hacker; and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion to connect people and break down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas.  Jon also remembered a cautionary tale of...

Omer Levi Hevroni — K8s can keep a secret? 01.05.2019

Send us Fan Mail Omer Levi Hevroni has written extensively on the topic of Kubernetes and secrets, and he's a super dev. He's the author of a tool for secrets management called Kamus. Kamus is an open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the applicatio...

Izar Tarandach — Command line threat modeling with pytm 24.04.2019

Send us Fan Mail Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as a "A Pythonic framework for threat modeling". The GitHub page goes on to say define your system in Python using the elements and properties described in the pytm framework. Based o...

Simon Bennetts — OWASP ZAP: past, present, and future 13.04.2019

Send us Fan Mail Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and ZAP API. ZAP is an OWASP FlagShip Project and is available here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: http...

Bill Sempf — Growing AppSec People and KidzMash 08.04.2019

Send us Fan Mail Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https...

Georgia Weidman — Mobile, IoT, and Pen Testing 31.03.2019

Send us Fan Mail Georgia Weidman (@georgiaweidman) met with Robert at CodeMash to discuss her origin story, mobile, IoT, penetration testing, and details about her various companies. If you've never seen Georgia's book on penetration testing, we recommend you grab a copy. http://www.nostarch.com/pentesting To sign up for the  newsletter mentioned at the start of this week's show, vi...

Conclusion: Season 4 Finale 25.02.2019

Send us Fan Mail Here it is. The finale of season four. Thanks to everyone who listens in, and remember, if there are any people you want us to interview on the podcast, tweet at us @AppSecPodcast FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~...

Geoff Hill -- Rapid Threat Model Prototyping Process 01.02.2019

Send us Fan Mail Geoff Hill joins Chris and Robert to talk about Rapid Threat Model Prototyping Process. You can find Geoff on Twitter @Tutamantic_Sec FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bill Wilder -- Running Azure Securely 25.01.2019

Send us Fan Mail Bill Wilder joins Chris and Robert to talk about Running Azure Securely. You can find Bill on Twitter @codingoutloud FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Matt Konda -- OWASP Glue 18.01.2019

Send us Fan Mail Matt Konda joins Chris and Robert to talk about what Glue is. You can find Matt on Twitter @mkonda OWASP Glue FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Josh Grossman, Avi Douglen, and Ofer Maor -- AppSec in Israel and Three Talks to watch from AppSec USA 11.01.2019

Send us Fan Mail Josh Grossman, Avi Douglen, and Ofer Maor at AppSec USA join Chris. They discuss the AppSec group in Israel and a few critical talks you should watch from AppSec USA this year. You can find Josh on Twitter @JoshCGrossman You can find Avi on Twitter @sec_tigger You can find Ofer on Twitter @OferMaor FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Securi...

Daniel Miessler -- OWASP IoT Top 10 01.01.2019

Send us Fan Mail Daniel Miessler joins Chris and Robert to talk about the upcoming Top 10 list for IoT. You can find Daniel on Twitter @DanielMiessler IoT Project FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Travis McPeak -- SecOps Makes Developers Lives Easier 18.12.2018

Send us Fan Mail Travis McPeak joins Chris to talk about SecOps and how it can help make a developer's life easier.  You can find Travis on Twitter @travismcpeak FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris Romeo -- Security Culture Hacking: Disrupting the Security Status Quo 10.12.2018

Send us Fan Mail We listen in on the #AppSecUSA talk by Chris about Security Culture Hacking.  You can find Chris on Twitter @edgeroute    FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jim Manico -- The Extremely Unabridged History of SQLi and XSS 03.12.2018

Send us Fan Mail Jim Manico joins again to talk about how AppSec has changed over the years and gives us an in-depth look at the history of SQL Injection and XSS.  You can find Jim on Twitter @manicode FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~...

Jeff Williams -- The History of OWASP 27.11.2018

Send us Fan Mail Chris talks with Jeff Williams about the History of OWASP and where it came from.  You can find Jeff on Twitter @planetlevel FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast ➜LinkedIn: The Application Security Podcast ➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Listen to the The Application Security Podcast podcast in Replaio

Radio and podcasts in one app - free, with no sign-up. Install today and do not miss the launch

Get it on Google Play

Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.