Josh Grossman - building Appsec programs, bridging security and developer gaps
YouTube VOD: https://youtu.be/G3PxZFmDyj4
#appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis
Questions and topics:
1. The background to the topic, why is it something that interests you? How do you convince developers to take your course?
2. What do you think the root cause of the gap is?
3. Who is causing the gaps? ('go fast' culture, overzealous security, GRC requirements, basically everyone?)
4. Where do gaps begin? Is it the 'need' to 'move fast'?
5. What can devs do to involve security in their process? Sprint planning? SCA tools?
6. How have you seen this go wrong at organizations?
7. How important is it to have security early in the product development process?
8. What sort of challenges do you think mainstream security people face in AppSec scenarios?
9. How does Product Security differ from Application Security? (what if the product is an application?)
10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec?
11. How do you suggest a security team approach AppSec/ProdSec? Leadership buy-in; effective/valuable processes; tools should achieve a goal.
12. SBOM - NTIA is asking for it; how to get dev teams to care.
13. Key takeaways?
Additional information / pertinent links (Would you like to know more?):
BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218
https://www.walkme.com/blog/leadership-buy-in/
https://www.bouncesecurity.com/
https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example
https://www.cisa.gov/sbom
SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd
https://semgrep.dev/
https://www.linkedin.com/in/joshcgrossman
https://owasp.org/www-project-application-security-verification-standard/
https://github.com/OWASP/ASVS/tree/master/5.0
https://owasp.org/www-project-cyclonedx/
https://joshcgrossman.com/
PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg
Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210
ASVS website: https://owasp.org/asvs
Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee
Show points of contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
YouTube channel: https://youtube.com/@brakeseced
Twitch Channel: https://twitch.tv/brakesec