
The Alice and Bob characters were invented by Ron Rivest, Adi Shamir, and Leonard Adleman in their 1978 paper "A Method for Obtaining Digital Signatures and Public-key Cryptosystems". Alice and Bob were also joined by an additional cast of characters as needed to keep the explanation of cryptographic systems lively and relatable. The famous Cryptographic couple have now ventured into Application Security. In her book, "Alice and Bob Learn Application Security", my guest today Tanya Janca, has done a fantastic job of discussing 10 topics across 3 sections to address the subject of AppSec. Tune in to the podcast as we discuss the practitioner aspects of being a security minded developer.Special Guest: Tanya Janca, CEO and Founder of We Hack PurpleTanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.community.wehackpurple.comacademy.wehackpurple.comaliceandboblearn.comChecklists:Secure Design Conceptshttps://newsletter.wehackpurple.com/foundational-security-conceptsPCI-DSS for Devs!https://newsletter.wehackpurple.com/pci-dss-for-devsAPI Security Best Practiceshttps://newsletter.wehackpurple.com/api-securityApplication Security Activitieshttps://newsletter.wehackpurple.com/appsec-activitiesAzure Hardening Best Practicehttps://newsletter.wehackpurple.com/azure-hardeningError Handling and Logginghttps://newsletter.wehackpurple.com/errors-and-loggingSecure Coding Guidelineshttps://newsletter.wehackpurple.com/secure-coding-guidelinesTips For Getting Into InfoSechttps://newsletter.wehackpurple.com/getting-into-infosecWeb App Security Requirementshttps://newsletter.wehackpurple.com/web-app-security-requirementsMore Links!Check out other episodes of Security in the Fast Lane: https://www.whitehatsec.com/security-in-the-fastlane/Check out our other podcast, AppSec Stats Flash: https://www.whitehatsec.com/appsec-stats-flash/To learn more about NTT Application Security, visit us at www.whitehatsec.com
Oct 7, 2021
51 min

Special Guest: Jeremiah Grossman, Founder of WhiteHat Security and current Founder and CEO at Bit DiscoveryLinks for further reading & listening:https://www.scientificamerican.com/article/rumsfelds-wisdom/https://uxdesign.cc/the-knowns-and-unknowns-framework-for-design-thinking-6537787de2c5https://www.nasa.gov/centers/ivv/ppt/172585main_SoftwareAssuranceSymposium_OConnor.pptCheck out other episodes of Security in the Fast Lane: https://www.whitehatsec.com/security-in-the-fastlane/Check out our other podcast, AppSec Stats Flash: https://www.whitehatsec.com/appsec-stats-flash/To learn more about NTT Application Security, visit us at www.whitehatsec.com
Sep 7, 2021
36 min

Developers don’t know they are writing insecure code, so how do we hold them responsible for insecure software? At the same time security teams are buying software to find software vulnerabilities and then buying more software to mitigate those vulnerabilities. All this when the software technology inventory at organizations continues to grow while subject matter expertise on older technologies is dwindling. In this episode we identify a handful of bold steps that can clear up this logjam and create the required bid for action?Special Guest: Matias Madou, CTO and Co-Founder at Secure Code WarriorCheck out other episodes of Security in the Fast Lane: https://www.whitehatsec.com/security-in-the-fastlane/Check out our other podcast, AppSec Stats Flash: https://www.whitehatsec.com/appsec-stats-flash/To learn more about NTT Application Security, visit us at www.whitehatsec.com
Aug 11, 2021
38 min

The software community has failed to draw a line between the security of products running in production with the product requirements that shape those very products in the first place. Join us, with special Guest James Robinson, Deputy CISO at Netskope, as we talk about security and product management.Special Guest: James Robinson, Deputy CISO at NetskopeLinks for further reading & listening:OWASP Top Ten: https://owasp.org/www-project-top-ten/OWASP Abuse Case Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.htmlCyLab Usable Privacy and Security Laboratory (CUPS): https://cups.cs.cmu.edu/Atomic Habits by James Clear: https://jamesclear.com/atomic-habitsCheck out other episodes of Security in the Fast Lane: https://www.whitehatsec.com/security-in-the-fastlane/Check out our other podcast, AppSec Stats Flash: https://www.whitehatsec.com/appsec-stats-flash/To learn more about NTT Application Security, visit us at www.whitehatsec.com
Jul 15, 2021
42 min

APIs are one of the most powerful vehicles for value exchange in the digital economy. Matt McLarty and his co-author Tiffany Wang have provided a simple yet compelling way of building APIs to maximize this value exchange. In this conversation with Matt, Setu Kulkarni explores integrating security in the 3 “ways of the API”. For the first way, the “Unbundling Way”, they conclude that organizations need to develop an API visibility strategy: CISO & System Architects to build out a baseline API inventory & network and implement tooling to update the API inventory & network organically. For the second way, the “Outside In Way”, they conclude that API exposition should be guided by customer use cases & abuse cases and that API security should be a central consideration for production readiness checks for APIs. For the third way, the “Ecosystem Way”, they conclude that organizations should set up voluntary disclosure frameworks for their API and data security practices so that the internal software development teams measures up to those standards and external partners & consumers develop the confidence they need to integrate/use your public APIs.Read this episode's accompanying blog: https://www.whitehatsec.com/blog/the-ways-of-the-api-a-useful-pattern-to-apply-to-api-security/Links for further reading & listening:https://hbr.org/2021/04/apis-arent-just-for-tech-companieshttps://www.forbes.com/sites/forbesbusinessdevelopmentcouncil/2021/03/05/de-risking-business-partnerships-in-an-application-driven-economy/https://www.amazon.com/Art-Systems-Architecting-Second/dp/0849304407https://www.oreilly.com/library/view/securing-microservice-apis/9781492027140/https://podbay.fm/p/radio-mulesoft/e/1598593948
Jun 3, 2021
41 min
