The Elephant in AppSec

Computer and Network Security

About us

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room. Our hosts are the Escape team—Alexandra and Tristan. We love strong opinions on all things Application Security. Don't hesitate to reach out if you have one.

YouTube: https://www.youtube.com/@the-elephant-in-appsec
Spotify: https://open.spotify.com/show/1mc6NbXygXOOyv4I32SX8u
Stories and transcripts are also available on our blog: https://escape.tech/blog/tag/the-elephant-in-appsec/

Website
https://www.youtube.com/@the-elephant-in-appsec
Industry
Computer and Network Security
Company size
2-10 employees
Type
Privately held
Specialties
Application Security, Product Security, Strong opinions and Hot takes


Posts

  • New episode

    Alexandra Charikova (Making applications secure @Escape | Podcast Host @ The Elephant in AppSec | Application Security | API security)

    Ever thought about the security risks that GitHub Actions introduce to your workflows? If not, a recent The Elephant in AppSec podcast episode with François Proulx is a must-listen! Most people don’t realize they’re adding untrusted code or user input to their pull requests, which ultimately gets processed in GitHub Actions. In this episode, we dive deep into:

    - The critical topic of supply chain insider threats in open-source projects
    - The importance of the “trust, but verify” mantra
    - How the transition from a single maintainer to a team can increase security risks

    If you’re wondering about the future of automated security checks on platforms like GitHub, and the specific vulnerabilities in build pipelines, this episode is for you. Dive right in!

  • The Elephant in AppSec reposted this

    Alexandra Charikova

    Key learnings from my past conversation with Koen Hendrix, Director of Product Security at Zendesk — and the first guest of the current season of The Elephant in AppSec! In my episode with Koen, we covered why non-negotiable security practices must be clearly communicated to teams, how change management has become a significant challenge in security, and why collaboration is often overlooked in favor of tools. Check out the key takeaways in the carousel. Would love to hear your thoughts!

  • The Elephant in AppSec reposted this

    Alexandra Charikova

    Are we truly managing Third-Party risks? Last November, the Bank of England withdrew a controversial vulnerability disclosure rule requiring critical third parties to disclose vulnerabilities, fearing it could hand threat actors a tactical advantage. Let that sink in. If transparency is a risk, when is the right time to disclose? How do we balance the need for security with the reality of third-party dependencies? In the new episode of The Elephant in AppSec, I sit down with Rachel C. to break down the illusion of control in third-party risk management:

    - Should vendors be forced to disclose vulnerabilities when they're patched?
    - How do we continuously evaluate our reliance on third parties?
    - Why does an "assume breach" mindset lead to better risk decisions?
    - How can Product Security engineers help drive third-party security?

    If you deal with vendors, this conversation will challenge the way you think about third-party risk! Dive right in!

  • The Elephant in AppSec reposted this

    Alexandra Charikova

    A while back, I asked what content you wanted more of—and the top request? Short, actionable takeaways from The Elephant in AppSec podcast. So here you go. Key learnings from my conversation with Iman Ilbag! We covered everything from the importance of DevOps in security, to choosing the right tools, to making security automation easier for developers. Check out the key takeaways in the carousel. Would love to hear your thoughts!

  • Wondering about all reachability types out there? This episode is for you!

    Alexandra Charikova

    Reachability—is it hyped or helpful? A lot of security vendors say they "do reachability"—but what does that actually mean? In this episode, I sit down with Nir Valtman to unpack the reachability hype and break it all down:

    - Why "reachability" has multiple definitions (and why that matters)
    - How it impacts vulnerability prioritization
    - How 9% of vulnerabilities still make it to production—after being flagged
    - Why developers want security scans to be under 30 seconds

    If you're hearing "reachability" everywhere but aren't sure what it actually means or why it matters, this episode is for you. Dive right in!

  • The Elephant in AppSec reposted this

    Escape (4,635 followers)

    We've come a long way, but there's a long way to go. The cybersecurity industry is rapidly evolving, but there are some key changes that would make it evolve not just faster, but better. Here's what guests of The Elephant in AppSec suggest:

    - Threat modeling assisted by AI - Ashwini Siddhi
    - Prioritize issues to not overwhelm collaborators with too much info - Confidence Staveley
    - Fewer manual steps and more automation in API security - Iman Ilbag
    - Security should be at the same level as performance - Izar Tarandach
    - We need more structured advice to get security postures from A to B - Irfaan Santoe
    - Building security culture is a whole business effort, not just project managers or developers - Magdalena Modric

    Agree with these takes? What do you think needs to change in the cyber industry? Let us know! If you want to find out more, you can listen to all of their episodes out now: https://lnkd.in/eCXFSzdz

  • The Elephant in AppSec reposted this

    Alexandra Charikova

    What do you really need to succeed in DevSecOps? Some engineers think they need better tools. In reality? They need a deeper understanding of DevOps and developers' mindset first. That’s exactly what we’re diving into in the latest episode of The Elephant in AppSec! This time, I’m joined by Iman Ilbag, DevSecOps Engineer at KPN. In this episode, we dive into:

    - Why a solid understanding of DevOps is essential before implementing DevSecOps
    - How the cultural aspects of security often outweigh the tools themselves
    - What the limitations of ASPM tools are & the role of DefectDojo in effective vulnerability management
    - Why selecting the right security tools is critical for DevSecOps success!

    If you’re currently building or want to improve your DevSecOps program, this episode is not to be missed.

  • The Elephant in AppSec reposted this

    Alexandra Charikova

    Scale isn’t just about size. Many assume “scale” simply means a massive enterprise like Dell. But that’s only part of the picture.

    - Scale could mean an entirely cloud-native organization with countless AWS services—each adding complexity and reducing visibility.
    - It could mean serving government clients, navigating a web of compliance and regulations.
    - Or it could be a rapidly growing startup struggling to maintain security across expanding development teams.

    Understanding your organization’s scale is step one. But what comes next? In my recent podcast with Ashwini Siddhi, we explored her paper on scaling threat modeling with Matthew Coles. One of the key aspects? Getting the right people to have skin in the game.

    - Involve compliance leaders for regulatory insight
    - Engage security architects to ensure technical feasibility
    - Partner with central security teams to maintain a unified strategy

    This isn’t just about process—it’s about strategy and accountability. When stakeholders contribute, they own the outcome. That’s what makes security scalable, adaptable, and sustainable. As Ashwini puts it: "Your strategy is going to be successful only if you have representation from all pillars and all dimensions and all aspects of the organization. So they have a stake in it, and they are going to talk about it." What does “scale” mean in your organization, and how do you make sure the right people contribute?

  • The Elephant in AppSec reposted this

    Alexandra Charikova

    New episode: Unpacking Opengrep. Last month, Opengrep made headlines after forking Semgrep Community Edition—aiming to democratize SAST. Some backed it. Others pushed back. Either way, it sparked debate—exactly what The Elephant in AppSec is here for. I sat down with the teams behind Opengrep (Eitan Worcel, Eran Medan, Aviram Shmueli, Willem Delbare) on The Elephant in AppSec to break it down:

    - Why they did it
    - The feedback so far—good and bad
    - Where Opengrep is headed—what can we expect a year from now?

    I’m staying neutral in this discussion, and my goal on the podcast is simple: to bring you conversations where people aren’t afraid to share bold opinions. Key takeaways:

    - The collaboration on Opengrep was driven by a shared vision to democratize SAST capabilities
    - The focus in the initial phase is on improving the engine's performance and capabilities
    - Skepticism from the community can be addressed through transparency and demonstrable value

    Tune in to the episode now and share your thoughts in the comments!

  • Developers & security team: a match made in heaven. Engineering and security teams don’t have to be at odds. In fact, when they work together, they create stronger, more secure, and resilient applications. If you want to hear real stories, insights, and strategies for making this collaboration work, here’s a selection of must-listen episodes for this Valentine's day:

    - What does “collaborate with engineering” actually mean in AppSec? with Koen Hendrix: https://lnkd.in/ej7v_aX8
    - Security champion program: A must or completely useless? with Dustin Lehr: https://lnkd.in/ejPX3S_P
    - Is it actually realistic to see everyone as the greatest ally in security? with Alina Y: https://lnkd.in/ekqdjVBZ
    - Developers and security training: can they co-exist? with Laura Bell Main: https://lnkd.in/emjdWxfQ
    - Is It Possible to Maximize the Effectiveness of Security Champions? with Magdalena Modric: https://lnkd.in/ej3Zyj8x
    - Security training: Necessary investment or overrated expense? with Mel Reyes: https://lnkd.in/e-9wkre3

    Dive right in!
