The Security Champions Podcast

Irfaan Santoe is the leader of the OWASP Netherlands chapter and the creator of the OWASP Security Champions Guide. He is passionate about scaling security in AppDev, DevOps, and Cloud and has helped numerous multinationals solve information security challenges. In this episode of The Security Champions Podcast, Irfaan walks through the Security Champion Program Guide. He shares the motivation behind the project, what makes this guide different, how security champions can affect real change, and more! [0:05] Welcome to The Security Champions Podcast [14:13] The Motivation Behind the OWASP Security Champions Guide [18:02] How To Get Buy-In for a New OWASP Project [21:28] Why the Champions Guide is Different[28:26] How To Make Everyone a Security Champion[32:49] Engineers are Part of the Security Team  [37:52] Facilitating Behavioral Change[41:02] How Security Champions Bring the Community TogetherEpisode Resources:OWASP Security Champions Guide - https://owasp.org/www-project-security-champions-guidebook/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Noah Morse is an application security engineer at Security Journey focused on building vulnerable sandboxes for our Break/Fix lessons that teach developers how to secure applications. Noah joined the podcast to share his experience attending Black Hat USA 2024. They cover some of the most popular topics from the conference, the talks that Noah attended and key takeaways to consider. Welcome to The Security Champions Podcast [0:25]AI/LLMs "That's How They're Supposed to Work" [6:24]The Scary Long Game Social Engineering Attacks That Most of Us Would Fall For [10:15]Relationships Matter in Ransomware Gangs [14:17]Privacy Intrusion Techniques [20:20]Hackers in the Media [24:05]Quantum Computers [29:50]Ransomware Groups Have Better Security Than You [32:50]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Michael Bargury is a security researcher passionate about all things related to cloud, SaaS and low-code security, and he spends his time finding the ways they could all go wrong. He is the co-founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps and leads the OWASP No-Code/Low-Code Top 10 project.Michael joined the podcast to explain low-code/no-code solutions and discuss the best practices for optimizing security in the organizations that use them. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Ahmad is an entrepreneur with three successful ventures who is currently the CEO at Corgea. He led various products at Coupa after they acquired his previous venture, Riskopy. He built his current company due to frustration with the manual and inefficient processes companies take around security. Ahmad joined the podcast to discuss the use of AI in product security, offering insight into its positive and negative implications. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Join Micheal Burch, host of The Security Champions Podcast, as he reminisces about the standout moments from this season's conversations, from unraveling the intricacies of elegant code to exploring the human side of coding.Welcome to The Security Champions Podcast [0:15] Clip 1 - What Can We Do For Our Security Champions? [18:30]Clip 2 - Elegant Code Leads to Better Security [26:25]Clip 3 - The Human Side of Security [31:22]Clip 4 - Gamification of Champions Programs [33:53]Clip 5 - Don't be 'The House of No' [39:25]Clip 6 - Baking Security into the Company Culture [46:09]Clip 7 - How to Keep Your Security Champions [51:35]Clip 8 - Bridging the Gap Between Security and Development [55:28]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Derek is a multifaceted professional with expertise in information security, serving as an author, leader, speaker, and university instructor. His commitment to enhancing information security has defined his career, steering high-performing cybersecurity teams and crafting strategic initiatives that effectively mitigate risks and safeguard sensitive data. He excels in uniting teams, implementing regulatory compliance systems, and establishing comprehensive enterprise security services to ensure organizations' secure digital landscape navigation.Derek joined us to discuss the Application Security Program Handbook and how to run security champions programs effectively. Welcome to The Security Champions Podcast [0:15] The Application Security Program Handbook [12:00]The Conflict Between Development & Security [16:23]Create Guard Rails, Not Barriers [22:30]Leveraging Security Champions [28:02]Regulations Effect on Development Teams & Education [39:51]Tips & Tricks for Security Champions Programs [46:55] Episode Resources:Application Security Program Handbook~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Tanya Janca, also known as SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Application Security' and founder of We Hack Purple. Tanya has been coding and working in IT for over 25 years, has won countless awards, and has been everywhere, from public service to tech giants, writing software, leading communities, founding companies, and 'securing all things'. Tanya joins the podcast to discuss the recipe for success for security champions programs. She touches on best practices for recruiting, engagement, education, recognition & rewards, and maintaining a champions program. Welcome to The Security Champions Podcast [0:15]Alice and Bob Learn Application Security [3:55]Why We Hack Purple? [9:10]The Recipe for Succes with Security Champions Programs [14:30]How to Engage Your Champions [25:50]What to Teach Security Champions [38:28]Recognition & Rewards to Drive Engagement [46:45]How to Maintain Your Security Champion Program [57:50]Collaboration Between Dev & Security [1:06:49] Episode Resources:Alice & Bob Learn Application SecurityWe Hack Purple Podcast~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Jason Haddix has had a distinguished 15-year career in cybersecurity, previously serving as the CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. He is a hacker and bug hunter to the core and has authored many talks, speaking at cons such as BlackHat, RSA, and many more. Jason joins us to discuss best practices learned from his experience running security champion programs, the layers of application security, and how to foster collaboration between development and security teams.  Welcome to The Security Champions Podcast [0:15] AI Prevalence & Staying Secure [8:20]The Best Aspects of Security Champions Programs [16:23]The Methodology of Training Security Champions [27:01]Preventing Gaps Left by Security Tools [31:25]In-House vs. Contracted Pen-Testing [36:02]The Layers of AppSec [41:55]Bringing Development & Security Teams Together [50:52] Episode Resources:Jason Haddix on the Critical Thinking PodcastJason Haddix on the Darknet Diaries HackerOne Community Blog~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Ron Woerner, CISSP, CISM, is the President and Chief Security Officer at Cyber-AAA, plus a Senior Security and Risk Consultant for Forrester Research. With over 20 years of experience in IT and Security experience, Ron works with leaders worldwide to advise on security, compliance, and privacy.Ron joins to discuss how organizations should adapt tools and methodologies for their business' maturity, how to have impactful security champion mentors, and how security teams can successfully work with other teams.Welcome to The Security Champions Podcast [0:10] Ron Woerner’s Security Journey [1:20] Zero Trust Architecture [4:50]Using Tools Based On Business Maturity [10:30]Successful Security Mentorship [15:30]Episode Resources: cyber-aaa.comcybersecurity.bellevue.edu~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Dustin Lehr is the Sr. Director of Platform Security at Fivetran & the Co-founder and Chief Solutions Officer at Katilyst Security. Before shifting into cybersecurity leadership, Dustin spent 13 years as a software engineer and application architect in various industries. He joins us to discuss The Security Champion Program Success Guide and the inner workings of Fivetran's security champion program.Welcome to The Security Champions Podcast [0:35]The Security Champion Program Success Guide [12:38]Gamification for Learning [22:01]Insights from Fivetran's Program [33:10]What is a Security Champion? [40:30]Proving the ROI of Security Champions [46:11]Bridging the Security and Development Divide [50:02]Episode Resources:The Security Champion Program Success Guide Let's Talk Software Security! --  An online group where Dustin and others share tips, tricks, and ideas for making DevSecOps, Shift Left, and Security By Design concepts work efficiently for organizations.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Kenneth Buckler, CASP, is a research analyst of information security/risk and compliance management for Enterprise Management Associates, a technology industry analyst and consulting firm. With over 15 years of experience, Ken is an author on cybersecurity topics and has spent several years working for federal contractors in cybersecurity practitioner roles. Ken joins to discuss the human side of secure coding, the important elements of secure coding practices, and how to teach a security mindset.·       Welcome to The Security Champions Podcast [0:10]·      Secure Coding Training Research [8:45]·       The Struggles with Shifting Left [13:10]·       Communicating the Importance of Secure Coding [17:20]·       Security Champions Role in Secure Coding [25:30] Episode Resources:·       Secure Coding Practices – Growing Success or Zero-Day Epidemic? January 2023 EMA Research Report ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Tim Brown is the CISO of SolarWinds, responsible for overseeing the company's internal IT security, product security, and security strategy. With over 25 years of experience and 18 issued patents on security-related topics, Tim is a trusted advisor for business executives, AppSec leaders, and the White House.  Tim joins to discuss the concept of elegant code and the impact elegant coding can have on an organization's security.  Welcome to The Security Champions Podcast [0:10] Takeaways from the SolarWinds Breach [7:00] The Structure of Elegant Code [15:45] When to Implement Elegant Code [21:40] Prioritization of Mitigating Vulnerabilities [34:00] Unifying Security and Development [44:15] Episode Resources: Mastering Elegant Code Part 1: Advantages and Security Benefits of Elegant CodeMastering Elegant Code Part 2: 6 Techniques for Writing Elegant Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Chris Romeo, AppSec expert and CEO of Kerr Ventures, joins to talk about The Security Champions Framework and the biggest mistake organizations make with security champion programs. Welcome to The Security Champions Podcast [0:10] Starting Cisco’s Security Champions Program [10:00] The Year of Security Champions [13:00] The Security Champions Framework [15:23] Biggest Security Champion Program Mistakes [26:00] Growing a Program from Day 1 [35:00]  Episode Resources: The Security Champions Framework (hosted on GitHub) Using the Security Champions Framework to Optimize Your Security Program~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com

Tune into our NEW show, The Security Champions Podcast, to hear conversations between appsec expert Mike Burch and leading software development and security professionals. Episodes will explore the latest news, trends, best practices, and technologies. The experts will share valuable insight and practical advice on building, maintaining, and scaling successful software security programs based on real-world guidance and experience. Stay tuned for our first episode with Chris Romeo, founder of Security Journey and leading voice in application security, threat modeling, and security champions. Remember: Security is a Journey, not a Destination. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com. FOLLOW US to stay up-to-date with new content! Twitter (twitter.com/SecurityJourney) LinkedIn (linkedin.com/company/security-journey) YouTube (youtube.com/c/securityjourney) Online (securityjourney.com) CONTACT: hello@securityjourney.com