Today, I’m joined by Amol Deshpande, a seasoned security engineer currently at Stripe, where he focuses on building secure systems at massive scale. With a background spanning product security and penetration testing at companies like Salesforce, Splunk, and Early Warning, Amol brings deep hands-on experience in securing complex, real-world platforms.
He’s also been a HackMIT judge and a long-time CTF competitor at DEF CON, giving him a very practical view of modern security challenges.
In this episode, we cover whether security must now belong in every AI strategy meeting, and how to embed it into AI development from the outset.
We also touch on how privacy concerns will only grow as agents are trained on sensitive data and why human oversight is essential for critical AI operations.
Dive right in!
Today, I’m joined by Aleksandra Kornecka, a security engineer with a global mindset. She recently transitioned from Senior AppSec Engineer to Cloud Infrastructure Security Engineer, and has a background in software testing and cognitive science — a combination that gives her a unique take on both the technical and human sides of security.
As a member of the OWASP Security Champions Guide and the project’s Artifact stream, Aleksandra has also worked to collect templates, documents, and other artifacts useful for building a security champions program.
In this episode, we dive into the mindset shift developers need to successfully break into security and why security champions are critical for scaling security awareness across organizations.
We also explore how curiosity fuels a lasting passion for security, and unpack why Zero Trust is often misunderstood and overhyped.
Dive right in!
Today, I’m joined by Gowtham Sundar, Senior Lead Engineer, 3A Security (AI and API included, as you can guess), at SPH Media, and a seasoned AppSec leader with over a decade of experience across enterprise security, penetration testing, and secure product development.
In this episode, Gowtham brings a real practitioner’s point of view on what it actually takes to secure AI systems. We dive into why APIs are at the heart of AI, why securing them is non-negotiable, and why automated API discovery is becoming critical for governance as systems scale.
We also talk about how AI security is evolving at lightning speed, sometimes changing week by week, and what that means for security teams trying to keep up.
And with that, get ready to hear Gowtham’s opinions.
Dive right in!
Today, I’m joined by Enrique Larios Vargas, a Security and Learning Specialist at Adyen.
Enrique has over eight years of experience designing impactful learning and enablement programs across fintech, engineering, and security. He’s also been a university lecturer in software engineering in Peru, the Netherlands, and Canada.
Bringing together technical expertise and behavioral science, Enrique is passionate about helping developers move beyond compliance and build a meaningful, human-centered security culture.
In this episode, we dive into his research paper, “DASP: A Framework for Driving the Adoption of Software Security Practices,” co-authored with five others (all listed in the description). The paper explores how behavioral models like COM-B can drive secure development practices.
We also get into incentives and Enrique’s controversial take on why we shouldn’t call security champions “champions” anymore. He’ll even be put to the test on this topic at the upcoming Elephant in AppSec conference, where he’ll debate it with other panelists.
Dive right in!
Today, I’m joined by Marcos Vinicius Cassel, Application Security Manager at PowerSchool.
With over a decade of experience in information security, Marcos is a CISSP, an ISO 27001 Lead Auditor, and a passionate technologist who has led security initiatives across multiple industries.
He also previously led the OWASP Porto Alegre Chapter, and fun fact: we first met while volunteering together at BSides SF!
In this episode, we dive into the real value of certifications in application security: how they can provide structure and credibility, but shouldn’t define a professional’s entire skill set.
We also unpack the balance between compliance and risk management and between privacy and innovation, and why strong communication between security and engineering teams is more essential than ever.
And with that, get ready to hear Marcos’ opinions.
Dive right in!
Today, I’m joined by Aamiruddin Syed, Senior Product Security Engineer at AGCO Corporation.
Aamiruddin is the author of a software supply chain security book focusing on AI, IoT, and AppSec, and a recognized advocate for secure development. He’s a frequent speaker at major conferences, including RSA, DEF CON, and Black Hat.
Fun facts: he was once ranked in the top 1% of all TryHackMe penetration testers, and a memorable milestone in his career was delivering a Cybersecurity Awareness talk to officer trainees of the Indian Army.
He’s also a fellow podcaster, co-hosting the CyberGPT Pulse Podcast.
In this episode, we dive into the complexities of software supply chain security, especially the risks introduced by third-party extensions, and how generative AI can strengthen defenses across the supply chain.
We also explore the challenges of data quality when training AI models and discuss why strong governance is essential for secure developer practices.
Dive right in!
Today, I’m joined once again by Tanya Janca for her second appearance on the podcast. Her first episode was a hit, so we figured: why not record another? And the timing couldn’t be better, as Tanya has just embarked on a brand-new chapter in her career this year.
In our first conversation, I highlighted many of Tanya’s accomplishments, and she’s only added to the list since then. Most notably, she’s been deeply involved in shaping key components of the newly released OWASP Top 10.
In this episode, we dive into the initiatives she’s focusing on in her new solo journey, why she decided to join the OWASP Top 10 team, her mission to create a developer-focused awareness document, and even the unexpected difficulty of naming vulnerabilities for the final list.
We also chat about her take on why DevSecOps has started to lose some of its shine, something she’ll be discussing further at the upcoming Elephant in AppSec conference.
Dive right in!
Today on the show, I’m joined by Abhijeth Dugginapeddi, Director of Offensive Security at Palo Alto Networks. Before this, he built and led product and cloud security at BigCommerce, and worked on application security at Commonwealth Bank and Adobe.
Abhijeth is deeply passionate about giving back to the community. He’s taught advanced web application security at UNSW, mentored through multiple outreach programs, and recently launched his first LinkedIn Learning course, “Practical Secure by Design”. He’s also been recognised in the Hall of Fame at companies like Google, Yahoo, and others for uncovering serious vulnerabilities across their platforms.
In this episode, we get into the idea and the principles of secure by design, who should own it, and why security culture matters so much. We also talk about IPO readiness from a security perspective, and the real-world challenges startups face when trying to build security in.
Dive right in!
Today, I’m excited to be joined by Terry O’Daniel, former global head of security at Amplitude, Instacart, and Netflix, and a trusted advisor in the security space. Terry thrives in high-growth environments and loves tackling complex challenges.
With a strong background in engineering and security, he builds teams that focus on solving security problems at scale through automation and instrumentation.
Terry is also a frequent public speaker and passionate advocate for product security. And recently, he joined Harvard as the Head TA for Security Lifecycle Threats.
In this episode, we break down how SLAs enforce real accountability, why security leaders are constantly under pressure, and why ignoring identity and data structures is a recipe for failure.
We also discuss how operating under pressure can surprisingly lead to better decision-making and what the future of product security will look like.
Dive right in!
Today, I’m excited to welcome Anshuman Bhartiya, an AppSec tech lead at Lyft. Before that, he worked as a security engineer at companies like Thirty Madison, Intuit, and Atlassian.
Anshuman is also a fellow podcaster and co-host of the Boring AppSec podcast, alongside one of my previous guests, Sandesh Mysore Anand.
Recently, he’s been experimenting extensively with building AI agents for both offensive and defensive security, and he’s documenting his findings at anshumanbhartiya.com (link in the description).
In this episode, we dive into the challenges of building effective AI agents, the impact of AI on security practices, and the importance of understanding AI outputs and avoiding confirmation bias.
We also touch on the ongoing debate of build versus buy solutions and explore where the future of AI in security might be headed.
Dive right in!
Today, I’m joined by Anjali Singh Shukla, Senior Security Engineer (Cloud) at Flipkart. She bridges the worlds of cloud security and DevSecOps, having led audits and defense strategies across AWS, Azure, and GCP, with a strong focus on Kubernetes and container security.
Beyond building secure pipelines, Anjali designs training programs and speaks at global conferences like Black Hat and OWASP.
Most recently at OWASP AppSec Days Singapore, she showed how attackers exploit AWS EKS misconfigurations and how to defend against them.
In this episode, we dive into why DevSecOps alone isn’t enough without a deep understanding of cloud, and the risks that come with moving fast in modern deployments. Anjali also shares her perspective on securing multi-cloud environments and weighs in on the industry’s buzz around the convergence of CNAPP, CSPM, and ASPM.
And with that, get ready to hear Anjali’s opinions.
Today, I’m joined by Maxwell Zhou, the Founding Partner of PolarStar Cybersecurity Group, a cybersecurity firm focused on helping fintech organizations strengthen their product security. Throughout his career at Greenlight, Visa, and T-Mobile, Maxwell has specialized in penetration testing, vulnerability assessments, and secure coding practices. He’s particularly excited about building world-class security programs that scale with hyper-growth organizations.
In this episode, we discuss one of Maxwell’s articles on the traits of healthy security programs, diving into what “healthy” really means. We also explore the concept of security debt, how it can lead to increased incidents over time, and the importance of having a pentesting background when it comes to understanding which vulnerabilities truly matter.
Dive right in!
Today, I’m joined by Oumaima Baira, Director of Enterprise Security at Deloitte.
With nearly a decade of experience, she’s helped organizations strengthen their defenses — from DevSecOps and SAP application security to enterprise-wide security strategy.
She began her career in cloud engineering before moving into cyber consulting, and quickly rose through Deloitte’s leadership ranks, blending deep technical expertise with strategic vision.
Beyond her professional roles, Oumaima is an active member of the cybersecurity community. She often takes part in OWASP France chapter meetups, where we met, and international OWASP and cyber events, sharing insights and learning from peers.
She’s also a passionate advocate for women in cybersecurity, inspiring the next generation of cyber leaders to step confidently into the field.
In this episode, we explore the unique challenges and security risks of SAP systems — a business management and automation platform relied on by countless global organizations. We discuss why understanding business logic is critical to application security, and why this is especially important when it comes to securing SAP.
Oumaima also shares her perspective on global differences in security maturity and offers practical advice on preparing efficiently for crisis management.
Dive right in!
Today, I’m joined by Max Alejandro Gómez-Sánchez Vergaray, Defensive Cybersecurity Manager at Banco de Crédito BCP. With a background in software engineering, Max transitioned into AppSec and has become a leading voice in promoting DevSecOps awareness and building robust AppSec programs using SAMM across Latin America and beyond. He actively contributes to OWASP projects like Cornucopia and regularly offers free workshops in Spanish on secure design for digital products. If you’d like to join a future session, check out the link below!
In this episode, we dive into AppSec in Latin America, with a focus on Peru’s unique cybercrime laws and their impact on security awareness. Max shares insights on the cultural challenges in cybersecurity training, the complexities of translating frameworks like Cornucopia, and what can get lost in translation. We also explore building connections in remote teams and what global developers can learn from Latin America’s approach.
Dive right in!
Today, I'm joined by Nariman Aga-Tagiyev, a seasoned cybersecurity architect and threat modeling coach, bringing over two decades of experience in the software development industry.
As the founder of SecureHabits, he’s on a mission to help software manufacturers mature their secure software development lifecycle.
Nariman is a familiar face at OWASP Netherlands Chapter events and an active contributor to projects like OWASP SAMM and the Security Champions Maturity Model. His work bridges the gap between theory and practice, empowering teams to build security into their culture - not just their code.
In this episode, we dive into a memorable "battle" Nariman had at the RSA conference, where he argued both sides of the SAMM vs. BSIMM debate—mostly with himself, after BSIMM expert Caroline Wong couldn’t attend.
We also explore why organizations often skip the foundational steps before rushing to buy security tools, why true maturity is so rare, and what the new regulatory frameworks like the Cyber Resilience Act mean for businesses in the EU.
Dive right in!
Today, I'm joined by Marisa Fagan, a lifelong community builder and security culture enthusiast. As the Head of Product at Katilyst, Marisa leads the development of security champion programs that empower Security Champions to drive cultural change.
Previously, she served as Head of Trust Culture & Training at Atlassian and has managed security programs at Synopsys, Salesforce, and Meta.
Marisa is also an active contributor to the OWASP Security Champions guide.
In this episode, we'll dive into some of the questions Marisa didn’t have time to cover in her talk at BSides San Francisco.
We'll also explore how security culture programs must be tailored to different teams to succeed, how to reboot struggling programs (often caused by disengaging training content) and why passion often outweighs technical skills for roles like these.
Dive right in!
And check out: https://www.katilyst.com/top10blunders
Today, I'm joined by Kevan Bard, Director of Product Security at Morningstar. With 20 years of experience in information security, Kevan has helped shape security practices across various organizations. He’s passionate about building blue team careers, with a focus on recruiting, mentoring, and staff development.
When not busy cultivating kaizen, emotional intelligence, secure coding practices, and data privacy principles, Kevan enjoys building community and capturing the world through his lens.
In this episode, we explore why security needs to be institutionalized to win, and how the role of Product Managers should evolve to integrate security into their processes. We’ll also discuss why storytelling is crucial in security education, and why the term ASPM is overrated—particularly because its true value isn’t being marketed effectively, especially in one-pagers that focus too heavily on bold claims.
Today, I’m joined by Sean Finley, an experienced Information and Application Security leader with deep expertise in AppSec, security operations, vulnerability management, and governance.
Sean’s AppSec career started at GEICO, one of the most recognizable names in U.S. insurance. He made the leap from business analyst to the company’s very first AppSec engineer, teaching himself everything along the way.
In this episode, we explore what inspired that transition, how to spot red flags that doom security programs before they start, and why Sean believes there are far better investments than SAST.
We also dive into his approach for working with engineering teams, especially when their initial designs could put the organization at risk, and how to turn “no” into a “secure yes.”
Dive right in!
Today I’m joined by Jyoti Raval, a security leader with a diverse background across consulting, product security at Qualys and Harness, and now serving as Director of Cyber Security Engineering at Baker Hughes.
Jyoti is a passionate pentester and international speaker. She’s also the author of Phishing Simulation and MPT: Pentest in Action and has discovered multiple CVEs.
Beyond her technical expertise, Jyoti is committed to empowering women in cyber through InfosecGirls and leads the OWASP Pune chapter.
In this episode, we dive deep into the future of pentesting, exploring whether AI can truly replace human expertise or whether manual assessments are still essential for understanding context. Jyoti also shares valuable insights on the mindset shift needed when transitioning into security leadership and how to navigate that challenge.
Dive right in!
Connect with Jyoti: https://www.linkedin.com/in/jyoti-raval-61565157/
Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/
Today's episode features Luís Fontes, who, after five years working with various technologies as a full-stack developer, transitioned to the AppSec world. Luís worked as an AppSec engineer at major companies like Checkmarx and then moved to IOVLabs (RSK) and the cryptocurrency space. Nowadays, Luís works at Xapo, a crypto bank, and is an expert in both product security and blockchain security.
In today’s conversation, Luís explains why he believes we still lack clear guidance on how to build and manage effective security programs, and how he decided to create a guide to address this issue.
He also shares insights into the complexities of blockchain security and the importance of understanding business logic. Plus, we’ll discuss why he thinks SBOMs are overrated.
Dive right in!
Luís’s guide: https://luisfontes19.github.io/orgsec-guide/index.html