

This post is a result of a conversation on the Application Security Podcast. Adam Shostack joined Robert and me, and the topic was remote threat modeling. We're all living in this new world where we're working from home. The question we pose is, how will we make progress on rolling out threat modeling when we can't meet with people face to face and work directly on a whiteboard?
Everyone wants their engineering staff to be better at threat modeling. Security teams desire a world where developers practice a threat modeling mindset. A threat modeling mindset is where threat modeling is no longer a process or a tool but is instead a way of life. When developers embrace this mindset, they see threats jump off the page in both diagrams and code. They hear peers discussing a potential solution, and they can articulate the security challenges that such an approach will cause.
NOTE: This article is written based on a conversation on the Application Security Podcast with Matt McGrath, called "Security Coaches."

Most developers will say security is a concern, but not always the first concern. Developers get hit by the business to deliver user stories quickly and in a state of completeness.
These are the top ten, most listened to episodes of the Application Security Podcast for calendar year 2019.
Marc Andreessen famously stated in 2011 that "software is eating the world." Now, in 2019, application programming interfaces (APIs) serve as the backbone of modern software, and they keep on devouring everything in their path, from microservices to single-page applications and mobile apps to the Internet of Things.
When building a new program, many start here, thinking we'll just create a policy and then everyone will follow along and do the right thing for security. Unfortunately, an executive's direction is not enough to change the security culture. It does not hurt along the way to have executive buy-in, but it won't kick start the program.