Chris Romeo 00:00
Brian Reed is Chief Mobility Officer at NowSecure. Brian has over 30 years in tech and 15 years in mobile security and apps, dating back to the birth of mobile, including BlackBerry, Good Technology, BoxTone, and Micro Focus. Brian joins us to discuss mobile application security, The Good, the Bad, and The Ugly as we head into 2021. We discuss recent issues in mobile applications, mobile firewalls, mobile versus the web, and how application security is different in a mobile world. We hope you enjoy this conversation with Brian Reed. At Security Journey, we believe security is every developer's job. We work with our customers to help them build a long-term, sustainable security culture amongst all their developers. Our approach is to provide security education that's conversational, quick, hands-on, and fun. We don't do lectures. Instead, we let the experts talk about what's important. Modules are quick, ten to twenty minutes in length; we believe in hands-on experiments, builder and breaker style, that allow your developers to put what they learned into action. And lastly, fun. Training doesn't have to be boring. We make it engaging and fun for the developers. Visit www.securityjourney.com to sign up for a free trial of the security dojo. Hey, folks, welcome to this episode of the Application Security Podcast. On this episode, we're going to talk about something that we don't usually talk a whole lot about, and that is mobile and application security. We're joined by Brian Reed from NowSecure. Brian, we always jump right in; we don't give you time to catch your breath. We just say, what's your security origin story? How did you get into this crazy, wacky world that we know of as application security?
Brian Reed 01:56
That's a good question. Thanks for having me. My security origin story is I'm a biomedical engineer by trade and was writing software to do digital imaging way back in the 80s; you can tell that I'm that old with my gray hair. I caught the bug on the coding and IT side and never was a BME anywhere in my life. I was living in Research Triangle Park. Technology was a real hotbed down there. Over a series of different companies I worked for, eventually I landed with a partner of BlackBerry's. That's where my mobile and my security origin comes from. If you think of a BlackBerry, not only was it the first smartphone, it was also built from security on the ground up. My mobile baptism was in that highly secure-oriented world. That was when mobile was email on this cool device. If you were an executive, you had to have one. It was addictive, like SMS texting or instant messaging is today. Working with BlackBerry as a partner was a big deal. We worked with a lot of organizations. Eventually, we got into building apps around the BlackBerry ecosystem as it evolved and welcomed applications, and that's just it. I caught the bug over 15 years ago; it's hard to believe that BlackBerry is 20 years old, and now I have been working in a variety of different mobile and application and security type vendors or organizations for the last over 15 years. That's what brought me to NowSecure.
Chris Romeo 03:28
It's funny when you think about the architecture underneath BlackBerry. I think BlackBerry switched to, I don't know if they've moved to Android now, but I remember government evaluations and things, looking at the BlackBerry operating system, and just being in awe about how secure it was; they did think about security from the inside out. It's almost like we've gone back a little bit in our modern-day Android and iOS, sort of a lot of good stuff, but we've moved backward architecturally.
Brian Reed 03:58
Well, it is kind of interesting. When a system is purpose-built from the ground up to do a single thing, you can build it very efficiently. What we've done with modern mobile is we've moved from a single-purpose email machine, which was the BlackBerry, into email plus some other, let's call it, system services, like BBM, with messaging and some other things, into a general-purpose operating system upon which people can build all kinds of interesting experiences, which is what we call applications. The more you make it flexible to build cool new things, the more you weaken the underlying architecture, potentially from a security and privacy perspective, if you're not careful. We went through this arc where Android was massive freedom and openness, and Apple was completely locked down and curated. Through that arc, now, they're kind of similar to each other, in where we are in the arc, but we've also built some amazing things. Whether it's the Roomba running around your house or the Ring doorbell on your house, or the fact that I can call an Uber or, even more strangely, I can order McDonald's and have Uber Eats deliver McDonald's to my house. I mean, all these things that happen now; I got a Tesla a year ago, I can summon my Tesla, I can pull it out of the driveway, it can drive itself, using a mobile app to do it. It's been amazing to see how it's all evolved. That reminds us once again that the impact of the threat landscape on mobile is so crucial because you just described a world where your cars are driving down the street, using the technology on your phone as the driver or what's controlling it. If we don't get security, we're going to have big problems. It sounds like you're saying mobile is going to have a big role to play in that world of future security? I think the interesting thing about mobile as you reflect on it is mobile is the thing with you always now. Twenty years ago, you wouldn't leave the house without your keys and wallet.
For a lot of people, it's just the mobile device; the mobile device is the key, the mobile device is the payment token and all the rest. We're in this digitally addictive, connected world where I have a desktop and a laptop and all that stuff. I do my higher-end work on that. Most of the rest of my life is in and around that mobile thing. That mobile thing is a walking intelligence hub. It's a walking attack vector. It's got this attack surface that's quite porous. From that perspective, that's why I'm in the business I'm in now, working with NowSecure. Because we work with companies like Uber and these big organizations who are mobile-first or going through a mobile digital transformation because they know their customers and their employees are living on it. They've got to figure out how to protect themselves from these apps that just run in the wild and unpredictable space. That isn't a locked-down laptop the company gave me.
Chris Romeo 06:55
Let's jump into some of the recent issues that have occurred in the mobile space. And I know we were talking in advance about a couple of different things: SourMint, TikTok, Dave, and even a study that Comscore has done. Let's go ahead and start with SourMint. I mean, what a great code name for a vulnerability. It sounds like candy; I want to get some candy. But I know it's not candy.
Brian Reed 07:19
It does; the folks over at Snyk were doing some research, along with our CTO. They found that a third-party library that was being used was actually harvesting information off of devices and sending it back to the data collection service. That's not an uncommon thing, sadly, that we find; SourMint was particularly egregious in what they were harvesting and how they were collecting it in an unknown way. Then once they found it, we went and looked at our database; we scan millions and millions of apps in the iTunes and Google Play app stores. We do that as a service. That creates a great data lake for us to understand where mobile risks are. We instantly found there are some 1500 mobile applications at risk using this particular SDK that exposes this vulnerability, this exploitable vulnerability, and SourMint is that example of making sure you choose carefully for your third-party libraries. This was not open-source; it was a commercial library that was in there. You roll backward to this summer? We were talking about banking. I said that the mobile device is now your wallet. We see a lot of interest, especially in the younger generations, in mobile, digital banking. There was recently a piece in Forbes that talked about how the millennials are either using these newfangled apps, or they're going back to the big guys like Citigroup, and so on, Bank of America. The big guys have big security teams and have great bulletproof features and software. This summer, there was a breach in one of these little mobile-only banks called Dave, so the app's called Dave; I don't know why you'd call a bank Dave, and I'm not making fun of the name, but I thought that was interesting. They had a breach. That can happen when the manufacturer of the app is smaller, or maybe they have a less sophisticated security team. The big global banks have thousands and thousands of security people. If Dave's online mobile bank has a couple thousand employees, how many are in security?
Are they doing the right things? Do they have the right skills? That's out there. Today in the mobile world, there is no public certification that says this is a safe mobile app or not. We get these whack-a-mole games, and you get something like TikTok, and TikTok is a political hot ball. It's all kinds of stuff, and TikTok harvests data, like every social media app, Facebook, Twitter, and Instagram. Those guys are harvesting a lot of intelligence off your mobile device. If you're using Facebook's authenticator or any of those other authenticators, they're gaining a lot more information. You may remember earlier this year, Zoom had a little challenge. We were happy to work with Zoom when they had this massive explosion of use when we went into lockdown. They had fat-fingered their use of the Facebook social login capability. They were using the social login to provide a great feature, though when the developers coded it, they didn't properly lock it down to just use it for auth. They were sharing data back with Facebook in an unknowing way. Even when people intend to do the right thing, they still have to be careful in how they build their mobile apps, use these libraries, and so on. The consumer has to figure out how I decide which ones to use. To circle back to TikTok, TikTok is no worse at harvesting data than any of the other guys. I'm not a big social media user; I am on Twitter, I think a lot of good security people are, but I don't use Facebook; I don't use Instagram and the other guys, in part because of the data harvesting. Now, just because they're doing the same thing that all the other guys are, I think the bigger concerns are what's going on in the backend with the data. None of us know what goes on in the backend with the data. We know that the companies like Facebook are monetizing it. Twitter is somewhat monetizing it. But Twitter is also a communication channel that a lot of people use in a lot of ways.
The story arc now is that here we are with Comscore, who releases their data every year in the fall; Comscore has Internet Center data, and they track usage of time and data on the internet. They just released a few weeks ago their latest data that shows that 70% of all digital time is spent in mobile apps. Not on the web, not in mobile browsers. If we think about that, that's probably true. I bet everybody listening to this spends a fair amount of their day in mobile apps, depending on who you are and your age, more or less.
Chris Romeo 11:53
A couple of things that you mentioned that I want to dive into a little bit deeper there. One is architectural. One is being able to understand if there's any type of standard. Let's go there first with the standard you mentioned; there is no certification for mobile apps. Have you heard or seen anything? Are there any movements in the industry to say that we're going to do some type of security certification for these? Because I know the App Store from Apple and Google Play have testing, and they have standards and things that people have to comply with. It's always a cat and mouse game because there are always new people trying to sneak stuff in and them trying to check it. But are you hearing anything in the industry that says we're going to have some type of seal of approval for an app that I can use on my phone?
Brian Reed 12:37
That's a good question; there are standards, and there's a seal of approval. We do believe that the rise of risk and the attack surface, the rise of breaches, will align with the need for standards and the demand in some way, shape, or form for more certification. We're seeing it in a couple of specific places, and then one generic. On a specific case, the federal government in the DoD is now mandating something called NIAP. NIAP is a set of standards requirements originally created by the NSA and NIST. There are many governments around the world that have also signed on to NIAP. We are seeing that federal agencies are turning to NIAP as a standard; it's a specific way you must vet a mobile application; it has 5152 points of criteria that have to pass. There is automated software like NowSecure; there are third-party testing companies you can hire to do it. That may or may not bubble into the civilian world. What we are seeing from a lot of our mobile-first companies, especially in the high-risk space, is they're looking to either industry-specific requirements. How would HIPAA evolve in healthcare to potentially affect me? In medical IoT, there are some US Federal regulations as well. We can kind of walk our way through the banks and other verticals. There are pieces of requirements, but they're generally around compliance, which isn't sort of the same as a certification. What we do see happening is the mobile security program at OWASP has grown dramatically in the last two years. We've been contributing since the OWASP Top 10 for Mobile. The Osmo program now has the MSTG and the MASVS. The MSTG is the testing guide, and the MASVS is showing how to build a secure app. A lot of organizations are turning to that as a standard. I think over the next two years, we are going to see the haves and the have-nots, and the haves are going to be the ones that are going to use the MSTG as a testing standard.
I am willing to bet lightly in Vegas that it won't necessarily become a minimum bar, but it will become a premium bar for organizations who want to show that they're safe and secure and private. They'll use something like the MSTG and brand themselves that they're MSTG compliant in some way, shape, or form, I think to kind of help move the ball, and it can become a competitive differentiator potentially for their business.
Chris Romeo 15:12
Even though OWASP will never provide a seal or a certification.
Brian Reed 15:16
No, it's not a seal. The nice thing about it is a good community that's been contributing to it very actively over the last couple of years. The MSTG is a very robust standard. It's a challenge to fully certify an app for everything in the MSTG. You'll find there are levels that people will look at. But it's at least a common way to say, hey, if I have passed all the MSTG tests or if I pass the level one MSTG tests, I meet a certain minimum bar criteria. That will get us, without certification, to a common defense level.
Chris Romeo 15:54
Yeah, you mentioned NIAP. So, you're making me nostalgic here. I got my start in security doing Common Criteria and government-trusted product evaluations. I was part of the team that did the first Common Criteria evaluation from a commercial entity, working with NSA and folks from NIST and stuff. We're going back to the late 90s; it is nostalgia day.
Brian Reed 16:17
The Mobile Protection Profile rolled out in 2017. It's gone through a couple of evolutions, and now there are both third-party services and commercial software like NowSecure that can certify for it, which is great.
Chris Romeo 16:29
Yeah, that's awesome. They've made a lot of changes since the days that I was rolling around there. Another question I had for you, and this is completely off the script. But from a mobile architecture perspective, I'm just wondering, from your perspective as someone who's thinking about mobile all the time, I think about an app like Facebook. We all know that Facebook is harvesting various data and pieces like that; why can't somebody write a privacy wrapper that sits around an app like Facebook or other things, like a personal firewall on a per-app basis? What prevents that from being a new type of product, or a new type of market or something?
Brian Reed 17:11
I'm going to slice that into a couple of things. I think from the privacy perspective, Apple's taking the lead and evolving iOS with further and further controls and lockdowns. They are now, as part of the App Store approval process, looking at privacy more carefully. I think that containerization model, which is the foundation of iOS, that Apple keeps layering into now around privacy, plus some of their general policies, are going to help at the operating system level; we're getting to a point where more and more privacy will be possible. Part of that, though, typically has user opt-in controls. Just because privacy is there doesn't necessarily mean the user's opted in. That means we need to be smarter consumers in terms of how we configure the apps. Your idea of a wrapper or container thing: there are some container technologies out there; I was part of a company called Good Technology that was kind of the de facto standard for containers. People have been trying to build wrapper technologies on and off over the years; there are some out there now that have some level of protection. The challenge usually for those is you either need to have the source code, or you need to have control of the binary in order to do that. For you, as the home user of a commercial Facebook app, there's really no way for you to deal with that. Either Facebook would have to put it in there, or someone has to jump through hoops. I think for some of that we just have to continue to rely on Apple and Google to continue to put controls and restrictions or options in the operating systems to help us do that.
Chris Romeo 18:57
That's part of the scary part: we're talking about putting our trust in Apple, and I'm a huge Apple person, I've got what seems like hundreds of Apple devices around me. But yet, do I trust Apple? That is the question. There's been this thing, if you've seen it, and we're diverting from mobile now, this issue where people are alleging that Mac apps are phoning home. In Big Sur, there's been an architectural change in the latest version of the operating system so that software packages that would have blocked that type of communication in the past can't, because those channels are going below the layer where a third-party piece of software could block a network request going outside of the system. And so I guess, you know, that's just my only, I mean, I love the fact that Apple is going to be more privacy-centric, and they're gonna be able to protect us better from the phone perspective. But I think we just got to get to a point where, like, you know, who's watching the watchers is always the question.
Brian Reed 19:56
Well, I do think that Apple and Google both mean well. In working with both their teams, they both believe a lot in security and privacy. Google's come a long way in its security advancements, and I think one of the recent pieces of Gartner research and some other third-party research shows that it's arguable whether iOS or Android is more secure than the other. I do think iOS has the lean on privacy, and Android has some advantages as well. But it's going to be a cat and mouse game. I think that a lot of this gets back to, I'm going to say it kind of bluntly, you can't trust anything. You've got to make sure the apps themselves and the communication channels those apps are communicating on are hardened. If the app is doing the right thing, if the app is managing its own data the right way, if it's using safe libraries, if it's using the appropriate APIs, if it's locking itself down using advanced encryption, if it's got app hardening in it, if it's doing cert pinning and cert validation when it's communicating with backends, etc., and that entire attack surface is getting continuously tested, examined, and monitored, then it basically becomes a self-defending application that can live in any of these wild-oriented scenarios.
Chris Romeo 21:14
Let's change gears; we were going to talk about mobile versus web, how mobile and web are not the same. I'd love to get your perspective on why you are saying they're not the same. How are they different? Remember that question from elementary school: compare and contrast these two things?
Brian Reed 21:35
Yes. Why is the horseless carriage faster than the horse? There are a couple of fundamentals to the difference between mobile and web. I think when people come to mobile, most people who come to mobile, whether you're a developer or an IT administrator or something else, you're coming from a web or a PC-centric, native application background. There's a set of fundamental differences between mobile and web that create this different attack surface that developers and security people alike have to understand. If you think about a web app, generally, a web app has 98% of its code behind a firewall. You've got layers of perimeter defense there; you're not going to put all that code out if you can help it; the code, the logic, and the data, you're going to move as much of it as you can behind the web server, which gives you more layers of protection. Now, it is sad that the web world still has one of the top vulnerabilities in cross-site scripting, but you can solve the XSS problem if you're doing the right things. When you're a web developer, the security's there; when I'm in the browser, all I need to do is call HTTPS, and SSL turns on. The browser itself can control whether it can write to the disk; the browser has its own memory, workspace, and so on. To a large extent, the web app, what's resident on the local machine, is in a sort of containerized environment. Now, some browsers have more lockdown capabilities than others. But as a general rule, as long as I'm doing the right thing, I'm keeping the most important IP behind the firewall, I'm using SSL, I'm pretty well protected. When you get to a mobile app, it's the complete Wild West. If I'm a mobile application developer, I'm running on a device, an iOS or Android device, and my app is reversible. There are reversing tools that will reverse any iOS or Android app.
Chris Romeo 23:19
Yes, that's easy. It's easy to do. It's not even hard. Like anybody can grab an app from the App Store and run this program against it.
Brian Reed 23:30
Right. Frida and Radare are two examples of mobile reversing and mobile security tools that were created by security researchers; we use them in our products, and a lot of people use those commercially as well, from a research perspective and a pen-testing perspective. You can reverse it, and then they're going to model the application. What winds up happening is, as a developer, I have to understand how to build a secure connection to the backend. I have to understand how to do certificate pinning; I have to know that I need to do hostname validation, I have to know how to do encryption, I have to know how to do local data storage, I have to think consciously about what am I going to store locally or not, etc. You have the combination of most of your logic in the wild and reversible on the client, so I also have to have a lot more skills when it comes to handling data in motion, data at rest, data storage, those types of topics. What we tend to find when we work with organizations, and they maybe have poorly scoring apps, is it's developer ignorance, not ignorance in a bad way, ignorance as in I didn't know how to do that, I didn't know how to do proper connection management, I didn't know how to do proper data storage. That makes it a challenge to build a secure app. Now you've got this attacker-rich environment combined with a world where not all developers have all the security skills they need to build secure code, and that's what makes it such a breeding ground now, and if you go to that Comscore data that says 70% of all traffic is mobile apps, well, that's a rich zone for bad guys to go after.
Cybercriminals, nation-states: you can assume that at scale, they are mass reversing and analyzing your apps in the App Store. If you are any kind of a target that has any kind of useful IP, or you have customers, transactional information, credit card information, PII, anything like that, your app's already been reversed and modeled somewhere by one or more cybercriminals, or government agencies, nation-states. You need to think about that, and that leads to secure coding practices, that leads to using good, secure third-party libraries, that leads to architecture; there's a whole lot more than "did I just create a really cool app" that people have to think about with mobile that's different from web.
Chris Romeo 24:20
When we think about the core audience of people who are listening to this conversation right now, they're playing in the application security space somewhere; they may or may not have responsibility for mobile, but there's a good chance that their organization has mobile apps, even if they're not the ones that are directly looking at them. But what would you recommend for those AppSec professionals? What do they need to do differently when they're thinking about all the things they know about the web and translating or transferring to mobile?
Brian Reed 26:24
Yeah, so a handful of things. On the NowSecure website, you can find a "what's the difference between mobile and web and what do I need to know" guide. Feel free to hit that up; that's a short version of what I'm about to go through. We tend to find three key things people should look at. The first one is, if you're on the developer side, download and read the MASVS from OWASP, and if you're on the tester side, download and read the MSTG; you will learn a ton in that process. Because it comes from OWASP and the community, there are a lot of analogies provided in there about, well, in the web world, it was like this, but in the mobile world, it is like that. They are a tome; it's a couple hundred pages. But that's really the definitive guide to understanding that. Then there's thinking about what's your strategy yourself? If you're a tester, for example, what's your strategy with your engineering team? Thinking about how secure mobile development best practices are going to be shared and learned with your development team is very important; we find that the better application security teams have a good relationship with their developers and are helping feed them with secure coding best practices and resourcing like that. If you're a pen-tester, get involved in the community; we run the four-day mobile pen-testing class at Black Hat every year, and people love it; there's a line out the door, it fills up on the first day because we see that people really want to learn, and so there are resources out there. If you're an open-source tooling person, go have a look at Frida and Radare; there are very active communities around those open-source tools for reversing and instrumentation. People who are kind of black belts in mobile security will be using tooling like that. There are plenty of other tools in there, mitmproxy, Burp Suite, and so forth, for your network testing and all of that.
I think overall, if you're building software, you need to think about what's my on-demand testing model? What's my continuous security testing model? What's my pen-testing model? And ultimately, do the appropriate level of threat modeling and risk modeling on mobile apps. Then make sure you're building in the right kind of testing strategy.
Chris Romeo 28:35
Definitely. I couldn't find anything I disagreed with, which I was hoping for, at least one thing where I could be like, now, come on, Brian, you want to do that? But I've got nothing there, and you even ended with my favorite thing, threat modeling. When you think about, I'm not gonna say, I can't say shift left. I've labeled it a marketing term from now on in my life. I'll just say, as people are thinking about using DevOps with mobile versus web, what are some of the things, like if I've got a couple of mobile apps, and I've got a really mature DevOps approach for my web apps, but now I'm getting into DevOps and mobile, what are a couple of things I should be thinking about?
Brian Reed 29:21
Yeah, it's really good. The first thing is, if you are running an effective web security program in DevOps, I'm not even going to use the word DevSecOps yet, I'm just going to say I've got a good web security program, you probably have at least two things you're doing. The first thing is you probably have a SAST tool that's doing some level of scanning. While SAST source code scanning will throw off a lot of false positives, that's at least going to help you find low-hanging fruit and raise your bar in security. You should also be doing something around SCA, so you should be looking for open-source libraries and understanding where your risk is on open-source and third-party libraries. We find that is a primary weakness attack vector and sort of malware vector in mobile. At a minimum, you ought to be doing those two things. I'm scanning my code all the time, whether it's third-party open-source code or the code that I write. When you get to mobile, it's interesting because in benchmarking those millions of apps and kind of correlating them with what testing tools we've surveyed and discovered many of these organizations are using, what we actually find is source code scanning only finds about 20% of the real-world vulnerabilities that are discovered. With web, you might be able to depend heavily on source code scanning. In mobile, it's best practice to do binary scanning of the compiled binary because that's what the attacker is attacking. You never know how that source code is going to compile down into a real application. State of the art in mobile is actually DAST and IAST. So statistically, if you analyze those millions of apps, you find that DAST finds about 50% of the vulnerabilities, IAST finds another 20 to 30% of the vulnerabilities, and then backend API security testing, which is making sure the backend part that the mobile app is talking to, also needs to be scanned as well.
What you'll see is there's a group of companies like NowSecure that come from the mobile binary testing world. None of the big guys, the traditional security guys like Veracode and Checkmarx and those guys, are built to do high-volume, deep, mobile app-specific analysis. When you think about your strategy, you should still test your SCA, open-source; you should still SAST source code scan. But the big thing for mobile is you need to add DAST; if not more than DAST, getting into the IAST space. On mobile, you need to test the binary, not just the source. That becomes either an on-demand thing, so you may have pen-testers; what's pen-testing? Pen-testing is dynamically testing an app, frankly. You could have humans do it, and they do it periodically; you can license on-demand software to do it. Then a developer can submit it, or a tester can submit it, or you can build it into the pipeline. There are plenty of tools that plug into Jenkins and Jira, Azure DevOps, and GitLab and GitHub and all that tooling that will do it in the background as a continuous security testing kind of model. Every build you generate generates another test run, as it were.
Chris Romeo 32:21
That's great. It's good information for those people that are going down that path of trying to catch up their mobile environments to what they're doing with their web applications. When you think about concluding our conversation here, what are one or two calls to action? We'd love to leave our audience with something to do, give them some homework, send them to do something. In case they tuned out for the last couple of minutes, they were listening, they tuned out: wake up, Brian's about to give you a call to action with some homework to do. What would you say, one or two things?
Brian Reed 32:58
Yeah, and so I'm gonna make it three. The first one is, if you want to go make money, become a mobile pen-tester or a mobile security expert; there is a dearth. I talked about 70% of the world now using mobile apps, but only about 10% of application security people can do mobile. There's a huge job opportunity for you to build your skill sets, and we're seeing that you get paid more. Mobile security experts often get a premium. That's the first thing to think about. I think the second thing is, if you're an open-source hound, get a look at Frida and Radare and get involved in the mobile security open-source community; I think that's well worth looking at. The third one would be, when you think about getting smart, I'll go back to the OWASP resources. The MSTG and MASVS are really good learning resources. There are lots of practical resources wrapped around them. You can find a lot of training videos and explanatory resources at the NowSecure website around OWASP to help you flesh that out. Those all become resources to take advantage of, depending on where you are in your security journey.
Chris Romeo 34:06
All right. Well, Brian, thank you so much for sharing your expertise with us and with our audience here. We'll definitely have to do this again in six months or a year. I've got a million other questions about mobile, but I'm going to save them for another day.
Brian Reed 34:19
This was great, Chris. Thanks for having me along today.
Chris Romeo 34:23
Thanks for listening to the Application Security Podcast. You'll find the show on Twitter @AppSecPodcast and on the web at www.securityjourney.com/resources/podcast. You can also find Chris on Twitter @edgeroute and Robert @RobertHurlbut. Remember, with application security, there are many paths but only one destination.