Let's Talk AppSecOps

Let's Talk AppSecOps

Agile DevOps, Cloud Deployment, Microservices, and Open Source have all dramatically accelerated application delivery and complexity. Today’s AppSec teams, outnumbered by as much as 100:1 by developers, depend on a collection of point security products and siloed manual processes. This leaves them struggling to gain the visibility, insight, and process scale they need to identify and protect the always changing and growing application risk surface. This resulting AppSec Chaos means applications ship fast without the assurance of shipping securely, leaving the organization at risk of breaches and losses. Welcome to the Let's Talk AppSecOps show, where we bring discussions with security thought leaders and practitioners and software development minds from leading enterprises to talk about their concerns, case studies, and best practices in operationalizing application security. This show is hosted by ArmorCode experts. It talks about how security and development teams can work together and implement practical security measures. Mark Lambert is a AppSecOps Evangelist and VP of Products at ArmorCode, breaking down the communication barrier between Developers and Security experts to help organizations adopt and scale security practices within their development teams. Mark is passionate about applying technology innovations to solving real world business problems. For the last 20 years, he has been working with the world's leading brands to streamline the delivery of secure, reliable and compliant software applications across Enterprise IT and Embedded/IoT markets.Mark has been invited to speak at numerous industry events, and been published in industry media. Luis is a Senior Solutions Engineer at ArmorCode and he comes from a background that includes names big and small. His technical skills have been forged in the fires of prospects and clients alike. Luis's diverse skill set includes the ability to explain technology to non-technical audiences, set up a “pizza box” in a freezer, cook a perfect elk steak over a mesquite-fueled grill, and spend late nights in a war-room! His plethora of application security skills and ability to social engineer the feathers off an owl, serves him well as our Senior Solutions Engineer! Nikhil Gupta is co-founder and CEO of ArmorCode. He is a successful serial entrepreneur with more than 25 years of experience. Prior to founding ArmorCode, Nikhil was CEO and Co-founder of Avid Secure which was acquired by Sophos. Avid Secure built a marketing-led AI-powered multi-cloud security and compliance platform. Nikhil has held several leadership positions in VMWare, Cisco, ForeScout, Ericsson (joined through the acquisition of Entrisphere), Alcatel, And Bell Labs. Nikhil holds an MBA from Columbia Business School and BS and MS in Computer Science. LingRaj Patil is the Head of Marketing at ArmorCode and a renowned speaker and business growth leader with 20+ years of experience spanning engineering and marketing in Seed, Series A/B/C/D, Unicorn, and Fortune 500 companies. He is a guest speaker on Marketing and Entrepreneurial Strategy at Stanford University. He has a passion for building communities that bring thought leaders and practitioners together to rally around the challenges and opportunities they present. He is also the Executive Chair of the Purple Book Community, a community of software security leaders who are on a mission to build more secure software. Let this show be your guide to hearing inspiring stories of leaders building secure software against odds, hearing insightful case studies, and getting to know more about the leaders who make it all happen. With the software demand increasing nonstop, now is the right time to tune in. Find show episodes at www.armorcode.com/lets-talk-appsecops.


November 3, 2022 6 min

Developers don't want to be slowed down, but security teams don't want development speed driving AppSec posture off a cliff. The compromise: security guardrails instead of release gates. With a basis of mutual trust that only critical findings will be sent for remediation and all critical findings will be remediated, friction between teams can be mitigated. Avoiding alert fatigue is one thing both security and developer tal...

Mark as Played

Prioritizing threat/vulnerability findings takes thought, a satellite cam, and a microscope if you don't have an AppSecOps platform at work. There's a lot to consider: criticality variance across tools (they don't come normalized out of the box), threat intelligence on CVEs, and tool/technique weight factors, for starters.

A major concept is the context around the app/sub-app/module associated with a finding. The softwar...

Mark as Played

Vulnerability Management looks different from business to business. What qualifies a risk as acceptable or not? When should confirmed vulns be fixed by? Perhaps most distressingly, how do we know when vulnerability has actually been remediated? Luis Guzmán talks about the different aspects of vulnerability and its most common musts:

  • a workflow framework that security & dev agree on
  • live critical finding notifications
  • active remedi...
  • Mark as Played
    October 6, 2022 5 min

    It's a common misconception that the first step to building an application security program is sorting out the tooling. In reality, security tools translate well, and most early-game head-scratching will center on process. It helps to start small: SCA (source composition analysis) being an un-intensive and non-invasive first measure is a great launch point. This is not only due to the great availability of SCA tools, but also b...

    Mark as Played
    October 6, 2022 8 min

    A short release cycle has myriad benefits: faster delivery to market for new functionalities, and swiftly-improving accuracy toward goals (what we call Agile) chief among them. And from a security perspective, a quick reaction time to zero-day threats thanks to a well-oiled assembly line is invaluable. But, of course, there are drawbacks: like a lack of cohesion and communication between security and dev teams, and unequal pressure...

    Mark as Played
    October 6, 2022 4 min

    The SBOM Movement has gained huge attention in just half a year. Whether as an external dependency of a developing product or a mission-critical tech stack component, inbound software has provenance (and often, vulnerabilities) that need to be reported for security downstream. US and foreign government support, as well as executive action, have done so much to stir awareness of these supporting docs. Many are ready to embrace it as...

    Mark as Played

    The State of AppSecOps Report found "reducing developer friction" was a top 3 priority for security leaders. A common contributor is the volleying of security responsibilities, especially with infrastructure-as-code—a gray area that often has security and dev teams pointing fingers. To get willing collaboration, security teams need to practice carrot tactics and better understand the expectations and environments their deve...

    Mark as Played

    The transition from all-hardware to mostly-digital assets has complicated and decentralized the job of security. Cloud and container apps and infrastructure-as-code are examples of innovations whose security requirements will span multiple desks, as the role of the cybersecurity do-it-all becomes a relic of the past—even for smaller organizations.

    About ArmorCode

    We develop, sell, and deliver the world’s first and leading AppSecOps p...

    Mark as Played

    Popular Podcasts

      Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations.

      Crime Junkie

      If you can never get enough true crime... Congratulations, you’ve found your people.

      The Piketon Massacre

      The most notorious mass murder in Ohio’s history happened on the night of April 21, 2016 in rural Pike County. Four crime scenes, thirty-two gunshot wounds, eight members of the Rhoden family left dead in their homes. Two years later a local family of four, the Wagners, are arrested and charged with the crimes. As the Wagners await four back-to-back capital murder trials, the KT Studios team revisits Pike County to examine: crime-scene forensics, upcoming legal proceedings, and the ties that bind the victims and the accused. As events unfold and new crimes are uncovered, what will it mean for all involved? What will it mean for Pike County?


      It’s a lighthearted nightmare in here, weirdos! Morbid is a true crime, creepy history and all things spooky podcast hosted by an autopsy technician and a hairstylist. Join us for a heavy dose of research with a dash of comedy thrown in for flavor.

      Stuff You Should Know

      If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks then look no further. Josh and Chuck have you covered.

    Advertise With Us

    For You

      Music, radio and podcasts, all free. Listen online or download the iHeart App.


      © 2022 iHeartMedia, Inc.