Curious about application security? Want to learn how to detect security vulnerabilities and protect your application? We discuss a range of topics and provide practical insights into the world of application security.
Ever read a security advisory that told you to “use a VPN” to protect a Bluetooth device?
In this episode we talk about how bad or inaccurate recommendations undermine security findings. We look at an example where the recommendations don't relate to the issue at all, leaving the people who have to act on them confused about how to respond.
Share with us your experience with recommendations that just missed the mark.
References:
In this episode James gives an overview of the new OWASP Top 10 2025. He shares some insights into the history, changes, and additional thoughts on the top 10.
Do you have any thoughts on the OWASP Top 10? Let us know.
References:
Medium article on the history of the OWASP Top 10 - https://medium.com/@dramkumar/history-of-all-owasp-top-10-over-the-years-9470c0adf43d
OWASP Top 10 2025 - https://owasp.org/Top10/2025/
Top 10 -> CWE Breakdown -...
In this episode, James talks about the difference between end-to-end encryption and the standard encryption in transit (TLS) that most web applications implement. There is an interesting story (referenced below) in which "end-to-end encryption" was used in a way that departs from the term's standard meaning.
Check out what the differences are and what you can do to make sure you are paying attention to how terms are used.
References:
Link to Article: https://www.esecurit...
Have you ever had that sinking feeling that your account has been compromised?
It can be scary. But what about when it didn't really happen, and the cause was just confusing messaging?
That is what I talk about in this episode: the importance of proper messaging in the right context. Even the smallest thing can turn into a larger issue.
References:
Link to Article: https://www.bleepingcomputer.com/news/security/coi...
In this episode, James shares a story about fixing a flat tire on an E-Scooter and how it relates to security. He shows how the combination of tools, process, and knowledge can lead to a successful outcome.
Can you be successful without all three components? Maybe, but it might take more effort than is needed. Tune in to learn how these three components work together to create efficient solutions.
In this episode, I go over what Double-ClickJacking is and what you can potentially do about it to reduce the risk to your applications.
Will this be the new finding on everyone's pen tests this year?
Paulos Yibelo first described Double-ClickJacking; you can read more in his post referenced below.
References:
Paulos Yibelo Blog: https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
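As an added example (not code from the podcast or from Yibelo's post), the following models the client-side mitigation his post describes: sensitive controls stay disabled until the page itself has seen a real user gesture, because in the attack the victim's second click lands on the target page without any prior interaction with it. The event types used to arm the control, the minimum gesture age, the `data-sensitive` selector and the timelines replayed are this example's own assumptions; the guard logic is kept free of DOM calls so it can be exercised outside a browser.

```javascript
// Added example, not the podcast's or Paulos Yibelo's code: a guard that
// refuses clicks on a sensitive control until the page has seen a genuine
// user gesture of its own. Event names and the 300 ms threshold are assumptions.
function createDoubleClickGuard({ minGestureMs = 300 } = {}) {
  let armed = false;      // true only after a gesture ON THIS PAGE
  let armedAt = null;

  return {
    // Feed pointer/keyboard events that prove the user is interacting here.
    // The swapped-in target page receives the second click with no
    // preceding mousemove/keydown of its own.
    onGesture(event, now) {
      if (event.type !== 'mousemove' && event.type !== 'keydown') return;
      if (!armed) { armed = true; armedAt = now; }
    },
    // Decide whether a click on a sensitive control should be honoured.
    shouldAccept(event, now) {
      if (event.type !== 'click') return false;
      if (!armed) return false;                    // no gesture yet: refuse
      return now - armedAt >= minGestureMs;        // gesture too fresh: refuse
    },
    reset() { armed = false; armedAt = null; },
  };
}

// Replay a constructed sequence of {type, t} events and return the verdict
// for every click in it.
function evaluateSequence(events, opts) {
  const guard = createDoubleClickGuard(opts);
  const verdicts = [];
  for (const e of events) {
    if (e.type === 'click') verdicts.push(guard.shouldAccept(e, e.t));
    else guard.onGesture(e, e.t);
  }
  return verdicts;
}

// Constructed attack timeline: the only event the target page ever sees is
// the second half of the victim's double-click.
const ATTACK_SEQUENCE = [{ type: 'click', t: 1000 }];

// Constructed legitimate timeline: the user moves the mouse, pauses, clicks.
const LEGIT_SEQUENCE = [
  { type: 'mousemove', t: 0 },
  { type: 'mousemove', t: 450 },
  { type: 'click', t: 900 },
];

// Browser wiring (only runs when a DOM exists): keep the control disabled
// until the guard arms, and re-check the guard on every click.
function protectButton(button, guard) {
  button.disabled = true;
  const arm = (e) => { guard.onGesture(e, Date.now()); button.disabled = false; };
  document.addEventListener('mousemove', arm, { once: true });
  document.addEventListener('keydown', arm, { once: true });
  button.addEventListener('click', (e) => {
    if (!guard.shouldAccept(e, Date.now())) { e.preventDefault(); e.stopImmediatePropagation(); }
  }, true);
}

if (typeof document !== 'undefined') {
  document.querySelectorAll('[data-sensitive]')
    .forEach((b) => protectButton(b, createDoubleClickGuard()));
}
```

This is a defence-in-depth control, not a substitute for confirmation steps on irreversible actions: a page that performs an OAuth grant or account deletion on a single unconfirmed click is the precondition the attack needs.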
In this episode, I talk about how security is a part of everyone's role and the labeling of "Security Culture". I share some ideas on how to improve on role based security awareness and building stronger relationships between security and the rest of the organization.
For more info go to https://www.developsec.com or follow us on X (@developsec).
In this episode I talk about assigning responsibility for secure development and how the dev and security teams should be working together to accomplish a common goal.
I also discuss the importance of updating developer job descriptions and creating an expectation around developers having secure development experience.
In this episode I talk about the evolving world of ransomware. I discuss a few examples of unique tactics malicious actors use to pressure organizations into paying the ransom.
Referenced Articles:
https://www.theregister.com/AMP/2024/04/30/finnish_psychotherapy_center_crook_sentenced/
In this episode we talk about addressing the root cause of an issue versus the symptoms. How can the process of keeping application components updated be improved?
DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
In this episode we talk about the spell check feature of the browser and how it could present a risk to sensitive data.
Link to article referenced: https://www.darkreading.com/application-security/spellchecking-google-chrome-microsoft-edge-browsers-leaks-passwords
Log4J has been the talk of the town recently and everyone is focused on the technical details of the specific vulnerabilities found. In this episode, James talks about the overarching ideas around dealing with vulnerable components. Are you vulnerable? If so, what needs to be done?
Chrome has announced a few changes that we need to watch out for in the near future. We previously talked about the SameSite default value, which is coming up fast. I wrote about it here: https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/
Also, they are getting ready to start blocking mixed content downloads:
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html
It was recently announced that Chrome was dropping the XSS Auditor in Chrome 78. What does that mean and how does that change things for you as a developer?
https://www.chromium.org/developers/design-documents/xss-auditor
Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.
In 2020, Chrome will default the SameSite attribute to Lax on all cookies. SameSite helps mitigate CSRF, but does that mean CSRF is Dead?
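To answer that question concretely, here is an added example (not the podcast's code) that models the SameSite rules the Lax default applies, and runs a few constructed requests through them. It also illustrates the earlier Chrome-changes episode above, since the cookie with no attribute is exactly what the new default affects. The site names, endpoints and the safe-method list are this example's assumptions, the eTLD+1 comparison is approximated without the Public Suffix List, and Chrome's temporary "Lax+POST" exemption (cookies set without an attribute within the last two minutes are still sent on a cross-site top-level POST) is left out.

```javascript
// Added example, not from the podcast: which cookies a browser attaches to a
// request under Strict / Lax / None, with Chrome's Lax-by-default applied to
// cookies that set no attribute. Sites, endpoints and SAFE_METHODS are assumptions.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// "Site" for SameSite purposes is scheme + registrable domain. The eTLD is
// approximated as the last label; a real implementation consults the
// Public Suffix List (co.uk and friends break this shortcut).
function siteOf(origin) {
  const { protocol, hostname } = new URL(origin);
  const labels = hostname.split('.');
  return `${protocol}//${labels.slice(-2).join('.')}`;
}

// Chrome 80+ treats a missing attribute as Lax.
function effectiveSameSite(cookie) {
  return cookie.sameSite || 'Lax';
}

// True if the cookie is attached to a request from `initiator` (the page
// making it) to `target`, with the given method, and whether it is a
// top-level navigation rather than a fetch/form/subresource inside a page.
function cookieSent(cookie, { initiator, target, method, topLevel }) {
  const sameSite = siteOf(initiator) === siteOf(target);
  const mode = effectiveSameSite(cookie);
  if (mode === 'None') return Boolean(cookie.secure) && target.startsWith('https:');
  if (sameSite) return true;
  if (mode === 'Strict') return false;
  // Lax: cross-site only on top-level navigations using a safe method.
  return Boolean(topLevel) && SAFE_METHODS.has(method.toUpperCase());
}

// Constructed cookies and requests against an imagined bank application.
const SESSION_LEGACY = { name: 'sid', secure: true };                     // no SameSite set
const SESSION_STRICT = { name: 'sid', secure: true, sameSite: 'Strict' };
const SESSION_NONE   = { name: 'sid', secure: true, sameSite: 'None' };

const CROSS_SITE_FORM_POST = {
  initiator: 'https://evil.example', target: 'https://bank.example/transfer',
  method: 'POST', topLevel: true,
};
const CROSS_SITE_GET_LINK = {
  initiator: 'https://evil.example', target: 'https://bank.example/transfer?to=attacker',
  method: 'GET', topLevel: true,
};
const SUBDOMAIN_POST = {   // e.g. XSS or a takeover on a sibling subdomain
  initiator: 'https://blog.bank.example', target: 'https://bank.example/transfer',
  method: 'POST', topLevel: false,
};

// What the Lax default stops, and what it leaves alone.
function whatLaxStops() {
  return {
    classicFormCsrf:   cookieSent(SESSION_LEGACY, CROSS_SITE_FORM_POST), // blocked
    stateChangingGet:  cookieSent(SESSION_LEGACY, CROSS_SITE_GET_LINK),  // still sent
    sameSiteSubdomain: cookieSent(SESSION_LEGACY, SUBDOMAIN_POST),       // still sent
    strictVsGet:       cookieSent(SESSION_STRICT, CROSS_SITE_GET_LINK),  // blocked
    noneVsForm:        cookieSent(SESSION_NONE, CROSS_SITE_FORM_POST),   // opted out
  };
}
```

So the Lax default closes the classic cross-site form post, but not a state-changing GET, not a request from a sibling subdomain, and not any cookie the application itself marks `SameSite=None` for a legitimate cross-site integration. Anti-CSRF tokens on state-changing requests, and no state changes on GET, remain the controls to keep.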
In this episode, James talks about investing in the development teams to increase application security priorities.
In this episode, James talks about some of the risks and recommendations around security questions and their implementation.
Does your application give away details about its server, framework, or other components? How does an attacker use this information? Check out this episode to learn more.
Would you know if someone authenticated to your account? With the breaches we see in the news, and attacks like credential stuffing, there must be a way to be alerted to account access. James talks about authentication alerts, what they are, and why you may want to use them.
James discusses how implementation matters with security controls and how it changes priorities. This came about after reading the following story:
https://www.theverge.com/2018/12/31/18162541/vein-authentication-wax-hand-hack-starbug