<![CDATA[AppSec]]>9e45d83a-d6d5-51b5-a725-39db724e703cThu, 02 Oct 2025 11:44:47 +0000Captivate.fmJerry Hoffhttps://artwork.captivate.fm/66bc79a7-e45b-4dd7-8019-a80364a07459/AppSec-FM.pngAppSecJerry HoffJerry HoffApplication Security Discussionhttps://appsec.fmfalseepisodicnopodcastEnterprise Secure Prompt EngineeringEnterprise Secure Prompt EngineeringPrompt engineering is no longer just a developer experiment, it is becoming a critical enterprise skill. In this episode of AppSec.FM, Jerry Hoff talks with Jim Manico about the emerging practice of secure prompt engineering, how it affects AI-generated code, and what organizations can do to prepare. They cover the risks of third-party libraries, the evolving AISVS project, and how AI has the potential to transform application security if used correctly.

Highlights:

• Why secure prompt engineering is critical at the enterprise level.

• How AI-generated code introduces new security challenges.

• The role of prompt testing and continuous improvement.

• Minimizing third-party libraries to reduce vulnerabilities.

• How AISVS is evolving to address AI and secure coding.

• The future of secure coding in an AI-driven world.


Guest links:

https://www.linkedin.com/in/jmanico/

https://manicode.com

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>Prompt engineering is no longer just a developer experiment, it is becoming a critical enterprise skill. In this episode of AppSec.FM, Jerry Hoff talks with Jim Manico about the emerging practice of secure prompt engineering, how it affects AI-generated code, and what organizations can do to prepare. They cover the risks of third-party libraries, the evolving AISVS project, and how AI has the potential to transform application security if used correctly.

Highlights:

• Why secure prompt engineering is critical at the enterprise level.

• How AI-generated code introduces new security challenges.

• The role of prompt testing and continuous improvement.

• Minimizing third-party libraries to reduce vulnerabilities.

• How AISVS is evolving to address AI and secure coding.

• The future of secure coding in an AI-driven world.


Guest links:

https://www.linkedin.com/in/jmanico/

https://manicode.com

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>95c732d7-f159-469f-be93-5a96293b1d15Thu, 02 Oct 2025 07:41:00 -040036:37falsefull88ZAP, Automation, and the Future of Open Source Security TestingZAP, Automation, and the Future of Open Source Security TestingThe Zed Attack Proxy (ZAP) has grown from a personal project into one of the most widely used open-source security testing tools in the world. In this episode of AppSec.FM, Jerry Hoff talks with Simon Bennetts, founder and lead of ZAP, about its evolution, role in CI/CD automation, and the importance of community contributions. The conversation also explores the integration of AI, the unique position of ZAP in the security ecosystem, and where the project is headed next.

Highlights:

• The journey of ZAP from concept to millions of downloads.

• How ZAP is used by developers, security teams, and pen testers.

• Why automation in CI/CD pipelines is key for AppSec.

• The role of AI in modern security testing.

• How ZAP differs from other tools like Burp.

• Community involvement and the future of open-source AppSec.

• Handling modern protocols such as WebSockets.

• Future directions for ZAP and security testing with AI.


Guest links:

https://www.linkedin.com/in/psiinon/

https://www.zaproxy.org

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>The Zed Attack Proxy (ZAP) has grown from a personal project into one of the most widely used open-source security testing tools in the world. In this episode of AppSec.FM, Jerry Hoff talks with Simon Bennetts, founder and lead of ZAP, about its evolution, role in CI/CD automation, and the importance of community contributions. The conversation also explores the integration of AI, the unique position of ZAP in the security ecosystem, and where the project is headed next.

Highlights:

• The journey of ZAP from concept to millions of downloads.

• How ZAP is used by developers, security teams, and pen testers.

• Why automation in CI/CD pipelines is key for AppSec.

• The role of AI in modern security testing.

• How ZAP differs from other tools like Burp.

• Community involvement and the future of open-source AppSec.

• Handling modern protocols such as WebSockets.

• Future directions for ZAP and security testing with AI.


Guest links:

https://www.linkedin.com/in/psiinon/

https://www.zaproxy.org

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>31deb418-a645-4592-9225-7f7e94ecb0cdThu, 02 Oct 2025 07:36:00 -040035:04falsefull77The Future of Threat Modeling in the Age of AIThe Future of Threat Modeling in the Age of AIThreat modeling is shifting from a manual process to one supercharged by AI. In this episode of AppSec.FM, Jerry Hoff talks with Fraser Scott, Chief Scientist at IriusRisk, about how AI and LLMs are transforming the way organizations identify risks in software development. The conversation explores the current state of threat modeling, supply chain challenges, and the economic value of embedding proactive security practices into the SDLC.

Highlights:

• Why threat modeling remains critical in modern AppSec.

• How AI and LLMs are changing the threat modeling process.

• Inputs, outputs, and practical adoption in organizations.

• The growing importance of supply chain risk management.

• Integrating threat modeling into secure software design.

• The ROI of identifying risks early in development.

• The role of threat modeling in defending against AI-powered attackers.


Guest links:

https://www.linkedin.com/in/zeroxten/

https://www.iriusrisk.com/

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>Threat modeling is shifting from a manual process to one supercharged by AI. In this episode of AppSec.FM, Jerry Hoff talks with Fraser Scott, Chief Scientist at IriusRisk, about how AI and LLMs are transforming the way organizations identify risks in software development. The conversation explores the current state of threat modeling, supply chain challenges, and the economic value of embedding proactive security practices into the SDLC.

Highlights:

• Why threat modeling remains critical in modern AppSec.

• How AI and LLMs are changing the threat modeling process.

• Inputs, outputs, and practical adoption in organizations.

• The growing importance of supply chain risk management.

• Integrating threat modeling into secure software design.

• The ROI of identifying risks early in development.

• The role of threat modeling in defending against AI-powered attackers.


Guest links:

https://www.linkedin.com/in/zeroxten/

https://www.iriusrisk.com/

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>f2f6ab68-0eca-401a-ae7e-1560a07a7747Thu, 02 Oct 2025 07:33:00 -040035:25falsefull66AI and the New Landscape of Application SecurityAI and the New Landscape of Application SecurityAI is transforming the way organizations build and secure software. In this episode of AppSec.FM, Jerry Hoff talks with Chris Hertz, co-founder and CEO of Healer, about how AI is reshaping both development practices and attacker strategies. The discussion explores the economics of vulnerability remediation, the challenges of securing open source dependencies, and how collaboration between developers and security teams can build more resilient software.

Highlights:

• How AI is reshaping development and security.

• Why attackers are leveraging AI to scale their exploits.

• The economics of vulnerability remediation and barriers to fixing issues.

• Healer’s approach to identifying exploitable vulnerabilities.

• Guardrails for managing malicious or risky dependencies.

• The importance of collaboration between AppSec teams and developers.

• Building resilience into software as the ultimate defense.


Guest links:

https://www.linkedin.com/in/christopherhertz/

https://www.heeler.com/

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>AI is transforming the way organizations build and secure software. In this episode of AppSec.FM, Jerry Hoff talks with Chris Hertz, co-founder and CEO of Healer, about how AI is reshaping both development practices and attacker strategies. The discussion explores the economics of vulnerability remediation, the challenges of securing open source dependencies, and how collaboration between developers and security teams can build more resilient software.

Highlights:

• How AI is reshaping development and security.

• Why attackers are leveraging AI to scale their exploits.

• The economics of vulnerability remediation and barriers to fixing issues.

• Healer’s approach to identifying exploitable vulnerabilities.

• Guardrails for managing malicious or risky dependencies.

• The importance of collaboration between AppSec teams and developers.

• Building resilience into software as the ultimate defense.


Guest links:

https://www.linkedin.com/in/christopherhertz/

https://www.heeler.com/

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>3e5cbc72-d4a7-4d59-96bd-75ad6b5ff201Thu, 02 Oct 2025 07:29:00 -040026:34falsefull55Investing in the Future of Application SecurityInvesting in the Future of Application SecurityApplication security is at a turning point, with AI transforming development and new security challenges emerging every day. In this episode of AppSec.FM, Jerry Hoff talks with Michael Coates about the importance of investing in innovative security solutions and the companies that will define the next generation of AppSec. They discuss the role of shadow developers, the accelerating pace of development, and how investors and practitioners alike can prepare for the future.

Highlights:

  • Why investment is critical to the future of AppSec.
  • How AI is changing the security and development landscape.
  • The rise of shadow developers and the risks they introduce.
  • Automatic remediation as a goal for the next generation of tools.
  • Why architects will play a larger role in managing software complexity.
  • Interconnected risks across the SDLC that demand new solutions.

Guest links:

https://www.linkedin.com/in/mcoates/

https://sevenhillventures.com

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>Application security is at a turning point, with AI transforming development and new security challenges emerging every day. In this episode of AppSec.FM, Jerry Hoff talks with Michael Coates about the importance of investing in innovative security solutions and the companies that will define the next generation of AppSec. They discuss the role of shadow developers, the accelerating pace of development, and how investors and practitioners alike can prepare for the future.

Highlights:

  • Why investment is critical to the future of AppSec.
  • How AI is changing the security and development landscape.
  • The rise of shadow developers and the risks they introduce.
  • Automatic remediation as a goal for the next generation of tools.
  • Why architects will play a larger role in managing software complexity.
  • Interconnected risks across the SDLC that demand new solutions.

Guest links:

https://www.linkedin.com/in/mcoates/

https://sevenhillventures.com

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>afb42f1b-d6f3-4e48-aa96-ef34e29eeaeaThu, 02 Oct 2025 07:03:00 -040027:58falsefull44Does AppSec Still Matter? CVEs, Risk, and Real-World SecurityDoes AppSec Still Matter? CVEs, Risk, and Real-World SecurityApplication security has never been more critical, but are we focusing on the wrong things? In this episode of AppSec.FM, Jerry Hoff sits down with Robert RSnake Hansen to explore the true relevance of AppSec in the age of CVEs, compliance, and adversaries who are evolving faster than ever.

Highlights:

  • Why most security risk comes from a small subset of CVEs.
  • The gap between compliance frameworks and real security outcomes.
  • How adversaries actually prioritize targets (hint: money).
  • The cultural factors that shape AppSec debates.
  • Why vulnerability management needs more data-driven approaches.
  • The impact of LLMs on modern cyber attacks.
  • Practical steps for defending web applications.


Guest links:

https://www.linkedin.com/in/roberthansen3/

https://www.rootevidence.com/


AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>Application security has never been more critical, but are we focusing on the wrong things? In this episode of AppSec.FM, Jerry Hoff sits down with Robert RSnake Hansen to explore the true relevance of AppSec in the age of CVEs, compliance, and adversaries who are evolving faster than ever.

Highlights:

  • Why most security risk comes from a small subset of CVEs.
  • The gap between compliance frameworks and real security outcomes.
  • How adversaries actually prioritize targets (hint: money).
  • The cultural factors that shape AppSec debates.
  • Why vulnerability management needs more data-driven approaches.
  • The impact of LLMs on modern cyber attacks.
  • Practical steps for defending web applications.


Guest links:

https://www.linkedin.com/in/roberthansen3/

https://www.rootevidence.com/


AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>20735f5e-413f-4d9a-88b0-04dc9ee2daa7Thu, 02 Oct 2025 06:52:00 -040044:19falsefull33Harnessing AI in Software Development: Code, Security, and AutomationHarnessing AI in Software Development: Code, Security, and AutomationAI is reshaping the way we build and secure software. In this episode of AppSec.FM, Jerry Hoff talks with Arshan Dabirsiaghi about the practical realities of AI-generated code, the challenges it introduces, and the opportunities it creates for modern AppSec.

Highlights:

  • How AI-generated code improves developer productivity.
  • Why prompt engineering matters for secure AI use.
  • Risks of hallucinated package names in generated code.
  • Adapting modern CI/CD pipelines to AI-assisted development.
  • Automating vulnerability triage and remediation.
  • The continued role of DAST and static analysis.
  • How AI might accelerate cyberattacks.

Guest Links:

https://www.linkedin.com/in/arshan-dabirsiaghi/

https://pixee.ai

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>AI is reshaping the way we build and secure software. In this episode of AppSec.FM, Jerry Hoff talks with Arshan Dabirsiaghi about the practical realities of AI-generated code, the challenges it introduces, and the opportunities it creates for modern AppSec.

Highlights:

  • How AI-generated code improves developer productivity.
  • Why prompt engineering matters for secure AI use.
  • Risks of hallucinated package names in generated code.
  • Adapting modern CI/CD pipelines to AI-assisted development.
  • Automating vulnerability triage and remediation.
  • The continued role of DAST and static analysis.
  • How AI might accelerate cyberattacks.

Guest Links:

https://www.linkedin.com/in/arshan-dabirsiaghi/

https://pixee.ai

AppSec.FM is the podcast for application security professionals, hosted by Jerry Hoff. Subscribe on Apple Podcasts, Spotify, or at appsec.fm.

]]>5f814737-1d64-42cc-9782-65d791397099Thu, 02 Oct 2025 05:36:00 -040029:30falsefull22Is Threat Modeling Still Relevant in the Age of AI?Is Threat Modeling Still Relevant in the Age of AI?Threat modeling has been a cornerstone of application security for decades — but is it still relevant in the era of AI-assisted development? In this episode of AppSec.FM, Jerry Hoff talks with Amir Kavousian about how threat modeling must evolve to keep pace with modern software practices.

Highlights:

  • Why threat modeling is still essential for AppSec.
  • How AI-assisted development changes risk considerations.
  • Continuous threat modeling as a living document.
  • The role of compliance and legal in secure design.
  • Automating threat modeling to scale with modern pipelines.
  • Applying threat modeling to both new and legacy applications.
  • The business value of integrating threat modeling into security programs.

Guest Links:

https://www.linkedin.com/in/amir-kavousian/

https://www.devarmor.com/

]]>Threat modeling has been a cornerstone of application security for decades — but is it still relevant in the era of AI-assisted development? In this episode of AppSec.FM, Jerry Hoff talks with Amir Kavousian about how threat modeling must evolve to keep pace with modern software practices.

Highlights:

  • Why threat modeling is still essential for AppSec.
  • How AI-assisted development changes risk considerations.
  • Continuous threat modeling as a living document.
  • The role of compliance and legal in secure design.
  • Automating threat modeling to scale with modern pipelines.
  • Applying threat modeling to both new and legacy applications.
  • The business value of integrating threat modeling into security programs.

Guest Links:

https://www.linkedin.com/in/amir-kavousian/

https://www.devarmor.com/

]]>2cb53e37-e267-4584-848c-ff6287aff0a1Thu, 02 Oct 2025 05:22:00 -040033:49falsefull11