Modern AppSec: OWASP SAMM, AI Secure Coding, Threat Modeling & Champions – Sebastian Deleersnyder, James Manico, Adam Shostack, Dustin Lehr – ASW #362
Using OWASP SAMM to assess and improve compliance with the Cyber Resilience Act (CRA) is an excellent strategy, as SAMM provides a framework for secure development practices such as secure-by-design principles and vulnerability handling, both of which the CRA requires of manufacturers of products with digital elements.
Segment Resources:
- https://owaspsamm.org/
- https://cybersecuritycoalition.be/resource/a-strategic-approach-to-product-security-with-owasp-samm/
As genAI becomes a more popular tool in software engineering, the definition of “secure coding” is changing. This session explores how artificial intelligence is reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves. We’ll dive into the dual challenge of securing both human-written and AI-assisted code, discuss how enterprises can validate AI outputs against existing security standards, and highlight practical steps teams can take to build resilience into the entire development pipeline. Join us as we look ahead to the convergence of secure software engineering and AI security — where trust, transparency, and tooling will define the future of code safety.
Understand the history of threat modeling with Adam Shostack. Learn how threat modeling has evolved with the Four Question Framework (what are we working on, what can go wrong, what are we going to do about it, did we do a good job) and how it can work in your organization in the wake of the AI revolution.
Whether you're launching a formal Security Champions program or still figuring out where to start, there's one truth every security leader needs to hear: you already have allies in your org; they're just waiting to be activated. In this session, we'll explore how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These are your early adopters: the developers, engineers, and team leads who already "get it," even if their title doesn't say "security."
We’ll unpack:
- Why you need help from people outside the security org to actually be effective
- Where to find your natural allies (hint: it starts with listening, not preaching)
- How to support and energize those allies so they influence the majority
- What behavioral science tells us about spreading change across an organization
Segment Resources:
- Security Champion Success Guide: https://securitychampionsuccessguide.org/
- Related interviews/podcasts: https://www.youtube.com/playlist?list=PLPb14P8f4T1ITv3p3Y3XtKsyEAA8W526h
- How to measure success and impact of culture change and champions: https://www.linkedin.com/pulse/from-soft-skills-hard-data-measuring-success-security-yhmse/
- Global Community of Champions sign up: https://docs.google.com/forms/d/e/1FAIpQLScyXPAMf9M8idpDMwO4p2h5Ng8I0ffofZuY70BbmgCZNPUS5Q/viewform
This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference!
Seba is co-founder, CTO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and performed several public presentations on Application Security. Seba also co-organized the yearly security & hacker BruCON conference and trainings in Belgium.
With a background in development and many years of experience in security, he has trained countless developers to create software more securely. He has led OWASP projects such as OWASP SAMM, thereby truly making the world a little bit safer. Now he is adapting application security models to the evolving field of DevOps and is also focused on bringing Threat Modeling to a wider audience.
Jim Manico is the founder of Manicode Security, a company dedicated to providing expert training in secure coding and AI security engineering to software developers. In addition to leading Manicode, Jim is actively involved in the tech-startup ecosystem as an investor and advisor. His portfolio includes notable companies such as Semgrep, EdgeScan, Nucleus Security, Defect Dojo, RAD Security, Akto, Inspectiv, Levo.ai, and Phoenix Security. He is also a limited partner investor with Aviso Ventures and Grossman Ventures, bringing software-security expertise to the venture-capital domain.
A recognized figure in the software-development community, Jim is best known for advancing secure-software practices. He authored Iron-Clad Java: Building Secure Web Applications (Oracle Press) and holds the title of Java Champion. Jim gives back to the application-security community through his volunteer work with the OWASP Foundation, co-leading the OWASP Artificial Intelligence Security Verification Standard (AISVS), the OWASP Application Security Verification Standard (ASVS), and the OWASP Cheat Sheet Series.
Adam is the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He’s a leading expert on threat modeling, a consultant, expert witness, and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft.
His accomplishments include:
- Helped create the CVE. Now an Emeritus member of the Advisory Board.
- Fixed Autorun for hundreds of millions of systems
- Led the design and delivery of the Microsoft SDL Threat Modeling Tool (v3)
- Created the Elevation of Privilege threat modeling game
- Co-authored The New School of Information Security
Beyond consulting and training, Shostack serves as a member of the Blackhat Review Board, an advisor to a variety of companies and academic institutions, and an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.
Dustin Lehr is the Application Security Advocate at Security Journey, Co-founder of Katilyst, and an accomplished software engineer and cybersecurity leader. He helps organizations build developer-centric programs that motivate and engage developers by leveraging behavioral science techniques.