CyberRisk TV Live from OWASP Global AppSec 2025 – Allan Friedman – OWSP25 #1
CyberRisk TV kicks off live coverage from the 2025 OWASP Global AppSec Conference in Washington, D.C., hosted by Josh Marpet. In this opening conversation, Josh speaks with Allan Friedman, Senior Technical Advisor at the Institute for Security and Technology, about the growing importance of transparency in software and hardware security. They discuss the evolution from software bills of materials (SBOMs) to emerging hardware bills of materials (HBOMs), and how open standards are shaping the future of risk management across the entire technology stack.
This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference!
Wearing the hats of both a technologist and a policy maker, Allan has over 20 years of experience in international cybersecurity and technology policy. His experience and research focus on economic and market analyses of information security. On the practical side, he has designed, convened, and facilitated national and international multistakeholder processes that have produced real results, helping diverse organizations find common ground on contentious, cutting-edge issues.
Allan is known for applying technical and policy expertise to help audiences understand the pathways to change in an engaging fashion, and is frequently invited to speak or keynote to industry, academic, and public audiences. He has significant experience with the press, and has been featured in global media including CNN, NPR, and major American and international papers.
Use OWASP SAMM for CRA compliance – Sebastien Deleersnyder – OWSP25 #1
Using OWASP SAMM (Software Assurance Maturity Model) to assess and improve compliance with the Cyber Resilience Act (CRA) is an excellent strategy, as SAMM provides a measurable framework for secure development practices that directly address the CRA's requirements (e.g., secure by design, vulnerability handling).
Segment Resources:
- https://owaspsamm.org/
- https://cybersecuritycoalition.be/resource/a-strategic-approach-to-product-security-with-owasp-samm/
Sebastien (Seba) Deleersnyder, co-founder and CTO of Toreon, combines software engineering expertise with a passion for holistic product security. After earning his Master’s in Software Engineering from the University of Ghent, with a thesis on “Hyphenation using neural networks,” he became a driving force in the security community as the founder of the Belgian OWASP chapter, a member of the OWASP Foundation Board, and co-founder of BruCON, Belgium’s annual security conference. His leadership of OWASP SAMM and his decade-long role as a highly rated Black Hat trainer have significantly impacted global software security, earning consistently outstanding feedback from participants. Currently, Seba focuses on adapting security models for DevOps and expanding awareness of AI Threat Modeling.
Secure Coding in the Age of AI – James Manico – OWSP25 #1
As AI becomes a co-developer in modern software engineering, the definition of “secure coding” is rapidly evolving. This session explores how artificial intelligence is reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves. We’ll dive into the dual challenge of securing both human-written and AI-assisted code, discuss how enterprises can validate AI outputs against existing security standards, and highlight practical steps teams can take to build resilience into the entire development pipeline. Join us as we look ahead to the convergence of secure software engineering and AI security — where trust, transparency, and tooling will define the future of code safety.
Segment Resources: https://manicode.com/ai/
Jim Manico is the founder of Manicode Security, a company dedicated to providing expert training in secure coding and AI security engineering to software developers. In addition to leading Manicode, Jim is actively involved in the tech-startup ecosystem as an investor and advisor. His portfolio includes notable companies such as Semgrep, EdgeScan, Nucleus Security, Defect Dojo, RAD Security, Akto, Inspectiv, Levo.ai, and Phoenix Security. He is also a limited partner investor with Aviso Ventures and Grossman Ventures, bringing software-security expertise to the venture-capital domain.
A recognized figure in the software-development community, Jim is best known for advancing secure-software practices. He authored Iron-Clad Java: Building Secure Web Applications (Oracle Press) and holds the title of Java Champion. Jim gives back to the application-security community through his volunteer work with the OWASP Foundation, co-leading the OWASP Artificial Intelligence Security Verification Standard (AISVS), the OWASP Application Security Verification Standard (ASVS), and the OWASP Cheat Sheet Series.
Threat Modeling and The Four Question Framework – Adam Shostack – OWSP25 #1
Understand the history of threat modeling with Adam Shostack, the father of threat modeling. Learn how threat modeling has evolved with the Four Question Framework and how it can work in your organization in the wake of the AI revolution.
Adam is the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He’s a leading expert on threat modeling, a consultant, expert witness, and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft.
His accomplishments include:
- Helped create the CVE. Now an Emeritus member of the Advisory Board.
- Fixed Autorun for hundreds of millions of systems
- Led the design and delivery of the Microsoft SDL Threat Modeling Tool (v3)
- Created the Elevation of Privilege threat modeling game
- Co-authored The New School of Information Security
Beyond consulting and training, Shostack serves as a member of the Blackhat Review Board, an advisor to a variety of companies and academic institutions, and an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.
Security Champions: You Already Have Them! How to Tap Their Potential – Dustin Lehr – OWSP25 #1
Want to create lasting change in cybersecurity? Stop going it alone.
Whether you're launching a formal Security Champions program or still figuring out where to start, there's one truth every security leader needs to hear: You already have allies in your org... they're just waiting to be activated.
In this session, we’ll explore how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These are your early adopters: the developers, engineers, and team leads who already “get it,” even if their title doesn’t say “security.”
We’ll unpack:
- Why you need help from people outside the security org to actually be effective
- Where to find your natural allies (hint: it starts with listening, not preaching)
- How to support and energize those allies so they influence the majority
- What behavioral science tells us about spreading change across an organization
Security is a team sport, and the opportunity to bring more people into the mission has never been greater. Whether you’re in security, engineering, product, or beyond, this conversation is for you.
Let’s talk champions. You’ve already got them. Now it’s time to activate them.
Segment Resources: Security Champion Success Guide: https://securitychampionsuccessguide.org/
Other interviews/podcasts I've done on Champs and AppSec: https://www.youtube.com/playlist?list=PLPb14P8f4T1ITv3p3Y3XtKsyEAA8W526h
How to measure success and impact of culture change and champions: https://www.linkedin.com/pulse/from-soft-skills-hard-data-measuring-success-security-yhmse/
Global Community of Champions sign up: https://docs.google.com/forms/d/e/1FAIpQLScyXPAMf9M8idpDMwO4p2h5Ng8I0ffofZuY70BbmgCZNPUS5Q/viewform
Dustin Lehr is the Application Security Advocate at Security Journey, Co-founder of Katilyst, and an accomplished software engineer and cybersecurity leader. He helps organizations build developer-centric programs that motivate and engage developers by leveraging behavioral science techniques.
Beyond the Firewall: Why Traditional Web Security Still Matters in the AI Era – Felipe Zipitria – OWSP25 #1
In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project and a veteran security expert with over two decades of experience. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications.
In this conversation, Felipe challenges common assumptions about "legacy" security technologies and explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside—not against—artificial intelligence. From his unique vantage point as both a practitioner and educator, Felipe offers insights into the future of web application security, the role of open-source communities in keeping the internet safe, and how the next generation of security tools will blend human expertise with machine learning capabilities.
Segment Resources:
- github.com/coreruleset/coreruleset
- coreruleset.org
Felipe Zipitria is a seasoned computer security expert with an MSc from Universidad de la República in Uruguay and over 20 years of technical experience. His career has evolved from SRE, DevOps, and SysAdmin roles into specialized security domains, with the past five years dedicated to Application Security and Cloud SecOps. Throughout his career, he has provided security consulting services for more than a decade, establishing himself as a trusted advisor in the field.
Beyond his professional practice, Felipe is deeply committed to education and open-source community leadership. He teaches Computer Security Fundamentals to undergraduate students and Web Application Security to graduate students at Uruguay’s public university. Since 2013, he has served as Uruguay Co-Chapter Leader for OWASP, and has been a core contributor to OWASP CRS as a developer and co-leader since 2021. He is also part of the OWASP Coraza leadership team, driving innovation in Web Application Firewall development. His dedication to nurturing the next generation of security professionals is evident through his four consecutive years as a Google Summer of Code mentor, where he guides students into open-source and OWASP initiatives.