Keeping current with the latest developments in application security can be challenging and time-consuming. One way to make it less so is to have a go-to list of active online application security pros to follow who can keep you up to date on the latest security threats and trends, as well as best practices, through their social media, blogs, podcasts, and newsletters.
Here are 20 app sec pros that provide security practitioners and leaders with the knowledge they need to stay at the top of their game.
[ Want curated software supply chain security news? Subscribe to Chainmail ]
Sean Atkinson and Tony Sager
Atkinson and Sager are co-hosts of the Cybersecurity Where You Are podcast, which is sponsored by the Center for Internet Security, a nonprofit organization whose mission is to make the connected world a safer place for people, businesses, and governments. In a typical podcast episode, the hosts and an expert guest or guests discuss a security topic. Recent episodes of CWYA include "Inside the 'Spidey Sense' of a Pentester," "Overcoming Pre-Audit Scaries Through Governance," and "Guiding Vendors to IoT Security by Design."
Baumgartner is a principal security analyst with the global research and analysis team at the cybersecurity software company Kaspersky. He focuses on the analysis and exposure of advanced persistent threats, as well as the investigation of targeted attacks, mass exploits, and cyber-intrusions, and he speaks about malware issues at international conferences. He can be found on both X, formerly Twitter, and Mastodon, although he's more active on X.
"Barracuda customers should remove all ESG appliances immediately....The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit" https://t.co/QkWdqk7QJj— Kurt Baumgartner (@k_sec) August 25, 2023
As a senior threat intelligence analyst at Microsoft, Beaumont is a frequent speaker at security conferences and author of the DoublePulsar blog, named for a nasty kernel-mode implant that was developed by the National Security Agency and leaked in 2017 to a hacker group called the Shadow Brokers. Recent blog entries discuss the distribution of Trojan-infected versions of a Han Solo video role-playing game, an unpatched server vulnerability at the Electoral Commission in the United Kingdom, and a backdoor discovered in a popular mobile device management product. Beaumont also tweets and posts to Mastodon.
Recognizing how rapidly the world of application security is evolving, Security Journey launched the Security Champions podcast, hosted by Burch, the company's application security director. Security Journey makes application security education tools that help developers and the entire software development lifecycle team recognize and understand vulnerabilities and threats and proactively mitigate them. Episodes include discussions with development leaders and security experts about the latest headlines in the app sec world, as well as advice on building, maintaining, and scaling a successful security program.
Curphey writes the Crash Override blog and newsletter. He is a founder of OWASP and of SourceClear, a cloud-native data security platform whose software composition analysis technology was acquired by Veracode in 2018. The blog has entries on product software certification, security tooling, and the latest developments in the company's open-source Chalk project, which gives software developers, DevOps engineers, and security pros visibility across development and production. Curphey also tweets at @VuduChief.
As the Google vice president of privacy, safety, and security, Hansen is focused on making the Internet safer for everyone. During his term at Google, he launched OSV Scanner, a tool that allows developers to scan for vulnerabilities in open-source software dependencies, led the development of the company's security incident response plan, and worked to improve the security of its products and services, such as Chrome, Android, and Gmail. Hansen is active on both X and LinkedIn.
Best known for his invaluable Have I Been Pwned website, which allows Internet users to check whether their personal data has been compromised in a data breach, Hunt is an Australian web security consultant and educator who has written several popular security-related courses on Pluralsight, a provider of video training courses for software developers and IT pros. In addition to conducting keynotes and workshops at conferences around the world, he writes a blog and is active on X and Mastodon, and has a YouTube channel.
Kettle is director of research at PortSwigger, which makes Burp, a suite of programs for web security scanning and application testing. Kettle wrote three of the 10 most popular Burp extensions: ActiveScan++, HTTP Request Smuggler, and Backslash Powered Scanner. He has also presented on HTTP desync attacks at DEF CON and on practical web cache poisoning at Black Hat USA. In addition to maintaining a dynamic personal web page with links to PortSwigger research, he is active on X, Mastodon, and LinkedIn.
Thanks to everyone who came to the #DEFCON31 edition of Smashing the State Machine! I'll be hanging around chilling for the next couple of days; feel free to say hi. Hope the techniques yield many crazy bugs for you in future :)https://t.co/k9ECgD12FM— James Kettle (@albinowax) August 12, 2023
Seth Law and Ken Johnson
Law, founder of the research and security consulting firm Redpoint, and Johnson, co-founder and CTO of DryRun Security, a maker of security software for developers, are hosts of the Absolute AppSec podcast. The podcast offers discussions on a wide range of application security topics, including contextual security analysis, scans, app sec research, threat modeling, Zip TLD, PyPI 2FA, AI poisoning, watering-hole attacks, and adversarial AI. Recent guests include Brian Walter of OpenContext, Evan Johnson of RunReveal, and Brian Joe of Impart Security. Both are active on X.
Developers who use software composition tools to determine if the libraries they're using are free of known security defects are likely to be familiar with Long's work. He wrote and maintains Dependency-Check, one of the earliest software composition tools to be offered to code warriors. His day job is as a principal security engineer at ServiceNow, a cloud-based platform that automates IT service management and other business processes, but he's also active on X and GitHub.
Worse would be a compromised build plugin that backdoored everything built with it. IDEs aren't used in CI environments. Take a look at my malicious-dependencies repo for an example of what has terrified me since reading about #solarwinds https://t.co/Y9KB92jjSY https://t.co/SPqjywJ02i— Jeremy Long (@ctxt) August 9, 2023
Marks is a senior analyst at TechTarget's Enterprise Strategy Group. She writes about cloud-native application protection platforms, cloud workload protection, cloud security posture management, DevSecOps, and application security, including web application security testing such as static AST, dynamic AST, interactive AST, software composition analysis, and API security. Her latest report on APIs delves into the challenges of securing APIs and how to build an effective security strategy so developers can safely utilize the power of APIs to build better applications. She's active on both X and LinkedIn.
Bug bounty and vulnerability disclosure programs are Moussouris' specialty, which was honed working as chief policy officer for HackerOne and helping Microsoft and the U.S. Department of Defense set up their first bug bounty programs. Valuable knowledge can be gained by reading her blog at Luta Security, the company she founded. She's also very active on X, where she's garnered more than 116,000 followers.
Hackers, breaches, shadow government activity, hacktivism, and cybercrime are the subjects covered by Rhysider in his Darknet Diaries podcast. Episodes cover a range of subjects including the history of hacking and cybercrime, types of malware and how they work, and the dark web and how it is used for illegal activities, as well as stories about real-life hackers and cybercriminals and the latest trends in cybersecurity. In addition to his podcast, Rhysider is active on X and Discord. His website also has some cool T-shirts based on edgy original art created for his podcasts.
When She Can't Hack the Lock, She Hacks the Security Guard🎙Darknet Diaries Ep. 90: Jenny https://t.co/Hu5oWMnpRi— Jack Rhysider 🏴☠️ (@JackRhysider) August 25, 2023
Application security and threat modeling are Romeo's forte, but he's had many roles over his long career, including trusted product evaluator, senior security consultant, penetration tester, director of incident response, chief security advocate at Cisco, and startup CEO at Security Journey. Currently, he is managing general partner at Kerr Ventures, a cybersecurity startup investment and advisory firm. He also hosts or shares hosting duties for the Threat Modeling podcast, the Application Security podcast, and the Security Table podcast. In addition to his podcast activity, Romeo pens the Reasonable Application Security newsletter.
Shema, along with John Kinsella and Akira Brand, hosts the Application Security Weekly podcast sponsored by SC Magazine. The podcast delivers interviews and news about app sec, DevOps, DevSecOps, and all the ways software flaws can be found and fixed. Recent episodes include "Security in a Cloud Native World & Mobile App Attacks," "Pointers and Perils for Presentations," "You've Got Appsec, But Do You Have Archsec?," "Identity and Verifiable Credentials in Cars," and "Navigating the Complexities of Development to Create Secure APIs."
As an active member of the security community (he's on the Black Hat review board and an emeritus member of the CVE advisory board) and an author (he wrote Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars, and co-wrote The New School of Information Security), Shostack brings some impressive credentials and valuable insights to his Shostack + Associates blog. Recent entries include "Threat Modeling and Secure by Design," "Valorizing Rule Breaking," and "Microsoft Can Fix Ransomware Tomorrow."
The mysterious smelly_vx is the guardian of vx-underground.org, the largest collection of malware source code, samples, and papers on the Internet. Smelly describes himself as in his early 30s, married, and a dog owner. Judging from his tweets at the vx-underground X account, he also has a sense of humor. The latest activity at the vx-underground website—addition of malware samples and new papers—as well as hacker news can also be found at the X account, which has more than 224,000 followers.
Stepanyan is an application security architect and leader of OWASP's London chapter. In addition to posting OWASP news and notices on his X and Mastodon accounts, Stepanyan riffs about data breaches, zero-day vulnerabilities, open-source licensing and other concerns of app sec practitioners.
Cybersecurity has been in Wysopal’s blood for a long time. He was one of the original vulnerability researchers at the L0pht, a 1990s hacker think tank, where he was one of the first to publicize the risks of insecure software. He co-founded Veracode, which pioneered the concept of using automated static binary analysis to discover vulnerabilities in software, where he's now CTO. A well-known security expert, he's testified before Congress and has been interviewed by numerous publications and TV networks. He's active on LinkedIn, X, and Mastodon.
What do you have to gain?
Staying on top of the rapidly evolving field of application security requires dedication and diligent effort. Following respected leaders in the app sec community through their blogs, newsletters, podcasts, and social media is a good way to keep up with the latest threats, tools, and best practices. The diverse group of experts highlighted here represent valuable sources of insight covering a wide range of topics from software composition analysis to threat modeling to vulnerability disclosure.
Whether you're just starting out in application security or are an experienced practitioner looking to expand your knowledge, subscribing to a select set of app sec thought leaders will ensure that you have access to breaking news and innovative thinking in the field. Making an effort to regularly consume their commentary and advice will pay dividends in helping you master today's threats and prepare for tomorrow's.