Building Security Programs That Actually Scale – with Bonnie Viteri | Secrets of AppSec Champions 🎙️

Building Security Programs That Actually Scale – with Bonnie Viteri | Secrets of AppSec Champions 🎙️

Building great security programs takes more than checklists and best practices—it takes vision, collaboration, and adaptability. In this episode, Bonnie Viteri, Principal Technical Security Engineer at Yahoo, shares how to build scalable, resilient programs that evolve, survive leadership turnover, and actually provide value to the business. 🔔 Subscribe for more practical AppSec insights: https://www.youtube.com/channel/UCLgzXoXJ-TGO-y7Eh9quDUQ?sub_confirmation=1 Chapters: 00:00 – Start with the End: Vision-Driven Program Design 01:08 – Meet Bonnie Viteri: From Behavioral Psychology to Cybersecurity 02:10 – Foundation First: Mission, Vision, and Cross-Team Buy-In 04:07 – Designing Security Documents with Developers, Not for Them 06:00 – Metrics, Failure, and the Power of Feedback Loops 08:25 – People, Process, or Tech? Defining the Program Purpose 09:31 – Five-Year Plans and Building for Scale 12:26 – Implementation: Ownership, Handoffs, and Real-World Use 14:15 – Documentation That Survives Team Turnover 16:51 – Centralizing Knowledge and Making It Discoverable 18:30 – Program Optimization Through Onboarding and Culture 20:48 – Keeping Programs Alive via Security Champions & Internal Comms 22:25 – Case Study: API Security Documentation That Worked 25:19 – Reporting Program Value in Business Language 27:03 – Best Advice: "Your Fire Isn’t My Fire" 29:11 – Worst Advice: “You’d Be Bored as a Manager” 29:58 – Final Thoughts: Build, Fail Fast, Pivot Smarter What You’ll Learn: - How to build and scale a security program across teams - Why collaboration and early buy-in matter - Strategies for long-term documentation and program handoff - How to connect program value to business language and executive metrics - Real-world case study of API security success at scale 📺 Watch Next: ▶️ Secrets of AppSec Champions Podcast: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7 ▶️ Our Customers’ Success Stories & Reviews: https://youtube.com/playlist?list=PLR-uH0PJFszHDC0p6CBEvccqx1uNx8fpT&si=SUI6d31ResR51434 ▶️ OWASP Top 10 LLM is Dead: Here's Why: https://youtu.be/Wet1tkt1eAw?si=NTUef42qt1WzcHbn ▶️ Mend.io Product Overview Demo: https://youtu.be/HfZ3uK-Eg5c ▶️ The Truth Behind Successful Security Operations Centers (SOC): https://youtu.be/XMlrxoIJVXg 🌐 Connect with Us: 🔗 Website: https://www.mend.io 🐦 Twitter: https://twitter.com/mend_io 📘 Facebook: https://www.facebook.com/mendappsec 💼 LinkedIn: https://www.linkedin.com/company/2440656 📜 Disclaimer: This video is for educational purposes only. Mend.io is not responsible for any security decisions made based on this content. #appsecurity #cybersecurity #cybersecurityexperts  Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world’s most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io, the Mend.io blog, and Mend.io on LinkedIn and Twitter.

Risk Mitigation and Cybersecurity Strategy with Samuel Brown | Secrets of AppSec Champions Podcast🎙️

As cyber threats evolve, so must the strategies to prevent them. In this episode, Samuel Brown—CEO of PacketX and retired U.S. Army CW4—shares mission-critical insights on risk mitigation, layered security, and why backups and plans on paper aren't enough. From ransomware recovery to real-world network defense, this conversation is packed with hard-earned lessons for AppSec professionals and business leaders alike. 🔔 Subscribe for real-world insights and actionable AppSec stories: https://www.youtube.com/channel/UCLgzXoXJ-TGO-y7Eh9quDUQ?sub_confirmation=1 Chapters: 00:00 – What Real Risk Mitigation Requires 00:55 – Meet Samuel Brown: CEO of PacketX & U.S. Army Veteran 02:43 – Risk Identification, Tiering, and Business Impact 04:28 – Ransomware Lessons: Why Tested Backups Matter 07:01 – Data vs. Devices: Smart Prioritization Decisions 08:13 – Ransomware Response: Steps to Contain and Recover 09:44 – Real-World Example: Website Compromise and Layered Security 11:14 – MFA and Role-Based Access: Core to Risk Reduction 13:47 – CAC Cards & Military Insights on Access Control 16:44 – Firewalls, Segmentation & Vendor Diversity 20:42 – Patch Management: Fixing Without Rebreaking 23:58 – Least Privilege: Why Admin Rights Are Dangerous 26:33 – Why Small Businesses Are Easy Targets 28:27 – Simple Risk Monitoring Tips for Any Company 30:43 – Best & Worst Advice in Cybersecurity 32:47 – Closing Thoughts & Call to Subscribe What You’ll Learn: - How to build a real, tested risk mitigation plan - Why backups fail without proper testing - Critical layers of defense: from firewalls to user training - How military cybersecurity practices apply to private business - The one mindset that can prevent massive breaches 📺 Watch Next: ▶️ Secrets of AppSec Champions Podcast: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7 ▶️ Our Customers’ Success Stories & Reviews: https://youtube.com/playlist?list=PLR-uH0PJFszHDC0p6CBEvccqx1uNx8fpT&si=SUI6d31ResR51434 ▶️ OWASP Top 10 LLM is Dead: Here's Why: https://youtu.be/Wet1tkt1eAw?si=NTUef42qt1WzcHbn ▶️ Mend.io Product Overview Demo: https://youtu.be/HfZ3uK-Eg5c ▶️ The Truth Behind Successful Security Operations Centers (SOC): https://youtu.be/XMlrxoIJVXg 🌐 Connect with Us: 🔗 Website: https://www.mend.io 🐦 Twitter: https://twitter.com/mend_io 📘 Facebook: https://www.facebook.com/mendappsec 💼 LinkedIn: https://www.linkedin.com/company/2440656 📜 Disclaimer: This video is for educational purposes only. Mend.io is not responsible for any security decisions made based on this content. #Cybersecurity #RiskMitigation #AppSec #Infosec Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development - using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world’s most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io, the Mend.io blog, and Mend.io on LinkedIn and Twitter.

From Developer to Cybersecurity Without Certs – Ed Urbasius' Story | Secrets of AppSec Champions 🎙️

As the cybersecurity industry grows, more professionals are breaking into security from nontraditional backgrounds. In this episode, Edvinous Urbasius, a former developer turned cybersecurity consultant, shares his unfiltered story of how he got into the field without certifications—and what he learned on the job in a SOC. 🔔 Subscribe for real-world insights and actionable AppSec stories: https://www.youtube.com/channel/UCLgzXoXJ-TGO-y7Eh9quDUQ?sub_confirmation=1 Chapters: 00:00 You Don’t Need Certifications to Start in Cybersecurity 00:56 Meet Edvinas: His Journey from Developer to Cybersecurity 03:50 The Cyber Attack That Sparked His Career Shift 07:01 Lessons Learned from Phishing Attacks and System Failures 11:02 Inside the SOC: Learning Logs, Alerts, and Triage on the Job 15:12 How Curiosity and Google Became His Cyber Tools 20:52 AI, Critical Thinking & Real-World Threat Detection 24:09 Peer Mentorship and Growing Through Collaboration 26:49 Why Coding Experience Helps in Cybersecurity Roles 31:49 Final Advice: Be So Good They Can’t Ignore You What You’ll Learn: - How to enter cybersecurity without a degree or certifications - What working in a SOC actually looks like - Why developer skills are a hidden advantage in security - The power of curiosity, Google, and collaboration in learning fast 📺 Watch Next: ▶️ Secrets of AppSec Champions Podcast: https://www.youtube.com/playlist?list=PLR-uH0PJFszFcbMJ29AfAcWIJAPbBJaC7 ▶️ Our Customers’ Success Stories & Reviews: https://youtube.com/playlist?list=PLR-uH0PJFszHDC0p6CBEvccqx1uNx8fpT&si=SUI6d31ResR51434 ▶️ OWASP Top 10 LLM is Dead: Here's Why: https://youtu.be/Wet1tkt1eAw?si=NTUef42qt1WzcHbn ▶️ Mend.io Product Overview Demo: https://youtu.be/HfZ3uK-Eg5c ▶️ The Truth Behind Successful Security Operations Centers (SOC): https://youtu.be/XMlrxoIJVXg 🌐 Connect with Us: 🔗 Website: https://www.mend.io 🐦 Twitter: https://twitter.com/mend_io 📘 Facebook: https://www.facebook.com/mendappsec 💼 LinkedIn: https://www.linkedin.com/company/2440656 📜 Disclaimer: This video is for educational purposes only. Mend.io is not responsible for any security decisions made based on this content. #CyberSecurityCareers #SOCAnalyst #AppSec #Infosec #DeveloperToCybersecurity #SecretsOfAppSecChampions

The Truth Behind Successful Security Operations Centers (SOC)

In this eye-opening episode, Reanna Schultz, an experienced Security Operations Center (SOC) team leader, pulls back the curtain on what makes a modern SOC truly effective. Drawing from her six-year journey through various cybersecurity roles, she reveals how SOCs serve as an organization's first line of defense against cyber threats.  The discussion covers essential insights on building a SOC from scratch, the value of managed security service providers (MSSPs), and how AI is reshaping the threat landscape. Schultz emphasizes that successful SOCs aren't just about technical capabilities – they're about building transparent communication, fostering the right team culture, and maintaining strong relationships across the organization.  Whether you're working in a smaller company considering your first SOC or an enterprise looking to enhance your security operations, this episode provides practical insights on evolving your security posture for 2025 and beyond. Key topics with timestamps:  00:00 Reanna Schultz: Leading Expertise in Security Operations    06:29 Evaluating Security Alerts and Tribal Knowledge    07:33 Identifying Security Gaps with the Pyramid of Pain    13:23 Splunk: Central Big Data Platform for Security Analysis    14:48 Detecting Compromises Through Network Traffic Visibility    20:19 Enhancing Security: Utilizing Both MSSP and SOC    21:06 Affordable Security Solutions: Exploring the MSSP Route    26:31 Balancing Passion with Career Advancement Challenges    30:35 Leading Effectively by Cultivating Passion and Growth    32:21 Integrating Passions: Enhancing Cybersecurity Collaboration

Supply Chain Security with Cassie Crossley

In Episode 11 of Secrets of AppSec Champions, Chris Lindsey and Cassie Crossley delve into the intricate world of supply chain security. Cassie Crossley, Vice President of Supply Chain Security at Schneider Electric, brings her extensive experience in software development and security to the fore, emphasizing the importance of following secure development practices. She advocates for the separation of build and development environments to avoid outdated methods and stresses the significance of modern frameworks like Google's Salsa platform and the NIST Secure Software Development Framework (SSDF), despite its lack of certification measures. Crossley also discusses the unique challenges of maintaining provenance for older software, especially open-source projects, and highlights the crucial role of developer education in preventing vulnerabilities introduced by unverified code snippets.   Chris Lindsey raises pertinent concerns about access control complexities within production environments and underscores the need for rigorous security measures to ensure the integrity of devices and software. The conversation shifts to the potential threats posed by AI, with both speakers stressing the importance of embedding security into AI-generated code from the outset. They explore global supply chain security issues, referencing Cisco’s audits and the effectiveness of zero-trust policies. Crossley also addresses the impact of legislative measures like California's connected devices law on both consumer and industrial devices, and how cybersecurity practices have evolved since the 80s and 90s.   The episode wraps up on a personal note, with Crossley sharing her views on career growth and the importance of pursuing roles that bring personal fulfillment. She advocates for exploring opportunities within the same organization to foster both personal and professional development without losing accumulated knowledge and experience. This episode offers listeners a comprehensive overview of supply chain security, blending high-level frameworks with practical challenges, and provides valuable insights into both the technical and human aspects of the field. Key topics with timestamps:  1. Understanding Supply Chain Security and Modern Software Practices with Cassie Crossley    2. Securing Software Development: From Google Salsa to NIST SSDF Standards    3. Protecting Supply Chains: Challenges and Solutions in a Digital World    4. Cassie Crossley on Cybersecurity Challenges in Modern Supply Chains    5. The Role of AI and Secure Development in Supply Chain Integrity    6. Ensuring Safe Software: Best Practices and Emerging Threats    7. Access Control, Zero Trust, and Supply Chain Security Insights    8. Cassie Crossley Discusses Securing Legacy Systems and Modern Software    9. From AI to Software Certification: Enhancing Cybersecurity Practices    10. Navigating the Complexities of Supply Chain Security and Software Updates For more amazing application security information, please visit the following LinkedIn communities: https://www.linkedin.com/company/appsec-hive Provided by Mend.io  (https://mend.io)