Attacks on the application layer can be the hardest to defend against. User input scenarios for your apps can be difficult to identify with intrusion detection signatures. On top of that, the layer is the most accessible and exposed to the Internet. It's a recipe for trouble.
That's why application security soldiers need to stay on top of what's happening in their field. Here's our updated list of 25 top pros whose Twitter feeds can help anyone who is interested in following the top trends for keeping their applications safe and their companies more cyber resilient.
Katy Anton
Lead security architect, JPMorgan Chase & Co.
Anton works with software architects, software developers, and security teams around the world and advises them about securing their software. She's also one of the leaders on the OWASP Top Ten Proactive Controls Project and an international speaker on topics related to application security at both developer and security conferences.
Kurt Baumgartner
Principal security researcher, Kaspersky Lab's Global Research and Analysis Team
Baumgartner monitors malware across the Americas. His specialties include reversing and analyzing known and unknown malware and identifying unique behaviors and static characteristics. In addition to tweeting, he blogs.
Michael Coates
Co-founder and CEO, Altitude Networks
In addition to his day job, Coates is an advisory board member of the Millennium Alliance, a networking and education group made up of industry leaders and visionaries. He is also the former head of security at Mozilla and Twitter, as well as a past chairman of the global board of directors at OWASP.
Josh Corman
Senior adviser and visiting researcher, the Cybersecurity and Infrastructure Security Agency
Corman co-founded I Am The Cavalry, a global grass-roots organization. It's focused on the intersection of computer security, public safety, and human life, concentrating on medical devices, automobiles, home electronics, and public infrastructure.
Dan Cornell
CTO, the Denim Group
Cornell is a globally recognized expert in application security. He leads the team at the Denim Group that helps Fortune 500 companies and government organizations integrate security throughout the development process. He offers his followers insightful advice and tips about the latest app sec research coming from his company.
Dino A. Dai Zovi
Head of security, Cash App
Dai Zovi co-founded Capsule 8, a real-time, zero-day attack detection platform, and co-wrote several books, including The iOS Hacker's Handbook, The Mac Hacker’s Handbook, and The Art of Software Security Testing. He's also a regular speaker at security conferences, including Black Hat and Defcon.
Mark Dowd
Director, L3 Trenchant
L3 Trenchant is owned by defense contractor L3 Technologies. Over Dowd's 10 years in application security, he has worked at IBM's Internet Security Systems (ISS) X-Force and as a principal security architect for McAfee.
Tom Eston
Application security practice director, Bishop Fox
Eston's employer is a professional services firm focused on offensive security testing. Easton frequently speaks at user groups, businesses, and worldwide conferences including SANS, OWASP AppSec, ShmooCon, DEFCON, Black Hat USA, Black Hat Abu Dhabi, InfoSec World, Notacon, DerbyCon, and ISSA summits. He is also the founder and co-host of the Shared Security Show, a podcast that includes news, tips, advice, and interviews with cybersecurity and privacy experts.
Mark Goodwin
Application security specialist, Matillion
Formerly with Mozilla, Goodwin is a developer turned information security specialist. His specialties include web application security, ethical hacking, penetration testing, and application security.
Robert Graham
CEO, Errata Security
Graham's accomplishments include creating the first intrusion prevention system, the BlackICE series of products, sidejacking, and masscan. A frequent speaker at security conferences, he has strong opinions—he refers to himself as a "provocateur"—and his Twitter feed reflects that.
Jeremiah Grossman
CEO, Bit Discovery
Grossman's resume includes information security officer at Yahoo and founder, in 2001, of WhiteHat Security. As a researcher, he has demonstrated ways to surreptitiously turn on anyone's computer video camera and microphone from anywhere across the Internet, and how to sidestep corporate firewalls, abuse online advertising networks to take any website offline, hijack the email and bank accounts of millions, and silently rip out saved passwords and surfing histories from any web browser.
Ben Hawkes
Team lead, Google's Project Zero
Hawkes is a founding member of the team created to find zero-day vulnerabilities in software. He has discovered dozens of serious vulnerabilities in a variety of software platforms and regularly presents and publishes research focused on vulnerability analysis and software exploitation.
Tanya Janca
Founder, We Hack Purple
Janca is the author of Alice and Bob Learn Application Security. Her primary passion is We Hack Purple, an online learning academy, community, and weekly podcast that revolves around teaching everyone to create secure software. She has been coding and working in IT for more than 20 years and has delivered hundreds of talks and training sessions on six continents.
Ashar Javed
Pentester, Hyundai AutoEver Europe
In addition to penetration testing, Javed performs source code reviews and mobile application vulnerability assessments. He works with developers and third-party vendors to eliminate web vulnerabilities in their applications. He's frequently invited to speak at conferences such as Black Hat, Hack in the Box, and RSA, and is the author of the Respect XSS blog.
Dan Kennedy
Research director, information security and networking, the 451 Group
Kennedy offers coverage and insights about the application security space and spends most of his days talking to CISOs. His tweets focus on top-line application security issues.
Mohit Kumar
Founder and CEO, Hacker News
Kumar's online publication attracts more than 10 million readers every month. He is also founder and organizer of the Hackers Conference, which brings together leaders in the information security industry and the cyber community, along with policymakers and government representatives, to address topical cybersecurity issues. Many of his tweets are touts for HN stories, but he also mixes in retweets about application security from other sources.
Malik Mesellem
CEO, MME
Mesellem is an independent security auditor, penetration tester, and ethical hacker, and has given master classes, lectures and workshops at conferences and at several institutions. He's also the creator of #bWAPP, an intentionally buggy open-source web application. It was designed to be insecure as an educational tool for security enthusiasts, developers, and students who want to learn about preventing web vulnerabilities.
Gary McGraw
Co-founder, the Berryville Institute of Machine Learning
McGraw has written 12 books, including Software Security: Building Security In. At Berryville, his focus is on security engineering of machine-learning solutions. His Silver Bullet Security podcast, which features in-depth interviews with security experts, reaches 13,000 listeners every month. When he's not tweeting or podcasting about security, McGraw plays the fiddle and mandolin with local bands.
Katie Moussouris
Founder and CEO, Luta Security
Moussouris' company helps businesses and governments work with hackers to defend themselves from digital attacks. She's a well-known authority on bug bounty programs and helped Microsoft and the US Department of Defense start their first programs. She is also founder of the Pay Equity Now Foundation, which seeks to inspire and support efforts to close the gender and racial pay gaps.
Chris Romeo
CEO and founder, Security Journey
Romeo's firm provides application security training and helps companies create their own security cultures. He previously worked as chief security advocate in charge of Cisco's Secure Development Lifecycle program, where he encouraged engineers to build security into all products. He is also co-host of the Application Security Podcast, which talks with some of the world's leading application security experts to reveal the tools, tactics, projects, and tricks that make them successful.
Parisa Tabriz
Head of product engineering and UX, Google Chrome
Tabriz is the "browser boss" and "security princess" for Chrome. During the Obama administration, she worked for the US Digital Service, where she advised the Executive Office of the President on best practices to enhance network and software security.
Johannes Ullrich
Director, the SANS Internet Storm Center
The SANS Internet Storm Center is used by more than 10,000 network security professionals daily. Ullrich is also dean of research at the SANS Technology Institute and teaches courses at the SANS Institute. His offerings include SEC503 Intrusion Detection in Depth, IPv6 Security Essentials, and Defending Web Applications.
Mike West
Software engineer, Google Chrome
West describes himself as a philosophy student cleverly disguised as a successful web developer. At the moment, he has traded Kant for his Google job on a team in Munich. Many of his tweets focus on web application security.
Robin Wood
Freelance security consultant
Wood specializes in web app testing. He comes from a developer's background, which can be a plus when explaining security problems in apps to the people who made them. He's also co-founder of the SteelCon conference and an associate lecturer at Sheffield Hallam University in the UK. He likes to mix a little whimsy into his Twitter feed.
Chris Wysopal
CTO and co-founder, Veracode
A former programmer at Lotus and later a security researcher at the hacker collective L0pht, Wysopal was part of a team that warned Congress about gaping Internet vulnerabilities as far back as 1998. A self-professed application security and security-transparency buff, Wysopal's tweets are newsy and cover a wide range of security-related topics.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
