Do app sec like a boss: The top 25 pros to follow

John P. Mello Jr. Freelance writer

Attacks on the application layer can be the hardest to defend against. Malicious user input to your apps is difficult to distinguish from legitimate traffic with intrusion detection signatures. On top of that, the application layer is the most accessible part of the stack and the most exposed to the Internet. It's a recipe for trouble.

That's why application security soldiers need to stay on top of what's happening in their field. Here's our updated list of 25 top pros whose Twitter feeds can help anyone who is interested in following the top trends for keeping their applications safe and their companies more cyber resilient.

Katy Anton

Lead security architect, JPMorgan Chase & Co.


Anton works with software architects, software developers, and security teams around the world and advises them about securing their software. She's also one of the leaders on the OWASP Top Ten Proactive Controls Project and an international speaker on topics related to application security at both developer and security conferences.

Kurt Baumgartner

Principal security researcher, Kaspersky Lab's Global Research and Analysis Team


Baumgartner monitors malware across the Americas. His specialties include reversing and analyzing known and unknown malware and identifying unique behaviors and static characteristics. In addition to tweeting, he blogs.

Michael Coates

Co-founder and CEO, Altitude Networks


In addition to his day job, Coates is an advisory board member of the Millennium Alliance, a networking and education group made up of industry leaders and visionaries. He is also the former head of security at Mozilla and Twitter, as well as a past chairman of the global board of directors at OWASP.

Josh Corman

Senior adviser and visiting researcher, the Cybersecurity and Infrastructure Security Agency


Corman co-founded I Am The Cavalry, a global grass-roots organization. It's focused on the intersection of computer security, public safety, and human life, concentrating on medical devices, automobiles, home electronics, and public infrastructure.

Dan Cornell

CTO, the Denim Group


Cornell is a globally recognized expert in application security. He leads the team at the Denim Group that helps Fortune 500 companies and government organizations integrate security throughout the development process. He offers his followers insightful advice and tips about the latest app sec research coming from his company.

Dino A. Dai Zovi

Head of security, Cash App


Dai Zovi co-founded Capsule 8, a real-time, zero-day attack detection platform, and co-wrote several books, including The iOS Hacker's Handbook, The Mac Hacker's Handbook, and The Art of Software Security Testing. He's also a regular speaker at security conferences, including Black Hat and Defcon.

Mark Dowd

Director, L3 Trenchant


L3 Trenchant is owned by defense contractor L3 Technologies. Over Dowd's 10 years in application security, he has worked at IBM's Internet Security Systems (ISS) X-Force and as a principal security architect for McAfee.

Tom Eston

Application security practice director, Bishop Fox


Eston's employer is a professional services firm focused on offensive security testing. Eston frequently speaks at user groups, businesses, and worldwide conferences including SANS, OWASP AppSec, ShmooCon, DEFCON, Black Hat USA, Black Hat Abu Dhabi, InfoSec World, Notacon, DerbyCon, and ISSA summits. He is also the founder and co-host of the Shared Security Show, a podcast that includes news, tips, advice, and interviews with cybersecurity and privacy experts.

Mark Goodwin

Application security specialist, Matillion


Formerly with Mozilla, Goodwin is a developer turned information security specialist. His specialties include web application security, ethical hacking, penetration testing, and application security.

Robert Graham

CEO, Errata Security


Graham's accomplishments include creating the first intrusion prevention system, the BlackICE series of products, sidejacking, and masscan. A frequent speaker at security conferences, he has strong opinions—he refers to himself as a "provocateur"—and his Twitter feed reflects that.

Jeremiah Grossman

CEO, Bit Discovery


Grossman's resume includes information security officer at Yahoo and founder, in 2001, of WhiteHat Security. As a researcher, he has demonstrated ways to surreptitiously turn on anyone's computer video camera and microphone from anywhere across the Internet, and how to sidestep corporate firewalls, abuse online advertising networks to take any website offline, hijack the email and bank accounts of millions, and silently rip out saved passwords and surfing histories from any web browser.

Ben Hawkes

Team lead, Google's Project Zero


Hawkes is a founding member of the team created to find zero-day vulnerabilities in software. He has discovered dozens of serious vulnerabilities in a variety of software platforms and regularly presents and publishes research focused on vulnerability analysis and software exploitation.

Tanya Janca

Founder, We Hack Purple


Janca is the author of Alice and Bob Learn Application Security. Her primary passion is We Hack Purple, an online learning academy, community, and weekly podcast that revolves around teaching everyone to create secure software. She has been coding and working in IT for more than 20 years and has delivered hundreds of talks and training sessions on six continents.

Ashar Javed

Pentester, Hyundai AutoEver Europe


In addition to penetration testing, Javed performs source code reviews and mobile application vulnerability assessments. He works with developers and third-party vendors to eliminate web vulnerabilities in their applications. He's frequently invited to speak at conferences such as Black Hat, Hack in the Box, and RSA, and is the author of the Respect XSS blog.

Dan Kennedy

Research director, information security and networking, the 451 Group


Kennedy offers coverage and insights about the application security space and spends most of his days talking to CISOs. His tweets focus on top-line application security issues.

Mohit Kumar

Founder and CEO, Hacker News


Kumar's online publication attracts more than 10 million readers every month. He is also founder and organizer of the Hackers Conference, which brings together leaders in the information security industry and the cyber community, along with policymakers and government representatives, to address topical cybersecurity issues. Many of his tweets are touts for HN stories, but he also mixes in retweets about application security from other sources.

Malik Mesellem



Mesellem is an independent security auditor, penetration tester, and ethical hacker, and has given master classes, lectures and workshops at conferences and at several institutions. He's also the creator of #bWAPP, an intentionally buggy open-source web application. It was designed to be insecure as an educational tool for security enthusiasts, developers, and students who want to learn about preventing web vulnerabilities.

Gary McGraw

Co-founder, the Berryville Institute of Machine Learning


McGraw has written 12 books, including Software Security: Building Security In. At Berryville, his focus is on security engineering of machine-learning solutions. His Silver Bullet Security podcast, which features in-depth interviews with security experts, reaches 13,000 listeners every month. When he's not tweeting or podcasting about security, McGraw plays the fiddle and mandolin with local bands.

Katie Moussouris

Founder and CEO, Luta Security


Moussouris' company helps businesses and governments work with hackers to defend themselves from digital attacks. She's a well-known authority on bug bounty programs and helped Microsoft and the US Department of Defense start their first programs. She is also founder of the Pay Equity Now Foundation, which seeks to inspire and support efforts to close the gender and racial pay gaps.

Chris Romeo

CEO and founder, Security Journey


Romeo's firm provides application security training and helps companies create their own security cultures. He previously worked as chief security advocate in charge of Cisco's Secure Development Lifecycle program, where he encouraged engineers to build security into all products. He is also co-host of the Application Security Podcast, which talks with some of the world's leading application security experts to reveal the tools, tactics, projects, and tricks that make them successful.

Parisa Tabriz

Head of product engineering and UX, Google Chrome


Tabriz is the "browser boss" and "security princess" for Chrome. During the Obama administration, she worked for the US Digital Service, where she advised the Executive Office of the President on best practices to enhance network and software security.

Johannes Ullrich

Director, the SANS Internet Storm Center


The SANS Internet Storm Center is used by more than 10,000 network security professionals daily. Ullrich is also dean of research at the SANS Technology Institute and teaches courses at the SANS Institute. His offerings include SEC503 Intrusion Detection in Depth, IPv6 Security Essentials, and Defending Web Applications.

Mike West

Software engineer, Google Chrome


West describes himself as a philosophy student cleverly disguised as a successful web developer. At the moment, he has traded Kant for his Google job on a team in Munich. Many of his tweets focus on web application security.

Robin Wood

Freelance security consultant


Wood specializes in web app testing. He comes from a developer's background, which can be a plus when explaining security problems in apps to the people who made them. He's also co-founder of the SteelCon conference and an associate lecturer at Sheffield Hallam University in the UK. He likes to mix a little whimsy into his Twitter feed.

Chris Wysopal

CTO and co-founder, Veracode


A former programmer at Lotus and later a security researcher at the hacker collective L0pht, Wysopal was part of a team that warned Congress about gaping Internet vulnerabilities as far back as 1998. A self-professed application security and security-transparency buff, Wysopal's tweets are newsy and cover a wide range of security-related topics.
