What if your AppSec program could be both deeply technical and deeply human? In this On Location episode from OWASP Global AppSec EU 2025 Conference, Spyros Gasteratos shares how automation, open-source tools, and community collaboration can unify fragmented efforts and turn security into a strategic advantage, not a bottleneck.
During the upcoming OWASP Global AppSec EU in Barcelona, Sean Martin sits down with Spyros Gasteratos, long-time OWASP contributor and co-founder of Smithy, to explore how automation, collaboration, and community resources are shaping the future of application security. Spyros shares the foundation of his talk at OWASP Global AppSec: building a DevSecOps program from scratch using existing community tools—blending technical guidance with a celebration of open-source achievements.
Spyros emphasizes that true progress in security stems not from an ever-growing stack of tools, but from aligning the humans behind them. According to him, security failures often stem from fragmented information and misaligned incentives across teams. His solution? Bring the teams together with a shared, streamlined flow of information and automate wherever possible to reduce wasted cycles and miscommunication.
At the core of Spyros’ philosophy is the need to turn AppSec from a blocker into a builder. Rather than overwhelming developers with endless bug reports, or security leaders with red dashboards, programs need to reflect the actual risk appetite of the business—prioritizing issues dynamically based on impact, timing, and operational goals. He challenges the one-size-fits-all approach, advocating instead for tagging systems that defer certain risks and encode organizational priorities in automation logic.
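One way to make "encode organizational priorities in automation logic" concrete is a small triage step that sits between a scanner and the ticketing system. The example below is added here for illustration; it is not code from the episode, from Smithy, or from any OWASP project. The finding fields, the `AssetPolicy` shape, the asset names and the dates are all constructed for the example. Each asset carries a policy tag: a minimum severity below which findings are held back, and an optional "defer until" date that parks everything except criticals while a team ships a commitment. Criticals always surface, so a business-driven deferral never hides the worst findings.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Ordered severity scale used to compare findings against a policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    id: str
    asset: str
    severity: str
    title: str


@dataclass
class AssetPolicy:
    # Findings below this severity are held back instead of being pushed to developers.
    min_severity: str = "medium"
    # Optional deferral: non-critical findings are parked until this date.
    defer_until: Optional[date] = None
    # Why the deferral exists, so the decision is auditable later.
    reason: str = ""


def triage(findings, policies, today, default=None):
    """Split findings into surface / deferred / suppressed using per-asset policy tags.

    Assets without an explicit policy fall back to `default` (or AssetPolicy()).
    Critical findings are never deferred, only ever surfaced.
    """
    default = default or AssetPolicy()
    result = {"surface": [], "deferred": [], "suppressed": []}
    for f in findings:
        policy = policies.get(f.asset, default)
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[policy.min_severity]:
            result["suppressed"].append(f)
        elif (policy.defer_until is not None
              and today < policy.defer_until
              and f.severity != "critical"):
            result["deferred"].append(f)
        else:
            result["surface"].append(f)
    return result


# Constructed sample input: what an ASPM export might look like after normalisation.
SAMPLE_FINDINGS = [
    Finding("F1", "checkout", "critical", "SQL injection in order lookup"),
    Finding("F2", "checkout", "high", "Outdated TLS library"),
    Finding("F3", "checkout", "low", "Verbose server banner"),
    Finding("F4", "internal-tool", "high", "Missing CSRF token"),
    Finding("F5", "internal-tool", "medium", "Weak password policy"),
]

# Constructed policy tags: checkout is frozen for a customer commitment until 1 Sept,
# the internal tool only wants high+ findings in its queue.
POLICIES = {
    "checkout": AssetPolicy(defer_until=date(2025, 9, 1),
                            reason="Q3 customer commitment, revisit after launch"),
    "internal-tool": AssetPolicy(min_severity="high"),
}


def run_sample(today_iso):
    """Run triage on the sample data for a given ISO date; returns finding ids per bucket."""
    today = date.fromisoformat(today_iso)
    buckets = triage(SAMPLE_FINDINGS, POLICIES, today)
    return {k: [f.id for f in v] for k, v in buckets.items()}


if __name__ == "__main__":
    for day in ("2025-06-01", "2025-09-02"):
        print(day, run_sample(day))
```

Running it on 1 June 2025 surfaces only the critical on `checkout` and the high on `internal-tool`; the high on `checkout` is parked with its reason attached, and the two below-threshold findings are suppressed. Rerun on 2 September and the deferred finding comes back on its own, which is the "show it to me in three months" behaviour without anyone having to remember to lift the tag.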
A major part of that transformation lies in Smithy, the platform he’s helping build. It’s designed to be “Zapier for security”—an automation engine rooted in open-source standards that allows for custom workflows without creating a tangle of fragile scripts. The idea is to let teams focus on what’s unique to them, while relying on battle-tested components for the rest.
Looking ahead, Spyros doesn’t buy into the doom-and-gloom narrative about AI limiting developer creativity. On the contrary, he argues that AI-enabled coding frees up cognitive space for better architecture and secure design thinking. In his view, creativity doesn’t die—it just shifts from syntax to strategy.
This episode is more than a discussion—it’s a blueprint for how teams can rally around a common goal, and how OWASP’s community can be the catalyst. Tune in to hear how open-source, automation, and human alignment are redefining AppSec from the ground up.
GUEST: Spyros Gasteratos | OpenCRE co-lead and Founder of smithy.security | https://www.linkedin.com/in/spyr/
HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.com
SPONSORS
Manicode Security: https://itspm.ag/manicode-security-7q8i
RESOURCES
Spyros' Session: A completely pluggable DevSecOps programme, for free, using community resources (https://owasp2025globalappseceu.sched.com/event/1whCB/a-completely-pluggable-devsecops-programme-for-free-using-community-resources)
Learn more and catch more stories from OWASP Global AppSec EU 2025 Conference coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spain
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
[00:00:00]
Sean Martin: Hey, look at that Spyros. Hi Sean. It's good to see you. Good to see you too. Here we are. We're in Barcelona. We are. What a great city. It is a great city, right? Yeah. With a great event. What a fantastic event. Great community,
Spyros Gasteratos: OWASP community is the best.
Sean Martin: It is the best. We're not partial,
Spyros Gasteratos: we're not biased.
Sean Martin: We are
Spyros Gasteratos: a hundred percent objective here.
Sean Martin: Exactly. Well, it's good, good to see you. I know you, you, you have a busy week. Um, you're, you have a talk as well?
Spyros Gasteratos: I do,
Sean Martin: yes. Friday early morning. Alright, so give us the title of that and what, uh, what it's about. Just a quick, and then we're gonna dig into some of the, some of the elements there.
Spyros Gasteratos: So the talk is about unifying OWASP execution.
Okay. Uh, so, and that's creating a DevSecOps program from scratch with community resources. It is 50% community celebration of all the awesome stuff we have. Sorry, it is 50% presentation, uh, celebration of all the awesome [00:01:00] stuff we have and 50%, uh, how to a tech very technical guide on how to automate testing, verification, and orchestration of.
Pretty much anything in OWASP and beyond. Right.
Sean Martin: This is really cool, and I think one of the, one of the parts that stuck out to me was this idea of not just bringing tools, but also the teams together, right? Because there's multiple stakeholders and you have to have a common goal. Exactly. And, and an an objective view of how to achieve that.
And, and then obviously a program to, to bring it all together too. So,
Spyros Gasteratos: exactly. I mean, security is all about the humans, right? So. If the humans cannot reach a consensus because their information is fragmented, or their information is presented in a way that leads them down the wrong paths, then there's no point you end up burning cycles, very limited cycles that you have, right.
[00:02:00] Uh, chasing rabbits down the wrong rabbit hole. Mm-hmm.
Sean Martin: So be, before we get into this, I want maybe a, a quick word from you just on who you are, your role within OWASP, what you do on a daily basis as well, just so people know your experiences and what you, what you're up to.
Spyros Gasteratos: So, um, I'm Spyros Gasteratos. I'm, uh, I hail from Greece.
I live in London. I've been doing computer security for the past 18, 19 years. Uh, was a student in university when I started. Um, I've worn many hats over the years. Uh, most of them open source. And I've been with OWASP since the very beginning. I've maintained three projects now, uh, and contributed to a ton of others.
Um, OpenCRE being the largest so far, uh, the world's largest, uh, security knowledge graph. And now it has gotten a bit out of hand and it's [00:03:00] national regulation. Let's, uh. Uh, we celebrate that. Yeah.
Sean Martin: Um, I think I, I am gonna, just a quick side note, I'm gonna be pulling probably, it sounds like, you and Ali and a few others on this whole point of CRE and, and CVE and NVD, the National Vulnerability Database.
Anyway, the vulnerability stuff. Yeah, yeah, yeah. That sounds great. Let's do it. Yeah. So after the event, we'll, we'll have a nice deep conversation there, but anyway.
Spyros Gasteratos: Absolutely. And, um, yeah. Um, lately, uh, professionally. I, um, I co-founded the company to hold, uh, a bunch of open core or open source, uh, security projects that, uh, help our users, uh, automate, uh, their life in AppSec or automate collection and explanation of information.
Um, we call the company Smithy, with open source a very large part of it, uh, and we open source more as we go. [00:04:00] And the goal of Smithy is to be, uh, Zapier for security. So a flexible workflow engine that allows you to automate anything.
Sean Martin: Very cool. I'm a huge fan of Zapier, but Me too.
That's why we made it for security. I used the heck out of it. Um, alright, so let's talk about the stakeholders and what that landscape looks like and have we seen a good progression in organizations really rallying around AppSec, not just. Security and engineering. What, what do you see?
Spyros Gasteratos: Based on a lot of interviews and a lot of constant feedback from the community and the industry, we see that organizations don't really, AppSec becomes kind of the nagging, uh, if not implemented correctly, and, um.
As a result, organizations do not really focus on it. There are very few places where [00:05:00] application security people end up being the team's doctor instead of the police. So instead of nagging you, they help you, uh, create software the proper way, right, with quality and security baked in. But in most of the cases, this doesn't work.
And this is not for the lack of tooling or trying or resources. It's mostly because there is no unified way to disseminate only the right information to all the right people, and you end up either overloading developers with low priority things, or lower priority than the feature of the day, or overloading your boss with, you know, dashboards that are just so red constantly, so they end up with this noise fatigue and do nothing.
Yeah.
Sean Martin: As you're describing that, I'm, so a lot of my history is back in, in, uh, security management, uh, SIEM [00:06:00] space and trying to orchestrate all that and craziness. And what I'm hearing and seeing is a shift to automation. Certainly a shift with AI in the SOC to kind of take away a lot of the noise, take away a lot of the
mundane, burdensome stuff and giving or empowering the analysts, SOC analysts in this case, to actually use their brain and, and be creative in how they investigate and, and, and respond to incidents. So I'm wondering, I was talking to Taka yesterday from Japan and he was kind of saying in, in Japan the engineers are less interested in all the AppSec bugs that come their way.
They're actually shifting to. Um, a place where they want to use their mind to design better software Yep. And create better tooling for the software and leverage automation and other things to So [00:07:00] be creative in their engineering mindset to create something better rather than just plug in bugs every day.
Are you seeing something similar?
Spyros Gasteratos: There is definitely, with the rise of AI-assisted coding. Mm. There is certainly a slowly shifting focus to better design and better architecture because the code can be generated or written faster, right? Um, so this definitely exists. At the same time, due to the same, due to us being in the early stages of that trend, we are not quite there yet, where we can only focus
on design. We really, really need to keep doing bug fixing. Yeah. At the same time, we need to focus on design because that's the future. So because the times, they are changing, right.
Sean Martin: There's always legacy, right?
Spyros Gasteratos: Yeah. Not only [00:08:00] legacy, but this is a new tech, brand new technology. And because it is a brand new technology, it's not well polished, well baked yet.
It's not quite there yet. When it's there, give it like five years or 10, uh. Yes, we can focus all on design and be happy. For now we need to chase bugs. Right.
Sean Martin: And so with yeah. Rooted in your talk and other, other things you're seeing and kind of sticking with the, the multi-stakeholders coming together.
Um, how does the bug landscape change? Because, obviously, the OWASP Top 10 is famous for that. Um, it can be used properly. There are misuses of it, but it's a guide for some organizations. Mm-hmm. Um, I guess what I'm wondering is, are organizations looking at severities and impacts and risk differently, um, as they start to come together [00:09:00] versus just engineering and AppSec kind of tossing stuff back and forth?
So does that view change?
Spyros Gasteratos: Security risk is business risk, and business risk is custom to every organization. So custom to the business, how they operate and what is, that specific quarter or period of time, their appetite for it.
We have an abundance of dashboards that show you your risk or try to calculate your risk now, which is fantastic. Okay, but how do you calculate risk when the qualifications for what is risky keep changing? Right? So if right now I have a team that just needs to ship something to production to make a customer happy, otherwise we lose our biggest account, security risk doesn't matter, right?
Just push it, let's get the [00:10:00] money and then we fix it, right? Which is very common, but then you end up having to ignore, I don't know, thousands of alerts from your ASPM that then suddenly become legacy. If you have the ability to just tag that team, or that specific piece of infrastructure, as "I don't care about it, show it to me in like three months," then you can encode your business risk and your business practices, um, into code much better.
Right.
Sean Martin: So the, the role of automation, um, uh, you can, you can look at automation and one can say it's good as long as you know what you want to, what the outcome should look like, and you have all the stuff ready to achieve that outcome. Automation can help you do that faster with fewer human resources, right?
[00:11:00] Mm-hmm. But if there are, there's a lot of messiness in this, and of course we're talking about a lot of OWASP tools and, and OWASP data sets and things like that. How, how is what you're working on helping to Yeah. Bring consistency and clarity and transparency so that automation can exist? 'cause I think probably a lot of teams struggle with that, right?
A ton
Spyros Gasteratos: of teams struggle with that. However, the struggle is two-tiered. You start from, oh, this sounds easy, let me just write one library for it or one client for, say, DefectDojo, or just use DefectDojo's, um, very well supported, uh, Python client, but then you need, um, to enrich that with a SBS or you need to enrich that with some, and then you write another client or another, and slowly you end up in this, as you said, pile of zigzag written code.
That makes no sense. Meanwhile, if [00:12:00] you have a community based library or framework of resources where you already have all those clients, you just need to put them together in a way that makes sense for you, and they're all well thought of and generic enough and deeply integrated enough into every project.
Suddenly you end up in this scenario where you can, you can customize the things that are custom to you. Right. Meanwhile, all the generic things are well enough made to, uh, not need to be rewritten and to not fail like three weeks down the line.
Sean Martin: So the core of it's there and you can kind of thread unique elements through it or wrap your own stuff around it as well.
Spyros Gasteratos: Not unlike you would do with a sea more resort. Yeah,
Sean Martin: yeah,
Spyros Gasteratos: yeah,
Sean Martin: yeah.
Spyros Gasteratos: Makes sense.
Sean Martin: Um. One thing I wanna ask folks this week, and it's, it's been on my mind, it's [00:13:00] something I've been thinking about for years, but especially now with, uh, a lot of the AI stuff coming to life. Um, I have this view that, especially with, with gen ai, where the models are trained on data that exists already and the output is based on that.
And I don't know how much creativity. It is there to extend what exists, to create something new rather than just repurpose what's already been done. So that my, my view is that we're, we're approaching a point where we make it easy for teams and individual developers to create things for their own purposes using existing stuff, but they're not gonna, they're not gonna be as creative because they're not coding anymore.
They're using AI to code. And they're not gonna know how to be extra creative to create new things. I dunno if I'm making sense here. I, I call it the common denominator [00:14:00] I understand. Of, of coding.
Spyros Gasteratos: I understand. Yeah. But I think I disagree with you on this. Okay. I'm, I'm glad we didn't stop having creative uses of fire when we invented lighters or Okay.
Instead, we had even more creative uses of any technology once we created the shortcut to get to where we want to be. AI is nothing more than yet another tool. It's a shortcut, which we use to translate the abstract thought we have in our mind, and we express in physical language, into specific instructions. Even if AI could produce perfect code, we still need to somehow tell it what to do.
This is the real creativity. So we could say, give me five different clients from 20 different tools, and then correlate that with different resources. But our value as AppSec people [00:15:00] is not in coding, uh, or being able to create yet, like, the millionth Jira client, right. Our value, as application security people, is being able to say, in this specific organization at this specific time,
this is what my AppSec program, this is what I want, and this is how we're gonna get to safer and more secure code, faster, with less risk for the company and less cost. Okay.
Sean Martin: So the future is bright in your mind.
Spyros Gasteratos: So far it has been.
Sean Martin: Why not? Alright, well I'm gonna, I'm gonna go with that and we'll, we'll kind of leave this conversation with that, with that bright moment, I wanna say thank you for joining me.
And I'm, I'm gonna ask a final question and I'm gonna have you, uh, address the camera. Okay. Sounds good. So maybe, so maybe face the camera and talk to the audience here. I want to know, you've been in, in this space for a while now. What does OWASP mean to you? Tell, tell the folks listening
Spyros Gasteratos: to me. [00:16:00] OWASP is the largest and most open security, uh, community of application security experts in the world.
There are people who professionally donate, give their time, to some ridiculously high security, uh, organizations, who as a result have amassed, uh, a ton of expertise, who provide that very precious time, very expensive time, to the community for free to maintain, uh, some of the world's, uh, best projects, uh, like ASVS that's used by several governments to secure their own infrastructure or, uh, the AI Exchange.
Um, and OpenCRE, we talked about that, right? Uh, so that's it. OWASP is the best community in the world for cybersecurity [00:17:00] expertise and cybersecurity programs.
Sean Martin: Well said. Thank you. Good stuff. And I agree. I agree. Glad you do. I agree. Thank you everybody for, uh, joining us for this conversation. Do connect with Spyros and, uh, become part of the OWASP community and, and help us build safer apps so we can all live a safer life and conduct business more safely.
Exactly. Safe. Safe. Well said. Alright. Thanks everybody.