After getting a ping from an old friend about a potential new OWASP project, I had to bring him on as a guest. He's got an interesting idea around potential vulnerabilities in web crawlers which just happen to gather data for so many AI system. We talk about that, Cybersecurity and Government and so much more. Show Links: - LinkedIn https://www.linkedin.com/in/buanzo/ - Github https://www.linkedin.com/in/buanzo/

For years we've heard talk about a shortage of cybersecurity professionals so what can be done about that? In this episode, I speak to Brad Causey who has taken one approach he's found successful. We cover the trade-offs of his approach and how, should you agree with him, you can help fill those troubling vacancies at your company. Show Links: - SecurIT360 https://securit360.com/ - Offensive Security Blog https://offsec.blog/

In this episode we talk with Zain Haq and take a leap and bound over the first and second line to discover more about the third line - internal audit. We discover answers to a number of questions: What role does audit play in the overall cybersecurity of an organization? What does the CISO gain from having an audit function? What makes a good auditor? Learn how to get the most out of audit and what they bring to the table. Special thanks to Tina Turner for inspiring the show title. ;-) Show Links: - Zain Haq: https://www.linkedin.com/in/zainhaq25/

Software supply chain seems to be front and center for technologists, cybersecurity and many governments. One of the early pioneers in this space was Steve Springett with two highly successful projects: OWASP Dependency Track and CycloneDX. In this episode, we catch up with Steve to talk about how he got started in software supply chain management as well as the explosive growth for Dependency Track and ClycloneDX. We also touch on future developments for CycloneDX and places where Steve never expected to see his projects go. Enjoy! Show Links: - OWASP Dependency Track: https://dependencytrack.org/ - Dependency Track Github: https://github.com/DependencyTrack - CycloneDX: https://cyclonedx.org/ - CycloneDX Github: https://github.com/CycloneDX - Software Component Verification Standard: https://scvs.owasp.org/ Social Media links: - https://twitter.com/stevespringett - https://infosec.exchange/@stevespringett - https://www.linkedin.com/in/stevespringett/

In this episode I speak with Jerry Hoff who provides some very interesting perspective on application security especially at scale and from a high level view like that of a CISO. Even if you're not in a senior leadership position, you're likely to be reporting to one. Understanding that point of view can help you successfully frame your work and accomplish your goals. We touch on multiple topics and have some great back and forth that I'm sure will entertain and inform you. Enjoy!

WAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape. The OWASP Coraza is not only asking these questions but putting some Go code behind their ideas. Should WAFs work in a mesh network? Why create an open source WAF? What's next for the OWASP Coraza project? These and more topics are covered in this episode. I had a great time recording it and I think you'll have the same while listening. Show Link: - Coraza Website: https://coraza.io/ - Coraza Github Repo: https://github.com/corazawaf/coraza - Coraza Twitter: https://twitter.com/corazaio - AppSec EU 2023 presentation on Coraza - https://www.youtube.com/watch?v=S_TtvDFmia4

In this episode I speak with Aaron about Point of Sale or POS systems. He's been investigating the security of POS systems for quite some time now and brings to light the state of the POS ecosystem. Buckle your seat belts, this is going to be a bumpy and very interesting ride.

In this episode I speak with Amitai Cohen who's been thinking a lot about tenant isolation. This is a problem for more then just cloud providers. Anyone with a SaaS offering or even large enterprise may want to isolate customers or parts of their business from each other. Several useful items came out of this including the Cloud VulnDB which catalogs security issues in cloud services and the PEACH tenant isolation framework. You may not think you need to worry about tenant isolation, but I bet you should at least keep it in mind. Enjoy! Show Links: - Cloud VulnDB: https://www.cloudvulndb.org/ - PEACH Framework: https://www.peach.wiz.io/ - OWASP Cloud Tenant Isolation Project: https://owasp.org/www-project-cloud-tenant-isolation/

In this episode, I speak with Caleb Queern, one of the authors of "Investments Unlimited" a book I highly recommend you get and read. While the book is fiction, there's a great deal of truth in the story about how automation can work for more than just DevSecOps. Compliance and audit also deserve a seat at the table. Learn how you can get more code out the door, with more safety and a 'risk reduced' smile on the auditors face. Show Links: - Investments Unlimited: https://itrevolution.com/product/investments-unlimited/ - DevOps Automated Governance Reference Architecture: https://itrevolution.com/product/devops-automated-governance-reference-architecture/

In this episode, I go solo and review the last year of podcasts but with a twist. I do my best to compare the topics covered to the OWASP Flagship projects. The goal is to see if the episodes I recorded this year match up with the projects strategically important to OWASP. Plus, the holiday listeners get gifts all around as I cover (and link) the OWASP Flagship projects. Show Links: - (January) New Ideas, New Voices, New Hosts: https://soundcloud.com/owasp-podcast/new-ideas-new-voices-new-hosts - (February) Tanya Janca - She Hack Purple: https://soundcloud.com/owasp-podcast/tanya-janca - SAMM (Software Assurance Maturity Model): https://owaspsamm.org/ - (March) Fast Times at SBOM High: https://soundcloud.com/owasp-podcast/fast-times-at-sbom-high-with-wendy-nather-and-matt-tesauro - CycloneDX: https://cyclonedx.org/ - Dependency-Track: https://dependencytrack.org/ - Dependency-Check: https://jeremylong.github.io/DependencyCheck/ - (April) The VOID: Verica Open Incident Database: https://soundcloud.com/owasp-podcast/the-void-verica-open-incident-database - Web Security Testing Guide: https://owasp.org/www-project-web-security-testing-guide/ - Mobile Application Security Guide: https://mas.owasp.org/ - (May) Threat Modeling using the Force: https://soundcloud.com/owasp-podcast/threat-modeling-using-the-force-with-adam-shostack-owasp-podcast-e001 - ASVS (Application Security Verification Standard): https://owasp.org/www-project-application-security-verification-standard/ - AMASS: https://owasp.org/www-project-amass/ - (June) Giving a jot about JWTs: JWT Patterns and Anti-Patterns: https://soundcloud.com/owasp-podcast/owasp-podcast-giving-a-jot-about-jwts-jwt-patterns-and-anti-patterns - Cheat Sheet Series: https://cheatsheetseries.owasp.org/ - API Top 10: https://owasp.org/www-project-api-security/ - (July) Getting Lean and Mean with DefectDojo: https://soundcloud.com/owasp-podcast/getting-lean-and-mean-in-the-defectdojo - DefectDojo: https://www.defectdojo.org/ - (August) Going Way Beyond 2FA: https://soundcloud.com/owasp-podcast/going-way-beyond-2fa - ModSecurity Core Rule Set: https://coreruleset.org/ - (September) Breaching the wirefall with community: https://soundcloud.com/owasp-podcast/breaching-the-wirefall-with-community - Security Shepherd: https://owasp.org/www-project-security-shepherd/ - Juice Shop: https://owasp.org/www-project-juice-shop/ - Security Knowledge: https://owasp.org/www-project-security-knowledge-framework/ - (October) Little Zap of Horrors: https://soundcloud.com/owasp-podcast/little-zap-of-horrors - Zed Attack Proxy (ZAP): https://www.zaproxy.org/ - OWTF (Offensive Web Testing Framework): https://owtf.github.io/ - (November) You've got some Kubernetes in my AppSec: https://soundcloud.com/owasp-podcast/youve-got-some-kubernetes-in-my-appsec - OWASP Top 10: https://owasp.org/www-project-top-ten/ - CSRFGuard: https://owasp.org/www-project-csrfguard/

In this episode, I speak with Jimmy Mesta, the project leader of the new OWASP Kubernetes Top 10. Beyond covering the actual Kubernetes Top 10 project, we cover how AppSec has expanded to cover other areas. You not only have to ensure that your application is secure, you need to ensure the security of the environment in which it runs. That environment is increasing becoming Kubernetes so what better than talk to someone who's protected Kubernetes clusters for years and trained many others to harden their clusters. Show Links: - OWASP Kubernetes Top 10: https://owasp.org/www-project-kubernetes-top-ten/ - Kubernetes Top 10 Github repo: https://github.com/OWASP/www-project-kubernetes-top-ten - OWASP Kubernetes Security Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html - Mozilla SOPS: https://github.com/mozilla/sops - Hashicorp Valut: https://www.hashicorp.com/products/vault - KSOC: https://ksoc.com/

In this episode, I speak with Simon Bennetts, the creator of OWASP Zed Attack Proxy lovingly known as ZAP. We talk about how it all got started, some of the surprises and lessons learned running a wildly successful open source project. We also cover how some security controls can sometimes actually hurt security. It's an interesting discussion I think you'll enjoy it just in time for Halloween. Show Links: - Zap Website: https://www.zaproxy.org/ - Zap Stats: https://www.zaproxy.org/docs/statistics/ - Zap Community: https://www.zaproxy.org/community/

In this episode, Matt Tesauro hosts wirefall to talk about creating and growing a security community and his 26 years of pen testing experience. In wirefall's case, it's the Dallas Hackers Association or DHA. Our conversation includes what motivated him to create DHA, the lessons he's learned, challenges faced and what success looks like today. He provides some advice for those wanting to get into cybersecurity or be a part of the broader security community. Enjoy. Show Links: - DHA Meetup: https://www.meetup.com/dallas-hackers-association/ - DHA Twitter: https://twitter.com/dallas_hackers - wirefall on Twitter: https://twitter.com/DHAhole

In this episode, Matt Tesauro hosts Neil Matatall to talk about going beyond 2FA as he relates lessons learned from Twitter and Github on account security. This is another episode with some good nuggets of wisdom and some sound advice for those writing or maintaining APIs. It's obvious that Neil has not only spent time doing solid engineering work but he's learned a few things that he's willing to share. Enjoy. Show Links: - OWASP DevSlop Episode: https://www.youtube.com/watch?v=hrAKE6LaizE&ab_channel=OWASPDevSlop - Slide Deck: https://bit.ly/35dcTm0 - Neil on Twitter: https://twitter.com/ndm

In this episode, Matt Tesauro hosts Greg Anderson and Cody Maffucci to talk about OWASP DefectDojo. DefectDojo is an OWASP flagship project that aims to be the single source of truth for AppSec or Product Security teams. It provides a single pane of glass for security programs and can import and normalize over 150 different security tools. I thought that the OWASP podcast might just cover an OWASP project now and then so here we go. Show Links: - https://www.defectdojo.org/ - Github organization: https://github.com/defectdojo - Github main repo: https://github.com/DefectDojo/django-DefectDojo - Pubic Demo info: https://github.com/DefectDojo/django-DefectDojo#demo - Data models (part of the project docs) https://defectdojo.github.io/django-DefectDojo/usage/models/

In this episode, Matt Tesauro hosts David Gillman about JWT Patterns and Anti-Patterns. I first met David at LASCON in the fall of 2021 when I sat in on his conference talk. Based on David’s experiences with JWTs we discuss where JSON Web Tokens can help and harm developers who use them. It seems like JWTs can be a mixed bag mostly determined by how you use them. Hopefully this episode will help you avoid any JWT sharp edges if or, more likely, when you work with them. Show Links: - Video of David’s presentation at LASCON - https://www.youtube.com/watch?v=xTk4ff0eAUg&list=PLLWzQe8KOh5nv8OBs3j39DNYULfxwv_6V&index=29&ab_channel=LASCON - David Gillman on Twitter - https://twitter.com/primed_mover

In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous teams how to do threat modeling. Learn what makes a good threat model and some news about a new book from Adam to help further the spread of threat modeling with the end goal of more threat modeling and fewer security surprises. Enjoy! Show Links: - Threats Book site: https://threatsbook.com/ - Resources on Adam’s website: https://shostack.org/resources

Welcome back to the OWASP podcast. In this episode, we're headed to The VOID. I speak with Courtney Nash about the Verica Open Incident Database, otherwise known as The VOID, which is a collection of software-related incident reports available at https://www.thevoid.community/. It's a fascinating discussion about how, by gathering data from The VOID, we can make the Internet a safer and more resilient place. Courtney was super passionate about the research work she's doing. It was completely fun to chat with her and they've already produced some very interesting conclusions, in the published report available on The VOID website. I had a blast recording this one and I hope you enjoy it. EPISODE LINKS - The VOID: https://www.thevoid.community/ - 2021 Report: https://www.thevoid.community/report - Podcast: https://podcast.thevoid.community/ - Google MTTR report: https://www.oreilly.com/library/view/incident-metrics-in/9781098103163/ (Summarized also in the 2021 VOID report)

Hello, it's Matt Tesauro. Welcome back to my take on the OWASP Podcast. It seems as if I'm turning my episodes into the equivalent of a conference hall track, those wonderful interactions you have at conferences, running between rooms at conferences, meeting up with smart minds you don't see all the time. I have the pleasure of reuniting with Wendy Nather, CISO Advisor Extraordinaire, for this episode. We had a very interesting conversation about Software Bill of Materials (SBOMs). Like many of my interactions with Wendy, I learned from our conversation. She threw out some really good nuggets. I highly recommend looking up Wendy on Twitter (@wendynather). Besides the security wisdom she's going to drop, she's got a hell of a sense of humor. I think it will be worth the follow. Enjoy the episode.

“I absolutely hate SAFe!” -- Bryan Finster That is Bryan Finster, Distinguished Engineer at Defense Unicorns out of Colorado Springs. I was scrolling through LinkedIn a couple days ago, saw a thread on SAFe, The Scaled Agile Framework, and what I was seeing wasn’t exactly… well, what you’d expect to hear about a framework that’s being used by over 20,000 organizations, including the United States government. Before we get too much into it, here is the definition of SAFe. I took it directly off Scaled Agile, the creators and providers of the SAFe framework: “The Scaled Agile Framework® (SAFe®) is a system for implementing Agile, Lean, and DevOps practices at scale. The Scaled Agile Framework is the most popular framework for leading enterprises because it works: it’s trusted, customizable, and sustainable. If you want to build operational excellence, collaboration, responsiveness, and customer satisfaction into your organizational DNA, where do you start? SAFe provides a proven playbook for transformation.” Some people will argue with “because it works”, and Bryan is one of those people. Here’s what started the whole thing. Bryan posted this on LinkedIn, “Example of terrible ideas propagated by #SAFe: feature teams. A feature team doesn’t own anything. They act as coding mills and have no quality ownership. SAFe recommends them as a method to increase output. It’s a hacky workaround for crappy architecture that results in increased support cost and more crappy architecture.” Tell us what you REALLY think, Bryan! In today’s broadcast, we talk to three people who have varying degrees of opinions on SAFe: Tracy Bannon, Senior Principal/ Software Architect & DevOps Advisor at Mitre, David Bishop, Certified SAFe 5.0 Program Consultant, and of course, Bryan. Stay with for what’s sure to be a fun ride. RESOURCES FROM THIS BROADCAST SAFe: Scaled Agile Framework https://www.scaledagileframework.com/ Bryan Finster https://www.linkedin.com/in/bryan-finster/ Tracy Bannon https://www.linkedin.com/in/tracylbannon/ David Bishop https://www.linkedin.com/in/david-bishop-08528220/

Hello, I'm Matt Tesauro, one of the OWASP Podcast co-hosts. I had the opportunity to interview Tanya Janca for this podcast. To be honest, I kind of wish it was a video recording because you'd be able to see the big smiles and vigorous head nodding during the recording. Tanya and I are in violent agreement about all things appsec, and it shows. There's a nice mix of general advice, war stories, and some good nuggets in this interview. I hope you enjoy it.

8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 500,000 downloads. It has been a fun project, but it’s time to change things up a bit. There is a lot going on at OWASP, even more going on with the technology industry when it comes to cybersecurity. It’s too much for one person to keep up with. Enter the idea of multiple co-hosts for the podcast. Many of you listening already know of Vandana Verma and Matt Tesauro from their work with OWASP. I called to ask if they’d like to share the platform, producing their own episodes around a chosen concept. In today’s episode, Vandana, Matt and I talk about thoughts of an expanded concept for the podcast. We’ll each explain what we will be covering in our shows, and what you can expect to hear in the coming year. Our plan is to have three shows, (kind of like NPR programming when I think of it), under one umbrella: The OWASP Podcast Series. Come along with us and we talk through the new series and what it will me to you, as a listener.

We’ve all heard of “Red Teams” and “Blue Teams” when it comes to cybersecurity. But what about the “Purple Team”, the “Yellow Team” or the “Blue Team”. What are those? In February of 2020, Louis Cremen introduced the InfoSec Colour Wheel to the security community. The wheel expands upon April Wright’s work on bringing builders into the security team. The value of the wheel is to show the various types of security teams, seven in all, and the role each plays in security. Jasmine Henry brought the wheel to my attention. As she and I talked, we realized the InfoSec Wheel can be used as a thought exercise to show beginning cybersecurity professionals the various roles they can play within the community. This led to the discussion of careers in cybersecurity and what the near future looks like. In this broadcast, we’ll evaluate the wheel, talk through each of the seven personas and give our thoughts on the value of each role, how it works with the other roles, and the basics of what each provides. Let’s figure out what your primary color is. Stay tuned… https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700 The OWASP Podcast Series is supported by the Open Web Application Security Project, home to over 240 community driven security projects, including the OWASP Top 10, the Web Security Testing Guide, and the Security Knowledge Framework projects. ABOUT JASMINE HENRY Jasmine Henry is a security practitioner who's used JupiterOne to create a compliant security function at a cloud-native startup. She has 10 years of experience leading security programs, an MS in Informatics and Analytics, and a commitment to mentoring rising security practitioners from underrepresented backgrounds. Jasmine is a Career Village co-organizer for The Diana Initiative security conference. She lives in the Capitol Hill neighborhood of Seattle, WA.

A couple weeks ago I read an article by Chris Roberts. The headline screamed, “Security Solved!” Security solved? What the hell was he talking about. Everyday there’s a new media storm around the latest breach or ransomware attack. There’s an entire industry built around the idea that security is hard, and the need for special equipment, software and people to even think about being secure. Chris was insistent. He professed that security is not hard nor complicated. Not only does he consider it inexpensive and undemanding to do the right thing, his premise is it’s easy to get the simple stuff sorted. I called Chris to get clarification on what he was talking about. As we got deeper into the discussion, we both realized this was a topic that needed more exposure. If there really is a simple way to implement security, the world should hear about it. We invited people to participate in the recording of our discussion. You’ll hear us reference people who were online with us, sending chat messages and questions. This session is a little longer that our usual podcast, but what’s here is important. Chris says it’s easy, I say it’s not, and then we get into it. We start when I ask Chris to give us a little about his background. You’ll be able to tell right from the start, this isn’t going to be your ordinary podcast. Notes for this broadcast: Chris' original article can be found on his LinkedIn feed: https://www.linkedin.com/posts/sidragon1_cybersecurity-management-training-activity-6810995026848485376-58Zs Basic Premise: This isn’t hard. This isn’t complicated. This doesn’t have to be expensive. This doesn’t need fancy words This doesn’t require gilted certificates This isn’t demanding This needs no awards This isn’t covered in glory. Step-by-Step Instructions: 1. Assets, what do you have? 2. Assets, where are they? 3. Who’s got access to them? 4. What DO they do, what is their purpose? 5. What’s on them? 6. Which ones do you need to care about?

In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Juice Shop Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. Support for this broadcast is provide by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket… and with support from JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at JupiterOne.com.

In this episode of the People | Process | Technology podcast, I speak with Simon Bennetts from the Zap Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. The OWASP 20th Anniversary Celebration is a 24 hour global event, featuring sessions from each of the OWASP flagship projects, leaders of the Top Ten Project, presenters from around the world, and sessions from people who have helped OWASP over the past 20 years. Registration is open, and you can’t beat the cost… it’s free. Even if you can’t attend, please register so you’ll have access to all of the recorded sessions following the conference. For the link check the show notes here on the podcast. Our program was produced today by Executive Editor Mark Miller. Special thanks to today’s guests, Simon Bennetts from the ZAP Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. You can stream our archive of over 160 episodes, for free, at soundCloud.com/owasp-podcast. The show is available on all of your favorite podcasting platforms, including Spotify and Apple Podcasts. Support for this broadcast is provided by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket. Support also provided by JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at https://info.jupiterone.com/get-started.

In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security in 2020, in part because of his work on the Cyber Defense Matrix, a framework for understanding and navigating your cybersecurity environments. The Cyber Defense Matrix started as a project when Sounil was the Chief Security Scientist at Bank of America. The initial problem he focused on with the matrix was how to evaluate and categorize vendors and the solutions they provided. The Cyber Defense Matrix is a structured framework that allows a company to understand who their vendors are, what they do, how they work along side one another, what problem they profess to solve, and ultimately to find gaps in the company’s portfolio of capabilities. In the seven years Sounil has been working on the project, he has developed use cases that make the Cyber Defense Matrix practical for purposes such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. The matrix has been adopted by the OWASP Foundation as a community project. Elements of the matrix have been incorporated into the Center for Internet Security’s (CIS) Top 20 Critical Security Controls. I talked with Sounil to hear how the project was going, what his plans are for the future of the matrix, and what help he can use from the community for expanding its usefulness. ABOUT SOUNIL YU Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

The Top 10 is considered one of the most important community contributions to come out OWASP. In 2003, just two years after organization was started, the OWASP Top 10 was created. The purpose of the project was to create an awareness document, highlighting the top ten exploits security professionals should be aware of. Since that time, innumerable organizations have used it as a guideline or framework for creating security programs. The current Top 10 list was released four years ago, in 2017. As part of a 2021 initiative at OWASP, the OWASP Top 10 is in the process of being updated, and scheduled for release this summer, in time for the OWASP 20th Anniversary Celebration. I was curious as to what has changed over the years with the Top 10, and what to anticipate in the upcoming release. In this broadcast, I talk with Andrew van Der Stock, Executive Direct of OWASP. He explains how the top ten exploits are chosen, the data source for determining the exploits, and the data research done to verify the selections chosen. Our conversation starts with why the OWASP Top 10 is being spotlighted after being static for the past four years. Today’s broadcast is supported by the OWASP 20th Anniversary Celebration, coming September 2021. The CFP is now open for this online, 24 hour conference. Go to OWASP.org for more information. This broadcast is also supported by JupiterOne, providing cyber asset discovery and visibility into your entire cloud native infrastructure. Know more, fear less, with JupiterOne. CFP for OWASP 20th Anniversary Celebration: https://owasp.org/2021/03/08/cfp-20th-anniversary.html

When Shannon Lietz and the team at DevSecOps.org published the DevSecOps Manifesto six years ago, security was uppermost in their minds. The manifesto starts with a call to arms… “Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.” The effect of the DevSecOps movement was not understood by many, other than the handful of practitioners who understood what the team was going after: security is the responsibility of everyone, not just the security team. Security deserves a seat at the DevOps table. Fast forward six years, and security is now not just at the table, but sitting at the head of the table, leading the way. During this transition to focus on security, operations has become the short leg on a three legged stool. What was original a two team party, Dev and Ops, became a threesome, gradually ignoring operations as Developers and Security built a strong relationship. Damon Edwards has been my go-to person when I want to talk to someone about how operations continues to be relevant as the third part of DevSecOps. I caught up with Damon a couple weeks back to talk with him about how the transition to enterprise automation is going in the industry, what has been happening in the past year with the COVID lockdown, and what he’s looking forward to in 2021. I started the conversation, asking how he perceives his role in the DevSecOps Community. ---------- This broadcast is supported by OWASP, the Open Web Application Security Project, host of “Call to Battle” a series of events for gamers, challenge champs, and fun-nerds. Get more information at owasp.org/events… and by JupiterOne.com featuring solutions that help you “Know more. Fear less” by mapping your cyber assets and knowing the relationships between those assets.

This is Mark Miller, Executive Producer. Over the years as I’ve produced the show, the topics of focus have followed the trends in the industry. What was originally called “The OWASP Podcast” became “OWASP 24/7” and then “The DevSecOps Podcast”. Each change brought with it a new audience, extending our community from exclusively OWASP practitioners, to DevOps and DevSecOps advocates. The audience for the podcast has grown, with close to 500,000 listens of the 150 episodes. We’ve covered book launches by speaking with the authors, we’ve talked about industry reports focusing on the Software Supply Chain. Topics have included Chaos Engineering, efforts to create a Software Bill of Materials initiative at the federal level, Threat Modeling and a multitude of other topics. You might have noticed something different, a new name for the podcast, at the beginning of the program today. Keeping a feel of the pulse of the industry is one of the things that interests me most as producer of the series. Currently, People, Process and Technology is starting to get its due The realization that these are not three things, but one thing that is intertwined into a convoluted, unimaginably complex whole is something that deserves our attention, and that will be our focus over the coming year. We’ll talk with practitioners who are creating security patterns for each leg of the People, Process, Technology triptych. We’ll continue to highlight OWASP projects that are focused on security, and how it relates to all aspects of technology. Guests will include leaders in the industry who are responsible for driving security, not as a stand-alone initiative, but as an integrated part of their business. Developing a secure development environment, one that builds quality into the process is something that should be of concern to everyone in that process. My desire is to help expose the practitioners who are thinking about the next generation of security, and how you can use their insights to help us build a safer world. Thank you for your continuing support. I’m excited to be expanding the program and hope you’ll stay with us for People, Process, and Technology. Support for this broadcast is provided by OWASP and JupiterOne.

OWASP is in a state of discord. Over the past few years, there have been fractures in the community. Recently, there have been arguments on the leader email list that have clearly breached the lines of etiquette. Personal attacks, distribution of funds, and complaints of lack of diversity are creating tension among the members. If we, as an organization refuse to confront these issues, there is a real potential we will no longer have relevance to the AppSec community. The in-fighting has become a detriment to chapter leaders and project leaders, who are looking to OWASP for consistent leadership and direction. In early July, the OWASP board announced the appointment of Andrew van der Stock as Executive Director. I called and spoke with Andrew at length about how he intends to confront the existing issues in the organization, and what he hopes to accomplish during his tenure. I have known Andrew for years through his work on the Application Security Verification Standard. As a previous OWASP board member, he has insight into how the board works and how to make changes. In our discussion, we spoke directly about the current problems at OWASP and Andrew's vision for moving the organization forward by confronting existing problems in policy, rewriting sections of the bylaws, and setting up enforcement of those bylaws. Andrew has not set himself an easy task. The push-back is sure to cause more strife in the beginning, but he is determined to implement changes that will make OWASP stronger in the long run, and put us on a course to continue to be a leading role to the AppSec community. In the spirit of transparency and open discussion, Andrew answered every question I had for him. He intends to continue this discussion with the community through the creation of live-online discussions. For now, Andrew is ready to implement his vision for OWASP, as he talks about here. Let's get started.

In this episode of the DevSecOps Podcast, we’re going to go off script and explore the LinkedIn algorithm. I could tie this back to DevSecOps, and how all of us need visibility for our work, or how important it is to build a community around our ideas, but the real reason is… I find this fascinating. One of the largest community engagement platforms in the world encourages us to play their game, but doesn’t tell us what the rules are! How are we to determine the best way to participate, when we have no idea on how to best contribute to maximize our visibility? Because that’s the game we are playing: how do we get, and maintain, visibility for our ideas on LinkedIn. How do we grow that visibility into an audience of our peers in order to contribute and expand those ideas. It is to the benefit of LinkedIn to give basic rules of engagement, but instead of guidelines for participation, we are punished for breaking undefined rules and rewarded for seemingly arbitrary reasons, which we then try to recreate without knowing why they were promoted. To add more complexity to the mix, the rules can change at any time. Is it a loser’s game, or are there fundamental patterns we can surface that will help give some visibility into the LinkedIn algorithm? For years, I’ve been making intuitive guesses as the best way to work on the platform. This lead me to the work of Andy Foote, from LinkedInsights, and Richard van der Blom, founder of Just Connecting, Through their research, they have found patterns that we might be able to use to expand our visibility and engagement on LinkedIn. I say “might”, because when you don’t know the rules, you don’t know when the rules change. On May 8, 2020, Richard, Andy and I sat down to discuss their research into the algorithm that determines how much visibility your content gets on LinkedIn. Andy’s article, “The LinkedIn Algorithm Explained In 25 Frequently Asked Questions” and Richard’s investigations which turned into “The LinkedIn Research Algorithm”, were the basis for our discussion. What I learned from them immediately changed how I engage with LinkedIn. When I say “immediately”, I mean within minutes of talking with them. Resources from this episode Richard van der Blom offers customized LinkedIn training sessions at Just Connecting https://www.justconnecting.nl/en/ Andy Foote offers LinkedIn coaching sessions at LinkedInsights.com The LinkedIn Algorithm Explained In 25 Frequently Asked Questions by Andy Foote https://www.linkedinsights.com/the-linkedin-algorithm-explained-in-25-frequently-asked-questions/ The LinkedIn Algorithm Full Report by Richard van der Blom https://www.slideshare.net/RichardvdBlom/full-report-linked-in-algorithm-july-2019

When I read Richard Stiennon's latest article in Forbes, The Demise of Symantec, I thought it was absolutely fascinating. Richard walks through the process of what happened at Symantec, how it was an acquisition engine for so many years, and now how it's started to decline. I got in touch with Richard and told him I'd like to have him read his article for the podcast, and he responded right away. What you'll hear in this episode is Richard talking about and reading from his article, The Demise of Symantec. Resources for this podcast: The Demise of Symantec, Forbes Online https://www.forbes.com/sites/richardstiennon/2020/03/16/the-demise-of-symantec/#6522117b5fc7 Security Yearbook 2020 https://www.security-yearbook.com/

Equifax is trying... I mean REALLY trying... to regain your trust. The Equifax CTO and CISO delivered the keynote at DevSecOps Days during 2020 RSAC. They contributed to multiple sessions and panels during the conference. The message was consistant: "Yes, we had a major problem. Here's what we're doing about it. Here's what you can learn from us." From a technical perspective, Bryson Koehler, CTO, and Jamil Farshchi, CISO, took on all questions from the audience. Nothing was out of bounds. They stayed after the session to talk one-on-one with those who had more questions. The words I heard most from the audience about the session was 'humility' and 'transparency'. That's a far cry from the poster child of breaches image the company has had to carry since 2017. Bryson and I sat down after the session at DevSecOps Days to go more into detail on what Equifax is working on, not just to re-gain user confidence, but to make a difference in the technology industry when it comes to lessons learned. He and Jamil are in the process of rebuilding the technology infrastructure at Equifax. They want to create a self-service, customer driven platform, that will include security as part of an automated solution to the future of data privacy. They are willing to openly share what they are working on, what has worked, what hasn't worked, all while building transparency into the process so that everyone can learn, not just the engineering team at Equifax. In this episode, we start with how Bryson felt the audience responded to the message from the stage, and what he had hoped to accomplish by stepping into the public spotlight.

If you like what you hear, you can download the entire book at sonatype.com/epicfailures As we were putting the finishing touches, getting ready to publish the latest version of Epic Failures in DevSecOps, I reread Jaclyn Damiano's chapter and was struck by how unique her message is. This is a personal story, one that will resonate with many people in the tech industry. It's a story of beginnings, of hardships, of leadership and finally, how all that combines into something much bigger than a technology solution. It's a story that talks about transforming people, not just companies. What you'll hear in this broadcast is Jaclyn reading her chapter, "Making Everyone Visible in Tech". There's no narrator, no discussion, just Jaclyn in her own words telling the story behind The Athena Project. It's a story of how she and her team took a diverse set of 40 applicants from underserved communities, with little to no technical background, and created a program to train and place those attendees in the tech industry. It's an inspiring story that needs to be heard.

When Derek Weeks and I started All Day DevOps in 2016, we were unsure as to whether anyone would be interested.It's now four years later. Last week we had close to 37,000 people register for the event. We're still trying to wrap our head around the scale of something that generates a world wide audience in the tens of thousands for a 24 hour conference. One of the things that has grown organically from All Day DevOps is a concept called "Viewing Parties". It's an idea the community has created, not something planned by us. Over 170 organizations, meetups or user groups around the world setup a large screen and invited colleagues and friends over to share in the DevOps journeys that were being told throughout the day. Last year, we heard through the grapevine that State Farm had over 600 people show up to participate at their viewing party in Dallas. That's 600 people internally at State Farm. When I heard about it, I knew I had to speak with Kevin ODell, Technology Director and DevOps Advocate at State Farm, the person who coordinated the event. Our initial conversation was a fascinating view into how he pulled off such a large event, internally. We kept in touch throughout the year, leading up to 2019 All Day DevOps. Keeping track of the registrations for Kevin, he soon came to realize what he had created was now a viral event at State Farm. For 2019, State Farm had 4000 of their 6000 developers confirmed to attend All Day DevOps. To me, that's just remarkable. While at the DevOps Enterprise Summit last month, Kevin and I sat down to talk about how he created such an incredible event, the process for getting business buy-in, and how he measures the value of letting 4000 developers collectively watch videos for the day. Even if I wasn't one of the co-founders of All Day DevOps, I'd find this a fascinating story. Stay with us and I think you'll be impressed, too.

Shortly after watching the documentary, Code Rush, I met with Tara Hernandez, the hockey stick carrying lead of the Netscape project that was being documented. We sat down at the Jenkins World Conference in San Francisco to talk about the effect that project had on her career, what she has been doing since with her position at google, and what she hopes to be working on in the coming years. We started our conversation by exploring the relationship between the Netscape project in 1998 and the current state of DevOps. Would DevOps have made a difference... the answer might surprise you.

Edwards Deming went to post-war Japan in the late 1940s to help with the census. While there, he built relationships with some of the main manufacturers in the region, helping them understand the value of building quality into a product as part of the production process, thus lowering time to market, eliminating rework and saving company resources. In his 1982 book, "Out of the Crisis", Deming explained in detail why Japan was ahead of the American manufacturing industry and what to do about. His "14 Points on Quality Management" helped revitalize American industry. Unknowingly, he laid the foundation for DevOps 40 years later. Eli Goldratt published "The Goal" in 1984, focusing on the "Theory of Constraints", the idea that a process can only go as fast as it's slowest part. In fictionalized novel form, Goldratt was able to reach a wide audience who would utilize the theory to help find bottlenecks, or constrainsts, within production that were holding back the entire system. Once again, the theories espoused in The Goal were a precursor to the DevOps movement 40 years later. In January 2013, 40 years after Deming and Goldratt reshaped the manufacturing processes in American, Gene Kim published "The Phoexnix Project". He used the same format as Goldratt, telling the story in a fictional novel format with characters who were easily identifiable within the software manufacturing process, from a manager's point of view. The Phoenix Project is now one of the most important books in the industry, and is used as a starting point for companies interested in participating in a DevOps transformation. It's now six years later, 2019. Gene's new book, The Unicorn Project, will be released at the upcoming DevOps Enterprise Summit in Las Vegas on October 28. This new book has an interesting premise: What was going on with the software development team in the Phoenix Project as the management team was flailing to get the project back on track. It's a novel approach to have parallel timelines in separate books, looking at the same project. In this broadcast, Gene and I talk about how the Unicorn Project aligns with the Phoenix Project, the overlap in storylines, and why he chose to speak for software developers in this iteration of the story. Do a quick review of the Phoenix Project, which is probably already on your bookshelf, and then listen in as we discuss using Deming, Goldratt and Kim as the foundation of the principles of the DevOps movement.

Once a year, Sacha Labourey and I sit down to discuss the past year and what the coming year looks like for DevOps and Jenkins. As CEO of CloudBees, Sacha has broad visibility into the progress of the DevOps/DevSecOps communities. We started our talk this year, commenting on the growth of the Jenkins World conference, with over 2000 attendees... what does Sacha attribute that to and does it coincide with the growth within the DevOps community. We continued our discussion by examining how cultural transformation within a company must align with the tools that are available to help with that transformation. Along the way we touched on where cultural transformation comes from within an enterprise, the question of whether DevOps has yet to jumped the chasm, the tipping point for a company's full acceptance of DevOps patterns, and what does Sacha hope to accomplish in the coming year All Day DevOps: A Supporter of DevSecOps Podcast If you're listening to this podcast, you've probably heard of All Day DevOps. This year, All Day DevOps has expanded to 150 sessions, including 9 sessions dedicated to OWASP projects such as Seba talking about DevOps Assurance with OWASP SAMMv2, the OWASP Security Knowledge Framework with Glen & Ricardo ten Cate, DevSecOps in Azure with OWASP DevSlop featuring Tanya Janca, and an overview of the OWASP Top 10 with Caroline Wong. Simon talking about the OWASP ZAP HUD project is another session not to be missed. All Day DevOps is a free, community event, sponsored and supported by hundreds of organizations like yours from around the world. Registration is free. Go to All Day DevOps dot com to register and start building your schedule. All Day DevOps. All live. All online. All free.

I was affected by it. You were affected by it. We were all affected by the Equifax breach in September 2017. The truly interesting thing about it is, Equifax wasn't the only company hit by the struts 2 vulnerability that day. Many other companies were hit by it within that time period, but Equifax became the poster child for the main stream media. It was just too easy of a target because of consumer visibility. In the two years since the breach, Equifax has been working hard to restore its reputation, not just with consumer protection, but with the companies that depend upon credit data to make real business choices. I wanted to find out what Equifax is doing behind the scenes not just reputation wise, but technology wise when it comes to protecting data. Was it status quo as soon as the buzz died down? Did they pay their fine and go back to business as usual? Or are they making changes under the hood that will make a difference in how financial data is handled and what can be done with it. I met with Sean Davis, Chief Transformation Evangelist at Equifax, while at Jenkins World in August. It had been two years since the breach, and I wanted to hear what was happening internally, what changes have been made and why we should begin to trust Equifax again. I have to say I was surprised. When I sat down with Sean, I thought there would be hesitancy, some caution as to what could and couldn't be talked about. To my surprise, it was a transparent discussion. I asked him questions I wanted to know as a consumer, as well as the technical queries about what's going on under the hood at Equifax, what changes have been made to make my data more secure. Is it time to trust Equifax again? I'll let you decide.

OWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest security tribes in the world. In this episode of the DevSecOps Podcast Series, I speak with Ben Pick one of the organizers of the conference about what's important about this type of gathering and what you can expect when attending. https://dc.globalappsec.org/

The 2019 State of the Software Supply Chain Report was released on June 25th. The report is an analysis of the answers from over 5500 participants, allowing data researchers the ability to extrapolate what the most productive enterprises are doing when it comes to managing the software supply chain, and how that compares to less efficient development practices. The purpose of the analysis was to objectively examine and empirically document, release patterns and hygiene practices across 36,000 open source project teams and 3.7 million open source releases. In this conversation I speak with Derek Weeks, Project Lead for the report, and Stephen Magil, who along with Gene Kim, acted as research partners on the report. If you've been looking for verified research that can be used to help justify a DevOps initiative, or to validate the value of DevOps projects within your company, you'll want to stay with us.

Let's not talk around the subject here... women are under represented when it comes to speaking or participating in tech conferences. It's a male dominated culture. When I saw Lani Rosales had published, "The Ultimate list of Austin women who can speak at your tech event" in response to the complaint that there are no women speakers available in the tech industry, I called her right away. As co-founder of the world's largest DevOps conference, All Day DevOps, and as one of the core organizers of the global DevSecOps Days series of events, I wanted to hear how the list came together, her motiviation for creating the list and how the tech community has responded to an overt call for women speakers. One of the most surprising topics during our conversation was the continual reference to "the vanity of diversity". Lani is opposed to replacing males speakers just for the sake of having a token female speaker or panelists. As she says it, "Let's not remove male speakers, let's add female speakers." When she said that, it resonated with me. That's how true diversity works: add women, don't subtract men. Lani's vision is to make attendees, all attendees, feel welcome, represented and given the feeling that their way of thinking is welcome in the room, in the conference, and in the community. That's the true reason for diversity, and that's what we'll be talking about today. The Ultimate List of Austin Women Who Can Speak at Your Tech Event https://theamericangenius.com/tech-news/austin-women/

I produced my first concert at the San Anselmo Playhouse in 1979. It was the first in a series of events that has lasted 40 years. I have produced more than 300 events and participated in many hundreds more as a speaker and participant. As the producer of this many events, I have an internal map of what to do to make an event successful, the steps to create and manage the logistics of an event, and how to promote them. All Day DevOps, a live online conference I co-founded with Derek Weeks, has over 30,000 registrations yearly. This type of involvement gives me a unique perspective into why an event is successful. In the past few years, I've been sketching out a "How To.." manual on producing successful events. When the book "Building Internal Conferences" came across my radar, my first thought was "Good! Something I won't have to do." After looking through the book, I called authors Matthew Skelton and Victoria Morgan-Smith to trade stories on tips and tricks for managing successful events. You might ask yourself at this point, "Why is this being covered on a tech podcast?" With so much to choose from when it comes to webinars, meetups, user groups and conferences, many companies are choosing to host their own event internally, or participate as supporters of a regional event. Industry conferences such as DevOps Days, DevSecOps Days, and SharePoint Saturday are run by local teams who are engaged in community development and education. This episode of the DevSecOps Podcast focuses on helping you as an event organizer avoid the "Epic Failures" that would stop your event from being a success. Where to find the book: https://confluxdigital.net/conflux-books/book-internal-tech-conferences

In April 2019, I was invited to host a panel at the International Conference on Cyber Engagement in Washington DC, to discuss "Securing the Software Supply Chain". On the panel were four of the top voices in software supply chain management: - Edna Conway, Chief Security Officer, Global Value Chain, at CISCO - Joyce Corell, Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, US Office of the Director of National Intelligence - Bob Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, US Department of Homeland Security - Dr. Suzanne Schwartz, Associate Director for Science & Strategic Partnerships, Center for Devices & Radiological Health, US Food & Drug Administration This episode of the DevSecOps Podcast is the full session from the conference. It is an extended session, running an hour and a half, significantly longer that our usual broadcast. I think you'll find it worth the time. Thank you to the ICCE for allowing rebroadcast of the panel. Pull up a chair, sit back, and listen in as we discuss Securing the Software Supply Chain.

When I think of Tel Aviv, I imagine a robust, young culture, living a good, fun life. Not only is the culture conducive to a young life style, its tech industry continues to gain traction. As Wired Magazine said last August, "Israeli startups have always been high on Silicon Valley shopping lists, but Tel Aviv is beginning to shake off its reputation as Europe’s exit capital." Zebra, the medical diagnostics company, MyHeritage online family tree service, Via ride sharing service, and the Waze navigation app, as well as dozens of other influencial start-ups call Tel Aviv home. This places Tel Aviv at the heart of the tech industry in Isreal and encourages conferences and gatherings on a regional, as well as global scale. In this broadcast, I speak with Avi Douglen and Ofer Moar, co-chairs of the upcoming Global AppSec Conference in Tel Aviv. They are both active participates in OWASP and the security community. I called them to find out more about the conference, how it's different from other conferences and what participants can expect as takeaways from the event. More information and registration: https://telaviv.appsecglobal.org/

If you've read the Phoenix Project, you'll remember Brent, the indispensable cog on the operations team. Brent was a good guy, he wanted to do the right things, all of the right things, but was pulled in all directions because of the lack of a unified plan for the company's project workflow. But what if Brent didn't want to do the "right" thing? What if Brent was more interested in the convenience of getting his work done than he was in the overall health and output of the project. What if he deployed to production without checking into SourceSafe, not just once, but for years. From Tanya janca: I went to our trusty code repository, took a copy of the most recent code. I went looking for the bug, and I couldn't even find it. And then I'm running it locally, and I'm looking at the real one in prod. And they're completely different. I'm like, "What would have happened if I had pushed to prod? If I fixed that bug, and pushed to prod, and not noticed the difference?" And he's like, "All my work would have been gone. That would have been your mistake." I'm like, "Are you kidding?" He's like, "It's just easier if I check it in directly, if I just edit it right on the web server. It's just easier for me." I'm like, "Oh. Is it easier to do a shitty job? No. No, no, no. In today's episode, Tanya Janca, Cloud Security Advocate, Microsoft, expands on her just published article, "DevSecOps: Securing Software in a DevOps World", clarifying each of the 5 tactics she uses to integrate not just security into the software development process, but how to manage people as part of that process. Have a listen...

Three years ago there was an idea floating around OWASP... a core community was looking for a way to have an isolated week, where security project working groups could get together, with no distractions, and work on projects they felt were important. From this idea, the Open Security Summit was founded. Now in it's third year, the summit takes place in an isolated forest located between London and Manchester. The format for the gathering is to present an environment, with no distractions, where the community of 150 security professionals can meet to update each other on their progress in the past year and to choose working groups to outline and work on future projects. This is not a podium lecture series conference. It is a 5-day high-energy experience, during which attendees get the chance to work and collaborate intensively. Each working session is geared towards a specific Application Security challenge and will be focused on actionable outcomes. In this episode, I speak with Seba (Sayba) Deleersnyder, Denis Cruz, Jemma Davis and Francois Raynaud, core organizers of the event, talking about why they started the event, what has changed over the years and what you can expect as an attendee at the Open Security Summit. https://opensecuritysummit.org/

Open-source components and their use within the software supply chain has become ubiquitous within the past few years. Current estimates are that 80-90% of new software applications consist of open-source components and frameworks. Section A9 of the OWASP Top 10 places components with known vulnerabilities as one of the most prevalent and abused parts of the software supply chain, placing it at a security weakness level of three, on a scale from one to three. Quoting from the OWASP description in A9, "Component-heavy development patterns can lead to development teams not even understanding which components they use in their applications or APIs, much less keeping them up to date." In today's episode, I speak with Allan Friedman, Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration. Our talk focused on the creation of a Software Bill of Materials, or an SBOM. As we begin, Allan describes his role in the project and what they hope to accomplish. About Allan Friedman I'm the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, or NTIA. We're a tiny part of the US Department of Commerce, and our mission really is about promoting a free, open, and trustworthy internet. Over the past few years, we've engaged in what we call "multistakeholder processes", trying to identify areas where the entire digital ecosystem can come together on things that they care about and make progress. So the government doesn't have a vested interest in the outcome, we just feel that we'll all be better off if the community can find common ground and consensus.

"Chaos engineering is an empirical practice of setting up experiments to figure out where your system is vulnerable so that you can know that ahead of time and proactively fix some of these vulnerabilities in your system." -- Casey Rosenthal In this broadcast, I speak with Casey Rosenthal about the beginnings of Chaos Engineering and Netflix and how the concept has morphed into a cross-industry community, sharing ideas through local chaos conferences.

The Ladies of London Hacking Society was created by Eliza-May Austin in an act of frustration.Having nowhere to turn to meet other women within the security industry in the UK,Eliza-May fired off an online post lamenting the lack of local community support for technical security-based women. Her story is a common one. The post seemed to resonate with the local community. In a short time, she had close to 500 women join her London Meetup Group, focusing on sharing technical skills and industry stories.

What am I working on? What can go wrong? What am I going to do about it? Did I do a good job? These are the four questions at the heart of threat modeling In this episode, I speak with Adam Shostack, author of Threat Modeling: Designing for Security. We talk through how to begin threat modeling and the expectations of using modeling. Adam walks through the history of threat modeling, including his creation of the Elevation of Privilege game.

This is the sixth episode in an eight part series, talking with the authors of "Epic Failures in DevSecOps". In this segment, I speak with Chris Roberts about his chapter, "We are all special snowflakes", diving into topics as diverse as the failure of the security industry to protect us from ourselves and what is considered "acceptable" monitoring when it comes to the government, and to social sites. You can download a free copy of Epic Failures at DevSecOpsDays.com

The inclusion of security as an integral piece of the DevOps puzzle continues to gain traction. In this episode of the DevSecOps Days Podcast Series, I speak with Curtis Yanko and Scott McCarty about their new book, "A Concise Introduction to DevSecOps". We discuss why they wrote the book, who the audience is that will benefit from it and why enterprises should be considering security as part of the software development environment.

As if there aren't enough reasons to go to Southern California in the middle of a New York winter, AppSec Cali opens it's doors for its 6th Annual OWASP conference on January 22, 2019. In this broadcast, I speak with Richard Greenberg, one of the core organizers of the conference, talking about why people come, what they can expect to see and why he continues to help produce the conference year after year. For a transcript of this broadcast, go to DevSecOpsDays.com and click on "Podcasts".

Aubrey Stearn is the Technical Lead for the Enterprise Cloud Platform at Nationwide. In the broadcast we talk with Aubrey about her chapter, "The Tale of the Burning Programme", in the recently released "Epic Failures in DevSecOps" book. Aubrey talks about her extensive experience guiding and molding teams, leading the way through the maze of decisions needed in order to build a more productive and efficient engineering culture. We start off the discussion with "Why is our biggest problem DevOps, itself?"

"In the past when we were writing software, it was our engineers and our organizations that had total cost of ownership of that software. But now, that has fundamentally changed. Engineers are using open source software and deploying the entire application on an open source framework, which means a large part of the software supply chain is no longer owned by the engineer. " -- Chetan Conikee In this episode of the DevSecOps Days Podcast Series, I speak with Chetan Conikee about his chapter in the Epic Failures in DevSecOps book. About Chetan Conikee Chetan Conikee is a serial entrepreneur with over 20+ years of experience in authoring and architecting and securing mission-critical software. His expertise includes building web-scale distributed infrastructure, cybersecurity, personalization algorithms, complex event processing, fraud detection and prevention in investment/retail banking domains. He currently serves as CTO/Founder at ShiftLeft, and most recently Chief Data Officer and GM Operations at Cloud- Physics. Prior to CloudPhysics, Chetan was part of early founding teams at CashEdge (acquired FiServ), Business Signatures (acquired Entrust)and EndForce (acquired Sophos).

We continue the "Epic Failures in DevSecOps" series by speaking with Edwin Kwan on his chapter, "Threat Modeling - A Disaster Story". Edwin is Application and Software Security Team Lead at Tyro Payments. In our discussion, we talk about the three things he learned through his "Epic Failure": -- Demonstrate value at the buy-in -- Get early feedback -- Automate as much as possible During our discussion, we talk at length about the role of security and how to begin implementing automation at the earliest stages of the development process. About Edwin Kwan Edwin Kwan is the Application and Software Security Team Lead for a bank. His approach toward application and software security is to raise security awareness, provide light touch controls to the software development life cycle to increase visibility of security issues and work closely with engineering teams to quickly develop secure applications. Edwin started out as a software engineer and transitioned into the application security role to lead a range of security initiatives when the company was working towards obtaining an unrestricted banking licence. As a Software Engineer, he has over a decade of experience developing large scale; real-time; high performance; high reliability software applications for major telecommunication vendors. He is also experienced in working with stakeholders from small to large organisations to design and develop innovation solutions to help manage and grow their business.

Stefan Streichsbier talks about his chapter, "Unicorn Rodeos", in the just released book, "Epic Failures in DevSecOps". We start with where did the chapter name come from and what does it mean, then lead into his three main points for hanging on for the rodeo ride: -- Don't waste time over-engineering -- Build for the right audience -- Find your champions We conclude with a discussion of technology trends in South East Asia and Indonesia. People mentioned include Gene Kim, Caroline Wong, Fabian Lim, Mohamed Imran, Magda Chelly, Edwin Kwan, DJ Schleen and others.

DJ Schleen talks about his upcoming 15 part video series, "The DevSecOps Experiment", where he will walk through the setup of a software supply chain, including building in security during every step of the process. This is a lab workshop type series, where you'll be able to immediately implement the solutions at the end of each 15 minute session. DJ will be available to answer your questions on his public slack channel as well as provide resources in the DevSecOps Days github repository. This is a free, online workshop series. To be notified when each segment of the series is released, please sign up for notification on DevSecOpsDays.com

In this broadcast, I speak with Chris Roberts and Derek Weeks about lines of responsibility and npm package highjacking in light of the event-stream vulnerability announcement last week. The announcement of the event-stream npm package vulnerability has once again raised the issue of who it ultimately responsible when a breach like this is announced. Is it the original creator of the package? What about the team maintaining the package? Where does' the end user fit it in? How does social engineering come into play?

Once again, the pattern of taking over a known package and modifying it with malicious intent has happened. In this case, it's with the event-stream module in the npm repository. In this broadcast I speaker with Thomas Hunter, Software Developer at Intrinsic and author of "Compromised npm Package: event-stream", and Brian Fox, CTO of Sonatype, author of the Forbes "Open Source Developers And Infrastructure Are The New Front Line Of Security?" article. Compromised npm Package: event-stream https://medium.com/intrinsic/compromi... Open Source Developers And Infrastructure Are The New Front Line Of Security https://www.forbes.com/sites/forbestechcouncil/2018/05/11/open-source-developers-and-infrastructure-are-the-new-front-line-of-security/#2ad9e84457c2 Open Source Software Is Under Attack; New Event-Stream Hack Is Latest Proof https://blog.sonatype.com/open-source-software-is-under-attack-new-event-stream-hack-is-latest-proof

"The guy who wrote wifi software with SSID never imagined that someone could use that SSID to transmit data by writing two smaller applications to leverage it. We are constantly going to be in this [type of] battle. Ultimately we've got to find a way to stay ahead of it by understanding the mechanisms by which we're writing the abuse case possibilities." -- Shannon Lietz Following their session at DevOps Enterprise Summit 2018, I sat down and talked with Shannon Lietz and James Wickett to talk about who the real adversaries are when it comes to application security, what you can do to expose those adversaries and steps to get started in your own, internal adversary program. About Shannon Lietz DevSecOps Leader for Intuit Shannon Lietz is an award winning innovator with over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit where she is responsible for setting and driving the company’s DevSecOps and cloud security strategy, roadmap and implementation in support of corporate innovation. She operates a 24x7 DevSecOps team that specializes in Adversary Management. Prior to joining Intuit, Ms. Lietz worked for ServiceNow where she was responsible for the cloud security engineering efforts and Sony where she drove the implementation of a new secure data center. Ms. Lietz has significant experience leading crisis management large-scale security breaches and restoration of services for several Fortune 500 companies. She has previous experience as a founder a metrics company, leading major initiatives for hosting providers as a Master Security Architect, developing security software and consulting for many Fortune 500 companies globally. Ms. Lietz is an IANS faculty member and holds a Bachelors of Science degree in Biological Sciences from Mount St. Mary’s College. About James Wickett Head of Research, Signal Sciences James spends a lot of time at the intersection of the DevOps and Security communities. He works as Head of Research at Signal Sciences and is a supporter of the Rugged Software and DevSecOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of several security and DevOps courses onLinkedIn Learning, including: DevOps Foundations, Infrastructure as Code, DevSecOps: Automated Security Testing, Continuous Delivery (CI/CD), and Site Reliability Engineering. He got his start in technology when he founded a startup as a student at the University of Oklahoma and has since worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. He is a dynamic speaker on topics in DevOps, AppSec, InfoSec, cloud security, automated security testing, DevSecOps and serverless. James is the creator and founder of the Lonestar Application Security Conference which is the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and previously served on the global DevOps Days board. He also bears several security certifications including CISSP and GWAPT.

"If you look inside a large enterprise IT organization, they have this very bizarre and broken layer that's completely separating the way that business thinks in terms of products, budgets and costs, and the way IT people know the way they need to innovate, which is delivering products faster." -- Mik Kersten I sat down with Mik Kersten, CEO of TaskTop, and John Willis after Mik's presentation at DOES2018. His new book, Projects to Products, is an attempt to help the industry move from using success metrics more appropriate for the industrial age, to a new type of measurement where value is measured as part of the overall business goal through Value Stream Mapping. About Mik Kersten Dr. Mik Kersten is the CEO of Tasktop Technologies, creator and leader of the Eclipse Mylyn open source project and inventor of the task-focused interface. As a research scientist at Xerox PARC, Mik implemented the first aspect-oriented programming tools for AspectJ. He created Mylyn and the task-focused interface during his PhD in Computer Science at the University of British Columbia. Mik has been an Eclipse committer since 2002, is an elected member of the Eclipse Board of Directors and serves on the Eclipse Architecture and Planning councils. Mik's thought leadership on task-focused collaboration makes him a popular speaker at software conferences, and he was voted a JavaOne Rock Star speaker in 2008 and 2009. Mik enjoys building tools that offload our brains and make it easier to get creative work done. Specialties: Software Development Tools, Productivity tools, Task-Focused Interfaces, Application Lifecycle Management, Agile, Management, Aspect-Oriented Programming, Eclipse, Java

Why would you allow open source usage in your company. What are the compelling reasons to take the risk. In this discussion, I talk with Topo Pal and Derek Weeks about the industry perception of open source and what's really happening behind the curtain at large enterprises. Topo had just finished his keynote presentation at DevOps Enterprise Summit 2018 and I wanted to dive a little deeper into some of the things he talked about. About Topo Pal Dr. Topo Pal is Senior Director & Sr. Engineering Fellow Capital One. His main areas of expertise are in DevOps/DevOpsSec/ Rugged DevOps and Continuous Integration, Continuous Delivery. Topo is also interested in Natural Language Processing, Information Extraction, Architecture Strategy, Application Architecture and Integration Architecture. About Derek Weeks Derek E. Weeks, Vice President, Sonatype. Derek is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is also the co-founder of All Day DevOps, an online community of 40,000 IT professionals, and the lead researcher behind the annual State of the Software Supply Chain report for the DevOps industry. In 2018, Derek was recognized by DevOps.com as the "Best DevOps Evangelist" for his work in the community.

"The compensation, the incentives that people have are very much anchored in short term objectives that do not take into account the vision for the bigger transformations that are happening within the market." -- Sacha Labourey, CEO, CloudBees Sacha Labourey runs one of the most visible, respected companies within the DevOps and DevSecOps communities. At Jenkins World 2018, I sat down with Sacha to hear how his year went, how security can become more of an important process within the software development pipeline and how the Jenkins community adds value to the company.

While at 2018 AppSec EU, I spoke with Sam Stepanyan and Grigorios Fragkos, chapter leaders of one of OWASP's largest chapters. The conversation centered around what does it take to grow a community, what does it take to lead a chapter.

This is Mark Miller, Executive Producer. 4 years ago I took over the creation and curation of the OWASP podcast series. In that time, there have been 118 episodes, with a combined listenership of over 269,000 plays. The series began as a way to speak with OWASP project leads and chapters leaders to let the community hear what was being worked on. Gradually, the show has morphed into something broader. Recent broadcasts highlighting the work done in the DevOps and DevSecOps Communities receives well over 2000 listeners per episode. We have helped give exposure to DevSecOps practitioners at major AppSec Conferences in Europe and the United States, I have produced the DevSecOps tracks at RSA Conference in San Francisco and Singapore for the past 3 years, and we've given voice to the security practitioner in lieu of the security vendor through the production of All Day DevOps. This has allowed us to reach out to new communities, a new listenership, interested in hearing how software security is changing from a manual, labor intensive process, to an automated, supply chain solution. Cultural transformation, Continuous Delivery/Continuous integration, Cloud Native Infrastructure, and Site Reliability Engineer are all topics needing coverage if we are to truly build secure software. The future of this podcast series is in focusing on DevSecOps and the practitioners who are willing to share their stories and solutions to the OWASP Community. I'll talk with people like DJ Schleen who runs the DevSecOps initiative at Aetna, John Willis who brought the first DevOps Days to the United States, and Shannon Lietz who has introduced the concept of Red Teams to her colleagues at Intuit. We will continue to highlight OWASP projects and chapters, while having discussions that are inclusive of other communities with different ideas on the future of software security. It's an important transition historically to a safer, more secure world and we want everyone be be a part of it. I hope you stay with us as we begin to explore new voices, expand on existing ideas and highlight the diversity that will truly change our industry. Welcome to the new podcast series, DevSecOps Days.

In this episode, I speak with the organizing committee of 2018 AppSec EU, hearing about what's planned and why you should consider attending this international conference in London.

On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind lgtm.com. In this episode of OWASP 24/7, I speak with research team at Semmle on how they discovered the vulnerability. Also, Brian Fox joins the discussion on the process for responsible disclosure, different ways to approach it and what other companies and projects are doing when a vulnerability is found in their project. About Man Yue Mo — Security Researcher at Semmle for lgtm.com During his PhD in mathematics at Oxford, Mo became interested in scientific algorithm development with a focus on data science and machine learning. At Semmle, Mo developed an interest in Semmle's core technology for writing queries over source code. This QL query technology is freely available on lgtm.com for the open source community to use for analyzing their code. Mo has since used QL to identify numerous security vulnerabilities, including CVE-2017-8046 in Pivotal's Spring Data REST, and the infamous CVE-2017-9805 in Apache Struts. He continues to works closely with the open source community to ensure these vulnerabilities are patched and responsibly disclosed. The blog on https://lgtm.com/blog contains various articles by Mo on how to use QL for security research. About Bas van Schaik — Head of Product at Semmle As the Head of Product at Semmle, Bas is responsible for the entire product portfolio — from the core QL query technology, to lgtm.com where this technology is made freely available to the open source community. Following his PhD in Computer Science at Oxford, Bas joined Semmle to work on machine learning and data science techniques for extracting insights from software engineering data. After setting up a strong team of machine learning experts, he now works closely with engineers and leaders to ensure that Semmle's products are effective in all parts of the software development process — to secure and improve code, reduce risk, and deliver actionable insights. He works closely with pioneers in the open source community, as well as with developers and leaders at organizations such as Google, Microsoft, NASA, Credit Suisse, NASDAQ, and Dell. About Brian Fox, CTO, Sonatype Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

Shannon Lietz, Caroline Wong and Paula Thrasher will give the opening remarks at DevOps Connect: DevSecOps Days on April 16 at the RSAC Conference in San Francisco. On today's show, I talk with Shannon, Caroline and Paula, on what they hope to accomplish during their talk, and why DevSecOps is becoming the hottest topic in this year's growth of the DevOps Community.

Prior to his work as Principal Software Assurance Engineer at MITRE, Kevin E. Greene was R&D Program Manager for the Department of Homeland Security. He is currently on the organizing committee for HackNYC, helping to organize talks and sessions around protecting and securing our national infrastructure. I spoke with Kevin about the current state of software security and how each of us can play a roll in the security of modern software. About Kevin E. Greene With more than 17 years of information assurance and security experience in security program management, assessment, auditing, and testing, Kevin Greene brings valuable skills and capabilities to the Department of Homeland Security Science and Technology Directorate (DHS S&T). As a member of the Homeland Security Advanced Research Projects Agency (HSARPA) Cyber Security Division, Greene has identified, developed, and transitioned technology projects through multiple commercial and academic organizations for the past two years. Responsible for the oversight and management of research and development projects for improving the testing, analysis, and evaluation techniques used in software quality assurance tools, he currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed to advance secure software development best-practices within the industry.

In May, at HackNYC 2018 in New York City, Dr. Bill Curtis' team of Tracie Gerardi and Lev Lesokhin will deliver a presentation on putting an end to "Technical Debt". I spoke with Dr. Curtis about his work in the creation of various maturity models, the current state of security in software development and "what keeps him up at night". You might be surprised at his answer. Listen in... About Dr. Bill Curtis Dr. Bill Curtis (1948) is an American software and organizational scientist. He is best known for leading the development of the Capability Maturity Model [1] (CMM for Software) and the People CMM [2] in the Software Engineering Institute at Carnegie Mellon University. He co-founded TeraQuest, a provider of CMM-based services, which was sold to Borland Software Corporation in 2005. He has published 5 books, over 150 articles, and in 2007 was elected a Fellow of the Institute of Electrical and Electronics Engineers for his career contributions to software process improvement and measurement.

The OpenChain Project identifies key recommended processes for effective open source management. The project builds trust in open source by making open source license compliance simpler and more consistent. In this broadcast, I speak with Shane Coughlan, project director, about the purpose of the project and what his team hopes to accomplish in 2018.

Newly elected to the OWASP board, Greg Anderson is interested in how to expand the OWASP community. I talked with him about what he hope to accomplish in his tenure on the board, the first initiatives he would like to implement and on various ideas for working with OWASP chapters, projects and events. About Greg Anderson Technical leader with 6+ years of experience in all facets of security. Primary areas of expertise include application security, security in DevOps, security automation, program management and program development.

Caroline Wong, Paula Thrasher and I were having lunch at DevOps Enterprise Summit when the conversation took an interesting turn. Paula and Caroline had been on a panel the previous day and didn't get a chance to do a deep dive into any of the topics. As we were talking at lunch, I realized is was a good opportunity to give them a chance to talk with each other on government vs public software security, about how the OWASP Top 10 might best be used and to they have discovered as common security patterns in their large scale projects. About Caroline Wong I am a strategic leader with strong communications skills, cybersecurity knowledge, and experience delivering global programs. My close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. I have been featured as an Influencer in the Women in IT Security issue of SC Magazine, named as one of the Top 10 Women in Cloud by CloudNOW, and received a Women of Influence Award in the One to Watch category from the Executive Women's Forum. I authored the popular textbook Security Metrics: A Beginner's Guide. About Paula Thrasher Paula Thrasher has 20+ years experience in IT and has spent the last 15 years trying to implement Agile culture in the federal government. Paula’s first Agile project was in 2001, since then she has led over 15 programs and projects as an Agile developer, technical lead, Scrum master, or Agile coach. Her teams have helped two separate federal agencies migrate applications to Amazon AWS GovCloud, and done some other amazing DevOps ninja work along the way. Paula is a proud Carnegie Mellon University alumna with a B.S. in Statistics, is a Certified Scrum Master (CSM) and a Project Management Professional (PMP), but prefers learning new things through experience and working with smart people.

In our continuing series on the Struts2 vulnerability announcement and the breach at Equifax, we spoke with Mark Thomas, Director, Apache Software Foundation, and Brian Fox, CTO, Sonatype to clarify the processes ASF goes through when a vulnerability is found within one of their projects. About Mark Thomas Mark is currently employed by Pivotal where he spends most of his time working on Apache Tomcat. At the Apache Software Foundation, Mark is a committer and PMC member for Apache Tomcat as well as other projects. At the foundation level he is an ASF member, a member of the security and trademarks committees, is an infrastructure volunteer and a Director. Mark speaks regularly on Apache Tomcat including at ApacheCon.

A conversation on the ramifications of recent Struts2 announcements, the exploit at Equifax and the responsibility of companies using open source software. David Blevins, CEO, TomiTribe Brian Fox, CTO, Sonatype

What you should know about the latest struts2 vulnerability announcement w/ Brian Fox, CTO Sonatype, and Matthew Konda , Chair, OWASP Board of Directors. If you're a developer and concerned about security, a struts2 vulnerability announcement came out yesterday. I interviewed two experts to talk about the announcement and what you should be looking for. If you would like to watch a video of the interview, you can find it on YouTube: https://www.youtube.com/watch?v=jtUfPom06bo

Most of us want to help kids become proficient in programming and cybersecurity, but don't know how to get started or have time to manage such a project. Prashant Kv figured he'd put a team together with Vandana Verma and Rupali Dash and give it a shot. The first event in Bangalore was a huge success, with over 200 kids participating. I spoke with the Prashant, Vandana and Rupali about how the event was put together, why it worked and what their plans are for future events.

Earlier this week, Simon Bennetts from the OWASP ZAP Project announced the official availability of the OWASP DockerHub for housing projects. I caught up with Simon soon after to hear how ZAP was utilizing DockerHub and the benefits of containerization. https://hub.docker.com/u/owasp/

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the ModSecurity Core Rule Set Project with project co-lead Christian Folini. The OWASP ModSecurity CRS Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the OWASP Summit 2017 with conference organizer Sebastien (Seba) Deleersnyder. OWASP Summit 2017 is a 5-day participant driven event, dedicated to the collaboration of Development and Security professionals, with a strong focus on DevSecOps.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the WebGoat Project with project co-leads Jason White and Nanne Baars. WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Vicnum Project with project lead Nicole Becher. The Vicnum Project is a collection of intentionally vulnerable web applications. Vicnum applications are commonly used in Capture the Flag exercises at security conferences.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Defect Dojo Project with project lead Greg Anderson. The Defect Dojo is an open source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Virtual Village Project with project lead Evin Hernandez. The Virtual Village provides users with access to numerous operating system's Desktop as well as Servers. Users are able to create custom apps for other OWASP projects, as well as be able to request test environments , or honey pots , etc.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Juice Shop Project with project lead Bjoern Kimminich. The Juice Shop is an intentionally insecure webapp for security training, written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Bjoern Kimminich (Project Leader OWASP Juice Shop) Personal Twitter: http://twitter.com/bkimminich OWASP Juice Shop Project Twitter: http://twitter.com/owasp_juiceshop Project Wiki Page: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Main Github Project: https://github.com/bkimminich/juice-shop Juice Shop CTF-Extension Project: https://github.com/bkimminich/juice-shop-ctf

"Why does OWASP even exist? Why do we even have this idea of understanding common issues, common problems. There are resources to help us do it better next time. I feel we are not learning at the curve where we should be, considering the resources available to us." -- Jaya Baloo As CISO of KPN, the largest telecom in the Netherlands, Jaya Baloo has a lot on her mind, but maybe not what you'd think. In this free wheeling discussion, we begin with what Jaya will be talking about during her keynote at AppSec EU 2017 in Belfast, and then move into cryptography, quantum technologies, and her concerns with the way software is currently built.

Brian Fox and Shannon Lietz talk about the recent announcement of the struts 2 vulnerability: What is it, how can it affect you, what you can do about it. You can view this broadcast as video on YouTube: https://www.youtube.com/watch?v=EzRKOudJPtQ

In mid-May I'll be joining the organizing team of AppSec EU 2017 in Belfast for a week of security and DevOps sessions. Listen in as Gary Robinson, Michelle Simpson and Owen Pendlebury talk about what's planned for the week.

In preparation for her keynote session at AppSec EU 2017 in Belfast, Shannon Lietz continues to explore the integration of DevOps and security. This is a recording of her session at RSAC 2017 in San Francisco.

Shannon Lietz, DevSecOps Lead at Intuit, will be giving a keynote presentation at AppSec EU 2017, Belfast. I talked with Shannon about what she will be presenting and why she is so excited to return to Ireland.

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. It is one of the most used projects at OWASP. With the current team headed by Bruce Mayhew, Nanne Baars and Jason White, work is moving forward on the creation of new content for creating training lessons for application security. I talked with Bruce and team about what they've done with the latest update and what they hope to accomplish in the coming year.

The OWASP ModSecurity Core Rule Set Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. Chaim Sanders,Ryan Barnett, Christian Folini and Walter Hop are the team coordinating the project. During 2016 AppSec USA, I spoke with Chaim about the purpose of the project, the work work done in the past year, the upcoming release and what the team hopes to accomplish in 2017. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

This is a live recording from 2016 IP Expo London, with Shannon Lietz (Intuit), Chris Swan (CSC) and host Mark Miller (Sonatype) discussing the future of security as it relates to DevOps. Shannon and Chris are real world practitioners, bringing stories from the trenches. We initially start with where the term DevSecOps came from, then move on to the future of automated security as part of the DevOps ecosystem.

Today's podcast is the fourth in a series of four, talking with prospective 2016 board members. Today's question is, "What is more important to you as a candidate 1) Members 2) Projects 3) Conferences 4) Chapters " The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.

Today's podcast is the third in a series of four, talking with prospective 2016 board members. Today's question is, "What is the single most important issue for you to tackle if elected to the board?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.

Today's podcast is the second in a series of four, talking with prospective 2016 board members. Today's question is, "Do you consider vendor neutrality an issue at OWASP? If so, why?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.

Today's podcast is the first in a series of four, talking with prospective 2016 board members. Today's question is, "What kind of action plan do you have in mind to help motivate the participation of Developers into OWASP community." The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.

From October 11 - 14, 2016, appsec professionals from around the world will gather in Washington DC to participate in one of this year's main OWASP events, AppSec USA 2016. In this broadcast, I speak with three organizers of the event (Andrew Weidenhamer, Mike McCabe, Patrick Cooley )to get insight as to what to anticipate at the conference, the unique qualities of an AppSec USA event, and a sneak peek at the sessions that will be given over the 4 day event.

Continuing the theme of integrating security in DevOps processes, I spoke with Sacha Lebourey, CEO of Cloudbees, during a stop at CD Summit in London. As one of the main players in the software supply chain for DevOps, I was interested in Sacha's perspective on how automated security fit into that supply chain. We start the discussion with "What is continuous delivery" followed by the place for security in the modern developer environment. About Sacha Labourey Sacha was born in Neuchâtel, Switzerland and graduated in 1999 from EPFL. It was during Sacha’s studies in 1996 that he started his first consulting business - Cogito Informatique. In 2001, he joined Marc Fleury’s JBoss project as a core contributor and implemented JBoss’ original clustering features. In 2003, Sacha founded the European headquarters for JBoss and, as GM for Europe, led the strategy and partnerships that helped fuel the company’s growth in that region. While in this position, he led the recruitment of some of JBoss’ key talent and acquisition of key technology. In 2005, he was appointed CTO of JBoss, Inc. and oversaw all of JBoss engineering. In June 2006, JBoss, Inc. was acquired by Red Hat (NYSE:RHT). After the acquisition, Sacha remained JBoss CTO and played a crucial role in integrating and productizing JBoss software with Red Hat offerings. In 2007, Sacha became co-General Manager of Red Hat’s middleware division. He ultimately left Red Hat in April 2009 and founded CloudBees in April 2010.

Sanjeev Sharma is a Distinguished Engineer at IBM. His main concern is how DevOps initiative scale in large enterprises. In this wide ranging discussion recorded during CD Summit in Stockholm, I talk with Sanjeev about DevOps adoption, how security will play a critical role in any automated, scalable solution and the transition of traditional IT operations to the role of service provider.

The "State of the Software Supply Chain Report" featured in today's show is an industry report produced by Sonatype. In the spirit of full disclosure, Mark Miller is the Senior Storyteller and DevOps Advocate for Sonatype. That said, no products are mentioned, nothing is being sold. Sonatype is the steward of the Central Repository and has access to an incredible set of data. The information in the report relates directly to A9 within the OWASP Top 10: Using components with known vulnerabilities. The full report is available as a free download. To describe the findings of the report and the discoveries made from analyzing the open source download patterns of 3000 companies, I spoke with Derek Weeks, VP and Rugged DevOps Advocate from Sonatype.

Jason Schmitt's passion is to assure security is built into the development process, not just as a bolt-on add-on. His experience in various aspects of software security has led him on a path through mobile, application and cloud security. In our conversation, Jason talks about the value OWASP provides to the community as well as what he perceives as a critical time for the integration between DevOps and security. About Jason Schmitt Jason Schmitt is vice president and general manager of HPE Security Products, Fortify for Hewlett Packard Enterprise. He is responsible for driving the growth of Fortify’s software security business and managing all operational functions within the group. Schmitt has extensive experience in product management, development and marketing for all types of web and security technologies. His expertise ranges from cloud-based secure web gateways, to application security and mobile security consulting services, to network-based video surveillance.

The Application Security Verification Standard Project is a Flagship project at OWASP. It provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. I sat down with Andrew van der Stock at AppSecEU 2016 to get the most recent updates on the project and to gain an insight into future plans.

At 2016 AppSecEU in Rome, five teams showed up for the University Challeng. I talked with the organizers of the challenge about the history of the project and two team leaders to see how the challenge was going and what value they were getting by participating in the contest.

In this episode, Jim Manico turns the tables on me for for his 100th podcast. He digs into my past, asks about my motivations for participating in OWASP, inquires on what I hope to accomplish through the series and how DevOps and security can be part of a single conversation when it comes to the software supply chain. Mark Miller is the Senior Storyteller and Developer Evangelist for Sonatype. He is the curator of TheNexus Community Project, while participating in DevOps and security conferences as a frequent panel host. He recently helped build the DevOps track for RSAC Conference 2016, InfoSec Europe 2016 and is working on the DevOps track for AppSecUSA 2016, this fall in Washington, DC. Mark's most recent project is "An Innovator's Journey to DevOps", a series of interviews and profiles highlighting important people and DevOps projects that deserve more exposure. You can listen to that series at www.sonatype.com/devops-an-innova…journey-sonatype

What can you expect when you attend AppSec EU 2016 in Rome at the end of June? I talk with Bart de Win and Matteo Meucci, conference chair, to see who is coming, why you should and what to expect when AppSec EU goes to one of the world's greatest cities. Registration is open: https://2016.appsec.eu/

To understand more about communication patterns in open source supply chains, Dr. Gail Murphy and Dr. Marc Palyart undertook a study of 1,227 public projects hosted on GitHub. I spoke with Dr. Murphy about the project and what it means for open source developers trying to generate visibility and community around their project. About Dr. Gail Murphy Dr. Murphy is a leading researcher on software evolution and tools. She brings to Tasktop extensive experience as a software developer and principal investigator of a large research group. In recognition of her research, Gail has been a keynote speaker at several software engineering conferences. She has received international awards, such as the AITO Dahl-Nygaard Junior Prize, a University of Washington College of Engineering Diamond Award, and an ACM Distinguished Scientist award. Her national awards include the NSERC Steacie fellowship. Most notably, Gail was elected to be a fellow of the Royal Society of Canada. This fellowship is the highest academic accolade in the sciences, humanities and arts bestowed in Canada. At the University of British Columbia, Gail is a professor in the Department of Computer Science, where she works on human-oriented software development tools to make software developers more efficient and effective, and associate dean (Research & Graduate Studies) in the Faculty of Science. About Dr. Marc Palyert Marc Palyart is a researcher in Software Engineering from the Software Practices Lab at the University of British Columbia. He holds a PhD from the University of Toulouse and a BSc (Hons) from the Dundalk Institute of Technology. When not in the lab you can find him wandering around the coastal mountains of British Columbia.

Lawrence Pingree and I were having a discussion in the press room at RSA Conference 2016. We talked about his work with Gartner, analyzing deception as part of cybersecurity. His voice was so passionate, I just had to turn on the recorder. I haven't heard many people talking about this subject, but it's intriguing to think about... more than honeypots, true deception. Have a listen. About Lawrence Pingree Lawrence Pingree has been an active member of the Information Security industry for many years. He has consulted for large financial institutions, corporations and government entities on technologies ranging from firewalls, intrusion detection, networks, system penetration, risk management, compliance, eDiscovery and Forensics. He has served as a Chief Security Architect at both Peoplesoft and Netscreen. He is currently an active member of the Information Systems Security Association (ISSA) of Silicon Valley as well as the Open Web Application Security Project (OWASP) and is a published author of two books. Lawrence is a founding board member of the Digital Forensics Association where he is serving as Vice President. In his spare time enjoys trading money on the foreign currency market, hiking, nature and performance cars.

Leigh Honeywell And Ari Rubenstein are Senior Staff Security Engineers at Slack. I saw Leigh on Wendy Nather's panel during RSA Conference 2016 and was interested in getting some insight into what's going on at Slack when it comes to DevOps. As luck would have it, Ari was in the audience, so we were able to step outside into the hallway and talk about how DevOps, security and engineering work together at Slack. About Leigh Honeywell Leigh reboots computers and makes hackerspaces. Leigh is a Security Engineer at Slack. Prior to Slack, she worked at Salesforce.com, Microsoft, Symantec, and Bell Canada. Her career has included everything from stringing cable and building phone systems to responding to some of the most serious computer security incidents in industry history, shipping software to a billion people, and protecting infrastructure running companies’ critical business communications. Her community work includes founding the HackLabTO hackerspace in Toronto, Canada, and the first feminist hackerspace, the Seattle Attic Community Workshop, as well as advising countless others and speaking about hackerspace cultures, collaboration, and open source software. She is Chief Security Officer of Double Union, a women’s hackerspace in San Francisco. She is a former administrator of the Geek Feminism wiki and blog, and current adviser to the Ada Initiative, the SECTor security conference, and the Magic Vibes Corporation. Leigh has a Bachelors of Science from the University of Toronto where she majored in Computer Science and Equity Studies. About Ari Rubenstein Senior Staff Security Engineer - Developed tooling for Security Automation, Detection, and Response - Implemented multiple open-source technologies to gain visibility on a company-wide level - Led feature reviews and architecture critiques - Discovered multiple vulnerabilities in Open Source Software, and committed fixes upstream - Performed code audits and static analysis - Collaborated cross-organization on Security topics with Sales, Accounts, Engineering, and Executive teams - Managed public-facing bug bounty program for product security issues - Provided guidance for customer questions and support tickets

You just have to accept it. The hackers are going to get in. The question is, what are you going to do once they are in? In preparation for Sam Guckenheimer's session at Rugged DevOps, RSA Conference 2016, I spoke with Sam about his work at Microsoft and how his team is working on Security War Games to keep things in check. About Sam Guckenheimer Sam Guckenheimer is Product Owner for the Microsoft Visual Studio Cloud Services, including VS Team Services and Team Foundation Server. He focuses on DevOps, Agile and Application LifeCycle Management (ALM). His most recent talk: From Box to Cloud at Gartner AADI 2015 is available at https://gartner.mediasite.com/Mediasite/Play/a246d6f2d86f47dab8fc4ee49887b5f81d. Sam is the author of three books, most recently Visual Studio Team Foundation Server 2012: Adopting Agile Software Practices: From Backlog to Continuous Feedback. Prior to joining Microsoft in 2003, Sam was Director of Product Line Strategy at Rational Software Corporation, now the Rational Division of IBM. Sam lives in the Seattle area with his wife and three children in a sustainable house they built that has been described in articles in Metropolitan Home and Pacific Northwest magazine.

After John Willis' keynote session next week at Rugged DevOps during RSA Conference 2016, he says he's going to grab a front row seat because he's so excited about the line up. In this interview, I talk with John about his relationship with Josh Corman and how they started working together. We talk about security as part of the software supply chain, the part Docker plays in the reference architecture picture for enterprise DevOps and how the developer world has changed in the past 5 years. About John Willis John Willis has worked in the IT management industry for more than 35 years. Currently he is an Evangelist at Docker Inc. Prior to Docker Willis was the VP of Solutions for Socketplane (sold to Docker) and Enstratius (sold to Dell). Prior to to Socketplane and Enstratius Willis was the VP of Training & Services at Opscode where he formalized the training, evangelism, and professional services functions at the firm. Willis also founded Gulf Breeze Software, an award winning IBM business partner, which specializes in deploying Tivoli technology for the enterprise. John has authored six IBM Redbooks for IBM on enterprise systems management and was the founder and chief architect at Chain Bridge Systems.

Chenxi Wang has had a diverse career in the technology industry, Before her current position as Chief Strategy Officer at Twistlock, she was Vice President, Cloud Security & Strategy at CipherCloud, Vice President, Strategy and Market Intelligence at Intel Security, and Vice President at Forrester Research. Along the way, she has worked on technology education initiatives and is currently at work on Equal Respect, a movement to stop the objectification of women in technology. In this interview, I spoke with Chenxi about her upcoming sessions at RSA Conference 2016, her work on the Equal Respect initiative, and her passion for software security education.

I first met Paula Thrasher at DevOps Summit 2016 in San Francisco. Her message about people at the core of software supply chain processes resonated with me enough that I invited her to participate on a panel at RSA Conference 2016 in San Francisco on February 29. In the run up to the conference, I recorded this call with Paula about what it takes to facilitate a large scale DevOps project for the US Government. Her main concentration is in change management and how to deal with the intricacy of various personalities when working with developers, the security team and operations. About Paula Thrasher Paula is an Application Delivery Lead at CSRA, formed from the merger of CSC's government services unit and SRA International. CSRA is a the leading provider in next-generation IT and professional services to the US Government. Paula leads digital transformations for customers across the federal government. She has 20 years experience in information technology and works in the federal market leading agencies and teams towards Agile and DevOps. Paula’s first Agile project was in 2001, since then she has led over 15 programs and projects as an Agile developer, technical lead, Scrum master, or Agile coach. Her teams have helped three separate federal agencies migrate applications to Amazon AWS GovCloud, and done some other amazing DevOps ninja work along the way. Paula a Carnegie Mellon University alumna with a B.S. in Statistics, is a Certified Scrum Master (CSM) and a Project Management Professional (PMP), but prefers learning new things through experience and working with smart people.

The OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community do decide the criteria for building the list of controls.

The WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. I caught with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of this project. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Several months ago Johanna Curiel figured she'd had enough and was ready to take a break from OWASP. Recently, she came back and is working tirelessly to revamp the Project Review initiative. I talked with Johanna about why she left, what has changed to make it enticing enough for her to return and what her vision is for the Project Review team in the coming year.

As we move into 2016 and my second year as executive producer of OWASP 24/7, I want to give a quick overview of my objectives for the year and what you can expect from the series.

Funding of projects. Allocation of personal time. What does it take to get a project funded with limited resources? The OWASP NYC/NJ chapters are trying something new at the December 7th meeting: two projects will make pitches to a crowd of 300, with two angel investors in attendance. In this OWASP 24/7 broadcast, I talk with Tom Brennan, event organizer, and the two people who will be pitching their projects. Listen in to see if this is something you might want to do for your chapter or project. Here's a review of the Shark Tank pitch that two people made on the actual Shark Tank show. Needless to say, it didn't go too well. http://www.inc.com/brian-j-oconnor/shark-tank-recap-there-s-no-crying-on-shark-tank.html Find out more about the December 7 event on the NYC/NJ Meetup Page http://www.meetup.com/nycmetrocsc/ Credit: Music for today's broadcast was provided by the George Cole Quintet. Here more at http://georgecole.net/

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. Project on OWASP https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

There's been a lot of discussion around the OWASP Benchmark Project since it's latest release. Jeff Williams wrote an article and then received a response from Chris Wysopal at Veracode. I was able to catch up with Dave Wichers, OWASP Project Lead, during AppSecUSA 2015 in San Francisco. I had Dave talk me through the project and what its intentions are. Resources: OWASP Benchmark Project https://www.owasp.org/index.php/Benchmark Why it's Insane to Trust Static Analysis http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274? No One Technology is a Silver Bullet https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet

The Security Shepherd Project is a mobile web application training platform for penetration testing. It covers the OWASP Top 10 risks from both the mobile and web projects. This recording was made at AppSecUSA 2015 during the Project Summit.

When I was at AppSecUSA 2015 in San Francisco, I was standing in the hallway talking with Matt Tesauro, Shannon Lietz and Jez Humble. We decide that our discussion was interesting enough to continue, so we grab a room and just started talking. Heads up: There are basic audio problems with the recording, such as some background hiss and some high frequency whining (not from us, from the lights overhead!). It was an interesting discussion about real world scenarios that the three have seen in different environments, with solutions for those issues. There's an important summary that starts at 34 minutes where each of them specifies the most important things they'd like you to take away from the discussion.

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Abbas Naderi, Michael Coates and Jonathan Carter.

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Bil Corry and Josh Sokol.

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Milton Smith, Tobias Gondrom and Tom Brennan.

With over 20,000 downloads within it's first two months of release, the Security Knowledge Framework Projects seems to have hit a resonant chord with the OWASP community. Glenn Ten Cate and his brother Riccardo created the project as a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. I spoke with Glenn about the project and it's future growth. You can learn more about the project on the OWASP project site: https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

With the OWASP Summer of Code Sprint 2015 in full swing, OWASP 24/7 caught up with project lead Fabio Cerrulo to see what the future of the project looks like and what to expect from the current sprint.

In part two of our open discussion on project funding for OWASP projects, I talk with Johanna Curiel, Project Review Team Leader, and Claudia Casanovas, the newly appointed Project Coordinator. In this broadcast, we explore the roadblocks to getting OWASP project funding, discuss how to create a better process for requesting funds, and talk about historical examples of how the current process has, and has not, worked.

How do projects get funded at OWASP? Who should have access to those funds? What is the history of projects being funded at OWASP? In this wide ranging discussion we talk with Andrew van der Stock, Dinis Cruz and Josh Sokol about access to funds for project leads and the perceived difficulty of getting funding.

John Patrick Lita has been working on the OWASP Online Academy since February. He plans to release it to the community within the next month. In this conversation, we talk with John about his plans for the project. Joining us is Jerry Hoff, one of the first content contributors to the Online Academy. https://www.owasp.org/index.php/OWASP_Online_Academy

This year's AppSec USA Conference will be held in San Francisco, September 22 - 25. I spoke with Ben Hagen and Michael Coates, organizers of the event, to see how the planning is going and what will be special about this event. https://2015.appsecusa.org/

Paul Richie has been executive director of OWASP since July of 2014. In our talk, I get Paul's perspective on the best ways for chapters to utilize OWASP resources and what he sees in the near future for OWASP.

In this segment, we talk with the co-coordinators of the OWASP OWTF Project. The aim of the project is to make security assessments as efficient as possible by automating the manual, uncreative part of pen testing.

In this segment of OWASP 24/7, I speak with Tobias Gondrom on the strategic goals for OWASP in 2015.

In this broadcast, we talk with the organizing committee from AppSecEU 2015 to see what they've been working on and what you can expect when you go to the conference in Amsterdam this May.

Johanna Curiel is the wizard behind the curtain that manages the evaluation of OWASP projects. In this wide ranging discussion, I talk with Johanna about the criteria for project evaluation, how projects become "Flagship" status and what it takes to run a project of this size. About Johanna Curiel Johanna Curiel is a security engineer and developer of financial tools for Algorithmic Trading software. She workson multiple open source initiatives such as Owasp, Openbloomberg, Algorithmic Trading and bug hunting activities and hackatons.

I caught up with Tom Brennan, coordinator of the 2015 OWASP Project Summit in New York City to hear what he has in store for the 2 day event. http://www.meetup.com/OWASP-NYC/

The first SAMM (Software Assurance Maturity Model) will be held in Dublin, Ireland on March 27 - 28, 2015. I spoke with Seba Deleersnyder, co-ordinator of the summit to find out his goals for the SAMM project as well as the his hopes for the summit. About Seba Deleersnyder As security project leader, application security specialist, trainer and trusted advisor for our customers, I have a track record of delivering information security projects. I specialise in Web & Mobile Application Security, combining both my broad software development and ICT security experience.

What does it take to put on a successful conference? How much work is involved? In this segment, I sit down with Neil Matatall and Richard Greenberg, co-organizers of AppSec California 2015. We talk about how they came up with the idea and what resources were needed to pull off such a successful event. About Richard Greenberg Richard Greenberg, CISSP, a recognized leader in Information Security, is President of the Los Angeles Chapter of OWASP. His day job is Information Security Officer for the Los Angeles County Department of Public Health.

The OWASP AppSensor Project has just released version 2.0. In this broadcast we speak with John Melton, project code lead, on the latest features in the release and what the future looks like for the project. About John Melton John is one of the co-leaders for the OWASP AppSensor project and leads the software implementation. For his day job, he is a principal security researcher for WhiteHat Security, working in the SAST space. His background is in software and security engineering.

Moxie Marlinspike is the founder of Open Whisper Systems which is both a large community of Open Source contributors, as well as a small team of dedicated developers. Together, the members of Open Whisper Systems is working to advance the state of the art for secure communication, while simultaneously making it easy for everyone to use. Moxie works on secure protocols, Android clients, and server software. He has been contributing to Open Whisper Systems since it was Whisper Systems, formerly ran the product security team at Twitter, started the first cloud-based password cracking service. He has also published a number of attacks on secure protocols like SSL and MS-CHAPv2. He has been a keynote speaker at past OWASP and other security conferences.

At the IBM DevOps Symposium I watched as Dibbe Edwards enthralled the audience as she explained how IBM has instituted DevOps and Agile throughout the development cycle. In some cases the results are nearly unbelievable, such as reducing Overall Time to Development from 120 days down to 3 days. I wanted to hear more about how she could create such startling results, so I gave her a call. About Dibbe Edwards Dibbe Edwards is Vice President, IBM Rational DevOps Capabilities Development responsible for the executive leadership of Rational’s development business covering key aspects of IBM’s DevOps strategy and offerings, including application lifecycle management and reporting, quality and requirements management, systems development and architecture management, SaaS-based offerings, and integration and open software development. Dibbe is additionally driving Rational’s own internal continuous software delivery activities as well as Rational’s on-going transparent development initiative through jazz.net. Dibbe is a frequent speaker at devops events, including recently at DevOps Enterprise . She blogs at IBM developerWorks where she most recently authored a blog about A Day in the Life of an Enterprise DevOps Team.

The WebGoat Project has developed a free online tool used to test and uncover application flaws that might otherwise go unnoticed. In this episode of OWASP 24/7, we talk with two of the WebGoat team members, Rick Lawson and Jason White, about how WebGoat is being used and future plans. More about WebGoat WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard

During a meeting at AppSec USA 2014 in Denver, the SWAMP team presented its case for working with OWASP to support a marketplace for security tools. I sat down with Kevin E. Greene from DHS S&T, Cybersecurity Division to talk about what SWAMP is an how OWASP and its various projects might become involved. About Kevin E. Greene Software Assurance Program Manager responsible for oversight and management of research and development projects focused on improving the testing, analysis, and evaluation techniques used in software quality assurance tools. In addition, responsible for building a Software Assurance Marketplace (SWAMP) which will provide continuous software assurance services. The SWAMP (www.cosalab.org) will serve as a national marketplace that will provide a collaborative research infrastructure to advance improvements in software development activities, as well as improvements in software quality assurance tools in the area of precision, soundness, and scalability.

I was able to get a quick update from Damon, Matt, Eoin and Martin this week at AppSec USA 2014 Denver. They each have a different perspective on what is going with OWASP in different parts of the world. Have a listen...

With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Mateo Martinez. (Please note: This interview was done over the net with a connection from New York City to Montevideo, Uruguay. In some places, there is considerable static.)

With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Jim Manico and Timur Khrotko.

With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Andrew van der Stock, Nigel Phair and Abbas Naderi .

With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come “face-to-face” with prospective board members. In this session, we talk with Israel Bryski, Matt Konda, Bil Corry and Tahir Khan.

On the day before Black Hat 2014 kicked off, I was able to sit with Jonathan Carter to talk about his work and the projects he participates on in OWASP. The audio recording is a bit raw because the sound was cranked up in a conference full of people. What Jonathan has to say should more than compensate. About Jonathan Carter Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security. Jonathan’s technical background in artificial intelligence and static code analysis has lead him to a diverse number of security roles: Enterprise Security Architect, Web Application Penetration Tester, Fortify Security Researcher, and Security Governance lead. He is currently Arxan’s Technical Director.

Sarah Baso is leaving OWASP at the end of the month. As executive director, she has been at the helm of the organization, helping to set up and run OWASP as a business. In our conversation we talk about the ups and downs of her tenure, and how she would like to be remembered in the future. About Sarah Baso Sarah is based in San Francisco, Californa, USA and has been the Executive Director of the OWASP Foundation since April 2013. In this role, she supervises the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.

It's become a regular thing at AppSec: test the experts on their knowledge of current software security news events. This session was recorded at AppSec Europe 2014 with panelists Chris Eng, Matt Tesauro and Josh Corman. If you'd like to play along, you can view the gameshow slide deck. Looking forward to seeing you at our next AppSec session of "Wait Wait! Don't pwn me!"

Eoin (pronounced Owen for you Yankees) Keary runs a software security practice in Ireland. In his "spare time", he is a global board member for OWASP. At the AppSec Europe 2014 Conference in Cambridge, UK, I spoke with Eoin about how to get more women into the software security industry, starting with their participation in OWASP. About Eoin Keary Eoin Keary has been with OWASP since 2004. He is based in Ireland and runs a software security practice, bccriskadvisory.com. He is currently on the global board of the OWASP foundation, he was elected to the board in 2009. During this time Eoin assisted in founding the OWASP legal entity in Europe and has helped provide structure to OWASPs finances and strategy. Eoin previously lead the OWASP Testing Guide and currently the OWASP Code Review Guide and also contributed to other OWASP projects such as OWASP SAMM, OWASP CISO Guide & CISO Survey, OWASP Cheat sheets, and the OWASP ASVS & ZAP as a reviewer. Eoin also founded the OWASP Dublin chapter in 2006 and the OWASP Ireland event in 2008 which is in its 4th year and also hosted OWASP EU in 2011.

Achim Hoffman is a researcher who has created a tool for listing information about remote target's SSL certificate and testing the remote target against a given list of ciphers. This OWASP project, o-Saft, first gained notice when Jim Manico mentioned it on the OWASP email list. At AppSec Europe 2014, I was able to speak with Achim, along with Matt Tasauro, about the function of the tool and its uses. n About the Project o-Saft is designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important informations or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people. O-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can simply be turned into an online CGI-tool (please read documentation first). About Achim Hoffman Co-Autor OWASP: Best Practices: Projektierung der Sicherheitsprüfung von Webanwendungen https://www.owasp.org/images/0/00/OWASP-Projektierung_der_Sicherheitspr%C3%BCfung_von_Webanwendungen_v101.de.pdf Autor Sicherheit von Webanwendungen: BSI-Maßnahmenkatalog und Best Practices http://www.bsi.de/literat/studien/websec/WebSec.pdf Contributor to WASC Web Application Firewall Evaluation Criteria http://www.webappsec.org/projects/wafec/ Co-Author OWASP: Best Practices: Web Application Firewalls http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls Reviewer/Contributor to WASC Threat Classification v1 Deutsche Übersetzung der WASC Threat Classification v1 http://www.webappsec.org/projects/threat/ Reviewer/Contributor to WASC Threat Classification v2 http://projects.webappsec.org/Threat-Classification-Authors

The OWASP Top 10 Privacy Risks Project aims to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. I spoke with co-leads Florian Stahl and Stefan Burgmair about how the project was started, the selection process for the top 10 risks and their future plans. About Florian Stahl Florian Stahl is a German security and privacy consultant and evangelist. He achieved his master’s with honors in information systems science at the University of Regensburg in Germany and his master's in computer science at Växjö Universitet in Sweden. Florian started his professional career at the Swedish security software vendor Cryptzone in Gothenburg in 2006. He came back to Germany in 2009 and worked as consultant for Ernst & Young in Munich before moving on to msg systems where he currently holds the position as Lead Consultant. Florian has CISSP and CIPP/IT certifications and speaks fluent German, English and Swedish. His aim is to follow a holistic approach by combining technical, organisational and social measures to protect information. He is regular speaker at conferences and writes articles for magazines and on his blog securitybydesign.de. He leads the OWASP_Top_10_Privacy_Risks_Project. About Stefan Burgmair Stefan Burgmair is a German student at the Munich University of Applied Sciences. After he gained his B. Sc. title in Information Systems and Management he now writes his master thesis on the "Top 10 Privacy Risks for Web Applications" at the msg systems. Together with his advisor Florian Stahl, he is managing the OWASP Top 10 Privacy Risks Project.

In anticipation of Security Awareness Month in October, Tom Brennan is planning an event featuring a cross section of various cyber groups in New York and New Jersey. A few weeks ago, I attended a Meet Up in New York City where many of the local groups got together to talk about what they are working on and how that plays into the October event. The Meet Up was VERY loud, so the sound quality leaves a bit to be desired, but the passion and enthusiasm still comes through. The first segment of the show is an introduction with Tom Brennan as he talks about the cross-group event he put together in March and his plans for creating a large, cross-cyber group event for Security Awareness Month in October. I then spoke with Ian Amit, one of the OWASP chapter leaders for New York. He describes what he is working on for the OWASP chapter in New York. Izabela Pelszynska joins us to speak about the Women in Security group, and we end with a round table discussion of the upcoming event in October.

At 2014 SOURCE Boston, Josh Corman told me that Wolfgang Goerlich had an interesting DevOps story to tell. I sat down and spoke with Wolfgang and was astounded to hear a tale that could have come straight out of Gene Kim's book, The Phoenix Project. Listen in as Wolfgang describes the process of taking over a project that was mired in technical debt, falling behind in deliverables to stakeholders and in need of a new way of thinking. To me, this story is one of the strongest statements for DevOps that I've heard. About Wolfgang Goerlich As Vice President of Consulting Services at VioPoint, Wolfgang supports clients by advising, identifying, and assisting in managing information security risk as well as mentoring VioPoint’s consulting team. Wolfgang, known for his outstanding leadership in the technology and information security community, is the co-founder of OWASP Detroit and an organizer of the annual BSides Detroit conferences as well as an accomplished speaker at regional and national security events.

Dwayne Melancon, CTO of Tripwire, has an interesting idea: turn your team into gamers, let them build their internal images and support that vision. This isn't the type of thing you'd expect to hear at a security conference. In this short conversation, I talk with Dwayne about how to implement employee game theory within your project team. About Dwayne Melancon I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon’s SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles. As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.

The HeartBleed bug is running rampant on many major sites such as Chase and Yahoo while people are scrambling madly to find solutions. At the SOURCE Boston Conference this morning, I caught up with Melissa Elliot from VeraCode as she was examining the impact of the HeartBleed on Yahoo, using software from Jared Staffer of JSPenguin.org. I asked her to describe what she was seeing. Have a listen... About Melissa Elliot I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.

In March 2014, Rio Okada and his team in Japan organized the first AppSec APAC event in Japan. I called Rio to ask how the event went. Joining the conversation with me and Rio is Robert Dracea, Tobias Gondrom and Jerry Hoff. During our call we talked about what made the event so successful and how that success might be used in future AppSec events. Have a listen.

Ivan Bütler and his team at the Hacking Lab have whipped up a fun challenge for the Easter season. The Hacky Easter Challenge is a white-hat hacking competition for fun and education. Sign up and start your quest for easter eggs! No need to be a "1337 h4xor" - there are challenges of different difficulty. About Ivan Bütler Ivan Bütler is the co-founder and CEO of Compass Security, a Swiss Ethical Hacking and Penetration Testing company located in Switzerland and Germany. Besides his own business he is also a tutor at both, the University of Applied Sciences in Rapperswil and Lucerne University of Applied Sciences and Arts. Ivan is a regular speaker at international conferences (Blackhat USA, IT Underground Warsaw, OWASP AppSec). Ivan is in the board of the Swiss Cyber Storm 4 Conference Committee and as such, responsible for the CTF and Hacking platform for the European Cyber Security Challenge 2014/2015, a cyber talent competition between Austria, Switzerland and Germany and may others from the European Union. He is the founder of Hacking-Lab – a remote security lab that is being used world-wide by security enthusiasts and security professionals to train their hands-on experience. Hacking-Lab is partnering with OWASP and provides free OWASP TOP 10, OWPASP Hackademics and OWASP WebGoat challenges.

The OWASP Top Ten Proactive Controls Project is spearheaded by Jim Bird and Jim Manico. According to Jim Bird, it is a list of security techniques that should be included in every software development project. I spoke with him about the evolution of the project and how he envisions it being used by the OWASP community, and specifically by developers. Resources for this Broadcast OWASP Top Ten Proactive Controls Project Jim Bird on LinkedIn About Jim Bird Jim Bird is a software development manager and CTO with more than 25 years of experience in software engineering, with a special focus on high-integrity and high-reliability systems. Jim is currently the co-founder and CTO of a major US-based institutional trading service, where he is responsible for managing the company’s technology group and IT security programs. Jim has worked as a consultant to IBM and to major stock exchanges and banks globally. He was also the CTO of a technology firm (now part of NASDAQ OMX) that built custom IT solutions for stock exchanges and central banks in more than 30 countries. Jim is an active contributor to OWASP, helps out as a member of the SANS Analysts program on application security, and rants about Agile software development, project management and application security topics on his blog “Building Real Software.

For his most recent project at OWASP, Colin Watson has taken the concept of Microsoft's 'Elevation of Privilege' card game and transformed it as a process for identifying security requirements for web applications. In this segment of OWASP 24/7, I speak with Colin about the origin of the project, a typical use case for the game and what the next version of the deck will look like. Resources for this broadcast OWASP Cornucopia Project Pagel Microsoft Elevation of Privilege Card Game About Colin Watson Colin Watson is an application security consultant based in London. He is project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, wrote the Application Logging Cheat sheet, contributes to a number of other OWASP projects including AppSensor and Open SAMM, and was a member of the former OWASP Global Industry Committee.

The OWASP WebSpa Project The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as a form of host-to-host communication in which information flows across erroneous URLs. In this podcast we present this web knocking tool for sending a single HTTP/S request to your web server, in order to authorise the execution of a preselected Operating System (O/S) command on it. About Yiannis Pavlosoglou There is a world of numbers, hiding behind letters, inside computers, this is what stimulates my work. I am currently employed in IT risk management within the financial industry, running a team of technical risk assessors. Prior to this, I spent 5 years in the world of professional penetration testing. I focused my career evolution on assisting large scale projects actually implement secure development practices. This included teaching developers how to write secure code. For OWASP, I was the project leader for JBroFuzz and used to chair the Global Industry Committee. I am on the Application Security Advisory Board of the (ISC)2. My academic qualifications include a PhD in information security, designing routing protocols for ad-hoc networks. I am a certified scrum master and hold the CISSP certification.

I was able to have a wonderful conversation with Riotaro Okada and Robert Dracea this morning, talking about the upcoming AppSec APAC conference in Tokyo. This interview is unique, in that we have the English and Japanese responses integrated into the conversation. This is the first event of its kind in Japan and you can tell the locals are very excited about the possibilities, from internationally recognized speakers to showing visitors the hospitality of Japan. We begin the discussion with how the Tokyo OWASP chapter was started and how it led to the AppSec APAC Conference. Riotaro Okada Researcher Born in Kobe, Hyogo Prefecture, Japan, Mr. Okada has over 20 years of experience in software development and network construction. He has been involved in network construction, software development and the implementation of information security measures at independent software development companies, the R&D divisions of manufacturing companies as well as consulting firms. Mr. Okada has also facilitated various technology-related communities such as for Linux and PHP. In 2004, he founded the Web Application Security Forum and as a member of the board became involved in the diffusion of security-related information. Moreover, he was also a researcher at the Information-technology Promotion Agency, Japan (IPA) for 8 years, and responsible for the IT strategy as well as disaster response projects at various government organizations. Mr. Okada is the co-leader of OWASP Japan since its founding, is CISA certified and holds an MBA from BBT (2009). Robert Dracea Mr. Dracea is responsible for the global strategy of a Japanese internet service company. With the mission of better sharing Japan’s advanced technological power with the world, from a business perspective, he has successfully architected numerous alliances and tie-ups both domestically in Japan as well as overseas. Additionally, he has also, on a volunteer-basis, conducted the translation and interpretation at multilingual OWASP Meetings. Mr. Dracea has been since its founding a member of the OWASP Japan Advisory Board.

The planning for AppSec Europe 2014, Cambridge is in full swing. I caught up with conference manager Adrian Winckles to see how things are shaping up.

Mark Arnold helps run a very successful OWASP chapter in Boston. In this extended discussion, I talk with Mark about why the chapter is doing so well, what lessons others could learn from his chapter's success and what he would like to see happen to gain a broader audience for the group. About Mark Arnold Mark Arnold is Director of Information Security for PTC, a global leader helping companies achieve and sustain service and product advantage. He has served in various security roles and capacities across multiple industries and as a security consultant. Mark continues to provide leadership by serving on a mix of technology (OWASP Boston, Risk I/O/CISO Advisor) and community boards. He helped launch the Boston Application Security Conference, an OWASP event, as a way to promote application security to local area college/university and secondary school students. Mark advocates bridging the digital and technical divide, supporting various STEM initiatives and encouraging increased minority and gender representation in the security field and its disciplines. He holds a BSEE from Stanford University, MDiv from Princeton Seminary, AM/PhD degrees from Harvard University, and industry certifications.

Not making a statement can be a statement in its own right." -- Tobias Gondrom Earlier this week, OWASP released a statement after an internal debate regarding recent allegations that RSA had weakened its encryption while receiving $10 million dollars from the NSA. There was heated discussion about whether or not to publish a statement. Would it be perceived as political? What is OWASP's responsibility when it comes to defending the trustworthiness of software? I spoke with Tobias Gondrom and Eoin Keary about that debate. Their premise is that this is not a political statement, but a clarification to keep OWASP focused on its original mission.

The OWASP team in Japan are putting the finishing touches on the big AppSec APAC Conference that is being held in March 2014. I spoke with Tobias Gondrom, keynote speaker for the conference, and asked him to fill us in on why this conference is unique and why you should consider attending.

"I am a developer and one of the things I hate are code reviews." -- Larry Conklin Larry Conklin is a developer and as a developer, he HATES code reviews. Because of this, he now heads the OWASP "Code Review Book" project which is creating a definitive guideline that allows companies to proceed with code reviews based upon technical facts, not emotions or intuition. I spoke with Larry at AppSec USA 2014. Dennis Groves was also there, so you'll hear him interject with a question in the middle of the program. About Larry Conklin Larry Conklin's current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, creating and maintaining operational support web sites to help QuikTrip manage it’s 600+ stores

"For an organization to really mature around application security, they need to be building security into their software from day one." -- Jim Manico Jim Manico started the OWASP podcast series in 2008. In that time, he has recorded close to 100 interviews to keep the community updated on the lastest project development within OWASP. As Jim reaches his 100th episode, he reminisces about how the series was started, what his original vision was and what he's going to do now that he has passed the reins over and moves on to other projects. We start with a question about the origins of the project and how it grew. "It's easy to talk about to talk about the 'purity' of software development, but managing a fleet of already insecure apps is an equally difficult problem." -- Jim Manico About Jim Manico Jim Manico wasl elected as an OWASP Global Board Member as of January 1, 2013. He been an active member of OWASP since 2008. He is the VP of Security Architecture at WhiteHat Security. Jim's main passion at OWASP is supporting projects that help developers write secure code.

"There are a lot of security flaws in websites like Facebook and WordPress applications. Most of those flaws are because the developers first create the application and then consider the security." -- Abbas Naderi PHP is one of the most used programming languages for the web. The problem with PHP has always been that it's easy to get started programming with PHP, but that's also one of its biggest flaws when considering application security. Abbas Naderi leads the OWASP PHP Security Project, which is a sample framework to demonstrate proper usage of the tools and libraries, as well as providing guidelines for new PHP projects. In this segment of OWASP 24/7, I talk with Abbas about the PHPSEC project as well as one of his other project, RBAC. About Abbas Naderi Abbas Naderi Afooshteh is a renowned security expert in the middle east, he has ranked first in many national and global CTFs and has been in the field for more than 8 years. He is the current Iran Chapter Leader at OWASP, and has 5 years of activity in OWASP resulting in many projects such as OWASP RBAC Project, OWASP PHP Security Project, OWASP WebGoatPHP Project and etc. He has participated in many other projects such as Cheat Sheets and ESAPI. Abbas has studied software engineering and information technology in his BS and MS and is now going to CMU to study Information Security for MS+PhD. He spends many hours daily leading OWASP projects and mentoring new enthusiastics that join projects, as well as shaping bright ideas into OWASP projects.More can be found at https://abiusx.com/cv

"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for." -- Simon Bennetts In today's segment, I talk with Simon Bennetts, project lead for the OWASP Zed Attack Proxy Project or "ZAP" for short. Simon is working on a user friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about. About Simon Bennetts Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He works for Mozilla as part of their Security Team. Some of the projects Simon works on: -- OWASP Zed Attack Proxy project lead -- OWASP Vulnerable Web Applications Directory Project joint project lead -- Mozilla Zest project lead -- Mozilla Plug-n-Hack joint project lead -- Bodge It Store project lead -- OWASP Web Application Security Testing Cheat Sheet joint author -- OWASP AppSensor contributor -- wavsep contributor -- OWASP Data Exchange Format project lead (currently inactive)

Michael Coates has a vision: smart applications that come to their own defense. "We need to get to that point where we realize that our apps are in a military zone, they are being attacked all the time." -- Michael Coates In this segment of OWASP 24/7, I speak with Michael Coates, Chairman of the OWASP Board and the founder of the AppSensor Project. Michael's contention is that applications should be smarter, that an app should "know" when it is being attacked and have a proactive, built-in response. We discuss the AppSensor project in depth: what is it, why was it created. We start our discussion with the background and reasoning behind the project. "The real damage is when they know how your application works. They attack your business logic. They do things to violate the custom aspects of your application." -- Michael Coates About Michael Coates Michael Coates is the Chairman of the OWASP board. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that leverage real time detection and response capabilities. Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup developing an entirely new type of web security product to protect web sites against modern attacks. Previously, Michael was the Director of Security Assurance at Mozilla where he founded and grew the Security Assurance and Web Security programs to 25 people. Throughout Michael's career he has advised major corporations and governments on secure architecture and software security. He’s also performed hundreds of technical security assessments for financial, enterprise, and cellular customers worldwide. Michael also maintains a security blog at michael-coates.blogspot.com Michael holds a Master of Science degree in Computer, Information and Network Security from DePaul University and a Bachelor of Science degree in Computer Science from the University of Illinois at Urbana-Champaign.

"The CISCO Guide provides guidance and visibility to CISOs on how to initiate an application security program, how to make the business case, how to manage the risks of applications and how to measure the those risks. The guide is structured as a journey, because application security is not a destination, it is a journey." Marco Marona Marco Marona, is the coordinator of the OWASP Application Security Guide For CISOs Project and Tobias Gondrom is the project lead for the OWASP CISO Survey. They have combined resources to provide us when a CISO framework for implementing an application security program. During our discussion at AppSec USA 2013, we talked about the origin of the projects and how they can be used to make a business case for application security. "If you have a security strategy that is about a two year time frame, you have a higher chance of increasing your application security investments.The question is then, 'How do you write that strategy?' That question is answered in the CISO Guide." -- Tobias Gondrom I start by asking Marco about the purpose of the CISO Guide.

Many people in the OWASP community don't know Dennis Groves... and that's a surprise since he is one of the co-founders of the movement. I was able to catch up with Dennis at AppSec USA in New York City (November 19, 2013) and we had an interesting discussion about the beginnings of OWASP and what he sees in the future. Highlights of our Discussion * The event that triggered the inspiration for OWASP * The original purpose of OWASP * The use of OWASP as a de facto standard * Future vision for OWASP * The dilemma of community obligation About Dennis Groves Dennis Groves's work focuses on a multidisciplinary approach to risk management. He is particularly interested in risk, randomness, and uncertainty. He holds an MSc in Information Security from the University of Royal Holloway where his thesis received a distinction. He is currently a UK expert for the UK mirror of ISO subcommittee 27, IT Security Techniques, working group 4, Security Controls and Services at the British Standards Institute. He is most well known for co-founding OWASP. His contributions to OWASP include the ‘OWASP Guide (v1)’ downloaded over 2 million times; now a reference document in the PCI DSS standard, and the de-facto standard for securing web applications. He is a thought leader in the web application security space, where he has spent the last decade of his career. Dennis Groves has been an Security Architect, Ethical Hacker, Web Application Security Consultant, IT Security Consultant, System Administrator, Network Administrator, and a Software Engineer. He has taught various courses on information security and is best known for his ability to bring fresh insight to difficult security problems. Specialties:Risk Management, Threat Modeling, Security Architecture, Application Security, and "the big picture".

Last week at AppSec USA in New York City (November 20, 2013), I moderated a panel with Jeff Williams and Ryan Berg talking about the latest addition to the OWASP Top 10, Using Components with Known Vulnerabilities. This is the full recording of that session.

On today's segment, we're going to take a different approach from our normal format. I was at the AppSec USA Conference in New York City last week and was asked to chair a panel for the game show "Wait, wait... don't pwn me!". This is the full recording of the session. As you listen, keep in mind, every situation described within the game is true. Let's start first with the introductions of Chris Eng, Josh Corman and Space Rogue.

In this segment, I talk with Tom Brennan, the organizer of AppSecUSA 2013 in New York City. The conversation centers around what's going on in New York, why Tom took on the project and what makes AppSec conferences special. About Tom Brannen Tom Brennan is volunteer to the OWASP Foundation since 2004 when he founded the New Jersey Chapter after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006. Tom was appointed to the Global Board of Directors in 2007 by his peers and was re-elected by the membership in 2012 for another two year term. During his leadership of OWASP Foundation he has led many global and local initiatives for OWASP including governance, fund raising via conferences and membership and business marketing.

In this segment of OWASP 24/7, I talk with Kelly Santalucia about what it takes to grow OWASP, how she's working with the outreach foundation, the outreach program for kids, the diversification of the membership... things that are helping the community grow. We also talk about what OWASP will look like in the future as virtual chapter meetings become an integral part of the platform. I began by asking Kelly what her job responsibilities are with OWASP.

Kate Hartmann is Operations Director of OWASP. She is responsible for creating and maintaining the platform for the OWASP organization Kate has a unique perspective on how virtual meetings are becoming an important tool for the global community. We start our discussion with Kate talking about her typical day at OWASP... which begins with a full pot of coffee to get her jumpstarted. About Kate Hartmann Kate joined the OWASP Foundation May 2008. Her work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short term and long term strategic goals. Kate has a B.A. in English and History from VA Tech in Blacksburg, VA. Prior to joining the OWASP Foundation, she worked with Government funding sources in the Healthcare Industry.

Sarah Baso is the Executive Director of OWASP. Her day to day responsibilities include managing a membership of over 43,000 people in 100+ countries. What does it take to run an organization this size and how do you prepare for the future without getting bogged down in the details. About Sarah Baso Sarah is based in San Francisco, Californa, USA and has been the Executive Director of the OWASP Foundation since April 2013. In this role, she supervises the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.

As the Projects Manager for all projects at OWASP (the Open Web Application Security Project), Samantha Groves has deep visibility into the 140 or so projects currently on the boards at OWASP. We start our discussion with what her typical day looks like and then move into how OWASP is changing and the different models for project frameworks. About Samantha Groves Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioural research projects, competitor analysis, event organisation and management, volunteer engagement projects, staff recruitment and training, and marketing department organisation and strategy implementation projects for a variety of commercial and not-for-profit organisations. She is eager to begin her work at OWASP and help the organisation reach its project completion goals. Samantha earned her MBA in International Management with a concentration in sustainability from Royal Holloway, University of London. She earned her Bachelor's degree majoring in Multimedia from The University of Advancing Technology in Mesa, Arizona, and she earned her Associate's degree from Scottsdale Community College in Scottsdale, Arizona. Additionally, Samantha recently attained her Prince2 (Foundation) project management certification.