The OWASP Podcast Series

Shows

The OWASP Podcast SeriesThe OWASP Podcast Seriesep2024-10 Don't be Scared, It's just a Pen Test with Brad CauseyThere's no reason to be scared about a pen test - especially when it's run by a professional like Brad Causey. I catch up with Brad in this episode to discuss what's recently changed in pen testing in how you test and people's motivations for hiring a pen testing. Interesting and not spooky at all. Show Links: Brad on LinkedIn - https://www.linkedin.com/in/bradcausey/ SecurIT360 - https://www.securit360.com/ - https://www.linkedin.com/company/securit360/ OWASP Testing Guide - https://owasp.org/www-project-web-security-testing-guide/2024-10-3137 minThe OWASP Podcast SeriesThe OWASP Podcast Seriesep2024-08 OWASP Projects RoundupThe August episode is a review of projects from a recent OWASP project showcase. We talk to the leaders of the OWASP pytm, OWASP Developer Guide, OWASP State of AppSec Survey Project. Get up on the latest news and update on these OWASP projects. OWASP pytm: - https://owasp.org/www-project-pytm/ - https://github.com/izar/pytm OWASP Develper Guide: - https://owasp.org/www-project-developer-guide/ - https://github.com/OWASP/www-project-developer-guide OWASP AppSec Survey Project: - https://owasp.org/www-project-state-of-appsec-survey/2024-08-3036 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesSBOMS, CycloneDX and Dependency Track: Automation for Survival with Steve SpringettSoftware supply chain seems to be front and center for technologists, cybersecurity and many governments. One of the early pioneers in this space was Steve Springett with two highly successful projects: OWASP Dependency Track and CycloneDX. In this episode, we catch up with Steve to talk about how he got started in software supply chain management as well as the explosive growth for Dependency Track and ClycloneDX. We also touch on future developments for CycloneDX and places where Steve never expected to see his projects go. Enjoy! 
Show Links: - OWASP Dependency Track: https://dependencytrack.org/ - Dependency Track Github...2023-06-2729 minThe OWASP Podcast SeriesThe OWASP Podcast Series2023-04 Rethinking WAFs: OWASP CorazaWAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape. The OWASP Coraza is not only asking these questions but putting some Go code behind their ideas. Should WAFs work in a mesh network? Why create an open source WAF? What's next for the OWASP Coraza project? These and more topics are covered in this episode. I had a great time recording it and I think you'll have the same while listening. Show Link: - Coraza Website: https://coraza.io/ - Coraza Github Repo: https...2023-04-3029 minThe OWASP Podcast SeriesThe OWASP Podcast Series2023-02 Isolation is just PEACHyIn this episode I speak with Amitai Cohen who's been thinking a lot about tenant isolation. This is a problem for more then just cloud providers. Anyone with a SaaS offering or even large enterprise may want to isolate customers or parts of their business from each other. Several useful items came out of this including the Cloud VulnDB which catalogs security issues in cloud services and the PEACH tenant isolation framework. You may not think you need to worry about tenant isolation, but I bet you should at least keep it in mind. Enjoy! Show Links: - Cloud VulnDB...2023-03-0133 minThe OWASP Podcast SeriesThe OWASP Podcast Series2022 Year in ReviewIn this episode, I go solo and review the last year of podcasts but with a twist. I do my best to compare the topics covered to the OWASP Flagship projects. The goal is to see if the episodes I recorded this year match up with the projects strategically important to OWASP. Plus, the holiday listeners get gifts all around as I cover (and link) the OWASP Flagship projects. 
Show Links: - (January) New Ideas, New Voices, New Hosts: https://soundcloud.com/owasp-podcast/new-ideas-new-voices-new-hosts - (February) Tanya Janca - She Hack Purple: https://soundcloud.com/owasp-podcast/tanya-janca - SAMM (Software...2022-12-3014 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesYou've got some Kubernetes in my AppSec!In this episode, I speak with Jimmy Mesta, the project leader of the new OWASP Kubernetes Top 10. Beyond covering the actual Kubernetes Top 10 project, we cover how AppSec has expanded to cover other areas. You not only have to ensure that your application is secure, you need to ensure the security of the environment in which it runs. That environment is increasing becoming Kubernetes so what better than talk to someone who's protected Kubernetes clusters for years and trained many others to harden their clusters. Show Links: - OWASP Kubernetes Top 10: https://owasp.org/www-project-kubernetes-top-ten/ - Kubernetes Top 10 Github repo...2022-11-2841 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesGetting Lean and Mean in the DefectDojoIn this episode, Matt Tesauro hosts Greg Anderson and Cody Maffucci to talk about OWASP DefectDojo. DefectDojo is an OWASP flagship project that aims to be the single source of truth for AppSec or Product Security teams. It provides a single pane of glass for security programs and can import and normalize over 150 different security tools. I thought that the OWASP podcast might just cover an OWASP project now and then so here we go. Show Links: - https://www.defectdojo.org/ - Github organization: https://github.com/defectdojo - Github main repo: https://github.com/DefectDojo/django-DefectDojo - Pubic...2022-07-2030 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesGiving a jot about JWTs: JWT Patterns and Anti-Patterns - OWASP Podcast e002In this episode, Matt Tesauro hosts David Gillman about JWT Patterns and Anti-Patterns. 
I first met David at LASCON in the fall of 2021 when I sat in on his conference talk. Based on David’s experiences with JWTs we discuss where JSON Web Tokens can help and harm developers who use them. It seems like JWTs can be a mixed bag mostly determined by how you use them. Hopefully this episode will help you avoid any JWT sharp edges if or, more likely, when you work with them. Show Links: - Video of David’s presentation at LASCON - https://www...2022-06-2933 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesThreat Modeling using the Force with Adam Shostack - OWASP Podcast e001In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous teams how to do threat modeling. Learn what makes a good threat model and some news about a new book from Adam to help further the spread of threat modeling with the end goal of more threat modeling and fewer security surprises. Enjoy! Show Links: - Threats Book site: https://threatsbook.com/ - Resources on Adam’s website: https://shostack.org/resources2022-05-2647 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesThe Void: Verica Open Incident DatabaseWelcome back to the OWASP podcast. In this episode, we're headed to The VOID. I speak with Courtney Nash about the Verica Open Incident Database, otherwise known as The VOID, which is a collection of software-related incident reports available at https://www.thevoid.community/. It's a fascinating discussion about how, by gathering data from The VOID, we can make the Internet a safer and more resilient place. Courtney was super passionate about the research work she's doing. It was completely fun to chat with her and they've already produced some very interesting conclusions, in the published report available on The...2022-04-0543 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesFast Times at SBOM High with Wendy Nather and Matt TesauroHello, it's Matt Tesauro. 
Welcome back to my take on the OWASP Podcast. It seems as if I'm turning my episodes into the equivalent of a conference hall track, those wonderful interactions you have at conferences, running between rooms at conferences, meeting up with smart minds you don't see all the time. I have the pleasure of reuniting with Wendy Nather, CISO Advisor Extraordinaire, for this episode. We had a very interesting conversation about Software Bill of Materials (SBOMs). Like many of my interactions with Wendy, I learned from our conversation. She threw out some really good nuggets. I highly...2022-03-2442 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesTanya Janca - She Hacks PurpleHello, I'm Matt Tesauro, one of the OWASP Podcast co-hosts. I had the opportunity to interview Tanya Janca for this podcast. To be honest, I kind of wish it was a video recording because you'd be able to see the big smiles and vigorous head nodding during the recording. Tanya and I are in violent agreement about all things appsec, and it shows. There's a nice mix of general advice, war stories, and some good nuggets in this interview. I hope you enjoy it.2022-02-2848 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesNew Ideas. New Voices. New Hosts.8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 500,000 downloads. It has been a fun project, but it’s time to change things up a bit. There is a lot going on at OWASP, even more going on with the technology industry when it comes to cybersecurity. It’s too much for one person to keep up with. Enter the idea of multiple co-hosts for the podcast. Many of you listening already know of Vandana Verma and Matt Tesauro from their work with OWASP. I ca...2022-02-0118 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesThe InfoSec Color Wheel with Jasmine HenryWe’ve all heard of “Red Teams” and “Blue Teams” when it comes to cybersecurity. 
But what about the “Purple Team”, the “Yellow Team” or the “Blue Team”. What are those? In February of 2020, Louis Cremen introduced the InfoSec Colour Wheel to the security community. The wheel expands upon April Wright’s work on bringing builders into the security team. The value of the wheel is to show the various types of security teams, seven in all, and the role each plays in security. Jasmine Henry brought the wheel to my attention. As she and I talked, we realized the InfoSec Wheel can be use...2022-01-1027 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesOWASP Flagship Projects - Episode 02In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Juice Shop Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference...2021-06-1625 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesOWASP Flagship Projects - Episode 01In this episode of the People | Process | Technology podcast, I speak with Simon Bennetts from the Zap Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. 
The OWASP 20...2021-06-0422 minThe OWASP Podcast SeriesThe OWASP Podcast Series2021 OWASP Top 10 with Andrew van der StockThe Top 10 is considered one of the most important community contributions to come out OWASP. In 2003, just two years after organization was started, the OWASP Top 10 was created. The purpose of the project was to create an awareness document, highlighting the top ten exploits security professionals should be aware of. Since that time, innumerable organizations have used it as a guideline or framework for creating security programs. The current Top 10 list was released four years ago, in 2017. As part of a 2021 initiative at OWASP, the OWASP Top 10 is in the process of being updated, and scheduled for release this summer...2021-03-2615 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesThe Ops Side of DevSecOps w/ Damon EdwardsWhen Shannon Lietz and the team at DevSecOps.org published the DevSecOps Manifesto six years ago, security was uppermost in their minds. The manifesto starts with a call to arms… “Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.” The effect of the DevSecOps movement was not understood by many, other than t...2021-01-2924 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesA Note from the Executive ProducerThis is Mark Miller, Executive Producer. Over the years as I’ve produced the show, the topics of focus have followed the trends in the industry. What was originally called “The OWASP Podcast” became “OWASP 24/7” and then “The DevSecOps Podcast”. Each change brought with it a new audience, extending our community from exclusively OWASP practitioners, to DevOps and DevSecOps advocates. 
The audience for the podcast has grown, with close to 500,000 listens of the 150 episodes. We’ve covered book launches by speaking with the authors, we’ve talked about industry reports focusing on the Software Supply Chain. Topics have included Chaos Engineering, effor...2021-01-2703 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesA New Vision for the Future of OWASP, with Executive Director, Andrew van der StockOWASP is in a state of discord. Over the past few years, there have been fractures in the community. Recently, there have been arguments on the leader email list that have clearly breached the lines of etiquette. Personal attacks, distribution of funds, and complaints of lack of diversity are creating tension among the members. If we, as an organization refuse to confront these issues, there is a real potential we will no longer have relevance to the AppSec community. The in-fighting has become a detriment to chapter leaders and project leaders, who are looking to OWASP for consistent leadership and...2020-07-1830 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesDevOps, DevSecOps and the Year Ahead w/ Sacha LaboureyOnce a year, Sacha Labourey and I sit down to discuss the past year and what the coming year looks like for DevOps and Jenkins. As CEO of CloudBees, Sacha has broad visibility into the progress of the DevOps/DevSecOps communities. We started our talk this year, commenting on the growth of the Jenkins World conference, with over 2000 attendees... what does Sacha attribute that to and does it coincide with the growth within the DevOps community. 
We continued our discussion by examining how cultural transformation within a company must align with the tools that are available to help with that...2019-10-0733 minThe OWASP Podcast SeriesThe OWASP Podcast Series2019 Global AppSec Conference DC w/ Ben PickOWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest security tribes in the world. In this episode of the DevSecOps Podcast Series, I speak with Ben Pick one of the organizers of the conference about what's important about this type of gathering and what you can expect when attending. https://dc.globalappsec.org/2019-08-2420 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesTel Aviv and the 2019 Global AppSec ConferenceWhen I think of Tel Aviv, I imagine a robust, young culture, living a good, fun life. Not only is the culture conducive to a young life style, its tech industry continues to gain traction. As Wired Magazine said last August, "Israeli startups have always been high on Silicon Valley shopping lists, but Tel Aviv is beginning to shake off its reputation as Europe’s exit capital." Zebra, the medical diagnostics company, MyHeritage online family tree service, Via ride sharing service, and the Waze navigation app, as well as dozens of other influencial start-ups call Tel Aviv home. This places Te...2019-05-0118 minThe OWASP Podcast SeriesThe OWASP Podcast Series2019 Open Security Summit PreviewThree years ago there was an idea floating around OWASP... a core community was looking for a way to have an isolated week, where security project working groups could get together, with no distractions, and work on projects they felt were important. From this idea, the Open Security Summit was founded. Now in it's third year, the summit takes place in an isolated forest located between London and Manchester. 
The format for the gathering is to present an environment, with no distractions, where the community of 150 security professionals can meet to update each other on their progress in the past...2019-04-0919 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesWhat is an SBOM and Why Should You Care? w/ Allan FriedmanOpen-source components and their use within the software supply chain has become ubiquitous within the past few years. Current estimates are that 80-90% of new software applications consist of open-source components and frameworks. Section A9 of the OWASP Top 10 places components with known vulnerabilities as one of the most prevalent and abused parts of the software supply chain, placing it at a security weakness level of three, on a scale from one to three. Quoting from the OWASP description in A9, "Component-heavy development patterns can lead to development teams not even understanding which components they use in their applications or...2019-04-0233 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesWhat's In Store for the AppSec Cali Conference w/ Richard GreenbergAs if there aren't enough reasons to go to Southern California in the middle of a New York winter, AppSec Cali opens it's doors for its 6th Annual OWASP conference on January 22, 2019. In this broadcast, I speak with Richard Greenberg, one of the core organizers of the conference, talking about why people come, what they can expect to see and why he continues to help produce the conference year after year. For a transcript of this broadcast, go to DevSecOpsDays.com and click on "Podcasts".2019-01-1519 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesHow to Build Chapter Engagement at OWASPWhile at 2018 AppSec EU, I spoke with Sam Stepanyan and Grigorios Fragkos, chapter leaders of one of OWASP's largest chapters. 
The conversation centered around what does it take to grow a community, what does it take to lead a chapter.2018-09-1716 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesA Message from the Executive ProducerThis is Mark Miller, Executive Producer. 4 years ago I took over the creation and curation of the OWASP podcast series. In that time, there have been 118 episodes, with a combined listenership of over 269,000 plays. The series began as a way to speak with OWASP project leads and chapters leaders to let the community hear what was being worked on. Gradually, the show has morphed into something broader. Recent broadcasts highlighting the work done in the DevOps and DevSecOps Communities receives well over 2000 listeners per episode. We have helped give exposure to DevSecOps practitioners at major AppSec Conferences in Europe and...2018-07-1502 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesSteps to Responsible Disclosure with Bas van Schaik,Man Yue Mo and Brian FoxOn March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind lgtm.com. In this episode of OWASP 24/7, I speak with research team at Semmle on how they discovered the vulnerability. Also, Brian Fox joins the discussion on the process for responsible disclosure, different ways to approach it and what other companies and projects are doing when a vulnerability is found in their project. About Man Yue Mo — Security Researcher at Semmle for lgtm.com During his PhD in mathematics at Oxfo...2018-03-2030 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesExpanding Community Engagement at OWASP w/ Greg AndersonNewly elected to the OWASP board, Greg Anderson is interested in how to expand the OWASP community. 
I talked with him about what he hope to accomplish in his tenure on the board, the first initiatives he would like to implement and on various ideas for working with OWASP chapters, projects and events. About Greg Anderson Technical leader with 6+ years of experience in all facets of security. Primary areas of expertise include application security, security in DevOps, security automation, program management and program development.2017-11-3023 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesThoughts on Security in the Modern Software Supply ChainCaroline Wong, Paula Thrasher and I were having lunch at DevOps Enterprise Summit when the conversation took an interesting turn. Paula and Caroline had been on a panel the previous day and didn't get a chance to do a deep dive into any of the topics. As we were talking at lunch, I realized is was a good opportunity to give them a chance to talk with each other on government vs public software security, about how the OWASP Top 10 might best be used and to they have discovered as common security patterns in their large scale projects. About Caroline...2017-11-161h 04The OWASP Podcast SeriesThe OWASP Podcast SeriesWhat you should know about the latest Struts2 vulnerability announcementWhat you should know about the latest struts2 vulnerability announcement w/ Brian Fox, CTO Sonatype, and Matthew Konda , Chair, OWASP Board of Directors. If you're a developer and concerned about security, a struts2 vulnerability announcement came out yesterday. I interviewed two experts to talk about the announcement and what you should be looking for. If you would like to watch a video of the interview, you can find it on YouTube: https://www.youtube.com/watch?v=jtUfPom06bo2017-09-0724 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesOWASP Hacker Kids in BangaloreMost of us want to help kids become proficient in programming and cybersecurity, but don't know how to get started or have time to manage such a project. 
Prashant Kv figured he'd put a team together with Vandana Verma and Rupali Dash and give it a shot. The first event in Bangalore was a huge success, with over 200 kids participating. I spoke with the Prashant, Vandana and Rupali about how the event was put together, why it worked and what their plans are for future events.2017-08-2915 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesLess than 10 Minutes Series: OWASP DockerHub with Simon BennettsEarlier this week, Simon Bennetts from the OWASP ZAP Project announced the official availability of the OWASP DockerHub for housing projects. I caught up with Simon soon after to hear how ZAP was utilizing DockerHub and the benefits of containerization. https://hub.docker.com/u/owasp/2017-08-0808 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesLess than 10 Minutes Series - ModSecurity Core Rule Set ProjectThis segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the ModSecurity Core Rule Set Project with project co-lead Christian Folini. The OWASP ModSecurity CRS Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the...2017-05-1208 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesLess than 10 Minutes Series: OWASP Summit 2017This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the OWASP Summit 2017 with conference organizer Sebastien (Seba) Deleersnyder. 
OWASP Summit 2017 is a 5-day participant driven event, dedicated to the collaboration of Development and Security professionals, with a strong focus on DevSecOps.2017-05-1107 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesLess than 10 Minutes Series: WebGoat ProjectThis segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the WebGoat Project with project co-leads Jason White and Nanne Baars. WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.2017-05-1107 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesLess than 10 Minutes Series: Virtual Village ProjectThis segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Virtual Village Project with project lead Evin Hernandez. The Virtual Village provides users with access to numerous operating system's Desktop as well as Servers. Users are able to create custom apps for other OWASP projects, as well as be able to request test environments , or honey pots , etc.2017-05-1009 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesLess than 10 Minutes Series: The Juice Shop ProjectThis segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Juice Shop Project with project lead Bjoern Kimminich. The Juice Shop is an intentionally insecure webapp for security training, written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. 
Bjoern Kimminich (Project Leader OWASP Juice Shop) Personal Twitter: http://twitter.com/bkimminich OWASP Juice Shop Project Twitter: http://twitter.com/owasp_juiceshop Project Wiki Page: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Main Github Project: https://github.com/bkimminich...2017-05-1007 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesAppSec EU 2017, Belfast Keynote Preview with Jaya Baloo"Why does OWASP even exist? Why do we even have this idea of understanding common issues, common problems. There are resources to help us do it better next time. I feel we are not learning at the curve where we should be, considering the resources available to us." -- Jaya Baloo As CISO of KPN, the largest telecom in the Netherlands, Jaya Baloo has a lot on her mind, but maybe not what you'd think. In this free wheeling discussion, we begin with what Jaya will be talking about during her keynote at AppSec EU 2017 in Belfast, and then move...2017-03-2217 minThe OWASP Podcast SeriesThe OWASP Podcast Series2016 AppSec USA - An Update on the WebGoat ProjectWebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. It is one of the most used projects at OWASP. With the current team headed by Bruce Mayhew, Nanne Baars and Jason White, work is moving forward on the creation of new content for creating training lessons for application security. I talked with Bruce and team about what they've done with the latest update and what they hope to accomplish in the coming year.2016-11-3013 minThe OWASP Podcast SeriesThe OWASP Podcast Series2016 AppSec USA: The Core Rule Set Project w/ Chaim SandersThe OWASP ModSecurity Core Rule Set Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. Chaim Sanders,Ryan Barnett, Christian Folini and Walter Hop are the team coordinating the project. 
During 2016 AppSec USA, I spoke with Chaim about the purpose of the project, the work work done in the past year, the upcoming release and what the team hopes to accomplish in 2017. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project2016-10-1209 minThe OWASP Podcast SeriesThe OWASP Podcast Series2016 Board Election Interviews - Part Two of Four - Vendor NeutralityToday's podcast is the second in a series of four, talking with prospective 2016 board members. Today's question is, "Do you consider vendor neutrality an issue at OWASP? If so, why?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.2016-09-1519 minThe OWASP Podcast SeriesThe OWASP Podcast Series2016 OWASP Board Election Interviews - Part One of Four - Developer ParticipationToday's podcast is the first in a series of four, talking with prospective 2016 board members. Today's question is, "What kind of action plan do you have in mind to help motivate the participation of Developers into OWASP community." The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.2016-09-1420 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesAppSec USA 2016 Pre-Conference UpdateFrom October 11 - 14, 2016, appsec professionals from around the world will gather in Washington DC to participate in one of this year's main OWASP events, AppSec USA 2016. 
In this broadcast, I speak with three organizers of the event (Andrew Weidenhamer, Mike McCabe, Patrick Cooley )to get insight as to what to anticipate at the conference, the unique qualities of an AppSec USA event, and a sneak peek at the sessions that will be given over the 4 day event.2016-09-0916 minThe OWASP Podcast SeriesThe OWASP Podcast Series2016 State of the Software Supply Chain Report with Derek WeeksThe "State of the Software Supply Chain Report" featured in today's show is an industry report produced by Sonatype. In the spirit of full disclosure, Mark Miller is the Senior Storyteller and DevOps Advocate for Sonatype. That said, no products are mentioned, nothing is being sold. Sonatype is the steward of the Central Repository and has access to an incredible set of data. The information in the report relates directly to A9 within the OWASP Top 10: Using components with known vulnerabilities. The full report is available as a free download. To describe the findings of the report and the discoveries...2016-07-1116 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesJim Manico's 100th Episode, featuring Mark Miller, Executive Producer of OWASP 24/7In this episode, Jim Manico turns the tables on me for for his 100th podcast. He digs into my past, asks about my motivations for participating in OWASP, inquires on what I hope to accomplish through the series and how DevOps and security can be part of a single conversation when it comes to the software supply chain. Mark Miller is the Senior Storyteller and Developer Evangelist for Sonatype. He is the curator of TheNexus Community Project, while participating in DevOps and security conferences as a frequent panel host. 
He recently helped build the DevOps track for RSAC Conference 2016, InfoSec...2016-06-2938 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesOWASP Top 10 Proactive Controls Project with Jim Manico and Katy AntonThe OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community do decide the criteria for building the list of controls.2016-02-0921 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesThe OWASP WebGoat Project, version 7.0, with Bruce MayhewThe WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. I caught with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of this project. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project2016-02-0117 minThe OWASP Podcast SeriesThe OWASP Podcast SeriesJohanna Curiel on the Growing Pains of OWASP and Management of Project ReviewsSeveral months ago Johanna Curiel figured she'd had enough and was ready to take a break from OWASP. Recently, she came back and is working tirelessly to revamp the Project Review initiative. 
I talked with Johanna about why she left, what has changed to make it enticing enough for her to return and what her vision is for the Project Review team in the coming year.
Published 2016-01-27 (26 min)

2016 - What's in Store for the OWASP 24/7 Podcast Series
As we move into 2016 and my second year as executive producer of OWASP 24/7, I want to give a quick overview of my objectives for the year and what you can expect from the series.
Published 2016-01-21 (4 min)

OWASP Shark Tank - Could You Convince Someone to Invest in Your Project?
Funding of projects. Allocation of personal time. What does it take to get a project funded with limited resources? The OWASP NYC/NJ chapters are trying something new at the December 7th meeting: two projects will make pitches to a crowd of 300, with two angel investors in attendance. In this OWASP 24/7 broadcast, I talk with Tom Brennan, event organizer, and the two people who will be pitching their projects. Listen in to see if this is something you might want to do for your chapter or project. Here's a review of the Shark Tank pitch that two people made on...
Published 2015-11-25 (24 min)

OWASP Application Security Verification Standard Project w/ Andrew van der Stock
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.
Project on OWASP: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Published 2015-10-01 (8 min)

OWASP Benchmark Project w/ Dave Wichers
There's been a lot of discussion around the OWASP Benchmark Project since its latest release. Jeff Williams wrote an article and then received a response from Chris Wysopal at Veracode. I was able to catch up with Dave Wichers, OWASP Project Lead, during AppSecUSA 2015 in San Francisco. I had Dave talk me through the project and what its intentions are.
Resources:
OWASP Benchmark Project - https://www.owasp.org/index.php/Benchmark
Why it's Insane to Trust Static Analysis - http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274?
No One Technology is a Silver Bullet - https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet
Published 2015-09-30 (14 min)

OWASP Security Shepherd Project w/ Mark Denihan and Paul McCann
The Security Shepherd Project is a mobile web application training platform for penetration testing. It covers the OWASP Top 10 risks from both the mobile and web projects. This recording was made at AppSecUSA 2015 during the Project Summit.
Published 2015-09-29 (13 min)

OWASP Board Candidate Interview - Abbas Naderi, Michael Coates, Jonathan Carter
Part of a three-part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Abbas Naderi, Michael Coates and Jonathan Carter.
Published 2015-09-03 (48 min)

OWASP Board Candidate Interview - Bil Corry and Josh Sokol
Part of a three-part series of interviews talking with OWASP board candidates for 2015.
This segment includes candidates Bil Corry and Josh Sokol.
Published 2015-09-03 (39 min)

OWASP Board Candidate Interview - Milton Smith, Tobias Gondrom, Tom Brennan
Part of a three-part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Milton Smith, Tobias Gondrom and Tom Brennan.
Published 2015-09-03 (43 min)

OWASP Security Knowledge Framework Project w/ Glenn Ten Cate
With over 20,000 downloads within its first two months of release, the Security Knowledge Framework Project seems to have hit a resonant chord with the OWASP community. Glenn Ten Cate and his brother Riccardo created the project as a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. The OWASP Security Knowledge Framework is an expert system web application that uses the OWASP Application Security Verification Standard and other resources. I spoke with Glenn about the project and its future growth. You can learn more about the...
Published 2015-07-27 (23 min)

OWASP Summer of Code Sprint 2015 with Fabio Cerullo
With the OWASP Summer of Code Sprint 2015 in full swing, OWASP 24/7 caught up with project lead Fabio Cerullo to see what the future of the project looks like and what to expect from the current sprint.
Published 2015-07-15 (21 min)

OWASP Project Funding Part 2 w/ Johanna Curiel and Claudia Casanovas
In part two of our open discussion on project funding for OWASP projects, I talk with Johanna Curiel, Project Review Team Leader, and Claudia Casanovas, the newly appointed Project Coordinator.
In this broadcast, we explore the roadblocks to getting OWASP project funding, discuss how to create a better process for requesting funds, and talk about historical examples of how the current process has, and has not, worked.
Published 2015-07-02 (50 min)

OWASP Project Funding w/ Josh Sokol, Dinis Cruz and Andrew van der Stock
How do projects get funded at OWASP? Who should have access to those funds? What is the history of projects being funded at OWASP? In this wide-ranging discussion we talk with Andrew van der Stock, Dinis Cruz and Josh Sokol about access to funds for project leads and the perceived difficulty of getting funding.
Published 2015-06-29 (47 min)

The OWASP Online Academy with John Patrick Lita and Jerry Hoff
John Patrick Lita has been working on the OWASP Online Academy since February. He plans to release it to the community within the next month. In this conversation, we talk with John about his plans for the project. Joining us is Jerry Hoff, one of the first content contributors to the Online Academy. https://www.owasp.org/index.php/OWASP_Online_Academy
Published 2015-06-25 (18 min)

Paul Ritchie, Executive Director, Talks Present, Past and Future of OWASP
Paul Ritchie has been executive director of OWASP since July of 2014. In our talk, I get Paul's perspective on the best ways for chapters to utilize OWASP resources and what he sees in the near future for OWASP.
Published 2015-05-28 (22 min)

OWASP Offensive Web Testing Framework with Bharadwaj Machiraju and Abraham Aranguren
In this segment, we talk with the co-coordinators of the OWASP OWTF Project.
The aim of the project is to make security assessments as efficient as possible by automating the manual, uncreative part of pen testing.
Published 2015-04-15 (20 min)

Tobias Gondrom on the OWASP Strategic Goals for 2015
In this segment of OWASP 24/7, I speak with Tobias Gondrom on the strategic goals for OWASP in 2015.
Published 2015-04-03 (23 min)

OWASP Project Reviews with Johanna Curiel
Johanna Curiel is the wizard behind the curtain who manages the evaluation of OWASP projects. In this wide-ranging discussion, I talk with Johanna about the criteria for project evaluation, how projects become "Flagship" status and what it takes to run a project of this size.
About Johanna Curiel
Johanna Curiel is a security engineer and developer of financial tools for Algorithmic Trading software. She works on multiple open source initiatives such as OWASP, Openbloomberg, Algorithmic Trading and bug hunting activities and hackathons.
Published 2015-02-25 (20 min)

2015 OWASP Project Summit in NYC with Tom Brennan
I caught up with Tom Brennan, coordinator of the 2015 OWASP Project Summit in New York City, to hear what he has in store for the 2-day event. http://www.meetup.com/OWASP-NYC/
Published 2015-02-24 (10 min)

John Melton and the OWASP AppSensor Project
The OWASP AppSensor Project has just released version 2.0. In this broadcast we speak with John Melton, project code lead, on the latest features in the release and what the future looks like for the project.
About John Melton
John is one of the co-leaders for the OWASP AppSensor project and leads the software implementation. For his day job, he is a principal security researcher for WhiteHat Security, working in the SAST space. His background is in software and security engineering.
Published 2015-02-13 (18 min)

Kevin E. Greene on OWASP and the SWAMP Project
During a meeting at AppSec USA 2014 in Denver, the SWAMP team presented its case for working with OWASP to support a marketplace for security tools. I sat down with Kevin E. Greene from DHS S&T, Cybersecurity Division to talk about what SWAMP is and how OWASP and its various projects might become involved.
About Kevin E. Greene
Software Assurance Program Manager responsible for oversight and management of research and development projects focused on improving the testing, analysis, and evaluation techniques used in software quality assurance tools. In addition, responsible for building a Software Assurance Marketplace (SWAMP) which will provide...
Published 2014-10-17 (26 min)

OWASP Board Candidate Interviews - Mateo Martinez
With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Mateo Martinez. (Please note: This interview was done over the net with a connection from New York City to Montevideo, Uruguay. In some places, there is considerable static.)
Published 2014-09-19 (17 min)

OWASP Board Candidate Interviews - Jim Manico, Timur Khrotko
With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Jim Manico and Timur Khrotko.
Published 2014-09-16 (36 min)

OWASP Board Candidate Interviews - Andrew van der Stock, Nigel Phair, Abbas Naderi
With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members.
In this session, we talk with Andrew van der Stock, Nigel Phair and Abbas Naderi.
Published 2014-09-16 (39 min)

OWASP 2014 Board Candidate Interviews - Israel Bryski, Matt Konda, Bil Corry and Tahir Khan
With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Israel Bryski, Matt Konda, Bil Corry and Tahir Khan.
Published 2014-09-16 (46 min)

Jonathan Carter - OWASP and Mobile Security
On the day before Black Hat 2014 kicked off, I was able to sit with Jonathan Carter to talk about his work and the projects he participates in at OWASP. The audio recording is a bit raw because the sound was cranked up in a conference full of people. What Jonathan has to say should more than compensate.
About Jonathan Carter
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other...
Published 2014-08-15 (22 min)

Sarah Baso - The Final Interview
Sarah Baso is leaving OWASP at the end of the month. As executive director, she has been at the helm of the organization, helping to set up and run OWASP as a business. In our conversation we talk about the ups and downs of her tenure, and how she would like to be remembered in the future.
About Sarah Baso
Sarah is based in San Francisco, California, USA and has been the Executive Director of the OWASP Foundation since April 2013.
In this role, she supervises the paid OWASP staff in addition to administering all programs and operations of...
Published 2014-07-30 (22 min)

Eoin Keary on Women in Security and Growing an OWASP Chapter
Eoin (pronounced Owen for you Yankees) Keary runs a software security practice in Ireland. In his "spare time", he is a global board member for OWASP. At the AppSec Europe 2014 Conference in Cambridge, UK, I spoke with Eoin about how to get more women into the software security industry, starting with their participation in OWASP.
About Eoin Keary
Eoin Keary has been with OWASP since 2004. He is based in Ireland and runs a software security practice, bccriskadvisory.com. He is currently on the global board of the OWASP foundation; he was elected to the board in 2009. During this...
Published 2014-07-14 (6 min)

Achim Hoffmann and the o-Saft Project for Scanning SSL Connections
Achim Hoffmann is a researcher who has created a tool for listing information about a remote target's SSL certificate and testing the remote target against a given list of ciphers. This OWASP project, o-Saft, first gained notice when Jim Manico mentioned it on the OWASP email list. At AppSec Europe 2014, I was able to speak with Achim, along with Matt Tesauro, about the function of the tool and its uses.
About the Project
o-Saft is designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important information or the special...
Published 2014-07-01 (7 min)

OWASP Top 10 Privacy Risks Project with Florian Stahl and Stefan Burgmair
The OWASP Top 10 Privacy Risks Project aims to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. I spoke with co-leads Florian Stahl and Stefan Burgmair about how the project was started, the selection process for the top 10 risks and their future plans.
About Florian Stahl
Florian Stahl is a German security and privacy consultant and evangelist. He achieved his master's with honors in information systems science at the University of Regensburg in Germany and his master's in computer science at Växjö Universitet in Sweden. Florian started his...
Published 2014-04-29 (16 min)

The Run Up to a Massive Cyber Security Month with Tom Brennan
In anticipation of Security Awareness Month in October, Tom Brennan is planning an event featuring a cross section of various cyber groups in New York and New Jersey. A few weeks ago, I attended a Meet Up in New York City where many of the local groups got together to talk about what they are working on and how that plays into the October event. The Meet Up was VERY loud, so the sound quality leaves a bit to be desired, but the passion and enthusiasm still comes through. The first segment of the show is an introduction with Tom...
Published 2014-04-25 (20 min)

The OWASP Hacky Easter Challenge with Ivan Bütler
Ivan Bütler and his team at the Hacking Lab have whipped up a fun challenge for the Easter season. The Hacky Easter Challenge is a white-hat hacking competition for fun and education. Sign up and start your quest for Easter eggs! No need to be a "1337 h4xor" - there are challenges of different difficulty.
About Ivan Bütler
Ivan Bütler is the co-founder and CEO of Compass Security, a Swiss Ethical Hacking and Penetration Testing company located in Switzerland and Germany. Besides his own business he is also a tutor at both, the University of App...
Published 2014-03-27 (6 min)

The OWASP Top Ten Proactive Controls Project with Jim Bird
The OWASP Top Ten Proactive Controls Project is spearheaded by Jim Bird and Jim Manico. According to Jim Bird, it is a list of security techniques that should be included in every software development project.
I spoke with him about the evolution of the project and how he envisions it being used by the OWASP community, and specifically by developers.
Resources for this Broadcast
OWASP Top Ten Proactive Controls Project
Jim Bird on LinkedIn
About Jim Bird
Jim Bird is a software development manager and CTO with more than 25 years of experience in software engineering, with...
Published 2014-03-24 (14 min)

The OWASP Cornucopia Project with Colin Watson
For his most recent project at OWASP, Colin Watson has taken the concept of Microsoft's 'Elevation of Privilege' card game and transformed it into a process for identifying security requirements for web applications. In this segment of OWASP 24/7, I speak with Colin about the origin of the project, a typical use case for the game and what the next version of the deck will look like.
Resources for this broadcast
OWASP Cornucopia Project Page
Microsoft Elevation of Privilege Card Game
About Colin Watson
Colin Watson is an application security consultant based in London. He is project...
Published 2014-03-21 (15 min)

The OWASP WebSpa Project with Yiannis Pavlosoglou and Jim Manico
The OWASP WebSpa Project
The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking. If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as a form of host-to-host communication in which information flows across erroneous URLs. In this podcast we present this web knocking tool for sending a single HTTP/S request to your web server, in order to authorise the execution of a preselected Operating System (O/S) command on it.
Published 2014-03-03 (32 min)

2014 AppSec APAC - History and Overview (Japanese and English)
I was able to have a wonderful conversation with Riotaro Okada and Robert Dracea this morning, talking about the upcoming AppSec APAC conference in Tokyo. This interview is unique, in that we have the English and Japanese responses integrated into the conversation. This is the first event of its kind in Japan and you can tell the locals are very excited about the possibilities, from internationally recognized speakers to showing visitors the hospitality of Japan. We begin the discussion with how the Tokyo OWASP chapter was started and how it led to the AppSec APAC Conference.
Riotaro Okada Researcher
Published 2014-02-20 (17 min)

AppSec USA 2013 – Mark Arnold Talks about the Boston OWASP Chapter
Mark Arnold helps run a very successful OWASP chapter in Boston. In this extended discussion, I talk with Mark about why the chapter is doing so well, what lessons others could learn from his chapter's success and what he would like to see happen to gain a broader audience for the group.
About Mark Arnold
Mark Arnold is Director of Information Security for PTC, a global leader helping companies achieve and sustain service and product advantage. He has served in various security roles and capacities across multiple industries and as a security consultant. Mark continues to provide leadership...
Published 2014-02-18 (10 min)

OWASP Statement on the Security of the Internet 2014
"Not making a statement can be a statement in its own right." -- Tobias Gondrom
Earlier this week, OWASP released a statement after an internal debate regarding recent allegations that RSA had weakened its encryption while receiving $10 million from the NSA. There was heated discussion about whether or not to publish a statement. Would it be perceived as political?
What is OWASP's responsibility when it comes to defending the trustworthiness of software? I spoke with Tobias Gondrom and Eoin Keary about that debate. Their premise is that this is not a political statement, but a clarification to keep OWASP...
Published 2014-01-31 (14 min)

AppSec USA 2013: Jim Manico - Life after OWASP Podcasting
"For an organization to really mature around application security, they need to be building security into their software from day one." -- Jim Manico
Jim Manico started the OWASP podcast series in 2008. In that time, he has recorded close to 100 interviews to keep the community updated on the latest project development within OWASP. As Jim reaches his 100th episode, he reminisces about how the series was started, what his original vision was and what he's going to do now that he has passed the reins over and moves on to other projects. We start with a question about the origins...
Published 2014-01-07 (13 min)

AppSec USA 2013 - Abbas Naderi and the OWASP PHP Security Project
"There are a lot of security flaws in websites like Facebook and WordPress applications. Most of those flaws are because the developers first create the application and then consider the security." -- Abbas Naderi
PHP is one of the most used programming languages for the web. The problem with PHP has always been that it's easy to get started programming with PHP, but that's also one of its biggest flaws when considering application security. Abbas Naderi leads the OWASP PHP Security Project, which is a sample framework to demonstrate proper usage of the tools and libraries, as well as providing...
Published 2013-12-19 (11 min)

AppSec USA 2013: Zed Attack Proxy Project with Simon Bennetts
"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for."
-- Simon Bennetts
In today's segment, I talk with Simon Bennetts, project lead for the OWASP Zed Attack Proxy Project or "ZAP" for short. Simon is working on a user-friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about.
About Simon Bennetts
Simon Bennetts (a.k.a. Psiinon...
Published 2013-12-13 (10 min)

AppSec USA 2013 - Michael Coates on the AppSensor Project
Michael Coates has a vision: smart applications that come to their own defense. "We need to get to that point where we realize that our apps are in a military zone, they are being attacked all the time." -- Michael Coates
In this segment of OWASP 24/7, I speak with Michael Coates, Chairman of the OWASP Board and the founder of the AppSensor Project. Michael's contention is that applications should be smarter, that an app should "know" when it is being attacked and have a proactive, built-in response. We discuss the AppSensor project in depth: what is it, why was it...
Published 2013-12-10 (11 min)

AppSec USA 2013 - The OWASP Application Security CISO Guide with Marco Morana and Tobias Gondrom
"The CISO Guide provides guidance and visibility to CISOs on how to initiate an application security program, how to make the business case, how to manage the risks of applications and how to measure those risks. The guide is structured as a journey, because application security is not a destination, it is a journey." -- Marco Morana
Marco Morana is the coordinator of the OWASP Application Security Guide For CISOs Project and Tobias Gondrom is the project lead for the OWASP CISO Survey.
They have combined resources to provide us with a CISO framework for implementing an application security program...
Published 2013-12-02 (27 min)

AppSec USA 2013 - The Purpose of OWASP, an Interview with Co-Founder Dennis Groves
Many people in the OWASP community don't know Dennis Groves... and that's a surprise since he is one of the co-founders of the movement. I was able to catch up with Dennis at AppSec USA in New York City (November 19, 2013) and we had an interesting discussion about the beginnings of OWASP and what he sees in the future.
Highlights of our Discussion
* The event that triggered the inspiration for OWASP
* The original purpose of OWASP
* The use of OWASP as a de facto standard
* Future vision for OWASP
* The dilemma of community obligation
About Dennis Groves ...
Published 2013-11-26 (18 min)

AppSec USA 2013 - OWASP Panel on Using Components with Known Vulnerabilities
Last week at AppSec USA in New York City (November 20, 2013), I moderated a panel with Jeff Williams and Ryan Berg talking about the latest addition to the OWASP Top 10, Using Components with Known Vulnerabilities. This is the full recording of that session.
Published 2013-11-26 (48 min)

Tom Brennan - What to expect at AppSecUSA 2013
In this segment, I talk with Tom Brennan, the organizer of AppSecUSA 2013 in New York City. The conversation centers around what's going on in New York, why Tom took on the project and what makes AppSec conferences special.
About Tom Brennan
Tom Brennan has been a volunteer with the OWASP Foundation since 2004, when he founded the New Jersey Chapter after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006.
Tom was appointed to the Global Board of Directors in 2007 by his peers...
Published 2013-11-08 (14 min)

Kelly Santalucia - Growing OWASP and the Outreach Programs
In this segment of OWASP 24/7, I talk with Kelly Santalucia about what it takes to grow OWASP, how she's working with the outreach foundation, the outreach program for kids, the diversification of the membership... things that are helping the community grow. We also talk about what OWASP will look like in the future as virtual chapter meetings become an integral part of the platform. I began by asking Kelly what her job responsibilities are with OWASP.
Published 2013-11-07 (12 min)

Kate Hartmann - The Future of Virtual Chapter Meetings
Kate Hartmann is Operations Director of OWASP. She is responsible for creating and maintaining the platform for the OWASP organization. Kate has a unique perspective on how virtual meetings are becoming an important tool for the global community. We start our discussion with Kate talking about her typical day at OWASP... which begins with a full pot of coffee to get her jumpstarted.
About Kate Hartmann
Kate joined the OWASP Foundation in May 2008. Her work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out...
Published 2013-11-05 (14 min)

Sarah Baso - What does it take to support 43,000 members in 100+ countries?
Sarah Baso is the Executive Director of OWASP. Her day-to-day responsibilities include managing a membership of over 43,000 people in 100+ countries. What does it take to run an organization this size, and how do you prepare for the future without getting bogged down in the details?
About Sarah Baso
Sarah is based in San Francisco, California, USA and has been the Executive Director of the OWASP Foundation since April 2013.
In this role, she supervises the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.
Published 2013-10-31 (20 min)

Samantha Groves - Getting the Most from OWASP Projects
As the Projects Manager for all projects at OWASP (the Open Web Application Security Project), Samantha Groves has deep visibility into the 140 or so projects currently on the boards at OWASP. We start our discussion with what her typical day looks like and then move into how OWASP is changing and the different models for project frameworks.
About Samantha Groves
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioural research projects, competitor analysis, event organisation and management, volunteer engagement projects...
Published 2013-10-30 (17 min)