Owasp 24/7

In this episode, Matt Tesauro hosts David Gillman about JWT Patterns and Anti-Patterns. I first met David at LASCON in the fall of 2021 when I sat in on his conference talk. Based on David’s experiences with JWTs we discuss where JSON Web Tokens can help and harm developers who use them. It seems like JWTs can be a mixed bag mostly determined by how you use them. Hopefully this episode will help you avoid any JWT sharp edges if or, more likely, when you work with them. Show Links: - Video of David’s presentation at LASCON - https://www.youtube.com/watch?v=xTk4ff0eAUg&list=PLLWzQe8KOh5nv8OBs3j39DNYULfxwv_6V&index=29&ab_channel=LASCON - David Gillman on Twitter - https://twitter.com/primed_mover

In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous teams how to do threat modeling. Learn what makes a good threat model and some news about a new book from Adam to help further the spread of threat modeling with the end goal of more threat modeling and fewer security surprises. Enjoy! Show Links: - Threats Book site: https://threatsbook.com/ - Resources on Adam’s website: https://shostack.org/resources

Welcome back to the OWASP podcast. In this episode, we're headed to The VOID. I speak with Courtney Nash about the Verica Open Incident Database, otherwise known as The VOID, which is a collection of software-related incident reports available at https://www.thevoid.community/. It's a fascinating discussion about how, by gathering data from The VOID, we can make the Internet a safer and more resilient place. Courtney was super passionate about the research work she's doing. It was completely fun to chat with her and they've already produced some very interesting conclusions, in the published report available on The VOID website. I had a blast recording this one and I hope you enjoy it. EPISODE LINKS - The VOID: https://www.thevoid.community/ - 2021 Report: https://www.thevoid.community/report - Podcast: https://podcast.thevoid.community/ - Google MTTR report: https://www.oreilly.com/library/view/incident-metrics-in/9781098103163/ (Summarized also in the 2021 VOID report)

Hello, it's Matt Tesauro. Welcome back to my take on the OWASP Podcast. It seems as if I'm turning my episodes into the equivalent of a conference hall track, those wonderful interactions you have at conferences, running between rooms at conferences, meeting up with smart minds you don't see all the time. I have the pleasure of reuniting with Wendy Nather, CISO Advisor Extraordinaire, for this episode. We had a very interesting conversation about Software Bill of Materials (SBOMs). Like many of my interactions with Wendy, I learned from our conversation. She threw out some really good nuggets. I highly recommend looking up Wendy on Twitter (@wendynather). Besides the security wisdom she's going to drop, she's got a hell of a sense of humor. I think it will be worth the follow. Enjoy the episode.

“I absolutely hate SAFe!” -- Bryan Finster That is Bryan Finster, Distinguished Engineer at Defense Unicorns out of Colorado Springs. I was scrolling through LinkedIn a couple days ago, saw a thread on SAFe, The Scaled Agile Framework, and what I was seeing wasn’t exactly… well, what you’d expect to hear about a framework that’s being used by over 20,000 organizations, including the United States government. Before we get too much into it, here is the definition of SAFe. I took it directly off Scaled Agile, the creators and providers of the SAFe framework: “The Scaled Agile Framework® (SAFe®) is a system for implementing Agile, Lean, and DevOps practices at scale. The Scaled Agile Framework is the most popular framework for leading enterprises because it works: it’s trusted, customizable, and sustainable. If you want to build operational excellence, collaboration, responsiveness, and customer satisfaction into your organizational DNA, where do you start? SAFe provides a proven playbook for transformatio

Hello, I'm Matt Tesauro, one of the OWASP Podcast co-hosts. I had the opportunity to interview Tanya Janca for this podcast. To be honest, I kind of wish it was a video recording because you'd be able to see the big smiles and vigorous head nodding during the recording. Tanya and I are in violent agreement about all things appsec, and it shows. There's a nice mix of general advice, war stories, and some good nuggets in this interview. I hope you enjoy it.

8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 500,000 downloads. It has been a fun project, but it’s time to change things up a bit. There is a lot going on at OWASP, even more going on with the technology industry when it comes to cybersecurity. It’s too much for one person to keep up with. Enter the idea of multiple co-hosts for the podcast. Many of you listening already know of Vandana Verma and Matt Tesauro from their work with OWASP. I called to ask if they’d like to share the platform, producing their own episodes around a chosen concept. In today’s episode, Vandana, Matt and I talk about thoughts of an expanded concept for the podcast. We’ll each explain what we will be covering in our shows, and what you can expect to hear in the coming year. Our plan is to have three shows, (kind of like NPR programming when I think of it), under one umbrella: The OWASP Podcast Series. Come along with us and we t

We’ve all heard of “Red Teams” and “Blue Teams” when it comes to cybersecurity. But what about the “Purple Team”, the “Yellow Team” or the “Blue Team”. What are those? In February of 2020, Louis Cremen introduced the InfoSec Colour Wheel to the security community. The wheel expands upon April Wright’s work on bringing builders into the security team. The value of the wheel is to show the various types of security teams, seven in all, and the role each plays in security. Jasmine Henry brought the wheel to my attention. As she and I talked, we realized the InfoSec Wheel can be used as a thought exercise to show beginning cybersecurity professionals the various roles they can play within the community. This led to the discussion of careers in cybersecurity and what the near future looks like. In this broadcast, we’ll evaluate the wheel, talk through each of the seven personas and give our thoughts on the value of each role, how it works with the other roles, and the basics of what each provides. Let’s figure

A couple weeks ago I read an article by Chris Roberts. The headline screamed, “Security Solved!” Security solved? What the hell was he talking about. Everyday there’s a new media storm around the latest breach or ransomware attack. There’s an entire industry built around the idea that security is hard, and the need for special equipment, software and people to even think about being secure. Chris was insistent. He professed that security is not hard nor complicated. Not only does he consider it inexpensive and undemanding to do the right thing, his premise is it’s easy to get the simple stuff sorted. I called Chris to get clarification on what he was talking about. As we got deeper into the discussion, we both realized this was a topic that needed more exposure. If there really is a simple way to implement security, the world should hear about it. We invited people to participate in the recording of our discussion. You’ll hear us reference people who were online with us, sending chat messages and question

In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Juice Shop Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. Support for this broadcast is provide by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket… and with support from JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes und

In this episode of the People | Process | Technology podcast, I speak with Simon Bennetts from the Zap Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. The OWASP 20th Anniversary Celebration is a 24 hour global event, featuring sessions from each of the OWASP flagship projects, leaders of the Top Ten Project, presenters from around the world, and sessions from people who have helped OWASP over the past 20 years. Registration is open, and you can’t beat the cost… it’s free. Even if you can’t attend, please register so you’ll have access to all of the recorded sessions following the con

In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security in 2020, in part because of his work on the Cyber Defense Matrix, a framework for understanding and navigating your cybersecurity environments. The Cyber Defense Matrix started as a project when Sounil was the Chief Security Scientist at Bank of America. The initial problem he focused on with the matrix was how to evaluate and categorize vendors and the solutions they provided. The Cyber Defense Matrix is a structured framework that allows a company to understand who their vendors are, what they do, how they work along side one another, what problem they profess to solve, and ultimately to find gaps in the company’s portfolio of capabilities. In the seven years Sounil has been working on the project, he has developed use cases that make the Cyber Defense Matrix practical for purposes such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. The m

The Top 10 is considered one of the most important community contributions to come out OWASP. In 2003, just two years after organization was started, the OWASP Top 10 was created. The purpose of the project was to create an awareness document, highlighting the top ten exploits security professionals should be aware of. Since that time, innumerable organizations have used it as a guideline or framework for creating security programs. The current Top 10 list was released four years ago, in 2017. As part of a 2021 initiative at OWASP, the OWASP Top 10 is in the process of being updated, and scheduled for release this summer, in time for the OWASP 20th Anniversary Celebration. I was curious as to what has changed over the years with the Top 10, and what to anticipate in the upcoming release. In this broadcast, I talk with Andrew van Der Stock, Executive Direct of OWASP. He explains how the top ten exploits are chosen, the data source for determining the exploits, and the data research done to verify the selecti

When Shannon Lietz and the team at DevSecOps.org published the DevSecOps Manifesto six years ago, security was uppermost in their minds. The manifesto starts with a call to arms… “Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.” The effect of the DevSecOps movement was not understood by many, other than the handful of practitioners who understood what the team was going after: security is the responsibility of everyone, not just the security team. Security deserves a seat at the DevOps table. Fast forward six years, and security is now not just at the table, but sitting at the head of the table, leading the way. During this transition to focus on security, operations has become the short leg on a three legged stool. What was or

This is Mark Miller, Executive Producer. Over the years as I’ve produced the show, the topics of focus have followed the trends in the industry. What was originally called “The OWASP Podcast” became “OWASP 24/7” and then “The DevSecOps Podcast”. Each change brought with it a new audience, extending our community from exclusively OWASP practitioners, to DevOps and DevSecOps advocates. The audience for the podcast has grown, with close to 500,000 listens of the 150 episodes. We’ve covered book launches by speaking with the authors, we’ve talked about industry reports focusing on the Software Supply Chain. Topics have included Chaos Engineering, efforts to create a Software Bill of Materials initiative at the federal level, Threat Modeling and a multitude of other topics. You might have noticed something different, a new name for the podcast, at the beginning of the program today. Keeping a feel of the pulse of the industry is one of the things that interests me most as producer of the series. Currently,

OWASP is in a state of discord. Over the past few years, there have been fractures in the community. Recently, there have been arguments on the leader email list that have clearly breached the lines of etiquette. Personal attacks, distribution of funds, and complaints of lack of diversity are creating tension among the members. If we, as an organization refuse to confront these issues, there is a real potential we will no longer have relevance to the AppSec community. The in-fighting has become a detriment to chapter leaders and project leaders, who are looking to OWASP for consistent leadership and direction. In early July, the OWASP board announced the appointment of Andrew van der Stock as Executive Director. I called and spoke with Andrew at length about how he intends to confront the existing issues in the organization, and what he hopes to accomplish during his tenure. I have known Andrew for years through his work on the Application Security Verification Standard. As a previous OWASP board member, h

In this episode of the DevSecOps Podcast, we’re going to go off script and explore the LinkedIn algorithm. I could tie this back to DevSecOps, and how all of us need visibility for our work, or how important it is to build a community around our ideas, but the real reason is… I find this fascinating. One of the largest community engagement platforms in the world encourages us to play their game, but doesn’t tell us what the rules are! How are we to determine the best way to participate, when we have no idea on how to best contribute to maximize our visibility? Because that’s the game we are playing: how do we get, and maintain, visibility for our ideas on LinkedIn. How do we grow that visibility into an audience of our peers in order to contribute and expand those ideas. It is to the benefit of LinkedIn to give basic rules of engagement, but instead of guidelines for participation, we are punished for breaking undefined rules and rewarded for seemingly arbitrary reasons, which we then try to recreate witho

When I read Richard Stiennon's latest article in Forbes, The Demise of Symantec, I thought it was absolutely fascinating. Richard walks through the process of what happened at Symantec, how it was an acquisition engine for so many years, and now how it's started to decline. I got in touch with Richard and told him I'd like to have him read his article for the podcast, and he responded right away. What you'll hear in this episode is Richard talking about and reading from his article, The Demise of Symantec. Resources for this podcast: The Demise of Symantec, Forbes Online https://www.forbes.com/sites/richardstiennon/2020/03/16/the-demise-of-symantec/#6522117b5fc7 Security Yearbook 2020 https://www.security-yearbook.com/

Equifax is trying... I mean REALLY trying... to regain your trust. The Equifax CTO and CISO delivered the keynote at DevSecOps Days during 2020 RSAC. They contributed to multiple sessions and panels during the conference. The message was consistant: "Yes, we had a major problem. Here's what we're doing about it. Here's what you can learn from us." From a technical perspective, Bryson Koehler, CTO, and Jamil Farshchi, CISO, took on all questions from the audience. Nothing was out of bounds. They stayed after the session to talk one-on-one with those who had more questions. The words I heard most from the audience about the session was 'humility' and 'transparency'. That's a far cry from the poster child of breaches image the company has had to carry since 2017. Bryson and I sat down after the session at DevSecOps Days to go more into detail on what Equifax is working on, not just to re-gain user confidence, but to make a difference in the technology industry when it comes to lessons learned. He and Jamil are

If you like what you hear, you can download the entire book at sonatype.com/epicfailures As we were putting the finishing touches, getting ready to publish the latest version of Epic Failures in DevSecOps, I reread Jaclyn Damiano's chapter and was struck by how unique her message is. This is a personal story, one that will resonate with many people in the tech industry. It's a story of beginnings, of hardships, of leadership and finally, how all that combines into something much bigger than a technology solution. It's a story that talks about transforming people, not just companies. What you'll hear in this broadcast is Jaclyn reading her chapter, "Making Everyone Visible in Tech". There's no narrator, no discussion, just Jaclyn in her own words telling the story behind The Athena Project. It's a story of how she and her team took a diverse set of 40 applicants from underserved communities, with little to no technical background, and created a program to train and place those attendees in the tech industry