Owasp 24/7

When Derek Weeks and I started All Day DevOps in 2016, we were unsure as to whether anyone would be interested.It's now four years later. Last week we had close to 37,000 people register for the event. We're still trying to wrap our head around the scale of something that generates a world wide audience in the tens of thousands for a 24 hour conference. One of the things that has grown organically from All Day DevOps is a concept called "Viewing Parties". It's an idea the community has created, not something planned by us. Over 170 organizations, meetups or user groups around the world setup a large screen and invited colleagues and friends over to share in the DevOps journeys that were being told throughout the day. Last year, we heard through the grapevine that State Farm had over 600 people show up to participate at their viewing party in Dallas. That's 600 people internally at State Farm. When I heard about it, I knew I had to speak with Kevin ODell, Technology Director and DevOps Advocate at State Far

Shortly after watching the documentary, Code Rush, I met with Tara Hernandez, the hockey stick carrying lead of the Netscape project that was being documented. We sat down at the Jenkins World Conference in San Francisco to talk about the effect that project had on her career, what she has been doing since with her position at google, and what she hopes to be working on in the coming years. We started our conversation by exploring the relationship between the Netscape project in 1998 and the current state of DevOps. Would DevOps have made a difference... the answer might surprise you.

Edwards Deming went to post-war Japan in the late 1940s to help with the census. While there, he built relationships with some of the main manufacturers in the region, helping them understand the value of building quality into a product as part of the production process, thus lowering time to market, eliminating rework and saving company resources. In his 1982 book, "Out of the Crisis", Deming explained in detail why Japan was ahead of the American manufacturing industry and what to do about. His "14 Points on Quality Management" helped revitalize American industry. Unknowingly, he laid the foundation for DevOps 40 years later. Eli Goldratt published "The Goal" in 1984, focusing on the "Theory of Constraints", the idea that a process can only go as fast as it's slowest part. In fictionalized novel form, Goldratt was able to reach a wide audience who would utilize the theory to help find bottlenecks, or constrainsts, within production that were holding back the entire system. Once again, the theories espoused

Once a year, Sacha Labourey and I sit down to discuss the past year and what the coming year looks like for DevOps and Jenkins. As CEO of CloudBees, Sacha has broad visibility into the progress of the DevOps/DevSecOps communities. We started our talk this year, commenting on the growth of the Jenkins World conference, with over 2000 attendees... what does Sacha attribute that to and does it coincide with the growth within the DevOps community. We continued our discussion by examining how cultural transformation within a company must align with the tools that are available to help with that transformation. Along the way we touched on where cultural transformation comes from within an enterprise, the question of whether DevOps has yet to jumped the chasm, the tipping point for a company's full acceptance of DevOps patterns, and what does Sacha hope to accomplish in the coming year All Day DevOps: A Supporter of DevSecOps Podcast If you're listening to this podcast, you've probably heard of All Day DevOps. Thi

I was affected by it. You were affected by it. We were all affected by the Equifax breach in September 2017. The truly interesting thing about it is, Equifax wasn't the only company hit by the struts 2 vulnerability that day. Many other companies were hit by it within that time period, but Equifax became the poster child for the main stream media. It was just too easy of a target because of consumer visibility. In the two years since the breach, Equifax has been working hard to restore its reputation, not just with consumer protection, but with the companies that depend upon credit data to make real business choices. I wanted to find out what Equifax is doing behind the scenes not just reputation wise, but technology wise when it comes to protecting data. Was it status quo as soon as the buzz died down? Did they pay their fine and go back to business as usual? Or are they making changes under the hood that will make a difference in how financial data is handled and what can be done with it. I met with Sean

OWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest security tribes in the world. In this episode of the DevSecOps Podcast Series, I speak with Ben Pick one of the organizers of the conference about what's important about this type of gathering and what you can expect when attending. https://dc.globalappsec.org/

The 2019 State of the Software Supply Chain Report was released on June 25th. The report is an analysis of the answers from over 5500 participants, allowing data researchers the ability to extrapolate what the most productive enterprises are doing when it comes to managing the software supply chain, and how that compares to less efficient development practices. The purpose of the analysis was to objectively examine and empirically document, release patterns and hygiene practices across 36,000 open source project teams and 3.7 million open source releases. In this conversation I speak with Derek Weeks, Project Lead for the report, and Stephen Magil, who along with Gene Kim, acted as research partners on the report. If you've been looking for verified research that can be used to help justify a DevOps initiative, or to validate the value of DevOps projects within your company, you'll want to stay with us.

Let's not talk around the subject here... women are under represented when it comes to speaking or participating in tech conferences. It's a male dominated culture. When I saw Lani Rosales had published, "The Ultimate list of Austin women who can speak at your tech event" in response to the complaint that there are no women speakers available in the tech industry, I called her right away. As co-founder of the world's largest DevOps conference, All Day DevOps, and as one of the core organizers of the global DevSecOps Days series of events, I wanted to hear how the list came together, her motiviation for creating the list and how the tech community has responded to an overt call for women speakers. One of the most surprising topics during our conversation was the continual reference to "the vanity of diversity". Lani is opposed to replacing males speakers just for the sake of having a token female speaker or panelists. As she says it, "Let's not remove male speakers, let's add female speakers." When she said

I produced my first concert at the San Anselmo Playhouse in 1979. It was the first in a series of events that has lasted 40 years. I have produced more than 300 events and participated in many hundreds more as a speaker and participant. As the producer of this many events, I have an internal map of what to do to make an event successful, the steps to create and manage the logistics of an event, and how to promote them. All Day DevOps, a live online conference I co-founded with Derek Weeks, has over 30,000 registrations yearly. This type of involvement gives me a unique perspective into why an event is successful. In the past few years, I've been sketching out a "How To.." manual on producing successful events. When the book "Building Internal Conferences" came across my radar, my first thought was "Good! Something I won't have to do." After looking through the book, I called authors Matthew Skelton and Victoria Morgan-Smith to trade stories on tips and tricks for managing successful events. You might ask y

In April 2019, I was invited to host a panel at the International Conference on Cyber Engagement in Washington DC, to discuss "Securing the Software Supply Chain". On the panel were four of the top voices in software supply chain management: - Edna Conway, Chief Security Officer, Global Value Chain, at CISCO - Joyce Corell, Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, US Office of the Director of National Intelligence - Bob Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, US Department of Homeland Security - Dr. Suzanne Schwartz, Associate Director for Science & Strategic Partnerships, Center for Devices & Radiological Health, US Food & Drug Administration This episode of the DevSecOps Podcast is the full session from the conference. It is an extended session, running an hour and a half, significantly longer that our usual broadcast. I think you'll find it worth the time. Thank you to the ICCE

When I think of Tel Aviv, I imagine a robust, young culture, living a good, fun life. Not only is the culture conducive to a young life style, its tech industry continues to gain traction. As Wired Magazine said last August, "Israeli startups have always been high on Silicon Valley shopping lists, but Tel Aviv is beginning to shake off its reputation as Europe’s exit capital." Zebra, the medical diagnostics company, MyHeritage online family tree service, Via ride sharing service, and the Waze navigation app, as well as dozens of other influencial start-ups call Tel Aviv home. This places Tel Aviv at the heart of the tech industry in Isreal and encourages conferences and gatherings on a regional, as well as global scale. In this broadcast, I speak with Avi Douglen and Ofer Moar, co-chairs of the upcoming Global AppSec Conference in Tel Aviv. They are both active participates in OWASP and the security community. I called them to find out more about the conference, how it's different from other conferences and

If you've read the Phoenix Project, you'll remember Brent, the indispensable cog on the operations team. Brent was a good guy, he wanted to do the right things, all of the right things, but was pulled in all directions because of the lack of a unified plan for the company's project workflow. But what if Brent didn't want to do the "right" thing? What if Brent was more interested in the convenience of getting his work done than he was in the overall health and output of the project. What if he deployed to production without checking into SourceSafe, not just once, but for years. From Tanya janca: I went to our trusty code repository, took a copy of the most recent code. I went looking for the bug, and I couldn't even find it. And then I'm running it locally, and I'm looking at the real one in prod. And they're completely different. I'm like, "What would have happened if I had pushed to prod? If I fixed that bug, and pushed to prod, and not noticed the difference?" And he's like, "All my work would have been g

Three years ago there was an idea floating around OWASP... a core community was looking for a way to have an isolated week, where security project working groups could get together, with no distractions, and work on projects they felt were important. From this idea, the Open Security Summit was founded. Now in it's third year, the summit takes place in an isolated forest located between London and Manchester. The format for the gathering is to present an environment, with no distractions, where the community of 150 security professionals can meet to update each other on their progress in the past year and to choose working groups to outline and work on future projects. This is not a podium lecture series conference. It is a 5-day high-energy experience, during which attendees get the chance to work and collaborate intensively. Each working session is geared towards a specific Application Security challenge and will be focused on actionable outcomes. In this episode, I speak with Seba (Sayba) Deleersnyder

Open-source components and their use within the software supply chain has become ubiquitous within the past few years. Current estimates are that 80-90% of new software applications consist of open-source components and frameworks. Section A9 of the OWASP Top 10 places components with known vulnerabilities as one of the most prevalent and abused parts of the software supply chain, placing it at a security weakness level of three, on a scale from one to three. Quoting from the OWASP description in A9, "Component-heavy development patterns can lead to development teams not even understanding which components they use in their applications or APIs, much less keeping them up to date." In today's episode, I speak with Allan Friedman, Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration. Our talk focused on the creation of a Software Bill of Materials, or an SBOM. As we begin, Allan describes his role in the project and what they hope to accomplish. About Allan F

"Chaos engineering is an empirical practice of setting up experiments to figure out where your system is vulnerable so that you can know that ahead of time and proactively fix some of these vulnerabilities in your system." -- Casey Rosenthal In this broadcast, I speak with Casey Rosenthal about the beginnings of Chaos Engineering and Netflix and how the concept has morphed into a cross-industry community, sharing ideas through local chaos conferences.

The Ladies of London Hacking Society was created by Eliza-May Austin in an act of frustration.Having nowhere to turn to meet other women within the security industry in the UK,Eliza-May fired off an online post lamenting the lack of local community support for technical security-based women. Her story is a common one. The post seemed to resonate with the local community. In a short time, she had close to 500 women join her London Meetup Group, focusing on sharing technical skills and industry stories.

What am I working on? What can go wrong? What am I going to do about it? Did I do a good job? These are the four questions at the heart of threat modeling In this episode, I speak with Adam Shostack, author of Threat Modeling: Designing for Security. We talk through how to begin threat modeling and the expectations of using modeling. Adam walks through the history of threat modeling, including his creation of the Elevation of Privilege game.

This is the sixth episode in an eight part series, talking with the authors of "Epic Failures in DevSecOps". In this segment, I speak with Chris Roberts about his chapter, "We are all special snowflakes", diving into topics as diverse as the failure of the security industry to protect us from ourselves and what is considered "acceptable" monitoring when it comes to the government, and to social sites. You can download a free copy of Epic Failures at DevSecOpsDays.com

The inclusion of security as an integral piece of the DevOps puzzle continues to gain traction. In this episode of the DevSecOps Days Podcast Series, I speak with Curtis Yanko and Scott McCarty about their new book, "A Concise Introduction to DevSecOps". We discuss why they wrote the book, who the audience is that will benefit from it and why enterprises should be considering security as part of the software development environment.

As if there aren't enough reasons to go to Southern California in the middle of a New York winter, AppSec Cali opens it's doors for its 6th Annual OWASP conference on January 22, 2019. In this broadcast, I speak with Richard Greenberg, one of the core organizers of the conference, talking about why people come, what they can expect to see and why he continues to help produce the conference year after year. For a transcript of this broadcast, go to DevSecOpsDays.com and click on "Podcasts".