OWASP 24/7

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 78:48:29

Information:

Synopsis

OWASP 24/7 is a recorded series of discussions with project leads within OWASP. Each week, we talk about the new projects that have come on board, updates to existing projects and interesting bits of trivia that come across our desk.

Episodes

  • Epic Failures in DevSecOps w/ Aubrey Stearn

    10/01/2019 Duration: 41min

    Aubrey Stearn is the Technical Lead for the Enterprise Cloud Platform at Nationwide. In the broadcast we talk with Aubrey about her chapter, "The Tale of the Burning Programme", in the recently released "Epic Failures in DevSecOps" book. Aubrey talks about her extensive experience guiding and molding teams, leading the way through the maze of decisions needed in order to build a more productive and efficient engineering culture. We start off the discussion with "Why is our biggest problem DevOps, itself?"

  • Strategic Asymmetry - Leveling the Playing Field w/ Chetan Conikee

    02/01/2019 Duration: 34min

    "In the past when we were writing software, it was our engineers and our organizations that had total cost of ownership of that software. But now, that has fundamentally changed. Engineers are using open source software and deploying the entire application on an open source framework, which means a large part of the software supply chain is no longer owned by the engineer." -- Chetan Conikee

    In this episode of the DevSecOps Days Podcast Series, I speak with Chetan Conikee about his chapter in the Epic Failures in DevSecOps book.

    About Chetan Conikee
    Chetan Conikee is a serial entrepreneur with over 20 years of experience in authoring, architecting and securing mission-critical software. His expertise includes building web-scale distributed infrastructure, cybersecurity, personalization algorithms, complex event processing, and fraud detection and prevention in the investment/retail banking domains. He currently serves as CTO/Founder at ShiftLeft, and most recently Chief Data Officer and GM Operations at Cloud

  • Threat Modeling - A Disaster Story with Edwin Kwan

    18/12/2018 Duration: 18min

    We continue the "Epic Failures in DevSecOps" series by speaking with Edwin Kwan about his chapter, "Threat Modeling - A Disaster Story". Edwin is Application and Software Security Team Lead at Tyro Payments. In our discussion, we talk about the three things he learned through his "Epic Failure":
    -- Demonstrate value at the buy-in
    -- Get early feedback
    -- Automate as much as possible
    During our discussion, we talk at length about the role of security and how to begin implementing automation at the earliest stages of the development process.

    About Edwin Kwan
    Edwin Kwan is the Application and Software Security Team Lead for a bank. His approach toward application and software security is to raise security awareness, provide light-touch controls in the software development life cycle to increase visibility of security issues, and work closely with engineering teams to quickly develop secure applications. Edwin started out as a software engineer and transitioned into the application security role to lead a range

  • The DevSecOps Unicorn Rodeo w/ Stefan Streichsbier

    14/12/2018 Duration: 23min

    Stefan Streichsbier talks about his chapter, "Unicorn Rodeos", in the just-released book "Epic Failures in DevSecOps". We start with where the chapter name came from and what it means, then lead into his three main points for hanging on for the rodeo ride:
    -- Don't waste time over-engineering
    -- Build for the right audience
    -- Find your champions
    We conclude with a discussion of technology trends in South East Asia and Indonesia. People mentioned include Gene Kim, Caroline Wong, Fabian Lim, Mohamed Imran, Magda Chelly, Edwin Kwan, DJ Schleen and others.

  • The DevSecOps Experiment

    10/12/2018 Duration: 14min

    DJ Schleen talks about his upcoming 15-part video series, "The DevSecOps Experiment", where he will walk through the setup of a software supply chain, including building in security at every step of the process. This is a lab-workshop style series, where you'll be able to immediately implement the solutions at the end of each 15-minute session. DJ will be available to answer your questions on his public Slack channel and will provide resources in the DevSecOps Days GitHub repository. This is a free, online workshop series. To be notified when each segment of the series is released, please sign up for notifications on DevSecOpsDays.com

  • Open Source Vulnerabilities - Who is Ultimately Responsible

    03/12/2018 Duration: 46min

    In this broadcast, I speak with Chris Roberts and Derek Weeks about lines of responsibility and npm package hijacking in light of the event-stream vulnerability announcement last week. The announcement of the event-stream npm package vulnerability has once again raised the issue of who is ultimately responsible when a breach like this is announced. Is it the original creator of the package? What about the team maintaining the package? Where does the end user fit in? How does social engineering come into play?

  • event-stream: Analysis of a Compromised npm Package

    27/11/2018 Duration: 21min

    Once again, the pattern of taking over a known package and modifying it with malicious intent has happened. In this case, it's with the event-stream module in the npm repository. In this broadcast I speak with Thomas Hunter, Software Developer at Intrinsic and author of "Compromised npm Package: event-stream", and Brian Fox, CTO of Sonatype and author of the Forbes article "Open Source Developers And Infrastructure Are The New Front Line Of Security?".

    Compromised npm Package: event-stream
    https://medium.com/intrinsic/compromi...

    Open Source Developers And Infrastructure Are The New Front Line Of Security
    https://www.forbes.com/sites/forbestechcouncil/2018/05/11/open-source-developers-and-infrastructure-are-the-new-front-line-of-security/#2ad9e84457c2

    Open Source Software Is Under Attack; New Event-Stream Hack Is Latest Proof
    https://blog.sonatype.com/open-source-software-is-under-attack-new-event-stream-hack-is-latest-proof

  • Spy vs Spy in Application Security: Harvesting Adversaries

    02/11/2018 Duration: 16min

    "The guy who wrote wifi software with SSID never imagined that someone could use that SSID to transmit data by writing two smaller applications to leverage it. We are constantly going to be in this [type of] battle. Ultimately we've got to find a way to stay ahead of it by understanding the mechanisms by which we're writing the abuse case possibilities." -- Shannon Lietz

    Following their session at DevOps Enterprise Summit 2018, I sat down with Shannon Lietz and James Wickett to talk about who the real adversaries are when it comes to application security, what you can do to expose those adversaries, and steps to get started on your own internal adversary program.

    About Shannon Lietz, DevSecOps Leader for Intuit
    Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security defenses and next-generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit where she is responsible for setting and driving the company's DevSecOps and c

  • Moving from Projects to Products w/ Mik Kersten

    31/10/2018 Duration: 39min

    "If you look inside a large enterprise IT organization, they have this very bizarre and broken layer that's completely separating the way that business thinks in terms of products, budgets and costs, and the way IT people know the way they need to innovate, which is delivering products faster." -- Mik Kersten

    I sat down with Mik Kersten, CEO of Tasktop, and John Willis after Mik's presentation at DOES2018. His new book, Projects to Products, is an attempt to help the industry move from success metrics more appropriate for the industrial age to a new type of measurement, where value is measured as part of the overall business goal through Value Stream Mapping.

    About Mik Kersten
    Dr. Mik Kersten is the CEO of Tasktop Technologies, creator and leader of the Eclipse Mylyn open source project and inventor of the task-focused interface. As a research scientist at Xerox PARC, Mik implemented the first aspect-oriented programming tools for AspectJ. He created Mylyn and the task-focused interface during his Ph

  • The Journey to Open Source at Capital One w/ Tapabrata "Topo" Pal

    29/10/2018 Duration: 19min

    Why would you allow open source usage in your company? What are the compelling reasons to take the risk? In this discussion, I talk with Topo Pal and Derek Weeks about the industry perception of open source and what's really happening behind the curtain at large enterprises. Topo had just finished his keynote presentation at DevOps Enterprise Summit 2018 and I wanted to dive a little deeper into some of the things he talked about.

    About Topo Pal
    Dr. Topo Pal is Senior Director & Sr. Engineering Fellow at Capital One. His main areas of expertise are DevOps/DevOpsSec/Rugged DevOps and Continuous Integration and Continuous Delivery. Topo is also interested in Natural Language Processing, Information Extraction, Architecture Strategy, Application Architecture and Integration Architecture.

    About Derek Weeks
    Derek E. Weeks, Vice President, Sonatype. Derek is a huge advocate of applying proven supply chain management principles to DevOps practices to improve efficiencies and sustain long-lasting competitive adva

  • The Future of Software and DevOps / with Sacha Labourey

    17/09/2018 Duration: 23min

    "The compensation, the incentives that people have are very much anchored in short term objectives that do not take into account the vision for the bigger transformations that are happening within the market." -- Sacha Labourey, CEO, CloudBees

    Sacha Labourey runs one of the most visible and respected companies within the DevOps and DevSecOps communities. At Jenkins World 2018, I sat down with Sacha to hear how his year went, how security can become a more important process within the software development pipeline, and how the Jenkins community adds value to the company.

  • How to Build Chapter Engagement at OWASP

    17/09/2018 Duration: 16min

    While at 2018 AppSec EU, I spoke with Sam Stepanyan and Grigorios Fragkos, chapter leaders of one of OWASP's largest chapters. The conversation centered on what it takes to grow a community and what it takes to lead a chapter.

  • A Message from the Executive Producer

    15/07/2018 Duration: 02min

    This is Mark Miller, Executive Producer. 4 years ago I took over the creation and curation of the OWASP podcast series. In that time, there have been 118 episodes, with a combined listenership of over 269,000 plays. The series began as a way to speak with OWASP project leads and chapter leaders to let the community hear what was being worked on. Gradually, the show has morphed into something broader. Recent broadcasts highlighting the work done in the DevOps and DevSecOps communities receive well over 2000 listeners per episode. We have helped give exposure to DevSecOps practitioners at major AppSec Conferences in Europe and the United States, I have produced the DevSecOps tracks at RSA Conference in San Francisco and Singapore for the past 3 years, and we've given voice to the security practitioner in lieu of the security vendor through the production of All Day DevOps. This has allowed us to reach out to new communities, a new listenership, interested in hearing how software security is changing from a

  • 2018 AppSec EU London - Conference Preview

    19/06/2018 Duration: 22min

    In this episode, I speak with the organizing committee of 2018 AppSec EU, hearing about what's planned and why you should consider attending this international conference in London.

  • Steps to Responsible Disclosure with Bas van Schaik, Man Yue Mo and Brian Fox

    20/03/2018 Duration: 30min

    On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle, the team behind lgtm.com. In this episode of OWASP 24/7, I speak with the research team at Semmle about how they discovered the vulnerability. Brian Fox also joins the discussion on the process for responsible disclosure, different ways to approach it, and what other companies and projects do when a vulnerability is found in their project.

    About Man Yue Mo, Security Researcher at Semmle for lgtm.com
    During his PhD in mathematics at Oxford, Mo became interested in scientific algorithm development with a focus on data science and machine learning. At Semmle, Mo developed an interest in Semmle's core technology for writing queries over source code. This QL query technology is freely available on lgtm.com for the open source community to use for analyzing their code. Mo has since used QL to identify numerous security vulnerabilities

  • RSAC 2018 - Preview of Opening Session for DevOps Connect: DevSecOps Day

    26/02/2018 Duration: 35min

    Shannon Lietz, Caroline Wong and Paula Thrasher will give the opening remarks at DevOps Connect: DevSecOps Days on April 16 at the RSAC Conference in San Francisco. On today's show, I talk with Shannon, Caroline and Paula about what they hope to accomplish during their talk, and why DevSecOps is becoming the hottest topic in this year's growth of the DevOps community.

  • HackNYC 2018: Preview with Kevin E. Greene

    07/02/2018 Duration: 18min

    Prior to his work as Principal Software Assurance Engineer at MITRE, Kevin E. Greene was R&D Program Manager for the Department of Homeland Security. He is currently on the organizing committee for HackNYC, helping to organize talks and sessions around protecting and securing our national infrastructure. I spoke with Kevin about the current state of software security and how each of us can play a role in the security of modern software.

    About Kevin E. Greene
    With more than 17 years of information assurance and security experience in security program management, assessment, auditing, and testing, Kevin Greene brings valuable skills and capabilities to the Department of Homeland Security Science and Technology Directorate (DHS S&T). As a member of the Homeland Security Advanced Research Projects Agency (HSARPA) Cyber Security Division, Greene has identified, developed, and transitioned technology projects through multiple commercial and academic organizations for the past two years. Responsible for the over

  • HackNYC 2018: Preview with Dr. Bill Curtis

    01/02/2018 Duration: 32min

    In May, at HackNYC 2018 in New York City, Dr. Bill Curtis' team of Tracie Gerardi and Lev Lesokhin will deliver a presentation on putting an end to "Technical Debt". I spoke with Dr. Curtis about his work on the creation of various maturity models, the current state of security in software development and "what keeps him up at night". You might be surprised at his answer. Listen in...

    About Dr. Bill Curtis
    Dr. Bill Curtis (born 1948) is an American software and organizational scientist. He is best known for leading the development of the Capability Maturity Model [1] (CMM for Software) and the People CMM [2] at the Software Engineering Institute at Carnegie Mellon University. He co-founded TeraQuest, a provider of CMM-based services, which was sold to Borland Software Corporation in 2005. He has published 5 books and over 150 articles, and in 2007 was elected a Fellow of the Institute of Electrical and Electronics Engineers for his career contributions to software process improvement and measurement.

  • The OpenChain Project with Shane Coughlan

    12/01/2018 Duration: 17min

    The OpenChain Project identifies key recommended processes for effective open source management. The project builds trust in open source by making open source license compliance simpler and more consistent. In this broadcast, I speak with Shane Coughlan, project director, about the purpose of the project and what his team hopes to accomplish in 2018.

  • Expanding Community Engagement at OWASP w/ Greg Anderson

    30/11/2017 Duration: 23min

    Newly elected to the OWASP board, Greg Anderson is interested in how to expand the OWASP community. I talked with him about what he hopes to accomplish during his tenure on the board, the first initiatives he would like to implement, and various ideas for working with OWASP chapters, projects and events.

    About Greg Anderson
    Technical leader with 6+ years of experience in all facets of security. Primary areas of expertise include application security, security in DevOps, security automation, program management and program development.
