Owasp 24/7

Caroline Wong, Paula Thrasher and I were having lunch at DevOps Enterprise Summit when the conversation took an interesting turn. Paula and Caroline had been on a panel the previous day and didn't get a chance to do a deep dive into any of the topics. As we were talking at lunch, I realized is was a good opportunity to give them a chance to talk with each other on government vs public software security, about how the OWASP Top 10 might best be used and to they have discovered as common security patterns in their large scale projects. About Caroline Wong I am a strategic leader with strong communications skills, cybersecurity knowledge, and experience delivering global programs. My close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. I have been featured as an Influencer in the Women in IT Security issue of SC Magazine, named as one of the Top 10 Women in Cloud by CloudNOW, and

In our continuing series on the Struts2 vulnerability announcement and the breach at Equifax, we spoke with Mark Thomas, Director, Apache Software Foundation, and Brian Fox, CTO, Sonatype to clarify the processes ASF goes through when a vulnerability is found within one of their projects. About Mark Thomas Mark is currently employed by Pivotal where he spends most of his time working on Apache Tomcat. At the Apache Software Foundation, Mark is a committer and PMC member for Apache Tomcat as well as other projects. At the foundation level he is an ASF member, a member of the security and trademarks committees, is an infrastructure volunteer and a Director. Mark speaks regularly on Apache Tomcat including at ApacheCon.

A conversation on the ramifications of recent Struts2 announcements, the exploit at Equifax and the responsibility of companies using open source software. David Blevins, CEO, TomiTribe Brian Fox, CTO, Sonatype

What you should know about the latest struts2 vulnerability announcement w/ Brian Fox, CTO Sonatype, and Matthew Konda , Chair, OWASP Board of Directors. If you're a developer and concerned about security, a struts2 vulnerability announcement came out yesterday. I interviewed two experts to talk about the announcement and what you should be looking for. If you would like to watch a video of the interview, you can find it on YouTube: https://www.youtube.com/watch?v=jtUfPom06bo

Most of us want to help kids become proficient in programming and cybersecurity, but don't know how to get started or have time to manage such a project. Prashant Kv figured he'd put a team together with Vandana Verma and Rupali Dash and give it a shot. The first event in Bangalore was a huge success, with over 200 kids participating. I spoke with the Prashant, Vandana and Rupali about how the event was put together, why it worked and what their plans are for future events.

Earlier this week, Simon Bennetts from the OWASP ZAP Project announced the official availability of the OWASP DockerHub for housing projects. I caught up with Simon soon after to hear how ZAP was utilizing DockerHub and the benefits of containerization. https://hub.docker.com/u/owasp/

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the ModSecurity Core Rule Set Project with project co-lead Christian Folini. The OWASP ModSecurity CRS Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the OWASP Summit 2017 with conference organizer Sebastien (Seba) Deleersnyder. OWASP Summit 2017 is a 5-day participant driven event, dedicated to the collaboration of Development and Security professionals, with a strong focus on DevSecOps.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the WebGoat Project with project co-leads Jason White and Nanne Baars. WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Vicnum Project with project lead Nicole Becher. The Vicnum Project is a collection of intentionally vulnerable web applications. Vicnum applications are commonly used in Capture the Flag exercises at security conferences.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Defect Dojo Project with project lead Greg Anderson. The Defect Dojo is an open source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Virtual Village Project with project lead Evin Hernandez. The Virtual Village provides users with access to numerous operating system's Desktop as well as Servers. Users are able to create custom apps for other OWASP projects, as well as be able to request test environments , or honey pots , etc.

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Juice Shop Project with project lead Bjoern Kimminich. The Juice Shop is an intentionally insecure webapp for security training, written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Bjoern Kimminich (Project Leader OWASP Juice Shop) Personal Twitter: http://twitter.com/bkimminich OWASP Juice Shop Project Twitter: http://twitter.com/owasp_juiceshop Project Wiki Page: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Main Github Project: https://github.com/bkimminich/juice-shop Juice Shop CTF-Extension Project: https://github.com/bkimminich/juice-shop-ctf

"Why does OWASP even exist? Why do we even have this idea of understanding common issues, common problems. There are resources to help us do it better next time. I feel we are not learning at the curve where we should be, considering the resources available to us." -- Jaya Baloo As CISO of KPN, the largest telecom in the Netherlands, Jaya Baloo has a lot on her mind, but maybe not what you'd think. In this free wheeling discussion, we begin with what Jaya will be talking about during her keynote at AppSec EU 2017 in Belfast, and then move into cryptography, quantum technologies, and her concerns with the way software is currently built.

Brian Fox and Shannon Lietz talk about the recent announcement of the struts 2 vulnerability: What is it, how can it affect you, what you can do about it. You can view this broadcast as video on YouTube: https://www.youtube.com/watch?v=EzRKOudJPtQ

In mid-May I'll be joining the organizing team of AppSec EU 2017 in Belfast for a week of security and DevOps sessions. Listen in as Gary Robinson, Michelle Simpson and Owen Pendlebury talk about what's planned for the week.

In preparation for her keynote session at AppSec EU 2017 in Belfast, Shannon Lietz continues to explore the integration of DevOps and security. This is a recording of her session at RSAC 2017 in San Francisco.

Shannon Lietz, DevSecOps Lead at Intuit, will be giving a keynote presentation at AppSec EU 2017, Belfast. I talked with Shannon about what she will be presenting and why she is so excited to return to Ireland.

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. It is one of the most used projects at OWASP. With the current team headed by Bruce Mayhew, Nanne Baars and Jason White, work is moving forward on the creation of new content for creating training lessons for application security. I talked with Bruce and team about what they've done with the latest update and what they hope to accomplish in the coming year.

The OWASP ModSecurity Core Rule Set Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. Chaim Sanders,Ryan Barnett, Christian Folini and Walter Hop are the team coordinating the project. During 2016 AppSec USA, I spoke with Chaim about the purpose of the project, the work work done in the past year, the upcoming release and what the team hopes to accomplish in 2017. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project