Owasp 24/7

This is a live recording from 2016 IP Expo London, with Shannon Lietz (Intuit), Chris Swan (CSC) and host Mark Miller (Sonatype) discussing the future of security as it relates to DevOps. Shannon and Chris are real world practitioners, bringing stories from the trenches. We initially start with where the term DevSecOps came from, then move on to the future of automated security as part of the DevOps ecosystem.

Today's podcast is the fourth in a series of four, talking with prospective 2016 board members. Today's question is, "What is more important to you as a candidate 1) Members 2) Projects 3) Conferences 4) Chapters " The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.

Today's podcast is the third in a series of four, talking with prospective 2016 board members. Today's question is, "What is the single most important issue for you to tackle if elected to the board?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.

Today's podcast is the second in a series of four, talking with prospective 2016 board members. Today's question is, "Do you consider vendor neutrality an issue at OWASP? If so, why?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.

Today's podcast is the first in a series of four, talking with prospective 2016 board members. Today's question is, "What kind of action plan do you have in mind to help motivate the participation of Developers into OWASP community." The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using google hangouts, so there will be slight sound glitches and background noises during some of the answers.

From October 11 - 14, 2016, appsec professionals from around the world will gather in Washington DC to participate in one of this year's main OWASP events, AppSec USA 2016. In this broadcast, I speak with three organizers of the event (Andrew Weidenhamer, Mike McCabe, Patrick Cooley )to get insight as to what to anticipate at the conference, the unique qualities of an AppSec USA event, and a sneak peek at the sessions that will be given over the 4 day event.

Continuing the theme of integrating security in DevOps processes, I spoke with Sacha Lebourey, CEO of Cloudbees, during a stop at CD Summit in London. As one of the main players in the software supply chain for DevOps, I was interested in Sacha's perspective on how automated security fit into that supply chain. We start the discussion with "What is continuous delivery" followed by the place for security in the modern developer environment. About Sacha Labourey Sacha was born in Neuchâtel, Switzerland and graduated in 1999 from EPFL. It was during Sacha’s studies in 1996 that he started his first consulting business - Cogito Informatique. In 2001, he joined Marc Fleury’s JBoss project as a core contributor and implemented JBoss’ original clustering features. In 2003, Sacha founded the European headquarters for JBoss and, as GM for Europe, led the strategy and partnerships that helped fuel the company’s growth in that region. While in this position, he led the recruitment of some of JBoss’ key talent and acq

Sanjeev Sharma is a Distinguished Engineer at IBM. His main concern is how DevOps initiative scale in large enterprises. In this wide ranging discussion recorded during CD Summit in Stockholm, I talk with Sanjeev about DevOps adoption, how security will play a critical role in any automated, scalable solution and the transition of traditional IT operations to the role of service provider.

The "State of the Software Supply Chain Report" featured in today's show is an industry report produced by Sonatype. In the spirit of full disclosure, Mark Miller is the Senior Storyteller and DevOps Advocate for Sonatype. That said, no products are mentioned, nothing is being sold. Sonatype is the steward of the Central Repository and has access to an incredible set of data. The information in the report relates directly to A9 within the OWASP Top 10: Using components with known vulnerabilities. The full report is available as a free download. To describe the findings of the report and the discoveries made from analyzing the open source download patterns of 3000 companies, I spoke with Derek Weeks, VP and Rugged DevOps Advocate from Sonatype.

Jason Schmitt's passion is to assure security is built into the development process, not just as a bolt-on add-on. His experience in various aspects of software security has led him on a path through mobile, application and cloud security. In our conversation, Jason talks about the value OWASP provides to the community as well as what he perceives as a critical time for the integration between DevOps and security. About Jason Schmitt Jason Schmitt is vice president and general manager of HPE Security Products, Fortify for Hewlett Packard Enterprise. He is responsible for driving the growth of Fortify’s software security business and managing all operational functions within the group. Schmitt has extensive experience in product management, development and marketing for all types of web and security technologies. His expertise ranges from cloud-based secure web gateways, to application security and mobile security consulting services, to network-based video surveillance.

The Application Security Verification Standard Project is a Flagship project at OWASP. It provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. I sat down with Andrew van der Stock at AppSecEU 2016 to get the most recent updates on the project and to gain an insight into future plans.

At 2016 AppSecEU in Rome, five teams showed up for the University Challeng. I talked with the organizers of the challenge about the history of the project and two team leaders to see how the challenge was going and what value they were getting by participating in the contest.

In this episode, Jim Manico turns the tables on me for for his 100th podcast. He digs into my past, asks about my motivations for participating in OWASP, inquires on what I hope to accomplish through the series and how DevOps and security can be part of a single conversation when it comes to the software supply chain. Mark Miller is the Senior Storyteller and Developer Evangelist for Sonatype. He is the curator of TheNexus Community Project, while participating in DevOps and security conferences as a frequent panel host. He recently helped build the DevOps track for RSAC Conference 2016, InfoSec Europe 2016 and is working on the DevOps track for AppSecUSA 2016, this fall in Washington, DC. Mark's most recent project is "An Innovator's Journey to DevOps", a series of interviews and profiles highlighting important people and DevOps projects that deserve more exposure. You can listen to that series at www.sonatype.com/devops-an-innova…journey-sonatype

What can you expect when you attend AppSec EU 2016 in Rome at the end of June? I talk with Bart de Win and Matteo Meucci, conference chair, to see who is coming, why you should and what to expect when AppSec EU goes to one of the world's greatest cities. Registration is open: https://2016.appsec.eu/

To understand more about communication patterns in open source supply chains, Dr. Gail Murphy and Dr. Marc Palyart undertook a study of 1,227 public projects hosted on GitHub. I spoke with Dr. Murphy about the project and what it means for open source developers trying to generate visibility and community around their project. About Dr. Gail Murphy Dr. Murphy is a leading researcher on software evolution and tools. She brings to Tasktop extensive experience as a software developer and principal investigator of a large research group. In recognition of her research, Gail has been a keynote speaker at several software engineering conferences. She has received international awards, such as the AITO Dahl-Nygaard Junior Prize, a University of Washington College of Engineering Diamond Award, and an ACM Distinguished Scientist award. Her national awards include the NSERC Steacie fellowship. Most notably, Gail was elected to be a fellow of the Royal Society of Canada. This fellowship is the highest academic accola

Lawrence Pingree and I were having a discussion in the press room at RSA Conference 2016. We talked about his work with Gartner, analyzing deception as part of cybersecurity. His voice was so passionate, I just had to turn on the recorder. I haven't heard many people talking about this subject, but it's intriguing to think about... more than honeypots, true deception. Have a listen. About Lawrence Pingree Lawrence Pingree has been an active member of the Information Security industry for many years. He has consulted for large financial institutions, corporations and government entities on technologies ranging from firewalls, intrusion detection, networks, system penetration, risk management, compliance, eDiscovery and Forensics. He has served as a Chief Security Architect at both Peoplesoft and Netscreen. He is currently an active member of the Information Systems Security Association (ISSA) of Silicon Valley as well as the Open Web Application Security Project (OWASP) and is a published author of two boo

Leigh Honeywell And Ari Rubenstein are Senior Staff Security Engineers at Slack. I saw Leigh on Wendy Nather's panel during RSA Conference 2016 and was interested in getting some insight into what's going on at Slack when it comes to DevOps. As luck would have it, Ari was in the audience, so we were able to step outside into the hallway and talk about how DevOps, security and engineering work together at Slack. About Leigh Honeywell Leigh reboots computers and makes hackerspaces. Leigh is a Security Engineer at Slack. Prior to Slack, she worked at Salesforce.com, Microsoft, Symantec, and Bell Canada. Her career has included everything from stringing cable and building phone systems to responding to some of the most serious computer security incidents in industry history, shipping software to a billion people, and protecting infrastructure running companies’ critical business communications. Her community work includes founding the HackLabTO hackerspace in Toronto, Canada, and the first feminist hackerspace

You just have to accept it. The hackers are going to get in. The question is, what are you going to do once they are in? In preparation for Sam Guckenheimer's session at Rugged DevOps, RSA Conference 2016, I spoke with Sam about his work at Microsoft and how his team is working on Security War Games to keep things in check. About Sam Guckenheimer Sam Guckenheimer is Product Owner for the Microsoft Visual Studio Cloud Services, including VS Team Services and Team Foundation Server. He focuses on DevOps, Agile and Application LifeCycle Management (ALM). His most recent talk: From Box to Cloud at Gartner AADI 2015 is available at https://gartner.mediasite.com/Mediasite/Play/a246d6f2d86f47dab8fc4ee49887b5f81d. Sam is the author of three books, most recently Visual Studio Team Foundation Server 2012: Adopting Agile Software Practices: From Backlog to Continuous Feedback. Prior to joining Microsoft in 2003, Sam was Director of Product Line Strategy at Rational Software Corporation, now the Rational Division of

After John Willis' keynote session next week at Rugged DevOps during RSA Conference 2016, he says he's going to grab a front row seat because he's so excited about the line up. In this interview, I talk with John about his relationship with Josh Corman and how they started working together. We talk about security as part of the software supply chain, the part Docker plays in the reference architecture picture for enterprise DevOps and how the developer world has changed in the past 5 years. About John Willis John Willis has worked in the IT management industry for more than 35 years. Currently he is an Evangelist at Docker Inc. Prior to Docker Willis was the VP of Solutions for Socketplane (sold to Docker) and Enstratius (sold to Dell). Prior to to Socketplane and Enstratius Willis was the VP of Training & Services at Opscode where he formalized the training, evangelism, and professional services functions at the firm. Willis also founded Gulf Breeze Software, an award winning IBM business partner, whic

Chenxi Wang has had a diverse career in the technology industry, Before her current position as Chief Strategy Officer at Twistlock, she was Vice President, Cloud Security & Strategy at CipherCloud, Vice President, Strategy and Market Intelligence at Intel Security, and Vice President at Forrester Research. Along the way, she has worked on technology education initiatives and is currently at work on Equal Respect, a movement to stop the objectification of women in technology. In this interview, I spoke with Chenxi about her upcoming sessions at RSA Conference 2016, her work on the Equal Respect initiative, and her passion for software security education.