Synopsis
OWASP 24/7 is a recorded series of discussions with project leads within OWASP. Each week, we talk about the new projects that have come on board, updates to existing projects and interesting bits of trivia that come across our desk.
Episodes
-
DevOps: Politics, People and Process with Paula Thrasher
24/02/2016 Duration: 14min
I first met Paula Thrasher at DevOps Summit 2016 in San Francisco. Her message about people at the core of software supply chain processes resonated with me enough that I invited her to participate on a panel at RSA Conference 2016 in San Francisco on February 29. In the run up to the conference, I recorded this call with Paula about what it takes to facilitate a large scale DevOps project for the US Government. Her main concentration is in change management and how to deal with the intricacy of various personalities when working with developers, the security team and operations.
About Paula Thrasher
Paula is an Application Delivery Lead at CSRA, formed from the merger of CSC's government services unit and SRA International. CSRA is the leading provider in next-generation IT and professional services to the US Government. Paula leads digital transformations for customers across the federal government. She has 20 years experience in information technology and works in the federal market leading agencies
-
OWASP Top 10 Proactive Controls Project with Jim Manico and Katy Anton
09/02/2016 Duration: 21min
The OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community to decide the criteria for building the list of controls.
-
The OWASP WebGoat Project, version 7.0, with Bruce Mayhew
01/02/2016 Duration: 17min
The WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. I caught up with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of this project. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
-
Johanna Curiel on the Growing Pains of OWASP and Management of Project Reviews
27/01/2016 Duration: 26min
Several months ago Johanna Curiel figured she'd had enough and was ready to take a break from OWASP. Recently, she came back and is working tirelessly to revamp the Project Review initiative. I talked with Johanna about why she left, what has changed to make it enticing enough for her to return and what her vision is for the Project Review team in the coming year.
-
2016 - What's in Store for the OWASP 24/7 Podcast Series
21/01/2016 Duration: 04min
As we move into 2016 and my second year as executive producer of OWASP 24/7, I want to give a quick overview of my objectives for the year and what you can expect from the series.
-
OWASP Shark Tank - Could You Convince Someone to Invest in Your Project?
25/11/2015 Duration: 24min
Funding of projects. Allocation of personal time. What does it take to get a project funded with limited resources? The OWASP NYC/NJ chapters are trying something new at the December 7th meeting: two projects will make pitches to a crowd of 300, with two angel investors in attendance. In this OWASP 24/7 broadcast, I talk with Tom Brennan, event organizer, and the two people who will be pitching their projects. Listen in to see if this is something you might want to do for your chapter or project.
Here's a review of the Shark Tank pitch that two people made on the actual Shark Tank show. Needless to say, it didn't go too well. http://www.inc.com/brian-j-oconnor/shark-tank-recap-there-s-no-crying-on-shark-tank.html
Find out more about the December 7 event on the NYC/NJ Meetup Page http://www.meetup.com/nycmetrocsc/
Credit: Music for today's broadcast was provided by the George Cole Quintet. Hear more at http://georgecole.net/
-
OWASP Application Security Verification Standard Project w/ Andrew van der Stock
01/10/2015 Duration: 08min
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.
Project on OWASP https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
-
OWASP Benchmark Project w/ Dave Wichers
30/09/2015 Duration: 14min
There's been a lot of discussion around the OWASP Benchmark Project since its latest release. Jeff Williams wrote an article and then received a response from Chris Wysopal at Veracode. I was able to catch up with Dave Wichers, OWASP Project Lead, during AppSecUSA 2015 in San Francisco. I had Dave talk me through the project and what its intentions are.
Resources:
OWASP Benchmark Project https://www.owasp.org/index.php/Benchmark
Why it's Insane to Trust Static Analysis http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274?
No One Technology is a Silver Bullet https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet
-
OWASP Security Shepherd Project w/ Mark Denihan and Paul McCann
29/09/2015 Duration: 13min
The Security Shepherd Project is a mobile web application training platform for penetration testing. It covers the OWASP Top 10 risks from both the mobile and web projects. This recording was made at AppSecUSA 2015 during the Project Summit.
-
DevOps, Security and Development w/ Matt Tesauro, Shannon Lietz and Jez Humble
28/09/2015 Duration: 42min
When I was at AppSecUSA 2015 in San Francisco, I was standing in the hallway talking with Matt Tesauro, Shannon Lietz and Jez Humble. We decided that our discussion was interesting enough to continue, so we grabbed a room and just started talking. Heads up: There are basic audio problems with the recording, such as some background hiss and some high frequency whining (not from us, from the lights overhead!). It was an interesting discussion about real world scenarios that the three have seen in different environments, with solutions for those issues. There's an important summary that starts at 34 minutes where each of them specifies the most important things they'd like you to take away from the discussion.
-
OWASP Board Candidate Interview - Abbas Naderi, Michael Coates, Jonathan Carter
03/09/2015 Duration: 48min
Part of a three-part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Abbas Naderi, Michael Coates and Jonathan Carter.
-
OWASP Board Candidate Interview - Bil Corry and Josh Sokol
03/09/2015 Duration: 39min
Part of a three-part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Bil Corry and Josh Sokol.
-
OWASP Board Candidate Interview - Milton Smith, Tobias Gondrom, Tom Brennan
03/09/2015 Duration: 43min
Part of a three-part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Milton Smith, Tobias Gondrom and Tom Brennan.
-
OWASP Security Knowledge Framework Project w/ Glenn Ten Cate
27/07/2015 Duration: 23min
With over 20,000 downloads within its first two months of release, the Security Knowledge Framework Project seems to have hit a resonant chord with the OWASP community. Glenn Ten Cate and his brother Riccardo created the project as a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. I spoke with Glenn about the project and its future growth. You can learn more about the project on the OWASP project site: https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework
-
OWASP Summer of Code Sprint 2015 with Fabio Cerullo
15/07/2015 Duration: 21min
With the OWASP Summer of Code Sprint 2015 in full swing, OWASP 24/7 caught up with project lead Fabio Cerullo to see what the future of the project looks like and what to expect from the current sprint.
-
OWASP Project Funding Part 2 w/ Johanna Curiel and Claudia Casanovas
02/07/2015 Duration: 50min
In part two of our open discussion on project funding for OWASP projects, I talk with Johanna Curiel, Project Review Team Leader, and Claudia Casanovas, the newly appointed Project Coordinator. In this broadcast, we explore the roadblocks to getting OWASP project funding, discuss how to create a better process for requesting funds, and talk about historical examples of how the current process has, and has not, worked.
-
OWASP Project Funding w/ Josh Sokol, Dinis Cruz and Andrew van der Stock
29/06/2015 Duration: 47min
How do projects get funded at OWASP? Who should have access to those funds? What is the history of projects being funded at OWASP? In this wide-ranging discussion we talk with Andrew van der Stock, Dinis Cruz and Josh Sokol about access to funds for project leads and the perceived difficulty of getting funding.
-
The OWASP Online Academy with John Patrick Lita and Jerry Hoff
25/06/2015 Duration: 18min
John Patrick Lita has been working on the OWASP Online Academy since February. He plans to release it to the community within the next month. In this conversation, we talk with John about his plans for the project. Joining us is Jerry Hoff, one of the first content contributors to the Online Academy. https://www.owasp.org/index.php/OWASP_Online_Academy
-
AppSec USA 2015 Overview with Ben Hagen and Michael Coates
24/06/2015 Duration: 18min
This year's AppSec USA Conference will be held in San Francisco, September 22 - 25. I spoke with Ben Hagen and Michael Coates, organizers of the event, to see how the planning is going and what will be special about this event. https://2015.appsecusa.org/
-
Paul Ritchie, Executive Director, Talks Present, Past and Future of OWASP
28/05/2015 Duration: 22min
Paul Ritchie has been executive director of OWASP since July of 2014. In our talk, I get Paul's perspective on the best ways for chapters to utilize OWASP resources and what he sees in the near future for OWASP.