
The OWASP Podcast Series

186 episodes - English - Latest episode: 10 months ago - ★★★★★ - 23 ratings

The OWASP Podcast Series is a recorded series of discussions with thought leaders and practitioners who are working on securing the future for coming generations.

Technology

Episodes

Ladies of London Hacking Society w/ Eliza-May Austin

March 13, 2019 22:16 - 30 minutes - 27.4 MB

The Ladies of London Hacking Society was created by Eliza-May Austin in an act of frustration. Having nowhere to turn to meet other women within the security industry in the UK, Eliza-May fired off an online post lamenting the lack of local community support for technical security-based women. Her story is a common one. The post seemed to resonate with the local community. In a short time, she had close to 500 women join her London Meetup Group, focusing on sharing technical skills and industr...

Anticipating Failure through Threat Modeling w/ Adam Shostack

February 12, 2019 17:11 - 33 minutes - 32.9 MB

What am I working on? What can go wrong? What am I going to do about it? Did I do a good job? These are the four questions at the heart of threat modeling. In this episode, I speak with Adam Shostack, author of Threat Modeling: Designing for Security. We talk through how to begin threat modeling and the expectations of using modeling. Adam walks through the history of threat modeling, including his creation of the Elevation of Privilege game.

We Are All Special Snowflakes with Chris Roberts

February 07, 2019 19:54 - 35 minutes - 34.9 MB

This is the sixth episode in an eight-part series, talking with the authors of "Epic Failures in DevSecOps". In this segment, I speak with Chris Roberts about his chapter, "We are all special snowflakes", diving into topics as diverse as the failure of the security industry to protect us from ourselves and what is considered "acceptable" monitoring when it comes to the government and to social sites. You can download a free copy of Epic Failures at DevSecOpsDays.com

A Concise Introduction to DevSecOps

January 18, 2019 11:20 - 26 minutes - 26.5 MB

The inclusion of security as an integral piece of the DevOps puzzle continues to gain traction. In this episode of the DevSecOps Days Podcast Series, I speak with Curtis Yanko and Scott McCarty about their new book, "A Concise Introduction to DevSecOps". We discuss why they wrote the book, who the audience is that will benefit from it and why enterprises should be considering security as part of the software development environment.

What's In Store for the AppSec Cali Conference w/ Richard Greenberg

January 15, 2019 16:55 - 19 minutes - 18.9 MB

As if there aren't enough reasons to go to Southern California in the middle of a New York winter, AppSec Cali opens its doors for its 6th Annual OWASP conference on January 22, 2019. In this broadcast, I speak with Richard Greenberg, one of the core organizers of the conference, talking about why people come, what they can expect to see and why he continues to help produce the conference year after year. For a transcript of this broadcast, go to DevSecOpsDays.com and click on "Podcasts".

Epic Failures in DevSecOps w/ Aubrey Stearn

January 10, 2019 15:00 - 41 minutes - 44.4 MB

Aubrey Stearn is the Technical Lead for the Enterprise Cloud Platform at Nationwide. In the broadcast we talk with Aubrey about her chapter, "The Tale of the Burning Programme", in the recently released "Epic Failures in DevSecOps" book. Aubrey talks about her extensive experience guiding and molding teams, leading the way through the maze of decisions needed in order to build a more productive and efficient engineering culture. We start off the discussion with "Why is our biggest problem ...

Strategic Asymmetry - Leveling the Playing Field w/ Chetan Conikee

January 02, 2019 17:40 - 34 minutes - 30.2 MB

"In the past when we were writing software, it was our engineers and our organizations that had total cost of ownership of that software. But now, that has fundamentally changed. Engineers are using open source software and deploying the entire application on an open source framework, which means a large part of the software supply chain is no longer owned by the engineer." -- Chetan Conikee

In this episode of the DevSecOps Days Podcast Series, I speak with Chetan Conikee about his chapter ...

Threat Modeling - A Disaster Story with Edwin Kwan

December 18, 2018 18:31 - 18 minutes - 17.4 MB

We continue the "Epic Failures in DevSecOps" series by speaking with Edwin Kwan on his chapter, "Threat Modeling - A Disaster Story". Edwin is Application and Software Security Team Lead at Tyro Payments. In our discussion, we talk about the three things he learned through his "Epic Failure":

-- Demonstrate value at the buy-in
-- Get early feedback
-- Automate as much as possible

During our discussion, we talk at length about the role of security and how to begin implementing automation at ...

The DevSecOps Unicorn Rodeo w/ Stefan Streichsbier

December 14, 2018 20:56 - 23 minutes - 20.9 MB

Stefan Streichsbier talks about his chapter, "Unicorn Rodeos", in the just released book, "Epic Failures in DevSecOps". We start with where the chapter name came from and what it means, then lead into his three main points for hanging on for the rodeo ride:

-- Don't waste time over-engineering
-- Build for the right audience
-- Find your champions

We conclude with a discussion of technology trends in South East Asia and Indonesia. People mentioned include Gene Kim, Caroline Wong, Fa...

The DevSecOps Experiment

December 10, 2018 14:49 - 14 minutes - 14.6 MB

DJ Schleen talks about his upcoming 15-part video series, "The DevSecOps Experiment", where he will walk through the setup of a software supply chain, including building in security during every step of the process. This is a lab workshop type series, where you'll be able to immediately implement the solutions at the end of each 15-minute session. DJ will be available to answer your questions on his public Slack channel as well as provide resources in the DevSecOps Days GitHub repository. ...

Open Source Vulnerabilities - Who is Ultimately Responsible

December 03, 2018 12:56 - 46 minutes - 44 MB

In this broadcast, I speak with Chris Roberts and Derek Weeks about lines of responsibility and npm package hijacking in light of the event-stream vulnerability announcement last week. The announcement of the event-stream npm package vulnerability has once again raised the issue of who is ultimately responsible when a breach like this is announced. Is it the original creator of the package? What about the team maintaining the package? Where does the end user fit in? How does social eng...

event-stream: Analysis of a Compromised npm Package

November 27, 2018 20:19 - 21 minutes - 21.2 MB

Once again, the pattern of taking over a known package and modifying it with malicious intent has happened. In this case, it's with the event-stream module in the npm repository. In this broadcast I speak with Thomas Hunter, Software Developer at Intrinsic and author of "Compromised npm Package: event-stream", and Brian Fox, CTO of Sonatype, author of the Forbes "Open Source Developers And Infrastructure Are The New Front Line Of Security?" article. Compromised npm Package: event-stream ht...

Spy vs Spy in Application Security: Harvesting Adversaries

November 02, 2018 15:06 - 16 minutes - 22.6 MB

"The guy who wrote wifi software with SSID never imagined that someone could use that SSID to transmit data by writing two smaller applications to leverage it. We are constantly going to be in this [type of] battle. Ultimately we've got to find a way to stay ahead of it by understanding the mechanisms by which we're writing the abuse case possibilities." -- Shannon Lietz

Following their session at DevOps Enterprise Summit 2018, I sat down and talked with Shannon Lietz and James Wickett to ta...

Moving from Projects to Products w/ Mik Kersten

October 31, 2018 16:27 - 39 minutes - 57.7 MB

"If you look inside a large enterprise IT organization, they have this very bizarre and broken layer that's completely separating the way that business thinks in terms of products, budgets and costs, and the way IT people know the way they need to innovate, which is delivering products faster." -- Mik Kersten

I sat down with Mik Kersten, CEO of TaskTop, and John Willis after Mik's presentation at DOES2018. His new book, Projects to Products, is an attempt to help the industry move from using...

The Journey to Open Source at Capital One w/ Tapabrata "Topo" Pal

October 29, 2018 15:06 - 19 minutes - 29.6 MB

Why would you allow open source usage in your company? What are the compelling reasons to take the risk? In this discussion, I talk with Topo Pal and Derek Weeks about the industry perception of open source and what's really happening behind the curtain at large enterprises. Topo had just finished his keynote presentation at DevOps Enterprise Summit 2018 and I wanted to dive a little deeper into some of the things he talked about.

About Topo Pal: Dr. Topo Pal is Senior Director & Sr. Enginee...

The Future of Software and DevOps / with Sacha Labourey

September 17, 2018 22:52 - 23 minutes - 32.1 MB

"The compensation, the incentives that people have are very much anchored in short term objectives that do not take into account the vision for the bigger transformations that are happening within the market." -- Sacha Labourey, CEO, CloudBees

Sacha Labourey runs one of the most visible, respected companies within the DevOps and DevSecOps communities. At Jenkins World 2018, I sat down with Sacha to hear how his year went, how security can become more of an important process within the softw...

How to Build Chapter Engagement at OWASP

September 17, 2018 17:23 - 16 minutes - 23 MB

While at 2018 AppSec EU, I spoke with Sam Stepanyan and Grigorios Fragkos, chapter leaders of one of OWASP's largest chapters. The conversation centered around what it takes to grow a community and what it takes to lead a chapter.

A Message from the Executive Producer

July 15, 2018 00:29 - 2 minutes - 4.07 MB

This is Mark Miller, Executive Producer. 4 years ago I took over the creation and curation of the OWASP podcast series. In that time, there have been 118 episodes, with a combined listenership of over 269,000 plays. The series began as a way to speak with OWASP project leads and chapter leaders to let the community hear what was being worked on. Gradually, the show has morphed into something broader. Recent broadcasts highlighting the work done in the DevOps and DevSecOps Communities receive...

2018 AppSec EU London - Conference Preview

June 19, 2018 19:45 - 22 minutes - 23.1 MB

In this episode, I speak with the organizing committee of 2018 AppSec EU, hearing about what's planned and why you should consider attending this international conference in London.

Steps to Responsible Disclosure with Bas van Schaik, Man Yue Mo and Brian Fox

March 20, 2018 10:49 - 30 minutes - 26.8 MB

On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind lgtm.com. In this episode of OWASP 24/7, I speak with the research team at Semmle on how they discovered the vulnerability. Also, Brian Fox joins the discussion on the process for responsible disclosure, different ways to approach it and what other companies and projects are doing when a vulnerability i...

RSAC 2018 - Preview of Opening Session for DevOps Connect: DevSecOps Day

February 26, 2018 18:45 - 35 minutes - 29.8 MB

Shannon Lietz, Caroline Wong and Paula Thrasher will give the opening remarks at DevOps Connect: DevSecOps Days on April 16 at the RSAC Conference in San Francisco. On today's show, I talk with Shannon, Caroline and Paula, on what they hope to accomplish during their talk, and why DevSecOps is becoming the hottest topic in this year's growth of the DevOps Community.

HackNYC 2018: Preview with Kevin E. Greene

February 07, 2018 18:01 - 18 minutes - 17.6 MB

Prior to his work as Principal Software Assurance Engineer at MITRE, Kevin E. Greene was R&D Program Manager for the Department of Homeland Security. He is currently on the organizing committee for HackNYC, helping to organize talks and sessions around protecting and securing our national infrastructure. I spoke with Kevin about the current state of software security and how each of us can play a role in the security of modern software.

About Kevin E. Greene: With more than 17 years of infor...

HackNYC 2018: Preview with Dr. Bill Curtis

February 01, 2018 19:58 - 32 minutes - 32.9 MB

In May, at HackNYC 2018 in New York City, Dr. Bill Curtis' team of Tracie Gerardi and Lev Lesokhin will deliver a presentation on putting an end to "Technical Debt". I spoke with Dr. Curtis about his work in the creation of various maturity models, the current state of security in software development and "what keeps him up at night". You might be surprised at his answer. Listen in...

About Dr. Bill Curtis: Dr. Bill Curtis (1948) is an American software and organizational scientist. He is be...

The OpenChain Project with Shane Coughlan

January 12, 2018 17:26 - 17 minutes - 16.7 MB

The OpenChain Project identifies key recommended processes for effective open source management. The project builds trust in open source by making open source license compliance simpler and more consistent. In this broadcast, I speak with Shane Coughlan, project director, about the purpose of the project and what his team hopes to accomplish in 2018.

Expanding Community Engagement at OWASP w/ Greg Anderson

November 30, 2017 19:04 - 23 minutes - 23.2 MB

Newly elected to the OWASP board, Greg Anderson is interested in how to expand the OWASP community. I talked with him about what he hopes to accomplish in his tenure on the board, the first initiatives he would like to implement and various ideas for working with OWASP chapters, projects and events.

About Greg Anderson: Technical leader with 6+ years of experience in all facets of security. Primary areas of expertise include application security, security in DevOps, security automation, pr...

Thoughts on Security in the Modern Software Supply Chain

November 16, 2017 20:56 - 1 hour - 92.8 MB

Caroline Wong, Paula Thrasher and I were having lunch at DevOps Enterprise Summit when the conversation took an interesting turn. Paula and Caroline had been on a panel the previous day and didn't get a chance to do a deep dive into any of the topics. As we were talking at lunch, I realized it was a good opportunity to give them a chance to talk with each other on government vs public software security, about how the OWASP Top 10 might best be used and what they have discovered as common secu...

Security Processes at the Apache Software Foundation w/ Mark Thomas and Brian Fox

September 15, 2017 20:48 - 27 minutes - 27.8 MB

In our continuing series on the Struts2 vulnerability announcement and the breach at Equifax, we spoke with Mark Thomas, Director, Apache Software Foundation, and Brian Fox, CTO, Sonatype to clarify the processes ASF goes through when a vulnerability is found within one of their projects.

About Mark Thomas: Mark is currently employed by Pivotal where he spends most of his time working on Apache Tomcat. At the Apache Software Foundation, Mark is a committer and PMC member for Apache Tomcat as ...

Struts2 Vulnerabilities: Who Is Responsible?

September 14, 2017 19:32 - 30 minutes - 29.5 MB

A conversation on the ramifications of recent Struts2 announcements, the exploit at Equifax and the responsibility of companies using open source software.

David Blevins, CEO, TomiTribe
Brian Fox, CTO, Sonatype

What you should know about the latest Struts2 vulnerability announcement

September 07, 2017 17:29 - 24 minutes - 22.7 MB

What you should know about the latest Struts2 vulnerability announcement w/ Brian Fox, CTO, Sonatype, and Matthew Konda, Chair, OWASP Board of Directors. If you're a developer and concerned about security, a Struts2 vulnerability announcement came out yesterday. I interviewed two experts to talk about the announcement and what you should be looking for. If you would like to watch a video of the interview, you can find it on YouTube: https://www.youtube.com/watch?v=jtUfPom06bo

OWASP Hacker Kids in Bangalore

August 29, 2017 21:01 - 15 minutes - 15.7 MB

Most of us want to help kids become proficient in programming and cybersecurity, but don't know how to get started or have time to manage such a project. Prashant Kv figured he'd put a team together with Vandana Verma and Rupali Dash and give it a shot. The first event in Bangalore was a huge success, with over 200 kids participating. I spoke with Prashant, Vandana and Rupali about how the event was put together, why it worked and what their plans are for future events.

Less than 10 Minutes Series: OWASP DockerHub with Simon Bennetts

August 08, 2017 15:08 - 8 minutes - 10.2 MB

Earlier this week, Simon Bennetts from the OWASP ZAP Project announced the official availability of the OWASP DockerHub for housing projects. I caught up with Simon soon after to hear how ZAP was utilizing DockerHub and the benefits of containerization. https://hub.docker.com/u/owasp/

Less than 10 Minutes Series - ModSecurity Core Rule Set Project

May 12, 2017 12:11 - 8 minutes - 11.4 MB

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the ModSecurity Core Rule Set Project with project co-lead Christian Folini. The OWASP ModSecurity CRS Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatib...

Less than 10 Minutes Series: OWASP Summit 2017

May 11, 2017 17:47 - 7 minutes - 10.3 MB

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the OWASP Summit 2017 with conference organizer Sebastien (Seba) Deleersnyder. OWASP Summit 2017 is a 5-day, participant-driven event, dedicated to the collaboration of Development and Security professionals, with a strong focus on DevSecOps.

Less than 10 Minutes Series: WebGoat Project

May 11, 2017 17:36 - 7 minutes - 11.1 MB

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the WebGoat Project with project co-leads Jason White and Nanne Baars. WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

Less than 10 Minutes Series: Vicnum Project

May 11, 2017 17:20 - 8 minutes - 10.8 MB

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Vicnum Project with project lead Nicole Becher. The Vicnum Project is a collection of intentionally vulnerable web applications. Vicnum applications are commonly used in Capture the Flag exercises at security conferences.

Less than 10 Minutes Series: Defect Dojo Project

May 10, 2017 16:07 - 6 minutes - 9.45 MB

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Defect Dojo Project with project lead Greg Anderson. The Defect Dojo is an open source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools.

Less than 10 Minutes Series: Virtual Village Project

May 10, 2017 15:34 - 9 minutes - 12.6 MB

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Virtual Village Project with project lead Evin Hernandez. The Virtual Village provides users with access to desktops and servers running numerous operating systems. Users are able to create custom apps for other OWASP projects, as well as request test environments, honey pots, etc.

Less than 10 Minutes Series: The Juice Shop Project

May 10, 2017 15:14 - 7 minutes - 10.8 MB

This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Juice Shop Project with project lead Bjoern Kimminich. The Juice Shop is an intentionally insecure webapp for security training, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws.

Bjoern Kimminich (Project Leader, OWASP Juice Shop)
Personal Twitter: http://twitter.com/bkimminich
OWASP Juice Shop Project Twitter: http...

AppSec EU 2017, Belfast Keynote Preview with Jaya Baloo

March 22, 2017 19:31 - 17 minutes - 16.9 MB

"Why does OWASP even exist? Why do we even have this idea of understanding common issues, common problems? There are resources to help us do it better next time. I feel we are not learning at the curve where we should be, considering the resources available to us." -- Jaya Baloo

As CISO of KPN, the largest telecom in the Netherlands, Jaya Baloo has a lot on her mind, but maybe not what you'd think. In this free-wheeling discussion, we begin with what Jaya will be talking about during her key...

Struts 2 Vulnerability Analysis

March 10, 2017 22:28 - 20 minutes - 19 MB

Brian Fox and Shannon Lietz talk about the recent announcement of the Struts 2 vulnerability: what it is, how it can affect you and what you can do about it. You can view this broadcast as video on YouTube: https://www.youtube.com/watch?v=EzRKOudJPtQ

AppSec EU 2017 Belfast - What to Expect

February 18, 2017 07:09 - 20 minutes - 21.1 MB

In mid-May I'll be joining the organizing team of AppSec EU 2017 in Belfast for a week of security and DevOps sessions. Listen in as Gary Robinson, Michelle Simpson and Owen Pendlebury talk about what's planned for the week.

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World

February 15, 2017 07:10 - 36 minutes - 48.4 MB

In preparation for her keynote session at AppSec EU 2017 in Belfast, Shannon Lietz continues to explore the integration of DevOps and security. This is a recording of her session at RSAC 2017 in San Francisco.

Shannon Lietz - Keynote Preview for AppSec EU 2017, Belfast

January 17, 2017 22:14 - 9 minutes - 9.18 MB

Shannon Lietz, DevSecOps Lead at Intuit, will be giving a keynote presentation at AppSec EU 2017, Belfast. I talked with Shannon about what she will be presenting and why she is so excited to return to Ireland.

2016 AppSec USA - An Update on the WebGoat Project

November 30, 2016 21:57 - 13 minutes - 12.8 MB

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. It is one of the most used projects at OWASP. With the current team headed by Bruce Mayhew, Nanne Baars and Jason White, work is moving forward on the creation of new content for creating training lessons for application security. I talked with Bruce and team about what they've done with the latest update and what they hope to accomplish in the coming year.

2016 AppSec USA: The Core Rule Set Project w/ Chaim Sanders

October 12, 2016 14:07 - 9 minutes - 9.04 MB

The OWASP ModSecurity Core Rule Set Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. Chaim Sanders, Ryan Barnett, Christian Folini and Walter Hop are the team coordinating the project. During 2016 AppSec USA, I spoke with Chaim about the purpose of the project, the work done in the past year, the upcoming release and what the team hopes to accomplish in 2017. https://www.owasp.org/i...

The Future of DevSecOps w/ Shannon Lietz and Chris Swan, Live From IP Expo London

October 09, 2016 06:15 - 57 minutes - 52.5 MB

This is a live recording from 2016 IP Expo London, with Shannon Lietz (Intuit), Chris Swan (CSC) and host Mark Miller (Sonatype) discussing the future of security as it relates to DevOps. Shannon and Chris are real world practitioners, bringing stories from the trenches. We initially start with where the term DevSecOps came from, then move on to the future of automated security as part of the DevOps ecosystem.

2016 Board Election Interviews - Part Four of Four - Members, Projects, Conferences, Chapters

September 19, 2016 05:07 - 16 minutes - 15.2 MB

Today's podcast is the fourth in a series of four, talking with prospective 2016 board members. Today's question is, "What is more important to you as a candidate: 1) Members 2) Projects 3) Conferences 4) Chapters?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the a...

2016 Board Election Interviews - Part Three of Four - Most Important Issues

September 18, 2016 05:24 - 18 minutes - 16.7 MB

Today's podcast is the third in a series of four, talking with prospective 2016 board members. Today's question is, "What is the single most important issue for you to tackle if elected to the board?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.

2016 Board Election Interviews - Part Two of Four - Vendor Neutrality

September 15, 2016 16:11 - 19 minutes - 18.1 MB

Today's podcast is the second in a series of four, talking with prospective 2016 board members. Today's question is, "Do you consider vendor neutrality an issue at OWASP? If so, why?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.

2016 OWASP Board Election Interviews - Part One of Four - Developer Participation

September 14, 2016 17:06 - 20 minutes - 18.5 MB

Today's podcast is the first in a series of four, talking with prospective 2016 board members. Today's question is, "What kind of action plan do you have in mind to help motivate the participation of developers in the OWASP community?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises...

Twitter Mentions

@bkimminich 1 Episode
@ndm 1 Episode
@owasp_juiceshop 1 Episode
@corazaio 1 Episode
@dallas_hackers 1 Episode
@stevespringett 1 Episode
@dhahole 1 Episode
@primed_mover 1 Episode