The OWASP Podcast Series

WAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape. The OWASP Coraza is not only asking these questions but putting some Go code behind their ideas. Should WAFs work in a mesh network? Why create an open source WAF? What's next for the OWASP Coraza project? These and more topics are covered in this episode. I had a great time recording it and I think you'll have the same while listening. Show Link: - Coraza Website: https://coraza.io/ - Coraza Github Repo: https://github.com/corazawaf/coraza - Coraza Twitter: https://twitter.com/corazaio - AppSec EU 2023 presentation on Coraza - https://www.youtube.com/watch?v=S_TtvDFmia4

In this episode I speak with Aaron about Point of Sale or POS systems. He's been investigating the security of POS systems for quite some time now and brings to light the state of the POS ecosystem. Buckle your seat belts, this is going to be a bumpy and very interesting ride.

In this episode I speak with Amitai Cohen who's been thinking a lot about tenant isolation. This is a problem for more then just cloud providers. Anyone with a SaaS offering or even large enterprise may want to isolate customers or parts of their business from each other. Several useful items came out of this including the Cloud VulnDB which catalogs security issues in cloud services and the PEACH tenant isolation framework. You may not think you need to worry about tenant isolation, but I bet you should at least keep it in mind. Enjoy! Show Links: - Cloud VulnDB: https://www.cloudvulndb.org/ - PEACH Framework: https://www.peach.wiz.io/ - OWASP Cloud Tenant Isolation Project: https://owasp.org/www-project-cloud-tenant-isolation/

In this episode, I speak with Caleb Queern, one of the authors of "Investments Unlimited" a book I highly recommend you get and read. While the book is fiction, there's a great deal of truth in the story about how automation can work for more than just DevSecOps. Compliance and audit also deserve a seat at the table. Learn how you can get more code out the door, with more safety and a 'risk reduced' smile on the auditors face. Show Links: - Investments Unlimited: https://itrevolution.com/product/investments-unlimited/ - DevOps Automated Governance Reference Architecture: https://itrevolution.com/product/devops-automated-governance-reference-architecture/

In this episode, I go solo and review the last year of podcasts but with a twist. I do my best to compare the topics covered to the OWASP Flagship projects. The goal is to see if the episodes I recorded this year match up with the projects strategically important to OWASP. Plus, the holiday listeners get gifts all around as I cover (and link) the OWASP Flagship projects. Show Links: - (January) New Ideas, New Voices, New Hosts: https://soundcloud.com/owasp-podcast/new-ideas-new-voices-new-hosts - (February) Tanya Janca - She Hack Purple: https://soundcloud.com/owasp-podcast/tanya-janca - SAMM (Software Assurance Maturity Model): https://owaspsamm.org/ - (March) Fast Times at SBOM High: https://soundcloud.com/owasp-podcast/fast-times-at-sbom-high-with-wendy-nather-and-matt-tesauro - CycloneDX: https://cyclonedx.org/ - Dependency-Track: https://dependencytrack.org/ - Dependency-Check: https://jeremylong.github.io/DependencyCheck/ - (April) The VOID: Verica Open Incident Database: https://soundcloud.com/owasp-podcast/the-void-verica-open-incident-database - Web Security Testing Guide: https://owasp.org/www-project-web-security-testing-guide/ - Mobile Application Security Guide: https://mas.owasp.org/ - (May) Threat Modeling using the Force: https://soundcloud.com/owasp-podcast/threat-modeling-using-the-force-with-adam-shostack-owasp-podcast-e001 - ASVS (Application Security Verification Standard): https://owasp.org/www-project-application-security-verification-standard/ - AMASS: https://owasp.org/www-project-amass/ - (June) Giving a jot about JWTs: JWT Patterns and Anti-Patterns: https://soundcloud.com/owasp-podcast/owasp-podcast-giving-a-jot-about-jwts-jwt-patterns-and-anti-patterns - Cheat Sheet Series: https://cheatsheetseries.owasp.org/ - API Top 10: https://owasp.org/www-project-api-security/ - (July) Getting Lean and Mean with DefectDojo: https://soundcloud.com/owasp-podcast/getting-lean-and-mean-in-the-defectdojo - DefectDojo: https://www.defectdojo.org/ - (August) Going Way Beyond 2FA: https://soundcloud.com/owasp-podcast/going-way-beyond-2fa - ModSecurity Core Rule Set: https://coreruleset.org/ - (September) Breaching the wirefall with community: https://soundcloud.com/owasp-podcast/breaching-the-wirefall-with-community - Security Shepherd: https://owasp.org/www-project-security-shepherd/ - Juice Shop: https://owasp.org/www-project-juice-shop/ - Security Knowledge: https://owasp.org/www-project-security-knowledge-framework/ - (October) Little Zap of Horrors: https://soundcloud.com/owasp-podcast/little-zap-of-horrors - Zed Attack Proxy (ZAP): https://www.zaproxy.org/ - OWTF (Offensive Web Testing Framework): https://owtf.github.io/ - (November) You've got some Kubernetes in my AppSec: https://soundcloud.com/owasp-podcast/youve-got-some-kubernetes-in-my-appsec - OWASP Top 10: https://owasp.org/www-project-top-ten/ - CSRFGuard: https://owasp.org/www-project-csrfguard/

In this episode, I speak with Jimmy Mesta, the project leader of the new OWASP Kubernetes Top 10. Beyond covering the actual Kubernetes Top 10 project, we cover how AppSec has expanded to cover other areas. You not only have to ensure that your application is secure, you need to ensure the security of the environment in which it runs. That environment is increasing becoming Kubernetes so what better than talk to someone who's protected Kubernetes clusters for years and trained many others to harden their clusters. Show Links: - OWASP Kubernetes Top 10: https://owasp.org/www-project-kubernetes-top-ten/ - Kubernetes Top 10 Github repo: https://github.com/OWASP/www-project-kubernetes-top-ten - OWASP Kubernetes Security Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html - Mozilla SOPS: https://github.com/mozilla/sops - Hashicorp Valut: https://www.hashicorp.com/products/vault - KSOC: https://ksoc.com/

In this episode, I speak with Simon Bennetts, the creator of OWASP Zed Attack Proxy lovingly known as ZAP. We talk about how it all got started, some of the surprises and lessons learned running a wildly successful open source project. We also cover how some security controls can sometimes actually hurt security. It's an interesting discussion I think you'll enjoy it just in time for Halloween. Show Links: - Zap Website: https://www.zaproxy.org/ - Zap Stats: https://www.zaproxy.org/docs/statistics/ - Zap Community: https://www.zaproxy.org/community/

In this episode, Matt Tesauro hosts wirefall to talk about creating and growing a security community and his 26 years of pen testing experience. In wirefall's case, it's the Dallas Hackers Association or DHA. Our conversation includes what motivated him to create DHA, the lessons he's learned, challenges faced and what success looks like today. He provides some advice for those wanting to get into cybersecurity or be a part of the broader security community. Enjoy. Show Links: - DHA Meetup: https://www.meetup.com/dallas-hackers-association/ - DHA Twitter: https://twitter.com/dallas_hackers - wirefall on Twitter: https://twitter.com/DHAhole

In this episode, Matt Tesauro hosts Neil Matatall to talk about going beyond 2FA as he relates lessons learned from Twitter and Github on account security. This is another episode with some good nuggets of wisdom and some sound advice for those writing or maintaining APIs. It's obvious that Neil has not only spent time doing solid engineering work but he's learned a few things that he's willing to share. Enjoy. Show Links: - OWASP DevSlop Episode: https://www.youtube.com/watch?v=hrAKE6LaizE&ab_channel=OWASPDevSlop - Slide Deck: https://bit.ly/35dcTm0 - Neil on Twitter: https://twitter.com/ndm

In this episode, Matt Tesauro hosts Greg Anderson and Cody Maffucci to talk about OWASP DefectDojo. DefectDojo is an OWASP flagship project that aims to be the single source of truth for AppSec or Product Security teams. It provides a single pane of glass for security programs and can import and normalize over 150 different security tools. I thought that the OWASP podcast might just cover an OWASP project now and then so here we go. Show Links: - https://www.defectdojo.org/ - Github organization: https://github.com/defectdojo - Github main repo: https://github.com/DefectDojo/django-DefectDojo - Pubic Demo info: https://github.com/DefectDojo/django-DefectDojo#demo - Data models (part of the project docs) https://defectdojo.github.io/django-DefectDojo/usage/models/