The OWASP Podcast Series

Latest episodes

Oct 9, 2016 • 57min

The Future of DevSecOps w/ Shannon Lietz and Chris Swan, Live From IP Expo London

This is a live recording from 2016 IP Expo London, with Shannon Lietz (Intuit), Chris Swan (CSC) and host Mark Miller (Sonatype) discussing the future of security as it relates to DevOps. Shannon and Chris are real world practitioners, bringing stories from the trenches. We initially start with where the term DevSecOps came from, then move on to the future of automated security as part of the DevOps ecosystem.
Sep 19, 2016 • 17min

2016 Board Election Interviews - Part Four of Four - Members, Projects, Conferences, Chapters

Today's podcast is the fourth in a series of four, talking with prospective 2016 board members. Today's question is, "What is more important to you as a candidate: 1) Members, 2) Projects, 3) Conferences, 4) Chapters?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.
Sep 18, 2016 • 18min

2016 Board Election Interviews - Part Three of Four - Most Important Issues

Today's podcast is the third in a series of four, talking with prospective 2016 board members. Today's question is, "What is the single most important issue for you to tackle if elected to the board?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.
Sep 15, 2016 • 20min

2016 Board Election Interviews - Part Two of Four - Vendor Neutrality

Today's podcast is the second in a series of four, talking with prospective 2016 board members. Today's question is, "Do you consider vendor neutrality an issue at OWASP? If so, why?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.
Sep 14, 2016 • 20min

2016 OWASP Board Election Interviews - Part One of Four - Developer Participation

Today's podcast is the first in a series of four, talking with prospective 2016 board members. Today's question is, "What kind of action plan do you have in mind to help motivate the participation of developers in the OWASP community?" The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.
Sep 9, 2016 • 17min

AppSec USA 2016 Pre-Conference Update

From October 11-14, 2016, appsec professionals from around the world will gather in Washington DC to participate in one of this year's main OWASP events, AppSec USA 2016. In this broadcast, I speak with three organizers of the event (Andrew Weidenhamer, Mike McCabe, Patrick Cooley) to get insight as to what to anticipate at the conference, the unique qualities of an AppSec USA event, and a sneak peek at the sessions that will be given over the 4-day event.
Aug 18, 2016 • 18min

Security as Part of Continuous Delivery with Sacha Labourey

Continuing the theme of integrating security in DevOps processes, I spoke with Sacha Labourey, CEO of CloudBees, during a stop at CD Summit in London. As one of the main players in the software supply chain for DevOps, I was interested in Sacha's perspective on how automated security fits into that supply chain. We start the discussion with "What is continuous delivery?" followed by the place for security in the modern developer environment.

About Sacha Labourey

Sacha was born in Neuchâtel, Switzerland and graduated in 1999 from EPFL. It was during Sacha's studies in 1996 that he started his first consulting business, Cogito Informatique. In 2001, he joined Marc Fleury's JBoss project as a core contributor and implemented JBoss' original clustering features. In 2003, Sacha founded the European headquarters for JBoss and, as GM for Europe, led the strategy and partnerships that helped fuel the company's growth in that region. While in this position, he led the recruitment of some of JBoss' key talent and the acquisition of key technology. In 2005, he was appointed CTO of JBoss, Inc. and oversaw all of JBoss engineering. In June 2006, JBoss, Inc. was acquired by Red Hat (NYSE:RHT). After the acquisition, Sacha remained JBoss CTO and played a crucial role in integrating and productizing JBoss software with Red Hat offerings. In 2007, Sacha became co-General Manager of Red Hat's middleware division. He ultimately left Red Hat in April 2009 and founded CloudBees in April 2010.
Jul 21, 2016 • 23min

Unicorns on an Aircraft Carrier: DevOps Security at Scale with Sanjeev Sharma

Sanjeev Sharma is a Distinguished Engineer at IBM. His main concern is how DevOps initiatives scale in large enterprises. In this wide-ranging discussion recorded during CD Summit in Stockholm, I talk with Sanjeev about DevOps adoption, how security will play a critical role in any automated, scalable solution, and the transition of traditional IT operations to the role of service provider.
Jul 11, 2016 • 16min

2016 State of the Software Supply Chain Report with Derek Weeks

The "State of the Software Supply Chain Report" featured in today's show is an industry report produced by Sonatype. In the spirit of full disclosure, Mark Miller is the Senior Storyteller and DevOps Advocate for Sonatype. That said, no products are mentioned and nothing is being sold. Sonatype is the steward of the Central Repository and has access to an incredible set of data. The information in the report relates directly to A9 within the OWASP Top 10 (2013): Using Components with Known Vulnerabilities. The full report is available as a free download. To describe the findings of the report and the discoveries made from analyzing the open source download patterns of 3,000 companies, I spoke with Derek Weeks, VP and Rugged DevOps Advocate at Sonatype.
Jul 6, 2016 • 28min

Security as Part of DevOps and Development with Jason Schmitt

Jason Schmitt's passion is to ensure security is built into the development process, not bolted on afterwards. His experience in various aspects of software security has led him on a path through mobile, application and cloud security. In our conversation, Jason talks about the value OWASP provides to the community as well as what he perceives as a critical time for the integration between DevOps and security.

About Jason Schmitt

Jason Schmitt is vice president and general manager of HPE Security Products, Fortify, for Hewlett Packard Enterprise. He is responsible for driving the growth of Fortify's software security business and managing all operational functions within the group. Schmitt has extensive experience in product management, development and marketing for all types of web and security technologies. His expertise ranges from cloud-based secure web gateways, to application security and mobile security consulting services, to network-based video surveillance.