
The OWASP Podcast Series

Latest episodes

Jul 5, 2016 • 14min

2016 AppSecEU - Update On The ASVS Project with Andrew van der Stock

The Application Security Verification Standard Project is a Flagship project at OWASP. It provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. I sat down with Andrew van der Stock at AppSecEU 2016 to get the most recent updates on the project and to gain an insight into future plans.
Jul 1, 2016 • 12min

2016 AppSecEU - The University Challenge

At 2016 AppSecEU in Rome, five teams showed up for the University Challenge. I talked with the organizers of the challenge about the history of the project and with two team leaders to see how the challenge was going and what value they were getting by participating in the contest.
Jun 29, 2016 • 39min

Jim Manico's 100th Episode, featuring Mark Miller, Executive Producer of OWASP 24/7

In this episode, Jim Manico turns the tables on me for his 100th podcast. He digs into my past, asks about my motivations for participating in OWASP, inquires about what I hope to accomplish through the series, and asks how DevOps and security can be part of a single conversation when it comes to the software supply chain.

About Mark Miller
Mark Miller is the Senior Storyteller and Developer Evangelist for Sonatype. He is the curator of TheNexus Community Project, while participating in DevOps and security conferences as a frequent panel host. He recently helped build the DevOps track for RSAC Conference 2016 and InfoSec Europe 2016, and is working on the DevOps track for AppSecUSA 2016, this fall in Washington, DC. Mark's most recent project is "An Innovator's Journey to DevOps", a series of interviews and profiles highlighting important people and DevOps projects that deserve more exposure. You can listen to that series at www.sonatype.com/devops-an-innova…journey-sonatype
May 25, 2016 • 11min

AppSec Europe 2016 - What To Expect

What can you expect when you attend AppSec EU 2016 in Rome at the end of June? I talk with Bart de Win and Matteo Meucci, conference chair, to see who is coming, why you should and what to expect when AppSec EU goes to one of the world's greatest cities. Registration is open: https://2016.appsec.eu/
Apr 15, 2016 • 12min

Communication Patterns in Open Source Component Supply Chains

To understand more about communication patterns in open source supply chains, Dr. Gail Murphy and Dr. Marc Palyart undertook a study of 1,227 public projects hosted on GitHub. I spoke with Dr. Murphy about the project and what it means for open source developers trying to generate visibility and community around their project.

About Dr. Gail Murphy
Dr. Murphy is a leading researcher on software evolution and tools. She brings to Tasktop extensive experience as a software developer and principal investigator of a large research group. In recognition of her research, Gail has been a keynote speaker at several software engineering conferences. She has received international awards, such as the AITO Dahl-Nygaard Junior Prize, a University of Washington College of Engineering Diamond Award, and an ACM Distinguished Scientist award. Her national awards include the NSERC Steacie fellowship. Most notably, Gail was elected a fellow of the Royal Society of Canada. This fellowship is the highest academic accolade in the sciences, humanities and arts bestowed in Canada. At the University of British Columbia, Gail is a professor in the Department of Computer Science, where she works on human-oriented software development tools to make software developers more efficient and effective, and associate dean (Research & Graduate Studies) in the Faculty of Science.

About Dr. Marc Palyart
Marc Palyart is a researcher in Software Engineering from the Software Practices Lab at the University of British Columbia. He holds a PhD from the University of Toulouse and a BSc (Hons) from the Dundalk Institute of Technology. When not in the lab you can find him wandering around the coastal mountains of British Columbia.
Mar 21, 2016 • 19min

Active Deception as a Methodology for Cybersecurity w/ Lawrence Pingree from Gartner

Lawrence Pingree and I were having a discussion in the press room at RSA Conference 2016. We talked about his work with Gartner, analyzing deception as part of cybersecurity. His voice was so passionate, I just had to turn on the recorder. I haven't heard many people talking about this subject, but it's intriguing to think about... more than honeypots, true deception. Have a listen.

About Lawrence Pingree
Lawrence Pingree has been an active member of the Information Security industry for many years. He has consulted for large financial institutions, corporations and government entities on technologies ranging from firewalls, intrusion detection, networks, system penetration, risk management, compliance, eDiscovery and Forensics. He has served as a Chief Security Architect at both Peoplesoft and Netscreen. He is currently an active member of the Information Systems Security Association (ISSA) of Silicon Valley as well as the Open Web Application Security Project (OWASP) and is a published author of two books. Lawrence is a founding board member of the Digital Forensics Association, where he is serving as Vice President. In his spare time he enjoys trading money on the foreign currency market, hiking, nature and performance cars.
Mar 2, 2016 • 9min

DevOps, Security and Engineering at Slack

Leigh Honeywell and Ari Rubenstein are Senior Staff Security Engineers at Slack. I saw Leigh on Wendy Nather's panel during RSA Conference 2016 and was interested in getting some insight into what's going on at Slack when it comes to DevOps. As luck would have it, Ari was in the audience, so we were able to step outside into the hallway and talk about how DevOps, security and engineering work together at Slack.

About Leigh Honeywell
Leigh reboots computers and makes hackerspaces. Leigh is a Security Engineer at Slack. Prior to Slack, she worked at Salesforce.com, Microsoft, Symantec, and Bell Canada. Her career has included everything from stringing cable and building phone systems to responding to some of the most serious computer security incidents in industry history, shipping software to a billion people, and protecting infrastructure running companies' critical business communications. Her community work includes founding the HackLabTO hackerspace in Toronto, Canada, and the first feminist hackerspace, the Seattle Attic Community Workshop, as well as advising countless others and speaking about hackerspace cultures, collaboration, and open source software. She is Chief Security Officer of Double Union, a women's hackerspace in San Francisco. She is a former administrator of the Geek Feminism wiki and blog, and current adviser to the Ada Initiative, the SECTor security conference, and the Magic Vibes Corporation. Leigh has a Bachelor of Science from the University of Toronto, where she majored in Computer Science and Equity Studies.

About Ari Rubenstein
Senior Staff Security Engineer
- Developed tooling for Security Automation, Detection, and Response
- Implemented multiple open-source technologies to gain visibility on a company-wide level
- Led feature reviews and architecture critiques
- Discovered multiple vulnerabilities in Open Source Software, and committed fixes upstream
- Performed code audits and static analysis
- Collaborated cross-organization on Security topics with Sales, Accounts, Engineering, and Executive teams
- Managed public-facing bug bounty program for product security issues
- Provided guidance for customer questions and support tickets
Feb 29, 2016 • 22min

Security War Games with Sam Guckenheimer at Rugged DevOps RSAC 2016

You just have to accept it. The hackers are going to get in. The question is, what are you going to do once they are in? In preparation for Sam Guckenheimer's session at Rugged DevOps, RSA Conference 2016, I spoke with Sam about his work at Microsoft and how his team is working on Security War Games to keep things in check.

About Sam Guckenheimer
Sam Guckenheimer is Product Owner for the Microsoft Visual Studio Cloud Services, including VS Team Services and Team Foundation Server. He focuses on DevOps, Agile and Application Lifecycle Management (ALM). His most recent talk, From Box to Cloud at Gartner AADI 2015, is available at https://gartner.mediasite.com/Mediasite/Play/a246d6f2d86f47dab8fc4ee49887b5f81d. Sam is the author of three books, most recently Visual Studio Team Foundation Server 2012: Adopting Agile Software Practices: From Backlog to Continuous Feedback. Prior to joining Microsoft in 2003, Sam was Director of Product Line Strategy at Rational Software Corporation, now the Rational Division of IBM. Sam lives in the Seattle area with his wife and three children in a sustainable house they built that has been described in articles in Metropolitan Home and Pacific Northwest magazine.
Feb 26, 2016 • 14min

Guns, Germs and Steel at RSAC 2016 with John Willis

After John Willis' keynote session next week at Rugged DevOps during RSA Conference 2016, he says he's going to grab a front row seat because he's so excited about the line up. In this interview, I talk with John about his relationship with Josh Corman and how they started working together. We talk about security as part of the software supply chain, the part Docker plays in the reference architecture picture for enterprise DevOps, and how the developer world has changed in the past 5 years.

About John Willis
John Willis has worked in the IT management industry for more than 35 years. Currently he is an Evangelist at Docker Inc. Prior to Docker, Willis was the VP of Solutions for Socketplane (sold to Docker) and Enstratius (sold to Dell). Prior to Socketplane and Enstratius, Willis was the VP of Training & Services at Opscode, where he formalized the training, evangelism, and professional services functions at the firm. Willis also founded Gulf Breeze Software, an award winning IBM business partner, which specializes in deploying Tivoli technology for the enterprise. John has authored six IBM Redbooks for IBM on enterprise systems management and was the founder and chief architect at Chain Bridge Systems.
Feb 25, 2016 • 14min

Equal Respect: Women in Technology with Chenxi Wang

Chenxi Wang has had a diverse career in the technology industry. Before her current position as Chief Strategy Officer at Twistlock, she was Vice President, Cloud Security & Strategy at CipherCloud, Vice President, Strategy and Market Intelligence at Intel Security, and Vice President at Forrester Research. Along the way, she has worked on technology education initiatives and is currently at work on Equal Respect, a movement to stop the objectification of women in technology. In this interview, I spoke with Chenxi about her upcoming sessions at RSA Conference 2016, her work on the Equal Respect initiative, and her passion for software security education.
