The OWASP Podcast Series

In this episode, Matt Tesauro hosts David Gillman about JWT Patterns and Anti-Patterns. I first met David at LASCON in the fall of 2021 when I sat in on his conference talk. Based on David’s experiences with JWTs we discuss where JSON Web Tokens can help and harm developers who use them. It seems like JWTs can be a mixed bag mostly determined by how you use them. Hopefully this episode will help you avoid any JWT sharp edges if or, more likely, when you work with them. Show Links: - Video of David’s presentation at LASCON - https://www.youtube.com/watch?v=xTk4ff0eAUg&list=PLLWzQe8KOh5nv8OBs3j39DNYULfxwv_6V&index=29&ab_channel=LASCON - David Gillman on Twitter - https://twitter.com/primed_mover

In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous teams how to do threat modeling. Learn what makes a good threat model and some news about a new book from Adam to help further the spread of threat modeling with the end goal of more threat modeling and fewer security surprises. Enjoy! Show Links: - Threats Book site: https://threatsbook.com/ - Resources on Adam’s website: https://shostack.org/resources

Welcome back to the OWASP podcast. In this episode, we're headed to The VOID. I speak with Courtney Nash about the Verica Open Incident Database, otherwise known as The VOID, which is a collection of software-related incident reports available at https://www.thevoid.community/. It's a fascinating discussion about how, by gathering data from The VOID, we can make the Internet a safer and more resilient place. Courtney was super passionate about the research work she's doing. It was completely fun to chat with her and they've already produced some very interesting conclusions, in the published report available on The VOID website. I had a blast recording this one and I hope you enjoy it. EPISODE LINKS - The VOID: https://www.thevoid.community/ - 2021 Report: https://www.thevoid.community/report - Podcast: https://podcast.thevoid.community/ - Google MTTR report: https://www.oreilly.com/library/view/incident-metrics-in/9781098103163/ (Summarized also in the 2021 VOID report)

Hello, it's Matt Tesauro. Welcome back to my take on the OWASP Podcast. It seems as if I'm turning my episodes into the equivalent of a conference hall track, those wonderful interactions you have at conferences, running between rooms at conferences, meeting up with smart minds you don't see all the time. I have the pleasure of reuniting with Wendy Nather, CISO Advisor Extraordinaire, for this episode. We had a very interesting conversation about Software Bill of Materials (SBOMs). Like many of my interactions with Wendy, I learned from our conversation. She threw out some really good nuggets. I highly recommend looking up Wendy on Twitter (@wendynather). Besides the security wisdom she's going to drop, she's got a hell of a sense of humor. I think it will be worth the follow. Enjoy the episode.

“I absolutely hate SAFe!” -- Bryan Finster That is Bryan Finster, Distinguished Engineer at Defense Unicorns out of Colorado Springs. I was scrolling through LinkedIn a couple days ago, saw a thread on SAFe, The Scaled Agile Framework, and what I was seeing wasn’t exactly… well, what you’d expect to hear about a framework that’s being used by over 20,000 organizations, including the United States government. Before we get too much into it, here is the definition of SAFe. I took it directly off Scaled Agile, the creators and providers of the SAFe framework: “The Scaled Agile Framework® (SAFe®) is a system for implementing Agile, Lean, and DevOps practices at scale. The Scaled Agile Framework is the most popular framework for leading enterprises because it works: it’s trusted, customizable, and sustainable. If you want to build operational excellence, collaboration, responsiveness, and customer satisfaction into your organizational DNA, where do you start? SAFe provides a proven playbook for transformation.” Some people will argue with “because it works”, and Bryan is one of those people. Here’s what started the whole thing. Bryan posted this on LinkedIn, “Example of terrible ideas propagated by #SAFe: feature teams. A feature team doesn’t own anything. They act as coding mills and have no quality ownership. SAFe recommends them as a method to increase output. It’s a hacky workaround for crappy architecture that results in increased support cost and more crappy architecture.” Tell us what you REALLY think, Bryan! In today’s broadcast, we talk to three people who have varying degrees of opinions on SAFe: Tracy Bannon, Senior Principal/ Software Architect & DevOps Advisor at Mitre, David Bishop, Certified SAFe 5.0 Program Consultant, and of course, Bryan. Stay with for what’s sure to be a fun ride. RESOURCES FROM THIS BROADCAST SAFe: Scaled Agile Framework https://www.scaledagileframework.com/ Bryan Finster https://www.linkedin.com/in/bryan-finster/ Tracy Bannon https://www.linkedin.com/in/tracylbannon/ David Bishop https://www.linkedin.com/in/david-bishop-08528220/

Hello, I'm Matt Tesauro, one of the OWASP Podcast co-hosts. I had the opportunity to interview Tanya Janca for this podcast. To be honest, I kind of wish it was a video recording because you'd be able to see the big smiles and vigorous head nodding during the recording. Tanya and I are in violent agreement about all things appsec, and it shows. There's a nice mix of general advice, war stories, and some good nuggets in this interview. I hope you enjoy it.

8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 500,000 downloads. It has been a fun project, but it’s time to change things up a bit. There is a lot going on at OWASP, even more going on with the technology industry when it comes to cybersecurity. It’s too much for one person to keep up with. Enter the idea of multiple co-hosts for the podcast. Many of you listening already know of Vandana Verma and Matt Tesauro from their work with OWASP. I called to ask if they’d like to share the platform, producing their own episodes around a chosen concept. In today’s episode, Vandana, Matt and I talk about thoughts of an expanded concept for the podcast. We’ll each explain what we will be covering in our shows, and what you can expect to hear in the coming year. Our plan is to have three shows, (kind of like NPR programming when I think of it), under one umbrella: The OWASP Podcast Series. Come along with us and we talk through the new series and what it will me to you, as a listener.

We’ve all heard of “Red Teams” and “Blue Teams” when it comes to cybersecurity. But what about the “Purple Team”, the “Yellow Team” or the “Blue Team”. What are those? In February of 2020, Louis Cremen introduced the InfoSec Colour Wheel to the security community. The wheel expands upon April Wright’s work on bringing builders into the security team. The value of the wheel is to show the various types of security teams, seven in all, and the role each plays in security. Jasmine Henry brought the wheel to my attention. As she and I talked, we realized the InfoSec Wheel can be used as a thought exercise to show beginning cybersecurity professionals the various roles they can play within the community. This led to the discussion of careers in cybersecurity and what the near future looks like. In this broadcast, we’ll evaluate the wheel, talk through each of the seven personas and give our thoughts on the value of each role, how it works with the other roles, and the basics of what each provides. Let’s figure out what your primary color is. Stay tuned… https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700 The OWASP Podcast Series is supported by the Open Web Application Security Project, home to over 240 community driven security projects, including the OWASP Top 10, the Web Security Testing Guide, and the Security Knowledge Framework projects. ABOUT JASMINE HENRY Jasmine Henry is a security practitioner who's used JupiterOne to create a compliant security function at a cloud-native startup. She has 10 years of experience leading security programs, an MS in Informatics and Analytics, and a commitment to mentoring rising security practitioners from underrepresented backgrounds. Jasmine is a Career Village co-organizer for The Diana Initiative security conference. She lives in the Capitol Hill neighborhood of Seattle, WA.

A couple weeks ago I read an article by Chris Roberts. The headline screamed, “Security Solved!” Security solved? What the hell was he talking about. Everyday there’s a new media storm around the latest breach or ransomware attack. There’s an entire industry built around the idea that security is hard, and the need for special equipment, software and people to even think about being secure. Chris was insistent. He professed that security is not hard nor complicated. Not only does he consider it inexpensive and undemanding to do the right thing, his premise is it’s easy to get the simple stuff sorted. I called Chris to get clarification on what he was talking about. As we got deeper into the discussion, we both realized this was a topic that needed more exposure. If there really is a simple way to implement security, the world should hear about it. We invited people to participate in the recording of our discussion. You’ll hear us reference people who were online with us, sending chat messages and questions. This session is a little longer that our usual podcast, but what’s here is important. Chris says it’s easy, I say it’s not, and then we get into it. We start when I ask Chris to give us a little about his background. You’ll be able to tell right from the start, this isn’t going to be your ordinary podcast. Notes for this broadcast: Chris' original article can be found on his LinkedIn feed: https://www.linkedin.com/posts/sidragon1_cybersecurity-management-training-activity-6810995026848485376-58Zs Basic Premise: This isn’t hard. This isn’t complicated. This doesn’t have to be expensive. This doesn’t need fancy words This doesn’t require gilted certificates This isn’t demanding This needs no awards This isn’t covered in glory. Step-by-Step Instructions: 1. Assets, what do you have? 2. Assets, where are they? 3. Who’s got access to them? 4. What DO they do, what is their purpose? 5. What’s on them? 6. Which ones do you need to care about?

In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Juice Shop Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. Support for this broadcast is provide by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket… and with support from JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at JupiterOne.com.