The OWASP Podcast Series

In this episode of the People | Process | Technology podcast, I speak with Simon Bennetts from the Zap Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. The OWASP 20th Anniversary Celebration is a 24 hour global event, featuring sessions from each of the OWASP flagship projects, leaders of the Top Ten Project, presenters from around the world, and sessions from people who have helped OWASP over the past 20 years. Registration is open, and you can’t beat the cost… it’s free. Even if you can’t attend, please register so you’ll have access to all of the recorded sessions following the conference. For the link check the show notes here on the podcast. Our program was produced today by Executive Editor Mark Miller. Special thanks to today’s guests, Simon Bennetts from the ZAP Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. You can stream our archive of over 160 episodes, for free, at soundCloud.com/owasp-podcast. The show is available on all of your favorite podcasting platforms, including Spotify and Apple Podcasts. Support for this broadcast is provided by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket. Support also provided by JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at https://info.jupiterone.com/get-started.

In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security in 2020, in part because of his work on the Cyber Defense Matrix, a framework for understanding and navigating your cybersecurity environments. The Cyber Defense Matrix started as a project when Sounil was the Chief Security Scientist at Bank of America. The initial problem he focused on with the matrix was how to evaluate and categorize vendors and the solutions they provided. The Cyber Defense Matrix is a structured framework that allows a company to understand who their vendors are, what they do, how they work along side one another, what problem they profess to solve, and ultimately to find gaps in the company’s portfolio of capabilities. In the seven years Sounil has been working on the project, he has developed use cases that make the Cyber Defense Matrix practical for purposes such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. The matrix has been adopted by the OWASP Foundation as a community project. Elements of the matrix have been incorporated into the Center for Internet Security’s (CIS) Top 20 Critical Security Controls. I talked with Sounil to hear how the project was going, what his plans are for the future of the matrix, and what help he can use from the community for expanding its usefulness. ABOUT SOUNIL YU Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

The Top 10 is considered one of the most important community contributions to come out OWASP. In 2003, just two years after organization was started, the OWASP Top 10 was created. The purpose of the project was to create an awareness document, highlighting the top ten exploits security professionals should be aware of. Since that time, innumerable organizations have used it as a guideline or framework for creating security programs. The current Top 10 list was released four years ago, in 2017. As part of a 2021 initiative at OWASP, the OWASP Top 10 is in the process of being updated, and scheduled for release this summer, in time for the OWASP 20th Anniversary Celebration. I was curious as to what has changed over the years with the Top 10, and what to anticipate in the upcoming release. In this broadcast, I talk with Andrew van Der Stock, Executive Direct of OWASP. He explains how the top ten exploits are chosen, the data source for determining the exploits, and the data research done to verify the selections chosen. Our conversation starts with why the OWASP Top 10 is being spotlighted after being static for the past four years. Today’s broadcast is supported by the OWASP 20th Anniversary Celebration, coming September 2021. The CFP is now open for this online, 24 hour conference. Go to OWASP.org for more information. This broadcast is also supported by JupiterOne, providing cyber asset discovery and visibility into your entire cloud native infrastructure. Know more, fear less, with JupiterOne. CFP for OWASP 20th Anniversary Celebration: https://owasp.org/2021/03/08/cfp-20th-anniversary.html

When Shannon Lietz and the team at DevSecOps.org published the DevSecOps Manifesto six years ago, security was uppermost in their minds. The manifesto starts with a call to arms… “Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.” The effect of the DevSecOps movement was not understood by many, other than the handful of practitioners who understood what the team was going after: security is the responsibility of everyone, not just the security team. Security deserves a seat at the DevOps table. Fast forward six years, and security is now not just at the table, but sitting at the head of the table, leading the way. During this transition to focus on security, operations has become the short leg on a three legged stool. What was original a two team party, Dev and Ops, became a threesome, gradually ignoring operations as Developers and Security built a strong relationship. Damon Edwards has been my go-to person when I want to talk to someone about how operations continues to be relevant as the third part of DevSecOps. I caught up with Damon a couple weeks back to talk with him about how the transition to enterprise automation is going in the industry, what has been happening in the past year with the COVID lockdown, and what he’s looking forward to in 2021. I started the conversation, asking how he perceives his role in the DevSecOps Community. ---------- This broadcast is supported by OWASP, the Open Web Application Security Project, host of “Call to Battle” a series of events for gamers, challenge champs, and fun-nerds. Get more information at owasp.org/events… and by JupiterOne.com featuring solutions that help you “Know more. Fear less” by mapping your cyber assets and knowing the relationships between those assets.

This is Mark Miller, Executive Producer. Over the years as I’ve produced the show, the topics of focus have followed the trends in the industry. What was originally called “The OWASP Podcast” became “OWASP 24/7” and then “The DevSecOps Podcast”. Each change brought with it a new audience, extending our community from exclusively OWASP practitioners, to DevOps and DevSecOps advocates. The audience for the podcast has grown, with close to 500,000 listens of the 150 episodes. We’ve covered book launches by speaking with the authors, we’ve talked about industry reports focusing on the Software Supply Chain. Topics have included Chaos Engineering, efforts to create a Software Bill of Materials initiative at the federal level, Threat Modeling and a multitude of other topics. You might have noticed something different, a new name for the podcast, at the beginning of the program today. Keeping a feel of the pulse of the industry is one of the things that interests me most as producer of the series. Currently, People, Process and Technology is starting to get its due The realization that these are not three things, but one thing that is intertwined into a convoluted, unimaginably complex whole is something that deserves our attention, and that will be our focus over the coming year. We’ll talk with practitioners who are creating security patterns for each leg of the People, Process, Technology triptych. We’ll continue to highlight OWASP projects that are focused on security, and how it relates to all aspects of technology. Guests will include leaders in the industry who are responsible for driving security, not as a stand-alone initiative, but as an integrated part of their business. Developing a secure development environment, one that builds quality into the process is something that should be of concern to everyone in that process. My desire is to help expose the practitioners who are thinking about the next generation of security, and how you can use their insights to help us build a safer world. Thank you for your continuing support. I’m excited to be expanding the program and hope you’ll stay with us for People, Process, and Technology. Support for this broadcast is provided by OWASP and JupiterOne.

OWASP is in a state of discord. Over the past few years, there have been fractures in the community. Recently, there have been arguments on the leader email list that have clearly breached the lines of etiquette. Personal attacks, distribution of funds, and complaints of lack of diversity are creating tension among the members. If we, as an organization refuse to confront these issues, there is a real potential we will no longer have relevance to the AppSec community. The in-fighting has become a detriment to chapter leaders and project leaders, who are looking to OWASP for consistent leadership and direction. In early July, the OWASP board announced the appointment of Andrew van der Stock as Executive Director. I called and spoke with Andrew at length about how he intends to confront the existing issues in the organization, and what he hopes to accomplish during his tenure. I have known Andrew for years through his work on the Application Security Verification Standard. As a previous OWASP board member, he has insight into how the board works and how to make changes. In our discussion, we spoke directly about the current problems at OWASP and Andrew's vision for moving the organization forward by confronting existing problems in policy, rewriting sections of the bylaws, and setting up enforcement of those bylaws. Andrew has not set himself an easy task. The push-back is sure to cause more strife in the beginning, but he is determined to implement changes that will make OWASP stronger in the long run, and put us on a course to continue to be a leading role to the AppSec community. In the spirit of transparency and open discussion, Andrew answered every question I had for him. He intends to continue this discussion with the community through the creation of live-online discussions. For now, Andrew is ready to implement his vision for OWASP, as he talks about here. Let's get started.

In this episode of the DevSecOps Podcast, we’re going to go off script and explore the LinkedIn algorithm. I could tie this back to DevSecOps, and how all of us need visibility for our work, or how important it is to build a community around our ideas, but the real reason is… I find this fascinating. One of the largest community engagement platforms in the world encourages us to play their game, but doesn’t tell us what the rules are! How are we to determine the best way to participate, when we have no idea on how to best contribute to maximize our visibility? Because that’s the game we are playing: how do we get, and maintain, visibility for our ideas on LinkedIn. How do we grow that visibility into an audience of our peers in order to contribute and expand those ideas. It is to the benefit of LinkedIn to give basic rules of engagement, but instead of guidelines for participation, we are punished for breaking undefined rules and rewarded for seemingly arbitrary reasons, which we then try to recreate without knowing why they were promoted. To add more complexity to the mix, the rules can change at any time. Is it a loser’s game, or are there fundamental patterns we can surface that will help give some visibility into the LinkedIn algorithm? For years, I’ve been making intuitive guesses as the best way to work on the platform. This lead me to the work of Andy Foote, from LinkedInsights, and Richard van der Blom, founder of Just Connecting, Through their research, they have found patterns that we might be able to use to expand our visibility and engagement on LinkedIn. I say “might”, because when you don’t know the rules, you don’t know when the rules change. On May 8, 2020, Richard, Andy and I sat down to discuss their research into the algorithm that determines how much visibility your content gets on LinkedIn. Andy’s article, “The LinkedIn Algorithm Explained In 25 Frequently Asked Questions” and Richard’s investigations which turned into “The LinkedIn Research Algorithm”, were the basis for our discussion. What I learned from them immediately changed how I engage with LinkedIn. When I say “immediately”, I mean within minutes of talking with them. Resources from this episode Richard van der Blom offers customized LinkedIn training sessions at Just Connecting https://www.justconnecting.nl/en/ Andy Foote offers LinkedIn coaching sessions at LinkedInsights.com The LinkedIn Algorithm Explained In 25 Frequently Asked Questions by Andy Foote https://www.linkedinsights.com/the-linkedin-algorithm-explained-in-25-frequently-asked-questions/ The LinkedIn Algorithm Full Report by Richard van der Blom https://www.slideshare.net/RichardvdBlom/full-report-linked-in-algorithm-july-2019

When I read Richard Stiennon's latest article in Forbes, The Demise of Symantec, I thought it was absolutely fascinating. Richard walks through the process of what happened at Symantec, how it was an acquisition engine for so many years, and now how it's started to decline. I got in touch with Richard and told him I'd like to have him read his article for the podcast, and he responded right away. What you'll hear in this episode is Richard talking about and reading from his article, The Demise of Symantec. Resources for this podcast: The Demise of Symantec, Forbes Online https://www.forbes.com/sites/richardstiennon/2020/03/16/the-demise-of-symantec/#6522117b5fc7 Security Yearbook 2020 https://www.security-yearbook.com/

Equifax is trying... I mean REALLY trying... to regain your trust. The Equifax CTO and CISO delivered the keynote at DevSecOps Days during 2020 RSAC. They contributed to multiple sessions and panels during the conference. The message was consistant: "Yes, we had a major problem. Here's what we're doing about it. Here's what you can learn from us." From a technical perspective, Bryson Koehler, CTO, and Jamil Farshchi, CISO, took on all questions from the audience. Nothing was out of bounds. They stayed after the session to talk one-on-one with those who had more questions. The words I heard most from the audience about the session was 'humility' and 'transparency'. That's a far cry from the poster child of breaches image the company has had to carry since 2017. Bryson and I sat down after the session at DevSecOps Days to go more into detail on what Equifax is working on, not just to re-gain user confidence, but to make a difference in the technology industry when it comes to lessons learned. He and Jamil are in the process of rebuilding the technology infrastructure at Equifax. They want to create a self-service, customer driven platform, that will include security as part of an automated solution to the future of data privacy. They are willing to openly share what they are working on, what has worked, what hasn't worked, all while building transparency into the process so that everyone can learn, not just the engineering team at Equifax. In this episode, we start with how Bryson felt the audience responded to the message from the stage, and what he had hoped to accomplish by stepping into the public spotlight.

If you like what you hear, you can download the entire book at sonatype.com/epicfailures As we were putting the finishing touches, getting ready to publish the latest version of Epic Failures in DevSecOps, I reread Jaclyn Damiano's chapter and was struck by how unique her message is. This is a personal story, one that will resonate with many people in the tech industry. It's a story of beginnings, of hardships, of leadership and finally, how all that combines into something much bigger than a technology solution. It's a story that talks about transforming people, not just companies. What you'll hear in this broadcast is Jaclyn reading her chapter, "Making Everyone Visible in Tech". There's no narrator, no discussion, just Jaclyn in her own words telling the story behind The Athena Project. It's a story of how she and her team took a diverse set of 40 applicants from underserved communities, with little to no technical background, and created a program to train and place those attendees in the tech industry. It's an inspiring story that needs to be heard.