The OWASP Podcast Series

When I think of Tel Aviv, I imagine a robust, young culture, living a good, fun life. Not only is the culture conducive to a young life style, its tech industry continues to gain traction. As Wired Magazine said last August, "Israeli startups have always been high on Silicon Valley shopping lists, but Tel Aviv is beginning to shake off its reputation as Europe’s exit capital." Zebra, the medical diagnostics company, MyHeritage online family tree service, Via ride sharing service, and the Waze navigation app, as well as dozens of other influencial start-ups call Tel Aviv home. This places Tel Aviv at the heart of the tech industry in Isreal and encourages conferences and gatherings on a regional, as well as global scale. In this broadcast, I speak with Avi Douglen and Ofer Moar, co-chairs of the upcoming Global AppSec Conference in Tel Aviv. They are both active participates in OWASP and the security community. I called them to find out more about the conference, how it's different from other conferences and what participants can expect as takeaways from the event. More information and registration: https://telaviv.appsecglobal.org/

If you've read the Phoenix Project, you'll remember Brent, the indispensable cog on the operations team. Brent was a good guy, he wanted to do the right things, all of the right things, but was pulled in all directions because of the lack of a unified plan for the company's project workflow. But what if Brent didn't want to do the "right" thing? What if Brent was more interested in the convenience of getting his work done than he was in the overall health and output of the project. What if he deployed to production without checking into SourceSafe, not just once, but for years. From Tanya janca: I went to our trusty code repository, took a copy of the most recent code. I went looking for the bug, and I couldn't even find it. And then I'm running it locally, and I'm looking at the real one in prod. And they're completely different. I'm like, "What would have happened if I had pushed to prod? If I fixed that bug, and pushed to prod, and not noticed the difference?" And he's like, "All my work would have been gone. That would have been your mistake." I'm like, "Are you kidding?" He's like, "It's just easier if I check it in directly, if I just edit it right on the web server. It's just easier for me." I'm like, "Oh. Is it easier to do a shitty job? No. No, no, no. In today's episode, Tanya Janca, Cloud Security Advocate, Microsoft, expands on her just published article, "DevSecOps: Securing Software in a DevOps World", clarifying each of the 5 tactics she uses to integrate not just security into the software development process, but how to manage people as part of that process. Have a listen...

Three years ago there was an idea floating around OWASP... a core community was looking for a way to have an isolated week, where security project working groups could get together, with no distractions, and work on projects they felt were important. From this idea, the Open Security Summit was founded. Now in it's third year, the summit takes place in an isolated forest located between London and Manchester. The format for the gathering is to present an environment, with no distractions, where the community of 150 security professionals can meet to update each other on their progress in the past year and to choose working groups to outline and work on future projects. This is not a podium lecture series conference. It is a 5-day high-energy experience, during which attendees get the chance to work and collaborate intensively. Each working session is geared towards a specific Application Security challenge and will be focused on actionable outcomes. In this episode, I speak with Seba (Sayba) Deleersnyder, Denis Cruz, Jemma Davis and Francois Raynaud, core organizers of the event, talking about why they started the event, what has changed over the years and what you can expect as an attendee at the Open Security Summit. https://opensecuritysummit.org/

Open-source components and their use within the software supply chain has become ubiquitous within the past few years. Current estimates are that 80-90% of new software applications consist of open-source components and frameworks. Section A9 of the OWASP Top 10 places components with known vulnerabilities as one of the most prevalent and abused parts of the software supply chain, placing it at a security weakness level of three, on a scale from one to three. Quoting from the OWASP description in A9, "Component-heavy development patterns can lead to development teams not even understanding which components they use in their applications or APIs, much less keeping them up to date." In today's episode, I speak with Allan Friedman, Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration. Our talk focused on the creation of a Software Bill of Materials, or an SBOM. As we begin, Allan describes his role in the project and what they hope to accomplish. About Allan Friedman I'm the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, or NTIA. We're a tiny part of the US Department of Commerce, and our mission really is about promoting a free, open, and trustworthy internet. Over the past few years, we've engaged in what we call "multistakeholder processes", trying to identify areas where the entire digital ecosystem can come together on things that they care about and make progress. So the government doesn't have a vested interest in the outcome, we just feel that we'll all be better off if the community can find common ground and consensus.

"Chaos engineering is an empirical practice of setting up experiments to figure out where your system is vulnerable so that you can know that ahead of time and proactively fix some of these vulnerabilities in your system." -- Casey Rosenthal In this broadcast, I speak with Casey Rosenthal about the beginnings of Chaos Engineering and Netflix and how the concept has morphed into a cross-industry community, sharing ideas through local chaos conferences.

The Ladies of London Hacking Society was created by Eliza-May Austin in an act of frustration.Having nowhere to turn to meet other women within the security industry in the UK,Eliza-May fired off an online post lamenting the lack of local community support for technical security-based women. Her story is a common one. The post seemed to resonate with the local community. In a short time, she had close to 500 women join her London Meetup Group, focusing on sharing technical skills and industry stories.

What am I working on? What can go wrong? What am I going to do about it? Did I do a good job? These are the four questions at the heart of threat modeling In this episode, I speak with Adam Shostack, author of Threat Modeling: Designing for Security. We talk through how to begin threat modeling and the expectations of using modeling. Adam walks through the history of threat modeling, including his creation of the Elevation of Privilege game.

This is the sixth episode in an eight part series, talking with the authors of "Epic Failures in DevSecOps". In this segment, I speak with Chris Roberts about his chapter, "We are all special snowflakes", diving into topics as diverse as the failure of the security industry to protect us from ourselves and what is considered "acceptable" monitoring when it comes to the government, and to social sites. You can download a free copy of Epic Failures at DevSecOpsDays.com

The inclusion of security as an integral piece of the DevOps puzzle continues to gain traction. In this episode of the DevSecOps Days Podcast Series, I speak with Curtis Yanko and Scott McCarty about their new book, "A Concise Introduction to DevSecOps". We discuss why they wrote the book, who the audience is that will benefit from it and why enterprises should be considering security as part of the software development environment.

As if there aren't enough reasons to go to Southern California in the middle of a New York winter, AppSec Cali opens it's doors for its 6th Annual OWASP conference on January 22, 2019. In this broadcast, I speak with Richard Greenberg, one of the core organizers of the conference, talking about why people come, what they can expect to see and why he continues to help produce the conference year after year. For a transcript of this broadcast, go to DevSecOpsDays.com and click on "Podcasts".