
The OWASP Podcast Series
The OWASP Podcast Series is a recorded series of discussions with thought leaders and practitioners who are working on securing the future for coming generations.
Latest episodes

Jan 10, 2019 • 42min
Epic Failures in DevSecOps w/ Aubrey Stearn
Aubrey Stearn is the Technical Lead for the Enterprise Cloud Platform at Nationwide. In this broadcast we talk with Aubrey about her chapter, "The Tale of the Burning Programme", in the recently released "Epic Failures in DevSecOps" book.
Aubrey talks about her extensive experience guiding and molding teams, leading the way through the maze of decisions needed in order to build a more productive and efficient engineering culture.
We start off the discussion with "Why is our biggest problem DevOps, itself?"

Jan 2, 2019 • 35min
Strategic Asymmetry - Leveling the Playing Field w/ Chetan Conikee
"In the past when we were writing software, it was our engineers and our organizations that had total cost of ownership of that software. But now, that has fundamentally changed. Engineers are using open source software and deploying the entire application on an open source framework, which means a large part of the software supply chain is no longer owned by the engineer." -- Chetan Conikee
In this episode of the DevSecOps Days Podcast Series, I speak with Chetan Conikee about his chapter in the Epic Failures in DevSecOps book.
About Chetan Conikee
Chetan Conikee is a serial entrepreneur with over 20 years of experience authoring, architecting and securing mission-critical software. His expertise includes building web-scale distributed infrastructure, cybersecurity, personalization algorithms, complex event processing, and fraud detection and prevention in the investment/retail banking domains. He currently serves as CTO/Founder at ShiftLeft, and was most recently Chief Data Officer and GM Operations at CloudPhysics.
Prior to CloudPhysics, Chetan was part of the early founding teams at CashEdge (acquired by FiServ), Business Signatures (acquired by Entrust) and EndForce (acquired by Sophos).

Dec 18, 2018 • 18min
Threat Modeling - A Disaster Story with Edwin Kwan
We continue the "Epic Failures in DevSecOps" series by speaking with Edwin Kwan on his chapter, "Threat Modeling - A Disaster Story". Edwin is Application and Software Security Team Lead at Tyro Payments. In our discussion, we talk about the three things he learned through his "Epic Failure":
-- Demonstrate value at the buy-in
-- Get early feedback
-- Automate as much as possible
During our discussion, we talk at length about the role of security and how to begin implementing automation at the earliest stages of the development process.
About Edwin Kwan
Edwin Kwan is the Application and Software Security Team Lead for a bank. His approach toward application and software security is to raise security awareness, provide light touch controls to the software development life cycle to increase visibility of security issues and work closely with engineering teams to quickly develop secure applications.
Edwin started out as a software engineer and transitioned into the application security role to lead a range of security initiatives when the company was working towards obtaining an unrestricted banking licence.
As a Software Engineer, he has over a decade of experience developing large-scale, real-time, high-performance, high-reliability software applications for major telecommunication vendors. He is also experienced in working with stakeholders from small to large organisations to design and develop innovative solutions to help manage and grow their business.

Dec 14, 2018 • 23min
The DevSecOps Unicorn Rodeo w/ Stefan Streichsbier
Stefan Streichsbier talks about his chapter, "Unicorn Rodeos", in the just released book, "Epic Failures in DevSecOps". We start with where the chapter name came from and what it means, then lead into his three main points for hanging on for the rodeo ride:
-- Don't waste time over-engineering
-- Build for the right audience
-- Find your champions
We conclude with a discussion of technology trends in South East Asia and Indonesia. People mentioned include Gene Kim, Caroline Wong, Fabian Lim, Mohamed Imran, Magda Chelly, Edwin Kwan, DJ Schleen and others.

Dec 10, 2018 • 14min
The DevSecOps Experiment
DJ Schleen talks about his upcoming 15 part video series, "The DevSecOps Experiment", where he will walk through the setup of a software supply chain, including building in security during every step of the process.
This is a lab-workshop-style series, where you'll be able to immediately implement the solutions at the end of each 15 minute session. DJ will be available to answer your questions on his public Slack channel, and will provide resources in the DevSecOps Days GitHub repository.
This is a free, online workshop series. To be notified when each segment of the series is released, please sign up for notifications at DevSecOpsDays.com

Dec 3, 2018 • 47min
Open Source Vulnerabilities - Who is Ultimately Responsible
In this broadcast, I speak with Chris Roberts and Derek Weeks about lines of responsibility and npm package hijacking in light of the event-stream vulnerability announcement last week.
The announcement of the event-stream npm package vulnerability has once again raised the issue of who is ultimately responsible when a breach like this is announced. Is it the original creator of the package? What about the team maintaining the package? Where does the end user fit in? How does social engineering come into play?

Nov 27, 2018 • 22min
event-stream: Analysis of a Compromised npm Package
Once again, the pattern of taking over a known package and modifying it with malicious intent has happened. In this case, it's with the event-stream module in the npm repository. In this broadcast I speak with Thomas Hunter, Software Developer at Intrinsic and author of "Compromised npm Package: event-stream", and Brian Fox, CTO of Sonatype and author of the Forbes article "Open Source Developers And Infrastructure Are The New Front Line Of Security?".
Compromised npm Package: event-stream
https://medium.com/intrinsic/compromi...
Open Source Developers And Infrastructure Are The New Front Line Of Security
https://www.forbes.com/sites/forbestechcouncil/2018/05/11/open-source-developers-and-infrastructure-are-the-new-front-line-of-security/#2ad9e84457c2
Open Source Software Is Under Attack; New Event-Stream Hack Is Latest Proof
https://blog.sonatype.com/open-source-software-is-under-attack-new-event-stream-hack-is-latest-proof

Nov 2, 2018 • 16min
Spy vs Spy in Application Security: Harvesting Adversaries
"The guy who wrote wifi software with SSID never imagined that someone could use that SSID to transmit data by writing two smaller applications to leverage it. We are constantly going to be in this [type of] battle. Ultimately we've got to find a way to stay ahead of it by understanding the mechanisms by which we're writing the abuse case possibilities." -- Shannon Lietz
Following their session at DevOps Enterprise Summit 2018, I sat down with Shannon Lietz and James Wickett to talk about who the real adversaries are when it comes to application security, what you can do to expose those adversaries, and steps to get started on your own internal adversary program.
About Shannon Lietz
DevSecOps Leader for Intuit
Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company's DevSecOps and cloud security strategy, roadmap and implementation in support of corporate innovation. She operates a 24x7 DevSecOps team that specializes in Adversary Management. Prior to joining Intuit, Ms. Lietz worked for ServiceNow, where she was responsible for the cloud security engineering efforts, and Sony, where she drove the implementation of a new secure data center.
Ms. Lietz has significant experience leading crisis management for large-scale security breaches and restoration of services for several Fortune 500 companies. She has previous experience as founder of a metrics company, leading major initiatives for hosting providers as a Master Security Architect, developing security software and consulting for many Fortune 500 companies globally. Ms. Lietz is an IANS faculty member and holds a Bachelor of Science degree in Biological Sciences from Mount St. Mary's College.
About James Wickett
Head of Research, Signal Sciences
James spends a lot of time at the intersection of the DevOps and Security communities. He works as Head of Research at Signal Sciences and is a supporter of the Rugged Software and DevSecOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of several security and DevOps courses on LinkedIn Learning, including: DevOps Foundations, Infrastructure as Code, DevSecOps: Automated Security Testing, Continuous Delivery (CI/CD), and Site Reliability Engineering.
He got his start in technology when he founded a startup as a student at the University of Oklahoma and has since worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. He is a dynamic speaker on topics in DevOps, AppSec, InfoSec, cloud security, automated security testing, DevSecOps and serverless.
James is the creator and founder of the Lonestar Application Security Conference, the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and previously served on the global DevOps Days board. He holds several security certifications, including CISSP and GWAPT.

Oct 31, 2018 • 39min
Moving from Projects to Products w/ Mik Kersten
"If you look inside a large enterprise IT organization, they have this very bizarre and broken layer that's completely separating the way that business thinks in terms of products, budgets and costs, and the way IT people know the way they need to innovate, which is delivering products faster." -- Mik Kersten
I sat down with Mik Kersten, CEO of Tasktop, and John Willis after Mik's presentation at DOES2018. His new book, Projects to Products, is an attempt to help the industry move from using success metrics more appropriate for the industrial age to a new type of measurement where value is measured as part of the overall business goal through Value Stream Mapping.
About Mik Kersten
Dr. Mik Kersten is the CEO of Tasktop Technologies, creator and leader of the Eclipse Mylyn open source project and inventor of the task-focused interface. As a research scientist at Xerox PARC, Mik implemented the first aspect-oriented programming tools for AspectJ. He created Mylyn and the task-focused interface during his PhD in Computer Science at the University of British Columbia.
Mik has been an Eclipse committer since 2002, is an elected member of the Eclipse Board of Directors and serves on the Eclipse Architecture and Planning councils. Mik's thought leadership on task-focused collaboration makes him a popular speaker at software conferences, and he was voted a JavaOne Rock Star speaker in 2008 and 2009. Mik enjoys building tools that offload our brains and make it easier to get creative work done.
Specialties: Software Development Tools, Productivity tools, Task-Focused Interfaces, Application Lifecycle Management, Agile, Management, Aspect-Oriented Programming, Eclipse, Java

Oct 29, 2018 • 20min
The Journey to Open Source at Capital One w/ Tapabrata "Topo" Pal
Why would you allow open source usage in your company? What are the compelling reasons to take the risk? In this discussion, I talk with Topo Pal and Derek Weeks about the industry perception of open source and what's really happening behind the curtain at large enterprises. Topo had just finished his keynote presentation at DevOps Enterprise Summit 2018 and I wanted to dive a little deeper into some of the things he talked about.
About Topo Pal
Dr. Topo Pal is Senior Director & Sr. Engineering Fellow at Capital One. His main areas of expertise are DevOps/DevOpsSec/Rugged DevOps and Continuous Integration and Continuous Delivery. Topo is also interested in Natural Language Processing, Information Extraction, Architecture Strategy, Application Architecture and Integration Architecture.
About Derek Weeks
Derek E. Weeks, Vice President, Sonatype. Derek is a huge advocate of applying proven supply chain management principles to DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation.
Derek is also the co-founder of All Day DevOps, an online community of 40,000 IT professionals, and the lead researcher behind the annual State of the Software Supply Chain report for the DevOps industry.
In 2018, Derek was recognized by DevOps.com as the "Best DevOps Evangelist" for his work in the community.