The OWASP Podcast Series

"The compensation, the incentives that people have are very much anchored in short term objectives that do not take into account the vision for the bigger transformations that are happening within the market." -- Sacha Labourey, CEO, CloudBees Sacha Labourey runs one of the most visible, respected companies within the DevOps and DevSecOps communities. At Jenkins World 2018, I sat down with Sacha to hear how his year went, how security can become more of an important process within the software development pipeline and how the Jenkins community adds value to the company.

While at 2018 AppSec EU, I spoke with Sam Stepanyan and Grigorios Fragkos, chapter leaders of one of OWASP's largest chapters. The conversation centered around what does it take to grow a community, what does it take to lead a chapter.

This is Mark Miller, Executive Producer. 4 years ago I took over the creation and curation of the OWASP podcast series. In that time, there have been 118 episodes, with a combined listenership of over 269,000 plays. The series began as a way to speak with OWASP project leads and chapters leaders to let the community hear what was being worked on. Gradually, the show has morphed into something broader. Recent broadcasts highlighting the work done in the DevOps and DevSecOps Communities receives well over 2000 listeners per episode. We have helped give exposure to DevSecOps practitioners at major AppSec Conferences in Europe and the United States, I have produced the DevSecOps tracks at RSA Conference in San Francisco and Singapore for the past 3 years, and we've given voice to the security practitioner in lieu of the security vendor through the production of All Day DevOps. This has allowed us to reach out to new communities, a new listenership, interested in hearing how software security is changing from a manual, labor intensive process, to an automated, supply chain solution. Cultural transformation, Continuous Delivery/Continuous integration, Cloud Native Infrastructure, and Site Reliability Engineer are all topics needing coverage if we are to truly build secure software. The future of this podcast series is in focusing on DevSecOps and the practitioners who are willing to share their stories and solutions to the OWASP Community. I'll talk with people like DJ Schleen who runs the DevSecOps initiative at Aetna, John Willis who brought the first DevOps Days to the United States, and Shannon Lietz who has introduced the concept of Red Teams to her colleagues at Intuit. We will continue to highlight OWASP projects and chapters, while having discussions that are inclusive of other communities with different ideas on the future of software security. It's an important transition historically to a safer, more secure world and we want everyone be be a part of it. I hope you stay with us as we begin to explore new voices, expand on existing ideas and highlight the diversity that will truly change our industry. Welcome to the new podcast series, DevSecOps Days.

In this episode, I speak with the organizing committee of 2018 AppSec EU, hearing about what's planned and why you should consider attending this international conference in London.

On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind lgtm.com. In this episode of OWASP 24/7, I speak with research team at Semmle on how they discovered the vulnerability. Also, Brian Fox joins the discussion on the process for responsible disclosure, different ways to approach it and what other companies and projects are doing when a vulnerability is found in their project. About Man Yue Mo — Security Researcher at Semmle for lgtm.com During his PhD in mathematics at Oxford, Mo became interested in scientific algorithm development with a focus on data science and machine learning. At Semmle, Mo developed an interest in Semmle's core technology for writing queries over source code. This QL query technology is freely available on lgtm.com for the open source community to use for analyzing their code. Mo has since used QL to identify numerous security vulnerabilities, including CVE-2017-8046 in Pivotal's Spring Data REST, and the infamous CVE-2017-9805 in Apache Struts. He continues to works closely with the open source community to ensure these vulnerabilities are patched and responsibly disclosed. The blog on https://lgtm.com/blog contains various articles by Mo on how to use QL for security research. About Bas van Schaik — Head of Product at Semmle As the Head of Product at Semmle, Bas is responsible for the entire product portfolio — from the core QL query technology, to lgtm.com where this technology is made freely available to the open source community. Following his PhD in Computer Science at Oxford, Bas joined Semmle to work on machine learning and data science techniques for extracting insights from software engineering data. After setting up a strong team of machine learning experts, he now works closely with engineers and leaders to ensure that Semmle's products are effective in all parts of the software development process — to secure and improve code, reduce risk, and deliver actionable insights. He works closely with pioneers in the open source community, as well as with developers and leaders at organizations such as Google, Microsoft, NASA, Credit Suisse, NASDAQ, and Dell. About Brian Fox, CTO, Sonatype Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

Shannon Lietz, Caroline Wong and Paula Thrasher will give the opening remarks at DevOps Connect: DevSecOps Days on April 16 at the RSAC Conference in San Francisco. On today's show, I talk with Shannon, Caroline and Paula, on what they hope to accomplish during their talk, and why DevSecOps is becoming the hottest topic in this year's growth of the DevOps Community.

Prior to his work as Principal Software Assurance Engineer at MITRE, Kevin E. Greene was R&D Program Manager for the Department of Homeland Security. He is currently on the organizing committee for HackNYC, helping to organize talks and sessions around protecting and securing our national infrastructure. I spoke with Kevin about the current state of software security and how each of us can play a roll in the security of modern software. About Kevin E. Greene With more than 17 years of information assurance and security experience in security program management, assessment, auditing, and testing, Kevin Greene brings valuable skills and capabilities to the Department of Homeland Security Science and Technology Directorate (DHS S&T). As a member of the Homeland Security Advanced Research Projects Agency (HSARPA) Cyber Security Division, Greene has identified, developed, and transitioned technology projects through multiple commercial and academic organizations for the past two years. Responsible for the oversight and management of research and development projects for improving the testing, analysis, and evaluation techniques used in software quality assurance tools, he currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed to advance secure software development best-practices within the industry.

In May, at HackNYC 2018 in New York City, Dr. Bill Curtis' team of Tracie Gerardi and Lev Lesokhin will deliver a presentation on putting an end to "Technical Debt". I spoke with Dr. Curtis about his work in the creation of various maturity models, the current state of security in software development and "what keeps him up at night". You might be surprised at his answer. Listen in... About Dr. Bill Curtis Dr. Bill Curtis (1948) is an American software and organizational scientist. He is best known for leading the development of the Capability Maturity Model [1] (CMM for Software) and the People CMM [2] in the Software Engineering Institute at Carnegie Mellon University. He co-founded TeraQuest, a provider of CMM-based services, which was sold to Borland Software Corporation in 2005. He has published 5 books, over 150 articles, and in 2007 was elected a Fellow of the Institute of Electrical and Electronics Engineers for his career contributions to software process improvement and measurement.

The OpenChain Project identifies key recommended processes for effective open source management. The project builds trust in open source by making open source license compliance simpler and more consistent. In this broadcast, I speak with Shane Coughlan, project director, about the purpose of the project and what his team hopes to accomplish in 2018.

Newly elected to the OWASP board, Greg Anderson is interested in how to expand the OWASP community. I talked with him about what he hope to accomplish in his tenure on the board, the first initiatives he would like to implement and on various ideas for working with OWASP chapters, projects and events. About Greg Anderson Technical leader with 6+ years of experience in all facets of security. Primary areas of expertise include application security, security in DevOps, security automation, program management and program development.