
The OWASP Podcast Series
The OWASP Podcast Series is a recorded series of discussions with thought leaders and practitioners who are working on securing the future for coming generations.
Latest episodes

Nov 16, 2017 • 1h 5min
Thoughts on Security in the Modern Software Supply Chain
Caroline Wong, Paula Thrasher and I were having lunch at DevOps Enterprise Summit when the conversation took an interesting turn. Paula and Caroline had been on a panel the previous day and didn't get a chance to do a deep dive into any of the topics.
As we were talking at lunch, I realized it was a good opportunity to give them a chance to talk with each other about government vs. public software security, about how the OWASP Top 10 might best be used, and about what they have discovered to be common security patterns in their large-scale projects.
About Caroline Wong
I am a strategic leader with strong communications skills, cybersecurity knowledge, and experience delivering global programs. My close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. I have been featured as an Influencer in the Women in IT Security issue of SC Magazine, named as one of the Top 10 Women in Cloud by CloudNOW, and received a Women of Influence Award in the One to Watch category from the Executive Women's Forum. I authored the popular textbook Security Metrics: A Beginner's Guide.
About Paula Thrasher
Paula Thrasher has 20+ years' experience in IT and has spent the last 15 years trying to implement Agile culture in the federal government. Paula's first Agile project was in 2001; since then she has led over 15 programs and projects as an Agile developer, technical lead, Scrum master, or Agile coach. Her teams have helped two separate federal agencies migrate applications to Amazon AWS GovCloud, and done some other amazing DevOps ninja work along the way. Paula is a proud Carnegie Mellon University alumna with a B.S. in Statistics, is a Certified Scrum Master (CSM) and a Project Management Professional (PMP), but prefers learning new things through experience and working with smart people.

Sep 15, 2017 • 27min
Security Processes at the Apache Software Foundation w/ Mark Thomas and Brian Fox
In our continuing series on the Struts2 vulnerability announcement and the breach at Equifax, we spoke with Mark Thomas, Director, Apache Software Foundation, and Brian Fox, CTO, Sonatype to clarify the processes ASF goes through when a vulnerability is found within one of their projects.
About Mark Thomas
Mark is currently employed by Pivotal where he spends most of his time working on Apache Tomcat. At the Apache Software Foundation, Mark is a committer and PMC member for Apache Tomcat as well as other projects. At the foundation level he is an ASF member, a member of the security and trademarks committees, is an infrastructure volunteer and a Director. Mark speaks regularly on Apache Tomcat including at ApacheCon.

Sep 14, 2017 • 31min
Struts2 Vulnerabilities: Who Is Responsible?
A conversation on the ramifications of recent Struts2 announcements, the exploit at Equifax and the responsibility of companies using open source software.
David Blevins, CEO, TomiTribe
Brian Fox, CTO, Sonatype

Sep 7, 2017 • 25min
What you should know about the latest Struts2 vulnerability announcement
What you should know about the latest Struts2 vulnerability announcement w/ Brian Fox, CTO, Sonatype, and Matthew Konda, Chair, OWASP Board of Directors.
If you're a developer and concerned about security, a Struts2 vulnerability announcement came out yesterday. I interviewed two experts to talk about the announcement and what you should be looking for.
If you would like to watch a video of the interview, you can find it on YouTube: https://www.youtube.com/watch?v=jtUfPom06bo

Aug 29, 2017 • 16min
OWASP Hacker Kids in Bangalore
Most of us want to help kids become proficient in programming and cybersecurity, but don't know how to get started or have time to manage such a project. Prashant Kv figured he'd put a team together with Vandana Verma and Rupali Dash and give it a shot.
The first event in Bangalore was a huge success, with over 200 kids participating. I spoke with Prashant, Vandana and Rupali about how the event was put together, why it worked and what their plans are for future events.

Aug 8, 2017 • 9min
Less than 10 Minutes Series: OWASP DockerHub with Simon Bennetts
Earlier this week, Simon Bennetts from the OWASP ZAP Project announced the official availability of the OWASP DockerHub for housing projects. I caught up with Simon soon after to hear how ZAP was utilizing DockerHub and the benefits of containerization.
https://hub.docker.com/u/owasp/

May 12, 2017 • 8min
Less than 10 Minutes Series: ModSecurity Core Rule Set Project
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the ModSecurity Core Rule Set Project with project co-lead Christian Folini.
The OWASP ModSecurity CRS Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.
The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

May 11, 2017 • 7min
Less than 10 Minutes Series: OWASP Summit 2017
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update on the OWASP Summit 2017 with conference organizer Sebastien (Seba) Deleersnyder. OWASP Summit 2017 is a 5-day, participant-driven event dedicated to collaboration between Development and Security professionals, with a strong focus on DevSecOps.

May 11, 2017 • 8min
Less than 10 Minutes Series: WebGoat Project
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the WebGoat Project with project co-leads Jason White and Nanne Baars. WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

May 11, 2017 • 8min
Less than 10 Minutes Series: Vicnum Project
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Vicnum Project with project lead Nicole Becher. The Vicnum Project is a collection of intentionally vulnerable web applications. Vicnum applications are commonly used in Capture the Flag exercises at security conferences.