Cover image of DevSecOps Podcast Series
(21)
Technology

DevSecOps Podcast Series

Updated about 8 hours ago

Technology
Read more

The DevSecOps Days is a recorded series of discussions with thought leaders and practitioners who are working on integrating automated security into every phase of the software development pipeline.

Read more

The DevSecOps Days is a recorded series of discussions with thought leaders and practitioners who are working on integrating automated security into every phase of the software development pipeline.

iTunes Ratings

21 Ratings
Average Ratings
16
3
1
0
1

Very Well Done!

By rampanteer - Mar 16 2009
Read more
By far, the best podcast dealing with webapp security that I've found.

Fantastic!

By jinxpuppy - Dec 30 2008
Read more
Great resource to listen to

iTunes Ratings

21 Ratings
Average Ratings
16
3
1
0
1

Very Well Done!

By rampanteer - Mar 16 2009
Read more
By far, the best podcast dealing with webapp security that I've found.

Fantastic!

By jinxpuppy - Dec 30 2008
Read more
Great resource to listen to
Cover image of DevSecOps Podcast Series

DevSecOps Podcast Series

Latest release on Nov 14, 2019

Read more

The DevSecOps Days is a recorded series of discussions with thought leaders and practitioners who are working on integrating automated security into every phase of the software development pipeline.

Rank #1: OWASP Application Security Verification Standard Project w/ Andrew van der Stock

Podcast cover
Read more
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.

Project on OWASP
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

Oct 01 2015

8mins

Play

Rank #2: Active Deception as a Methodology for Cybersecurity w/ Lawrence Pingree from Gartner

Podcast cover
Read more
Lawrence Pingree and I were having a discussion in the press room at RSA Conference 2016. We talked about his work with Gartner, analyzing deception as part of cybersecurity. His voice was so passionate, I just had to turn on the recorder. I haven't heard many people talking about this subject, but it's intriguing to think about... more than honeypots, true deception. Have a listen.

About Lawrence Pingree
Lawrence Pingree has been an active member of the Information Security industry for many years. He has consulted for large financial institutions, corporations and government entities on technologies ranging from firewalls, intrusion detection, networks, system penetration, risk management, compliance, eDiscovery and Forensics.

He has served as a Chief Security Architect at both Peoplesoft and Netscreen. He is currently an active member of the Information Systems Security Association (ISSA) of Silicon Valley as well as the Open Web Application Security Project (OWASP) and is a published author of two books.

Lawrence is a founding board member of the Digital Forensics Association where he is serving as Vice President. In his spare time enjoys trading money on the foreign currency market, hiking, nature and performance cars.

Mar 21 2016

18mins

Play

Rank #3: Steps to Responsible Disclosure with Bas van Schaik,Man Yue Mo and Brian Fox

Podcast cover
Read more
On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind lgtm.com.

In this episode of OWASP 24/7, I speak with research team at Semmle on how they discovered the vulnerability. Also, Brian Fox joins the discussion on the process for responsible disclosure, different ways to approach it and what other companies and projects are doing when a vulnerability is found in their project.

About Man Yue Mo — Security Researcher at Semmle for lgtm.com

During his PhD in mathematics at Oxford, Mo became interested in scientific algorithm development with a focus on data science and machine learning. At Semmle, Mo developed an interest in Semmle's core technology for writing queries over source code. This QL query technology is freely available on lgtm.com for the open source community to use for analyzing their code. Mo has since used QL to identify numerous security vulnerabilities, including CVE-2017-8046 in Pivotal's Spring Data REST, and the infamous CVE-2017-9805 in Apache Struts. He continues to works closely with the open source community to ensure these vulnerabilities are patched and responsibly disclosed. The blog on https://lgtm.com/blog contains various articles by Mo on how to use QL for security research.

About Bas van Schaik — Head of Product at Semmle

As the Head of Product at Semmle, Bas is responsible for the entire product portfolio — from the core QL query technology, to lgtm.com where this technology is made freely available to the open source community. Following his PhD in Computer Science at Oxford, Bas joined Semmle to work on machine learning and data science techniques for extracting insights from software engineering data. After setting up a strong team of machine learning experts, he now works closely with engineers and leaders to ensure that Semmle's products are effective in all parts of the software development process — to secure and improve code, reduce risk, and deliver actionable insights. He works closely with pioneers in the open source community, as well as with developers and leaders at organizations such as Google, Microsoft, NASA, Credit Suisse, NASDAQ, and Dell.

About Brian Fox, CTO, Sonatype

Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

Mar 20 2018

30mins

Play

Rank #4: A Concise Introduction to DevSecOps

Podcast cover
Read more
The inclusion of security as an integral piece of the DevOps puzzle continues to gain traction. In this episode of the DevSecOps Days Podcast Series, I speak with Curtis Yanko and Scott McCarty about their new book, "A Concise Introduction to DevSecOps". We discuss why they wrote the book, who the audience is that will benefit from it and why enterprises should be considering security as part of the software development environment.

Jan 18 2019

26mins

Play

Rank #5: 2014 AppSec APAC - Post Mortem (English)

Podcast cover
Read more
In March 2014, Rio Okada and his team in Japan organized the first AppSec APAC event in Japan. I called Rio to ask how the event went. Joining the conversation with me and Rio is Robert Dracea, Tobias Gondrom and Jerry Hoff. During our call we talked about what made the event so successful and how that success might be used in future AppSec events. Have a listen.

Apr 01 2014

18mins

Play

Rank #6: The OWASP Cornucopia Project with Colin Watson

Podcast cover
Read more
For his most recent project at OWASP, Colin Watson has taken the concept of Microsoft's 'Elevation of Privilege' card game and transformed it as a process for identifying security requirements for web applications. In this segment of OWASP 24/7, I speak with Colin about the origin of the project, a typical use case for the game and what the next version of the deck will look like.

Resources for this broadcast OWASP Cornucopia Project Pagel Microsoft Elevation of Privilege Card Game About Colin Watson
Colin Watson is an application security consultant based in London. He is project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, wrote the Application Logging Cheat sheet, contributes to a number of other OWASP projects including AppSensor and Open SAMM, and was a member of the former OWASP Global Industry Committee.

Mar 21 2014

15mins

Play

Rank #7: The OWASP WebSpa Project with Yiannis Pavlosoglou and Jim Manico

Podcast cover
Read more
The OWASP WebSpa Project
The OWASP WebSpa project is a tool implementing the novel idea of web
knocking. The term web knocking stems from port knocking, If port
knocking is defined as "a form of host-to-host communication in which
information flows across closed ports" then we define web knocking as
a form of host-to-host communication in which information flows across
erroneous URLs.

In this podcast we present this web knocking tool for
sending a single HTTP/S request to your web server, in order to
authorise the execution of a preselected Operating System (O/S)
command on it.

About Yiannis Pavlosoglou
There is a world of numbers, hiding behind letters, inside computers,
this is what stimulates my work. I am currently employed in IT risk
management within the financial industry, running a team of technical
risk assessors.

Prior to this, I spent 5 years in the world of
professional penetration testing. I focused my career evolution on
assisting large scale projects actually implement secure development
practices. This included teaching developers how to write secure code.
For OWASP, I was the project leader for JBroFuzz and used to chair the
Global Industry Committee. I am on the Application Security Advisory
Board of the (ISC)2.

My academic qualifications include a PhD in
information security, designing routing protocols for ad-hoc networks.
I am a certified scrum master and hold the CISSP certification.

Mar 03 2014

32mins

Play

Rank #8: AppSec APAC 2014 with Tobias Gondrom – What To Expect

Podcast cover
Read more
The OWASP team in Japan are putting the finishing touches on the big AppSec APAC Conference that is being held in March 2014. I spoke with Tobias Gondrom, keynote speaker for the conference, and asked him to fill us in on why this conference is unique and why you should consider attending.

Jan 14 2014

7mins

Play

Rank #9: AppSec USA 2013 - Abbas Naderi and the OWASP PHP Security Project

Podcast cover
Read more
"There are a lot of security flaws in websites like Facebook and WordPress applications. Most of those flaws are because the developers first create the application and then consider the security." -- Abbas Naderi

PHP is one of the most used programming languages for the web. The problem with PHP has always been that it's easy to get started programming with PHP, but that's also one of its biggest flaws when considering application security. Abbas Naderi leads the OWASP PHP Security Project, which is a sample framework to demonstrate proper usage of the tools and libraries, as well as providing guidelines for new PHP projects. In this segment of OWASP 24/7, I talk with Abbas about the PHPSEC project as well as one of his other project, RBAC.

About Abbas Naderi
Abbas Naderi Afooshteh is a renowned security expert in the middle east, he has ranked first in many national and global CTFs and has been in the field for more than 8 years. He is the current Iran Chapter Leader at OWASP, and has 5 years of activity in OWASP resulting in many projects such as OWASP RBAC Project, OWASP PHP Security Project, OWASP WebGoatPHP Project and etc. He has participated in many other projects such as Cheat Sheets and ESAPI.

Abbas has studied software engineering and information technology in his BS and MS and is now going to CMU to study Information Security for MS+PhD. He spends many hours daily leading OWASP projects and mentoring new enthusiastics that join projects, as well as shaping bright ideas into OWASP projects.More can be found at https://abiusx.com/cv

Dec 19 2013

11mins

Play

Rank #10: The Run Up to a Massive Cyber Security Month with Tom Brennan

Podcast cover
Read more
In anticipation of Security Awareness Month in October, Tom Brennan is planning an event featuring a cross section of various cyber groups in New York and New Jersey. A few weeks ago, I attended a Meet Up in New York City where many of the local groups got together to talk about what they are working on and how that plays into the October event. The Meet Up was VERY loud, so the sound quality leaves a bit to be desired, but the passion and enthusiasm still comes through.

The first segment of the show is an introduction with Tom Brennan as he talks about the cross-group event he put together in March and his plans for creating a large, cross-cyber group event for Security Awareness Month in October. I then spoke with Ian Amit, one of the OWASP chapter leaders for New York. He describes what he is working on for the OWASP chapter in New York. Izabela Pelszynska joins us to speak about the Women in Security group, and we end with a round table discussion of the upcoming event in October.

Apr 25 2014

20mins

Play

Rank #11: Security Processes at the Apache Software Foundation w/ Mark Thomas and Brian Fox

Podcast cover
Read more
In our continuing series on the Struts2 vulnerability announcement and the breach at Equifax, we spoke with Mark Thomas, Director, Apache Software Foundation, and Brian Fox, CTO, Sonatype to clarify the processes ASF goes through when a vulnerability is found within one of their projects.

About Mark Thomas
Mark is currently employed by Pivotal where he spends most of his time working on Apache Tomcat. At the Apache Software Foundation, Mark is a committer and PMC member for Apache Tomcat as well as other projects. At the foundation level he is an ASF member, a member of the security and trademarks committees, is an infrastructure volunteer and a Director. Mark speaks regularly on Apache Tomcat including at ApacheCon.

Sep 15 2017

27mins

Play

Rank #12: Less than 10 Minutes Series - ModSecurity Core Rule Set Project

Podcast cover
Read more
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the ModSecurity Core Rule Set Project with project co-lead Christian Folini.

The OWASP ModSecurity CRS Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.

The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

May 12 2017

8mins

Play

Rank #13: AppSec USA 2013: Zed Attack Proxy Project with Simon Bennetts

Podcast cover
Read more
"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for." -- Simon Bennetts

In today's segment, I talk with Simon Bennetts, project lead for the OWASP Zed Attack Proxy Project or "ZAP" for short. Simon is working on a user friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about.

About Simon Bennetts
Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them.

He works for Mozilla as part of their Security Team.

Some of the projects Simon works on:
-- OWASP Zed Attack Proxy project lead
-- OWASP Vulnerable Web Applications Directory Project joint project lead
-- Mozilla Zest project lead
-- Mozilla Plug-n-Hack joint project lead
-- Bodge It Store project lead
-- OWASP Web Application Security Testing Cheat Sheet joint author
-- OWASP AppSensor contributor
-- wavsep contributor
-- OWASP Data Exchange Format project lead (currently inactive)

Dec 13 2013

10mins

Play

Rank #14: The OWASP Hacky Easter Challenge with Ivan Bütler

Podcast cover
Read more
Ivan Bütler and his team at the Hacking Lab have whipped up a fun challenge for the Easter season. The Hacky Easter Challenge is a white-hat hacking competition for fun and education. Sign up and start your quest for easter eggs! No need to be a "1337 h4xor" - there are challenges of different difficulty.

About Ivan Bütler
Ivan Bütler is the co-founder and CEO of Compass Security, a Swiss Ethical Hacking and Penetration Testing company located in Switzerland and Germany. Besides his own business he is also a tutor at both, the University of Applied Sciences in Rapperswil and Lucerne University of Applied Sciences and Arts. Ivan is a regular speaker at international conferences (Blackhat USA, IT Underground Warsaw, OWASP AppSec).

Ivan is in the board of the Swiss Cyber Storm 4 Conference Committee and as such, responsible for the CTF and Hacking platform for the European Cyber Security Challenge 2014/2015, a cyber talent competition between Austria, Switzerland and Germany and may others from the European Union.

He is the founder of Hacking-Lab – a remote security lab that is being used world-wide by security enthusiasts and security professionals to train their hands-on experience. Hacking-Lab is partnering with OWASP and provides free OWASP TOP 10, OWPASP Hackademics and OWASP WebGoat challenges.

Mar 27 2014

6mins

Play

Rank #15: RSAC 2018 - Preview of Opening Session for DevOps Connect: DevSecOps Day

Podcast cover
Read more
Shannon Lietz, Caroline Wong and Paula Thrasher will give the opening remarks at DevOps Connect: DevSecOps Days on April 16 at the RSAC Conference in San Francisco. On today's show, I talk with Shannon, Caroline and Paula, on what they hope to accomplish during their talk, and why DevSecOps is becoming the hottest topic in this year's growth of the DevOps Community.

Feb 26 2018

35mins

Play

Rank #16: OWASP Hacker Kids in Bangalore

Podcast cover
Read more
Most of us want to help kids become proficient in programming and cybersecurity, but don't know how to get started or have time to manage such a project. Prashant Kv figured he'd put a team together with Vandana Verma and Rupali Dash and give it a shot.

The first event in Bangalore was a huge success, with over 200 kids participating. I spoke with the Prashant, Vandana and Rupali about how the event was put together, why it worked and what their plans are for future events.

Aug 29 2017

15mins

Play

Rank #17: Jonathan Carter - OWASP and Mobile Security

Podcast cover
Read more
On the day before Black Hat 2014 kicked off, I was able to sit with Jonathan Carter to talk about his work and the projects he participates on in OWASP. The audio recording is a bit raw because the sound was cranked up in a conference full of people. What Jonathan has to say should more than compensate.

About Jonathan Carter
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security.

Jonathan’s technical background in artificial intelligence and static code analysis has lead him to a diverse number of security roles: Enterprise Security Architect, Web Application Penetration Tester, Fortify Security Researcher, and Security Governance lead. He is currently Arxan’s Technical Director.

Aug 15 2014

22mins

Play

Rank #18: Wait! Wait! Don't pwn me! from AppSec Europe 2014

Podcast cover
Read more
It's become a regular thing at AppSec: test the experts on their knowledge of current software security news events. This session was recorded at AppSec Europe 2014 with panelists Chris Eng, Matt Tesauro and Josh Corman.

If you'd like to play along, you can view the gameshow slide deck. Looking forward to seeing you at our next AppSec session of "Wait Wait! Don't pwn me!"

Jul 18 2014

32mins

Play

Rank #19: OWASP Offensive Web Testing Framework with Bharadwaj Machiraju and Abraham Aranguren

Podcast cover
Read more
In this segment, we talk with the co-coordinators of the OWASP OWTF Project. The aim of the project is to make security assessments as efficient as possible by automating the manual, uncreative part of pen testing.

Apr 15 2015

20mins

Play

Rank #20: John Melton and the OWASP AppSensor Project

Podcast cover
Read more
The OWASP AppSensor Project has just released version 2.0. In this broadcast we speak with John Melton, project code lead, on the latest features in the release and what the future looks like for the project.

About John Melton
John is one of the co-leaders for the OWASP AppSensor project and leads the software implementation. For his day job, he is a principal security researcher for WhiteHat Security, working in the SAST space. His background is in software and security engineering.

Feb 13 2015

18mins

Play

How to Engage 4000 Developers in One Day

Podcast cover
Read more
When Derek Weeks and I started All Day DevOps in 2016, we were unsure as to whether anyone would be interested.It's now four years later. Last week we had close to 37,000 people register for the event. We're still trying to wrap our head around the scale of something that generates a world wide audience in the tens of thousands for a 24 hour conference.

One of the things that has grown organically from All Day DevOps is a concept called "Viewing Parties". It's an idea the community has created, not something planned by us. Over 170 organizations, meetups or user groups around the world setup a large screen and invited colleagues and friends over to share in the DevOps journeys that were being told throughout the day. Last year, we heard through the grapevine that State Farm had over 600 people show up to participate at their viewing party in Dallas. That's 600 people internally at State Farm.

When I heard about it, I knew I had to speak with Kevin ODell, Technology Director and DevOps Advocate at State Farm, the person who coordinated the event. Our initial conversation was a fascinating view into how he pulled off such a large event, internally. We kept in touch throughout the year, leading up to 2019 All Day DevOps. Keeping track of the registrations for Kevin, he soon came to realize what he had created was now a viral event at State Farm. For 2019, State Farm had 4000 of their 6000 developers confirmed to attend All Day DevOps. To me, that's just remarkable. While at the DevOps Enterprise Summit last month, Kevin and I sat down to talk about how he created such an incredible event, the process for getting business buy-in, and how he measures the value of letting 4000 developers collectively watch videos for the day. Even if I wasn't one of the co-founders of All Day DevOps, I'd find this a fascinating story. Stay with us and I think you'll be impressed, too.

Nov 14 2019

17mins

Play

Code Rush, DevOps and Google: Software in the Fast Lane

Podcast cover
Read more
Shortly after watching the documentary, Code Rush, I met with Tara Hernandez, the hockey stick carrying lead of the Netscape project that was being documented. We sat down at the Jenkins World Conference in San Francisco to talk about the effect that project had on her career, what she has been doing since with her position at google, and what she hopes to be working on in the coming years.

We started our conversation by exploring the relationship between the Netscape project in 1998 and the current state of DevOps. Would DevOps have made a difference... the answer might surprise you.

Oct 17 2019

28mins

Play

The Unicorn Project w/ Gene Kim

Podcast cover
Read more
Edwards Deming went to post-war Japan in the late 1940s to help with the census. While there, he built relationships with some of the main manufacturers in the region, helping them understand the value of building quality into a product as part of the production process, thus lowering time to market, eliminating rework and saving company resources. In his 1982 book, "Out of the Crisis", Deming explained in detail why Japan was ahead of the American manufacturing industry and what to do about. His "14 Points on Quality Management" helped revitalize American industry. Unknowingly, he laid the foundation for DevOps 40 years later.

Eli Goldratt published "The Goal" in 1984, focusing on the "Theory of Constraints", the idea that a process can only go as fast as it's slowest part. In fictionalized novel form, Goldratt was able to reach a wide audience who would utilize the theory to help find bottlenecks, or constrainsts, within production that were holding back the entire system. Once again, the theories espoused in The Goal were a precursor to the DevOps movement 40 years later.

In January 2013, 40 years after Deming and Goldratt reshaped the manufacturing processes in American, Gene Kim published "The Phoexnix Project". He used the same format as Goldratt, telling the story in a fictional novel format with characters who were easily identifiable within the software manufacturing process, from a manager's point of view. The Phoenix Project is now one of the most important books in the industry, and is used as a starting point for companies interested in participating in a DevOps transformation.

It's now six years later, 2019. Gene's new book, The Unicorn Project, will be released at the upcoming DevOps Enterprise Summit in Las Vegas on October 28. This new book has an interesting premise: What was going on with the software development team in the Phoenix Project as the management team was flailing to get the project back on track. It's a novel approach to have parallel timelines in separate books, looking at the same project.

In this broadcast, Gene and I talk about how the Unicorn Project aligns with the Phoenix Project, the overlap in storylines, and why he chose to speak for software developers in this iteration of the story. Do a quick review of the Phoenix Project, which is probably already on your bookshelf, and then listen in as we discuss using Deming, Goldratt and Kim as the foundation of the principles of the DevOps movement.

Oct 16 2019

44mins

Play

DevOps, DevSecOps and the Year Ahead w/ Sacha Labourey

Podcast cover
Read more
Once a year, Sacha Labourey and I sit down to discuss the past year and what the coming year looks like for DevOps and Jenkins. As CEO of CloudBees, Sacha has broad visibility into the progress of the DevOps/DevSecOps communities. We started our talk this year, commenting on the growth of the Jenkins World conference, with over 2000 attendees... what does Sacha attribute that to and does it coincide with the growth within the DevOps community. We continued our discussion by examining how cultural transformation within a company must align with the tools that are available to help with that transformation. Along the way we touched on where cultural transformation comes from within an enterprise, the question of whether DevOps has yet to jumped the chasm, the tipping point for a company's full acceptance of DevOps patterns, and what does Sacha hope to accomplish in the coming year

All Day DevOps: A Supporter of DevSecOps Podcast
If you're listening to this podcast, you've probably heard of All Day DevOps. This year, All Day DevOps has expanded to 150 sessions, including 9 sessions dedicated to OWASP projects such as Seba talking about DevOps Assurance with OWASP SAMMv2, the OWASP Security Knowledge Framework with Glen & Ricardo ten Cate, DevSecOps in Azure with OWASP DevSlop featuring Tanya Janca, and an overview of the OWASP Top 10 with Caroline Wong. Simon talking about the OWASP ZAP HUD project is another session not to be missed. All Day DevOps is a free, community event, sponsored and supported by hundreds of organizations like yours from around the world. Registration is free. Go to All Day DevOps dot com to register and start building your schedule. All Day DevOps. All live. All online. All free.

Oct 07 2019

33mins

Play

Is it time to trust Equifax again? You decide.

Podcast cover
Read more
I was affected by it. You were affected by it. We were all affected by the Equifax breach in September 2017. The truly interesting thing about it is, Equifax wasn't the only company hit by the struts 2 vulnerability that day. Many other companies were hit by it within that time period, but Equifax became the poster child for the main stream media. It was just too easy of a target because of consumer visibility.

In the two years since the breach, Equifax has been working hard to restore its reputation, not just with consumer protection, but with the companies that depend upon credit data to make real business choices. I wanted to find out what Equifax is doing behind the scenes not just reputation wise, but technology wise when it comes to protecting data. Was it status quo as soon as the buzz died down? Did they pay their fine and go back to business as usual? Or are they making changes under the hood that will make a difference in how financial data is handled and what can be done with it.

I met with Sean Davis, Chief Transformation Evangelist at Equifax, while at Jenkins World in August. It had been two years since the breach, and I wanted to hear what was happening internally, what changes have been made and why we should begin to trust Equifax again. I have to say I was surprised. When I sat down with Sean, I thought there would be hesitancy, some caution as to what could and couldn't be talked about. To my surprise, it was a transparent discussion. I asked him questions I wanted to know as a consumer, as well as the technical queries about what's going on under the hood at Equifax, what changes have been made to make my data more secure.

Is it time to trust Equifax again? I'll let you decide.

Sep 17 2019

35mins

Play

2019 Global AppSec Conference DC w/ Ben Pick

Podcast cover
Read more
OWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest security tribes in the world. In this episode of the DevSecOps Podcast Series, I speak with Ben Pick one of the organizers of the conference about what's important about this type of gathering and what you can expect when attending.

https://dc.globalappsec.org/

Aug 23 2019

20mins

Play

2019 State of the Software Supply Chain Report

Podcast cover
Read more
The 2019 State of the Software Supply Chain Report was released on June 25th. The report is an analysis of the answers from over 5500 participants, allowing data researchers the ability to extrapolate what the most productive enterprises are doing when it comes to managing the software supply chain, and how that compares to less efficient development practices. The purpose of the analysis was to objectively examine and empirically document, release patterns and hygiene practices across 36,000 open source project teams and 3.7 million open source releases.

In this conversation I speak with Derek Weeks, Project Lead for the report, and Stephen Magil, who along with Gene Kim, acted as research partners on the report. If you've been looking for verified research that can be used to help justify a DevOps initiative, or to validate the value of DevOps projects within your company, you'll want to stay with us.

Jun 27 2019

33mins

Play

The Vanity of Diversity

Podcast cover
Read more
Let's not talk around the subject here... women are under represented when it comes to speaking or participating in tech conferences. It's a male dominated culture.

When I saw Lani Rosales had published, "The Ultimate list of Austin women who can speak at your tech event" in response to the complaint that there are no women speakers available in the tech industry, I called her right away. As co-founder of the world's largest DevOps conference, All Day DevOps, and as one of the core organizers of the global DevSecOps Days series of events, I wanted to hear how the list came together, her motiviation for creating the list and how the tech community has responded to an overt call for women speakers.

One of the most surprising topics during our conversation was the continual reference to "the vanity of diversity". Lani is opposed to replacing males speakers just for the sake of having a token female speaker or panelists. As she says it, "Let's not remove male speakers, let's add female speakers." When she said that, it resonated with me. That's how true diversity works: add women, don't subtract men.

Lani's vision is to make attendees, all attendees, feel welcome, represented and given the feeling that their way of thinking is welcome in the room, in the conference, and in the community. That's the true reason for diversity, and that's what we'll be talking about today.

The Ultimate List of Austin Women Who Can Speak at Your Tech Event
https://theamericangenius.com/tech-news/austin-women/

May 15 2019

26mins

Play

Create and Manage Internal Tech Conferences

Podcast cover
Read more
I produced my first concert at the San Anselmo Playhouse in 1979. It was the first in a series of events that has lasted 40 years. I have produced more than 300 events and participated in many hundreds more as a speaker and participant. As the producer of this many events, I have an internal map of what to do to make an event successful, the steps to create and manage the logistics of an event, and how to promote them. All Day DevOps, a live online conference I co-founded with Derek Weeks, has over 30,000 registrations yearly. This type of involvement gives me a unique perspective into why an event is successful.

In the past few years, I've been sketching out a "How To.." manual on producing successful events. When the book "Building Internal Conferences" came across my radar, my first thought was "Good! Something I won't have to do." After looking through the book, I called authors Matthew Skelton and Victoria Morgan-Smith to trade stories on tips and tricks for managing successful events.

You might ask yourself at this point, "Why is this being covered on a tech podcast?" With so much to choose from when it comes to webinars, meetups, user groups and conferences, many companies are choosing to host their own event internally, or participate as supporters of a regional event. Industry conferences such as DevOps Days, DevSecOps Days, and SharePoint Saturday are run by local teams who are engaged in community development and education. This episode of the DevSecOps Podcast focuses on helping you as an event organizer avoid the "Epic Failures" that would stop your event from being a success.

Where to find the book:
https://confluxdigital.net/conflux-books/book-internal-tech-conferences

May 08 2019

37mins

Play

Securing the Software Supply Chain - Live Panel for International Conference on Cyber Engagement

Podcast cover
Read more
In April 2019, I was invited to host a panel at the International Conference on Cyber Engagement in Washington DC, to discuss "Securing the Software Supply Chain". On the panel were four of the top voices in software supply chain management:

- Edna Conway, Chief Security Officer, Global Value Chain, at CISCO
- Joyce Corell, Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, US Office of the Director of National Intelligence
- Bob Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, US Department of Homeland Security
- Dr. Suzanne Schwartz, Associate Director for Science & Strategic Partnerships, Center for Devices & Radiological Health, US Food & Drug Administration

This episode of the DevSecOps Podcast is the full session from the conference. It is an extended session, running an hour and a half, significantly longer that our usual broadcast. I think you'll find it worth the time. Thank you to the ICCE for allowing rebroadcast of the panel. Pull up a chair, sit back, and listen in as we discuss Securing the Software Supply Chain.

May 06 2019

1hr 28mins

Play

Tel Aviv and the 2019 Global AppSec Conference

Podcast cover
Read more
When I think of Tel Aviv, I imagine a robust, young culture, living a good, fun life. Not only is the culture conducive to a young life style, its tech industry continues to gain traction. As Wired Magazine said last August, "Israeli startups have always been high on Silicon Valley shopping lists, but Tel Aviv is beginning to shake off its reputation as Europe’s exit capital." Zebra, the medical diagnostics company, MyHeritage online family tree service, Via ride sharing service, and the Waze navigation app, as well as dozens of other influencial start-ups call Tel Aviv home. This places Tel Aviv at the heart of the tech industry in Isreal and encourages conferences and gatherings on a regional, as well as global scale.

In this broadcast, I speak with Avi Douglen and Ofer Moar, co-chairs of the upcoming Global AppSec Conference in Tel Aviv. They are both active participates in OWASP and the security community. I called them to find out more about the conference, how it's different from other conferences and what participants can expect as takeaways from the event.

More information and registration:
https://telaviv.appsecglobal.org/

May 01 2019

18mins

Play

Persectives on the "Sec" in DevSecOps w/ Tanya Janca

Podcast cover
Read more
If you've read the Phoenix Project, you'll remember Brent, the indispensable cog on the operations team. Brent was a good guy, he wanted to do the right things, all of the right things, but was pulled in all directions because of the lack of a unified plan for the company's project workflow. But what if Brent didn't want to do the "right" thing? What if Brent was more interested in the convenience of getting his work done than he was in the overall health and output of the project. What if he deployed to production without checking into SourceSafe, not just once, but for years.

From Tanya janca: I went to our trusty code repository, took a copy of the most recent code. I went looking for the bug, and I couldn't even find it. And then I'm running it locally, and I'm looking at the real one in prod. And they're completely different. I'm like, "What would have happened if I had pushed to prod? If I fixed that bug, and pushed to prod, and not noticed the difference?" And he's like, "All my work would have been gone. That would have been your mistake." I'm like, "Are you kidding?" He's like, "It's just easier if I check it in directly, if I just edit it right on the web server. It's just easier for me." I'm like, "Oh. Is it easier to do a shitty job? No. No, no, no.

In today's episode, Tanya Janca, Cloud Security Advocate, Microsoft, expands on her just published article, "DevSecOps: Securing Software in a DevOps World", clarifying each of the 5 tactics she uses to integrate not just security into the software development process, but how to manage people as part of that process. Have a listen...

Apr 16 2019

44mins

Play

2019 Open Security Summit Preview

Podcast cover
Read more
Three years ago there was an idea floating around OWASP... a core community was looking for a way to have an isolated week, where security project working groups could get together, with no distractions, and work on projects they felt were important. From this idea, the Open Security Summit was founded. Now in it's third year, the summit takes place in an isolated forest located between London and Manchester.

The format for the gathering is to present an environment, with no distractions, where the community of 150 security professionals can meet to update each other on their progress in the past year and to choose working groups to outline and work on future projects.

This is not a podium lecture series conference. It is a 5-day high-energy experience, during which attendees get the chance to work and collaborate intensively. Each working session is geared towards a specific Application Security challenge and will be focused on actionable outcomes.

In this episode, I speak with Seba (Sayba) Deleersnyder, Denis Cruz, Jemma Davis and Francois Raynaud, core organizers of the event, talking about why they started the event, what has changed over the years and what you can expect as an attendee at the Open Security Summit.

https://opensecuritysummit.org/

Apr 09 2019

19mins

Play

What is an SBOM and Why Should You Care? w/ Allan Friedman

Podcast cover
Read more
Open-source components and their use within the software supply chain has become ubiquitous within the past few years. Current estimates are that 80-90% of new software applications consist of open-source components and frameworks. Section A9 of the OWASP Top 10 places components with known vulnerabilities as one of the most prevalent and abused parts of the software supply chain, placing it at a security weakness level of three, on a scale from one to three. Quoting from the OWASP description in A9, "Component-heavy development patterns can lead to development teams not even understanding which components they use in their applications or APIs, much less keeping them up to date."

In today's episode, I speak with Allan Friedman, Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration. Our talk focused on the creation of a Software Bill of Materials, or an SBOM. As we begin, Allan describes his role in the project and what they hope to accomplish.

About Allan Friedman
I'm the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, or NTIA. We're a tiny part of the US Department of Commerce, and our mission really is about promoting a free, open, and trustworthy internet.

Over the past few years, we've engaged in what we call "multistakeholder processes", trying to identify areas where the entire digital ecosystem can come together on things that they care about and make progress. So the government doesn't have a vested interest in the outcome, we just feel that we'll all be better off if the community can find common ground and consensus.

Apr 02 2019

33mins

Play

What is Chaos Engineering, an Interview with Casey Rosenthal

Podcast cover
Read more
"Chaos engineering is an empirical practice of setting up experiments to figure out where your system is vulnerable so that you can know that ahead of time and proactively fix some of these vulnerabilities in your system." -- Casey Rosenthal

In this broadcast, I speak with Casey Rosenthal about the beginnings of Chaos Engineering and Netflix and how the concept has morphed into a cross-industry community, sharing ideas through local chaos conferences.

Mar 18 2019

29mins

Play

Ladies of London Hacking Society w/ Eliza-May Austin

Podcast cover
Read more
The Ladies of London Hacking Society was created by Eliza-May Austin in an act of frustration.Having nowhere to turn to meet other women within the security industry in the UK,Eliza-May fired off an online post lamenting the lack of local community support for technical security-based women. Her story is a common one.

The post seemed to resonate with the local community. In a short time, she had close to 500 women join her London Meetup Group, focusing on sharing technical skills and industry stories.

Mar 13 2019

30mins

Play

Anticipating Failure through Threat Modeling w/ Adam Shostack

Podcast cover
Read more
What am I working on?
What can go wrong?
What am I going to do about it?
Did I do a good job?

These are the four questions at the heart of threat modeling In this episode, I speak with Adam Shostack, author of Threat Modeling: Designing for Security. We talk through how to begin threat modeling and the expectations of using modeling. Adam walks through the history of threat modeling, including his creation of the Elevation of Privilege game.

Feb 12 2019

33mins

Play

We Are All Special Snowflakes with Chris Roberts

Podcast cover
Read more
This is the sixth episode in an eight part series, talking with the authors of "Epic Failures in DevSecOps". In this segment, I speak with Chris Roberts about his chapter, "We are all special snowflakes", diving into topics as diverse as the failure of the security industry to protect us from ourselves and what is considered "acceptable" monitoring when it comes to the government, and to social sites.

You can download a free copy of Epic Failures at DevSecOpsDays.com

Feb 07 2019

35mins

Play

A Concise Introduction to DevSecOps

Podcast cover
Read more
The inclusion of security as an integral piece of the DevOps puzzle continues to gain traction. In this episode of the DevSecOps Days Podcast Series, I speak with Curtis Yanko and Scott McCarty about their new book, "A Concise Introduction to DevSecOps". We discuss why they wrote the book, who the audience is that will benefit from it and why enterprises should be considering security as part of the software development environment.

Jan 18 2019

26mins

Play

What's In Store for the AppSec Cali Conference w/ Richard Greenberg

Podcast cover
Read more
As if there aren't enough reasons to go to Southern California in the middle of a New York winter, AppSec Cali opens it's doors for its 6th Annual OWASP conference on January 22, 2019. In this broadcast, I speak with Richard Greenberg, one of the core organizers of the conference, talking about why people come, what they can expect to see and why he continues to help produce the conference year after year.

For a transcript of this broadcast, go to DevSecOpsDays.com and click on "Podcasts".

Jan 15 2019

19mins

Play

iTunes Ratings

21 Ratings
Average Ratings
16
3
1
0
1

Very Well Done!

By rampanteer - Mar 16 2009
Read more
By far, the best podcast dealing with webapp security that I've found.

Fantastic!

By jinxpuppy - Dec 30 2008
Read more
Great resource to listen to