Episodes List

Brook Schoenfield is a Master Security Architect @IOActive and author of Securing Systems, as well as an industry leader in security architecture and threat modeling, and a friend.

“We have a static analysis tool. Why do we need a program?” This is what Brook overheard at one point in his past, from a company CTO, and it sums up the program issue. The CTO was trying to drive a technical strategy for an entire company, and security was just one piece of that. A mandate or a tool would have made life so easy.

Brook takes us on a journey based on his experience building programs, with advice, stories, comments, and quotes. We talk about architecture, culture, mindset, tools, compilers and so much more.

Catch Brook’s next book, “Secrets of a Cyber Security Architect” which arrives in Fall 2019.

Here is Brook’s first book on Amazon: Securing Systems: Applied Security Architecture and Threat Models

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Liran Tal is a Developer Advocate @snyksec and is the author of Essential Node.js Security. He takes #opensource and protecting the #web very seriously.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Why should someone care about open source security?

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Steve Springett is a technologist, husband, father, entrepreneur, and tequila aficionado. He is the creator of the OWASP @DependencyTrack and @CycloneDX_Spec. In this conversation, we begin with the problem of software supply chain risk and the failures of commercial Software Composition Analysis tools. We then go through an extensive list of criteria for purchasing a software composition analysis tool. I have never seen a list like this ever shared anywhere in the industry. Steve is definitely in the know when it comes to these types of tools, and this is a detailed checklist of what he looks for in a tool.  We end with a 60-second update on Dependency Track.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

The question is for Steve Springett, in regards to Software Composition Analysis / Software Supply Chain and OWASP Dependency Track.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Elissa Shevinsky is CEO at Faster Than Light. She’s had a storied career as an entrepreneur with Brave, Everyday Health, and Geekcorps. We discuss Elissa’s origin story, security startups, and the value of mentoring to her career. Then we get into Static Analysis and how we make security easier for people so that security gets done. 

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Robert asks Elissa Shevinsky, why should people be nice, or why is niceness important in security?

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Matt McGrath is an old school Java developer that made the transition into security. Matt has had success in rolling out a programmatic approach to security improvement called security coaching.

A security coach is much more than a wellness or life coach for your developers. They have some commonalities, but the security coach is thinking about how you help the developer want to get better at security. In his experience, developers are not going to kick and scream away from security but will embrace it when asked.

The job description for a good coach does not require a development background. The biggest thing you need is a passion for security. Communication is one of the most important things for a coach to have as well, and technical skills do not hurt.

We hope you enjoy this conversation with Matt McGrath.

Our sponsor for this episode is Security Journey. Security Journey knows that building security culture takes time and planning. Our belts are carefully designed to help you build security culture from the ground up.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Erez Yalon and Liora Herman are both passionate security professionals. They joined forces to create the AppSec Village, an event at DefCon in Las Vegas. If you are in Vegas for BH/DC, stop by the village and say hi to Robert, who will be in attendance as well.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

It’s BlackHat and DefCon season, so we asked a question of Erez Yalon; why did you start the AppSec Village?

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modeling. In this episode, we take threat modeling to a whole new level as we explore the idea of threat modeling layer 8 or human beings, and explore the concept of conflict modeling.

You’ll find Adam’s conflict modeling work on GitHub.

https://github.com/adamshostack/conflictmodeling

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

If you’ve done anything with threat modeling, you’ve heard of Adam Shostack. We asked him the question, “why would anyone threat model?”.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Zoe Braiterman is an Innovation Intelligence Strategist focused on both the Machine and Human and also the OWASP WIA Chair. We explore the intersection of application security with artificial intelligence and machine learning and end up discussing data protection. Zoe approaches AppSec from a different angle, and her perspectives get us thinking about the importance of appsec in the future of autonomous everything.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Caroline Wong has had a long career in security, starting with eBay and leading to her role today at Cobalt.IO as Chief Strategist. Caroline shares her explanation of self-care and tells her story about how neglecting self-care led to problems. She offers ideas about how to better approach self-care as a security professional, work-life balance, and ways for approaching a successful career in security.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Björn Kimminich is the project leader for OWASP JuiceShop. This is his second visit to the podcast, and we discuss new features in JuiceShop, including XSS in jingle promo video, marketing campaign coupon hacking, GDPR related features and challenges, working 2FA with TOTP, and the DLP failure challenges. Then we get into the cool new things that will come as a result of the GSoC, where a developer will add new functionality to the JS where new vulns can be hidden. We end discussing the upcoming Open Security Summit from OWASP.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Björn Kimminich is the project leader for OWASP JuiceShop. He created JuiceShop out of necessity, after reviewing all the available vulnerable web apps years ago, and not finding what he needed. OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Nancy Gariché and Tanya Janca are two of the project leaders for the OWASP DevSlop Project. As we learn more about DevSlop, we realize that it is much more than a project: it’s a movement. DevSlop is about the learning and sharing of four awesome women and is a platform for them to share what they’ve learned with the community.

DevSlop consists of four different modules:

1. Patty – An Azure DevSecOps pipeline
2. Pixi-CRS & Pixi-CRS-ZAP are two Circle-CI pipelines that demonstrate adding a WAF to your pipeline for automatic tuning before moving your apps to prod
3. Pixi is an intentionally vulnerable app and consists of a vulnerable web app and API service,
4. The DevSlop Show, a video streaming series where project members build things live, interview members of the OWASP and InfoSec community, and learn where they fit into DevOps.

We hope you enjoy.

Find Nancy, Tanya, and DevSlop on Twitter.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Tanya Janca is excited about mentoring. She’s started a hashtag on Twitter for mentors to find mentee’s, and for mentee’s to search for mentors. Mentoring is such an essential part of growing our community, so if you are not mentoring anyone today, I can only ask, why not? Here is Tanya’s take on mentoring and her advice on how to get involved with #MentoringMonday.

5 Minute AppSec is an AppSec Podcast experiment with micro-content. Hit us up on Twitter and tell us what you think, @AppSecPodcast.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Matt Clapham is a product security person, as a developer, security engineer, advisor,  and manager. He began his career as a software tester, which led him down the path of figuring out how to break things.   Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. (And if he visits your booth at an event, you better know how your companies make a secure product or solution!)

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Jon McCoy is a security engineer, a developer, and a hacker; and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion to connect people and break down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas.  Jon also remembered a cautionary tale of Robert’s Fitbit out at a DefCon event. Jon is someone we can all learn from about giving back to our community.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Omer Levi Hevroni has written extensively on the topic of Kubernetes and secrets, and he’s a super dev. He’s the author of a tool for secrets management called Kamus. Kamus is an open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS, and AES).

Find Omer on Twitter to converse about all things K8s and secrets.

Show notes:

https://blog.solutotlv.com/can-kubernetes-keep-a-secret/

https://github.com/Soluto/kamus

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as a “A Pythonic framework for threat modeling”. The GitHub page goes on to say define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate, a Data Flow Diagram (DFD), a Sequence Diagram and most important of all, threats to your system.

Reach out to Izar on Twitter and visit the pytm GitHub page to download and try this tool out for yourself!

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and ZAP API.

ZAP is an OWASP FlagShip Project and is available here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More

Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash.

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Android | Email | Google Podcasts | Stitcher | TuneIn | Spotify | RSS | More