Application Security PodCast
Security is a journey, not a destination.
Elissa Shevinsky — Static Analysis early and often
Episode on Application Security PodCast
Elissa Shevinsky is CEO at Faster Than Light. She’s had a storied career as an entrepreneur with Brave, Everyday Health, and Geekcorps. We discuss Elissa’s origin story, security startups, and the value of mentoring to her career. Then we get into Static Analysis and how we make security easier for people so that security gets done. The post Elissa Shevinsky — Static Analysis early and often appeared first on Security Journey.
29:12
Elissa Shevinsky — Be Kind, Security People — 5 Minute AppSec
Episode on Application Security PodCast
Robert asks Elissa Shevinsky why people should be nice, and why niceness is important in security.
02:18
Matt McGrath — Security coaches
Episode on Application Security PodCast
Matt McGrath is an old school Java developer who made the transition into security. Matt has had success in rolling out a programmatic approach to security improvement called security coaching. A security coach is much more than a wellness or life coach for your developers. They have some commonalities, but the security coach is thinking about how you help the developer want to get better at security. In his experience, developers are not going to kick and scream away from security but will embrace it when asked. The job description for a good coach does not require a development background. The biggest thing you need is a passion for security. Communication is one of the most important things for a coach to have as well, and technical skills do not hurt. We hope you enjoy this conversation with Matt McGrath. Our sponsor for this episode is Security Journey. Security Journey knows that building security culture takes time and planning. Our belts are carefully designed to help you build security culture from the ground up.
43:53
Erez Yalon and Liora Herman – The Application Security Village @ DefCon
Episode on Application Security PodCast
Erez Yalon and Liora Herman are both passionate security professionals. They joined forces to create the AppSec Village, an event at DefCon in Las Vegas. If you are in Vegas for BH/DC, stop by the village and say hi to Robert, who will be in attendance as well.
22:53
Erez Yalon – AppSec Village – 5 Minute AppSec
Episode on Application Security PodCast
It’s BlackHat and DefCon season, so we asked Erez Yalon a question: why did you start the AppSec Village?
01:30
Tommy Ross — The BSA Framework for Secure Software
Episode on Application Security PodCast
Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software. This document caught our attention when it came out a few months ago, as it is a reliable representation of all the pieces an organization needs for software security. Tommy shares with us some of the background stories on how this document came to be, and also walks through the various pieces contained within. If you’d like to comment or collaborate on this document, it is available in review form at https://github.com/thomasrbsa/BSA-Framework-for-Secure-Software. The PDF is available on the BSA website: https://www.bsa.org/files/reports/bsa_software_security_framework_web_final.pdf
36:58
Adam Shostack — Threat modeling layer 8 and conflict modeling
Episode on Application Security PodCast
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author, and game designer. He’s a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modeling. In this episode, we take threat modeling to a whole new level as we explore the idea of threat modeling layer 8, or human beings, and explore the concept of conflict modeling. You’ll find Adam’s conflict modeling work on GitHub: https://github.com/adamshostack/conflictmodeling
35:56
Adam Shostack – Threat Modeling – 5 Minute AppSec
Episode on Application Security PodCast
If you’ve done anything with threat modeling, you’ve heard of Adam Shostack. We asked him the question, “why would anyone threat model?”
01:55
Zoe Braiterman — AI, ML, AppSec, and a dose of data protection
Episode on Application Security PodCast
Zoe Braiterman is an Innovation Intelligence Strategist focused on both the Machine and the Human, and also the OWASP WIA Chair. We explore the intersection of application security with artificial intelligence and machine learning and end up discussing data protection. Zoe approaches AppSec from a different angle, and her perspectives get us thinking about the importance of AppSec in the future of autonomous everything.
26:03
Caroline Wong — Self-care and self-aware for security people
Episode on Application Security PodCast
Caroline Wong has had a long career in security, starting with eBay and leading to her role today at Cobalt.IO as Chief Strategist. Caroline shares her explanation of self-care and tells her story about how neglecting self-care led to problems. She offers ideas about how to better approach self-care as a security professional, work-life balance, and ways of approaching a successful career in security.
40:50
Björn Kimminich — The new JuiceShop, GSOC, and Open Security Summit
Episode on Application Security PodCast
Björn Kimminich is the project leader for OWASP JuiceShop. This is his second visit to the podcast, and we discuss new features in JuiceShop, including XSS in the jingle promo video, marketing campaign coupon hacking, GDPR-related features and challenges, working 2FA with TOTP, and the DLP failure challenges. Then we get into the cool new things that will come as a result of GSoC, where a developer will add new functionality to the JS where new vulns can be hidden. We end by discussing the Open Security Summit from OWASP.
28:31
Björn Kimminich — JuiceShop — 5 minute AppSec
Episode on Application Security PodCast
Björn Kimminich is the project leader for OWASP JuiceShop. He created JuiceShop out of necessity, after reviewing all the available vulnerable web apps years ago and not finding what he needed. OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
04:45
Nancy Gariché and Tanya Janca — DevSlop, the movement
Episode on Application Security PodCast
Nancy Gariché and Tanya Janca are two of the project leaders for the OWASP DevSlop Project. As we learn more about DevSlop, we realize that it is much more than a project: it’s a movement. DevSlop is about the learning and sharing of four awesome women and is a platform for them to share what they’ve learned with the community. DevSlop consists of four different modules: Patty, an Azure DevSecOps pipeline; Pixi-CRS and Pixi-CRS-ZAP, two CircleCI pipelines that demonstrate adding a WAF to your pipeline for automatic tuning before moving your apps to prod; Pixi, an intentionally vulnerable app consisting of a vulnerable web app and API service; and The DevSlop Show, a video streaming series where project members build things live, interview the OWASP and InfoSec community, and learn where they fit into DevOps. We hope you enjoy. Find Nancy, Tanya, and DevSlop on Twitter.
38:11
Tanya Janca — Mentoring Monday — 5 Minute AppSec
Episode on Application Security PodCast
Tanya Janca is excited about mentoring. She’s started a hashtag on Twitter for mentors to find mentees, and for mentees to search for mentors. Mentoring is such an essential part of growing our community, so if you are not mentoring anyone today, I can only ask, why not? Here is Tanya’s take on mentoring and her advice on how to get involved with #MentoringMonday. 5 Minute AppSec is an AppSec Podcast experiment with micro-content. Hit us up on Twitter and tell us what you think, @AppSecPodcast.
05:06
Matt Clapham — A perspective on appsec from the world of medical software
Episode on Application Security PodCast
Matt Clapham is a product security person who has worked as a developer, security engineer, advisor, and manager. He began his career as a software tester, which led him down the path of figuring out how to break things. Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. (And if he visits your booth at an event, you had better know how your company makes a secure product or solution!)
28:15
Jon McCoy — Hacker outreach
Episode on Application Security PodCast
Jon McCoy is a security engineer, a developer, and a hacker, and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion for connecting people and breaking down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas. Jon also shared a cautionary tale about Robert’s Fitbit at a DefCon event. Jon is someone we can all learn from about giving back to our community.
24:49
Omer Levi Hevroni — K8s can keep a secret?
Episode on Application Security PodCast
Omer Levi Hevroni has written extensively on the topic of Kubernetes and secrets, and he’s a super dev. He’s the author of a tool for secrets management called Kamus. Kamus is an open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS, and AES). Find Omer on Twitter to converse about all things K8s and secrets. Show notes: https://blog.solutotlv.com/can-kubernetes-keep-a-secret/ and https://github.com/Soluto/kamus
36:42
Izar Tarandach — Command line threat modeling with pytm
Episode on Application Security PodCast
Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as “A Pythonic framework for threat modeling”. The GitHub page goes on to say: define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram, and, most important of all, threats to your system. Reach out to Izar on Twitter and visit the pytm GitHub page to download and try this tool out for yourself!
28:46
Simon Bennetts — OWASP ZAP: past, present, and future
Episode on Application Security PodCast
Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and the ZAP API. ZAP is an OWASP Flagship Project and is available here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
25:27
Bill Sempf — Growing AppSec People and KidzMash
Episode on Application Security PodCast
Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash, the effort Bill started at CodeMash to provide a place for kids at cons.
20:12