People | Process | Technology Podcast

In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security in 2020, in part because of his work on the Cyber Defense Matrix, a framework for understanding and navigating your cybersecurity environments. The Cyber Defense Matrix started as a project when Sounil was the Chief Security Scientist at Bank of America. The initial problem he focused on with the matrix was how to evaluate and categorize vendors and the solutions they provided. The Cyber Defense Matrix is a structured framework that allows a company to understand who their vendors are, what they do, how they work along side one another, what problem they profess to solve, and ultimately to find gaps in the company’s portfolio of capabilities. In the seven years Sounil has been working on the project, he has developed use cases that make the Cyber Defense Matrix practical for purposes such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. The matrix has been adopted by the OWASP Foundation as a community project. Elements of the matrix have been incorporated into the Center for Internet Security’s (CIS) Top 20 Critical Security Controls. I talked with Sounil to hear how the project was going, what his plans are for the future of the matrix, and what help he can use from the community for expanding its usefulness. ABOUT SOUNIL YU Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

The Top 10 is considered one of the most important community contributions to come out OWASP. In 2003, just two years after organization was started, the OWASP Top 10 was created. The purpose of the project was to create an awareness document, highlighting the top ten exploits security professionals should be aware of. Since that time, innumerable organizations have used it as a guideline or framework for creating security programs. The current Top 10 list was released four years ago, in 2017. As part of a 2021 initiative at OWASP, the OWASP Top 10 is in the process of being updated, and scheduled for release this summer, in time for the OWASP 20th Anniversary Celebration. I was curious as to what has changed over the years with the Top 10, and what to anticipate in the upcoming release. In this broadcast, I talk with Andrew van Der Stock, Executive Direct of OWASP. He explains how the top ten exploits are chosen, the data source for determining the exploits, and the data research done to verify the selections chosen. Our conversation starts with why the OWASP Top 10 is being spotlighted after being static for the past four years. Today’s broadcast is supported by the OWASP 20th Anniversary Celebration, coming September 2021. The CFP is now open for this online, 24 hour conference. Go to OWASP.org for more information. This broadcast is also supported by JupiterOne, providing cyber asset discovery and visibility into your entire cloud native infrastructure. Know more, fear less, with JupiterOne. CFP for OWASP 20th Anniversary Celebration: https://owasp.org/2021/03/08/cfp-20th-anniversary.html

When Shannon Lietz and the team at DevSecOps.org published the DevSecOps Manifesto six years ago, security was uppermost in their minds. The manifesto starts with a call to arms… “Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.” The effect of the DevSecOps movement was not understood by many, other than the handful of practitioners who understood what the team was going after: security is the responsibility of everyone, not just the security team. Security deserves a seat at the DevOps table. Fast forward six years, and security is now not just at the table, but sitting at the head of the table, leading the way. During this transition to focus on security, operations has become the short leg on a three legged stool. What was original a two team party, Dev and Ops, became a threesome, gradually ignoring operations as Developers and Security built a strong relationship. Damon Edwards has been my go-to person when I want to talk to someone about how operations continues to be relevant as the third part of DevSecOps. I caught up with Damon a couple weeks back to talk with him about how the transition to enterprise automation is going in the industry, what has been happening in the past year with the COVID lockdown, and what he’s looking forward to in 2021. I started the conversation, asking how he perceives his role in the DevSecOps Community. ---------- This broadcast is supported by OWASP, the Open Web Application Security Project, host of “Call to Battle” a series of events for gamers, challenge champs, and fun-nerds. Get more information at owasp.org/events… and by JupiterOne.com featuring solutions that help you “Know more. Fear less” by mapping your cyber assets and knowing the relationships between those assets.

This is Mark Miller, Executive Producer. Over the years as I’ve produced the show, the topics of focus have followed the trends in the industry. What was originally called “The OWASP Podcast” became “OWASP 24/7” and then “The DevSecOps Podcast”. Each change brought with it a new audience, extending our community from exclusively OWASP practitioners, to DevOps and DevSecOps advocates. The audience for the podcast has grown, with close to 500,000 listens of the 150 episodes. We’ve covered book launches by speaking with the authors, we’ve talked about industry reports focusing on the Software Supply Chain. Topics have included Chaos Engineering, efforts to create a Software Bill of Materials initiative at the federal level, Threat Modeling and a multitude of other topics. You might have noticed something different, a new name for the podcast, at the beginning of the program today. Keeping a feel of the pulse of the industry is one of the things that interests me most as producer of the series. Currently, People, Process and Technology is starting to get its due The realization that these are not three things, but one thing that is intertwined into a convoluted, unimaginably complex whole is something that deserves our attention, and that will be our focus over the coming year. We’ll talk with practitioners who are creating security patterns for each leg of the People, Process, Technology triptych. We’ll continue to highlight OWASP projects that are focused on security, and how it relates to all aspects of technology. Guests will include leaders in the industry who are responsible for driving security, not as a stand-alone initiative, but as an integrated part of their business. Developing a secure development environment, one that builds quality into the process is something that should be of concern to everyone in that process. My desire is to help expose the practitioners who are thinking about the next generation of security, and how you can use their insights to help us build a safer world. Thank you for your continuing support. I’m excited to be expanding the program and hope you’ll stay with us for People, Process, and Technology. Support for this broadcast is provided by OWASP and JupiterOne.

OWASP is in a state of discord. Over the past few years, there have been fractures in the community. Recently, there have been arguments on the leader email list that have clearly breached the lines of etiquette. Personal attacks, distribution of funds, and complaints of lack of diversity are creating tension among the members. If we, as an organization refuse to confront these issues, there is a real potential we will no longer have relevance to the AppSec community. The in-fighting has become a detriment to chapter leaders and project leaders, who are looking to OWASP for consistent leadership and direction. In early July, the OWASP board announced the appointment of Andrew van der Stock as Executive Director. I called and spoke with Andrew at length about how he intends to confront the existing issues in the organization, and what he hopes to accomplish during his tenure. I have known Andrew for years through his work on the Application Security Verification Standard. As a previous OWASP board member, he has insight into how the board works and how to make changes. In our discussion, we spoke directly about the current problems at OWASP and Andrew's vision for moving the organization forward by confronting existing problems in policy, rewriting sections of the bylaws, and setting up enforcement of those bylaws. Andrew has not set himself an easy task. The push-back is sure to cause more strife in the beginning, but he is determined to implement changes that will make OWASP stronger in the long run, and put us on a course to continue to be a leading role to the AppSec community. In the spirit of transparency and open discussion, Andrew answered every question I had for him. He intends to continue this discussion with the community through the creation of live-online discussions. For now, Andrew is ready to implement his vision for OWASP, as he talks about here. Let's get started.

In this episode of the DevSecOps Podcast, we’re going to go off script and explore the LinkedIn algorithm. I could tie this back to DevSecOps, and how all of us need visibility for our work, or how important it is to build a community around our ideas, but the real reason is… I find this fascinating. One of the largest community engagement platforms in the world encourages us to play their game, but doesn’t tell us what the rules are! How are we to determine the best way to participate, when we have no idea on how to best contribute to maximize our visibility? Because that’s the game we are playing: how do we get, and maintain, visibility for our ideas on LinkedIn. How do we grow that visibility into an audience of our peers in order to contribute and expand those ideas. It is to the benefit of LinkedIn to give basic rules of engagement, but instead of guidelines for participation, we are punished for breaking undefined rules and rewarded for seemingly arbitrary reasons, which we then try to recreate without knowing why they were promoted. To add more complexity to the mix, the rules can change at any time. Is it a loser’s game, or are there fundamental patterns we can surface that will help give some visibility into the LinkedIn algorithm? For years, I’ve been making intuitive guesses as the best way to work on the platform. This lead me to the work of Andy Foote, from LinkedInsights, and Richard van der Blom, founder of Just Connecting, Through their research, they have found patterns that we might be able to use to expand our visibility and engagement on LinkedIn. I say “might”, because when you don’t know the rules, you don’t know when the rules change. On May 8, 2020, Richard, Andy and I sat down to discuss their research into the algorithm that determines how much visibility your content gets on LinkedIn. Andy’s article, “The LinkedIn Algorithm Explained In 25 Frequently Asked Questions” and Richard’s investigations which turned into “The LinkedIn Research Algorithm”, were the basis for our discussion. What I learned from them immediately changed how I engage with LinkedIn. When I say “immediately”, I mean within minutes of talking with them. Resources from this episode Richard van der Blom offers customized LinkedIn training sessions at Just Connecting https://www.justconnecting.nl/en/ Andy Foote offers LinkedIn coaching sessions at LinkedInsights.com The LinkedIn Algorithm Explained In 25 Frequently Asked Questions by Andy Foote https://www.linkedinsights.com/the-linkedin-algorithm-explained-in-25-frequently-asked-questions/ The LinkedIn Algorithm Full Report by Richard van der Blom https://www.slideshare.net/RichardvdBlom/full-report-linked-in-algorithm-july-2019

When I read Richard Stiennon's latest article in Forbes, The Demise of Symantec, I thought it was absolutely fascinating. Richard walks through the process of what happened at Symantec, how it was an acquisition engine for so many years, and now how it's started to decline. I got in touch with Richard and told him I'd like to have him read his article for the podcast, and he responded right away. What you'll hear in this episode is Richard talking about and reading from his article, The Demise of Symantec. Resources for this podcast: The Demise of Symantec, Forbes Online https://www.forbes.com/sites/richardstiennon/2020/03/16/the-demise-of-symantec/#6522117b5fc7 Security Yearbook 2020 https://www.security-yearbook.com/

Equifax is trying... I mean REALLY trying... to regain your trust. The Equifax CTO and CISO delivered the keynote at DevSecOps Days during 2020 RSAC. They contributed to multiple sessions and panels during the conference. The message was consistant: "Yes, we had a major problem. Here's what we're doing about it. Here's what you can learn from us." From a technical perspective, Bryson Koehler, CTO, and Jamil Farshchi, CISO, took on all questions from the audience. Nothing was out of bounds. They stayed after the session to talk one-on-one with those who had more questions. The words I heard most from the audience about the session was 'humility' and 'transparency'. That's a far cry from the poster child of breaches image the company has had to carry since 2017. Bryson and I sat down after the session at DevSecOps Days to go more into detail on what Equifax is working on, not just to re-gain user confidence, but to make a difference in the technology industry when it comes to lessons learned. He and Jamil are in the process of rebuilding the technology infrastructure at Equifax. They want to create a self-service, customer driven platform, that will include security as part of an automated solution to the future of data privacy. They are willing to openly share what they are working on, what has worked, what hasn't worked, all while building transparency into the process so that everyone can learn, not just the engineering team at Equifax. In this episode, we start with how Bryson felt the audience responded to the message from the stage, and what he had hoped to accomplish by stepping into the public spotlight.

If you like what you hear, you can download the entire book at sonatype.com/epicfailures As we were putting the finishing touches, getting ready to publish the latest version of Epic Failures in DevSecOps, I reread Jaclyn Damiano's chapter and was struck by how unique her message is. This is a personal story, one that will resonate with many people in the tech industry. It's a story of beginnings, of hardships, of leadership and finally, how all that combines into something much bigger than a technology solution. It's a story that talks about transforming people, not just companies. What you'll hear in this broadcast is Jaclyn reading her chapter, "Making Everyone Visible in Tech". There's no narrator, no discussion, just Jaclyn in her own words telling the story behind The Athena Project. It's a story of how she and her team took a diverse set of 40 applicants from underserved communities, with little to no technical background, and created a program to train and place those attendees in the tech industry. It's an inspiring story that needs to be heard.

When Derek Weeks and I started All Day DevOps in 2016, we were unsure as to whether anyone would be interested.It's now four years later. Last week we had close to 37,000 people register for the event. We're still trying to wrap our head around the scale of something that generates a world wide audience in the tens of thousands for a 24 hour conference. One of the things that has grown organically from All Day DevOps is a concept called "Viewing Parties". It's an idea the community has created, not something planned by us. Over 170 organizations, meetups or user groups around the world setup a large screen and invited colleagues and friends over to share in the DevOps journeys that were being told throughout the day. Last year, we heard through the grapevine that State Farm had over 600 people show up to participate at their viewing party in Dallas. That's 600 people internally at State Farm. When I heard about it, I knew I had to speak with Kevin ODell, Technology Director and DevOps Advocate at State Farm, the person who coordinated the event. Our initial conversation was a fascinating view into how he pulled off such a large event, internally. We kept in touch throughout the year, leading up to 2019 All Day DevOps. Keeping track of the registrations for Kevin, he soon came to realize what he had created was now a viral event at State Farm. For 2019, State Farm had 4000 of their 6000 developers confirmed to attend All Day DevOps. To me, that's just remarkable. While at the DevOps Enterprise Summit last month, Kevin and I sat down to talk about how he created such an incredible event, the process for getting business buy-in, and how he measures the value of letting 4000 developers collectively watch videos for the day. Even if I wasn't one of the co-founders of All Day DevOps, I'd find this a fascinating story. Stay with us and I think you'll be impressed, too.

Shortly after watching the documentary, Code Rush, I met with Tara Hernandez, the hockey stick carrying lead of the Netscape project that was being documented. We sat down at the Jenkins World Conference in San Francisco to talk about the effect that project had on her career, what she has been doing since with her position at google, and what she hopes to be working on in the coming years. We started our conversation by exploring the relationship between the Netscape project in 1998 and the current state of DevOps. Would DevOps have made a difference... the answer might surprise you.

Edwards Deming went to post-war Japan in the late 1940s to help with the census. While there, he built relationships with some of the main manufacturers in the region, helping them understand the value of building quality into a product as part of the production process, thus lowering time to market, eliminating rework and saving company resources. In his 1982 book, "Out of the Crisis", Deming explained in detail why Japan was ahead of the American manufacturing industry and what to do about. His "14 Points on Quality Management" helped revitalize American industry. Unknowingly, he laid the foundation for DevOps 40 years later. Eli Goldratt published "The Goal" in 1984, focusing on the "Theory of Constraints", the idea that a process can only go as fast as it's slowest part. In fictionalized novel form, Goldratt was able to reach a wide audience who would utilize the theory to help find bottlenecks, or constrainsts, within production that were holding back the entire system. Once again, the theories espoused in The Goal were a precursor to the DevOps movement 40 years later. In January 2013, 40 years after Deming and Goldratt reshaped the manufacturing processes in American, Gene Kim published "The Phoexnix Project". He used the same format as Goldratt, telling the story in a fictional novel format with characters who were easily identifiable within the software manufacturing process, from a manager's point of view. The Phoenix Project is now one of the most important books in the industry, and is used as a starting point for companies interested in participating in a DevOps transformation. It's now six years later, 2019. Gene's new book, The Unicorn Project, will be released at the upcoming DevOps Enterprise Summit in Las Vegas on October 28. This new book has an interesting premise: What was going on with the software development team in the Phoenix Project as the management team was flailing to get the project back on track. It's a novel approach to have parallel timelines in separate books, looking at the same project. In this broadcast, Gene and I talk about how the Unicorn Project aligns with the Phoenix Project, the overlap in storylines, and why he chose to speak for software developers in this iteration of the story. Do a quick review of the Phoenix Project, which is probably already on your bookshelf, and then listen in as we discuss using Deming, Goldratt and Kim as the foundation of the principles of the DevOps movement.

Once a year, Sacha Labourey and I sit down to discuss the past year and what the coming year looks like for DevOps and Jenkins. As CEO of CloudBees, Sacha has broad visibility into the progress of the DevOps/DevSecOps communities. We started our talk this year, commenting on the growth of the Jenkins World conference, with over 2000 attendees... what does Sacha attribute that to and does it coincide with the growth within the DevOps community. We continued our discussion by examining how cultural transformation within a company must align with the tools that are available to help with that transformation. Along the way we touched on where cultural transformation comes from within an enterprise, the question of whether DevOps has yet to jumped the chasm, the tipping point for a company's full acceptance of DevOps patterns, and what does Sacha hope to accomplish in the coming year All Day DevOps: A Supporter of DevSecOps Podcast If you're listening to this podcast, you've probably heard of All Day DevOps. This year, All Day DevOps has expanded to 150 sessions, including 9 sessions dedicated to OWASP projects such as Seba talking about DevOps Assurance with OWASP SAMMv2, the OWASP Security Knowledge Framework with Glen & Ricardo ten Cate, DevSecOps in Azure with OWASP DevSlop featuring Tanya Janca, and an overview of the OWASP Top 10 with Caroline Wong. Simon talking about the OWASP ZAP HUD project is another session not to be missed. All Day DevOps is a free, community event, sponsored and supported by hundreds of organizations like yours from around the world. Registration is free. Go to All Day DevOps dot com to register and start building your schedule. All Day DevOps. All live. All online. All free.

I was affected by it. You were affected by it. We were all affected by the Equifax breach in September 2017. The truly interesting thing about it is, Equifax wasn't the only company hit by the struts 2 vulnerability that day. Many other companies were hit by it within that time period, but Equifax became the poster child for the main stream media. It was just too easy of a target because of consumer visibility. In the two years since the breach, Equifax has been working hard to restore its reputation, not just with consumer protection, but with the companies that depend upon credit data to make real business choices. I wanted to find out what Equifax is doing behind the scenes not just reputation wise, but technology wise when it comes to protecting data. Was it status quo as soon as the buzz died down? Did they pay their fine and go back to business as usual? Or are they making changes under the hood that will make a difference in how financial data is handled and what can be done with it. I met with Sean Davis, Chief Transformation Evangelist at Equifax, while at Jenkins World in August. It had been two years since the breach, and I wanted to hear what was happening internally, what changes have been made and why we should begin to trust Equifax again. I have to say I was surprised. When I sat down with Sean, I thought there would be hesitancy, some caution as to what could and couldn't be talked about. To my surprise, it was a transparent discussion. I asked him questions I wanted to know as a consumer, as well as the technical queries about what's going on under the hood at Equifax, what changes have been made to make my data more secure. Is it time to trust Equifax again? I'll let you decide.

OWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest security tribes in the world. In this episode of the DevSecOps Podcast Series, I speak with Ben Pick one of the organizers of the conference about what's important about this type of gathering and what you can expect when attending. https://dc.globalappsec.org/