People | Process | Technology Podcast

The HeartBleed bug is running rampant on many major sites such as Chase and Yahoo while people are scrambling madly to find solutions. At the SOURCE Boston Conference this morning, I caught up with Melissa Elliot from VeraCode as she was examining the impact of the HeartBleed on Yahoo, using software from Jared Staffer of JSPenguin.org. I asked her to describe what she was seeing. Have a listen... About Melissa Elliot I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.

In March 2014, Rio Okada and his team in Japan organized the first AppSec APAC event in Japan. I called Rio to ask how the event went. Joining the conversation with me and Rio is Robert Dracea, Tobias Gondrom and Jerry Hoff. During our call we talked about what made the event so successful and how that success might be used in future AppSec events. Have a listen.

Ivan Bütler and his team at the Hacking Lab have whipped up a fun challenge for the Easter season. The Hacky Easter Challenge is a white-hat hacking competition for fun and education. Sign up and start your quest for easter eggs! No need to be a "1337 h4xor" - there are challenges of different difficulty. About Ivan Bütler Ivan Bütler is the co-founder and CEO of Compass Security, a Swiss Ethical Hacking and Penetration Testing company located in Switzerland and Germany. Besides his own business he is also a tutor at both, the University of Applied Sciences in Rapperswil and Lucerne University of Applied Sciences and Arts. Ivan is a regular speaker at international conferences (Blackhat USA, IT Underground Warsaw, OWASP AppSec). Ivan is in the board of the Swiss Cyber Storm 4 Conference Committee and as such, responsible for the CTF and Hacking platform for the European Cyber Security Challenge 2014/2015, a cyber talent competition between Austria, Switzerland and Germany and may others from the European Union. He is the founder of Hacking-Lab – a remote security lab that is being used world-wide by security enthusiasts and security professionals to train their hands-on experience. Hacking-Lab is partnering with OWASP and provides free OWASP TOP 10, OWPASP Hackademics and OWASP WebGoat challenges.

The OWASP Top Ten Proactive Controls Project is spearheaded by Jim Bird and Jim Manico. According to Jim Bird, it is a list of security techniques that should be included in every software development project. I spoke with him about the evolution of the project and how he envisions it being used by the OWASP community, and specifically by developers. Resources for this Broadcast OWASP Top Ten Proactive Controls Project Jim Bird on LinkedIn About Jim Bird Jim Bird is a software development manager and CTO with more than 25 years of experience in software engineering, with a special focus on high-integrity and high-reliability systems. Jim is currently the co-founder and CTO of a major US-based institutional trading service, where he is responsible for managing the company’s technology group and IT security programs. Jim has worked as a consultant to IBM and to major stock exchanges and banks globally. He was also the CTO of a technology firm (now part of NASDAQ OMX) that built custom IT solutions for stock exchanges and central banks in more than 30 countries. Jim is an active contributor to OWASP, helps out as a member of the SANS Analysts program on application security, and rants about Agile software development, project management and application security topics on his blog “Building Real Software.

For his most recent project at OWASP, Colin Watson has taken the concept of Microsoft's 'Elevation of Privilege' card game and transformed it as a process for identifying security requirements for web applications. In this segment of OWASP 24/7, I speak with Colin about the origin of the project, a typical use case for the game and what the next version of the deck will look like. Resources for this broadcast OWASP Cornucopia Project Pagel Microsoft Elevation of Privilege Card Game About Colin Watson Colin Watson is an application security consultant based in London. He is project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, wrote the Application Logging Cheat sheet, contributes to a number of other OWASP projects including AppSensor and Open SAMM, and was a member of the former OWASP Global Industry Committee.

The OWASP WebSpa Project The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking, If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as a form of host-to-host communication in which information flows across erroneous URLs. In this podcast we present this web knocking tool for sending a single HTTP/S request to your web server, in order to authorise the execution of a preselected Operating System (O/S) command on it. About Yiannis Pavlosoglou There is a world of numbers, hiding behind letters, inside computers, this is what stimulates my work. I am currently employed in IT risk management within the financial industry, running a team of technical risk assessors. Prior to this, I spent 5 years in the world of professional penetration testing. I focused my career evolution on assisting large scale projects actually implement secure development practices. This included teaching developers how to write secure code. For OWASP, I was the project leader for JBroFuzz and used to chair the Global Industry Committee. I am on the Application Security Advisory Board of the (ISC)2. My academic qualifications include a PhD in information security, designing routing protocols for ad-hoc networks. I am a certified scrum master and hold the CISSP certification.

I was able to have a wonderful conversation with Riotaro Okada and Robert Dracea this morning, talking about the upcoming AppSec APAC conference in Tokyo. This interview is unique, in that we have the English and Japanese responses integrated into the conversation. This is the first event of its kind in Japan and you can tell the locals are very excited about the possibilities, from internationally recognized speakers to showing visitors the hospitality of Japan. We begin the discussion with how the Tokyo OWASP chapter was started and how it led to the AppSec APAC Conference. Riotaro Okada Researcher Born in Kobe, Hyogo Prefecture, Japan, Mr. Okada has over 20 years of experience in software development and network construction. He has been involved in network construction, software development and the implementation of information security measures at independent software development companies, the R&D divisions of manufacturing companies as well as consulting firms. Mr. Okada has also facilitated various technology-related communities such as for Linux and PHP. In 2004, he founded the Web Application Security Forum and as a member of the board became involved in the diffusion of security-related information. Moreover, he was also a researcher at the Information-technology Promotion Agency, Japan (IPA) for 8 years, and responsible for the IT strategy as well as disaster response projects at various government organizations. Mr. Okada is the co-leader of OWASP Japan since its founding, is CISA certified and holds an MBA from BBT (2009). Robert Dracea Mr. Dracea is responsible for the global strategy of a Japanese internet service company. With the mission of better sharing Japan’s advanced technological power with the world, from a business perspective, he has successfully architected numerous alliances and tie-ups both domestically in Japan as well as overseas. Additionally, he has also, on a volunteer-basis, conducted the translation and interpretation at multilingual OWASP Meetings. Mr. Dracea has been since its founding a member of the OWASP Japan Advisory Board.

The planning for AppSec Europe 2014, Cambridge is in full swing. I caught up with conference manager Adrian Winckles to see how things are shaping up.

Mark Arnold helps run a very successful OWASP chapter in Boston. In this extended discussion, I talk with Mark about why the chapter is doing so well, what lessons others could learn from his chapter's success and what he would like to see happen to gain a broader audience for the group. About Mark Arnold Mark Arnold is Director of Information Security for PTC, a global leader helping companies achieve and sustain service and product advantage. He has served in various security roles and capacities across multiple industries and as a security consultant. Mark continues to provide leadership by serving on a mix of technology (OWASP Boston, Risk I/O/CISO Advisor) and community boards. He helped launch the Boston Application Security Conference, an OWASP event, as a way to promote application security to local area college/university and secondary school students. Mark advocates bridging the digital and technical divide, supporting various STEM initiatives and encouraging increased minority and gender representation in the security field and its disciplines. He holds a BSEE from Stanford University, MDiv from Princeton Seminary, AM/PhD degrees from Harvard University, and industry certifications.

Not making a statement can be a statement in its own right." -- Tobias Gondrom Earlier this week, OWASP released a statement after an internal debate regarding recent allegations that RSA had weakened its encryption while receiving $10 million dollars from the NSA. There was heated discussion about whether or not to publish a statement. Would it be perceived as political? What is OWASP's responsibility when it comes to defending the trustworthiness of software? I spoke with Tobias Gondrom and Eoin Keary about that debate. Their premise is that this is not a political statement, but a clarification to keep OWASP focused on its original mission.

The OWASP team in Japan are putting the finishing touches on the big AppSec APAC Conference that is being held in March 2014. I spoke with Tobias Gondrom, keynote speaker for the conference, and asked him to fill us in on why this conference is unique and why you should consider attending.

"I am a developer and one of the things I hate are code reviews." -- Larry Conklin Larry Conklin is a developer and as a developer, he HATES code reviews. Because of this, he now heads the OWASP "Code Review Book" project which is creating a definitive guideline that allows companies to proceed with code reviews based upon technical facts, not emotions or intuition. I spoke with Larry at AppSec USA 2014. Dennis Groves was also there, so you'll hear him interject with a question in the middle of the program. About Larry Conklin Larry Conklin's current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, creating and maintaining operational support web sites to help QuikTrip manage it’s 600+ stores

"For an organization to really mature around application security, they need to be building security into their software from day one." -- Jim Manico Jim Manico started the OWASP podcast series in 2008. In that time, he has recorded close to 100 interviews to keep the community updated on the lastest project development within OWASP. As Jim reaches his 100th episode, he reminisces about how the series was started, what his original vision was and what he's going to do now that he has passed the reins over and moves on to other projects. We start with a question about the origins of the project and how it grew. "It's easy to talk about to talk about the 'purity' of software development, but managing a fleet of already insecure apps is an equally difficult problem." -- Jim Manico About Jim Manico Jim Manico wasl elected as an OWASP Global Board Member as of January 1, 2013. He been an active member of OWASP since 2008. He is the VP of Security Architecture at WhiteHat Security. Jim's main passion at OWASP is supporting projects that help developers write secure code.

"There are a lot of security flaws in websites like Facebook and WordPress applications. Most of those flaws are because the developers first create the application and then consider the security." -- Abbas Naderi PHP is one of the most used programming languages for the web. The problem with PHP has always been that it's easy to get started programming with PHP, but that's also one of its biggest flaws when considering application security. Abbas Naderi leads the OWASP PHP Security Project, which is a sample framework to demonstrate proper usage of the tools and libraries, as well as providing guidelines for new PHP projects. In this segment of OWASP 24/7, I talk with Abbas about the PHPSEC project as well as one of his other project, RBAC. About Abbas Naderi Abbas Naderi Afooshteh is a renowned security expert in the middle east, he has ranked first in many national and global CTFs and has been in the field for more than 8 years. He is the current Iran Chapter Leader at OWASP, and has 5 years of activity in OWASP resulting in many projects such as OWASP RBAC Project, OWASP PHP Security Project, OWASP WebGoatPHP Project and etc. He has participated in many other projects such as Cheat Sheets and ESAPI. Abbas has studied software engineering and information technology in his BS and MS and is now going to CMU to study Information Security for MS+PhD. He spends many hours daily leading OWASP projects and mentoring new enthusiastics that join projects, as well as shaping bright ideas into OWASP projects.More can be found at https://abiusx.com/cv

"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for." -- Simon Bennetts In today's segment, I talk with Simon Bennetts, project lead for the OWASP Zed Attack Proxy Project or "ZAP" for short. Simon is working on a user friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about. About Simon Bennetts Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He works for Mozilla as part of their Security Team. Some of the projects Simon works on: -- OWASP Zed Attack Proxy project lead -- OWASP Vulnerable Web Applications Directory Project joint project lead -- Mozilla Zest project lead -- Mozilla Plug-n-Hack joint project lead -- Bodge It Store project lead -- OWASP Web Application Security Testing Cheat Sheet joint author -- OWASP AppSensor contributor -- wavsep contributor -- OWASP Data Exchange Format project lead (currently inactive)