People | Process | Technology Podcast show

Summary: The "People | Process | Technology" podcast is a recorded series of discussions with thought leaders and practitioners who are working on integrating the three areas of business that are most likely to have a massive impact on your business.

  • Artist: People | Process | Technology Podcast
  • Copyright: All rights reserved

Podcasts:

 AppSec USA 2013 - Michael Coates on the AppSensor Project | File Type: audio/mpeg | Duration: 00:11:09

Michael Coates has a vision: smart applications that come to their own defense.

"We need to get to that point where we realize that our apps are in a military zone, they are being attacked all the time." -- Michael Coates

In this segment of OWASP 24/7, I speak with Michael Coates, Chairman of the OWASP Board and the founder of the AppSensor Project. Michael's contention is that applications should be smarter, that an app should "know" when it is being attacked and have a proactive, built-in response. We discuss the AppSensor project in depth: what is it, why was it created. We start our discussion with the background and reasoning behind the project.

"The real damage is when they know how your application works. They attack your business logic. They do things to violate the custom aspects of your application." -- Michael Coates

About Michael Coates

Michael Coates is the Chairman of the OWASP board. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that leverage real time detection and response capabilities. Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup developing an entirely new type of web security product to protect web sites against modern attacks. Previously, Michael was the Director of Security Assurance at Mozilla where he founded and grew the Security Assurance and Web Security programs to 25 people. Throughout Michael's career he has advised major corporations and governments on secure architecture and software security. He’s also performed hundreds of technical security assessments for financial, enterprise, and cellular customers worldwide. Michael also maintains a security blog at michael-coates.blogspot.com. Michael holds a Master of Science degree in Computer, Information and Network Security from DePaul University and a Bachelor of Science degree in Computer Science from the University of Illinois at Urbana-Champaign.

 AppSec USA 2013 - The OWASP Application Security CISO Guide with Marco Morana and Tobias Gondrom | File Type: audio/mpeg | Duration: 00:27:35

"The CISO Guide provides guidance and visibility to CISOs on how to initiate an application security program, how to make the business case, how to manage the risks of applications and how to measure those risks. The guide is structured as a journey, because application security is not a destination, it is a journey." -- Marco Morana

Marco Morana is the coordinator of the OWASP Application Security Guide For CISOs Project and Tobias Gondrom is the project lead for the OWASP CISO Survey. They have combined resources to provide us with a CISO framework for implementing an application security program. During our discussion at AppSec USA 2013, we talked about the origin of the projects and how they can be used to make a business case for application security.

"If you have a security strategy that is about a two year time frame, you have a higher chance of increasing your application security investments. The question is then, 'How do you write that strategy?' That question is answered in the CISO Guide." -- Tobias Gondrom

I start by asking Marco about the purpose of the CISO Guide.

 AppSec USA 2013 - The Purpose of OWASP, an Interview with Co-Founder Dennis Groves | File Type: audio/mpeg | Duration: 00:18:23

Many people in the OWASP community don't know Dennis Groves... and that's a surprise since he is one of the co-founders of the movement. I was able to catch up with Dennis at AppSec USA in New York City (November 19, 2013) and we had an interesting discussion about the beginnings of OWASP and what he sees in the future.

Highlights of our Discussion

  • The event that triggered the inspiration for OWASP
  • The original purpose of OWASP
  • The use of OWASP as a de facto standard
  • Future vision for OWASP
  • The dilemma of community obligation

About Dennis Groves

Dennis Groves's work focuses on a multidisciplinary approach to risk management. He is particularly interested in risk, randomness, and uncertainty. He holds an MSc in Information Security from the University of Royal Holloway where his thesis received a distinction. He is currently a UK expert for the UK mirror of ISO subcommittee 27, IT Security Techniques, working group 4, Security Controls and Services at the British Standards Institute. He is most well known for co-founding OWASP. His contributions to OWASP include the ‘OWASP Guide (v1)’ downloaded over 2 million times; now a reference document in the PCI DSS standard, and the de-facto standard for securing web applications. He is a thought leader in the web application security space, where he has spent the last decade of his career. Dennis Groves has been a Security Architect, Ethical Hacker, Web Application Security Consultant, IT Security Consultant, System Administrator, Network Administrator, and a Software Engineer. He has taught various courses on information security and is best known for his ability to bring fresh insight to difficult security problems.

Specialties: Risk Management, Threat Modeling, Security Architecture, Application Security, and "the big picture".

 AppSec USA 2013 - OWASP Panel on Using Components with Known Vulnerabilities | File Type: audio/mpeg | Duration: 00:48:58

Last week at AppSec USA in New York City (November 20, 2013), I moderated a panel with Jeff Williams and Ryan Berg talking about the latest addition to the OWASP Top 10, Using Components with Known Vulnerabilities. This is the full recording of that session.

 AppSec USA 2013 - Wait, Wait... Don't Pwn Me! | File Type: audio/mpeg | Duration: 00:41:29

On today's segment, we're going to take a different approach from our normal format. I was at the AppSec USA Conference in New York City last week and was asked to chair a panel for the game show "Wait, wait... don't pwn me!". This is the full recording of the session. As you listen, keep in mind, every situation described within the game is true. Let's start first with the introductions of Chris Eng, Josh Corman and Space Rogue.

 Tom Brennan - What to expect at AppSecUSA 2013 | File Type: audio/mpeg | Duration: 00:14:58

In this segment, I talk with Tom Brennan, the organizer of AppSecUSA 2013 in New York City. The conversation centers around what's going on in New York, why Tom took on the project and what makes AppSec conferences special.

About Tom Brennan

Tom Brennan has been a volunteer with the OWASP Foundation since 2004, when he founded the New Jersey Chapter after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006. Tom was appointed to the Global Board of Directors in 2007 by his peers and was re-elected by the membership in 2012 for another two year term. During his leadership of OWASP Foundation he has led many global and local initiatives for OWASP including governance, fund raising via conferences and membership and business marketing.

 Kelly Santalucia - Growing OWASP and the Outreach Programs | File Type: audio/mpeg | Duration: 00:12:12

In this segment of OWASP 24/7, I talk with Kelly Santalucia about what it takes to grow OWASP, how she's working with the outreach foundation, the outreach program for kids, the diversification of the membership... things that are helping the community grow. We also talk about what OWASP will look like in the future as virtual chapter meetings become an integral part of the platform. I began by asking Kelly what her job responsibilities are with OWASP.

 Kate Hartmann - The Future of Virtual Chapter Meetings | File Type: audio/mpeg | Duration: 00:14:26

Kate Hartmann is Operations Director of OWASP. She is responsible for creating and maintaining the platform for the OWASP organization. Kate has a unique perspective on how virtual meetings are becoming an important tool for the global community. We start our discussion with Kate talking about her typical day at OWASP... which begins with a full pot of coffee to get her jumpstarted.

About Kate Hartmann

Kate joined the OWASP Foundation in May 2008. Her work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short term and long term strategic goals. Kate has a B.A. in English and History from VA Tech in Blacksburg, VA. Prior to joining the OWASP Foundation, she worked with Government funding sources in the Healthcare Industry.

 Sarah Baso - What does it take to support 43,000 members in 100+ countries? | File Type: audio/mpeg | Duration: 00:20:02

Sarah Baso is the Executive Director of OWASP. Her day to day responsibilities include managing a membership of over 43,000 people in 100+ countries. What does it take to run an organization this size and how do you prepare for the future without getting bogged down in the details?

About Sarah Baso

Sarah is based in San Francisco, California, USA and has been the Executive Director of the OWASP Foundation since April 2013. In this role, she supervises the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.

 Samantha Groves - Getting the Most from OWASP Projects | File Type: audio/mpeg | Duration: 00:17:23

As the Projects Manager for all projects at OWASP (the Open Web Application Security Project), Samantha Groves has deep visibility into the 140 or so projects currently on the boards at OWASP. We start our discussion with what her typical day looks like and then move into how OWASP is changing and the different models for project frameworks.

About Samantha Groves

Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioural research projects, competitor analysis, event organisation and management, volunteer engagement projects, staff recruitment and training, and marketing department organisation and strategy implementation projects for a variety of commercial and not-for-profit organisations. She is eager to begin her work at OWASP and help the organisation reach its project completion goals. Samantha earned her MBA in International Management with a concentration in sustainability from Royal Holloway, University of London. She earned her Bachelor's degree majoring in Multimedia from The University of Advancing Technology in Mesa, Arizona, and she earned her Associate's degree from Scottsdale Community College in Scottsdale, Arizona. Additionally, Samantha recently attained her Prince2 (Foundation) project management certification.
