People | Process | Technology Podcast

The OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community do decide the criteria for building the list of controls.

The WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. I caught with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of this project. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Several months ago Johanna Curiel figured she'd had enough and was ready to take a break from OWASP. Recently, she came back and is working tirelessly to revamp the Project Review initiative. I talked with Johanna about why she left, what has changed to make it enticing enough for her to return and what her vision is for the Project Review team in the coming year.

As we move into 2016 and my second year as executive producer of OWASP 24/7, I want to give a quick overview of my objectives for the year and what you can expect from the series.

Funding of projects. Allocation of personal time. What does it take to get a project funded with limited resources? The OWASP NYC/NJ chapters are trying something new at the December 7th meeting: two projects will make pitches to a crowd of 300, with two angel investors in attendance. In this OWASP 24/7 broadcast, I talk with Tom Brennan, event organizer, and the two people who will be pitching their projects. Listen in to see if this is something you might want to do for your chapter or project. Here's a review of the Shark Tank pitch that two people made on the actual Shark Tank show. Needless to say, it didn't go too well. http://www.inc.com/brian-j-oconnor/shark-tank-recap-there-s-no-crying-on-shark-tank.html Find out more about the December 7 event on the NYC/NJ Meetup Page http://www.meetup.com/nycmetrocsc/ Credit: Music for today's broadcast was provided by the George Cole Quintet. Here more at http://georgecole.net/

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. Project on OWASP https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

There's been a lot of discussion around the OWASP Benchmark Project since it's latest release. Jeff Williams wrote an article and then received a response from Chris Wysopal at Veracode. I was able to catch up with Dave Wichers, OWASP Project Lead, during AppSecUSA 2015 in San Francisco. I had Dave talk me through the project and what its intentions are. Resources: OWASP Benchmark Project https://www.owasp.org/index.php/Benchmark Why it's Insane to Trust Static Analysis http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274? No One Technology is a Silver Bullet https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet

The Security Shepherd Project is a mobile web application training platform for penetration testing. It covers the OWASP Top 10 risks from both the mobile and web projects. This recording was made at AppSecUSA 2015 during the Project Summit.

When I was at AppSecUSA 2015 in San Francisco, I was standing in the hallway talking with Matt Tesauro, Shannon Lietz and Jez Humble. We decide that our discussion was interesting enough to continue, so we grab a room and just started talking. Heads up: There are basic audio problems with the recording, such as some background hiss and some high frequency whining (not from us, from the lights overhead!). It was an interesting discussion about real world scenarios that the three have seen in different environments, with solutions for those issues. There's an important summary that starts at 34 minutes where each of them specifies the most important things they'd like you to take away from the discussion.

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Abbas Naderi, Michael Coates and Jonathan Carter.

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Bil Corry and Josh Sokol.

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Milton Smith, Tobias Gondrom and Tom Brennan.

With over 20,000 downloads within it's first two months of release, the Security Knowledge Framework Projects seems to have hit a resonant chord with the OWASP community. Glenn Ten Cate and his brother Riccardo created the project as a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. I spoke with Glenn about the project and it's future growth. You can learn more about the project on the OWASP project site: https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

With the OWASP Summer of Code Sprint 2015 in full swing, OWASP 24/7 caught up with project lead Fabio Cerrulo to see what the future of the project looks like and what to expect from the current sprint.

In part two of our open discussion on project funding for OWASP projects, I talk with Johanna Curiel, Project Review Team Leader, and Claudia Casanovas, the newly appointed Project Coordinator. In this broadcast, we explore the roadblocks to getting OWASP project funding, discuss how to create a better process for requesting funds, and talk about historical examples of how the current process has, and has not, worked.