In this episode, I speak with Caleb Queern, one of the authors of "Investments Unlimited" a book I highly recommend you get and read. While the book is fiction, there's a great deal of truth in the story about how automation can work for more than just DevSecOps. Compliance and audit also deserve a seat at the table. Learn how you can get more code out the door, with more safety and a 'risk reduced' smile on the auditors face.

Show Links:
- Investments Unlimited: https://itrevolution.com/product/investments-unlimited/
- DevOps Automated Governance Reference Architecture: https://itrevolution.com/product/devops-automated-governance-reference-architecture/

OWASP Podcast

OWASP Ep 2023-01: Audit, Compliance and automation, Oh my!

In this episode I speak with Amitai Cohen who's been thinking a lot about tenant isolation. This is a problem for more then just cloud providers. Anyone with a SaaS offering or even large enterprise may want to isolate customers or parts of their business from each other. Several useful items came out of this including the Cloud VulnDB which catalogs security issues in cloud services and the PEACH tenant isolation framework. You may not think you need to worry about tenant isolation, but I bet you should at least keep it in mind. Enjoy!

Show Links:
- Cloud VulnDB: https://www.cloudvulndb.org/
- PEACH Framework: https://www.peach.wiz.io/
- OWASP Cloud Tenant Isolation Project: https://owasp.org/www-project-cloud-tenant-isolation/

2023-02 Isolation is just PEACHy

In this episode I speak with Aaron about Point of Sale or POS systems. He's been investigating the security of POS systems for quite some time now and brings to light the state of the POS ecosystem. Buckle your seat belts, this is going to be a bumpy and very interesting ride.

2023-03 Point of Scary - the POS ecosystem

WAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape. The OWASP Coraza is not only asking these questions but putting some Go code behind their ideas. Should WAFs work in a mesh network? Why create an open source WAF? What's next for the OWASP Coraza project? These and more topics are covered in this episode. I had a great time recording it and I think you'll have the same while listening.

Show Link:
- Coraza Website: https://coraza.io/
- Coraza Github Repo: https://github.com/corazawaf/coraza
- Coraza Twitter: https://twitter.com/corazaio
- AppSec EU 2023 presentation on Coraza - https://www.youtube.com/watch?v=S_TtvDFmia4

2023-04 Rethinking WAFs: OWASP Coraza

In this episode I speak with Jerry Hoff who provides some very interesting perspective on application security especially at scale and from a high level view like that of a CISO. Even if you're not in a senior leadership position, you're likely to be reporting to one. Understanding that point of view can help you successfully frame your work and accomplish your goals. We touch on multiple topics and have some great back and forth that I'm sure will entertain and inform you. Enjoy!

AppSec at 40,000 feet

Software supply chain seems to be front and center for technologists, cybersecurity and many governments. One of the early pioneers in this space was Steve Springett with two highly successful projects: OWASP Dependency Track and CycloneDX. In this episode, we catch up with Steve to talk about how he got started in software supply chain management as well as the explosive growth for Dependency Track and ClycloneDX. We also touch on future developments for CycloneDX and places where Steve never expected to see his projects go.  Enjoy!

Show Links:

- OWASP Dependency Track: https://dependencytrack.org/
- Dependency Track Github: https://github.com/DependencyTrack
- CycloneDX: https://cyclonedx.org/
- CycloneDX Github: https://github.com/CycloneDX
- Software Component Verification Standard: https://scvs.owasp.org/
Social Media links:
- https://twitter.com/stevespringett
- https://infosec.exchange/@stevespringett
- https://www.linkedin.com/in/stevespringett/

SBOMS, CycloneDX and Dependency Track: Automation for Survival with Steve Springett

In this episode we talk with Zain Haq and take a leap and bound over the first and second line to discover more about the third line - internal audit. We discover answers to a number of questions: What role does audit play in the overall cybersecurity of an organization? What does the CISO gain from having an audit function? What makes a good auditor? Learn how to get the most out of audit and what they bring to the table. Special thanks to Tina Turner for inspiring the show title. ;-)

Show Links:

- Zain Haq: https://www.linkedin.com/in/zainhaq25/

ep2023-07 What's Audit got to do with IT

For years we've heard talk about a shortage of cybersecurity professionals so what can be done about that? In this episode, I speak to Brad Causey who has taken one approach he's found successful. We cover the trade-offs of his approach and how, should you agree with him, you can help fill those troubling vacancies at your company.

Show Links:

- SecurIT360 https://securit360.com/
- Offensive Security Blog https://offsec.blog/

The OWASP Podcast

ep2023-08 Finding Next Gen Cybersecurity Professionals with Brad Causey

After getting a ping from an old friend about a potential new OWASP project, I had to bring him on as a guest. He's got an interesting idea around potential vulnerabilities in web crawlers which just happen to gather data for so many AI system. We talk about that, Cybersecurity and Government and so much more.

Show Links:

- LinkedIn https://www.linkedin.com/in/buanzo/
- Github https://www.linkedin.com/in/buanzo/

ep2023-09  Vulnerable Data Gathering for AI with Arturo Buanzo Busleiman

We're thrilled Tanya Janca (aka SheHacksPurple) joined us this week on the podcast! She and Kali Fencl discuss secure guardrails, Semgrep Academy, the process of writing two books, gardening, and so much more.

Voices from Infosec: Tanya Janca

After a long and unplanned pause, the OWASP podast is back with a home run of an episode. We have Lisa Plaggemier as our guest who reprises her eloquent keynote topic from AppSec DC. All hope isn't lost, we are making progress - just look at safety in the auto industry to understand where we are and where we're going.

Links:
Lisa's keynote from AppSec DC
https://www.youtube.com/watch?v=Rirxc1OXR4Q&list=PLpr-xdpM8wG_3eyVQxB0oXqVJwlNKs85x&index=38&ab_channel=OWASPFoundation
Kubikle web series
https://kubikleseries.com/
Convene Seattle 2024 event
https://staysafeonline.org/programs/events/convene-seattle-2024/

ep2024-07 Safety belts for AppSec with Lisa Plaggemier

The August episode is a review of projects from a recent OWASP project showcase. We talk to the leaders of the OWASP pytm, OWASP Developer Guide, OWASP State of AppSec Survey Project. Get up on the latest news and update on these OWASP projects.

OWASP pytm:
- https://owasp.org/www-project-pytm/
- https://github.com/izar/pytm
OWASP Develper Guide:
- https://owasp.org/www-project-developer-guide/
- https://github.com/OWASP/www-project-developer-guide
OWASP AppSec Survey Project:
- https://owasp.org/www-project-state-of-appsec-survey/

ep2024-08 OWASP Projects Roundup

Some production issues caused this one to slip to December so the intro is a bit off but this is still a great episode. So, learn some lessons on creating secure code from one of my favorite guests: Tanya Janca. It was hard to keep this one to its current length as Tanya is such a great person to talk to for any reason. Enjoy and happy holidays!

Show Links:

Get your copy of Alice and Bob Learn Secure Coding! (and more):
https://shehackspurple.ca/books/
Also the newsletter so that you can join the free online streams:
https://newsletter.shehackspurple.ca/

owasp podcast

ep2024-12 Tanya Janca: Happy Holidays are Secure Code

In this episode of Breaking Badness, we sit down with Tanya Janca, aka SheHacksPurple, a cybersecurity educator, and author of the best-selling book Alice and Bob Learn Application Security. Tanya shares her journey from software developer to AppSec expert, dives into the unique challenges of teaching secure coding, and discusses the impact of cybersecurity breaches on industries and individuals. 

From her creative teaching methods to her advocacy for change in university curriculums, Tanya offers insights that resonate with developers, educators, and security professionals alike. 

Discover how Tanya is paving the way for accessible AppSec education, the role of AI in secure coding, and her mission to teach security as a fundamental skill for every developer.

Tanya Janca on Secure Coding, AppSec, and Breaking Barriers in Cybersecurity

In this episode of Breaking Badness, we welcome back Tanya Janca, aka SheHacksPurple, to discuss her latest book, Alice and Bob Learn Secure Coding. Tanya dives deep into the fundamental principles of secure software development, the psychology behind developer incentives, and the often-overlooked importance of zero trust security.

Zero Trust, Secure Coding & Developer Incentives: Tanya Janca on AppSec’s Biggest Challenges

Where timely and relevant security meets puns and witty banter. Our goal is to keep defenders apprised of pertinent news and trends in under forty-five minutes.

The OWASP Podcast Series is a recorded series of discussions with thought leaders and practitioners who are working on securing the future for coming generations.

New tracks tagged #appsec