The OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community to decide the criteria for building the list of controls.
The OWASP WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. I caught up with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of this project.
Resource: The OWASP WebGoat Project
Several months ago Johanna Curiel figured she’d had enough and was ready to take a break from OWASP. Recently, she came back and is working tirelessly to revamp the Project Reviews initiative. I talked with Johanna about why she left, what has changed to make it enticing enough for her to return and what her vision is for the Project Review team in the coming year.
Resources for this Broadcast
The sessions for DevOps Connect: Rugged DevOps at RSAC on February 29 are starting to be announced. I’m excited to confirm Kim Zetter from Wired will be doing a session on the epic security and privacy fails of 2015. All attendees of RSAC have access to the full day of DevOps sessions.
Here’s the abstract from Kim. Hope to see you there.
2015 in Review: Major Failures in Public Safety and Privacy
In 2015, Kim Zetter, Senior Reporter at Wired, covered major cyber security and privacy failures including “The US Office of Personnel Management’s Struggle to… Manage”, “Ashley Madison Cheaters Were Cheated Out of Their Privacy”, “Gemalto’s Rapid Response to Hack Was a Little Too Rapid”, “Hillary Clinton’s Server”, “Everything We Know About Ukraine’s Power Plant Hack” and “Secret Code Found in Juniper’s Firewalls Shows Risk of Government Backdoors”.
This session will look at the people, companies, and events having the most epic security and privacy fails in 2015—and what we can expect to see in 2016.
Kim’s talk will lay the groundwork for the afternoon track, where we’ll talk about the need for better, more secure software and development practices through Rugged DevOps and automation of the Software Supply Chain.
About Kim Zetter
Kim Zetter is an award-winning investigative journalist and author who covers cybersecurity, cybercrime, cyber warfare, privacy and civil liberties. She has been covering computer security and the hacking underground since 1999, first for PC World magazine, and now for WIRED, where she has been reporting since 2003 and is currently a senior staff writer. She has broken numerous stories over the years and has three times been voted one of the top 10 security reporters in the nation by her journalism peers and security industry professionals.
Kim recently completed a book about Stuxnet, a sophisticated digital weapon that was launched by the U.S. and Israel to sabotage Iran’s uranium enrichment program. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon was published by Crown/Random House in November 2014.
Funding of projects. Allocation of personal time. What does it take to get a project funded with limited resources? The OWASP NYC/NJ chapters are trying something new at the December 7th meeting: two projects will make pitches to a crowd of 300, with two angel investors in attendance.
In this OWASP 24/7 broadcast, I talk with Tom Brennan, event organizer, and the two people who will be pitching their projects. Listen in to see if this is something you might want to do for your chapter or project.
Here’s a review of the Shark Tank pitch that two people made on the actual Shark Tank show. Needless to say, it didn’t go too well.
Find out more about the December 7 event on the NYC/NJ Meetup Page
Credit: Music for today’s broadcast was provided by the George Cole Quintet. Hear more at georgecole.net/
What does it take to put on a successful conference? How much work is involved? In this segment, I sit down with Neil Matatall and Richard Greenberg, co-organizers of AppSec California 2015. We talk about how they came up with the idea and what resources were needed to pull off such a successful event.
The OWASP AppSensor Project has just released version 2.0. In this broadcast we speak with John Melton, project code lead, on the latest features in the release and what the future looks like for the project.
About John Melton
John is one of the co-leaders for the OWASP AppSensor project and leads the software implementation. For his day job, he is a principal security researcher for WhiteHat Security, working in the SAST space. His background is in software and security engineering.
Moxie Marlinspike is the founder of Open Whisper Systems, which is both a large community of Open Source contributors and a small team of dedicated developers. Together, the members of Open Whisper Systems are working to advance the state of the art for secure communication, while simultaneously making it easy for everyone to use.
Moxie works on secure protocols, Android clients, and server software. He has been contributing to Open Whisper Systems since it was Whisper Systems, formerly ran the product security team at Twitter, and started the first cloud-based password cracking service. He has also published a number of attacks on secure protocols like SSL and MS-CHAPv2.
He has been a keynote speaker at past OWASP and other security conferences.