Jonathan Carter – OWASP and Mobile Security



On the day before Black Hat 2014 kicked off, I was able to sit with Jonathan Carter to talk about his work and the projects he participates on in OWASP. The audio recording is a bit raw because the sound was cranked up in a conference full of people. What Jonathan has to say should more than compensate.

Listen to the full interview


About Jonathan Carter
Jonathan Carter is an application security professional with over 15 years of security expertise in Canada, the United States, Australia, and England. As a software engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security.

Jonathan’s technical background in artificial intelligence and static code analysis has led him to a diverse number of security roles: Enterprise Security Architect, Web Application Penetration Tester, Fortify Security Researcher, and Security Governance lead. He is currently Arxan’s Technical Director.

Resources mentioned in this podcast


Sarah Baso – The Final OWASP Interview [AUDIO]



Sarah Baso is leaving OWASP at the end of the month. As executive director, she has been at the helm of the organization, helping to set up and run OWASP as a business. In our conversation we talk about the ups and downs of her tenure, and how she would like to be remembered in the future.

Listen to the entire interview


About Sarah Baso
Sarah is based in San Francisco, California, USA and has been the Executive Director of the OWASP Foundation since April 2013. In this role, she supervises the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.

Wait! Wait! Don’t pwn me! from AppSec Europe 2014

It’s become a regular thing at AppSec: test the experts on their knowledge of current software security news events. This session was recorded at AppSec Europe 2014 with panelists Chris Eng, Matt Tesauro and Josh Corman.

If you’d like to play along, you can view the gameshow slide deck. Looking forward to seeing you at our next AppSec session of “Wait Wait! Don’t pwn me!”

Listen to the entire show

View the Slide Deck of Question and Answers

Eoin Keary on Women in Security and Growing an OWASP Chapter



Eoin (pronounced Owen for you Yankees) Keary runs a software security practice in Ireland. In his “spare time”, he is a global board member for OWASP. At the AppSec Europe 2014 Conference in Cambridge, UK, I spoke with Eoin about how to get more women into the software security industry, starting with their participation in OWASP.

Listen to the interview with Eoin Keary on SoundCloud


About Eoin Keary
Eoin Keary has been with OWASP since 2004. He is based in Ireland, where he runs a software security practice. He is currently on the global board of the OWASP Foundation, having been elected to the board in 2009. During this time Eoin assisted in founding the OWASP legal entity in Europe and has helped provide structure to OWASP’s finances and strategy.

Eoin previously led the OWASP Testing Guide and currently leads the OWASP Code Review Guide. He has also contributed to other OWASP projects such as OWASP SAMM, the OWASP CISO Guide & CISO Survey, the OWASP Cheat Sheets, and the OWASP ASVS & ZAP as a reviewer. Eoin also founded the OWASP Dublin chapter in 2006 and the OWASP Ireland event in 2008, which is in its 4th year, and hosted OWASP EU in 2011.

Achim Hoffmann and the o-Saft Project for Scanning SSL Connections



Achim Hoffmann is a researcher who has created a tool for listing information about a remote target’s SSL certificate and testing the remote target against a given list of ciphers. This OWASP project, o-Saft, first gained notice when Jim Manico mentioned it on the OWASP email list. At AppSec Europe 2014, I was able to speak with Achim, along with Matt Tesauro, about the function of the tool and its uses.


About the Project
o-Saft is designed to be used by penetration testers, security auditors or server administrators. The idea is to show the most important information, or run the special checks, with a simple call of the tool. However, it provides a wide range of options so that experienced users can apply it to comprehensive and specialised checks.

o-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can easily be turned into an online CGI tool (please read the documentation first).

About Achim Hoffmann
Co-author, OWASP: Best Practices: Planning the Security Testing of Web Applications (Projektierung der Sicherheitsprüfung von Webanwendungen)…

Author, Security of Web Applications: BSI Safeguards Catalogue and Best Practices (Sicherheit von Webanwendungen: BSI-Maßnahmenkatalog und Best Practices)

Contributor to WASC Web Application Firewall Evaluation Criteria

Co-author, OWASP: Best Practices: Web Application Firewalls…lication_Firewalls

Reviewer/Contributor to WASC Threat Classification v1
German translation of the WASC Threat Classification v1

Reviewer/Contributor to WASC Threat Classification v2…ation-Authors

The Results Are In: 4th Annual Open Source and Application Security Survey



3300 people responded to the 4th Annual Open Source and Application Security Survey. It’s time to see the results of that survey:

  • 56% have an open source policy (up from 43% last year)
  • Component feature, licensing and security information were deemed most helpful by developers when selecting components
  • 83% source their components from the (Maven) Central Repository
  • 47% don’t actively monitor for changes in security data

To see the results of the survey and hear analysis from Adrian Lane, Analyst/CTO, Securosis, and Brian Fox, VP of Product Management, Sonatype, join the live online broadcast on Wednesday, June 18, at 1:00pm ET. Adrian will present the AppSec perspective, while Brian will address the Development perspective.

For updated info, check out the survey site and update your calendar. This one is going to be good. The survey was taken right in the midst of the Heartbleed announcement, so it represents the best perspective on the state of open source development and security at the time of Heartbleed.

2014 Survey Results