Author: Daniel

The #OWASP Cheat Sheet Project (S03E11)

Jim Manico joins on this week's episode to discuss some of the changes to the OWASP Cheat Sheets and the plans the project has for its future. Jim also explains that they are looking for experts in the field to create or update some of the Cheat Sheets.

You can find Jim on Twitter @manicode

Selling #AppSec Up The Chain (S03E09)

Jim Routh joins the podcast to discuss selling #AppSec up the chain. Jim has built 5 successful software security programs in his career and serves as a CISO now. Jim shares his real-world experience with how to successfully sell #AppSec to senior management (as well as many other pieces of wisdom for running an AppSec program).

You can find Jim on Twitter @jmrouth01

#AppSec Recommendations (S03E08)

Chris and Robert go over a plethora of recommendations they have accumulated over their years of experience in the industry.
Chris’s recommendations
1. Book: Agile Application Security: Enabling Security in a Continuous Delivery Pipeline
by Laura Bell, Michael Brunton-Spall, Rich Smith and Jim Bird
2. Website: Iron Geek
Adrian Crenshaw records many major, non-commercial security conferences and posts the talks to YouTube.
3. Book: The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations
by Gene Kim, Patrick Debois, John Willis and Jez Humble
4. News Source: The Register
A news site, but one with great sources and a bit of British humor attached to technology failures.
5. Blog: TechBeacon
6. Book: Threat Modeling: Designing for Security
by Adam Shostack
7. Book: The Tangled Web: A Guide to Securing Modern Web Applications
by Michal Zalewski
8. Book: Start with Why: How Great Leaders Inspire Everyone to Take Action
by Simon Sinek
Not a security book, but a good approach for those trying to change a security culture.
Robert’s recommendations
1. Books by Martin Fowler
He wrote many books on understanding architecture.
2. Book: Software Security: Building Security In
by Gary McGraw
3. Book: Core Software Security: Security at the Source
by James Ransome and Anmol Misra
4. Book: Threat Modeling: Designing for Security
by Adam Shostack
5. Website: Troy Hunt
6. Conferences: #AppSec USA, B-Sides, Source, Converge
7. Website: Google Alerts
Use this to be notified about specific topics you want to learn about.
8. Book: The Checklist Manifesto: How to Get Things Right
by Atul Gawande
9. Book: Securing Systems: Applied Security Architecture and Threat Models
by Brook S. E. Schoenfield
10. Book: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
by Tony UcedaVelez and Marco M. Morana

SAST, DAST, and IAST. Oh My! (S03E05)

Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. A moving quote that Pete shared during this episode is “an #AppSec program is the byproduct of building secure developers.” #Truth

Pete describes the differences between SAST, DAST, IAST, and RASP, the struggles that developers encounter using new tools, false positives that occur and how to reduce them, and advice for building an #AppSec program from scratch versus adding tools to a mature program.

You can find Pete on Twitter @PeteChestna.

Additional information on this topic:

We Are Not Making It Worse (S03E04)

Irene Michlin operates at the intersection of security and agility. She teaches about incremental threat modeling and how to do threat modeling when living in an Agile or DevOps world.

Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude “We are not making it worse.”

You can find Irene on Twitter @IreneMichlin, and check out Irene’s talk on Incremental Threat Modeling last year at AppSec EU.

The Exploitation of IoT (S02E18)

On this week's episode of the #AppSec Podcast, Robert and Chris are joined by Aditya Gupta.

They speak with him about the many facets of IoT and its implications for pen testing, training, and mobile application security.

Rate us on iTunes and provide a positive comment, please!

The Future of the OWASP Proactive Controls (S02E17)

On this episode of the Application Security Podcast, Chris and Robert talk to Jim Manico and Katy Anton about the OWASP Proactive Controls project.

This is something we have talked about before, and they are looking for feedback on the update coming soon.

Rate us on iTunes and provide a positive comment, please!