The OWASP Podcast Series is a recorded series of discussions with thought leaders and practitioners who are working on securing the future for coming generations.
The Owasp Podcast Series
Your anything goes security podcast presented to you by Black Lantern Security

ep2024-12 Tanya Janca: Happy Holidays are Secure Code
1:00:13
Some production issues caused this one to slip to December so the intro is a bit off but this is still a great episode. So, learn some lessons on creating secure code from one of my favorite guests: Tanya Janca. It was hard to keep this one to its current length as Tanya is such a great person to talk to for any reason. Enjoy and happy holidays! Sho…

ep2024-10 Don't be Scared, It's just a Pen Test with Brad Causey
37:19
There's no reason to be scared about a pen test - especially when it's run by a professional like Brad Causey. I catch up with Brad in this episode to discuss what's recently changed in pen testing in how you test and people's motivations for hiring a pen test. Interesting and not spooky at all. Show Links: Brad on LinkedIn - https://www.linkedin.c…
What happens when you get interested in Threat Modeling and you want to share? For some, that means you do one workshop, then another, then another. What happens when you start down this path? Takaharu Ogasa tells us what it's been like to become a threat modeling evangelist in Japan, what he's learned and what he's got planned next. It's a great …
The August episode is a review of projects from a recent OWASP project showcase. We talk to the leaders of the OWASP pytm, OWASP Developer Guide, OWASP State of AppSec Survey Project. Get up on the latest news and update on these OWASP projects.
OWASP pytm:
- https://owasp.org/www-project-pytm/
- https://github.com/izar/pytm
OWASP Developer Guide:
- http…

ep2024-07 Safety belts for AppSec with Lisa Plaggemier
32:04
After a long and unplanned pause, the OWASP podcast is back with a home run of an episode. We have Lisa Plaggemier as our guest who reprises her eloquent keynote topic from AppSec DC. All hope isn't lost, we are making progress - just look at safety in the auto industry to understand where we are and where we're going. Links: Lisa's keynote from AppSe…

ep2023-09 Vulnerable Data Gathering for AI with Arturo Buanzo Busleiman
32:38
After getting a ping from an old friend about a potential new OWASP project, I had to bring him on as a guest. He's got an interesting idea around potential vulnerabilities in web crawlers which just happen to gather data for so many AI systems. We talk about that, Cybersecurity and Government and so much more. Show Links: - LinkedIn https://www.linke…

ep2023-08 Finding Next Gen Cybersecurity Professionals with Brad Causey
32:48
For years we've heard talk about a shortage of cybersecurity professionals so what can be done about that? In this episode, I speak to Brad Causey who has taken one approach he's found successful. We cover the trade-offs of his approach and how, should you agree with him, you can help fill those troubling vacancies at your company. Show Links: - Secu…
In this episode we talk with Zain Haq and take a leap and bound over the first and second line to discover more about the third line - internal audit. We discover answers to a number of questions: What role does audit play in the overall cybersecurity of an organization? What does the CISO gain from having an audit function? What makes a good audit…

SBOMS, CycloneDX and Dependency Track: Automation for Survival with Steve Springett
29:32
Software supply chain seems to be front and center for technologists, cybersecurity and many governments. One of the early pioneers in this space was Steve Springett with two highly successful projects: OWASP Dependency Track and CycloneDX. In this episode, we catch up with Steve to talk about how he got started in software supply chain management …
In this episode I speak with Jerry Hoff who provides some very interesting perspective on application security especially at scale and from a high level view like that of a CISO. Even if you're not in a senior leadership position, you're likely to be reporting to one. Understanding that point of view can help you successfully frame your work and ac…
WAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape. The OWASP Coraza is not only asking these questions but putting some Go code behind their ideas. Should WAFs work in a mesh network? Why create an open source WAF? What's next for the OWASP Coraza pr…

The Boys Start A Mini-Series - Introducing The OWASP Review
41:06
To continue our adventure in talking about security concepts on the net, we have decided it's time to talk through the top Web Application vulnerabilities. On top of that we decided to make it a mini-series! In this episode we cover the number one OWASP vulnerability - Broken Access Controls. Follow along as we explore all the fun of web applicatio…

2023-03 Point of Scary - the POS ecosystem
34:46
In this episode I speak with Aaron about Point of Sale or POS systems. He's been investigating the security of POS systems for quite some time now and brings to light the state of the POS ecosystem. Buckle your seat belts, this is going to be a bumpy and very interesting ride.
By The OWASP Podcast Series
In this episode I speak with Amitai Cohen who's been thinking a lot about tenant isolation. This is a problem for more than just cloud providers. Anyone with a SaaS offering or even large enterprise may want to isolate customers or parts of their business from each other. Several useful items came out of this including the Cloud VulnDB which catalo…

The team is going to a con! (And doing some training and other stuff)
0:53
The boys are headed to the Kennedy Space Center for HackSpaceCon in April! BLS will be hosting a training there too! Also, come check out the training at DakotaCon in March! We're doing it the pay what you can style (for the training)! Links: HackSpaceCon Official Site DakotaCon Official Site The Official BLS Discord The Official BLS Website The Of…

OWASP Ep 2023-01: Audit, Compliance and automation, Oh my!
27:35
In this episode, I speak with Caleb Queern, one of the authors of "Investments Unlimited", a book I highly recommend you get and read. While the book is fiction, there's a great deal of truth in the story about how automation can work for more than just DevSecOps. Compliance and audit also deserve a seat at the table. Learn how you can get more code…
In this episode, I go solo and review the last year of podcasts but with a twist. I do my best to compare the topics covered to the OWASP Flagship projects. The goal is to see if the episodes I recorded this year match up with the projects strategically important to OWASP. Plus, the holiday listeners get gifts all around as I cover (and link) the O…
The boys are back with BLS' own Josh to discuss the difficulties a new penetration tester might face, and how to break into the industry. Links: The Official BLS Discord The Official BLS Website The Official BLS Github The Official APotN Twitter Free lecture resources: Professor Messer Heath Adams John Hammond Katie Paxton-Fear Free hands on resou…
In this episode, I speak with Jimmy Mesta, the project leader of the new OWASP Kubernetes Top 10. Beyond covering the actual Kubernetes Top 10 project, we cover how AppSec has expanded to cover other areas. You not only have to ensure that your application is secure, you need to ensure the security of the environment in which it runs. That environm…
In this episode, I speak with Simon Bennetts, the creator of OWASP Zed Attack Proxy lovingly known as ZAP. We talk about how it all got started, some of the surprises and lessons learned running a wildly successful open source project. We also cover how some security controls can sometimes actually hurt security. It's an interesting discussion I th…

Saving Money the Reski Way: Getting the Most for Your Pentest!
54:51
The boys are back with Mike to discuss how to get the most bang for your buck when scheduling a pentest (mostly boils down to being nice to us please) and things predictably go off the rails. Links: The Official BLS Discord The Official BLS Website The Official BLS Github The Official APotN Twitter
In this episode, Matt Tesauro hosts wirefall to talk about creating and growing a security community and his 26 years of pen testing experience. In wirefall's case, it's the Dallas Hackers Association or DHA. Our conversation includes what motivated him to create DHA, the lessons he's learned, challenges faced and what success looks like today. He …
The boys have found their mics once again and have returned to the digital stage. This stage exists primarily in closets. In the hiatus Sam & Chase have equally lost sanity and the ability to stay on topic for longer than five minutes. Join in and try to follow along for a wild return to season 2. Links: The Official BLS Discord The Official BL…
In this episode, Matt Tesauro hosts Neil Matatall to talk about going beyond 2FA as he relates lessons learned from Twitter and Github on account security. This is another episode with some good nuggets of wisdom and some sound advice for those writing or maintaining APIs. It's obvious that Neil has not only spent time doing solid engineering work …

Special Episode: Be Taught BBOT with TheTechromancer
45:38
In today's episode the boys discuss a new hacker focused OSINT framework created by BLS' Python Superstar Joel. Links: BBOT Spiderfoot Writehat Manspider BLS Discord
In this episode, Matt Tesauro hosts Greg Anderson and Cody Maffucci to talk about OWASP DefectDojo. DefectDojo is an OWASP flagship project that aims to be the single source of truth for AppSec or Product Security teams. It provides a single pane of glass for security programs and can import and normalize over 150 different security tools. I though…

Giving a jot about JWTs: JWT Patterns and Anti-Patterns - OWASP Podcast e002
33:22
In this episode, Matt Tesauro hosts David Gillman about JWT Patterns and Anti-Patterns. I first met David at LASCON in the fall of 2021 when I sat in on his conference talk. Based on David’s experiences with JWTs we discuss where JSON Web Tokens can help and harm developers who use them. It seems like JWTs can be a mixed bag mostly determined by ho…

Threat Modeling using the Force with Adam Shostack - OWASP Podcast e001
47:35
In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous teams how to do threat modeling. Learn what makes a good threat model and some news about a new book from Adam to help further the spread of threat modeling with the end goal of more threat modeling …
Welcome back to the OWASP podcast. In this episode, we're headed to The VOID. I speak with Courtney Nash about the Verica Open Incident Database, otherwise known as The VOID, which is a collection of software-related incident reports available at https://www.thevoid.community/. It's a fascinating discussion about how, by gathering data from The VOI…

Fast Times at SBOM High with Wendy Nather and Matt Tesauro
42:36
Hello, it's Matt Tesauro. Welcome back to my take on the OWASP Podcast. It seems as if I'm turning my episodes into the equivalent of a conference hall track, those wonderful interactions you have at conferences, running between rooms at conferences, meeting up with smart minds you don't see all the time. I have the pleasure of reuniting with Wendy …
“I absolutely hate SAFe!” -- Bryan Finster
That is Bryan Finster, Distinguished Engineer at Defense Unicorns out of Colorado Springs. I was scrolling through LinkedIn a couple days ago, saw a thread on SAFe, The Scaled Agile Framework, and what I was seeing wasn’t exactly… well, what you’d expect to hear about a framework that’s being used by over 2…
Hello, I'm Matt Tesauro, one of the OWASP Podcast co-hosts. I had the opportunity to interview Tanya Janca for this podcast. To be honest, I kind of wish it was a video recording because you'd be able to see the big smiles and vigorous head nodding during the recording. Tanya and I are in violent agreement about all things appsec, and it shows. Ther…
8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 500,000 downloads. It has been a fun project, but it’s time to change things up a bit. There is a lot going on at OWASP, even more going on with the technology industry when it comes to cybersecurity. It…

The InfoSec Color Wheel with Jasmine Henry
27:50
We’ve all heard of “Red Teams” and “Blue Teams” when it comes to cybersecurity. But what about the “Purple Team”, the “Yellow Team” or the “Blue Team”? What are those? In February of 2020, Louis Cremen introduced the InfoSec Colour Wheel to the security community. The wheel expands upon April Wright’s work on bringing builders into the security team…
In this episode Sam & Chase suffer from post engagement delirium. The pair chat about chatting with clients and why technical interviews are not as scary as they seem. Chase slanders Sam. Sam responds with potential libel. Links: Our Discord BLS Risk Assessments MITRE ATT&CK Framework
The APotN Crew is back! We kick off season 2 with a chat (maybe a lecture?) on the new old hotness, Attack Surface Management. A new character will be introduced and we determine our band name. Sam climbs a soap box while Chase hides in a closet. This and much much more in the season 2 premiere! ... we get started on a weird foot. Links BLS Website …

CYA - Cover Your Assets with Chris Roberts
44:16
A couple weeks ago I read an article by Chris Roberts. The headline screamed, “Security Solved!” Security solved? What the hell was he talking about? Everyday there’s a new media storm around the latest breach or ransomware attack. There’s an entire industry built around the idea that security is hard, and the need for special equipment, software an…
It's here - the second part of our first two part series. We complete our discussion around ransomware. Brian sums up the steps used to defend against these attacks. Sam closes out the season by talking too much. Chase uses the c word and doesn't apologize for it (hint... it rhymes with crowd). And that's a wrap on season one! Thanks everyone for l…
We bring back Brian to talk about the Kaseya ransomware incident only to discover 100 related rabbit holes. We do our best to be concise with the topic but obviously we failed and had to make this two parts. Join us as we work through Kaseya's incident from the incident response perspective. Then join us again in two weeks when we finish talking ab…
New guest alert! Jack Ward teaches us about the basics of Reverse Engineering. Sam struggles with remembering things in the morning while over using the word capabilities. While Chase continues to encourage bad corporate spreadsheet etiquette. We work to keep ourselves out of the deep end of software development. The team announces the public Black…
In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Juice Shop Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that …
We couldn't do it. Things at BLS have been pretty busy lately, which means we were not able to pull together a quality episode in time. So, here is Sam briefly talking about our shortcoming. In other news... ANNOUNCEMENT: Only two more episodes are left in our first season! If you have any feedback on the season so far or anything you would like to …
In this episode of the People | Process | Technology podcast, I speak with Simon Bennetts from the Zap Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20t…

Getting Hacked on Your Own Supply... Chain
52:24
Carson comes back! He is rip-roaring ready to talk about Supply Chain Attacks. The crew also hits on the Colonial Pipeline incident, Ukraine, and many other hot button cybersecurity topics. Sam proves he is the fastest googler. Chase has another new mic. Do you like history? If so, topics like the 2013 Target Breach and Stuxnet may interest you. Bo…
Paul is back! This time he takes us hunting. We learn about bug bounties and how to get them. We also talk about some of the best tools of the trade. Can you cross site script your way to being a millionaire? We sure hope so. Links: HackerOne Bugcrowd Synack Darknet Diaries: dawgyg James Kettle HTTP Request Smuggler Param Miner Paul's Blog Paul's T…
Today the gang talks about what it's like to be blue. Chase has a few things to say and may be emotionally scarred. Our guest, Brian O'hara, absolutely enthralls us with his tales of detection. Sam remembers that this one time at the other place... things happened. We also touch on detection analysis, logging management, and incident response in th…

The Cyber Defense Matrix Project with Sounil Yu
22:56
In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security, in part because of his work on the Cyber Defense Matrix, a framework for understanding and navigating your cybersecurity environments. The Cyber Defense Matrix started as a project when Sounil was the Chief Security Scientist at Bank of America. T…
Today we talk to our least and favorite people, ourselves! Inspired by Chase's appreciation for hearing other info sec professional's stories - Sam has Chase tell his story. Jokes about the impossible recruiting expectations are expressed. And this episode can probably be played as an afterschool special for aspiring cybersecurity students. Links: …

Securing Finance Securities for Secure Financials
42:47
On this one we step outside of the "traditional" security mindset and discuss how cybersecurity closely integrates with the business side of an organization. Thomas Preston, a former money man turned hacker man, discusses his unique perspective on the relationship between these two industries. We look at why business knowledge is necessary for an e…

2021 OWASP Top 10 with Andrew van der Stock
15:06
The Top 10 is considered one of the most important community contributions to come out of OWASP. In 2003, just two years after the organization was started, the OWASP Top 10 was created. The purpose of the project was to create an awareness document, highlighting the top ten exploits security professionals should be aware of. Since that time, innumerable …