163 episodes

The "People | Process | Technology" podcast is a recorded series of discussions with thought leaders and practitioners who are working on integrating the three areas of business that are most likely to have a massive impact on your business.

People | Process | Technology Podcast People | Process | Technology Podcast

    • Technology
    • 4.5 • 22 Ratings

The "People | Process | Technology" podcast is a recorded series of discussions with thought leaders and practitioners who are working on integrating the three areas of business that are most likely to have a massive impact on your business.

    CYA - Cover Your Assets with Chris Roberts

    CYA - Cover Your Assets with Chris Roberts

    A couple weeks ago I read an article by Chris Roberts. The headline screamed, “Security Solved!”

    Security solved? What the hell was he talking about. Everyday there’s a new media storm around the latest breach or ransomware attack. There’s an entire industry built around the idea that security is hard, and the need for special equipment, software and people to even think about being secure.

    Chris was insistent. He professed that security is not hard nor complicated. Not only does he consider it inexpensive and undemanding to do the right thing, his premise is it’s easy to get the simple stuff sorted. I called Chris to get clarification on what he was talking about. As we got deeper into the discussion, we both realized this was a topic that needed more exposure. If there really is a simple way to implement security, the world should hear about it.

    We invited people to participate in the recording of our discussion. You’ll hear us reference people who were online with us, sending chat messages and questions. This session is a little longer that our usual podcast, but what’s here is important. Chris says it’s easy, I say it’s not, and then we get into it.

    We start when I ask Chris to give us a little about his background. You’ll be able to tell right from the start, this isn’t going to be your ordinary podcast.

    Notes for this broadcast:
    Chris' original article can be found on his LinkedIn feed:
    https://www.linkedin.com/posts/sidragon1_cybersecurity-management-training-activity-6810995026848485376-58Zs

    Basic Premise:
    This isn’t hard.
    This isn’t complicated.
    This doesn’t have to be expensive.
    This doesn’t need fancy words
    This doesn’t require gilted certificates
    This isn’t demanding
    This needs no awards
    This isn’t covered in glory.

    Step-by-Step Instructions:
    1. Assets, what do you have?
    2. Assets, where are they?
    3. Who’s got access to them?
    4. What DO they do, what is their purpose?
    5. What’s on them?
    6. Which ones do you need to care about?

    • 44 min
    OWASP Flagship Projects - Episode 02

    OWASP Flagship Projects - Episode 02

    In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Juice Shop Project.

    This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September.

    Support for this broadcast is provide by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket… and with support from JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at JupiterOne.com.

    • 25 min
    OWASP Flagship Projects - Episode 01

    OWASP Flagship Projects - Episode 01

    In this episode of the People | Process | Technology podcast, I speak with Simon Bennetts from the Zap Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project.

    This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September.

    The OWASP 20th Anniversary Celebration is a 24 hour global event, featuring sessions from each of the OWASP flagship projects, leaders of the Top Ten Project, presenters from around the world, and sessions from people who have helped OWASP over the past 20 years. Registration is open, and you can’t beat the cost… it’s free. Even if you can’t attend, please register so you’ll have access to all of the recorded sessions following the conference. For the link check the show notes here on the podcast.

    Our program was produced today by Executive Editor Mark Miller. Special thanks to today’s guests, Simon Bennetts from the ZAP Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. You can stream our archive of over 160 episodes, for free, at soundCloud.com/owasp-podcast. The show is available on all of your favorite podcasting platforms, including Spotify and Apple Podcasts.

    Support for this broadcast is provided by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket.

    Support also provided by JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at https://info.jupiterone.com/get-started.

    • 22 min
    The Cyber Defense Matrix Project with Sounil Yu

    The Cyber Defense Matrix Project with Sounil Yu

    In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security in 2020, in part because of his work on the Cyber Defense Matrix, a framework for understanding and navigating your cybersecurity environments. The Cyber Defense Matrix started as a project when Sounil was the Chief Security Scientist at Bank of America. The initial problem he focused on with the matrix was how to evaluate and categorize vendors and the solutions they provided.

    The Cyber Defense Matrix is a structured framework that allows a company to understand who their vendors are, what they do, how they work along side one another, what problem they profess to solve, and ultimately to find gaps in the company’s portfolio of capabilities. In the seven years Sounil has been working on the project, he has developed use cases that make the Cyber Defense Matrix practical for purposes such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. The matrix has been adopted by the OWASP Foundation as a community project. Elements of the matrix have been incorporated into the Center for Internet Security’s (CIS) Top 20 Critical Security Controls.

    I talked with Sounil to hear how the project was going, what his plans are for the future of the matrix, and what help he can use from the community for expanding its usefulness.

    ABOUT SOUNIL YU
    Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

    • 22 min
    2021 OWASP Top 10 with Andrew van der Stock

    2021 OWASP Top 10 with Andrew van der Stock

    The Top 10 is considered one of the most important community contributions to come out OWASP. In 2003, just two years after organization was started, the OWASP Top 10 was created. The purpose of the project was to create an awareness document, highlighting the top ten exploits security professionals should be aware of. Since that time, innumerable organizations have used it as a guideline or framework for creating security programs. The current Top 10 list was released four years ago, in 2017.

    As part of a 2021 initiative at OWASP, the OWASP Top 10 is in the process of being updated, and scheduled for release this summer, in time for the OWASP 20th Anniversary Celebration. I was curious as to what has changed over the years with the Top 10, and what to anticipate in the upcoming release. In this broadcast, I talk with Andrew van Der Stock, Executive Direct of OWASP. He explains how the top ten exploits are chosen, the data source for determining the exploits, and the data research done to verify the selections chosen.

    Our conversation starts with why the OWASP Top 10 is being spotlighted after being static for the past four years.


    Today’s broadcast is supported by the OWASP 20th Anniversary Celebration, coming September 2021. The CFP is now open for this online, 24 hour conference. Go to OWASP.org for more information.

    This broadcast is also supported by JupiterOne, providing cyber asset discovery and visibility into your entire cloud native infrastructure. Know more, fear less, with JupiterOne.

    CFP for OWASP 20th Anniversary Celebration: https://owasp.org/2021/03/08/cfp-20th-anniversary.html

    • 15 min
    The Ops Side of DevSecOps w/ Damon Edwards

    The Ops Side of DevSecOps w/ Damon Edwards

    When Shannon Lietz and the team at DevSecOps.org published the DevSecOps Manifesto six years ago, security was uppermost in their minds. The manifesto starts with a call to arms…

    “Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.”

    The effect of the DevSecOps movement was not understood by many, other than the handful of practitioners who understood what the team was going after: security is the responsibility of everyone, not just the security team. Security deserves a seat at the DevOps table. Fast forward six years, and security is now not just at the table, but sitting at the head of the table, leading the way.

    During this transition to focus on security, operations has become the short leg on a three legged stool. What was original a two team party, Dev and Ops, became a threesome, gradually ignoring operations as Developers and Security built a strong relationship.

    Damon Edwards has been my go-to person when I want to talk to someone about how operations continues to be relevant as the third part of DevSecOps. I caught up with Damon a couple weeks back to talk with him about how the transition to enterprise automation is going in the industry, what has been happening in the past year with the COVID lockdown, and what he’s looking forward to in 2021.

    I started the conversation, asking how he perceives his role in the DevSecOps Community.

    ----------

    This broadcast is supported by OWASP, the Open Web Application Security Project, host of “Call to Battle” a series of events for gamers, challenge champs, and fun-nerds. Get more information at owasp.org/events… and by JupiterOne.com featuring solutions that help you “Know more. Fear less” by mapping your cyber assets and knowing the relationships between those assets.

    • 24 min

Customer Reviews

4.5 out of 5
22 Ratings

22 Ratings

DJ Mangus ,

Nice

Worth a listen for any web dev. Could do without the sound effects but content makes dealing with it worth it.

Brian Contos ,

Keep up the great work!

This is an excellent podcast with great interviews. It’s one of the best sources for a wide array of application security information on the net.

rampanteer ,

Very Well Done!

By far, the best podcast dealing with webapp security that I've found.

Top Podcasts In Technology

Listeners Also Subscribed To