Wait! Wait! Don’t pwn me! from AppSec Europe 2014

It’s become a regular thing at AppSec: test the experts on their knowledge of current software security news events. This session was recorded at AppSec Europe 2014 with panelists Chris Eng, Matt Tesauro and Josh Corman.

If you’d like to play along, you can view the gameshow slide deck. Looking forward to seeing you at our next AppSec session of “Wait Wait! Don’t pwn me!”

Listen to the entire show

View the Slide Deck of Question and Answers

Eoin Keary on Women in Security and Growing an OWASP Chapter



Eoin (pronounced Owen for you Yankees) Keary runs a software security practice in Ireland. In his “spare time”, he is a global board member for OWASP. At the AppSec Europe 2014 Conference in Cambridge, UK, I spoke with Eoin about how to get more women into the software security industry, starting with their participation in OWASP.

Listen to the interview with Eoin Keary on SoundCloud


About Eoin Keary
Eoin Keary has been with OWASP since 2004. He is based in Ireland and runs a software security practice, bccriskadvisory.com. He is currently on the global board of the OWASP Foundation, to which he was elected in 2009. During this time Eoin assisted in founding the OWASP legal entity in Europe and has helped provide structure to OWASP's finances and strategy.

Eoin previously led the OWASP Testing Guide and currently leads the OWASP Code Review Guide. He has also contributed to other OWASP projects such as OWASP SAMM, the OWASP CISO Guide and CISO Survey, the OWASP Cheat Sheets, and the OWASP ASVS and ZAP as a reviewer. Eoin also founded the OWASP Dublin chapter in 2006 and the OWASP Ireland event in 2008, which is in its 4th year, and also hosted OWASP EU in 2011.

Achim Hoffmann and the o-Saft Project for Scanning SSL Connections



Achim Hoffmann is a researcher who has created a tool that lists information about a remote target's SSL certificate and tests the remote target against a given list of ciphers. This OWASP project, o-Saft, first gained notice when Jim Manico mentioned it on the OWASP email list. At AppSec Europe 2014, I was able to speak with Achim, along with Matt Tesauro, about the function of the tool and its uses.


About the Project
o-Saft is designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important information, or to run the special checks, with a single invocation of the tool. However, it provides a wide range of options so that experienced users can run comprehensive and specialised checks.

o-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can easily be turned into an online CGI tool (please read the documentation first).

About Achim Hoffmann
Co-author, OWASP Best Practices: Projektierung der Sicherheitsprüfung von Webanwendungen (planning security testing of web applications) www.owasp.org/images/0/00/OWASP-…dungen_v101.de.pdf

Author, Sicherheit von Webanwendungen: BSI-Maßnahmenkatalog und Best Practices (security of web applications: BSI safeguards catalogue and best practices)

Contributor to WASC Web Application Firewall Evaluation Criteria

Co-Author OWASP: Best Practices: Web Application Firewalls

Reviewer/Contributor to WASC Threat Classification v1

German translation of the WASC Threat Classification v1

Reviewer/Contributor to WASC Threat Classification v2

The Results Are In: 4th Annual Open Source and Application Security Survey



3300 people responded to the 4th Annual Open Source and Application Security Survey. It’s time to see the results of that survey:

  • 56% have an open source policy (up from 43% last year)
  • Component feature, licensing and security information were deemed most helpful by developers when selecting components
  • 83% source their components from the (Maven) Central Repository
  • 47% don’t actively monitor for changes in security data

The results of the survey, with analysis from Adrian Lane, Analyst/CTO, Securosis, and Brian Fox, VP of Product Management, Sonatype, will be presented in a live online broadcast on Wednesday, June 18, at 1:00pm ET. Adrian will present the AppSec perspective, while Brian will address the Development perspective.

For updated info, check out the survey site and update your calendar. This one is going to be good. The survey was taken right in the midst of the Heartbleed announcement, so it represents the best perspective on the state of open source development and security at the time of Heartbleed.

2014 Survey Results

David A. Wheeler on the Current State of Application Security [AUDIO]



“Typically, people divide the (software) world into cost, schedule, functionality, quality. In my experience, almost everyone when they talk ‘quality’, are excluding security.” — David A. Wheeler

Listen to the entire interview with David A. Wheeler


“We’ve already moved to a mostly componentized world. We now have to understand that we have to update the components as we go along. We need to put tools in the customer’s hands so they can quickly identify, ‘Wow! You’re using a library with 300 known vulnerabilities. I’m not going to use your system until you get your act together.’” — David A.  Wheeler

David Wheeler is a project leader at the Institute for Defense Analyses. He also teaches a graduate class on software security at George Mason University. David has a unique view of security's role as part of the software development life cycle.

In this wide-ranging discussion, we talk about the current state of security, how people are trained (or not trained) to handle security as part of the development process, and what the future looks like for the security industry.

About David A. Wheeler

My professional interests are in improving software development practices for higher-risk software systems (i.e., ones which must be secure, large, and/or safety-critical). My specialties include writing secure programs, vulnerability assessment, open standards, open source software / free software (OSS/FS), Internet/web standards and technologies, and POSIX.


May 9, 2014 – Security from the Inside Out with Chris Eng



This segment of TSWA Network News includes commentary on the South Carolina data breach and a look back one month after Heartbleed.

View the entire segment with Chris Eng



May 7, 2013 – Space Rogue and Mark Miller on Recent Security News



In this segment, Space and I talk about Symantec's announcement that anti-virus software is dead, and then we switch to the known-vulnerability risks in some open source components.

View the video with Space Rogue and Mark Miller

Resources for this segment:
CSO: Symantec develops new business strategy, says AV is dead
4 Open Source Components You Need to Update Right Now

About Space Rogue

Over twenty years in the security industry and a proven ability to use Open Source Intelligence to link disparate events, read between the lines and distill complex technical information into easy to understand and actionable intelligence. Skilled at utilizing social and traditional media to communicate with a wide and varied audience.

Widely sought after for unique views and perceptions of the security industry, I have testified before the Senate Committee on Governmental Affairs and have been quoted in numerous media outlets from Austrian TV to MTV and from Wired to MSNBC. I have spoken on a wide range of topics in front of audiences at OWASP, ISACA, Blackhat, Defcon, BSides, HOPE, Shmoocon, and others.

An early member of the security research think tank known as L0pht Heavy Industries, I helped co-found the Internet security consultancy @Stake. While at L0pht Heavy Industries I created the widely popular Hacker News Network, which, not once but twice, became a major resource on the Internet for information security news.


Omkhar Arasaratnam on Open Source Usage within the Large Enterprise



“I think with development practices, such as CI, we’re going to get to a point that rather than having this one, monolithic milestone where you’re given these hundreds of defects, instead the developer will have the ability to ingest these quality defects as they truly are on a daily or nightly basis as their code is checked in, compiled, assessed and run against the test harness allowing for a lot more of these defects to be addressed a lot earlier in the development cycle.” — Omkhar Arasaratnam

Listen to the entire interview with Omkhar Arasaratnam


In today's show, I talk with Omkhar Arasaratnam, Chief Security Architect at the TD Bank Group, about his work with open source and how component-based software has become ubiquitous within the development environment, finding its way into virtually every corner of today's software.

With his history as an open source developer, Omkhar brings a unique perspective to his role as security architect. We begin today with a story about his realization as to how prevalent open source really is.

About Omkhar Arasaratnam

Omkhar Arasaratnam is the Chief Security Architect for TD Bank Group. He has over 15 years of Information Technology experience. Omkhar has a long history of leading global, multi-billion-dollar projects. He has led organizations to realize their business goals while effectively managing risk and compliance requirements.

Omkhar leads the Enterprise Security Architecture department at TD Bank Group. In this capacity, he has been accountable for revolutionizing the effectiveness of security architecture across the bank. Omkhar is also an accomplished author with several pending patents and is an Open Group certified Master Infrastructure Architect.

Dwayne Melancon, CTO – A Glimpse of the Future at Tripwire



At Source Conference in Boston last month, I sat down several times with Tripwire CTO Dwayne Melancon. Our discussion centered on his work with the development and engineering teams at Tripwire, their use of open source components, the future roadmap for Tripwire, and Dwayne's vision for placing business context around incident response. We start the discussion with an overview of Tripwire.


00:43 Overview of Tripwire
04:27 Tool chain at Tripwire
06:14 Use of Open Source Components
09:10 Roadmap for Tripwire
11:03 Business Context Around Incident Response

About Dwayne Melancon
I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon’s SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles.

As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.