The OWASP Podcast Series
Episodes
ep2024-12 Tanya Janca: Happy Holidays are Secure Code
23 Dec 2024
Contributed by Lukas
Some production issues caused this one to slip to December, so the intro is a bit off, but this is still a great episode. So, learn some lessons on crea...
ep2024-10 Don't be Scared, It's just a Pen Test with Brad Causey
31 Oct 2024
Contributed by Lukas
There's no reason to be scared about a pen test - especially when it's run by a professional like Brad Causey. I catch up with Brad in this episode to...
ep2024-09 Threat Modeling with Takaharu
25 Sep 2024
Contributed by Lukas
What happens when you get interested in Threat Modeling and you want to share? For some, that means you do one workshop, then another, then another. ...
ep2024-08 OWASP Projects Roundup
30 Aug 2024
Contributed by Lukas
The August episode is a review of projects from a recent OWASP project showcase. We talk to the leaders of the OWASP pytm, OWASP Developer Guide, OWAS...
ep2024-07 Safety belts for AppSec with Lisa Plaggemier
12 Jul 2024
Contributed by Lukas
After a long and unplanned pause, the OWASP podcast is back with a home run of an episode. We have Lisa Plaggemier as our guest who reprises her eloque...
ep2023-09 Vulnerable Data Gathering for AI with Arturo Buanzo Busleiman
02 Oct 2023
Contributed by Lukas
After getting a ping from an old friend about a potential new OWASP project, I had to bring him on as a guest. He's got an interesting idea around pot...
ep2023-08 Finding Next Gen Cybersecurity Professionals with Brad Causey
31 Aug 2023
Contributed by Lukas
For years we've heard talk about a shortage of cybersecurity professionals so what can be done about that? In this episode, I speak to Brad Causey who...
ep2023-07 What's Audit got to do with IT
31 Jul 2023
Contributed by Lukas
In this episode we talk with Zain Haq and take a leap and bound over the first and second line to discover more about the third line - internal audit....
SBOMS, CycloneDX and Dependency Track: Automation for Survival with Steve Springett
27 Jun 2023
Contributed by Lukas
Software supply chain seems to be front and center for technologists, cybersecurity and many governments. One of the early pioneers in this space was ...
AppSec at 40,000 feet
22 May 2023
Contributed by Lukas
In this episode I speak with Jerry Hoff who provides some very interesting perspective on application security especially at scale and from a high lev...
2023-04 Rethinking WAFs: OWASP Coraza
30 Apr 2023
Contributed by Lukas
WAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape....
2023-03 Point of Scary - the POS ecosystem
28 Mar 2023
Contributed by Lukas
In this episode I speak with Aaron about Point of Sale or POS systems. He's been investigating the security of POS systems for quite some time now and...
2023-02 Isolation is just PEACHy
01 Mar 2023
Contributed by Lukas
In this episode I speak with Amitai Cohen who's been thinking a lot about tenant isolation. This is a problem for more than just cloud providers. Anyo...
OWASP Ep 2023-01: Audit, Compliance and automation, Oh my!
31 Jan 2023
Contributed by Lukas
In this episode, I speak with Caleb Queern, one of the authors of "Investments Unlimited" a book I highly recommend you get and read. While the book i...
2022 Year in Review
30 Dec 2022
Contributed by Lukas
In this episode, I go solo and review the last year of podcasts but with a twist. I do my best to compare the topics covered to the OWASP Flagship pro...
You've got some Kubernetes in my AppSec!
28 Nov 2022
Contributed by Lukas
In this episode, I speak with Jimmy Mesta, the project leader of the new OWASP Kubernetes Top 10. Beyond covering the actual Kubernetes Top 10 project...
Little Zap of Horrors
31 Oct 2022
Contributed by Lukas
In this episode, I speak with Simon Bennetts, the creator of OWASP Zed Attack Proxy lovingly known as ZAP. We talk about how it all got started, some...
Breaching the wirefall with community
29 Sep 2022
Contributed by Lukas
In this episode, Matt Tesauro hosts wirefall to talk about creating and growing a security community and his 26 years of pen testing experience. In wi...
Going Way Beyond 2FA
31 Aug 2022
Contributed by Lukas
In this episode, Matt Tesauro hosts Neil Matatall to talk about going beyond 2FA as he relates lessons learned from Twitter and Github on account secu...
Getting Lean and Mean in the DefectDojo
20 Jul 2022
Contributed by Lukas
In this episode, Matt Tesauro hosts Greg Anderson and Cody Maffucci to talk about OWASP DefectDojo. DefectDojo is an OWASP flagship project that aims...
Giving a jot about JWTs: JWT Patterns and Anti-Patterns - OWASP Podcast e002
29 Jun 2022
Contributed by Lukas
In this episode, Matt Tesauro hosts David Gillman about JWT Patterns and Anti-Patterns. I first met David at LASCON in the fall of 2021 when I sat in...
Threat Modeling using the Force with Adam Shostack - OWASP Podcast e001
26 May 2022
Contributed by Lukas
In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous...
The Void: Verica Open Incident Database
05 Apr 2022
Contributed by Lukas
Welcome back to the OWASP podcast. In this episode, we're headed to The VOID. I speak with Courtney Nash about the Verica Open Incident Database, othe...
Fast Times at SBOM High with Wendy Nather and Matt Tesauro
24 Mar 2022
Contributed by Lukas
Hello, it's Matt Tesauro. Welcome back to my take on the OWASP Podcast. It seems as if I'm turning my episodes into the equivalent of a conference hal...
SAFe or UnSAFe at Any Speed
12 Mar 2022
Contributed by Lukas
“I absolutely hate SAFe!” -- Bryan Finster. That is Bryan Finster, Distinguished Engineer at Defense Unicorns out of Colorado Springs. I was scrol...
Tanya Janca - She Hacks Purple
28 Feb 2022
Contributed by Lukas
Hello, I'm Matt Tesauro, one of the OWASP Podcast co-hosts. I had the opportunity to interview Tanya Janca for this podcast. To be honest, I kind of w...
New Ideas. New Voices. New Hosts.
01 Feb 2022
Contributed by Lukas
8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 50...
The InfoSec Color Wheel with Jasmine Henry
10 Jan 2022
Contributed by Lukas
We’ve all heard of “Red Teams” and “Blue Teams” when it comes to cybersecurity. But what about the “Purple Team”, the “Yellow Team” ...
CYA - Cover Your Assets with Chris Roberts
09 Aug 2021
Contributed by Lukas
A couple weeks ago I read an article by Chris Roberts. The headline screamed, “Security Solved!” Security solved? What the hell was he talking ab...
OWASP Flagship Projects - Episode 02
16 Jun 2021
Contributed by Lukas
In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holgue...
OWASP Flagship Projects - Episode 01
04 Jun 2021
Contributed by Lukas
In this episode of the People | Process | Technology podcast, I speak with Simon Bennetts from the Zap Project, Christian Folini from the ModSecurity ...
The Cyber Defense Matrix Project with Sounil Yu
21 Apr 2021
Contributed by Lukas
In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security in 2020, in part because of his work on the Cyber Defens...
2021 OWASP Top 10 with Andrew van der Stock
26 Mar 2021
Contributed by Lukas
The Top 10 is considered one of the most important community contributions to come out of OWASP. In 2003, just two years after the organization was started, ...
The Ops Side of DevSecOps w/ Damon Edwards
29 Jan 2021
Contributed by Lukas
When Shannon Lietz and the team at DevSecOps.org published the DevSecOps Manifesto six years ago, security was uppermost in their minds. The manifesto...
A Note from the Executive Producer
27 Jan 2021
Contributed by Lukas
This is Mark Miller, Executive Producer. Over the years as I’ve produced the show, the topics of focus have followed the trends in the industry. Wha...
A New Vision for the Future of OWASP, with Executive Director, Andrew van der Stock
18 Jul 2020
Contributed by Lukas
OWASP is in a state of discord. Over the past few years, there have been fractures in the community. Recently, there have been arguments on the leader...
Exploring the LinkedIn Algorithm
11 May 2020
Contributed by Lukas
In this episode of the DevSecOps Podcast, we’re going to go off script and explore the LinkedIn algorithm. I could tie this back to DevSecOps, and h...
The Demise of Symantec by Richard Stiennon
20 Mar 2020
Contributed by Lukas
When I read Richard Stiennon's latest article in Forbes, The Demise of Symantec, I thought it was absolutely fascinating. Richard walks through the pr...
Equifax and the Road Ahead w/ Bryson Koehler
04 Mar 2020
Contributed by Lukas
Equifax is trying... I mean REALLY trying... to regain your trust. The Equifax CTO and CISO delivered the keynote at DevSecOps Days during 2020 RSAC. ...
Making Everyone Visible in Tech - Jaclyn Damiano
07 Feb 2020
Contributed by Lukas
If you like what you hear, you can download the entire book at sonatype.com/epicfailures. As we were putting the finishing touches, getting ready to p...
How to Engage 4000 Developers in One Day
14 Nov 2019
Contributed by Lukas
When Derek Weeks and I started All Day DevOps in 2016, we were unsure as to whether anyone would be interested. It's now four years later. Last week we...
Code Rush, DevOps and Google: Software in the Fast Lane
17 Oct 2019
Contributed by Lukas
Shortly after watching the documentary, Code Rush, I met with Tara Hernandez, the hockey stick carrying lead of the Netscape project that was being do...
The Unicorn Project w/ Gene Kim
16 Oct 2019
Contributed by Lukas
Edwards Deming went to post-war Japan in the late 1940s to help with the census. While there, he built relationships with some of the main manufacture...
DevOps, DevSecOps and the Year Ahead w/ Sacha Labourey
07 Oct 2019
Contributed by Lukas
Once a year, Sacha Labourey and I sit down to discuss the past year and what the coming year looks like for DevOps and Jenkins. As CEO of CloudBees, S...
Is it time to trust Equifax again? You decide.
17 Sep 2019
Contributed by Lukas
I was affected by it. You were affected by it. We were all affected by the Equifax breach in September 2017. The truly interesting thing about it is, ...
2019 Global AppSec Conference DC w/ Ben Pick
23 Aug 2019
Contributed by Lukas
OWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest sec...
2019 State of the Software Supply Chain Report
27 Jun 2019
Contributed by Lukas
The 2019 State of the Software Supply Chain Report was released on June 25th. The report is an analysis of the answers from over 5500 participants, al...
The Vanity of Diversity
15 May 2019
Contributed by Lukas
Let's not talk around the subject here... women are underrepresented when it comes to speaking or participating in tech conferences. It's a male domi...
Create and Manage Internal Tech Conferences
08 May 2019
Contributed by Lukas
I produced my first concert at the San Anselmo Playhouse in 1979. It was the first in a series of events that has lasted 40 years. I have produced mor...
Securing the Software Supply Chain - Live Panel for International Conference on Cyber Engagement
06 May 2019
Contributed by Lukas
In April 2019, I was invited to host a panel at the International Conference on Cyber Engagement in Washington DC, to discuss "Securing the Software S...
Tel Aviv and the 2019 Global AppSec Conference
01 May 2019
Contributed by Lukas
When I think of Tel Aviv, I imagine a robust, young culture, living a good, fun life. Not only is the culture conducive to a young life style, its tec...
Perspectives on the "Sec" in DevSecOps w/ Tanya Janca
16 Apr 2019
Contributed by Lukas
If you've read the Phoenix Project, you'll remember Brent, the indispensable cog on the operations team. Brent was a good guy, he wanted to do the rig...
2019 Open Security Summit Preview
09 Apr 2019
Contributed by Lukas
Three years ago there was an idea floating around OWASP... a core community was looking for a way to have an isolated week, where security project wor...
What is an SBOM and Why Should You Care? w/ Allan Friedman
02 Apr 2019
Contributed by Lukas
Open-source components and their use within the software supply chain has become ubiquitous within the past few years. Current estimates are that 80-9...
What is Chaos Engineering, an Interview with Casey Rosenthal
18 Mar 2019
Contributed by Lukas
"Chaos engineering is an empirical practice of setting up experiments to figure out where your system is vulnerable so that you can know that ahead of...
Ladies of London Hacking Society w/ Eliza-May Austin
13 Mar 2019
Contributed by Lukas
The Ladies of London Hacking Society was created by Eliza-May Austin in an act of frustration. Having nowhere to turn to meet other women within the se...
Anticipating Failure through Threat Modeling w/ Adam Shostack
12 Feb 2019
Contributed by Lukas
What am I working on? What can go wrong? What am I going to do about it? Did I do a good job? These are the four questions at the heart of threat mod...
We Are All Special Snowflakes with Chris Roberts
07 Feb 2019
Contributed by Lukas
This is the sixth episode in an eight part series, talking with the authors of "Epic Failures in DevSecOps". In this segment, I speak with Chris Rober...
A Concise Introduction to DevSecOps
18 Jan 2019
Contributed by Lukas
The inclusion of security as an integral piece of the DevOps puzzle continues to gain traction. In this episode of the DevSecOps Days Podcast Series, ...
What's In Store for the AppSec Cali Conference w/ Richard Greenberg
15 Jan 2019
Contributed by Lukas
As if there aren't enough reasons to go to Southern California in the middle of a New York winter, AppSec Cali opens its doors for its 6th Annual OWA...
Epic Failures in DevSecOps w/ Aubrey Stearn
10 Jan 2019
Contributed by Lukas
Aubrey Stearn is the Technical Lead for the Enterprise Cloud Platform at Nationwide. In the broadcast we talk with Aubrey about her chapter, "The Tale...
Strategic Asymmetry - Leveling the Playing Field w/ Chetan Conikee
02 Jan 2019
Contributed by Lukas
"In the past when we were writing software, it was our engineers and our organizations that had total cost of ownership of that software. But now, tha...
Threat Modeling - A Disaster Story with Edwin Kwan
18 Dec 2018
Contributed by Lukas
We continue the "Epic Failures in DevSecOps" series by speaking with Edwin Kwan on his chapter, "Threat Modeling - A Disaster Story". Edwin is Applica...
The DevSecOps Unicorn Rodeo w/ Stefan Streichsbier
14 Dec 2018
Contributed by Lukas
Stefan Streichsbier talks about his chapter, "Unicorn Rodeos", in the just released book, "Epic Failures in DevSecOps". We start with where did the ch...
The DevSecOps Experiment
10 Dec 2018
Contributed by Lukas
DJ Schleen talks about his upcoming 15 part video series, "The DevSecOps Experiment", where he will walk through the setup of a software supply chain,...
Open Source Vulnerabilities - Who is Ultimately Responsible
03 Dec 2018
Contributed by Lukas
In this broadcast, I speak with Chris Roberts and Derek Weeks about lines of responsibility and npm package hijacking in light of the event-stream v...
event-stream: Analysis of a Compromised npm Package
27 Nov 2018
Contributed by Lukas
Once again, the pattern of taking over a known package and modifying it with malicious intent has happened. In this case, it's with the event-stream m...
Spy vs Spy in Application Security: Harvesting Adversaries
02 Nov 2018
Contributed by Lukas
"The guy who wrote wifi software with SSID never imagined that someone could use that SSID to transmit data by writing two smaller applications to lev...
Moving from Projects to Products w/ Mik Kersten
31 Oct 2018
Contributed by Lukas
"If you look inside a large enterprise IT organization, they have this very bizarre and broken layer that's completely separating the way that busines...
The Journey to Open Source at Capital One w/ Tapabrata "Topo" Pal
29 Oct 2018
Contributed by Lukas
Why would you allow open source usage in your company? What are the compelling reasons to take the risk? In this discussion, I talk with Topo Pal and ...
The Future of Software and DevOps / with Sacha Labourey
17 Sep 2018
Contributed by Lukas
"The compensation, the incentives that people have are very much anchored in short term objectives that do not take into account the vision for the b...
How to Build Chapter Engagement at OWASP
17 Sep 2018
Contributed by Lukas
While at 2018 AppSec EU, I spoke with Sam Stepanyan and Grigorios Fragkos, chapter leaders of one of OWASP's largest chapters. The conversation center...
A Message from the Executive Producer
15 Jul 2018
Contributed by Lukas
This is Mark Miller, Executive Producer. 4 years ago I took over the creation and curation of the OWASP podcast series. In that time, there have been ...
2018 AppSec EU London - Conference Preview
19 Jun 2018
Contributed by Lukas
In this episode, I speak with the organizing committee of 2018 AppSec EU, hearing about what's planned and why you should consider attending this inte...
Steps to Responsible Disclosure with Bas van Schaik, Man Yue Mo and Brian Fox
20 Mar 2018
Contributed by Lukas
On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security resea...
RSAC 2018 - Preview of Opening Session for DevOps Connect: DevSecOps Day
26 Feb 2018
Contributed by Lukas
Shannon Lietz, Caroline Wong and Paula Thrasher will give the opening remarks at DevOps Connect: DevSecOps Days on April 16 at the RSAC Conference in ...
HackNYC 2018: Preview with Kevin E. Greene
07 Feb 2018
Contributed by Lukas
Prior to his work as Principal Software Assurance Engineer at MITRE, Kevin E. Greene was R&D Program Manager for the Department of Homeland Security. ...
HackNYC 2018: Preview with Dr. Bill Curtis
01 Feb 2018
Contributed by Lukas
In May, at HackNYC 2018 in New York City, Dr. Bill Curtis' team of Tracie Gerardi and Lev Lesokhin will deliver a presentation on putting an end to "T...
The OpenChain Project with Shane Coughlan
12 Jan 2018
Contributed by Lukas
The OpenChain Project identifies key recommended processes for effective open source management. The project builds trust in open source by making ope...
Expanding Community Engagement at OWASP w/ Greg Anderson
30 Nov 2017
Contributed by Lukas
Newly elected to the OWASP board, Greg Anderson is interested in how to expand the OWASP community. I talked with him about what he hopes to accomplish...
Thoughts on Security in the Modern Software Supply Chain
16 Nov 2017
Contributed by Lukas
Caroline Wong, Paula Thrasher and I were having lunch at DevOps Enterprise Summit when the conversation took an interesting turn. Paula and Caroline h...
Security Processes at the Apache Software Foundation w/ Mark Thomas and Brian Fox
15 Sep 2017
Contributed by Lukas
In our continuing series on the Struts2 vulnerability announcement and the breach at Equifax, we spoke with Mark Thomas, Director, Apache Software Fou...
Struts2 Vulnerabilities: Who Is Responsible?
14 Sep 2017
Contributed by Lukas
A conversation on the ramifications of recent Struts2 announcements, the exploit at Equifax and the responsibility of companies using open source soft...
What you should know about the latest Struts2 vulnerability announcement
07 Sep 2017
Contributed by Lukas
What you should know about the latest Struts2 vulnerability announcement w/ Brian Fox, CTO Sonatype, and Matthew Konda, Chair, OWASP Board of Directo...
OWASP Hacker Kids in Bangalore
29 Aug 2017
Contributed by Lukas
Most of us want to help kids become proficient in programming and cybersecurity, but don't know how to get started or have time to manage such a proje...
Less than 10 Minutes Series: OWASP DockerHub with Simon Bennetts
08 Aug 2017
Contributed by Lukas
Earlier this week, Simon Bennetts from the OWASP ZAP Project announced the official availability of the OWASP DockerHub for housing projects. I caught...
Less than 10 Minutes Series - ModSecurity Core Rule Set Project
12 May 2017
Contributed by Lukas
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the ModSecurity Core Rule Set Pro...
Less than 10 Minutes Series: OWASP Summit 2017
11 May 2017
Contributed by Lukas
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the OWASP Summit 2017 with confer...
Less than 10 Minutes Series: WebGoat Project
11 May 2017
Contributed by Lukas
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the WebGoat Project with project ...
Less than 10 Minutes Series: Vicnum Project
11 May 2017
Contributed by Lukas
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Vicnum Project with project l...
Less than 10 Minutes Series: Defect Dojo Project
10 May 2017
Contributed by Lukas
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Defect Dojo Project with proj...
Less than 10 Minutes Series: Virtual Village Project
10 May 2017
Contributed by Lukas
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Virtual Village Project with ...
Less than 10 Minutes Series: The Juice Shop Project
10 May 2017
Contributed by Lukas
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update of the Juice Shop Project with proje...
AppSec EU 2017, Belfast Keynote Preview with Jaya Baloo
22 Mar 2017
Contributed by Lukas
"Why does OWASP even exist? Why do we even have this idea of understanding common issues, common problems. There are resources to help us do it better...
Struts 2 Vulnerability Analysis
10 Mar 2017
Contributed by Lukas
Brian Fox and Shannon Lietz talk about the recent announcement of the struts 2 vulnerability: What is it, how can it affect you, what you can do about...
AppSec EU 2017 Belfast - What to Expect
18 Feb 2017
Contributed by Lukas
In mid-May I'll be joining the organizing team of AppSec EU 2017 in Belfast for a week of security and DevOps sessions. Listen in as Gary Robinson, Mi...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World
15 Feb 2017
Contributed by Lukas
In preparation for her keynote session at AppSec EU 2017 in Belfast, Shannon Lietz continues to explore the integration of DevOps and security. This i...
Shannon Lietz - Keynote Preview for AppSec EU 2017, Belfast
17 Jan 2017
Contributed by Lukas
Shannon Lietz, DevSecOps Lead at Intuit, will be giving a keynote presentation at AppSec EU 2017, Belfast. I talked with Shannon about what she will b...
2016 AppSec USA - An Update on the WebGoat Project
30 Nov 2016
Contributed by Lukas
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. It is one of the most used ...
2016 AppSec USA: The Core Rule Set Project w/ Chaim Sanders
12 Oct 2016
Contributed by Lukas
The OWASP ModSecurity Core Rule Set Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level...