After getting a ping from an old friend about a potential new OWASP project, I had to bring him on as a guest. He's got an interesting idea around potential vulnerabilities in web crawlers which just happen to gather data for so many AI system.

ep2023-08 Finding Next Gen Cybersecurity Professionals with Brad Causey

Aug 31st, 2023 32m 48s

For years we've heard talk about a shortage of cybersecurity professionals so what can be done about that? In this episode, I speak to Brad Causey who has taken one approach he's found successful. We cover the trade-offs of his approach and how

ep2023-07 What's Audit got to do with IT

Jul 31st, 2023 33m 40s

In this episode we talk with Zain Haq and take a leap and bound over the first and second line to discover more about the third line - internal audit. We discover answers to a number of questions: What role does audit play in the overall cybers

SBOMS, CycloneDX and Dependency Track: Automation for Survival with Steve Springett

Jun 27th, 2023 29m 32s

Software supply chain seems to be front and center for technologists, cybersecurity and many governments. One of the early pioneers in this space was Steve Springett with two highly successful projects: OWASP Dependency Track and CycloneDX. In

AppSec at 40,000 feet

May 22nd, 2023 44m 2s

In this episode I speak with Jerry Hoff who provides some very interesting perspective on application security especially at scale and from a high level view like that of a CISO. Even if you're not in a senior leadership position, you're likely

2023-04 Rethinking WAFs: OWASP Coraza

Apr 30th, 2023 29m 14s

WAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape. The OWASP Coraza is not only asking these questions but putting some Go code behind their ide

2023-03 Point of Scary - the POS ecosystem

Mar 28th, 2023 34m 46s

In this episode I speak with Aaron about Point of Sale or POS systems. He's been investigating the security of POS systems for quite some time now and brings to light the state of the POS ecosystem. Buckle your seat belts, this is going to be a

2023-02 Isolation is just PEACHy

Mar 1st, 2023 33m 54s

In this episode I speak with Amitai Cohen who's been thinking a lot about tenant isolation. This is a problem for more then just cloud providers. Anyone with a SaaS offering or even large enterprise may want to isolate customers or parts of the

OWASP Ep 2023-01: Audit, Compliance and automation, Oh my!

Jan 31st, 2023 27m 35s

In this episode, I speak with Caleb Queern, one of the authors of "Investments Unlimited" a book I highly recommend you get and read. While the book is fiction, there's a great deal of truth in the story about how automation can work for more t

2022 Year in Review

Dec 30th, 2022 14m 19s

In this episode, I go solo and review the last year of podcasts but with a twist. I do my best to compare the topics covered to the OWASP Flagship projects. The goal is to see if the episodes I recorded this year match up with the projects stra

You've got some Kubernetes in my AppSec!

Nov 28th, 2022 41m 44s

In this episode, I speak with Jimmy Mesta, the project leader of the new OWASP Kubernetes Top 10. Beyond covering the actual Kubernetes Top 10 project, we cover how AppSec has expanded to cover other areas. You not only have to ensure that you

Little Zap of Horrors

Oct 31st, 2022 33m 9s

In this episode, I speak with Simon Bennetts, the creator of OWASP Zed Attack Proxy lovingly known as ZAP. We talk about how it all got started, some of the surprises and lessons learned running a wildly successful open source project. We also

Breaching the wirefall with community

Sep 29th, 2022 39m 35s

In this episode, Matt Tesauro hosts wirefall to talk about creating and growing a security community and his 26 years of pen testing experience. In wirefall's case, it's the Dallas Hackers Association or DHA. Our conversation includes what moti

Going Way Beyond 2FA

Aug 31st, 2022 30m 45s

In this episode, Matt Tesauro hosts Neil Matatall to talk about going beyond 2FA as he relates lessons learned from Twitter and Github on account security. This is another episode with some good nuggets of wisdom and some sound advice for those

Getting Lean and Mean in the DefectDojo

Jul 20th, 2022 30m 44s

In this episode, Matt Tesauro hosts Greg Anderson and Cody Maffucci to talk about OWASP DefectDojo. DefectDojo is an OWASP flagship project that aims to be the single source of truth for AppSec or Product Security teams. It provides a single

Giving a jot about JWTs: JWT Patterns and Anti-Patterns - OWASP Podcast e002

Jun 29th, 2022 33m 22s

In this episode, Matt Tesauro hosts David Gillman about JWT Patterns and Anti-Patterns. I first met David at LASCON in the fall of 2021 when I sat in on his conference talk. Based on David’s experiences with JWTs we discuss where JSON Web Toke

Threat Modeling using the Force with Adam Shostack - OWASP Podcast e001

May 26th, 2022 47m 35s

In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous teams how to do threat modeling. Learn what makes a good threat model and some news about a n

The Void: Verica Open Incident Database

Apr 5th, 2022 43m 43s

Welcome back to the OWASP podcast. In this episode, we're headed to The VOID. I speak with Courtney Nash about the Verica Open Incident Database, otherwise known as The VOID, which is a collection of software-related incident reports available

Fast Times at SBOM High with Wendy Nather and Matt Tesauro

Mar 24th, 2022 42m 36s

Hello, it's Matt Tesauro. Welcome back to my take on the OWASP Podcast. It seems as if I'm turning my episodes into the equivalent of a conference hall track, those wonderful interactions you have at conferences, running between rooms at confer

SAFe or UnSAFe at Any Speed

Mar 12th, 2022 32m 11s

“I absolutely hate SAFe!” -- Bryan FinsterThat is Bryan Finster, Distinguished Engineer at Defense Unicorns out of Colorado Springs. I was scrolling through LinkedIn a couple days ago, saw a thread on SAFe, The Scaled Agile Framework, and wha

Tanya Janca - She Hacks Purple

Feb 28th, 2022 48m 24s

Hello, I'm Matt Tesauro, one of the OWASP Podcast co-hosts. I had the opportunity to interview Tanya Janca for this podcast. To be honest, I kind of wish it was a video recording because you'd be able to see the big smiles and vigorous head nod

New Ideas. New Voices. New Hosts.

Feb 1st, 2022 18m 21s

8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 500,000 downloads. It has been a fun project, but it’s time to change things up a bit.There is

The InfoSec Color Wheel with Jasmine Henry

Jan 10th, 2022 27m 50s

We’ve all heard of “Red Teams” and “Blue Teams” when it comes to cybersecurity. But what about the “Purple Team”, the “Yellow Team” or the “Blue Team”. What are those?In February of 2020, Louis Cremen introduced the InfoSec Colour Wheel to th

CYA - Cover Your Assets with Chris Roberts

Aug 9th, 2021 44m 16s

A couple weeks ago I read an article by Chris Roberts. The headline screamed, “Security Solved!”Security solved? What the hell was he talking about. Everyday there’s a new media storm around the latest breach or ransomware attack. There’s an

OWASP Flagship Projects - Episode 02

Jun 16th, 2021 25m 5s

In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Jui