Software Security: Industry Influencers

By Mark Miller, Trusted Software Alliance


50 in 50 is a series of interviews with open source security experts from around the world as we work together to manage the security of open source applications.
March 24, 2015
Matthew McCullough is the director of field services at GitHub. While at DevNexus 2015 in Atlanta earlier this month, Matthew and I sat down with Brian Fox, VP of Product Management at Sonatype. The discussion was wide-ranging, covering everything from the prevalence of Java on GitHub, to the patterns of enterprise software development with the DevOps tool chain, to polyglot programming becoming the norm. Part of the discussion covers how Nexus and GitHub work together to create a complementary tool set for the contemporary programmer.

Music for today's broadcast is provided by The George Cole Quintet.
June 10, 2014
"Typically, people divide the (software) world into cost, schedule, functionality, quality. In my experience, almost everyone when they talk 'quality', are excluding security." -- David Wheeler

David Wheeler is a project leader at the Institute for Defense Analyses. He also teaches a graduate class on software security at George Mason University. David has a unique view of security's role as part of the software development life cycle. In this wide-ranging discussion, we talk about the current state of security, how people are trained (or not trained) to handle security as part of the development process, and what the future looks like for the security industry.

"We've already moved to a mostly componentized world. We now have to understand that we have to update the components as we go along. We need to put tools in the customer's hands so they can quickly identify, 'Wow! You're using a library with 300 known vulnerabilities. I'm not going to use your system until you get your act together.'" -- David Wheeler

About David A. Wheeler
My professional interests are in improving software development practices for higher-risk software systems (i.e., ones which must be secure, large, and/or safety-critical). My specialties include writing secure programs, vulnerability assessment, open standards, open source software / free software (OSS/FS), Internet/web standards and technologies, and POSIX. http://www.dwheeler.com/
May 6, 2014
"I think with development practices, such as CI, we're going to get to a point that rather than having this one, monolithic milestone where you're given these hundreds of defects, instead the developer will have the ability to ingest these quality defects as they truly are on a daily or nightly basis as their code is checked in, compiled, assessed and run against the test harness, allowing for a lot more of these defects to be addressed a lot earlier in the development cycle." -- Omkhar Arasaratnam

In today's show, I talk with Omkhar Arasaratnam, Chief Security Architect at the TD Bank Group. I talk with Omkhar about his work with open source and how component-based software has become ubiquitous within the development environment, finding its way into virtually every corner of today's software. With his history as an open source developer, Omkhar brings a unique perspective to his role as security architect. We begin today with a story about his realization of how prevalent open source really is.

About Omkhar Arasaratnam
Omkhar Arasaratnam is the Chief Security Architect for TD Bank Group. He has over 15 years of Information Technology experience. Omkhar has had a long history of leading global, multi-billion-dollar projects. He has led organizations to realize their business goals while effectively managing risk and compliance requirements. Omkhar leads the Enterprise Security Architecture department at TD Bank Group. In this capacity, he has been accountable for revolutionizing the effectiveness of security architecture across the bank. Omkhar is also an accomplished author with several pending patents and is an Open Group certified Master Infrastructure Architect.
April 30, 2014
At Source Conference in Boston last month, I sat down several times with Tripwire CTO Dwayne Melancon. Our discussion centered around his work with the development and engineering teams at Tripwire, their use of open source components, the future roadmap for Tripwire and Dwayne's vision for placing business context around incident response. We start the discussion with an overview of Tripwire.

Highlights
00:43 Overview of Tripwire
04:27 Tool chain at Tripwire
06:14 Use of Open Source Components
09:10 Roadmap for Tripwire
11:03 Business Context Around Incident Response

About Dwayne Melancon
I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon's SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles. As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.
April 10, 2014
Allison Miller caught my attention at the end of her session at 2014 Source Boston when she 'Risk Rolled' the audience and had them sing along with a talking head embedded in her presentation. I knew immediately this was someone I wanted to talk with and get to know. Allison is the President of the Society of Information Risk Analysts, a relatively new organization that is an interest group for practitioners of information risk management. We talk about the mission of the group and why people would want to participate in a risk-based approach to solving problems.

About Allison Miller
Allison Miller (@selenakyle) is Senior Director of Operations at Electronic Arts, where she oversees the business operations of EA's cross-company digital platform. Allison has over 10 years of experience in designing, building and deploying real-time threat detection and prevention systems. Miller is active in the security community and presents research on fraud prevention and account security issues regularly to both industry and government audiences, including the ITWeb Security Summit, Black Hat Briefings, SOURCE Conferences (Boston, Barcelona, Seattle, Dublin), Nordic Security Conference, BruCon, USENIX/Metricon, and RSA. Prior to joining EA, Miller led Tagged's Security & Risk Management team, managed PayPal's Account Risk & Security team and was Director of Product / Technology Risk at Visa International. She is currently the president of the Society of Information Risk Analysts (SIRA).
April 9, 2014
'"It's only metadata" is a mischaracterization that plays into government hands.' -- Bruce Schneier

At the 2014 Source Conference in Boston, I was able to sit down with Bruce Schneier after his keynote to clarify his position on several topics he brought up. The Twitter stream was on fire during his presentation as he described how the power of government and large corporations affects the internet. Where are the boundaries between personal data and corporate/government usage of that data? What is our responsibility in the equation? An interesting observation from Bruce is that the government's insistence that it is only collecting metadata, which according to it has no intrinsic value, presupposes that metadata is somehow less important or less personal when it comes to interrogating the data. This despite the fact that it can be used to generate a network of contacts such as "who your friends are, who your family is, what you're concerned about, where you go, your relationships, your interests", creating an extremely intimate and personal portrait of a person's life.

About Bruce Schneier
I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I write books, articles, and academic papers. Currently, I'm the Chief Technology Officer of Co3 Systems, a fellow at Harvard's Berkman Center, and a board member of EFF.
Jan. 24, 2014
"Increasingly, we're putting our lives on the line in software driven devices. From an industry perspective, we've got to start thinking about how we update these devices over time." -- Wayne Jackson

I have been working with Sonatype as a community advocate for a while, but never had a chance to catch up with Wayne Jackson until now. My main objective was to ask him the things I want to know about the company, what the security market looks like to him as the CEO and how he intends to guide the company in the future. We start the conversation by defining what, exactly, the CEO of a software security company does.

"Ultimately the only way we are going to solve security issues in the cyber realm is to make better software." -- Wayne Jackson

Highlights of our discussion
00:48 What does the CEO of a software security company do
01:07 Why the career transition to software security
02:08 Personal realization of magnitude of software vulnerabilities
02:53 Market differentiation with component security vs code security
04:13 Managing the Central Repository
06:05 Software is everywhere, it's taking over everything
07:11 Choices in managing software security
07:50 Security is an industry problem, not just a software problem
08:30 Create a better ecosystem for security software with community best practices
09:25 Move beyond known vulnerabilities in single components
Nov. 6, 2013
"There are ways through automation, design and testing techniques where we can take what is traditionally a three to six to nine week testing cycle and shrink it into minutes or hours." -- Curtis Yanko

In November of 2013, I was able to catch up with Curtis Yanko, Architectural Manager for CIGNA in Hartford, CT. Our discussion is on the cost curve of fixing defects in the application life cycle and alternatives to current methodologies.

"Most companies waste somewhere between 30% and 40% of their productivity on rework." -- Curtis Yanko

Highlights of the Discussion
00:25 - Analyzing the cost curve of fixing defects
01:45 - The difficulty of proving the cost of fixing a defect
03:15 - The lack of alternatives to current methodologies
04:45 - Some alternatives to current methodologies
06:05 - Managing the security handoff process
07:07 - Real world story on integrating security and developers
13:05 - A wake up call to corporate America
15:40 - Documenting a process based upon real world experience

"It's a fast-paced world. Disruption can come from anywhere, and even if it's not disruption, it could just be very profound change. Your ability to respond and act to that is key to stay in the game over the long haul." -- Curtis Yanko

About Curtis Yanko, Architecture Manager - Clinical IT / DevOps, Cigna
Curtis has experience in improving process and developer productivity to deliver superior and trusted applications that drive competitive differentiation. Curtis has built his career by helping large enterprises modernize their application development and delivery by architecting and implementing DevSecOps processes that ensure trust and collaboration between development, QA, IT Ops, Legal and Security teams. He is a leading advocate for IT transformation through teaching these different enterprise silos how to partner for success.
Oct. 24, 2013
"If you take the big, monolithic testing effort you currently have at the end, and you push it towards the beginning but it remains monolithic, you're not going to get the dramatic increase in efficiency and decrease in cost you expect. It has to be an incremental effect." -- John Steven

One of the things I have recently been investigating is the true cost, the real cost, of security and how that changes based upon where in the application life cycle you are. I was talking with John Steven from Cigital and we agreed it might be good to record our thoughts to see where it leads.

"With security, it's not a question of how far left you can get. It's really a question of are you doing the right things at each step." -- John Steven

Highlights of our Discussion
00:45 - Source of current graphs on cost of application security
03:45 - How can you prove cost savings when including security earlier in the application life cycle
06:30 - Process vs technology
07:45 - How early in development should security be inserted
09:25 - Incremental security within the development process
12:17 - How do you measure the effect and efficiency of moving left

About John Steven
John Steven, Internal CTO. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and led the Northern Virginia OWASP Chapter. John contributed to the Hacking Exposed Mobile book, and speaks regularly at conferences and trade shows.
Oct. 18, 2013
In this morning's news I saw a reference to a project on OWASP that documents the vulnerabilities in web applications and someone who is keeping a public repository of those vulnerabilities. I called and spoke with Simon Bennetts, co-lead of the project with Raul Siles, to hear his thoughts on where this leads and what his vision is for the future of web application security.

Highlights of our Discussion
00:34 - How did the project start
02:50 - Directory vs repository
03:30 - How large is the data set
04:15 - How do you anticipate people will use the information
04:45 - Future vision for the project
05:40 - Final thoughts on bug bounties

About Simon Bennetts
Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He works for Mozilla as part of their Security Team. Bennetts started the OWASP Zed Attack Proxy project, and leads the international group of volunteers who develop it. He is also one of the founders of the OWASP Manchester chapter and the OWASP Data Exchange Format project.