DevSecOps Podcast Series

After a long and unplanned pause, the OWASP podast is back with a home run of an episode. We have Lisa Plaggemier as our guest who reprises her eloquent keynote topic from AppSec DC. All hope isn't lost, we are making progress - just look at safety in the auto industry to understand where we are and where we're going. Links: Lisa's keynote from AppSec DC https://www.youtube.com/watch?v=Rirxc1OXR4Q&list=PLpr-xdpM8wG_3eyVQxB0oXqVJwlNKs85x&index=38&ab_channel=OWASPFoundation Kubikle web series https://kubikleseries.com/ Convene Seattle 2024 event https://staysafeonline.org/programs/events/convene-seattle-2024/

After getting a ping from an old friend about a potential new OWASP project, I had to bring him on as a guest. He's got an interesting idea around potential vulnerabilities in web crawlers which just happen to gather data for so many AI system. We talk about that, Cybersecurity and Government and so much more. Show Links: - LinkedIn https://www.linkedin.com/in/buanzo/ - Github https://www.linkedin.com/in/buanzo/

For years we've heard talk about a shortage of cybersecurity professionals so what can be done about that? In this episode, I speak to Brad Causey who has taken one approach he's found successful. We cover the trade-offs of his approach and how, should you agree with him, you can help fill those troubling vacancies at your company. Show Links: - SecurIT360 https://securit360.com/ - Offensive Security Blog https://offsec.blog/

In this episode we talk with Zain Haq and take a leap and bound over the first and second line to discover more about the third line - internal audit. We discover answers to a number of questions: What role does audit play in the overall cybersecurity of an organization? What does the CISO gain from having an audit function? What makes a good auditor? Learn how to get the most out of audit and what they bring to the table. Special thanks to Tina Turner for inspiring the show title. ;-) Show Links: - Zain Haq: https://www.linkedin.com/in/zainhaq25/

Software supply chain seems to be front and center for technologists, cybersecurity and many governments. One of the early pioneers in this space was Steve Springett with two highly successful projects: OWASP Dependency Track and CycloneDX. In this episode, we catch up with Steve to talk about how he got started in software supply chain management as well as the explosive growth for Dependency Track and ClycloneDX. We also touch on future developments for CycloneDX and places where Steve never expected to see his projects go. Enjoy! Show Links: - OWASP Dependency Track: https://dependencytrack.org/ - Dependency Track Github: https://github.com/DependencyTrack - CycloneDX: https://cyclonedx.org/ - CycloneDX Github: https://github.com/CycloneDX - Software Component Verification Standard: https://scvs.owasp.org/ Social Media links: - https://twitter.com/stevespringett - https://infosec.exchange/@stevespringett - https://www.linkedin.com/in/stevespringett/

In this episode I speak with Jerry Hoff who provides some very interesting perspective on application security especially at scale and from a high level view like that of a CISO. Even if you're not in a senior leadership position, you're likely to be reporting to one. Understanding that point of view can help you successfully frame your work and accomplish your goals. We touch on multiple topics and have some great back and forth that I'm sure will entertain and inform you. Enjoy!

WAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape. The OWASP Coraza is not only asking these questions but putting some Go code behind their ideas. Should WAFs work in a mesh network? Why create an open source WAF? What's next for the OWASP Coraza project? These and more topics are covered in this episode. I had a great time recording it and I think you'll have the same while listening. Show Link: - Coraza Website: https://coraza.io/ - Coraza Github Repo: https://github.com/corazawaf/coraza - Coraza Twitter: https://twitter.com/corazaio - AppSec EU 2023 presentation on Coraza - https://www.youtube.com/watch?v=S_TtvDFmia4

In this episode I speak with Aaron about Point of Sale or POS systems. He's been investigating the security of POS systems for quite some time now and brings to light the state of the POS ecosystem. Buckle your seat belts, this is going to be a bumpy and very interesting ride.

In this episode I speak with Amitai Cohen who's been thinking a lot about tenant isolation. This is a problem for more then just cloud providers. Anyone with a SaaS offering or even large enterprise may want to isolate customers or parts of their business from each other. Several useful items came out of this including the Cloud VulnDB which catalogs security issues in cloud services and the PEACH tenant isolation framework. You may not think you need to worry about tenant isolation, but I bet you should at least keep it in mind. Enjoy! Show Links: - Cloud VulnDB: https://www.cloudvulndb.org/ - PEACH Framework: https://www.peach.wiz.io/ - OWASP Cloud Tenant Isolation Project: https://owasp.org/www-project-cloud-tenant-isolation/

In this episode, I speak with Caleb Queern, one of the authors of "Investments Unlimited" a book I highly recommend you get and read. While the book is fiction, there's a great deal of truth in the story about how automation can work for more than just DevSecOps. Compliance and audit also deserve a seat at the table. Learn how you can get more code out the door, with more safety and a 'risk reduced' smile on the auditors face. Show Links: - Investments Unlimited: https://itrevolution.com/product/investments-unlimited/ - DevOps Automated Governance Reference Architecture: https://itrevolution.com/product/devops-automated-governance-reference-architecture/

In this episode, I go solo and review the last year of podcasts but with a twist. I do my best to compare the topics covered to the OWASP Flagship projects. The goal is to see if the episodes I recorded this year match up with the projects strategically important to OWASP. Plus, the holiday listeners get gifts all around as I cover (and link) the OWASP Flagship projects. Show Links: - (January) New Ideas, New Voices, New Hosts: https://soundcloud.com/owasp-podcast/new-ideas-new-voices-new-hosts - (February) Tanya Janca - She Hack Purple: https://soundcloud.com/owasp-podcast/tanya-janca - SAMM (Software Assurance Maturity Model): https://owaspsamm.org/ - (March) Fast Times at SBOM High: https://soundcloud.com/owasp-podcast/fast-times-at-sbom-high-with-wendy-nather-and-matt-tesauro - CycloneDX: https://cyclonedx.org/ - Dependency-Track: https://dependencytrack.org/ - Dependency-Check: https://jeremylong.github.io/DependencyCheck/ - (April) The VOID: Verica Open Incident Database: https://soundcloud.com/owasp-podcast/the-void-verica-open-incident-database - Web Security Testing Guide: https://owasp.org/www-project-web-security-testing-guide/ - Mobile Application Security Guide: https://mas.owasp.org/ - (May) Threat Modeling using the Force: https://soundcloud.com/owasp-podcast/threat-modeling-using-the-force-with-adam-shostack-owasp-podcast-e001 - ASVS (Application Security Verification Standard): https://owasp.org/www-project-application-security-verification-standard/ - AMASS: https://owasp.org/www-project-amass/ - (June) Giving a jot about JWTs: JWT Patterns and Anti-Patterns: https://soundcloud.com/owasp-podcast/owasp-podcast-giving-a-jot-about-jwts-jwt-patterns-and-anti-patterns - Cheat Sheet Series: https://cheatsheetseries.owasp.org/ - API Top 10: https://owasp.org/www-project-api-security/ - (July) Getting Lean and Mean with DefectDojo: https://soundcloud.com/owasp-podcast/getting-lean-and-mean-in-the-defectdojo - DefectDojo: https://www.defectdojo.org/ - (August) Going Way Beyond 2FA: https://soundcloud.com/owasp-podcast/going-way-beyond-2fa - ModSecurity Core Rule Set: https://coreruleset.org/ - (September) Breaching the wirefall with community: https://soundcloud.com/owasp-podcast/breaching-the-wirefall-with-community - Security Shepherd: https://owasp.org/www-project-security-shepherd/ - Juice Shop: https://owasp.org/www-project-juice-shop/ - Security Knowledge: https://owasp.org/www-project-security-knowledge-framework/ - (October) Little Zap of Horrors: https://soundcloud.com/owasp-podcast/little-zap-of-horrors - Zed Attack Proxy (ZAP): https://www.zaproxy.org/ - OWTF (Offensive Web Testing Framework): https://owtf.github.io/ - (November) You've got some Kubernetes in my AppSec: https://soundcloud.com/owasp-podcast/youve-got-some-kubernetes-in-my-appsec - OWASP Top 10: https://owasp.org/www-project-top-ten/ - CSRFGuard: https://owasp.org/www-project-csrfguard/

In this episode, I speak with Jimmy Mesta, the project leader of the new OWASP Kubernetes Top 10. Beyond covering the actual Kubernetes Top 10 project, we cover how AppSec has expanded to cover other areas. You not only have to ensure that your application is secure, you need to ensure the security of the environment in which it runs. That environment is increasing becoming Kubernetes so what better than talk to someone who's protected Kubernetes clusters for years and trained many others to harden their clusters. Show Links: - OWASP Kubernetes Top 10: https://owasp.org/www-project-kubernetes-top-ten/ - Kubernetes Top 10 Github repo: https://github.com/OWASP/www-project-kubernetes-top-ten - OWASP Kubernetes Security Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html - Mozilla SOPS: https://github.com/mozilla/sops - Hashicorp Valut: https://www.hashicorp.com/products/vault - KSOC: https://ksoc.com/

In this episode, I speak with Simon Bennetts, the creator of OWASP Zed Attack Proxy lovingly known as ZAP. We talk about how it all got started, some of the surprises and lessons learned running a wildly successful open source project. We also cover how some security controls can sometimes actually hurt security. It's an interesting discussion I think you'll enjoy it just in time for Halloween. Show Links: - Zap Website: https://www.zaproxy.org/ - Zap Stats: https://www.zaproxy.org/docs/statistics/ - Zap Community: https://www.zaproxy.org/community/

In this episode, Matt Tesauro hosts wirefall to talk about creating and growing a security community and his 26 years of pen testing experience. In wirefall's case, it's the Dallas Hackers Association or DHA. Our conversation includes what motivated him to create DHA, the lessons he's learned, challenges faced and what success looks like today. He provides some advice for those wanting to get into cybersecurity or be a part of the broader security community. Enjoy. Show Links: - DHA Meetup: https://www.meetup.com/dallas-hackers-association/ - DHA Twitter: https://twitter.com/dallas_hackers - wirefall on Twitter: https://twitter.com/DHAhole

In this episode, Matt Tesauro hosts Neil Matatall to talk about going beyond 2FA as he relates lessons learned from Twitter and Github on account security. This is another episode with some good nuggets of wisdom and some sound advice for those writing or maintaining APIs. It's obvious that Neil has not only spent time doing solid engineering work but he's learned a few things that he's willing to share. Enjoy. Show Links: - OWASP DevSlop Episode: https://www.youtube.com/watch?v=hrAKE6LaizE&ab_channel=OWASPDevSlop - Slide Deck: https://bit.ly/35dcTm0 - Neil on Twitter: https://twitter.com/ndm

In this episode, Matt Tesauro hosts Greg Anderson and Cody Maffucci to talk about OWASP DefectDojo. DefectDojo is an OWASP flagship project that aims to be the single source of truth for AppSec or Product Security teams. It provides a single pane of glass for security programs and can import and normalize over 150 different security tools. I thought that the OWASP podcast might just cover an OWASP project now and then so here we go. Show Links: - https://www.defectdojo.org/ - Github organization: https://github.com/defectdojo - Github main repo: https://github.com/DefectDojo/django-DefectDojo - Pubic Demo info: https://github.com/DefectDojo/django-DefectDojo#demo - Data models (part of the project docs) https://defectdojo.github.io/django-DefectDojo/usage/models/

In this episode, Matt Tesauro hosts David Gillman about JWT Patterns and Anti-Patterns. I first met David at LASCON in the fall of 2021 when I sat in on his conference talk. Based on David's experiences with JWTs we discuss where JSON Web Tokens can help and harm developers who use them. It seems like JWTs can be a mixed bag mostly determined by how you use them. Hopefully this episode will help you avoid any JWT sharp edges if or, more likely, when you work with them. Show Links: - Video of David's presentation at LASCON - https://www.youtube.com/watch?v=xTk4ff0eAUg&list=PLLWzQe8KOh5nv8OBs3j39DNYULfxwv_6V&index=29&ab_channel=LASCON - David Gillman on Twitter - https://twitter.com/primed_mover

In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous teams how to do threat modeling. Learn what makes a good threat model and some news about a new book from Adam to help further the spread of threat modeling with the end goal of more threat modeling and fewer security surprises. Enjoy! Show Links: - Threats Book site: https://threatsbook.com/ - Resources on Adam's website: https://shostack.org/resources

Welcome back to the OWASP podcast. In this episode, we're headed to The VOID. I speak with Courtney Nash about the Verica Open Incident Database, otherwise known as The VOID, which is a collection of software-related incident reports available at https://www.thevoid.community/. It's a fascinating discussion about how, by gathering data from The VOID, we can make the Internet a safer and more resilient place. Courtney was super passionate about the research work she's doing. It was completely fun to chat with her and they've already produced some very interesting conclusions, in the published report available on The VOID website. I had a blast recording this one and I hope you enjoy it. EPISODE LINKS - The VOID: https://www.thevoid.community/ - 2021 Report: https://www.thevoid.community/report - Podcast: https://podcast.thevoid.community/ - Google MTTR report: https://www.oreilly.com/library/view/incident-metrics-in/9781098103163/ (Summarized also in the 2021 VOID report)

Hello, it's Matt Tesauro. Welcome back to my take on the OWASP Podcast. It seems as if I'm turning my episodes into the equivalent of a conference hall track, those wonderful interactions you have at conferences, running between rooms at conferences, meeting up with smart minds you don't see all the time. I have the pleasure of reuniting with Wendy Nather, CISO Advisor Extraordinaire, for this episode. We had a very interesting conversation about Software Bill of Materials (SBOMs). Like many of my interactions with Wendy, I learned from our conversation. She threw out some really good nuggets. I highly recommend looking up Wendy on Twitter (@wendynather). Besides the security wisdom she's going to drop, she's got a hell of a sense of humor. I think it will be worth the follow. Enjoy the episode.

“I absolutely hate SAFe!” -- Bryan Finster That is Bryan Finster, Distinguished Engineer at Defense Unicorns out of Colorado Springs. I was scrolling through LinkedIn a couple days ago, saw a thread on SAFe, The Scaled Agile Framework, and what I was seeing wasn't exactly… well, what you'd expect to hear about a framework that's being used by over 20,000 organizations, including the United States government. Before we get too much into it, here is the definition of SAFe. I took it directly off Scaled Agile, the creators and providers of the SAFe framework: “The Scaled Agile Framework® (SAFe®) is a system for implementing Agile, Lean, and DevOps practices at scale. The Scaled Agile Framework is the most popular framework for leading enterprises because it works: it's trusted, customizable, and sustainable. If you want to build operational excellence, collaboration, responsiveness, and customer satisfaction into your organizational DNA, where do you start? SAFe provides a proven playbook for transformation.” Some people will argue with “because it works”, and Bryan is one of those people. Here's what started the whole thing. Bryan posted this on LinkedIn, “Example of terrible ideas propagated by #SAFe: feature teams. A feature team doesn't own anything. They act as coding mills and have no quality ownership. SAFe recommends them as a method to increase output. It's a hacky workaround for crappy architecture that results in increased support cost and more crappy architecture.” Tell us what you REALLY think, Bryan! In today's broadcast, we talk to three people who have varying degrees of opinions on SAFe: Tracy Bannon, Senior Principal/ Software Architect & DevOps Advisor at Mitre, David Bishop, Certified SAFe 5.0 Program Consultant, and of course, Bryan. Stay with for what's sure to be a fun ride. RESOURCES FROM THIS BROADCAST SAFe: Scaled Agile Framework https://www.scaledagileframework.com/ Bryan Finster https://www.linkedin.com/in/bryan-finster/ Tracy Bannon https://www.linkedin.com/in/tracylbannon/ David Bishop https://www.linkedin.com/in/david-bishop-08528220/

Hello, I'm Matt Tesauro, one of the OWASP Podcast co-hosts. I had the opportunity to interview Tanya Janca for this podcast. To be honest, I kind of wish it was a video recording because you'd be able to see the big smiles and vigorous head nodding during the recording. Tanya and I are in violent agreement about all things appsec, and it shows. There's a nice mix of general advice, war stories, and some good nuggets in this interview. I hope you enjoy it.

8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 500,000 downloads. It has been a fun project, but it's time to change things up a bit. There is a lot going on at OWASP, even more going on with the technology industry when it comes to cybersecurity. It's too much for one person to keep up with. Enter the idea of multiple co-hosts for the podcast. Many of you listening already know of Vandana Verma and Matt Tesauro from their work with OWASP. I called to ask if they'd like to share the platform, producing their own episodes around a chosen concept. In today's episode, Vandana, Matt and I talk about thoughts of an expanded concept for the podcast. We'll each explain what we will be covering in our shows, and what you can expect to hear in the coming year. Our plan is to have three shows, (kind of like NPR programming when I think of it), under one umbrella: The OWASP Podcast Series. Come along with us and we talk through the new series and what it will me to you, as a listener.

We've all heard of “Red Teams” and “Blue Teams” when it comes to cybersecurity. But what about the “Purple Team”, the “Yellow Team” or the “Blue Team”. What are those? In February of 2020, Louis Cremen introduced the InfoSec Colour Wheel to the security community. The wheel expands upon April Wright's work on bringing builders into the security team. The value of the wheel is to show the various types of security teams, seven in all, and the role each plays in security. Jasmine Henry brought the wheel to my attention. As she and I talked, we realized the InfoSec Wheel can be used as a thought exercise to show beginning cybersecurity professionals the various roles they can play within the community. This led to the discussion of careers in cybersecurity and what the near future looks like. In this broadcast, we'll evaluate the wheel, talk through each of the seven personas and give our thoughts on the value of each role, how it works with the other roles, and the basics of what each provides. Let's figure out what your primary color is. Stay tuned… https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700 The OWASP Podcast Series is supported by the Open Web Application Security Project, home to over 240 community driven security projects, including the OWASP Top 10, the Web Security Testing Guide, and the Security Knowledge Framework projects. ABOUT JASMINE HENRY Jasmine Henry is a security practitioner who's used JupiterOne to create a compliant security function at a cloud-native startup. She has 10 years of experience leading security programs, an MS in Informatics and Analytics, and a commitment to mentoring rising security practitioners from underrepresented backgrounds. Jasmine is a Career Village co-organizer for The Diana Initiative security conference. She lives in the Capitol Hill neighborhood of Seattle, WA.

A couple weeks ago I read an article by Chris Roberts. The headline screamed, “Security Solved!” Security solved? What the hell was he talking about. Everyday there's a new media storm around the latest breach or ransomware attack. There's an entire industry built around the idea that security is hard, and the need for special equipment, software and people to even think about being secure. Chris was insistent. He professed that security is not hard nor complicated. Not only does he consider it inexpensive and undemanding to do the right thing, his premise is it's easy to get the simple stuff sorted. I called Chris to get clarification on what he was talking about. As we got deeper into the discussion, we both realized this was a topic that needed more exposure. If there really is a simple way to implement security, the world should hear about it. We invited people to participate in the recording of our discussion. You'll hear us reference people who were online with us, sending chat messages and questions. This session is a little longer that our usual podcast, but what's here is important. Chris says it's easy, I say it's not, and then we get into it. We start when I ask Chris to give us a little about his background. You'll be able to tell right from the start, this isn't going to be your ordinary podcast. Notes for this broadcast: Chris' original article can be found on his LinkedIn feed: https://www.linkedin.com/posts/sidragon1_cybersecurity-management-training-activity-6810995026848485376-58Zs Basic Premise: This isn't hard. This isn't complicated. This doesn't have to be expensive. This doesn't need fancy words This doesn't require gilted certificates This isn't demanding This needs no awards This isn't covered in glory. Step-by-Step Instructions: 1. Assets, what do you have? 2. Assets, where are they? 3. Who's got access to them? 4. What DO they do, what is their purpose? 5. What's on them? 6. Which ones do you need to care about?

In this episode of the People | Process | Technology podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Juice Shop Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. Support for this broadcast is provide by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket… and with support from JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at JupiterOne.com.

In this episode of the People | Process | Technology podcast, I speak with Simon Bennetts from the Zap Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. This is part of an ongoing podcast series, highlighting the OWASP Flagship Projects that will be featured at the OWASP 20th Anniversary Celebration in September. I talk with the project leads to hear what they have been working on for the past year, what their plans are for the coming year, and what we can expect to see at the conference in September. The OWASP 20th Anniversary Celebration is a 24 hour global event, featuring sessions from each of the OWASP flagship projects, leaders of the Top Ten Project, presenters from around the world, and sessions from people who have helped OWASP over the past 20 years. Registration is open, and you can’t beat the cost… it’s free. Even if you can’t attend, please register so you’ll have access to all of the recorded sessions following the conference. For the link check the show notes here on the podcast. Our program was produced today by Executive Editor Mark Miller. Special thanks to today’s guests, Simon Bennetts from the ZAP Project, Christian Folini from the ModSecurity Core Rule Set Project, and Steve Springett from the Dependency Track Project. You can stream our archive of over 160 episodes, for free, at soundCloud.com/owasp-podcast. The show is available on all of your favorite podcasting platforms, including Spotify and Apple Podcasts. Support for this broadcast is provided by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket. Support also provided by JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at https://info.jupiterone.com/get-started.

In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security in 2020, in part because of his work on the Cyber Defense Matrix, a framework for understanding and navigating your cybersecurity environments. The Cyber Defense Matrix started as a project when Sounil was the Chief Security Scientist at Bank of America. The initial problem he focused on with the matrix was how to evaluate and categorize vendors and the solutions they provided. The Cyber Defense Matrix is a structured framework that allows a company to understand who their vendors are, what they do, how they work along side one another, what problem they profess to solve, and ultimately to find gaps in the company’s portfolio of capabilities. In the seven years Sounil has been working on the project, he has developed use cases that make the Cyber Defense Matrix practical for purposes such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. The matrix has been adopted by the OWASP Foundation as a community project. Elements of the matrix have been incorporated into the Center for Internet Security’s (CIS) Top 20 Critical Security Controls. I talked with Sounil to hear how the project was going, what his plans are for the future of the matrix, and what help he can use from the community for expanding its usefulness. ABOUT SOUNIL YU Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

The Top 10 is considered one of the most important community contributions to come out OWASP. In 2003, just two years after organization was started, the OWASP Top 10 was created. The purpose of the project was to create an awareness document, highlighting the top ten exploits security professionals should be aware of. Since that time, innumerable organizations have used it as a guideline or framework for creating security programs. The current Top 10 list was released four years ago, in 2017. As part of a 2021 initiative at OWASP, the OWASP Top 10 is in the process of being updated, and scheduled for release this summer, in time for the OWASP 20th Anniversary Celebration. I was curious as to what has changed over the years with the Top 10, and what to anticipate in the upcoming release. In this broadcast, I talk with Andrew van Der Stock, Executive Direct of OWASP. He explains how the top ten exploits are chosen, the data source for determining the exploits, and the data research done to verify the selections chosen. Our conversation starts with why the OWASP Top 10 is being spotlighted after being static for the past four years. Today’s broadcast is supported by the OWASP 20th Anniversary Celebration, coming September 2021. The CFP is now open for this online, 24 hour conference. Go to OWASP.org for more information. This broadcast is also supported by JupiterOne, providing cyber asset discovery and visibility into your entire cloud native infrastructure. Know more, fear less, with JupiterOne. CFP for OWASP 20th Anniversary Celebration: https://owasp.org/2021/03/08/cfp-20th-anniversary.html

When Shannon Lietz and the team at DevSecOps.org published the DevSecOps Manifesto six years ago, security was uppermost in their minds. The manifesto starts with a call to arms… “Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.” The effect of the DevSecOps movement was not understood by many, other than the handful of practitioners who understood what the team was going after: security is the responsibility of everyone, not just the security team. Security deserves a seat at the DevOps table. Fast forward six years, and security is now not just at the table, but sitting at the head of the table, leading the way. During this transition to focus on security, operations has become the short leg on a three legged stool. What was original a two team party, Dev and Ops, became a threesome, gradually ignoring operations as Developers and Security built a strong relationship. Damon Edwards has been my go-to person when I want to talk to someone about how operations continues to be relevant as the third part of DevSecOps. I caught up with Damon a couple weeks back to talk with him about how the transition to enterprise automation is going in the industry, what has been happening in the past year with the COVID lockdown, and what he’s looking forward to in 2021. I started the conversation, asking how he perceives his role in the DevSecOps Community. ---------- This broadcast is supported by OWASP, the Open Web Application Security Project, host of “Call to Battle” a series of events for gamers, challenge champs, and fun-nerds. Get more information at owasp.org/events… and by JupiterOne.com featuring solutions that help you “Know more. Fear less” by mapping your cyber assets and knowing the relationships between those assets.

This is Mark Miller, Executive Producer. Over the years as I’ve produced the show, the topics of focus have followed the trends in the industry. What was originally called “The OWASP Podcast” became “OWASP 24/7” and then “The DevSecOps Podcast”. Each change brought with it a new audience, extending our community from exclusively OWASP practitioners, to DevOps and DevSecOps advocates. The audience for the podcast has grown, with close to 500,000 listens of the 150 episodes. We’ve covered book launches by speaking with the authors, we’ve talked about industry reports focusing on the Software Supply Chain. Topics have included Chaos Engineering, efforts to create a Software Bill of Materials initiative at the federal level, Threat Modeling and a multitude of other topics. You might have noticed something different, a new name for the podcast, at the beginning of the program today. Keeping a feel of the pulse of the industry is one of the things that interests me most as producer of the series. Currently, People, Process and Technology is starting to get its due The realization that these are not three things, but one thing that is intertwined into a convoluted, unimaginably complex whole is something that deserves our attention, and that will be our focus over the coming year. We’ll talk with practitioners who are creating security patterns for each leg of the People, Process, Technology triptych. We’ll continue to highlight OWASP projects that are focused on security, and how it relates to all aspects of technology. Guests will include leaders in the industry who are responsible for driving security, not as a stand-alone initiative, but as an integrated part of their business. Developing a secure development environment, one that builds quality into the process is something that should be of concern to everyone in that process. My desire is to help expose the practitioners who are thinking about the next generation of security, and how you can use their insights to help us build a safer world. Thank you for your continuing support. I’m excited to be expanding the program and hope you’ll stay with us for People, Process, and Technology. Support for this broadcast is provided by OWASP and JupiterOne.

OWASP is in a state of discord. Over the past few years, there have been fractures in the community. Recently, there have been arguments on the leader email list that have clearly breached the lines of etiquette. Personal attacks, distribution of funds, and complaints of lack of diversity are creating tension among the members. If we, as an organization refuse to confront these issues, there is a real potential we will no longer have relevance to the AppSec community. The in-fighting has become a detriment to chapter leaders and project leaders, who are looking to OWASP for consistent leadership and direction. In early July, the OWASP board announced the appointment of Andrew van der Stock as Executive Director. I called and spoke with Andrew at length about how he intends to confront the existing issues in the organization, and what he hopes to accomplish during his tenure. I have known Andrew for years through his work on the Application Security Verification Standard. As a previous OWASP board member, he has insight into how the board works and how to make changes. In our discussion, we spoke directly about the current problems at OWASP and Andrew's vision for moving the organization forward by confronting existing problems in policy, rewriting sections of the bylaws, and setting up enforcement of those bylaws. Andrew has not set himself an easy task. The push-back is sure to cause more strife in the beginning, but he is determined to implement changes that will make OWASP stronger in the long run, and put us on a course to continue to be a leading role to the AppSec community. In the spirit of transparency and open discussion, Andrew answered every question I had for him. He intends to continue this discussion with the community through the creation of live-online discussions. For now, Andrew is ready to implement his vision for OWASP, as he talks about here. Let's get started.

In this episode of the DevSecOps Podcast, we’re going to go off script and explore the LinkedIn algorithm. I could tie this back to DevSecOps, and how all of us need visibility for our work, or how important it is to build a community around our ideas, but the real reason is… I find this fascinating. One of the largest community engagement platforms in the world encourages us to play their game, but doesn’t tell us what the rules are! How are we to determine the best way to participate, when we have no idea on how to best contribute to maximize our visibility? Because that’s the game we are playing: how do we get, and maintain, visibility for our ideas on LinkedIn. How do we grow that visibility into an audience of our peers in order to contribute and expand those ideas. It is to the benefit of LinkedIn to give basic rules of engagement, but instead of guidelines for participation, we are punished for breaking undefined rules and rewarded for seemingly arbitrary reasons, which we then try to recreate without knowing why they were promoted. To add more complexity to the mix, the rules can change at any time. Is it a loser’s game, or are there fundamental patterns we can surface that will help give some visibility into the LinkedIn algorithm? For years, I’ve been making intuitive guesses as the best way to work on the platform. This lead me to the work of Andy Foote, from LinkedInsights, and Richard van der Blom, founder of Just Connecting, Through their research, they have found patterns that we might be able to use to expand our visibility and engagement on LinkedIn. I say “might”, because when you don’t know the rules, you don’t know when the rules change. On May 8, 2020, Richard, Andy and I sat down to discuss their research into the algorithm that determines how much visibility your content gets on LinkedIn. Andy’s article, “The LinkedIn Algorithm Explained In 25 Frequently Asked Questions” and Richard’s investigations which turned into “The LinkedIn Research Algorithm”, were the basis for our discussion. What I learned from them immediately changed how I engage with LinkedIn. When I say “immediately”, I mean within minutes of talking with them. Resources from this episode Richard van der Blom offers customized LinkedIn training sessions at Just Connecting https://www.justconnecting.nl/en/ Andy Foote offers LinkedIn coaching sessions at LinkedInsights.com The LinkedIn Algorithm Explained In 25 Frequently Asked Questions by Andy Foote https://www.linkedinsights.com/the-linkedin-algorithm-explained-in-25-frequently-asked-questions/ The LinkedIn Algorithm Full Report by Richard van der Blom https://www.slideshare.net/RichardvdBlom/full-report-linked-in-algorithm-july-2019

When I read Richard Stiennon's latest article in Forbes, The Demise of Symantec, I thought it was absolutely fascinating. Richard walks through the process of what happened at Symantec, how it was an acquisition engine for so many years, and now how it's started to decline. I got in touch with Richard and told him I'd like to have him read his article for the podcast, and he responded right away. What you'll hear in this episode is Richard talking about and reading from his article, The Demise of Symantec. Resources for this podcast: The Demise of Symantec, Forbes Online https://www.forbes.com/sites/richardstiennon/2020/03/16/the-demise-of-symantec/#6522117b5fc7 Security Yearbook 2020 https://www.security-yearbook.com/

Equifax is trying... I mean REALLY trying... to regain your trust. The Equifax CTO and CISO delivered the keynote at DevSecOps Days during 2020 RSAC. They contributed to multiple sessions and panels during the conference. The message was consistant: "Yes, we had a major problem. Here's what we're doing about it. Here's what you can learn from us." From a technical perspective, Bryson Koehler, CTO, and Jamil Farshchi, CISO, took on all questions from the audience. Nothing was out of bounds. They stayed after the session to talk one-on-one with those who had more questions. The words I heard most from the audience about the session was 'humility' and 'transparency'. That's a far cry from the poster child of breaches image the company has had to carry since 2017. Bryson and I sat down after the session at DevSecOps Days to go more into detail on what Equifax is working on, not just to re-gain user confidence, but to make a difference in the technology industry when it comes to lessons learned. He and Jamil are in the process of rebuilding the technology infrastructure at Equifax. They want to create a self-service, customer driven platform, that will include security as part of an automated solution to the future of data privacy. They are willing to openly share what they are working on, what has worked, what hasn't worked, all while building transparency into the process so that everyone can learn, not just the engineering team at Equifax. In this episode, we start with how Bryson felt the audience responded to the message from the stage, and what he had hoped to accomplish by stepping into the public spotlight.

If you like what you hear, you can download the entire book at sonatype.com/epicfailures As we were putting the finishing touches, getting ready to publish the latest version of Epic Failures in DevSecOps, I reread Jaclyn Damiano's chapter and was struck by how unique her message is. This is a personal story, one that will resonate with many people in the tech industry. It's a story of beginnings, of hardships, of leadership and finally, how all that combines into something much bigger than a technology solution. It's a story that talks about transforming people, not just companies. What you'll hear in this broadcast is Jaclyn reading her chapter, "Making Everyone Visible in Tech". There's no narrator, no discussion, just Jaclyn in her own words telling the story behind The Athena Project. It's a story of how she and her team took a diverse set of 40 applicants from underserved communities, with little to no technical background, and created a program to train and place those attendees in the tech industry. It's an inspiring story that needs to be heard.

When Derek Weeks and I started All Day DevOps in 2016, we were unsure as to whether anyone would be interested.It's now four years later. Last week we had close to 37,000 people register for the event. We're still trying to wrap our head around the scale of something that generates a world wide audience in the tens of thousands for a 24 hour conference. One of the things that has grown organically from All Day DevOps is a concept called "Viewing Parties". It's an idea the community has created, not something planned by us. Over 170 organizations, meetups or user groups around the world setup a large screen and invited colleagues and friends over to share in the DevOps journeys that were being told throughout the day. Last year, we heard through the grapevine that State Farm had over 600 people show up to participate at their viewing party in Dallas. That's 600 people internally at State Farm. When I heard about it, I knew I had to speak with Kevin ODell, Technology Director and DevOps Advocate at State Farm, the person who coordinated the event. Our initial conversation was a fascinating view into how he pulled off such a large event, internally. We kept in touch throughout the year, leading up to 2019 All Day DevOps. Keeping track of the registrations for Kevin, he soon came to realize what he had created was now a viral event at State Farm. For 2019, State Farm had 4000 of their 6000 developers confirmed to attend All Day DevOps. To me, that's just remarkable. While at the DevOps Enterprise Summit last month, Kevin and I sat down to talk about how he created such an incredible event, the process for getting business buy-in, and how he measures the value of letting 4000 developers collectively watch videos for the day. Even if I wasn't one of the co-founders of All Day DevOps, I'd find this a fascinating story. Stay with us and I think you'll be impressed, too.

Shortly after watching the documentary, Code Rush, I met with Tara Hernandez, the hockey stick carrying lead of the Netscape project that was being documented. We sat down at the Jenkins World Conference in San Francisco to talk about the effect that project had on her career, what she has been doing since with her position at google, and what she hopes to be working on in the coming years. We started our conversation by exploring the relationship between the Netscape project in 1998 and the current state of DevOps. Would DevOps have made a difference... the answer might surprise you.

Edwards Deming went to post-war Japan in the late 1940s to help with the census. While there, he built relationships with some of the main manufacturers in the region, helping them understand the value of building quality into a product as part of the production process, thus lowering time to market, eliminating rework and saving company resources. In his 1982 book, "Out of the Crisis", Deming explained in detail why Japan was ahead of the American manufacturing industry and what to do about. His "14 Points on Quality Management" helped revitalize American industry. Unknowingly, he laid the foundation for DevOps 40 years later. Eli Goldratt published "The Goal" in 1984, focusing on the "Theory of Constraints", the idea that a process can only go as fast as it's slowest part. In fictionalized novel form, Goldratt was able to reach a wide audience who would utilize the theory to help find bottlenecks, or constrainsts, within production that were holding back the entire system. Once again, the theories espoused in The Goal were a precursor to the DevOps movement 40 years later. In January 2013, 40 years after Deming and Goldratt reshaped the manufacturing processes in American, Gene Kim published "The Phoexnix Project". He used the same format as Goldratt, telling the story in a fictional novel format with characters who were easily identifiable within the software manufacturing process, from a manager's point of view. The Phoenix Project is now one of the most important books in the industry, and is used as a starting point for companies interested in participating in a DevOps transformation. It's now six years later, 2019. Gene's new book, The Unicorn Project, will be released at the upcoming DevOps Enterprise Summit in Las Vegas on October 28. This new book has an interesting premise: What was going on with the software development team in the Phoenix Project as the management team was flailing to get the project back on track. It's a novel approach to have parallel timelines in separate books, looking at the same project. In this broadcast, Gene and I talk about how the Unicorn Project aligns with the Phoenix Project, the overlap in storylines, and why he chose to speak for software developers in this iteration of the story. Do a quick review of the Phoenix Project, which is probably already on your bookshelf, and then listen in as we discuss using Deming, Goldratt and Kim as the foundation of the principles of the DevOps movement.

Once a year, Sacha Labourey and I sit down to discuss the past year and what the coming year looks like for DevOps and Jenkins. As CEO of CloudBees, Sacha has broad visibility into the progress of the DevOps/DevSecOps communities. We started our talk this year, commenting on the growth of the Jenkins World conference, with over 2000 attendees... what does Sacha attribute that to and does it coincide with the growth within the DevOps community. We continued our discussion by examining how cultural transformation within a company must align with the tools that are available to help with that transformation. Along the way we touched on where cultural transformation comes from within an enterprise, the question of whether DevOps has yet to jumped the chasm, the tipping point for a company's full acceptance of DevOps patterns, and what does Sacha hope to accomplish in the coming year All Day DevOps: A Supporter of DevSecOps Podcast If you're listening to this podcast, you've probably heard of All Day DevOps. This year, All Day DevOps has expanded to 150 sessions, including 9 sessions dedicated to OWASP projects such as Seba talking about DevOps Assurance with OWASP SAMMv2, the OWASP Security Knowledge Framework with Glen & Ricardo ten Cate, DevSecOps in Azure with OWASP DevSlop featuring Tanya Janca, and an overview of the OWASP Top 10 with Caroline Wong. Simon talking about the OWASP ZAP HUD project is another session not to be missed. All Day DevOps is a free, community event, sponsored and supported by hundreds of organizations like yours from around the world. Registration is free. Go to All Day DevOps dot com to register and start building your schedule. All Day DevOps. All live. All online. All free.

I was affected by it. You were affected by it. We were all affected by the Equifax breach in September 2017. The truly interesting thing about it is, Equifax wasn't the only company hit by the struts 2 vulnerability that day. Many other companies were hit by it within that time period, but Equifax became the poster child for the main stream media. It was just too easy of a target because of consumer visibility. In the two years since the breach, Equifax has been working hard to restore its reputation, not just with consumer protection, but with the companies that depend upon credit data to make real business choices. I wanted to find out what Equifax is doing behind the scenes not just reputation wise, but technology wise when it comes to protecting data. Was it status quo as soon as the buzz died down? Did they pay their fine and go back to business as usual? Or are they making changes under the hood that will make a difference in how financial data is handled and what can be done with it. I met with Sean Davis, Chief Transformation Evangelist at Equifax, while at Jenkins World in August. It had been two years since the breach, and I wanted to hear what was happening internally, what changes have been made and why we should begin to trust Equifax again. I have to say I was surprised. When I sat down with Sean, I thought there would be hesitancy, some caution as to what could and couldn't be talked about. To my surprise, it was a transparent discussion. I asked him questions I wanted to know as a consumer, as well as the technical queries about what's going on under the hood at Equifax, what changes have been made to make my data more secure. Is it time to trust Equifax again? I'll let you decide.

OWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest security tribes in the world. In this episode of the DevSecOps Podcast Series, I speak with Ben Pick one of the organizers of the conference about what's important about this type of gathering and what you can expect when attending. https://dc.globalappsec.org/

The 2019 State of the Software Supply Chain Report was released on June 25th. The report is an analysis of the answers from over 5500 participants, allowing data researchers the ability to extrapolate what the most productive enterprises are doing when it comes to managing the software supply chain, and how that compares to less efficient development practices. The purpose of the analysis was to objectively examine and empirically document, release patterns and hygiene practices across 36,000 open source project teams and 3.7 million open source releases. In this conversation I speak with Derek Weeks, Project Lead for the report, and Stephen Magil, who along with Gene Kim, acted as research partners on the report. If you've been looking for verified research that can be used to help justify a DevOps initiative, or to validate the value of DevOps projects within your company, you'll want to stay with us.

Let's not talk around the subject here... women are under represented when it comes to speaking or participating in tech conferences. It's a male dominated culture. When I saw Lani Rosales had published, "The Ultimate list of Austin women who can speak at your tech event" in response to the complaint that there are no women speakers available in the tech industry, I called her right away. As co-founder of the world's largest DevOps conference, All Day DevOps, and as one of the core organizers of the global DevSecOps Days series of events, I wanted to hear how the list came together, her motiviation for creating the list and how the tech community has responded to an overt call for women speakers. One of the most surprising topics during our conversation was the continual reference to "the vanity of diversity". Lani is opposed to replacing males speakers just for the sake of having a token female speaker or panelists. As she says it, "Let's not remove male speakers, let's add female speakers." When she said that, it resonated with me. That's how true diversity works: add women, don't subtract men. Lani's vision is to make attendees, all attendees, feel welcome, represented and given the feeling that their way of thinking is welcome in the room, in the conference, and in the community. That's the true reason for diversity, and that's what we'll be talking about today. The Ultimate List of Austin Women Who Can Speak at Your Tech Event https://theamericangenius.com/tech-news/austin-women/

I produced my first concert at the San Anselmo Playhouse in 1979. It was the first in a series of events that has lasted 40 years. I have produced more than 300 events and participated in many hundreds more as a speaker and participant. As the producer of this many events, I have an internal map of what to do to make an event successful, the steps to create and manage the logistics of an event, and how to promote them. All Day DevOps, a live online conference I co-founded with Derek Weeks, has over 30,000 registrations yearly. This type of involvement gives me a unique perspective into why an event is successful. In the past few years, I've been sketching out a "How To.." manual on producing successful events. When the book "Building Internal Conferences" came across my radar, my first thought was "Good! Something I won't have to do." After looking through the book, I called authors Matthew Skelton and Victoria Morgan-Smith to trade stories on tips and tricks for managing successful events. You might ask yourself at this point, "Why is this being covered on a tech podcast?" With so much to choose from when it comes to webinars, meetups, user groups and conferences, many companies are choosing to host their own event internally, or participate as supporters of a regional event. Industry conferences such as DevOps Days, DevSecOps Days, and SharePoint Saturday are run by local teams who are engaged in community development and education. This episode of the DevSecOps Podcast focuses on helping you as an event organizer avoid the "Epic Failures" that would stop your event from being a success. Where to find the book: https://confluxdigital.net/conflux-books/book-internal-tech-conferences

In April 2019, I was invited to host a panel at the International Conference on Cyber Engagement in Washington DC, to discuss "Securing the Software Supply Chain". On the panel were four of the top voices in software supply chain management: - Edna Conway, Chief Security Officer, Global Value Chain, at CISCO - Joyce Corell, Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, US Office of the Director of National Intelligence - Bob Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, US Department of Homeland Security - Dr. Suzanne Schwartz, Associate Director for Science & Strategic Partnerships, Center for Devices & Radiological Health, US Food & Drug Administration This episode of the DevSecOps Podcast is the full session from the conference. It is an extended session, running an hour and a half, significantly longer that our usual broadcast. I think you'll find it worth the time. Thank you to the ICCE for allowing rebroadcast of the panel. Pull up a chair, sit back, and listen in as we discuss Securing the Software Supply Chain.

When I think of Tel Aviv, I imagine a robust, young culture, living a good, fun life. Not only is the culture conducive to a young life style, its tech industry continues to gain traction. As Wired Magazine said last August, "Israeli startups have always been high on Silicon Valley shopping lists, but Tel Aviv is beginning to shake off its reputation as Europe’s exit capital." Zebra, the medical diagnostics company, MyHeritage online family tree service, Via ride sharing service, and the Waze navigation app, as well as dozens of other influencial start-ups call Tel Aviv home. This places Tel Aviv at the heart of the tech industry in Isreal and encourages conferences and gatherings on a regional, as well as global scale. In this broadcast, I speak with Avi Douglen and Ofer Moar, co-chairs of the upcoming Global AppSec Conference in Tel Aviv. They are both active participates in OWASP and the security community. I called them to find out more about the conference, how it's different from other conferences and what participants can expect as takeaways from the event. More information and registration: https://telaviv.appsecglobal.org/

If you've read the Phoenix Project, you'll remember Brent, the indispensable cog on the operations team. Brent was a good guy, he wanted to do the right things, all of the right things, but was pulled in all directions because of the lack of a unified plan for the company's project workflow. But what if Brent didn't want to do the "right" thing? What if Brent was more interested in the convenience of getting his work done than he was in the overall health and output of the project. What if he deployed to production without checking into SourceSafe, not just once, but for years. From Tanya janca: I went to our trusty code repository, took a copy of the most recent code. I went looking for the bug, and I couldn't even find it. And then I'm running it locally, and I'm looking at the real one in prod. And they're completely different. I'm like, "What would have happened if I had pushed to prod? If I fixed that bug, and pushed to prod, and not noticed the difference?" And he's like, "All my work would have been gone. That would have been your mistake." I'm like, "Are you kidding?" He's like, "It's just easier if I check it in directly, if I just edit it right on the web server. It's just easier for me." I'm like, "Oh. Is it easier to do a shitty job? No. No, no, no. In today's episode, Tanya Janca, Cloud Security Advocate, Microsoft, expands on her just published article, "DevSecOps: Securing Software in a DevOps World", clarifying each of the 5 tactics she uses to integrate not just security into the software development process, but how to manage people as part of that process. Have a listen...

Three years ago there was an idea floating around OWASP... a core community was looking for a way to have an isolated week, where security project working groups could get together, with no distractions, and work on projects they felt were important. From this idea, the Open Security Summit was founded. Now in it's third year, the summit takes place in an isolated forest located between London and Manchester. The format for the gathering is to present an environment, with no distractions, where the community of 150 security professionals can meet to update each other on their progress in the past year and to choose working groups to outline and work on future projects. This is not a podium lecture series conference. It is a 5-day high-energy experience, during which attendees get the chance to work and collaborate intensively. Each working session is geared towards a specific Application Security challenge and will be focused on actionable outcomes. In this episode, I speak with Seba (Sayba) Deleersnyder, Denis Cruz, Jemma Davis and Francois Raynaud, core organizers of the event, talking about why they started the event, what has changed over the years and what you can expect as an attendee at the Open Security Summit. https://opensecuritysummit.org/

Open-source components and their use within the software supply chain has become ubiquitous within the past few years. Current estimates are that 80-90% of new software applications consist of open-source components and frameworks. Section A9 of the OWASP Top 10 places components with known vulnerabilities as one of the most prevalent and abused parts of the software supply chain, placing it at a security weakness level of three, on a scale from one to three. Quoting from the OWASP description in A9, "Component-heavy development patterns can lead to development teams not even understanding which components they use in their applications or APIs, much less keeping them up to date." In today's episode, I speak with Allan Friedman, Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration. Our talk focused on the creation of a Software Bill of Materials, or an SBOM. As we begin, Allan describes his role in the project and what they hope to accomplish. About Allan Friedman I'm the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, or NTIA. We're a tiny part of the US Department of Commerce, and our mission really is about promoting a free, open, and trustworthy internet. Over the past few years, we've engaged in what we call "multistakeholder processes", trying to identify areas where the entire digital ecosystem can come together on things that they care about and make progress. So the government doesn't have a vested interest in the outcome, we just feel that we'll all be better off if the community can find common ground and consensus.

"Chaos engineering is an empirical practice of setting up experiments to figure out where your system is vulnerable so that you can know that ahead of time and proactively fix some of these vulnerabilities in your system." -- Casey Rosenthal In this broadcast, I speak with Casey Rosenthal about the beginnings of Chaos Engineering and Netflix and how the concept has morphed into a cross-industry community, sharing ideas through local chaos conferences.