Podcast appearances and mentions of Bill Sempf

  • 5 podcasts
  • 15 episodes
  • 43m average duration
  • Infrequent episodes
  • Latest: Mar 12, 2024


Latest podcast episodes about Bill Sempf

Application Security PodCast
Bill Sempf -- Development, Security, and Teaching the Next Generation
Mar 12, 2024 | 39:44 | Transcription available

Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, leading to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's presentation on the Veilid application framework, designed for privacy-driven mobile applications. Bill also explores his efforts in educating children about technology and programming, drawing on his experiences with Kidsmash and other initiatives. Additionally, they delve into the challenges of application security, particularly modern software development practices and the utility of languages like Rust for creating secure applications. Bill concludes with intriguing thoughts on application security trends and the importance of a diverse skill set for both developers and security professionals.

Helpful Links:
Bill's homepage - https://www.sempf.net/
CodeMash conference - https://codemash.org
Veilid Application Framework - https://veilid.com/
Math Without Numbers - https://www.amazon.com/Math-Without-Numbers-Milo-Beckman/dp/1524745545

FOLLOW OUR SOCIAL MEDIA:
Twitter: @AppSecPodcast
LinkedIn: The Application Security Podcast
YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

Application Security PodCast
Bill Sempf — Growing AppSec People and KidzMash
Apr 7, 2019 | 20:13

Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash. The post Bill Sempf — Growing AppSec People and KidzMash appeared first on Security Journey Podcasts.

Brakeing Down Security Podcast
2019-013: ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2
Apr 7, 2019 | 56:35

Announcements:
SpecterOps and Tim Tomes are giving training at WorkshopCon: https://www.workshopcon.com
Rob Cheyne, Source Boston: https://sourceconference.com/events/boston19/
Austin Cybernauts meetup: https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663

SHOW NOTES:
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

The aim of the ASVS (https://github.com/OWASP/ASVS) “is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.”

ASVS team: Daniel Cuthbert (@dcuthbert), Andrew van der Stock, Jim Manico (@manicode), Mark Burnett, Josh C Grossman

ASVS 4.0 (PDF): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
ASVS 4.0 (DOCX): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
Old version (ASVS 3.0.1): https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf
Older BrakeSec episode on ASVS: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

ASVS page 14: “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”

What are the biggest differences between V3 and V4? Why was a change needed?
https://xkcd.com/936/ - the famous XKCD password comic

David Cybuck: Appendix C, IoT
  Why was this added?
  These controls are in addition to all the other ASVS controls?
How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code, containerization?
You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 and http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3

Seems incomplete… (Section 1.13 “API”)
  Will this be added later?
  What is needed to fill that in? (manpower, SMEs, etc.)

3 levels of protection… why have levels at all?
  Why shouldn’t everyone be at Level 3?
  I just don’t like the term ‘bare minimum’ (level 1) --brbr

Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack, Threat Modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA
Cost to get to L2? L3?
https://manicode.com/ - secure coding education
https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Brakeing Down Security Podcast
2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1
Mar 31, 2019 | 51:51

Show Notes
SpecterOps and Tim Tomes are giving training at WorkshopCon: https://www.workshopcon.com
Rob Cheyne, Source Boston: https://sourceconference.com/events/boston19/

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

The aim of the ASVS (https://github.com/OWASP/ASVS) “is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.”

ASVS team: Daniel Cuthbert (@dcuthbert), Andrew van der Stock, Jim Manico (@manicode), Mark Burnett, Josh C Grossman

ASVS 4.0 (PDF): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
ASVS 4.0 (DOCX): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx

Don’t post these links in show notes:
ASVS list (Google Sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd
ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing

Old version (ASVS 3.0.1): https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf
Older BrakeSec episode on ASVS: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

ASVS page 14: “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”

What are the biggest differences between V3 and V4? Why was a change needed?
https://xkcd.com/936/ - the famous XKCD password comic

David Cybuck: Appendix C, IoT
  Why was this added?
  These controls are in addition to all the other ASVS controls?
How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code, containerization?
You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 and http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3

Seems incomplete… (Section 1.13 “API”)
  Will this be added later?
  What is needed to fill that in? (manpower, SMEs, etc.)

3 levels of protection… why have levels at all?
  Why shouldn’t everyone be at Level 3?
  I just don’t like the term ‘bare minimum’ (level 1) --brbr

Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack, Threat Modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA
Cost to get to L2? L3?
https://manicode.com/ - secure coding education
https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Cross Cutting Concerns Podcast
Podcast 111 - Andy Beeker on Office Space
Mar 3, 2019 | 56:00

Andy Beeker is watching Office Space. This episode is not sponsored! Want to be a sponsor? You can contact me or check out my sponsorship gig on Fiverr.

This episode is different than a normal episode of Cross Cutting Concerns! This episode is about an R-rated movie! Normally my podcast is G-rated, but that is not the case for this episode. If you normally listen with children, I recommend you listen to Story Pirates with them instead! This is a long episode: almost an hour. Normally my episodes are around 15 minutes. This is an episode about a (vaguely) technical/computer-related movie. I’ve done a couple of episodes like this in the past: 071 - Bill Sempf on Sneakers and 036 - Kevin Groves on Pirates of Silicon Valley.

Show Notes:
  • We watched Office Space, a 1999 film by Mike Judge. If you haven’t watched it, you should!
  • Inside joke alert: the mention of a "white jimmy". This is a reference to a GMC Jimmy SUV that’s painted white. But suppose someone came up to you and said "I have a white Jimmy" and then paused for 15 seconds…
  • There are many tangents we go on in this episode. Confused? Send me a question, and I will try to clarify.
  • K*Pax - a film you’ve probably never heard of starring Kevin Spacey, Jeff Bridges, and (notable for this podcast) Ajay Naidu.
  • Speaking of Kevin Spacey, if you’re out of the loop, you might want to read up on Anthony Rapp.
  • The video discussed briefly in the episode is 7 Things You (Probably) Didn’t Know About Office Space.
  • Adult Swim is the late night block of Cartoon Network that showed King of the Hill in syndication.
  • Be sure to check out the Office Space soundtrack.
  • Speaking of the "year 2000 switch", check out episode 100 - with Joe Kelly on COBOL.
  • We mentioned Tiger LCD games. Here’s a refresher if you don’t quite remember them.
  • Bob Dole: The Bus Tour

What movie should I tackle next time? Leave some feedback and let me know! Want to be on the next episode? You can! All you need is the willingness to talk about something technical.

Brakeing Down Security Podcast
2019-002: Part 2 of the OWASP IoT Top 10 with Aaron Guzman
Jan 21, 2019 | 46:04

Intro: CFP for BSides Barcelona is open! https://bsides.barcelona

Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html
OWASP Slack: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so… list of “do’s and don’ts”
Sub-projects? Embedded systems, car hacking
Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria?

2018 OWASP IoT Top 10:
  I1 Weak, Guessable, or Hardcoded Passwords
  I2 Insecure Network Services
  I3 Insecure Ecosystem Interfaces
  I4 Lack of Secure Update Mechanism
  I5 Use of Insecure or Outdated Components
  I6 Insufficient Privacy Mechanisms
  I7 Insecure Data Transfer and Storage
  I8 Lack of Device Management
  I9 Insecure Default Settings
  I10 Lack of Physical Hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
  I1 Insecure Web Interface
  I2 Insufficient Authentication/Authorization
  I3 Insecure Network Services
  I4 Lack of Transport Encryption
  I5 Privacy Concerns
  I6 Insecure Cloud Interface
  I7 Insecure Mobile Interface
  I8 Insufficient Security Configurability
  I9 Insecure Software/Firmware
  I10 Poor Physical Security

BrakeSec episode on ASVS: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
OWASP Slack: https://owasp.slack.com/

What didn’t make the list?
How do we get devs onboard with these?
How does someone interested get involved with the OWASP IoT working group?

https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf
https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices
https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

Brakeing Down Security Podcast
2019-001: OWASP IoT Top 10 discussion with Aaron Guzman
Jan 14, 2019 | 36:54

Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html
OWASP Slack: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so… list of “do’s and don’ts”
Sub-projects? Embedded systems, car hacking
Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria?

2018 OWASP IoT Top 10:
  I1 Weak, Guessable, or Hardcoded Passwords
  I2 Insecure Network Services
  I3 Insecure Ecosystem Interfaces
  I4 Lack of Secure Update Mechanism
  I5 Use of Insecure or Outdated Components
  I6 Insufficient Privacy Mechanisms
  I7 Insecure Data Transfer and Storage
  I8 Lack of Device Management
  I9 Insecure Default Settings
  I10 Lack of Physical Hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
  I1 Insecure Web Interface
  I2 Insufficient Authentication/Authorization
  I3 Insecure Network Services
  I4 Lack of Transport Encryption
  I5 Privacy Concerns
  I6 Insecure Cloud Interface
  I7 Insecure Mobile Interface
  I8 Insufficient Security Configurability
  I9 Insecure Software/Firmware
  I10 Poor Physical Security

BrakeSec episode on ASVS: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
OWASP Slack: https://owasp.slack.com/

What didn’t make the list?
How do we get devs onboard with these?
How does someone interested get involved with the OWASP IoT working group?

https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf
https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices
https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

Cross Cutting Concerns Podcast
Podcast 086 - Joel Lord on Passwordless Authentication
Jun 10, 2018 | 16:45

Joel Lord is using passwordless authentication. This episode is sponsored by Smartsheet.

Show Notes:
  • Joel works for Auth0
  • xkcd comic called "password strength"
  • Check out episode 71, Bill Sempf talking about security in the movie 'Sneakers'
  • Slack uses a 'magic link' passwordless system
  • What is a dongle? There are a lot of security dongles; here’s one called ChaosKey.
  • The Auth0 blog
  • Joel’s site: JavaScriptEverything.com
  • Joel Lord is on Twitter.

Want to be on the next episode? You can! All you need is the willingness to talk about something technical. Music is by Joe Ferg, check out more music on JoeFerg.com!

Cross Cutting Concerns Podcast
Podcast 076 - David Giard on Vision Cognitive Services
Apr 1, 2018 | 20:36

David Giard is using Microsoft’s Vision Cognitive Services. This episode is sponsored by Smartsheet.

Show Notes:
  • Check out the last time David was on the show discussing some of the other cognitive services
  • Short URL: microsoft.com/cognitive
  • We discussed facial recognition and security; be sure to check out episode 71 with Bill Sempf for more on that topic.
  • Custom Vision
  • David Giard’s collection of cognitive services resources
  • David’s CognitiveSvcsDemos repository on GitHub
  • Be sure to check out David’s show, Technology and Friends, which is an excellent show and a direct inspiration for this very podcast.
  • David Giard is on Twitter.

Want to be on the next episode? You can! All you need is the willingness to talk about something technical. Music is by Joe Ferg, check out more music on JoeFerg.com!

Cross Cutting Concerns Podcast
Podcast 071 - Bill Sempf on Sneakers
Feb 25, 2018 | 64:27

Bill Sempf and I watched a movie called Sneakers. This episode is sponsored by Smartsheet. This is an extra-large, jumbo-sized, special episode of Cross Cutting Concerns. There's just too much awesome in Sneakers to fit in a 15 minute episode. But don't worry, I'll be back to regular length episodes starting next week!

Show Notes:
  • Sneakers is a 1992 movie. If you haven't seen it yet, go watch it first, because this podcast contains spoilers! It's available to stream on Amazon, and it is well worth a purchase.
  • Check out the incredible cast on IMDb (and also peek at the trivia section)
  • An interview with Bob Abbott
  • RSA - named after Rivest, Shamir, Adleman
  • Intel's 49 qubit chip
  • Fluhrer, Mantin, and Shamir attack on RC4
  • Book: Brute Force: Cracking the Data Encryption Standard by Matt Curtin
  • We mentioned: Dark Web, Deep Web, Tor, look it up
  • OSINT Framework by Justin Nordine
  • Blue Team vs Red Team
  • Conferences: CodeMash, DerbyCon
  • David Kennedy segment on CNN Money
  • Podcast: Security Through Education - Episode 098: Winning the SECTF with Chris & Rachel
  • The Economist cover and story: The world’s most valuable resource is no longer oil, but data
  • Bitcoin was mentioned
  • Paper: Smartphone User Identity Verification Using Gait Characteristics (gait analysis)
  • Comic: XKCD on Security
  • Captain Crunch = John Draper, here's a video from ABC News
  • Tiger Team: Car Dealer Takedown
  • OWASP
  • Bill Sempf is on Twitter.

Want to be on the next episode? You can! All you need is the willingness to talk about something technical. Music is by Joe Ferg, check out more music on JoeFerg.com!

Application Security PodCast
Insecure Deserialization (S03E03) – Application Security PodCast
Feb 2, 2018

Bill Sempf joins to talk insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization, and the specifics of how it applies to “.NET”. Bill gets into his journey to understand these types of vulnerabilities and provides some hints and tips for how you can look for them in your [...] The post Insecure Deserialization (S03E03) – Application Security PodCast appeared first on Security Journey Podcasts.

.NET Rocks!
Helping Developers Build Secure Web Apps with Bill Sempf
Dec 16, 2015 | 59:01

So what does it take to make your web applications secure? Carl and Richard talk to Bill Sempf about his work educating developers on writing secure software. The conversation focuses on the Open Web Application Security Project (OWASP) and all the resources there for securing your web applications. Bill leads the .NET side of OWASP, providing tools, techniques and links for everything you need to build a more secure web application. You'd be amazed how many great security resources are built into the .NET Framework, you just need to know where to look, and OWASP can help you - check it out!

Support this podcast at https://redcircle.com/net-rocks/donations

Brakeing Down Security Podcast
2015-046: Getting Security baked in your web app using OWASP ASVS
Nov 10, 2015 | 36:48

During our last podcast with Bill Sempf (@sempf), we were talking about how to get developers to understand how to turn a vuln into a defect, and how to get a dev to understand how vulns affect the overall quality of the product. During our conversation, the term "ASVS" came up, so we did a quick and dirty session with Bill about this. It's a security #requirements #document that ensures that projects being scoped out are meeting specific security requirements. This can be a valuable ally when your company is creating products or software applications. Bill explains to us this week exactly how you incorporate this into your Secure #SDLC #lifecycle.

#project #management #security #architect

Direct Link: http://traffic.libsyn.com/brakeingsecurity/sempf2.mp3
iTunes Link: https://itunes.apple.com/us/podcast/2015-046-getting-security/id799131292?i=356958476&mt=2
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
Bill's BSides Columbus talk on ASVS: http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf
Bill's Blog: http://www.sempf.net
Bill's Twitter: http://www.twitter.com/sempf
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec

Brakeing Down Security Podcast
2015-045: Care and feeding of Devs, podcast edition, with Bill Sempf!
Nov 4, 2015 | 46:26

When you receive a #pentest or vuln scan report, we think in terms of #SQLi or #XSS. Take that report to your dev, and she/he sees Egyptian hieroglyphics, and we wonder why it's so difficult to get devs to understand. It's a language barrier, folks. They think in terms of defects or how something will affect the customer experience. We think in terms of #vulnerabilities, and what caused the issue. We need to find that common ground, and often that will mean us heading into unfamiliar territory. It doesn't have to be 'us vs. them'. We are supposed to be a team.

Join us this week as we discuss that very topic with Bill #Sempf. Bill has spent nearly 25 years doing software development and security, working as an independent contractor for dozens of companies on hundreds of #software #projects. He helps us figure out how to speak 'dev', and to develop a mindset that will ensure you can get the most out of interactions with developers and coders.

Show notes: http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-045_Bill_Sempf-care_and_feeding_of_devs.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-045-care-feeding-devs/id799131292?i=356366452&mt=2
Bill's #DerbyCon Talk "#Developers: Care and Feeding": http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me11-developers-care-and-feeding-bill-sempf
Bill's Blog: https://sempf.net/
Bill's Twitter: http://www.twitter.com/sempf
Check us out using the #TuneIn App!: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
#RSS: http://www.brakeingsecurity.com/rss