Podcast appearances and mentions of jim manico

  • 22 podcasts
  • 41 episodes
  • 34m average duration
  • Frequency: infrequent episodes
  • Latest: Mar 6, 2025

POPULARITY (chart covering 2017 to 2024)

Latest podcast episodes about jim manico

ITSPmagazine | Technology. Cybersecurity. Society
Turning Developers into Security Champions: The Business Case for Secure Development | A Manicode Brand Story with Jim Manico

Mar 6, 2025 | 42:25

Organizations build and deploy applications at an unprecedented pace, but security is often an afterthought. This episode of ITSPmagazine's Brand Story features Jim Manico, founder of Manicode Security, in conversation with hosts Sean Martin and Marco Ciappelli. The discussion explores the current state of application security, the importance of developer training, and how organizations can integrate security from the ground up to drive better business outcomes.

The Foundation of Secure Development

Jim Manico has spent decades helping engineers and architects understand and implement secure coding practices. His work with the Open Web Application Security Project (OWASP), including contributions to the OWASP Top 10 and the OWASP Cheat Sheet Series, has influenced how security is approached in software development. He emphasizes that security should not be an afterthought but a fundamental part of the development process.

He highlights OWASP's role in providing documentation, security tools, and standards like the Application Security Verification Standard (ASVS), which is now in its 5.0 release. These resources help organizations build secure applications, but Manico points out that simply having the guidance available isn't enough—engineers need the right training to apply security principles effectively.

Why Training Matters

Manico has trained thousands of engineers worldwide and sees firsthand the impact of hands-on education. He explains that developers often lack formal security training, which leads to common mistakes such as insecure authentication, improper data handling, and vulnerabilities in third-party dependencies. His training programs focus on practical, real-world applications, allowing developers to immediately integrate security into their work.

Security training also helps businesses beyond just compliance. While some companies initially engage in training to meet regulatory requirements, many realize the long-term value of security in reducing risk, improving product quality, and building customer trust. Manico shares an example of a startup that embedded security from the beginning, investing heavily in training early on. That approach helped differentiate them in the market and contributed to their success as a multi-billion-dollar company.

The Role of AI and Continuous Learning

Manico acknowledges that the speed of technological change presents challenges for security training. Frameworks, programming languages, and attack techniques evolve constantly, requiring continuous learning. He has integrated AI tools into his training workflow to help answer complex questions, identify knowledge gaps, and refine content. AI serves as an augmentation tool, not a replacement, and he encourages developers to use it as an assistant to strengthen their understanding of security concepts.

Security as a Business Enabler

The conversation reinforces that secure coding is not just about avoiding breaches—it is about building better software. Organizations that prioritize security early can reduce costs, improve reliability, and increase customer confidence. Manico's approach to education is about empowering developers to think beyond compliance and see security as a critical component of software quality and business success.

For organizations looking to enhance their security posture, developer training is an investment that pays off. Manicode Security offers customized training programs to meet the specific needs of teams, covering topics from secure coding fundamentals to advanced application security techniques. To learn more or schedule a session, Jim Manico can be reached at Jim@manicode.com.

Tune in to the full episode to hear more insights from Jim Manico on how security training is shaping the future of application security.

Learn more about Manicode: https://itspm.ag/manicode-security-7q8i

Note: This story contains promotional content.

Guest: Jim Manico, Founder and Secure Coding Educator at Manicode Security | On LinkedIn: https://www.linkedin.com/in/jmanico/

Resources

Download the Course Catalog: https://itspm.ag/manicode-x684

Learn more and catch more stories from Manicode Security: https://www.itspmagazine.com/directory/manicode-security

Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story

ITSPmagazine | Technology. Cybersecurity. Society
Application Security: Standards, UI, Identity, Access, Cryptography, Process, and More | An OWASP AppSec Global Lisbon 2024 Conversation with Jim Manico | On Location Coverage with Sean Martin and Marco Ciappelli

Jun 14, 2024 | 31:41

Guest: Jim Manico, Founder and Secure Coding Educator, Manicode Security
On LinkedIn | https://www.linkedin.com/in/jmanico/
On Twitter | https://x.com/manicode

Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

Episode Notes

In this episode of On Location with Sean and Marco, host Sean Martin engages in a compelling discussion with Jim Manico about the current landscape of application security. Jim, a notable leader in the field, delves into several critical topics surrounding application security and its evolving challenges.

The conversation opens by touching on the significant influence of artificial intelligence (AI) on application security, suggesting a future episode dedicated entirely to exploring this complex topic. They then shift focus to the necessity of having a formalized approach when dealing with security vulnerabilities. Jim underscores the importance of planning and preparation before tackling security threats, emphasizing that structured processes lead to more effective management of potential issues.

A significant portion of the dialogue explores the challenges associated with identifying and managing vulnerable or outdated libraries within codebases. Jim and Sean discuss how modern development practices often lead to the incorporation of various libraries, each of which can introduce potential security risks if not properly maintained. The intricacies of keeping these libraries updated to prevent vulnerabilities are highlighted, including the frequent necessity of updating or replacing libraries to ensure robust security.

Jim also touches upon the noise generated by automated security findings, which can overwhelm development teams with alerts and potential issues. He stresses the value of effectively prioritizing and addressing these findings to ensure that the most critical vulnerabilities are tackled promptly, reducing the risk of exploitation.

Throughout the episode, Jim and Sean highlight the balance that must be struck between developing new features and maintaining a secure, resilient application environment. Ensuring that security is integrated into the development lifecycle rather than being an afterthought is a recurring theme in their discussion.

This engaging episode provides listeners with a deep dive into the strategic and tactical aspects of application security, offering valuable insights and practical advice on navigating the often complex and ever-evolving security landscape.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

Follow our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal

On YouTube:

Redefining CyberSecurity
Application Security: Standards, UI, Identity, Access, Cryptography, Process, and More | An OWASP AppSec Global Lisbon 2024 Conversation with Jim Manico | On Location Coverage with Sean Martin and Marco Ciappelli

Jun 14, 2024 | 31:41


Future of Application Security
EP 47 — Manicode Security's Jim Manico on Addressing OWASP Top Ten Issues Through Better Security and Developer Partnerships

Oct 18, 2023 | 26:38

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Jim Manico, Founder and CEO of Manicode Security, a secure coding education firm. They discuss the various challenges around certain items on the OWASP Top Ten list, including server side request forgery and access control, and how security and developers can partner for better logging and alerting. They also talk about the courses Jim offers and why the biggest one in demand today is AI and security.

Topics discussed:
  • What are the biggest changes in the OWASP Top Ten, and the challenges that accompany two of the list's issues: server side request forgery and access control.
  • What issue is Jim surprised to see on the OWASP Top Ten.
  • How developers and security can work more closely together to create a better approach to logging and alerting.
  • Why the best approach to DevOps is to have it as a service and a liaison team, not as a merger of individuals from across the organization.
  • Why training on AI and security is increasing in demand today.
  • How security professionals and developers are like professional wrestling superstars.

The CyberCast
CIS Control 16 - Application Software Security - Sponsored by Manicode

Mar 14, 2023 | 66:54

CIS Control 16 - Application Software Security

The way in which we interact with applications has changed dramatically over the years. Organizations use applications in day-to-day operations to manage their most sensitive data and control access to system resources. Instead of traversing a labyrinth of networks and systems, attackers today see an opening to turn an organization's applications against it to bypass network security controls and compromise sensitive data.

NOTE: CrowdStrike notes that cloud-based attacks and initial access via these systems have increased 112%; therefore SaaS applications, their potential vulnerabilities and misconfigurations, along with initial access, are all being focused on by threat actors.

**Jim Manico at minute 52:40 - do not miss!!**

Our sponsor: Jim Manico, Founder of Manicode, is considered the "Godfather" of the OWASP Top 10 and trains software development teams around the globe. His firm helps organizations build secure code and creates programs to address the primary cause of insecurity, which is the lack of secure software development practices. Contact Jim here: https://manicode.com/

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/

GOTO - Today, Tomorrow and the Future
Expert Talk: Software Security • Jim Manico & John Steven

Aug 5, 2022 | 47:18 | Transcription available

This interview was recorded for GOTO Unscripted. gotopia.tech
Read the full transcription of this interview here

Jim Manico - Founder at Manicode Security & Co-Author of "Iron-Clad Java"
John Steven - Founding Principal at Aedify Security & CTO at Concourse Labs

DESCRIPTION

Security is a key topic in software. Lately, it has shifted from a security team responsibility to a task every single developer has to think about. Jim Manico, Founder and Secure Coding Educator at Manicode Security, and John Steven, the Founding Principal at Aedify Security, assess the evolution of the security role in order for developers to make the right decisions.

RECOMMENDED BOOKS

Jim Manico & August Detlefsen • Iron-Clad Java
Liz Rice • Container Security
Liz Rice • Kubernetes Security
Aaron Parecki • OAuth 2.0 Simplified
Aaron Parecki • OAuth 2.0 Servers
Aaron Parecki • The Little Book of OAuth 2.0 RFCs
Erdal Ozkaya • Cybersecurity: The Beginner's Guide
Richer & Sanso • OAuth 2 in Action
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0

Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket at gotopia.tech

SUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted almost daily.

WE'RE IN!
Jim Manico on Secure Coding, OWASP and Being a Decent Human

May 3, 2022 | 49:25

Jim Manico is full of opinions. The founder of Manicode Security has advice on how to use the OWASP Top 10, on secure coding and especially on the OWASP Application Security Verification Standard (ASVS). He has advice for people starting out in security and all-around thoughts on what it means to be a decent person. Jim is definitely one of those! He's also an educator, author, investor and entrepreneur. There are so many reasons to listen to this episode. Here are just a few:
  • Hear from one of the leading educators focused on helping developers code securely.
  • Learn more about all the important projects and initiatives happening at OWASP.
  • Get Jim's perspective on how organizations can best implement DevSecOps.

Key quotes:
  • "Honestly, you shouldn't be basing a security program on the OWASP Top 10. The Top 10 is meant for one purpose only: awareness. This is not just my opinion. This is actually codified in the introduction of the Top 10."
  • "Being a decent human being, being a community supporter, trying to help people out, giving free talks: you can call it being a decent person, but it's also a good life and business strategy."
  • "Learn how to f-ing code. And you don't have to be an expert at it. You don't have to be a software engineer, but if you're an IT professional and you don't even understand the basics of coding, it's going to limit your capability because the best pentesters I know write scripts."

Related links:
  • https://manicode.com/
  • https://owasp.org/www-project-top-ten/
  • https://owasp.org/www-project-application-security-verification-standard/
  • https://www.synack.com/

DevSec For Scale Podcast
Proactively Building Secure Software w/ Josh Grossman, Bounce Security

Apr 11, 2022 | 23:19

It seems like security is mostly a passive game, as developers usually think about fixing issues rather than building security into their applications and development lifecycles. In this episode, I talk to Josh Grossman, CTO at Bounce Security and OWASP Israel Board Member, about the Top 10 Proactive Controls project by OWASP (The Open Web Application Security Project). Josh walks us through how to think about security risks as well as understand what controls need to be put in place to ensure your applications are secure from day one.

Ways you can reach out to Josh:
Twitter: https://twitter.com/JoshCGrossman
Email: josh(at)bouncesecurity.com
The training mentioned about tool processes: https://twitter.com/JoshCGrossman/sta...

OWASP links:
Main page: https://owasp.org/
Upcoming events: https://owasp.org/events/
OWASP Top Ten Proactive Controls project: https://owasp.org/www-project-proacti... (Credit to Katy Anton, Jim Bird and Jim Manico, who are the project leaders)

Cyber Security & Cloud Podcast
CSCP S03E07 - Jim Manico - Appsec in modern world and DevSecOps methodologies

Feb 20, 2022 | 35:00

It is a pleasure to host again our good friend Jim. Jim Manico is an AppSec enthusiast, educator, the Manicode founder, an investor, Java Champion, and an OWASP leader. This passionate conversation revolves around the new OWASP Top 10, reference architecture, threat modelling, SMS authentication, and TLS certificates.

The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register

0:00 Introduction
0:28 Jim's background
1:50 OWASP Top 10 Old and New
4:05 Secure design and threat modelling
9:55 Reference architecture
14:15 Follow through and scale
16:30 Security bugs
18:13 Authentication
24:32 JWT
27:45 TLS certificates
31:50 Zero trust
32:14 Positive Message
33:50 Connect with Jim
35:00 Outro

Jim Manico
Twitter @manicode
linkedin.com/in/jmanico
manicode.com

Cyber Security and Cloud Podcast hosted by Francesco Cipollone
Twitter @FrankSEC42 #CSCP #cybermentoringmonday
cybercloudpodcast.com

Social Media Links
Follow us on social media to get the latest episodes:
Website: http://www.cybercloudpodcast.com/
You can listen to this podcast on your favourite player:
iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ
LinkedIn: https://www.linkedin.com/company/35703565/admin/
Twitter: https://twitter.com/podcast_cyber
YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/

DevSecOps Podcast Series
New Ideas. New Voices. New Hosts.

Feb 1, 2022 | 18:21

8 years ago I took over the OWASP Podcast from Jim Manico, originator of the project. In that time over 160 episodes have been published, with over 500,000 downloads. It has been a fun project, but it's time to change things up a bit. There is a lot going on at OWASP, and even more going on with the technology industry when it comes to cybersecurity. It's too much for one person to keep up with. Enter the idea of multiple co-hosts for the podcast. Many of you listening already know of Vandana Verma and Matt Tesauro from their work with OWASP. I called to ask if they'd like to share the platform, producing their own episodes around a chosen concept. In today's episode, Vandana, Matt and I talk about thoughts of an expanded concept for the podcast. We'll each explain what we will be covering in our shows, and what you can expect to hear in the coming year. Our plan is to have three shows (kind of like NPR programming when I think of it) under one umbrella: The OWASP Podcast Series. Come along with us as we talk through the new series and what it will mean to you, as a listener.

Cyber Security & Cloud Podcast
CSCP S01E10 - Jim Manico - Part 2 - AppSec OWASP and DevSecOps

Oct 24, 2021 | 26:54

CSCP is bringing back season 1 in a newly remastered version. This is part 2 of the interview with Jim Manico. Jim and Francesco address some of the criticisms of OWASP, discuss what makes a chapter great, and the future of cyber security.

The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register

0:00 Intro
0:27 Fixing the legacy problem
7:00 Critics of OWASP
13:00 OWASP can't be tamed
16:26 Order VS chaos
22:20 What makes a chapter great
24:04 Final positive message
26:18 Closing words
26:54 Outro

Jim Manico
Twitter @manicode
https://www.linkedin.com/in/jmanico/

Cyber Security and Cloud Podcast hosted by Francesco Cipollone
Twitter @FrankSEC42 #CSCP #cybermentoringmonday
cybercloudpodcast.com

Social Media Links
Follow us on social media to get the latest episodes:
Website: http://www.cybercloudpodcast.com/
You can listen to this podcast on your favourite player:
iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ
LinkedIn: https://www.linkedin.com/company/35703565/admin/
Twitter: https://twitter.com/podcast_cyber
YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/

Cyber Security & Cloud Podcast
CSCP S01E10 - Jim Manico - AppSec OWASP and DevSecOps

Oct 18, 2021 | 26:10

CSCP is bringing back season 1 in a newly remastered version. Jim Manico is the Founder and Secure Coding Instructor at Manicode Security, a member of OWASP, and an AppSec enthusiast. In part 1 of this lively conversation, Jim and Francesco discuss Netflix, automated security, and the complex problem of fixing legacy software.

The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register

0:46 Introducing Jim
2:15 Conversation begins
5:15 Painful problem of AppSec
10:10 Security and money
11:20 Security testing
12:05 Privacy laws
14:50 Automated/integrated security
15:45 DevSecOps
18:06 Netflix
19:40 OWASP
20:50 Java
26:10 Outro

Jim Manico
Twitter @manicode
https://www.linkedin.com/in/jmanico/

Cyber Security and Cloud Podcast hosted by Francesco Cipollone
Twitter @FrankSEC42 #CSCP #cybermentoringmonday
cybercloudpodcast.com

Social Media Links
Follow us on social media to get the latest episodes:
Website: http://www.cybercloudpodcast.com/
You can listen to this podcast on your favourite player:
iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ
LinkedIn: https://www.linkedin.com/company/35703565/admin/
Twitter: https://twitter.com/podcast_cyber
YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/

AppSec Builders
Developers vs. Security Training with Jim Manico

Jul 9, 2021 | 39:03

In this episode of AppSec Builders, JB is joined by security professional Jim Manico, founder of Manicode Security, to discuss application security, developers, and why they should be trained to build secure applications.

About Jim:
LinkedIn: https://www.linkedin.com/in/jmanico
Twitter: https://twitter.com/manicode

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also the co-founder of the LocoMoco Security Conference and is an investor/advisor for Nucleus Security, BitDiscovery, Secure Circle and Inspectiv. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. He is the author of "Iron-Clad Java: Building Secure Web Applications" (https://www.amazon.com/Iron-Clad-Java-Building-Secure-Applications/dp/0071835881) from McGraw-Hill.

Transcript

Intro / Outro: [00:00:02] Welcome to AppSec Builders, the podcast for practitioners building modern AppSec, hosted by JB Aviat.

JB Aviat: [00:00:14] Welcome to this episode of AppSec Builders. I am JB Aviat and I am honored to welcome Jim Manico, who, on top of being a famous, opinionated security professional, is also the founder of Manicode Security, where he trains software developers in secure coding and security engineering. He is also an investor and advisor for many companies, a frequent speaker on secure coding practices and a book writer with "Iron-Clad Java: Building Secure Web Applications". Jim, why don't you introduce yourself as well?

Jim Manico: [00:00:50] Jean-Baptiste, it's a pleasure to be on your podcast and your show. And like you said, I'm an opinionated application security professional. I just hope that my opinions are helpful to you and your audience.

JB Aviat: [00:01:04] Opinions are always helpful, especially when they are held by smart people. So, yes, definitely. And I'm looking forward to having you share a bit more about that with our listeners. So, Jim, thanks a lot for joining us today. So when we are familiar with your work, we can notice that your primary focus is developers. So you train them, you write books to educate them. You contribute to a lot of OWASP resources around education. Why that focus centered on the developers?

Jim Manico: [00:01:40] I believe that the application security industry traditionally has primarily been about security testing and DevOps and all these different pieces that are about assessment of the security of an application. And I do not believe that you can achieve security through testing. I believe that the only way to truly do application security is to get developers to build secure software and to utilize tools and techniques and processes that will help developers author secure software. And I believe that our industry places very little focus on that important specialty because it's hard to sell an idea. The idea that you must change your process, you must change your engineering capabilities and similar. It's not something that sells in the marketplace. It's education, which is not a very big part of our industry. So that's why I focus on that, because it's my specialty and it's also my belief. That's how you really do application security: enable developers' capabilities around security in some way.

JB Aviat: [00:02:54] And so you've been doing that for a while. What are the big changes that you have witnessed over the past year?

Jim Manico: [00:03:01] I think the acceleration of DevOps is very interesting. Now, DevOps has been around for 20 years. This is about automation around the building, testing, deploying and other aspects of the SDLC. And we were doing that in the late 90s through a lot of custom scripts and similar. And I think that today there are extremely modern tool sets like Jenkins, GitHub Actions and similar, where I can build a significant security-centric...

The InfoSec & OSINT Show
55 - Charlie Belmer & NoSQL Injection

May 6, 2021 | 34:18

This week Jeff Foley hangs out to talk about asset discovery using amass, recon methodologies, hashcat-style brute forcing vs. wordlists, extending functionality via the embedded Lua engine and more. My 3 main takeaways were 1) how to find assets that don't share a domain name using JARM, 2) how they made scanning faster by essentially lowering the DNS brute forcing query rate and 3) what the future has in store for the project. For more information, including the show notes, check out https://breachsense.io/podcast

This week Jim Manico joins the show to talk about Cross Site Scripting, CSPs, strict dynamic, trusted types, SameSite cookies, NIST SP 800-63, password shucking and more. My 3 main takeaways were 1) how to do input validation correctly, 2) why using nonces in your CSP is safer than creating an allowed list policy and 3) the right way to handle passwords. For more information, including the show notes, check out https://breachsense.io/podcast

This week Charlie Belmer joins the show to chat about NoSQLi, web proxies, cloud security, tips to get started in InfoSec and more. My 3 main takeaways were 1) how SQLi differs from NoSQLi, 2) why privacy still matters and 3) how cookieless tracking works and some of the frightening techniques used. For more information, including the show notes, check out https://breachsense.io/podcast

Privacy Please
S2, E65 - Jim Manico, Founder, Secure Coding Instructor at Manicode Security

Privacy Please

Play Episode Listen Later May 5, 2021 60:08


This week on Privacy Please we have the great pleasure of chatting with a very close friend of the show, the ever so entertaining, intelligent, irrationally exuberant, Mr. Jim Manico. We talk about secure coding, what is Manicode Security, building modern secure applications, Apple, Microsoft, Facebook, Google, privacy, teaching secure coding with passion and excitement, and much more! You do not want to miss this entertaining and very informative episode! Jim Manico - https://www.linkedin.com/in/jmanico/

The InfoSec & OSINT Show
54 - Jeff Foley & Asset Discovery with Amass

The InfoSec & OSINT Show

Play Episode Listen Later Apr 29, 2021 26:51


This week Jeff Foley hangs out to talk about asset discovery using amass, recon methodologies, hashcat style brute forcing vs. wordlists, extending functionality via the embedded Lua engine and more. My 3 main takeaways were 1) how to find assets that don't share a domain name using JARM 2) how they made scanning faster by essentially lowering the DNS brute forcing query rate and 3) what the future has in store for the project. For more information, including the show notes check out https://breachsense.io/podcast

BarCode
MANICODE with Jim Manico

BarCode

Play Episode Listen Later Apr 2, 2021 32:37


The major cause of insecurity is the lack of secure software development practices. It’s crucial to understand the importance of security within the SDLC. Jim Manico is the founder of MANICODE Security where he trains software developers on secure coding and security engineering. He stops by BarCode to help us define “DevSecOps”, building an Effective CI/CD Pipeline, the differences between SAST/SCA/RASP/DAST and IAST, Security Team/ Development Team Cohesion, what most organizations GET WRONG with implementing DevSecOps, cloud involvement within the SDLC, and helpful OWASP resources. Tony the Bartender gits “Radioactive”. Support the show (https://paypal.me/thebarcodepodcast)

The InfoSec & OSINT Show
51 - Jim Manico & Developing Securely

The InfoSec & OSINT Show

Play Episode Listen Later Apr 1, 2021 37:04


This week Jim Manico joins the show to talk about Cross Site Scripting, CSPs, strict dynamic, trusted types, SameSite cookies, NIST SP 800-63, password shucking and more. My 3 main takeaways were 1) how to do input validation correctly 2) why using nonces in your CSP is safer than creating an allowed list policy and 3) the right way to handle passwords. For more information, including the show notes check out https://breachsense.io/podcast

Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
Jim Manico - "Kūlia I Ka Nu'u" to Be Your Best in Security

Open Web Application Security Project (OWASP) - Portland, Oregon Chapter

Play Episode Listen Later Oct 9, 2020 33:49


Our special guest today is Jim Manico. He is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the co-founder of the LocoMoco Security Conference in Hawaii as well as an investor and advisor for BitDiscovery and Signal Sciences. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. He is the author of Iron-Clad Java: Building Secure Web Applications from McGraw-Hill.
https://www.linkedin.com/in/jmanico
https://locomocosec.com/
https://bitdiscovery.com/
https://www.signalsciences.com/
http://www.amazon.com/Iron-Clad-Java-Building-Secure-Applications/dp/0071835881
Jim Manico is interviewed by David Quisenberry and John L. Whiteman.
Follow us: Homepage, Twitter, Meetup, LinkedIn, YouTube
- Become an OWASP member
- Donate to our OWASP PDX chapter
Support the show (https://owasp.org/supporters/)

The Virtual CISO Podcast
19. Why Application Security is a Team Sport and How Your Team Can Win w/ Joe Manico

The Virtual CISO Podcast

Play Episode Listen Later Jun 30, 2020 67:51 Transcription Available


If you're a business leader, especially at a SaaS firm or if you're a developer at a SaaS firm, this episode with Jim Manico will provide a ton of value.  You'll hear practical advice on how to approach application security that even the most technically un-savvy listeners can understand. Joe Manico is an application security powerhouse. He is the Founder of an application security training company, Manicode Security, is a major contributor to a number of OWASP projects, and he has a really great passionate approach to his work.  What we talked about: ASVS 101 Where should you start when addressing your security needs? Comprehensive tips and advice for application security business leaders To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here.

ITSPmagazine | Technology. Cybersecurity. Society
Chats On The Road To Hacker Summer Camp 2019 | DEF CON 27 — AppSec Village | Erez, Liora, Jim

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Aug 1, 2019 26:06


First off, a shout out to Tanya Janca for helping us to kick this chats on the road podcast into gear with the introduction to two of our guests today, Erez Yalon and Liora Herman. Of course, our third guest we know very well; it’s always an absolute pleasure to have Jim Manico join us for a conversation! The topic for this chats on the road is the launch of the new AppSec Village at DEF CON. During our conversation, we look at:
- Who the Village is designed for (there’s something for everyone interested in coding and/or security and/or applications)
- The differences between engineers and hackers; are they (m)any?
- The differences between InfoSec and Hackers in the context of application security
As noted by Liora during the chat, diversity of the community is important to ensure everyone is writing secure code — and this Village was defined and is being managed with this at the forefront. It’s critical that we have a good balance of representation of the community as a whole: women, men, people from the US, people from abroad—application security spans the globe. “It’s important for society to promote good application security — all roads lead to code." ~Jim Manico
It’s also important to recognize that the products and solutions (and applications) we are building and using are comprised of multiple components from all over the place—custom, commercial, and open-source—and from all over the world. At the end of the day, we’re all speaking about code, and we all need to write secure code. Start speaking about it with your peers at the inaugural AppSec Village at DEF CON 27. But first, have a listen to this chat to learn more.
________
We'd like to thank our conference coverage sponsors for their support. Be sure to visit their directory pages on ITSPmagazine to learn more about them.
- Reversing Labs: https://www.itspmagazine.com/company-directory/reversing-labs - Bugcrowd: https://www.itspmagazine.com/company-directory/bugcrowd - STEALTHbits: https://www.itspmagazine.com/company-directory/stealthbits ________ Want more from Hacker Summer Camp 2019 in Las Vegas? Follow all of our coverage here: https://www.itspmagazine.com/black-hat-2019-and-defcon-27-event-coverage-las-vegas-usa-news-and-podcasts Looking for more chats on the road to Las Vegas? You can find those here: https://itspmagazine.com/itsp-chronicles/chats-on-the-road-to-hacker-summer-camp-black-hat-and-def-con-las-vegas-2019

ITSPmagazine | Technology. Cybersecurity. Society
In The News | An InfoSec Community Q&A With Francesco Cipollone

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Jul 14, 2019 36:15


An In The News Podcast on ITSPmagazine Hosts: Sean Martin | Marco Ciappelli Guest: Francesco Cipollone As part of our In The News series, in this episode, we connect with Francesco Cipollone to host a Q&A session where the questions were driven by the InfoSec community. The questions asked were presented to Francesco via social media and Francesco selected 3 questions to respond to in this episode. These are the people and their questions: Jim Manico [@manicode] John Opdenakker [@j_opdenakker] Tanya Janca [@shehackspurple] Have a listen and then join the conversation by sending us your own question(s). ________ This episode of In The News is made possible by the generosity of our sponsors. Today, that's us! Learn more about becoming a sponsor of one of our columns here: https://www.itspmagazine.com/podcast-series-sponsorships To catch more stories In The News, be sure to visit https://www.itspmagazine.com/in-the-news

Brakeing Down Security Podcast
2019-013-ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2

Brakeing Down Security Podcast

Play Episode Listen Later Apr 7, 2019 56:35


Announcements:
SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com
Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/
Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663
SHOW NOTES:
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.
https://github.com/OWASP/ASVS “is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.”
#ASVS team: Daniel Cuthbert @dcuthbert, Andrew van der Stock, Jim Manico @manicode, Mark Burnett, Josh C Grossman
https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version
http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 - Older BrakeSec Episode
ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”
What are the biggest differences between V3 and V4? Why was a change needed?
https://xkcd.com/936/ - famous XKCD password comic
David Cybuck: Appendix C: IoT
  Why was this added?
  These controls are in addition to all the other ASVS controls?
How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.
You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
Seems incomplete… (Section 1.13 “API”)
  Will this be added later?
  What is needed to fill that in? (manpower, SME’s, etc?)
3 levels of protection… why have levels at all?
  Why shouldn’t everyone be at Level 3?
  I just don’t like the term ‘bare minimum’ (level 1)--brbr
Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack ThreatModeling Book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA
Cost to get to L2? L3?
https://manicode.com/ secure coding education
https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel!
Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Brakeing Down Security Podcast
2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1

Brakeing Down Security Podcast

Play Episode Listen Later Mar 31, 2019 51:51


Show Notes
SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com
Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.
https://github.com/OWASP/ASVS “is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.”
ASVS team: Daniel Cuthbert @dcuthbert, Andrew van der Stock, Jim Manico @manicode, Mark Burnett, Josh C Grossman
https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
Don’t post these links in show notes
ASVS list (google sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd
ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version
http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 - Older BrakeSec Episode
ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”
What are the biggest differences between V3 and V4? Why was a change needed?
https://xkcd.com/936/ - famous XKCD password comic
David Cybuck: Appendix C: IoT
  Why was this added?
  These controls are in addition to all the other ASVS controls?
How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.
You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
Seems incomplete… (Section 1.13 “API”)
  Will this be added later?
  What is needed to fill that in? (manpower, SME’s, etc?)
3 levels of protection… why have levels at all?
  Why shouldn’t everyone be at Level 3?
  I just don’t like the term ‘bare minimum’ (level 1)--brbr
Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
Adam Shostack ThreatModeling Book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
https://www.youtube.com/watch?v=2C7mNr5WMjA
Cost to get to L2? L3?
https://manicode.com/ secure coding education
https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel!

The Secure Developer
Ep. #26, Security Education with Jim Manico

The Secure Developer

Play Episode Listen Later Mar 21, 2019 39:44


In episode 26 of The Secure Developer, Guy is joined by Jim Manico, founder of Manicode Security, to discuss insights from his long career as a security educator, and to explore the importance of developer training in application security. The post Ep. #26, Security Education with Jim Manico appeared first on Heavybit.

Application Security PodCast
The Extremely Unabridged History of SQLi and XSS(S04E19)

Application Security PodCast

Play Episode Listen Later Dec 3, 2018 30:15


On this episode, Jim Manico joins again to talk about the ways that AppSec has changed over the years and give us an in-depth look at the history of SQL Injection and XSS. You can find Jim on Twitter @manicode The post The Extremely Unabridged History of SQLi and XSS(S04E19) appeared first on Security Journey Podcasts.

Absolute AppSec
Episode 27: Jim Manico

Absolute AppSec

Play Episode Listen Later Aug 15, 2018


Ken and Seth are joined by Jim Manico (@manicode) RAW, training, OWASP, code security, and all things AppSec.

Application Security PodCast
The #OWASP Cheat Sheet Project (S03E11) – Application Security PodCast

Application Security PodCast

Play Episode Listen Later Apr 5, 2018


Jim Manico joins on this week's episode to discuss some of the changes with the OWASP Cheat Sheets and the plans they have for the future of that project. Jim also talks about how they are looking for experts in the field to create or update some of the Cheat Sheets. You can find Jim [...] The post The #OWASP Cheat Sheet Project (S03E11) – Application Security PodCast appeared first on Security Journey Podcasts.

Angle Free IT
EP009: Jim Manico – Trainer from Manicode.com, Developer, and OWASP speaker on secure coding.

Angle Free IT

Play Episode Listen Later Mar 16, 2018 46:34


Jim Manico and I connected a few years ago through some of the OWASP meetings he presented at in Denver.  He was talking about cross-site scripting prevention, and in the brief training, I knew that Jim would be a great person to know if I ever needed to educate people.  Fast forward a few years,... The post EP009: Jim Manico – Trainer from Manicode.com, Developer, and OWASP speaker on secure coding. appeared first on Angle Free IT.

Application Security PodCast
The Future of the OWASP Proactive Controls (S02E17) – Application Security PodCast

Application Security PodCast

Play Episode Listen Later Oct 3, 2017


On this episode of the Application Security Podcast, Chris and Robert talk to Jim Manico and Katy Anton about the OWASP Proactive Controls project. This is something we have talked about before, and they are looking for feedback on the update coming soon. Rate us on iTunes and provide a positive comment, please!   The post The Future of the OWASP Proactive Controls (S02E17) – Application Security PodCast appeared first on Security Journey Podcasts.

Cross Cutting Concerns Podcast
Podcast 049 - Brett Whittington on Secure Data in Motion

Cross Cutting Concerns Podcast

Play Episode Listen Later Jul 9, 2017 12:03


Brett Whittington is concerned about security on data in motion. Note: I said "SSH" at one point, I meant SSL; Brett was too polite to point it out. I also made a mustard pun. Please send your hate tweets to @spetryjohnson.
Show Notes:
SSL Labs - SSL Server Test
ZAPP from OWASP
Jim Manico ("AppSec Enthusiast") on Twitter
The DROWN attack
Heartbleed
Google's collision attack on two different documents
0 Day Exploit exposed by Wikileaks
Innovative Codes explaining how HTTPS works
J Wolfgang Goerlich ("hacker strategist") on Twitter
Brett Whittington is on Twitter
Want to be on the next episode? You can! All you need is the willingness to talk about something technical. Theme music is "Crosscutting Concerns" by The Dirty Truckers, check out their music on Amazon or iTunes.

Application Security PodCast
MORE OWASP! (S02E07) – Application Security PodCast

Application Security PodCast

Play Episode Listen Later Jul 4, 2017


Hey everyone, Welcome to the next episode of the #AppSecPodcast. We’re here today with Jim Manico, a project lead with OWASP. We dive deep into some of the projects on his plate. Rate us on iTunes and provide a positive comment, please! The post MORE OWASP! (S02E07) – Application Security PodCast appeared first on Security Journey Podcasts.

DevSecOps Podcast Series
Jim Manico's 100th Episode, featuring Mark Miller, Executive Producer of OWASP 24/7

DevSecOps Podcast Series

Play Episode Listen Later Jun 28, 2016 38:43


In this episode, Jim Manico turns the tables on me for his 100th podcast. He digs into my past, asks about my motivations for participating in OWASP, inquires on what I hope to accomplish through the series and how DevOps and security can be part of a single conversation when it comes to the software supply chain. Mark Miller is the Senior Storyteller and Developer Evangelist for Sonatype. He is the curator of TheNexus Community Project, while participating in DevOps and security conferences as a frequent panel host. He recently helped build the DevOps track for RSAC Conference 2016, InfoSec Europe 2016 and is working on the DevOps track for AppSecUSA 2016, this fall in Washington, DC. Mark's most recent project is "An Innovator's Journey to DevOps", a series of interviews and profiles highlighting important people and DevOps projects that deserve more exposure. You can listen to that series at www.sonatype.com/devops-an-innova…journey-sonatype

DevSecOps Podcast Series
OWASP Top 10 Proactive Controls Project with Jim Manico and Katy Anton

DevSecOps Podcast Series

Play Episode Listen Later Feb 9, 2016 21:56


The OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community to decide the criteria for building the list of controls.

DevSecOps Podcast Series
OWASP Board Candidate Interviews - Jim Manico, Timur Khrotko

DevSecOps Podcast Series

Play Episode Listen Later Sep 16, 2014 36:14


With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Jim Manico and Timur Khrotko.

DevSecOps Podcast Series
Achim Hoffmann and the o-Saft Project for Scanning SSL Connections

DevSecOps Podcast Series

Play Episode Listen Later Jul 1, 2014 7:28


Achim Hoffman is a researcher who has created a tool for listing information about a remote target's SSL certificate and testing the remote target against a given list of ciphers. This OWASP project, o-Saft, first gained notice when Jim Manico mentioned it on the OWASP email list. At AppSec Europe 2014, I was able to speak with Achim, along with Matt Tasauro, about the function of the tool and its uses.
About the Project
o-Saft is designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important information or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people. O-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can simply be turned into an online CGI-tool (please read documentation first).
About Achim Hoffman
Co-Author OWASP: Best Practices: Projektierung der Sicherheitsprüfung von Webanwendungen https://www.owasp.org/images/0/00/OWASP-Projektierung_der_Sicherheitspr%C3%BCfung_von_Webanwendungen_v101.de.pdf
Author, Sicherheit von Webanwendungen: BSI-Maßnahmenkatalog und Best Practices http://www.bsi.de/literat/studien/websec/WebSec.pdf
Contributor to WASC Web Application Firewall Evaluation Criteria http://www.webappsec.org/projects/wafec/
Co-Author OWASP: Best Practices: Web Application Firewalls http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
Reviewer/Contributor to WASC Threat Classification v1
German translation of the WASC Threat Classification v1 http://www.webappsec.org/projects/threat/
Reviewer/Contributor to WASC Threat Classification v2 http://projects.webappsec.org/Threat-Classification-Authors

DevSecOps Podcast Series
The OWASP Top Ten Proactive Controls Project with Jim Bird

DevSecOps Podcast Series

Play Episode Listen Later Mar 24, 2014 14:20


The OWASP Top Ten Proactive Controls Project is spearheaded by Jim Bird and Jim Manico. According to Jim Bird, it is a list of security techniques that should be included in every software development project. I spoke with him about the evolution of the project and how he envisions it being used by the OWASP community, and specifically by developers.
Resources for this Broadcast
OWASP Top Ten Proactive Controls Project
Jim Bird on LinkedIn
About Jim Bird
Jim Bird is a software development manager and CTO with more than 25 years of experience in software engineering, with a special focus on high-integrity and high-reliability systems. Jim is currently the co-founder and CTO of a major US-based institutional trading service, where he is responsible for managing the company’s technology group and IT security programs. Jim has worked as a consultant to IBM and to major stock exchanges and banks globally. He was also the CTO of a technology firm (now part of NASDAQ OMX) that built custom IT solutions for stock exchanges and central banks in more than 30 countries. Jim is an active contributor to OWASP, helps out as a member of the SANS Analysts program on application security, and rants about Agile software development, project management and application security topics on his blog “Building Real Software”.

DevSecOps Podcast Series
The OWASP WebSpa Project with Yiannis Pavlosoglou and Jim Manico

DevSecOps Podcast Series

Play Episode Listen Later Mar 3, 2014 32:55


The OWASP WebSpa Project
The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking. If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports", then we define web knocking as a form of host-to-host communication in which information flows across erroneous URLs. In this podcast we present this web knocking tool for sending a single HTTP/S request to your web server, in order to authorise the execution of a preselected Operating System (O/S) command on it.
About Yiannis Pavlosoglou
There is a world of numbers, hiding behind letters, inside computers; this is what stimulates my work. I am currently employed in IT risk management within the financial industry, running a team of technical risk assessors. Prior to this, I spent 5 years in the world of professional penetration testing. I focused my career evolution on assisting large scale projects actually implement secure development practices. This included teaching developers how to write secure code. For OWASP, I was the project leader for JBroFuzz and used to chair the Global Industry Committee. I am on the Application Security Advisory Board of the (ISC)2. My academic qualifications include a PhD in information security, designing routing protocols for ad-hoc networks. I am a certified scrum master and hold the CISSP certification.

DevSecOps Podcast Series
AppSec USA 2013: Jim Manico - Life after OWASP Podcasting

Jan 7, 2014, 13:01


"For an organization to really mature around application security, they need to be building security into their software from day one." -- Jim Manico

Jim Manico started the OWASP podcast series in 2008. In that time, he has recorded close to 100 interviews to keep the community updated on the latest project development within OWASP. As Jim reaches his 100th episode, he reminisces about how the series was started, what his original vision was and what he's going to do now that he has passed the reins over and moves on to other projects. We start with a question about the origins of the project and how it grew.

"It's easy to talk about the 'purity' of software development, but managing a fleet of already insecure apps is an equally difficult problem." -- Jim Manico

About Jim Manico

Jim Manico was elected as an OWASP Global Board Member as of January 1, 2013. He has been an active member of OWASP since 2008. He is the VP of Security Architecture at WhiteHat Security. Jim's main passion at OWASP is supporting projects that help developers write secure code.

Down the Security Rabbithole Podcast
DtR Episode 25 - Guests: Jim Manico, David Litchfield - From Black Hat 2012 with SQLi

Oct 22, 2012


Synopsis

When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about! We ended up chatting for quite some time, and I think you'll find this conversation interesting from hearing of David's recent work with Oracle, and Jim's perspective on "the fix"... I kept the conversation going and am probably at least partially responsible for how long this podcast ended up being. It's well worth the time, in my opinion, as we cover the following topics:

- Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query - by manipulating the meta-environment)
- Jim & David talk about how to do sane SQL Injection protection (bind everything!)
- David talks about some contrived ways of hacking Oracle databases that are 'outside the business logic' and explains why validation is still important
- Jim brings up structural validation of inputs (useful white-listing)
- David brings up that his exploits from 2007 are STILL working in 2012 - terrifying
- "Parameterize it, or jeopardize it" - Jim's campaign to rid the world of SQL Injection
- David talks about unconventional database forensics that identify attacks via weblogs
- Vendors have upped their game to protect applications, developers are still writing bad code
- Jim Manico: "We are entering the golden age of hackers" ... does this mean better security?!
- David discusses how if MS had stopped development of NEW features, WinNT4 would be 'secure' by now... but innovation & features will continue to drive forward - security suffers
- Jim asks "does the [development] framework of the future consider security as a built-in?"

Guests

Jim Manico - One of the people who holds OWASP together, Jim is an enthusiastic espouser of the Web App Security word. You can find him providing training, practical advice, and code knowledge all over the place, particularly for the OWASP organization.

David Litchfield - David has been taking Oracle to task over their claims of database security for years, and continues to be a driving force behind penetration testing, database forensics, and all things Oracle security.