Archiv pro štítek: OWASP

Steps to Responsible Disclosure with Bas van Schaik,Man Yue Mo and Brian Fox

On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind lgtm.com. In this episode of OWASP 24/7, I speak with research team at Semmle on how they discovered the vulnerability. Also, Brian Fox joins the discussion on the process for responsible disclosure, different ways to approach it and what other companies and projects are doing when a vulnerability is found in their project. About Man Yue Mo — Security Researcher at Semmle for lgtm.com During his PhD in mathematics at Oxford, Mo became interested in scientific algorithm development with a focus on data science and machine learning. At Semmle, Mo developed an interest in Semmle's core technology for writing queries over source code. This QL query technology is freely available on lgtm.com for the open source community to use for analyzing their code. Mo has since used QL to identify numerous security vulnerabilities, including CVE-2017-8046 in Pivotal's Spring Data REST, and the infamous CVE-2017-9805 in Apache Struts. He continues to works closely with the open source community to ensure these vulnerabilities are patched and responsibly disclosed. The blog on https://lgtm.com/blog contains various articles by Mo on how to use QL for security research. About Bas van Schaik — Head of Product at Semmle As the Head of Product at Semmle, Bas is responsible for the entire product portfolio — from the core QL query technology, to lgtm.com where this technology is made freely available to the open source community. Following his PhD in Computer Science at Oxford, Bas joined Semmle to work on machine learning and data science techniques for extracting insights from software engineering data. After setting up a strong team of machine learning experts, he now works closely with engineers and leaders to ensure that Semmle's products are effective in all parts of the software development process — to secure and improve code, reduce risk, and deliver actionable insights. He works closely with pioneers in the open source community, as well as with developers and leaders at organizations such as Google, Microsoft, NASA, Credit Suisse, NASDAQ, and Dell. About Brian Fox, CTO, Sonatype Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

Steps to Responsible Disclosure with Bas van Schaik,Man Yue Mo and Brian Fox

On March 1, 2018, the team at Semmle announced a critical vulnerability in the Pivotal Spring framework. The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind lgtm.com. In this episode of OWASP 24/7, I speak with research team at Semmle on how they discovered the vulnerability. Also, Brian Fox joins the discussion on the process for responsible disclosure, different ways to approach it and what other companies and projects are doing when a vulnerability is found in their project. About Man Yue Mo — Security Researcher at Semmle for lgtm.com During his PhD in mathematics at Oxford, Mo became interested in scientific algorithm development with a focus on data science and machine learning. At Semmle, Mo developed an interest in Semmle's core technology for writing queries over source code. This QL query technology is freely available on lgtm.com for the open source community to use for analyzing their code. Mo has since used QL to identify numerous security vulnerabilities, including CVE-2017-8046 in Pivotal's Spring Data REST, and the infamous CVE-2017-9805 in Apache Struts. He continues to works closely with the open source community to ensure these vulnerabilities are patched and responsibly disclosed. The blog on https://lgtm.com/blog contains various articles by Mo on how to use QL for security research. About Bas van Schaik — Head of Product at Semmle As the Head of Product at Semmle, Bas is responsible for the entire product portfolio — from the core QL query technology, to lgtm.com where this technology is made freely available to the open source community. Following his PhD in Computer Science at Oxford, Bas joined Semmle to work on machine learning and data science techniques for extracting insights from software engineering data. After setting up a strong team of machine learning experts, he now works closely with engineers and leaders to ensure that Semmle's products are effective in all parts of the software development process — to secure and improve code, reduce risk, and deliver actionable insights. He works closely with pioneers in the open source community, as well as with developers and leaders at organizations such as Google, Microsoft, NASA, Credit Suisse, NASDAQ, and Dell. About Brian Fox, CTO, Sonatype Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

RSAC 2018 – Preview of Opening Session for DevOps Connect: DevSecOps Day

Shannon Lietz, Caroline Wong and Paula Thrasher will give the opening remarks at DevOps Connect: DevSecOps Days on April 16 at the RSAC Conference in San Francisco. On today's show, I talk with Shannon, Caroline and Paula, on what they hope to accomplish during their talk, and why DevSecOps is becoming the hottest topic in this year's growth of the DevOps Community.

RSAC 2018 – Preview of Opening Session for DevOps Connect: DevSecOps Day

Shannon Lietz, Caroline Wong and Paula Thrasher will give the opening remarks at DevOps Connect: DevSecOps Days on April 16 at the RSAC Conference in San Francisco. On today's show, I talk with Shannon, Caroline and Paula, on what they hope to accomplish during their talk, and why DevSecOps is becoming the hottest topic in this year's growth of the DevOps Community.

HackNYC 2018: Preview with Kevin E. Greene

Prior to his work as Principal Software Assurance Engineer at MITRE, Kevin E. Greene was R&D Program Manager for the Department of Homeland Security. He is currently on the organizing committee for HackNYC, helping to organize talks and sessions around protecting and securing our national infrastructure. I spoke with Kevin about the current state of software security and how each of us can play a roll in the security of modern software. About Kevin E. Greene With more than 17 years of information assurance and security experience in security program management, assessment, auditing, and testing, Kevin Greene brings valuable skills and capabilities to the Department of Homeland Security Science and Technology Directorate (DHS S&T). As a member of the Homeland Security Advanced Research Projects Agency (HSARPA) Cyber Security Division, Greene has identified, developed, and transitioned technology projects through multiple commercial and academic organizations for the past two years. Responsible for the oversight and management of research and development projects for improving the testing, analysis, and evaluation techniques used in software quality assurance tools, he currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed to advance secure software development best-practices within the industry.

HackNYC 2018: Preview with Kevin E. Greene

Prior to his work as Principal Software Assurance Engineer at MITRE, Kevin E. Greene was R&D Program Manager for the Department of Homeland Security. He is currently on the organizing committee for HackNYC, helping to organize talks and sessions around protecting and securing our national infrastructure. I spoke with Kevin about the current state of software security and how each of us can play a roll in the security of modern software. About Kevin E. Greene With more than 17 years of information assurance and security experience in security program management, assessment, auditing, and testing, Kevin Greene brings valuable skills and capabilities to the Department of Homeland Security Science and Technology Directorate (DHS S&T). As a member of the Homeland Security Advanced Research Projects Agency (HSARPA) Cyber Security Division, Greene has identified, developed, and transitioned technology projects through multiple commercial and academic organizations for the past two years. Responsible for the oversight and management of research and development projects for improving the testing, analysis, and evaluation techniques used in software quality assurance tools, he currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed to advance secure software development best-practices within the industry.

HackNYC 2018: Preview with Dr. Bill Curtis

In May, at HackNYC 2018 in New York City, Dr. Bill Curtis' team of Tracie Gerardi and Lev Lesokhin will deliver a presentation on putting an end to "Technical Debt". I spoke with Dr. Curtis about his work in the creation of various maturity models, the current state of security in software development and "what keeps him up at night". You might be surprised at his answer. Listen in... About Dr. Bill Curtis Dr. Bill Curtis (1948) is an American software and organizational scientist. He is best known for leading the development of the Capability Maturity Model [1] (CMM for Software) and the People CMM [2] in the Software Engineering Institute at Carnegie Mellon University. He co-founded TeraQuest, a provider of CMM-based services, which was sold to Borland Software Corporation in 2005. He has published 5 books, over 150 articles, and in 2007 was elected a Fellow of the Institute of Electrical and Electronics Engineers for his career contributions to software process improvement and measurement.

HackNYC 2018: Preview with Dr. Bill Curtis

In May, at HackNYC 2018 in New York City, Dr. Bill Curtis' team of Tracie Gerardi and Lev Lesokhin will deliver a presentation on putting an end to "Technical Debt". I spoke with Dr. Curtis about his work in the creation of various maturity models, the current state of security in software development and "what keeps him up at night". You might be surprised at his answer. Listen in... About Dr. Bill Curtis Dr. Bill Curtis (1948) is an American software and organizational scientist. He is best known for leading the development of the Capability Maturity Model [1] (CMM for Software) and the People CMM [2] in the Software Engineering Institute at Carnegie Mellon University. He co-founded TeraQuest, a provider of CMM-based services, which was sold to Borland Software Corporation in 2005. He has published 5 books, over 150 articles, and in 2007 was elected a Fellow of the Institute of Electrical and Electronics Engineers for his career contributions to software process improvement and measurement.

The OpenChain Project with Shane Coughlan

The OpenChain Project identifies key recommended processes for effective open source management. The project builds trust in open source by making open source license compliance simpler and more consistent. In this broadcast, I speak with Shane Coughlan, project director, about the purpose of the project and what his team hopes to accomplish in 2018.

The OpenChain Project with Shane Coughlan

The OpenChain Project identifies key recommended processes for effective open source management. The project builds trust in open source by making open source license compliance simpler and more consistent. In this broadcast, I speak with Shane Coughlan, project director, about the purpose of the project and what his team hopes to accomplish in 2018.