The ASW February 2024 Recap
February brought us the Lunar New Year, a Leap Day, and more OWASP projects than we expected!
Grant Ongers kicked off our February shows with a preview of his new OWASP project – the Product Security Capability Framework. He explains how it relates to efforts like ASVS and SAMM and, importantly, why it’s not just another top 10 list.
Then Christien Rioux talked about code scanning strategies and how better visibility into code translates to more meaningful flaws to pay attention to. He shares how seeing what’s running in prod and what prod systems are talking to helps dev teams far more than a long list of potential vulns.
Episode 223 (from the vault)
We went back to the vault for week three, bringing back a discussion on successful threat modeling with Jeevan Singh. Our focus wasn’t so much on the nuances of threat models, but the adjectives around them – successful and scalable. All too often appsec teams say “do threat modeling” and mistake an approach that works once for a process that needs to scale.
As a mirror to the start of the month, Farshad Abasi joined us to talk about his upcoming OWASP project – the Secure Pipeline Verification Standard. One of the motivations for this was that, sure, there’s a top 10 list, but there are no solutions. It’s great to see more projects focusing on frameworks and design patterns that dev teams can follow to secure how code is compiled into artifacts and how artifacts are sent to prod.
Subscribe to ASW to find these episodes and more! Also check out the January 2024 recap.