Risky Business

On this week’s show we’ll be having a look at the latest OWASP top 10. As many of you would know, the new list is out. A couple of items have been dropped and a couple of items have been introduced. But we’re really using this new top 10 as an excuse to have a broader chat about the top 10 and the OWASP mission more generally.

As you’ll hear, everyone seems to agree the list is a good thing, but maybe OWASP needs to sharpen its communication strategy a little to make itself more accessible to the developers it’s trying to help.

We’ll hear from OWASP Bristol chapter leader and Veracode consultant Katy Anton on that, as well as Safestack head honcho Laura Bell and penetration tester and founder of Matchme consulting Pam O’Shea.

This week’s show is brought to you by a first time sponsor, VMRAY. They make malware analysis software that’s very popular with CERTs, but I suspect a lot of listeners out there in IR will also be interested in what they’re doing. The core offering is a cloud malware analyser that isn’t public, so if you don’t want to fire off a sample to VirusTotal and let the bad guys know you’re on to them, VMRAY is a better option.

VMRAY didn’t actually get one of its staff into this week’s sponsor slot, it chose one of its users instead – Koen Van Impe. He pops along to talk through what he uses VMRAY for and to give us a bit of an overview of what it does.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes Uber security executives leave company amid lawsuit and breach investigation Proposed law would jail execs who fail to report data breaches – Naked Security U.K. cyber agency tells government to handle Russian anti-virus software with caution Former N.S.A. Employee Pleads Guilty to Taking Classified Information - The New York Times Ex-NSA Hackers Worry China And Russia Will Try to Arrest Them - Motherboard The US Should Modernize Election Systems to Prevent Hacking | WIRED Russia Wants to Launch Backup DNS System by August 1, 2018 How DJI fumbled its bug bounty program and created a PR nightmare DHS: Drone Maker "Likely" Helping China Spy on US The EU Will Foot the Bill for VLC Player's Public Bug Bounty Program Privacy regulator warns MPs over shared passwords - BBC News SEC Halts a Silly Initial Coin Offering - Bloomberg ‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs | WIRED Andromeda botnet mastermind arrested in Belarus, identified by his ICQ number Hacked Password Service Leakbase Goes Dark — Krebs on Security Dell, Other Vendors Start Shipping Laptops With Intel ME Firmware Disabled Satori Botnet Has Sudden Awakening With Over 280,000 Active Bots Cisco Patches Critical Playback Bugs in WebEx Players | Threatpost | The first stop for security news Flaw Found In Dirty COW Patch | Threatpost | The first stop for security news GitHub will soon warn developers of insecure dependencies, adds news feed, team chat and more Man Hacks Jail Computer Network to Get Friend Released Early Malware Detection & Malware Sandbox Analysis | VMRay Securing Ethereum at Empire Hacking | Trail of Bits Blog Careers at Fitbit