OWASP PodCast

Season 1, Episode · 1 year ago

0x01 - 2021-05-02

ABOUT THIS EPISODE

02 May Notes - Episode 2:

• Spotlight Series - https://owasp.org/projects/spotlight/

• Open Security Summit session that Vandana referred to as the time when she got inspired to start the Spotlight series: https://www.youtube.com/watch?v=7zs4wezbt8o

• Education Committee's "How To Get Into AppSec" project's survey into the AppSec practitioner landscape (takes less than 5 min) - https://forms.gle/UoM2PobtbRrZxo3J7

• How to become a lifetime member and remember there are savings for the 20th Anniversary of OWASP - https://owasp.org/membership/

• OWASP Chapter Rules and Inactive Chapters - updates on the effort made to reach out to dormant chapters, and the new requirements for chapters.

• Sacramento chapter slack channel link: https://owasp.slack.com/archives/CN89K5H9D

• New merchandise store: https://www.zazzle.com/s/owasp_foundation

• Easter egg - a Turkish word 

Welcome to the OWASP Podcast. This is [name unclear] and Vandana, and we're bringing you news from inside OWASP. Hi, Vandana, how are you today?

Hi. I am very well. How are you?

I'm all right, thank you so much. So I came across your passion project, the Spotlight series. I know it's currently in the process of becoming an OWASP project as well, but can you tell us a bit about it? How did you start, and where can people find more about it?

Sure. Actually, it has just joined the OWASP projects as well, so you can find it on the OWASP projects page now, and there is a proper section for the OWASP Project Spotlight series. The way it started: I was working on, and reading, a lot about the projects and what they do, and during that process I realized that I had some understanding about the projects, but this project is totally different. I was thinking it was an offensive project, but then it came to light that it's a defensive project. So OWASP has been turning out massive projects for the benefit of the community. However, there are a lot of people like me who are not aware of each and every project, or the people who are aware, again like me, have very little idea of the working of most of the projects. So the OWASP Project Spotlight series started with the intent to bring awareness about OWASP projects to people, and what I cover as part of the project is that I create a video about the project: how exactly the project works, what the motivation is behind running the project, how it works, with a demo, because most of the projects have a demo. It's a working thing, if I talk about Dependency-Check, if I talk about ZAP, if I talk about Dependency-Track, or if I talk about any other project. So it has a working. Similarly, there are some coding projects for training people. Those are also amazing projects, and I didn't know that they existed. Think about it: a person who's a developer, who knows coding really well, but they're struggling with secure code review because security is foreign to them. How about going through Secure Coding Dojo, which can actually train them in just a day or two? You just have to do the exercises and you'll be good to go; you'll understand how each one of these works. So this was started with that intent, and with every video there is a small snippet that I publish, but the video is just fifteen minutes. So even if you're doing some work, you can play it in the background, you can listen to it and understand the working of it, especially if it's a demo. Ten or fifteen minutes is easy to watch, quick to learn from and easy to remember. So that's the basic intent, and all the sixteen videos, sixteen projects, I have done so far are live, and there'll be one more project which will be out tonight. And yeah, we'll be sharing about that project.

That's great. And just for the record, today is the second of May, so I don't know when you will be listening to this, but watch out for the new Spotlight episode. That's great. So that fits very closely with the objective of this podcast. We do want to do similar interviews with the projects. So maybe, because you've done sixteen projects and you'll be going on doing more, we can leave those to the last when we come to those projects, and we can just signpost to the Spotlight series for them. But I think our podcast is also sharing lots of different news from different committees, not just projects, but committee and community news as well. Right. Anything to add about the Spotlight, Vandana?

I would say that the Spotlight series is more about technical demos and the working of the project in just ten or fifteen minutes. When it comes to our own podcast, it's about community news, it's about news about the projects, like what's new, what's happening in the industry, which project is excelling in what area. So those two, even though different, have the same intent. We're trying to target the audience, trying to bring them the news about the projects, how different these projects are and how these projects can be a differentiator when you're going for a commercial product. Think about it: you want a software composition analysis tool. Instead of paying a hefty amount for the tools, why not try the open source projects? And with the podcast we can tell them, in a candid conversation, that this is how exactly this works and this might help you. And once you know that, okay, this is your appetite, this is your security appetite, you go ahead and start using it, and later on, when you feel that, yes, now we are comfortable buying the commercial product, because there are certain more needs that need to be fulfilled by the commercial product. So I think it complements really well; this podcast complements the Spotlight series really well.

I agree. I think the other thing I want to keep in mind is not everybody watches YouTube and wants to sit down. Some people just want to passively listen to a podcast as they're doing the dishes, as they're commuting to work, as they're doing laundry, doing gardening. So I think, and I hope you agree with this, having an overlap in content is actually good, because different people have different access to this information.

That's very true. Nice. Okay, so, Vandana, I want to ask you a question, and we didn't prep for this beforehand, so I'm sorry if I'm putting you on the spot. I'm not cutting this out of the recording, though. What gave you the idea to do it? Was there a Eureka moment of, like, I want to do this project?

I'll tell you. So, when I was preparing for the OWASP board, there were certain questions which were asked of me: what exactly do you want to do for OWASP, what ideas do you have? At the time there were a lot of discussions going on on the leaders list. Not just the chapter leaders, but project leaders were very concerned about not getting the right spotlight for their projects. There were some projects which were never talked about. So my objective, if I go back and listen to my recording on how I am supposed to contribute to OWASP: I wanted to contribute to the chapter leaders, wherein I wanted to bring chapters closer to OWASP. And we did Chapters All Day last year, wherein we had over twenty-five chapters who were part of it. Not actually twenty-four; why did I say that? It's over forty-eight chapters which were part of Chapters All Day, which was a huge number. Sorry. So that was that. But how about projects? The Project Summit is there, but still, this is something which is very short, which can connect to people. So that's when I did my first session for the Open Security Summit on the Web Security Testing Guide, and there I got the idea. It reached a huge number of people; it was one of the most viewed videos on the Open Security Summit, and I felt, let's go ahead and start for each project, and I can be part of that because I get to learn.

Yeah, I remember, you were the host. Yeah, it was amazing.

Yeah, so that's how it all started. And I started with the Web Security Testing Guide, then Dependency-Check, and it just went on and on. I started on my own, but then I started introducing the leaders who are part of the project, so that people can get to know those leaders as well and they can reach out to those leaders in person. When they see a person, they can connect really well. So I was not sure for how long it was going to go, but I was hopeful that even if there are a hundred people who watch the video, I'd be more than happy: at least a hundred people are getting to know something about the project. But now I feel that there are a huge number of people who are watching it, and there are some videos which are highly recommended. People are reaching back to me saying, can we have another session with the leader, or a longer session with the leader? So I feel that it's motivating me to do more. So that's why, from one to sixteen, or I would say now seventeen, we've come a long way, every week coming out with one video. I'm hopeful that we get to do more and more in the coming months.

Awesome. Jinx! I was going to say jinx. Is that a phrase in England? Jinx, you owe me a soda. Is that global, or is that a US thing? Yeah, I know we say jinx here, and in Turkish we have a very similar thing. Sorry, back on topic. Okay, we need to nourish the child in ourselves as well. Yes, absolutely.

Let's talk about upcoming training. Do you know what's coming up?

Yes. So the latest training events for 2021: this really started a while back. I really enjoyed it in 2020, the Summer of AppSec that we did, and a few other things. This is a continuation of that. We have an event coming up May 25 to 26, and we're giving you a heads up because this is in the middle of the week, so you do have to coordinate and get some time off. This is just like any other training, for COVID times; this is an online version of that. They're really high quality trainings.

I have a great announcement, and I'm moving on swiftly, but I hope that's okay, about one of the projects that I'm part of: How to Get Into AppSec. This is a project under the Education Committee, and it's for people who, like me, have been trying to understand what AppSec is. What do I need to learn? How can I become an AppSec professional? And the more discussions we had within the project, the more we realized it's very hard to define what an AppSec person does. So we have decided to do a research project within the project, and we have a survey out which takes less than five minutes, and we will put it in the show notes. It's open to any AppSec person, no matter if you're a beginner or you've been doing it for ten years; it doesn't matter in whatever capacity you think you do AppSec. Please do take five minutes and respond to it. It will be amazing. It will feed into our project and multiple other projects. It will help us understand the types of work we have in AppSec. It will help us build up some generic job descriptions for different types of jobs in AppSec, which will be a great contribution for the whole community and also for the companies, so that they don't have to rewrite job descriptions and have a hundred items in them where it's not really necessary for that job. And also it's going to help us build roadmaps from different types of roles to destination roles, which will be the AppSec roles. Yeah, you had a question?

Yeah, do you mind, after the show, can we tweet it out on this podcast's Twitter? Have you tweeted it already?

I think we are all in the process of tweeting. We have just created our Twitter account, so any retweet helps us. So yeah, of course, I would love that.

Okay, so our listeners can just go to our Twitter and grab the link. I'll get on it. That will be awesome. Thank you.

And in other news, I became a lifetime member. Yay, that's awesome! So now the three of us are all officially lifetime members. Yes. You know, for my professional emails, I just use my OWASP one nowadays, and I was like, I don't want to forget to pay one year and lose my email. I think for me it's worth just having it for the email. That was one of my drivers as well. It just feels really good to have an owasp.org email address. It's so cool. Whenever I see lifetime memberships, I just do it because of the return on value, even if it's minor; let's say in five years I stop being a huge contributor to OWASP and stop being part of the community, even just having the free email, it's a Gmail, it's a Google Apps account, that just feels good to me. Yeah. And also we should mention the 20th anniversary savings. I think there are still some savings going on for the memberships, lifetime memberships. I know that as well. It is going on actually, especially for India. Earlier the one-year membership used to be twenty dollars a year. It's fifteen now, and if you're buying for two years, it's going to be thirty. So I just got it. I've just forced my friends to do it. Some of them have become lifetime members because they want to. I just pushed them that you should be part of it, and a lot of my student friends have become two-year members, and there are a lot of benefits around it. Yeah, and if there are people who, like me, used to pay yearly and want to turn it into a lifetime membership, you need to first get your annual one cancelled and then apply for the lifetime one, and I can help you with that. I can give you the email address that I used, and they helped me within an hour. It was so swift. That is really cool. Yeah, the lifetime membership makes so much sense to me. This is not an ad; it's just that I'm lazy and I don't want to think about it.

So, Joubin, you have another topic: OWASP chapter rules and inactive chapters. Tell us a bit about that.

Yeah, so Andrew, our executive director, is working on figuring out how we get more attention, more money, more effort put towards the chapters that are contributing versus chapters that have been inactive for a long time. So Andrew and his team have gone out of their way to try to contact chapters that have been dormant, or seemingly dormant, for many months or many years. They have reached out to them on Twitter, on LinkedIn, on every medium that we can possibly get in touch with them on, and some chapters are just nonresponsive. You know, it's okay; people move on with their lives. So there are new rules being put in to make sure that the chapters that are there are creating value. The rule has always been to have so many meetings per year. Currently it's being asked that it's at least once a quarter. So one chapter meeting every month. And as long as you're meeting that, you're fine. But if you're not meeting that, your events are going to get closed down, your chapter is going to be put in dormant. You can always apply to become a chapter again with a new co-lead, but for now they're being put on hold, and I think it's a good thing. I think Andrew was sharing at the last meeting that the participation in some of the other chapters that are near these smaller chapters has gone up since the closing of these chapters. You know, I have one of those chapters that's probably on the line. Sacramento is not a huge chapter. We are one of the smaller chapters, and it's hard to get events going. So as a result, the Bay Area chapter right next to us, which has a huge offering and a pretty big community, being part of that makes sense. Even Andrew himself posted on LinkedIn about his chapter, that it needs to become more active. I saw it on Twitter. Yeah, he posted it. Yeah, it's hard, you know. And here's a shout out: the Sacramento chapter's co-chapter lead moved away, and the chapter guidelines say that chapter leads need to be within a fifty-mile driving distance, and for those outside the US it's like ninety-something kilometers; I forget the conversion of miles to kilometers. So if anybody is interested in being a co-chapter lead with me for Sacramento, I will do all the work. I just need a co-lead to be with me so I can be compliant. Okay, I'm not going to do all the work, but I would really love it. I would really love a good co-lead that's within the Sacramento area.

Yeah, come on. Email or tweet or DM you? How should they contact you?

Yeah, so the Sacramento chapter, anything you like. I think the easiest way to talk to me about chapter stuff is in the OWASP Slack on the Sacramento chapter channel. That's the best way to get hold of me.

Noted. Nice. So, Joubin, do we have a merch store for all of us?

Yes, we do. So if you're like me, your entire wardrobe is probably conference t-shirts, and I've run out of t-shirts because of COVID. So there is an OWASP merch store on Zazzle. Is that how you pronounce that? Zazzle? I hope so. We do have a merch store on Zazzle and there are currently pretty good discounts on there. So if you need to go and retrofit your wardrobe because you've been missing out on conference and AppSec t-shirts, it's a good place to go. My favorite part is that there's an OWASP mask that has the OWASP logo on it, and I'm just wondering how people are going to feel with me walking around with an insect on my mask if they don't know what it is. I think it's going to be hilarious.

Nice. And does it ship worldwide?

That's a good question. I know that we don't have inventory just sitting; anytime somebody orders, it's made to order, made at the time of order. I don't know what the shipping policies are. I definitely know that they do Europe and the US. It looks like it does go to Australia, Brazil, Belgium, Canada, the UK. It seems to be Australia, Japan. Yeah, it seems to be covering most of the world.

Okay, and probably it will get better coverage if there are more orders. Yeah, I think it's a question of what areas Zazzle themselves cover for their services. Anyways, Zazzle ships; that's good. I like having merchandise too. Yeah, I will tweet the link to this on our page, and I think we all just retweeted it as well, so the link is there. I know lots of work has gone into it. It does look like a small thing, but it's very, very hard to find a good merchandise partner. Yeah, shout out to the people who have been working on it.

How can projects get grants, with this new grant structure? That is the question, right. So there is a new grants policy that has come into the picture, and it is going to help people get grants. There is a stipulated amount wherein you can get the grant, and there's a structure to it, like how you can donate to a specific project. Even what we are planning is that organizations can donate to a specific chapter that they support, which is a really good one. So this grants policy is going to apply to other policies as well, like the sponsorship policy, or could be to any other policy that we get. We are working towards a travel policy. So based on some of the policies, like if you want to sponsor someone to travel to a conference which is OWASP's, at that time you need the grants policy to be invoked, wherein there is a specific grant that will be given to a particular project or particular person. It's not like if I am traveling to the UK, I'll travel my own way. No, there'll be a stipulated amount that will be given to me based on the need, based on the justification, and it's also based on the amount of sponsorship that particular framework is getting. And for the grant providers, like the external entities that want to...

How is it different from sponsorship? That's where I'm getting a bit confused.

I think it starts to blur the lines a little bit. But I can hear Bil in the background; Bil is one of the board members, and Grant, who's currently the treasurer, and I can see them trying to correct this. So I'll do my best at explaining the difference, as I'm new to the board. But you know, outside of OWASP, grants are very specific things where there are deliverables and there are requirements for them, and they're given out, like government grants are given out, to achieve a specific goal, whereas sponsorships are a little bit more: we generally sponsor our mission, we generally sponsor what you're trying to do. So grants are a good way if you run a company, for example; the education stuff, the training stuff, is a great example. I tried to get a grant for that a couple of times and I wasn't successful. But if you run an organization and you have this dependency on a curriculum, for example, you can create a grant and award it to OWASP in order to build that curriculum, and you're controlling the deliverables of that project through your grant. You say, I need these capabilities in it. OWASP would still be independent and can do its own surveys and its own building, its own thing. It would all be the same from our side, but it kind of helps that company make sure that the money that they're putting in goes towards what they want.

And so there's more partnership in grants, and if you are a grant provider, you have more say in how it is used. Right?

Yeah, that's correct, because a grant has to be fully funded, and if it's not funded then you cannot have it, and especially when I said it's for any person, any chapter, project, or even the contribution that local people make. So it has to be funded. And another important aspect to it is that it cannot exceed twelve months, if I remember correctly. So it can only be done for twelve months. After that the grant will expire and the board has to vote on whether to fund it further. Okay, yes, this is what we want. And especially when we talk about audits, it is required that we properly document it, we properly design it in a way that if, let's say, it's for an event, it's for a cause, it'll only be spent on that.

Yeah, it's good to have that flexibility, and I'm sure Grant, not grant with a little g, Grant with a big G, on the OWASP board, and Bil might @ me on Twitter after this podcast launches if we left anything out there. So I'm prepared for that. But what's awesome about OWASP is you can go and read our grants policy pages. They're all public pages; they were approved. If you want to know more, you can absolutely go to owasp.org and go under our policies and read all of these policies if you're interested, and remember to read about awards and scholarships as well, the scholarship policy as well.

Good call out. Yeah, we should talk about, we should bring in people who have gotten OWASP scholarships and have them talk about how it impacted them. That would be awesome.

Yeah, absolutely, I'm sure it's going to be amazing, because last year, I remember, we pushed the ED to have scholarships for students and for people to attend the conference and to attend the free trainings, like the trainings which can be made available to them for free. So over forty students and professionals got the free training tickets, and I think it's a good way towards bringing more diverse people to the organization, bringing in the people who can't afford the trainings, the people who can't afford the conference; they can get free tickets or nominal tickets to join the conference. I think I was helping organize one of them, and the engagement from the young people was really, really great.

That also reminds me, there was a recent activity done, or still being done, to change wording to gender-neutral pronouns. How's that going?

It's going well. So that was my first motion on the board. I like that that was my first motion. So yeah, there's an open merge request out there and the board voted on it last month. I think we're merging that in. So, yeah, we removed the useless words like "chairman", and it's now "chairperson". It was really organic, the way it came up. We were doing the officer selections this year, and Vandana and I were on the board and we were like, wait, why does this say chairman? This is very, very limiting. It's just one of those things you don't think about until you have to think about it. And this is another reason having diversity is good, right? Like, if I'll be honest, if Vandana wasn't in the room, I would have just read it and thought past it. Right? But it was awesome. Sorry, Vandana, I don't mean to put you on the spot.

No, no, I know, because I remember having a similar discussion with Martin as well last year, where we were speaking about something around gender neutrality, and I'm so glad that it actually took effect this year, because this is so much needed. One of my friends told me, what is "vice chairman", how does it sound? It doesn't sound right, because you're not a man, you're a woman, but you are on the board. So what would you write? And "vice chairperson" is very neutral. It doesn't need to be me or anyone of any other gender; it is neutral to anyone. Anyone on the board can be a chairperson, can be a vice chairperson or any other one. So it's not putting anyone on the spot. I feel it is so relevant, and I truly support this motion.

Yeah, I want to talk about something I came across like three weeks ago. This is going to be a short one. The OWASP Glue project: I don't know how many of you were aware of it, but they're retiring it, due to the oldness of it, but they're also looking for new maintainers. So it's a chance to contact them if you are interested in this project. It's like the project that brings all the OWASP tools together. So I'm going to put the LinkedIn post from Matt Konda in the show notes as well, so you can reach out to him. To close us out, do you have another fun Easter egg for us?

Yes, I do, and it is a Turkish word. I will not tell what it means, because that is the challenge. The word is "güvenlik". So go figure it out and DM us on Twitter, and the first person to DM us (not tweet, DM us) with the right answer will get a surprise mention from us. Thank you so much for listening, and see you next time.
