The ASW February 2024 Recap
• Mike Shema
February brought us the Lunar New Year, a Leap Day, and more OWASP projects than we expected!

The Case of the New Year (ep. 272)
Grant Ongers kicked off our February shows with a preview of his new OWASP project – the Product Security Capability Framework. He explains how it relates to efforts like ASVS and SAMM and, importantly, why it’s not just another top 10 list.
Year of the Wood Dragon (ep. 273)
Then Christien Rioux talked about code scanning strategies and how better visibility into code helps teams focus on the flaws that actually matter. He shares how seeing what’s running in prod and what prod systems are talking to helps dev teams far more than a long list of potential vulns.
Pure Energy (ep. 223, replay)
We went back to the vault for week three, bringing back a discussion on successful threat modeling with Jeevan Singh. Our focus wasn’t so much on the nuances of threat models, but the adjectives around them – successful and scalable. All too often appsec teams say “do threat modeling” and mistake an approach that works once with a process that needs to scale.
Welcome to 2023 (ep. 224)
As a mirror to the start of the month, Farshad Abasi joined us to talk about his upcoming OWASP project – the Secure Pipeline Verification Standard. One of the motivations for this was that, sure, there’s a top 10 list, but there are no solutions. It’s great to see more projects focusing on frameworks and design patterns that dev teams can follow to secure how code is compiled into artifacts and how artifacts are sent to prod.
Subscribe to catch these episodes and more! Then go check out the previous recap.