PodParley PodParley
PodParley
2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1 episode artwork

EPISODE · Apr 1, 2019 · 51 MIN

2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1

from BrakeSec Education Podcast

Show Notes SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/   Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.   https://github.com/OWASP/ASVS "is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. "   ASVS team: Daniel Cuthbert @dcuthbert Andrew van der Stock Jim Manico @manicode Mark Burnett Josh C Grossman   https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx Don't post these links in show notes ASVS list (google sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd   ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing   https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3  - Older BrakeSec Episode   ASVS Page 14 - "If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture."   What are the biggest differences between V3 and V4? Why was a change needed?   https://xkcd.com/936/ - famous XKCD password comic   David Cybuck: Appendix C:  IoT     Why was this added?     These controls are in addition to all the other ASVS controls? How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.   You added IoT, but not ICS or SCADA?     https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project   BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3   Seems incomplete… (Section 1.13 "API")     Will this be added later?     What is needed to fill that in? (manpower, SME's, etc?) 3 levels of protection… why have levels at all?     Why shouldn't everyone be at Level 3?     I just don't like the term 'bare minimum' (level 1)--brbr Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling Adam Shostack ThreatModeling Book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf https://www.youtube.com/watch?v=2C7mNr5WMjA Cost to get to L2? L3? https://manicode.com/ secure coding education   https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected] #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

NOW PLAYING

2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1

0:00 51:51

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Share this episode

Similar Episodes

Shadowwork and The Divine Union Within

Dec 5, 2025 ·50m

You gotta RELEASE to RECIEVE Babes 💁🏽‍♀️

Oct 9, 2025 ·33m

The Manifestation Matrix 👁️

Oct 3, 2025 ·40m

Reclaiming the Divine Feminine Throne as The Crone 👑🖤🌙

Sep 11, 2025 ·31m

Why destiny swap when you can just do this?

Aug 27, 2025 ·39m

One thing is for sure, two are for certain…

Aug 18, 2025 ·54m

Similar Podcasts

Big Old Life: Heather Blackbird interviews people on planet earth. Heather Blackbird loves asking questions. This podcast is a learning experience. Join me, Heather Blackbird, as I talk to people about their lives. Frequency of new episodes is a little all over the place and I'm learning as I go. Big Old Life is a small way of talking about the vastness of life, one person at a time. If you are reading this or found this podcast it's probably because someone you know gave you a link to it. :) Explicit The Sacred +Profane Podcast nephtaragrace The Sacred + Profane Podcast is a provocative conversation dedicated to cementing a better future for all. We specialize in unpacking the nuances of what is considered sacred and profane, particularly focusing on sex, death, and all that pertains to the circle of life. Our aim in focusing on such ”taboo” subject matter is to demystify what is unconscious, bring to light what has been known for centuries as ”the occult,” and empower the rapid transformation that is occurring on the Planet. Explicit Undeniable w/ Braxton Curtis Braxton Curtis The official Podcast of Braxton Curtis.A Father, Husband, and Business Owner just trying to figure it all out. Explicit Bitcoin Gateway Lea meakin Welcome to Bitcoin Gateway, the podcast where we dive deep into the world of Bitcoin, hosted by Lea Meakin. This show is for anyone who’s ever felt overwhelmed by the complex world of cryptocurrencies and wants a simple, straightforward explanation. Each episode, we’ll break down the basics of Bitcoin, explore its history, and discuss its potential impact on the future of finance. Whether you’re a complete beginner or just looking to expand your knowledge, Bitcoin Gateway is here to help you understand Bitcoin, one episode at a time. Explicit

Frequently Asked Questions

How long is this episode of BrakeSec Education Podcast?

This episode is 51 minutes long.

When was this BrakeSec Education Podcast episode published?

This episode was published on April 1, 2019.

What is this episode about?

Show Notes SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/   Architecture is not an implementation, but a way of thinking about a...

Can I download this BrakeSec Education Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!