EP 47 — Manicode Security’s Jim Manico on Addressing OWASP Top Ten Issues Through Better Security and Developer Partnerships
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Jim Manico, Founder and CEO of Manicode Security, a secure coding education firm. They discuss the challenges around particular items on the OWASP Top Ten list, including server-side request forgery and broken access control, and how security and developers can partner for better logging and alerting. They also talk about the courses Jim offers and why the one most in demand today is on AI and security.
- What the biggest changes in the OWASP Top Ten are, and the challenges that accompany two of the list’s issues: server-side request forgery and access control.
- What issue is Jim surprised to see on the OWASP Top Ten.
- How developers and security can work more closely together to create a better approach to logging and alerting.
- Why the best approach to DevOps is to have it as a service and a liaison team, not as a merger of individuals from across the organization.
- Why training on AI and security is increasing in demand today.
- How security professionals and developers are like professional wrestling superstars.
“I also like the idea of developers onboarding security teams around how the app works and what to look for in the logs. When you have good security logging and understanding between your security and developer team, you get some really impressive intelligence about when you’re being attacked in real time. And especially for high risk applications, I want to know in real time when I’m being attacked so I can take action.” (16:18)
“The entire world of DevOps and DevSecOps and CI/CD-class security scanning, it’s useless at finding the number one problem in the OWASP Top Ten, which is broken access control. And that’s why this is such a major problem in the world today.” (10:03)
“When the developer is explaining to security teams exactly how the app works, what they’re logging from a security context, and they fine-tune that together, and that’s part of the onboarding. Security teams know exactly what logs to ignore, what to focus on.” (18:06)
“If you have a dedicated team or dedicated set of developers who are maintaining pipelines that are across multiple software teams and they’re working closely with security, that seems like a much more efficient and cost-effective way to actually build out the dream of DevOps.” (20:02)
“I just built and just completed a course on artificial intelligence security … things like prompt injection, poisoning the models, stealing data out of models, and similar. And I don’t think it’s really difficult information. It’s just bleeding edge. And the hunger to get that course in is huge.” (22:09)
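The two points Jim makes above, that pipeline scanners cannot find broken access control and that developers should tell security what to look for in the logs, can be illustrated together. The following is an added example written for this page, not code from the episode, from Manicode Security, or from any project discussed; the invoice records, the user/role model, the `authz_denied` event name and the sample data are all constructed assumptions. The two handlers are equally valid Python and look identical to a scanner; only the second knows which user may read which record, and it writes a structured security event when it refuses a request.

```python
"""Why scanners miss broken access control, and what a useful security log looks like.

Added illustration (not from the podcast or Manicode). Data model, names and
sample records are invented for the example.
"""
import json
import logging
from dataclasses import dataclass

logger = logging.getLogger("appsec")

# In-memory sink for structured security events so the example is self-contained;
# a real deployment would ship these to the SIEM the security team is watching.
SECURITY_EVENTS: list[dict] = []


@dataclass(frozen=True)
class User:
    user_id: int
    role: str = "user"


class Forbidden(Exception):
    """Raised when an authenticated user requests a record they do not own."""


# Constructed sample data: two invoices belonging to two different users.
INVOICES = {
    1001: {"owner_id": 1, "amount": 250.00},
    1002: {"owner_id": 2, "amount": 99.50},
}


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    """Authenticated but not authorized: any logged-in user can read any invoice.

    This is the classic insecure direct object reference. Nothing here is
    syntactically wrong, so SAST, DAST and dependency scanners have no
    signature to match against; the defect is a missing business rule.
    """
    return INVOICES[invoice_id]


def get_invoice_secure(user: User, invoice_id: int) -> dict:
    """Same lookup with an explicit ownership/role check and a log event on denial."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if invoice["owner_id"] != user.user_id and user.role != "admin":
        # The event records who asked for what, which is exactly the signal a
        # security team can alert on once developers have explained the app.
        event = {
            "event": "authz_denied",
            "user_id": user.user_id,
            "resource": "invoice",
            "resource_id": invoice_id,
        }
        SECURITY_EVENTS.append(event)
        logger.warning(json.dumps(event))
        raise Forbidden(f"user {user.user_id} may not read invoice {invoice_id}")
    return invoice


def demo() -> dict:
    """User 1 requests user 2's invoice through both handlers; report what happened."""
    alice = User(user_id=1)
    leaked = get_invoice_vulnerable(alice, 1002)  # returns Bob's invoice unchallenged
    try:
        get_invoice_secure(alice, 1002)
        denied = False
    except Forbidden:
        denied = True
    return {"vulnerable_leaked_owner": leaked["owner_id"], "secure_denied": denied}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
    print("security events:", SECURITY_EVENTS)
```

The point of the pairing is that the fix is not a library upgrade or a sanitizer call that a tool can verify; it is a rule about the application's own data that only the developers know, and the same knowledge is what lets them tell the security team which log lines mean "someone is probing for other users' records".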