The OWASP DevSlop Show

I am part of an OWASP project called DevSlop, as in “Sloppy DevOps”. I started the project with Nicole Becher, and since then we have added Franziska Bühler and Mohammed A. Imran to our project team. We started the project so we could learn about weaving security through DevOps, which we like to call DevSecOps.

First we created Pixi, an intentionally vulnerable MEAN Stack app with a poorly-formed and easily-manipulated API. Nikki and I did several workshops on it at various conferences; it was quite educational for the two of us (and hopefully also for our audiences).

Then I started to create my own pipeline in Azure, named Patty. Unfortunately I quickly figured out that “sharing” a pipeline via open source is *really hard*: there’s no package people can easily download and then implement themselves… I decided the best way to “share” would be to create a live stream of myself digging into different ideas and exactly how to implement them. We stream LIVE every Sunday at 1:00 pm EDT, on Mixer, Twitch, and YouTube, for approximately an hour. All videos are edited, captioned, and uploaded to YouTube. Sometimes wonderful members of the OWASP community even translate them for us. :-D

Please join us live if you can, or check out the videos afterwards.

S01E00 — Franziska Bühler and Tanya Janca try and fail to implement HTTPS, but settle for adding a few security headers. This was a “test” episode.

S01E01 — Franziska and Tanya implement more security headers.

S01E02 — Even more security headers for Franziska and Tanya!

S01E02.1 — Franziska and Tanya implement HTTPS for their website.

S01E03: Smart Contracts with Elissa Shevinsky

S01E04 — Morgan Roman and Tanya Janca explore the concept of negative unit tests.

Tune in this Sunday to join Joy Huggins and me while we set up Snyk to scan the DevSlop Project GitHub repo.