Podcast 40

OWASP Podcast Series #40

OWASP Interview with Rohit Sethi. Recorded July 27, 2009; published Sept 23, 2009.


Participants
Rohit Sethi, Manager of Professional Services, Security Compass, is a specialist in threat modeling, application security reviews, and building security controls into the software development life cycle (SDLC). Mr. Sethi is a frequent guest speaker and instructor at several conferences, including RSA, Shmoocon, and CSI. He has written articles for Security Focus and the Web Application Security Consortium (WASC), and has been quoted as an expert in application security for ITWorldCanada and Computer World. At Security Compass, Rohit teaches students various topics on web application security in cities across North America. He has also managed and performed extensive threat analysis, source code reviews, and penetration testing for clients in financial services, utilities, telecommunications, and healthcare. He is often consulted for his dual expertise in information security and software engineering.

Questions

 * How did your team come up with the idea of writing this paper?
 * How does the security analysis of Core J2EE patterns differ from the Core Security patterns book? Do we need both?
 * Why did you choose the J2EE Core Design patterns and not the Gang of Four Design Patterns?
 * What value does this analysis have? Who is actually going to use this stuff?
 * How does this design pattern analysis differ from the most popular design-time security activity: threat modeling?
 * The analysis doesn’t have a notion of “risk”: it doesn’t articulate the difference between, say, an application on an intranet versus one on the Internet.
 * What are the next steps for this OWASP project?
 * How can people contribute to the project?