July 2, 2020

Last Updated on January 4, 2024

People say that I get excited when I talk about security.
I don’t hold a candle to Jim Manico. 
He is an application security powerhouse.
He founded and runs his own application security training company, Manicode, and is a major contributor to a number of OWASP projects. 
And we love OWASP around here. 
His ability to bring application security concepts to developers in a way they can appreciate and, at the same time, to business leaders in a way they can understand is what makes Jim so special. 
Application security is both a technical and a business risk. 
Jim really, really gets how this works.
I was a little bit nervous about sitting down with Jim. 
I’ve seen Jim speak publicly, and I’ve heard him on someone else’s podcast where he just wrecked a couple of people that challenged him.
He’s got a really big personality and a crazy accomplished resume.
It was a blast. 
So, if you are a business leader, especially at a SaaS firm, or a developer at a SaaS firm, this conversation will bring a ton of value. You’ll hear practical advice on how to approach application security that even the most technically unsavvy listeners like myself can understand.

Ask a simple question, get an in-depth, mind-blowing answer

I thought I’d start out with a quick look at the OWASP Application Security Verification Standard (ASVS) because it’s pretty straightforward, and we both really appreciate and respect ASVS and what it is capable of, even coming at it from different ends. I’m looking at it from the assessment side. Here’s the question:

“What does it take for a developer to really leverage the guidance that you’re providing?” -Host, John Verry

Since Jim is such an influential player at OWASP, I figured this was a bit of a softball and a good starting point. Well, Jim went into a ton of detail and took everything to another level, bringing up some really valid points and handing out some valuable advice.

ASVS 101

It’s a challenge navigating security and building a solid team to implement it. 
While there is some really great guidance available, some of which Jim has actually authored, it’s not always simple to decipher, and it’s even more challenging to stitch the information together into an effective end result. There are lots of really nuanced requirements, and not everyone is as excited as Jim about all of this stuff. 
The first part of his answer was pretty powerful. 
He started at step 0, citing an Automotive Linux Group study on secure coding. The study found that whether or not your project will be successful from a security point of view comes down, more than anything else, to one factor: skilled coding. 
So, takeaway moment here. You need a good team. Period. 
The standards are written by people like Jim with really big brains and a truckload of passion for this stuff. It’s a good idea to have someone on hand to run interference and interpret the language for you. That way the business side of your SaaS and the developer side of your SaaS can make informed decisions.
Some things really are better off handed off, or at the very least you should bring in one person who can speak both languages.
Some things Jim goes on to point out about ASVS:

  • Before you hand requirements to developers, hopefully your team forks the standard and makes it your own!
  • He doesn’t use ASVS out of the box, but looks at each company’s needs.
  • The OWASP Cheat Sheet Series is like a living encyclopedia of secure coding knowledge. Use it.
  • ASVS works best alongside the OWASP Testing Guide. ASVS alone isn’t giving you everything.

So, five minutes in and we already had some really great insights. Fantastic.

Educating the masses

Jim feels a responsibility to get developers educated, but he also feels that many of the issues developers take heat for are really C-level sign-offs. Jim trains them too. CISOs especially will benefit from an in-depth training program geared to their level of need. 
Jim goes on to list things the business person in charge of app development needs to understand:

  • What are your bug triage processes?
  • What are your SLAs to fix bugs? 
  • What additional security testing are you going to put in place? 
  • What kind of design review should happen? 
  • What kind of programming languages are you using? 
  • More, more, more.

Tune into the episode for an incredible glimpse into Jim’s mind!
You will walk away with valuable, real-world suggestions and advice on:

  • SDLC
  • Systems architecture
  • Threat modeling (why Jim thinks it’s not used correctly)
  • Third party library usage
  • Legacy software
  • More, more, more!

This post is based on The Virtual CISO podcast, hosted by John Verry and featuring special guest Jim Manico.
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.