Here is the presentation I just delivered at OWASP's AppSec EU in Rome
A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, Application/Data interoperability and a lot more
Thursday, 30 June 2016
Friday, 24 June 2016
Another 6 updates on Software Quality Book
Here are the Software Quality book sections recently updated
- Why this book
- Open Sourcing your Knowledge
- Data Integrity is much more dangerous than Data Confidentiality
- Measuring Software Quality Using Application Security
- Graduates to manage JIRA.
- Parking Ticket Karma and coding
Labels:
Software Quality
Thursday, 23 June 2016
40 technologies used on the 'Maturity Models' nodeJS application
I've been working on a Maturity Model application to help me manage a project where I'm doing a large BSIMM mapping exercise.
The tech stack is based on NodeJS + Angular, and it looks like this:
Tuesday, 21 June 2016
OWASP Mobile Top 10 2016 (Release candidate)
When looking at mobile application security, a great place to start is the OWASP Mobile Top 10 2016, which is currently in its release candidate state (the previous version can be found here).
When doing a Threat Model of a mobile application, in addition to the STRIDE questions, go through these 10 items and ask the questions:
Labels:
Mobile Security,
OWASP
Sunday, 19 June 2016
Working on major update of 'Practical Angular JS' book
(email I just sent to my Leanpub readers who chose to be contacted directly)
Thanks for being a reader of my Practical Angular JS book and allowing me to contact you directly with updates (you chose to share your email with me).
The first version of the book was mainly made of blog posts I published at blog.diniscruz.com, and it took me a while to figure out how to best complete the book.
Recently I started working on a project (creating Maturity Models mappings and visualisations for BSIMM) which I was able to open source. This project is a clean implementation of my ideas of how to code and test AngularJS, and once I had the first version of the app working, I realised that this was a perfect fit for this Practical Angular JS book.
My current plan is to split the book into two parts, where 'Part I' is the new content and 'Part II' is the existing (published) content.
Thursday, 9 June 2016
Link to join OWASP Slack
If you want to participate in one of the multiple great AppSec channels at https://owasp.slack.com and don't have an account, please use this link:
http://owasp.herokuapp.com
(posting this as a blog post so that it is easy to find on Google)
Labels:
OWASP
Some draft content on JIRA RISK workflows
In the Software Quality book that I'm writing, I've started to map out the JIRA RISK workflows (as described in this previous blog post).
Here are some of the (very draft) chapters that I have written on this topic.
- JIRA issues
- Software Complexity
- Graduates to manage JIRA.
- DevOps
- Describe Risks as Features rather than as Wishes
- Legacy code
Let me know what you think of these concepts.
Labels:
Software Quality
Sunday, 5 June 2016
6 sections added to Software Quality Book (on AppSec and Testing)
I have been slowly working on my Software Quality book (with tons of notes captured in small Moleskine notebooks and new audio recordings).
Here are the sections I worked on this week:
- Describe Risks as Features rather than as Wishes
- Protecting Legal and Compliance Text on Websites
- Application security teams need developers
- Buying tools for developers
- Putting Data in PasteBin
- Creating Small Tests
Please let me know what you think of them, and if you spot any issues or have comments to make, feel free to open an Issue or send a Pull Request.
Labels:
Book,
Software Quality