Podcast: OWASP Flagship Projects - Episode 02

In this episode of the People | Process | Technology Podcast, I speak with Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide, and Bjoern Kimminich from the Juice Shop Project. 

Today’s episode begins with Seba Deleersnyder, project lead for the Software Assurance Maturity Model, or SAMM. The mission of this OWASP Flagship Project is to provide an effective and measurable way for you to analyze and improve your secure development lifecycle. SAMM supports the complete software lifecycle and is technology and process agnostic.  SAMM was built to be evolutive and risk-driven in nature, as there is no single recipe that works for all organizations. 

The next Flagship Project we’ll hear from is the Mobile Security Testing Guide, with project leaders Carlos Holguera and Sven Schleier. The mission of the project is to “Define the industry standard for mobile application security.” MSTG is a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results. The project includes “Mobile App Security Requirements and Verification” and the “Mobile App Security Checklist”. 

Our final project in this episode is Juice Shop, an insecure web application for training, led by project lead Bjoern Kimminich. It is probably the most modern and sophisticated insecure web application. It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools. Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten, along with many other security flaws found in real-world applications. Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory


The OWASP 20th Anniversary Celebration is a 24 hour global event, featuring sessions from each of the OWASP flagship projects, leaders of the Top Ten Project, presenters from around the world, and sessions from people who have helped OWASP over the past 20 years. Registration is open, and you can’t beat the cost… it’s free. Even if you can’t attend, please register so you’ll have access to all of the recorded sessions following the conference. For the link check the show notes here on the podcast.

Our program was produced today by Executive Editor Mark Miller. Special thanks to today’s guests, Seba Deleersnyder from the Software Assurance Maturity Model, Carlos Holguera and Sven Schleier from the Mobile Security Testing Guide , and Bjoern Kimminich from the Juice Shop Project. You can stream our archive of over 160 episodes, for free, at soundCloud.com/owasp-podcast.  The show is available on all of your favorite podcasting platforms, including Spotify and Apple Podcasts. 

Support for this broadcast is provided by OWASP, celebrating twenty years of making software safer. OWASP hosts their 24 hour, 20th Anniversary Celebration in September. Head to 20thAnniversary.owasp.org for your free ticket.

Support also provided by JupiterOne, who believes that security is a basic right to every person, company, and enterprise. Security begins with cyber asset visibility, and includes understanding the relationships between those assets. Get started with your free, lifetime license at info.jupiterone.com/get-started.

Resources for this article


Posted By Mark Miller

Mark Miller speaks and writes extensively on DevSecOps and Cybersecurity. He has published 9 books, including "Modern Cybersecurity: Tales from the Near-Distant Future", and the popular "Epic Failures in DevSecOps" series.

Mark actively participates in the DevSecOps and cybersecurity communities by producing DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the former Senior Director of Editorial Strategy and Content at JupiterOne.

As well, Mark is Executive Producer of the OWASP Podcast Series (500K+ listens), and the Executive Editor of the LinkedIn DevOps Group (125K+ members).


cyber-security 1

Ad Title Placeholder

Lorem ipsum dolor sit amet, consectetur adipiscing elit.