
Application Security Weekly (Audio)

291 episodes - English - Latest episode: 24 days ago - ★★★★★ - 11 ratings

The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws.

Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.


Episodes

Hackers and Policy: Empowering Users and Shaping Discussions at DEF CON, Jeff Moss - ASW #238

April 25, 2023 22:27 - 1 hour - 184 MB

Jeff Moss shares some of the history of DEF CON, from CFPs to Codes of Conduct, and what makes it a hacker conference. We also discuss the role of hackers and researchers in representing users within policy discussions. Segment links: https://defcon.org https://forum.defcon.org https://media.defcon.org https://defcon.social/about Microsoft turns to a weather-based taxonomy, k8s shares a security audit, a GhostToken that can't be exorcised from Google accounts, BrokenSesame RCE,...

Bug Bounty Programs and Community Building: Unveiling Rewards, Challenges, and Exciting Adventures, Ben Sadeghipour (NahamSec) - ASW #237

April 18, 2023 21:53 - 1 hour - 162 MB

We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. A new deps.dev API for supply chain enthusiasts, hacking and modding agricultural devices, guidance from CISA on secure by design (and by default!), Glaze brings adversarial art to AI training, key transparency for WhatsApp, a new appsec myth(?), Android hacking tool list, and a Chrome extension to find web debugging behavior.   Visit...

Application Security in the Cloud: Safeguarding Data and Preventing Unauthorized Access, Vandana Verma Sehgal - ASW #236

April 11, 2023 23:43 - 1 hour - 130 MB

Application security in the cloud is a crucial aspect of protecting data and preventing unauthorized access to applications hosted on cloud platforms. As cloud computing becomes more prevalent, ensuring the security of applications has become a top priority for organizations. This is because cloud environments present unique security challenges, such as shared resources, multi-tenancy, and a lack of physical control. Therefore, it is essential to implement security measures that are specific...

eBPF: The Future of Security and Infrastructure Tools Revealed, Liz Rice - ASW #235

April 04, 2023 19:31 - 1 hour - 164 MB

Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of infrastructure tools for networking, observability, and security. Let's explore eBPF and understand its value for security, and how it's used to secure network connectivity in the Cilium project, and for runtime security observability and enforcement in Cilium's sub-project, Tetragon...

AI in Production: Unveiling Use Cases, Security Risks, and Real-Life Experiences, Frank Catucci - ASW #234

March 28, 2023 16:15 - 1 hour - 171 MB

With the increased interest and use of AI such as GPT 3/4, ChatGPT, GitHub Copilot, and internal modeling, there comes an array of use cases and examples for increased efficiency, but also inherent security risks that organizations should consider. In this talk, Invicti’s CTO & Head of Security Research Frank Catucci discusses potential use cases and talks through real-life examples of using AI in production environments. Frank delves into benefits, as well as security implications, touching...

The Power of Static Analysis: Strengthening Application Security from Code Scrutiny, Josh Goldberg - ASW #233

March 21, 2023 17:30 - 1 hour - 177 MB

Static analysis is the art of scrutinizing your code without building or running it. Common static analysis tools are formatters (which change whitespace and other trivia), linters (which detect likely best practice and style issues), and type checkers (which detect likely bugs). Each of these can aid in improving application security by detecting real issues at development-time. Segment Resources: https://typescript-eslint.io https://eslint.org https://blog.joshuakgoldberg.com ...

ASW #232 - Josh Grossman

March 14, 2023 21:03 - 1 hour - 198 MB

In this segment, Josh will talk about the OWASP ASVS project which he co-leads. He will talk a little about its background and in particular how it is starting to be used within the security industry. We will also discuss some of the practicalities and pitfalls of trying to get development teams to include security activities and considerations in their day-to-day work and examples of how Josh has seen this “in the wild”.   Segment Resources: Josh's personal website, https://joshcgrossm...

ASW #231 - Neatsun Ziv

March 07, 2023 19:42 - 1 hour - 184 MB

In this episode, Neatsun Ziv, co-founder and CEO of Ox Security, takes a deep dive into supply chain security. He focuses on the new Open Software Supply Chain Attack Reference (OSC&R), a consortium of leading cybersecurity leaders. OSC&R is the first and only open framework for understanding and evaluating existing threats to entire software supply chain security. Segment Resources: https://pbom.dev/ - https://github.com/pbomdev/ OSCAR WebSocket hijack that leads to a full workspace ta...

ASW #230 - Lina Lau

February 28, 2023 19:06 - 1 hour - 164 MB

Join us for this segment with Lina Lau to learn lessons from real incident response engagements covering types of attacks leveraged against the cloud, war stories from supply chain breaches seen in the last 1-2 years, and how defenders and enterprises can better protect and proactively defend against these attacks.   Segment Resources: Attacking and Defending the Cloud (Training) https://training.xintra.org/ Blackhat Singapore 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESP...

Throwback Episode - ASW #178

February 21, 2023 14:20 - 33 minutes - 45.9 MB

It's another holiday week, so enjoy this episode from our archives! What does a collaborative approach to security testing look like? What does it take to tackle an entire attack class as opposed to fixing a bunch of bugs? If we can shift from vulnerability mitigation to vulnerability elimination, then appsec would be able to demonstrate some significant wins -- and they need a partnership with DevOps teams in order to do this successfully. Log4j has more updates and more vulns (but probab...

ASW #229 - Nick Selby

February 14, 2023 18:13 - 1 hour - 186 MB

Organizations spend hundreds of work hours to build applications and services that will benefit customers and employees alike. Whether the application/service is externally facing or for internal use only, it is mandatory to identify and understand the scope of potential cyber risks and threats it poses to the organization. But where and how do you start with an accurate threat model? Nick can discuss how to approach this and create a model that's useful to security and developers alike. S...

ASW #228 - Adrian Sanabria

February 07, 2023 17:12 - 1 hour - 182 MB

Most of the myths and lies in InfoSec take hold because they seem correct or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups. This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have t...

ASW #227 - Dr. David Movshovitz

January 31, 2023 18:29 - 1 hour - 166 MB

A $10M ransom demand to Riot Games, a DoS in BIND and why there's no version 10, an unexpected refactor at Twilio, insights in Rust from the git security audit, SQL Slammer 20 years later, the SQLMap tool. We talk with Dr. David Movshovitz about There Is No Average Behavior! Segment Resources: White paper: https://www.reveal.security/lp/white-paper/ Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweek...

ASW #226 - Marudhamaran Gunasekaran

January 24, 2023 23:17 - 1 hour - 178 MB

Breach disclosures from T-Mobile and PayPal, SSRF in Azure services, Google Threat Horizons report, integer overflows and more, Rust in Chromium, ML for web scanning, Top 10 web hacking techniques of 2022. Developers write code. Ideally, secure code. But what do we mean by secure code? What should secure code training look like? Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.f...

Throwback Episode - Dev(Sec)Ops Scanning Challenges & Tips - ASW170

January 17, 2023 21:17 - 1 hour - 95.6 MB

We aren't recording this holiday week, so enjoy this ASW throwback episode! Main host Mike Shema selected this episode to share as it's still relevant to the AppSec community today. This week, we welcome Nuno Loureiro, CEO at Probely, and Tiago Mendo, CTO at Probely, to talk about Dev(Sec)Ops Scanning Challenges & Tips! There's a plenitude of ways to do Dev(Sec)Ops, and each organization or even each team uses a different approach. Questions such as how many environments you have a...

ASW #225 - Dan Moore

January 10, 2023 18:27 - 1 hour - 184 MB

Exposed secrets from CircleCI, web hackers target the auto industry, $100K bounty for making Google smart speakers listen, inspiration from Office Space, AWS making better defaults for S3, resources for learning Rust. This segment will discuss options for protecting your APIs. First, why protect them? Second, what are the options and the tradeoffs? Segment Resources: - https://stackoverflow.blog/2022/04/11/the-complete-guide-to-protecting-your-apis-with-oauth2/ - https://fusionau...

ASW #224 - Keith Hoodlet

January 03, 2023 16:25 - 1 hour - 175 MB

How do you mature a team responsible for securing software? What are effective ways to prioritize investments? We'll discuss a set of posts on building talent, building capabilities, and what mature teams look like. Segment resources: - https://securing.dev/categories/essentials/   Metrics for building a security product, hands-on image classification attacks, a proposed PEACH framework for cloud isolation, looking back at Log4Shell, building an appsec toolbox   Visit https://www...

ASW #223 - Jeevan Singh

December 13, 2022 19:57 - 1 hour - 184 MB

FreeBSD joins the ping of death list, exploiting a SQL injection through JSON manipulation, Apple's design for iCloud encryption, attacks against machine learning systems and AIs like ChatGPT. Threat modeling is an important part of a security program, but as companies grow you will have to choose which features you want to threat model or become a bottleneck. What if I told you that you can have your cake and eat it too? It is possible to scale your program and deliver higher quality threat models...

ASW #222 - Aviv Grafi

December 06, 2022 18:42 - 1 hour - 186 MB

Android platform certs leaked, SQL injection to leaked credentials to cross-tenant access in IBM's Cloud Database, hacking cars through web-based APIs, technical and social considerations when getting into bug bounties, a brief note on memory safety in Android. Finding the balance between productivity and security is most successful when it leads to security solutions that help users rather than blaming them for security failures. We'll talk about the security decisions that go into hand...

ASW #221 - Kenn White

November 29, 2022 18:49 - 1 hour - 185 MB

Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team   MongoDB recently announced the industry’s first encrypted search scheme using breakthrough cryptography engineering called Queryable Encryption. This technology gives developers the ability to query encrypted sensitive data in a simple and intuitive way without impacting performance, with zero cryptography experience requi...

ASW #220 - Daniel Krivelevich

November 15, 2022 18:43 - 1 hour - 120 MB

CosMiss in Azure, $70k bounty for a Pixel Lock Screen bypass, finding path traversal with Raspberry Pi-based emulators, NSA guidance on moving to memory safe languages, implementing phishing-resistant MFA, egress filtering, and how to approach code reviews   Cider Security’s recently published research of the Top 10 CI/CD Security Risks acts to identify vulnerabilities to help defenders focus on areas to secure their CI/CD ecosystem. They created a free learning tool with a deliberately ...

ASW #219 - Karl Triebes

November 08, 2022 17:43 - 1 hour - 111 MB

While APIs enable innovation, they’re increasingly targeted as a pathway to data. API abuses are often carried out through automated attacks, in which a botnet floods the API with unwanted traffic—seeking vulnerable applications and unprotected data. In this discussion, Karl Triebes shares what you need to know about the automated bot threats targeting your APIs with guidance on how to protect your applications and APIs from these attacks. This segment is sponsored by Imperva. Visit https:...

ASW #218 - Sandy Carielli, Martha Bennett

November 01, 2022 15:01 - 1 hour - 111 MB

A critical OpenSSL vuln is coming this Tuesday, a SQLite vuln, Apple blogs about memory safety and bug bounties, determining a random shuffle   The Web3 ecosystem is chock full of applications and projects that have lost money (and their customers’ money) due to breaches, code flaws, or outright fraud. How can security teams do a better job of protecting Web3 apps? Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the...

ASW #217 - Kong Yew Chan

October 25, 2022 19:56 - 1 hour - 108 MB

Learn what keeps DevOps and SecOps up at night when securing Kubernetes, container, and cloud native applications, and what tactics are best for developers and application architects to consider when securing your latest cloud application and hardening your CI/CD pipeline and processes. This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them! Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metri...

ASW #216 - Jason Recla

October 18, 2022 20:25 - 1 hour - 109 MB

Exploiting FortiOS with HTTP client headers, mishandling memory in Linux kernel Wi-Fi stack, a field guide to security communities, secure coding resources from the OpenSSF, Linux kernel exploitation. Cybersecurity is a data problem. Accelerated AI enables 100 percent data visibility and faster threat detection and remediation. Find out how NVIDIA used AI to reduce cybersecurity events from 100M per week to up to 10 actionable events per day, and accelerate threat detection from weeks to minu...

ASW #215 - Akira Brand

October 11, 2022 12:17 - 1 hour - 107 MB

We talk with Akira Brand about appsec educational resources and crafting better resources for developers to learn about secure coding. Segment Resources: - www.akirabrand.com - www.wehackpurple.com - www.owasp.org - www.brightsec.com/blog   Rust arrives in the Linux Kernel, verdict in the Uber security case, overview(s) of JavaScript prototype pollution, flaws in PHP Composer and the NPM vm2 package, reading CloudSecDocs   Visit https://www.securityweekly.com/asw for all th...

ASW #214 - Dean Agron

October 04, 2022 16:17 - 1 hour - 107 MB

The core focus of this podcast is to provide the listeners with food for thought on what is required for releasing secure cloud native applications: continuous, multi-layer, and multi-service analysis, focusing not only on the code but also on the runtime and the infrastructure; focusing on the vulnerabilities that matter, the critical, exploitable ones, using context; and choosing the right remediation forms, which may come in different shapes. Segment Resources: Oxeye Website for vi...

ASW #213 - Janet Worthington

September 27, 2022 15:38 - 1 hour - 114 MB

Applications are the most frequent external attack vector for companies. However, application security can improve only if developers either code securely or remediate existing security flaws — unfortunately, many don’t receive training with proper security know-how. In this session, we will talk about the state of application security education and what you can do to secure what you sell. Segment Resources: - https://www.forrester.com/blogs/school-is-in-session-but-appsec-is-still-on-vac...

ASW #212 - Sam Placette

September 20, 2022 13:42 - 1 hour - 112 MB

Appsec places a lot of importance on secure SDLC practices, API security, integrating security tools, and collaborating with developers. What does this look like from a developer's perspective? We'll cover API security, effective ways to test code, and what appsec teams can do to help developers create secure code. This segment is sponsored by ThreatX. Visit https://securityweekly.com/threatx to learn more about them!   Appsec dimensions of the Uber breach, Rust creates a security team...

ASW #211 - Sonali Shah

September 13, 2022 18:25 - 1 hour - 107 MB

Go releases their own curated vuln management resources, OSS-Fuzz finds command injection, Microsoft gets rid of Basic Auth in Exchange, NSA provides guidance on securing SDLC practices, reflections on pentesting, comments on e2e   Shifting left has been a buzzword in the application security space for several years now, and with good reason – making security an integral part of development is the only practical approach for modern agile workflows. But in their drive to build security te...

ASW #210 - Doug Dooley

August 30, 2022 16:47 - 1 hour - 113 MB

We will review the primary needs for cloud security: - Guardrails against misconfiguration - Continuously Identify and Remediate Vulnerabilities in Cloud APIs, Apps, and Services - Observability, Protection, and Reporting against Compliance and Risk Policies - We will also review CNAPP -- Cloud Native Application Protection Platform -- and why companies need to take a closer look for the best cloud security Segment Resources: - https://www.datatheorem.com/news/2021/data-theorem-represen...

ASW #209 - Kiran Kamity

August 23, 2022 20:06 - 1 hour - 145 MB

The unique nature of cloud native apps, Kubernetes, and microservices based architectures introduces new risks and opportunities that require AppSec practitioners to adapt their approach to security tooling, integration with the CI/CD pipeline, and how they engage developers to fix vulnerabilities. In this episode, we’ll discuss how AppSec teams can effectively manage the transition from securing traditional monolithic applications to modern cloud native applications and the types of securit...

ASW #208 - Tanya Janca

August 17, 2022 19:54 - 1 hour - 139 MB

Let's talk about adding security tools to a CI/CD, the difference between "perfect" and "good" appsec, and my upcoming book. Segment Resources: https://community.wehackpurple.com #CyberMentoringMonday on Twitter. Microsoft fixes an old bounty from 2019, rewards almost $14M on bounties in the past year, and releases a security layer for Edge; Black Hat talks on bounties and desync attacks, Google's bounties for the Linux kernel, modifying browser behavior, and the Excel championships. Vi...

ASW #207 - Chen Gour Arie

August 09, 2022 23:00 - 1 hour - 143 MB

In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than invest their time in critical activities, teams are overwhelmed by gaps in visibility and tools to govern the process. As a result, many digital services remain improperly protected. In this...

ASW #206 - Manish Gupta

August 04, 2022 19:21 - 1 hour - 104 MB

In our first segment, we are joined by Manish Gupta, the CEO and Co-Founder of ShiftLeft, for a discussion of how the changes and advancements in static application security testing (SAST) and intelligent software composition analysis (SCA) have helped development and DevSecOps teams work better together to fix security issues faster! In the AppSec News: Multiple vulns in a smart lock, Office Macros finally disabled by default, data breach costs and threat modeling, designing migration paths f...

ASW #199 - Nikhil Gupta

July 28, 2022 09:00 - 1 hour - 140 MB

Nikhil will be discussing the pain points that leaders in the application security space are facing, which can cover how software development has evolved, as well as how this has impacted development teams and security teams as well as the occurrence of shifting left. He would also like to speak to the solution he has found to this problem, specifically being that of developing a community, the Purple Book Community. This closely connects to the final topics he would like to cover, which inc...

ASW #205 - Ferruh Mavituna

July 25, 2022 21:09 - 1 hour - 105 MB

Vuln in an Atlassian Confluence app, "Dirty Dancing" in OAuth flows, security audits of sigstore and slf4j, flaws in fleet management app, conducting tabletop exercises.   Pressured by the speed of innovation, organizations are struggling to achieve the continuous web application security they need in the face of mounting threats and compliance requirements. What does it take in order for your AppSec program to be both effective and agile? In this segment, Ferruh Mavituna, founder and st...

ASW #204 - Larry Maccherone

July 20, 2022 19:10 - 1 hour - 102 MB

0-day vulnerabilities pose a high risk because cybercriminals race to exploit them and vulnerable systems are exposed until a patch is issued & installed. These types of software vulnerabilities can be found through continuous detection but even then may not always have a patch available. It’s important for software teams to set up tools that continually look for these types of flaws, as well as defenses that let software adapt itself to an evolving threat landscape. In this episode, we will...

ASW #203 - Farshad Abasi

July 15, 2022 18:25 - 1 hour - 96 MB

This week in the AppSec News: Apple introduces Lockdown Mode, PyPI hits 2FA trouble, cataloging cloud vulns, practical attacks on ML, NIST's post-quantum algorithms, & more!   Appsec starts with the premise that we need to build secure code, but it also has to be able to recommend effective practices and tools that help developers. This also means appsec teams need to work with developers to create criteria for security solutions, whether it's training or scanners, in order to make sure ...

ASW #202 - Mike Benjamin

July 14, 2022 20:47 - 1 hour - 72.9 MB

Both GraphQL and template engines have the potential for injection attacks, from potentially exposing data due to weak authorization in APIs to the slew of OGNL-related vulns in Java this past year. We take a look at both of these technologies in order to understand the similarities in what could go wrong, while also examining the differences in how each one influences modern application architectures.   This week in the AppSec News: Lessons learned from fuzzing, OT:ICEFALL report on ins...

ASW #201 - IE11 Goes to Zero

July 12, 2022 18:15 - 1 hour - 61.3 MB

This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!   IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award r...

ASW #200 - Keith Hoodlet

July 08, 2022 16:43 - 1 hour - 93.9 MB

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134. Seamlessly Connect & Protect Entire IT Ecosystem: The new business reality is that everything is connected, and everyone is vulnerable. In today’s world, security resilience is imperative, and Cisco believes it requires an open, unified security platform that crosses hybrid multi-cloud environments. Our vision for the Cisco Security C...

ASW #198 - Matias Madou

June 22, 2022 23:00 - 1 hour - 98.6 MB

Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. Matias Madou joins to talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture. This week in the AppSec News: OWASP Top 10 for Kubernetes, Firefox improves security with process isolation, CNCF releases guidance on...

ASW #197 - Brian Glas

May 20, 2022 15:30 - 1 hour - 109 MB

This week, in the first segment, Brian Glas answers the questions surrounding the next generations of AppSec professionals: What does it look like to try teaching cybersecurity at an undergraduate level? What are the goals and challenges faced when trying to help future generations learn what they need to know to contribute to this industry? Then, in the AppSec News: Typosquatting spreads to Rust, curl fixes flaws in mishandling dots and slashes, OpenSSF invests in a mobilization plan for op...

ASW #196 - Christoph Nagy

May 10, 2022 21:30 - 1 hour - 100 MB

This week, Mike and John kick off the show with an interview of Christoph Nagy, the CEO of SecurityBridge! Then, in the AppSec News: Secure coding practices and smart contracts, lessons from the Heroku breach, Real World Crypto conference highlights, and an entertaining bug in Google Docs, & more! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/asw for all the latest episodes! Sh...

ASW #195 - Lynn Marks

May 03, 2022 22:30 - 1 hour - 101 MB

This week, Mike and John interview Lynn Marks, Product Manager at Imperva, & discuss Bad Bots: The Automated Threat Targeting Your Websites, Apps, & APIs! In the AppSec News: ExtraReplica in Azure, Chrome disfavors document.domain, appsec presentations highlighted in the latest Thinkst Quarterly, Nimbuspwn Vuln in Linux, & more! This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! Follow us on Twitter: https://www.twitter.com/security...

ASW #194 - Dr. Chenxi Wang

April 26, 2022 18:30 - 1 hour - 97.1 MB

How should we empower developers to embrace the NIST software development practices? Because from here on out, developers need to view themselves as the front lines of defense for the end-consumer. A more secure-aware developer leads to a more-protected consumer. Dr. Wang will offer her perspectives! In the AppSec News: Java's ECDSA implementation is all for nought, writing a modern Linux kernel RCE, lessons learned from the Okta breach, lessons repeated from a log4shell hot patch, a strateg...

ASW #193 - AppSec (& adjacent) Metrics

April 19, 2022 22:00 - 1 hour - 106 MB

We can create top 10 lists and we can count vulns that we find with scanners and pen tests, but those aren't effective metrics for understanding and improving an appsec program. So, what should we focus on? How do we avoid the trap of focusing on the metrics that are easy to gather and shift to metrics that have clear ways that teams can influence them? In the AppSec News: OAuth tokens compromised, five flaws in a medical robot, lessons from ASN.1 parsing, XSS and bad UX, proactive security ...

ASW #192 - William Morgan

April 12, 2022 16:30 - 1 hour - 105 MB

The zero trust approach can be applied to almost every technology choice in the modern enterprise, and Kubernetes is no exception. For Kubernetes network security particularly, adopting a zero trust model involves some radical changes, including moving from a security perimeter defined by firewalls, IP addresses, and cluster boundaries to a granular approach that treats the network itself as adversarial and moves the security boundary down to the pod level. William will discuss why the zero ...

ASW #191 - Eric Allard

April 05, 2022 21:00 - 1 hour - 108 MB

Making a positive impact on how we package software to make developers' lives easier in how they have to manage security. FORCEDENTRY implications for the BlastDoor sandbox, Spring RCE, Zlib flaw resurfaces, security for startups, verifying Rust models, two HTML parsers lead to one flaw! Show Notes: https://securityweekly.com/asw191 Segment Resources: - https://app.soos.io/demo - https://soos.io/ - https://youtu.be/Y8jvhCHGQg8 Visit https://securityweekly.com/soos to learn mo...

Twitter Mentions

@securityweekly 178 Episodes
@secweekly 76 Episodes
@owaspsamm 2 Episodes
@0xas1f 1 Episode