Application Security Weekly (Video)

574 episodes - English - Latest episode: 3 days ago - ★★★★ - 5 ratings

The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws.

Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.

Episodes

XZ & Open Source, PuTTY's Private Keys, LeakyCLI, LLMs Writing Exploits - ASW #282

April 23, 2024 21:00 - 38 minutes - 166 MB Video

CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Show Notes: https://securityweekly.com/asw-282

Sustainable Funding of Open Source Tools - Simon Bennetts, Mark Curphey - ASW #282

April 23, 2024 15:43 - 39 minutes - 171 MB Video

How can open source projects find a funding model that works for them? What are the implications of different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphey adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve. Segment resources: https://crashoverride...

Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox - ASW #281

April 16, 2024 21:00 - 28 minutes - 122 MB Video

A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more! Show Notes: https://securityweekly.com/asw-281

Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281

April 16, 2024 14:34 - 35 minutes - 153 MB Video

There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: https://kickstart...

OWASP Breach, Types of Prompt Injection, Device-Bound Sessions, ASVS & APIs - ASW #280

April 09, 2024 21:00 - 28 minutes - 126 MB Video

OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Show Notes: https://securityweekly.com/asw-280

Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280

April 09, 2024 13:36 - 31 minutes - 139 MB Video

We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software. It's an exciting topic partially because so much ...

Top 10's First Update, Metasploit's Second Update, PHP Prepares Statements, RSA & MS - ASW #279

April 02, 2024 21:00 - 26 minutes - 119 MB Video

The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more! Show Notes: https://securityweekly.com/asw-279

Infosec Myths, Mistakes, and Misconceptions - Adrian Sanabria - ASW #279

April 02, 2024 16:12 - 34 minutes - 153 MB Video

Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less se...

Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278

March 26, 2024 16:43 - 36 minutes - 159 MB Video

One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place. Segment resources: https://www.usenix.org/conference/8th-usenix-security-symposium/wh...

GoFetch Side Channel, OpenSSF & Security Education, Fuzzing vs. Formal Verification - ASW #278

March 25, 2024 21:00 - 32 minutes - 143 MB Video

The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Show Notes: https://securityweekly.com/asw-278

Vulns in Smart Locks, FCC labels for IoT, ZAP's New Home - ASW #277

March 19, 2024 21:00 - 38 minutes - 170 MB Video

Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Show Notes: https://securityweekly.com/asw-277

Figuring Out Where Appsec Fits When Starting a Cybersecurity Program - Tyler VonMoll - ASW #277

March 19, 2024 15:34 - 35 minutes - 153 MB Video

Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What decisions can you make at the start that will benefit the program in the years that follow? What does an appsec program look like at a small scale? Segment Resources: "Cybersecurity for Nonprofits"...

TeamCity Authn Bypass, ArtPrompt Attacks, Low Quality Vuln Reports, Secure by Design - ASW #276

March 12, 2024 21:00 - 36 minutes - 162 MB Video

The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more! Show Notes: https://securityweekly.com/asw-276

More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276

March 12, 2024 16:50 - 35 minutes - 153 MB Video

A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps organizations can take to protect their APIs. This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more abou...

SAML & Secrets, Serializing AI Models, OWASP ISTG, More Memory Safety - ASW #275

March 06, 2024 10:00 - 38 minutes - 174 MB Video

A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more! Show Notes: https://securityweekly.com/asw-275

The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275

March 05, 2024 20:13 - 40 minutes - 183 MB Video

The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more. Segment resources: https://www.redhat.com/en/blog/patch...

PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results - ASW #274

February 27, 2024 22:00 - 22 minutes - 102 MB Video

PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more! Show Notes: https://securityweekly.com/asw-274

Creating the Secure Pipeline Verification Standard - Farshad Abasi - ASW #274

February 27, 2024 15:48 - 34 minutes - 153 MB Video

Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable ...

Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault

February 20, 2024 15:00 - 38 minutes - 167 MB Video

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models. Segment Resources: - Original blog: https://segment.com...

Creating Code Security Through Better Visibility - Christien Rioux - ASW #273

February 13, 2024 18:47 - 45 minutes - 197 MB Video

We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be. Segment Resources: https://www.lacework.com/blog/introducing-a-new-approach-to-code-security/ Show Notes: https://securityweekly.com/asw-273

LLMs & Security Tools, Shim Vuln, AI Threat Models, Configuration as Code with Pkl - ASW #273

February 13, 2024 18:47 - 38 minutes - 171 MB Video

LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more! Show Notes: https://securityweekly.com/asw-273

Sorting Out Glibc Vulns, Apple's Security Research Device, BoringSSL, Old C Vulns - ASW #272

February 06, 2024 22:00 - 36 minutes - 159 MB Video

Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Show Notes: https://securityweekly.com/asw-272

Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272

February 06, 2024 14:35 - 37 minutes - 170 MB Video

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/ps...

Vulns & Secure Design, MiraclePtr Success, Abandoned Projects & Maven, Old "AI Chip" - ASW #271

January 30, 2024 22:00 - 40 minutes - 177 MB Video

Vulns in Jenkins code and Cisco devices that make us think about secure designs, MiraclePtr pulls off a relatively quick miracle, code lasts while domains expire, an "Artificial Intelligence chip" from the 90s, and more! Show Notes: https://securityweekly.com/asw-271

Getting Your First Conference Presentation - Sarah Harvey - ASW #271

January 30, 2024 19:00 - 38 minutes - 167 MB Video

We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices? Segment resources: https://bsidessf.org https://infosec.exchange/@worldwise001/111280163638514582 https://www.youtube.com/watch?v=1lVIeh5f4Rg Show Notes: https:...

Security in Wrenches, Vulns in Atlassian and GitLab, 2023's Top Web Hacking Tricks - ASW #270

January 23, 2024 16:30 - 34 minutes - 157 MB Video

Vulns throw a wrench in a wrench, more vulns drench Atlassian, vulns send GitLab back to the design bench, voting for the top web hacking techniques of 2023, and more! Show Notes: https://securityweekly.com/asw-270

Dealing with the Burden of Bad Bots - Sandy Carielli - ASW #270

January 23, 2024 16:00 - 34 minutes - 156 MB Video

Where apps provide something of value, bots are sure to follow. Modern threat models need to include scenarios for bad bots that not only target user credentials, but that will also hoard inventory and increase fraud. Sandy shares her recent research as we talk about bots, API security, and what developers can do to deal with these. Segment resources: https://www.forrester.com/blogs/avoid-a-bot-waterloo/ https://www.forrester.com/blogs/are-your-bot-management-tools-up-to-date-to-handle-...

Communicating Technical Topics Without Being Boring - Eve Maler - ASW #269

January 16, 2024 18:37 - 35 minutes - 164 MB Video

It's time to start thinking about CFPs and presentations for 2024! Eve shares advice on delivering technical topics so that an audience can understand the points you want to make. Then we show how developing these presentation skills for conferences helps with presentations within orgs and why these are useful skills to build for your career. Show Notes: https://securityweekly.com/asw-269

23andMe Blames Users, Abusing Google's OAuth2, Rustls Performance, AI Goes OSINT - ASW #268

January 09, 2024 22:00 - 35 minutes - 163 MB Video

23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more! Show Notes: https://securityweekly.com/asw-268

What's in Store for 2024? - ASW #268

January 09, 2024 16:58 - 35 minutes - 165 MB Video

We kick off the new year with a discussion of what we're looking forward to and what we're not looking forward to. Then we pick our favorite responses to "appsec in three words" and set our sights on a new theme for 2024. Show Notes: https://securityweekly.com/asw-268

HTTP RFCs Have Evolved, Breaking Into Cloud, Scaling AppSec at Netflix, & Confluence - Keith Hoodlet - ASW Vault

January 01, 2024 10:00 - 33 minutes - 154 MB Video

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134. Show Notes: https://securityweekly.com/vault-asw-7

OWASP SAMM - Software Assurance Maturity Model - Sebastian Deleersnyder - ASW Vault

December 25, 2023 10:00 - 34 minutes - 157 MB Video

We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity...

Nagios and Abandoned Projects, Hacking Trains (to Fix Them), OAuth Threats, 5Ghoul - ASW #267

December 19, 2023 22:00 - 40 minutes - 185 MB Video

Nagios gets a review from NCC Group, hackers hack some anti-fixing code to fix trains in Poland, abusing OAuth post-compromise, 5Ghoul flaws in 5G networks, MITRE teases a new threat model for embedded systems, a conversation on vuln scoring systems, and more! Show Notes: https://securityweekly.com/asw-267

Making Service Meshes Work for People - Idit Levine - ASW #267

December 19, 2023 16:44 - 37 minutes - 171 MB Video

Service meshes create the opportunity to make security a team sport. They can improve observability and service identity. Turning monoliths into microservices sounds appealing, but maybe not every monolith needs to be broken up. We'll also talk about the maturity and design choices that go into service meshes and when a monolith should just remain a monolith. Segment Resources: https://www.solo.io/blog/kubernetes-security-cloud-native-applications/ https://www.solo.io/blog/apis-data-b...

Prompt Injection Scanners, Better AI Jailbreaks, Purple Llama, Linux Kernel Security - ASW #266

December 12, 2023 22:00 - 38 minutes - 178 MB Video

Benchmarking prompt injection scanners, using generative AI to jailbreak generative AI, Meta's benchmark for LLM risks, tapping a protocol to hack Magic the Gathering, and more! Show Notes: https://securityweekly.com/asw-266

The ABCs of RFCs - Heather Flanagan - ASW #266

December 12, 2023 18:10 - 39 minutes - 179 MB Video

We have a lot of questions about standards. How do standards emerge? How do standards encourage adoption? How do they stay relevant as development patterns change and security threats evolve? We have standards for web appsec (HTML, HTTP), all sorts of protocols, and all sorts of authentication (OAuth, OpenID). Learning how these standards come about can also inform how your own org documents designs and decisions. Segment resources: https://datatracker.ietf.org/doc/html/rfc3552 https:...

Extracting Data from ChatGPT, Vulns Around AI, Secure AI Guidance, LogoFAIL, BLUFFS - ASW #265

December 06, 2023 10:00 - 34 minutes - 160 MB Video

Repetition extracts data from ChatGPT, more vulns in the software that surrounds AI, guidelines for secure AI, LogoFAIL trips a boot, BLUFFS attack on Bluetooth, CISA's first secure by design alert, Okta's updated breach disclosure, and more! Show Notes: https://securityweekly.com/asw-265

All the News -- Just Six Months Later - ASW #265

December 05, 2023 19:03 - 35 minutes - 163 MB Video

We cover appsec news on a weekly basis, but sometimes that news is merely about the start of a new project, sometimes it's yet another example of a vuln class, and sometimes it's a topic we hope doesn't become a trend. So, what themes have we seen and where do we see them going? Here are a few headline topics that have alternately generated yays and yawns. CISA's Secure by Design and Secure by Default CVSS 4.0 Generative AI MFA mandates Microsoft, Rust, and Memory Safety New TLD...

Randstorm, Nothing Chats, Platform Engineering, PyPI Security Audit - ASW #264

November 28, 2023 22:00 - 33 minutes - 154 MB Video

Weak randomness in old JavaScript crypto, lack of encryption in purported end-to-end encryption, a platform engineering maturity model, PyPI's first security audit, vision for a Rust specification, and more! Show Notes: https://securityweekly.com/asw-264

Starting with Appsec -- Is It More of a Position or a Process? - ASW #264

November 28, 2023 19:04 - 40 minutes - 185 MB Video

This year we've talked about vulns, clouds, breaches, presentations, and all the variations of Dev, Sec, and Ops. As we end the year, let's talk about starting things -- like starting an appsec program or an appsec career. But is there still a need for an appsec team? Or has it turned into specializations for areas like cloud security and bug bounty programs? We'll cover careers and coding, with an eye towards figuring out what modern software development looks like and where application (or...

Platform Firmware Security - Maggie Jauregui - ASW Vault

November 20, 2023 15:00 - 34 minutes - 157 MB Video

Firmware security is complex and continues to be an industry challenge. In this podcast we'll talk about the reasons firmware security remains a challenge and some best practices around platform security. Segment Resources: https://www.helpnetsecurity.com/2020/04/27/firmware-blind-spots/ https://www.helpnetsecurity.com/2020/09/28/hardware-security-challenges/ https://darkreading.com/application-security/4-open-source-tools-to-add-to-your-security-arsenal https://chipsec.github.io Ha...

Fuzzing Strategies, Responding to CISA's Open Source Security RFI, 35 Year Old Worm - ASW #263

November 14, 2023 22:00 - 37 minutes - 170 MB Video

CNCF releases a handbook on fuzzing, OpenSSF and OWASP respond to CISA's Open Source Software Security RFI, 14 years of Go, lessons for today from an internet worm from 35 years ago, and more! Show Notes: https://securityweekly.com/asw-263

How 2023 Changed Application Security and What’s to Come in 2024 - Karl Triebes - ASW #263

November 14, 2023 16:43 - 38 minutes - 175 MB Video

In the rapidly evolving landscape of application security, 2023 brought significant changes with the rise of generative AI tools and an increase in automated threats. In this discussion, Karl Triebes takes a deep dive into the major trends of the past year, examining their impact on the industry and shedding light on what security professionals can anticipate moving forward into 2024. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! ...

Citrix Bleed, Atlassian Authz Vuln, OpenJS & jQuery, Secure Future Initiative - ASW #262

November 07, 2023 22:00 - 35 minutes - 163 MB Video

Details of the Citrix Bleed vuln, exploitation of the Atlassian improper authorization vuln, so many jQuery installations to upgrade, the price of bounties and the cost of fixes, Microsoft's Secure Future Initiative, and more! Show Notes: https://securityweekly.com/asw-262

Security from a Developer's Perspective - Josh Goldberg - ASW #262

November 07, 2023 16:34 - 35 minutes - 164 MB Video

A lot of appsec conferences have presentations for appsec audiences -- but that's not often the group that's building apps. What if more developer conferences had appsec content? We talk with Josh about security from the developer's point of view, both as an audience hearing about it and as a presenter talking about it. We discuss the importance of knowing your audience and finding the hooks in security tools and topics that can resonate with developers. Segment resources: https://www.jos...

Abusing OAuth, State of DevOps, Nightshade and AI, iLeakage, Sandboxing Apps - ASW #261

October 31, 2023 21:00 - 41 minutes - 190 MB Video

OAuth implementation failures, the State of DevOps report, data poisoning generative AIs with Nightshade, implementing Spectre attacks with JavaScript and WebAssembly against WebKit, sandboxing apps. Show Notes: https://securityweekly.com/asw-261

How Security Tools Must Evolve - Dan Kuykendall - ASW #261

October 31, 2023 18:34 - 44 minutes - 204 MB Video

The categories of security tools that we're most familiar with have struggled to keep up with how modern apps are designed and what modern devs need. What if instead of being beholden to categories, we created tools that solved problems devs have today in the types of apps they build today? And what if we had more dev leadership to influence security tools as well as secure by design? What would that leadership look like? Segment Resources: https://danondev.com/youtube Show Notes: https:...

Okta Breach, SolarWinds RCEs, CISOs and Boards, Crypto Business Logic, Secure Design - ASW #260

October 24, 2023 21:00 - 39 minutes - 181 MB Video

Appsec lessons from the Okta breach, directory traversal (and appsec) lessons from SolarWinds, how CISOs and Boards rank factors around vulns and patching, revisiting cryptocurrency attacks for lessons in business logic and threat modeling, CISA and friends update guidance on Secure Design, and more! Show Notes: https://securityweekly.com/asw-260

OAuth, WebAuthn, and the Impact of Design Choices - Dan Moore - ASW #260

October 24, 2023 16:27 - 38 minutes - 178 MB Video

We return to discussions of OAuth and all sorts of authentication. This time around we're looking at the design of authentication protocols, the kinds of trade-offs they weigh for adoption and security, and how a standard evolves over time to keep pace with new attacks and put to rest old mistakes. Segment resources: https://fusionauth.io/docs/v1/tech/core-concepts/modes https://webauthn.wtf/ https://datatracker.ietf.org/doc/html/rfc7636 https://www.ietf.org/about/participate/tao/ ...

HTTP/2 Rapid Reset, Curl's SOCKS5 Bug, Standardizing CycloneDX, AI Bug Bounty - ASW #259

October 17, 2023 21:00 - 39 minutes - 181 MB Video

How HTTP/2's rapid reset is abused for DDoS, a look at the fix for Curl's recent high severity bug, OWASP moves to make CycloneDX a standard, Microsoft deprecates NTLM, VBScript, and old TLS -- while also introducing an AI bug bounty program. Show Notes: https://securityweekly.com/asw-259