Latest Appsec Podcast Episodes
![Application Security Weekly (Video) artwork](https://is5-ssl.mzstatic.com/image/thumb/Podcasts123/v4/36/62/7a/36627a59-a5ed-408d-53e2-923fdd5df500/mza_4967229741412412116.png/100x100bb.jpg)
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281
Application Security Weekly (Video) - April 16, 2024 14:34 - 35 minutes - Video ★★★★ - 5 ratings
There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solution...
![Application Security Weekly (Audio) artwork](https://is5-ssl.mzstatic.com/image/thumb/Podcasts113/v4/56/a4/59/56a45925-5cfd-8a51-b41e-b2fe9c61c734/mza_8325380911925146229.png/100x100bb.jpg)
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281
Application Security Weekly (Audio) - April 15, 2024 14:00 - 1 hour ★★★★★ - 11 ratings
There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solution...
OWASP Breach, Types of Prompt Injection, Device-Bound Sessions, ASVS & APIs - ASW #280
Application Security Weekly (Video) - April 09, 2024 21:00 - 28 minutes - Video ★★★★ - 5 ratings
OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Show Notes: https://securityweekly.com/asw-280
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280
Application Security Weekly (Audio) - April 09, 2024 14:35 - 1 hour ★★★★★ - 11 ratings
We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing wa...
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280
Application Security Weekly (Video) - April 09, 2024 13:36 - 31 minutes - Video ★★★★ - 5 ratings
We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing wa...
Top 10's First Update, Metasploit's Second Update, PHP Prepares Statements, RSA & MS - ASW #279
Application Security Weekly (Video) - April 02, 2024 21:00 - 26 minutes - Video ★★★★ - 5 ratings
The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more! Show Notes: https://securityweekly.com/asw-279
Infosec Myths, Mistakes, and Misconceptions - Adrian Sanabria - ASW #279
Application Security Weekly (Audio) - April 02, 2024 16:13 - 1 hour ★★★★★ - 11 ratings
Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths....
Infosec Myths, Mistakes, and Misconceptions - Adrian Sanabria - ASW #279
Application Security Weekly (Video) - April 02, 2024 16:12 - 34 minutes - Video ★★★★ - 5 ratings
Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths....
Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278
Application Security Weekly (Video) - March 26, 2024 16:43 - 36 minutes - Video ★★★★ - 5 ratings
One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only...
Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278
Application Security Weekly (Audio) - March 26, 2024 16:10 - 1 hour ★★★★★ - 11 ratings
One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only...
GoFetch Side Channel, OpenSSF & Security Education, Fuzzing vs. Formal Verification - ASW #278
Application Security Weekly (Video) - March 25, 2024 21:00 - 32 minutes - Video ★★★★ - 5 ratings
The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Show Notes: https://securityweekly.com/asw-278
Vulns in Smart Locks, FCC labels for IoT, ZAP's New Home - ASW #277
Application Security Weekly (Video) - March 19, 2024 21:00 - 38 minutes - Video ★★★★ - 5 ratings
Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Show Notes: https://securityweekly.com/asw-277
Figuring Out Where Appsec Fits When Starting a Cybersecurity Program - Tyler VonMoll - ASW #277
Application Security Weekly (Audio) - March 19, 2024 15:35 - 1 hour ★★★★★ - 11 ratings
Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What ...
Figuring Out Where Appsec Fits When Starting a Cybersecurity Program - Tyler VonMoll - ASW #277
Application Security Weekly (Video) - March 19, 2024 15:34 - 35 minutes - Video ★★★★ - 5 ratings
Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What ...
TeamCity Authn Bypass, ArtPrompt Attacks, Low Quality Vuln Reports, Secure by Design - ASW #276
Application Security Weekly (Video) - March 12, 2024 21:00 - 36 minutes - Video ★★★★ - 5 ratings
The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more! Show Notes: https://securityweekly.com...
More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276
Application Security Weekly (Video) - March 12, 2024 16:50 - 35 minutes - Video ★★★★ - 5 ratings
A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Compa...
More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276
Application Security Weekly (Audio) - March 12, 2024 16:50 - 1 hour ★★★★★ - 11 ratings
A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Compa...
SAML & Secrets, Serializing AI Models, OWASP ISTG, More Memory Safety - ASW #275
Application Security Weekly (Video) - March 06, 2024 10:00 - 38 minutes - Video ★★★★ - 5 ratings
A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more! Show Notes: https://securityweekly.c...
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275
Application Security Weekly (Video) - March 05, 2024 20:13 - 40 minutes - Video ★★★★ - 5 ratings
The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app d...
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275
Application Security Weekly (Audio) - March 05, 2024 20:13 - 1 hour ★★★★★ - 11 ratings
The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app d...
PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results - ASW #274
Application Security Weekly (Video) - February 27, 2024 22:00 - 22 minutes - Video ★★★★ - 5 ratings
PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more! Show Notes: https://securityweekly.com/asw-274
Creating the Secure Pipeline Verification Standard - Farshad Abasi - ASW #274
Application Security Weekly (Video) - February 27, 2024 15:48 - 34 minutes - Video ★★★★ - 5 ratings
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project ...
Creating the Secure Pipeline Verification Standard - Farshad Abasi - ASW #274
Application Security Weekly (Audio) - February 27, 2024 15:48 - 56 minutes ★★★★★ - 11 ratings
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project ...
Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault
Application Security Weekly (Audio) - February 20, 2024 15:00 - 38 minutes ★★★★★ - 11 ratings
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottlen...
Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault
Application Security Weekly (Video) - February 20, 2024 15:00 - 38 minutes - Video ★★★★ - 5 ratings
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottlen...
Creating Code Security Through Better Visibility - Christien Rioux - ASW #273
Application Security Weekly (Video) - February 13, 2024 18:47 - 45 minutes - Video ★★★★ - 5 ratings
We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well"...
LLMs & Security Tools, Shim Vuln, AI Threat Models, Configuration as Code with Pkl - ASW #273
Application Security Weekly (Video) - February 13, 2024 18:47 - 38 minutes - Video ★★★★ - 5 ratings
LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more! Show Notes: https://securityweekly.com/asw-273
Creating Code Security Through Better Visibility - Christien Rioux - ASW #273
Application Security Weekly (Audio) - February 13, 2024 18:46 - 1 hour ★★★★★ - 11 ratings
We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well"...
Sorting Out Glibc Vulns, Apple's Security Research Device, BoringSSL, Old C Vulns - ASW #272
Application Security Weekly (Video) - February 06, 2024 22:00 - 36 minutes - Video ★★★★ - 5 ratings
Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Show Notes: https://securityweekly.com/asw-272
Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272
Application Security Weekly (Audio) - February 06, 2024 15:05 - 1 hour ★★★★★ - 11 ratings
We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the crea...
Related Appsec Topics