Latest Paulasadoorian Podcast Episodes
Shared Responsibility Models, AI in Offensive Security, Apple's Private Cloud Compute - ASW #289
Application Security Weekly (Video) - June 25, 2024 21:00 - 24 minutes - Video ★★★★ - 5 ratingsThoughts on shared responsibility models after the Snowflake credential attacks, looking at AI's current and future role in offensive security, secure by design lessons from Apple's Private Cloud Computer, and more! Show Notes: https://securityweekly.com/asw-289
OAuth 2.0 from Protecting APIs to Supporting Authorization & Authentication - Aaron Parecki - ASW #289
Application Security Weekly (Video) - June 25, 2024 15:41 - 37 minutes - Video ★★★★ - 5 ratingsOAuth 2.0 is more than just a single spec and it's used to protect more than just APIs. We talk about challenges in maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always inter-operable. ...
Learning EBPF - Liz Rice - ASW Vault
Application Security Weekly (Video) - June 18, 2024 16:00 - 37 minutes - Video ★★★★ - 5 ratingsCheck out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kerne...
Microsoft Recall's Security & Privacy, Hacking Web APIs, Secure Design Pledge - ASW #288
Application Security Weekly (Video) - June 11, 2024 14:46 - 38 minutes - Video ★★★★ - 5 ratingsLooking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more! Show Notes: https://securityweekly.com/asw-288
Bots are Taking Over the Internet & Defining ASPM - Idan Plotnik, Erez Hasson - ASW #287
Application Security Weekly (Video) - June 04, 2024 21:00 - 30 minutes - Video ★★★★ - 5 ratingsApplication security posture management has quickly become a hot commodity in the world of AppSec, but questions remain around what is defined by ASPM. Vendors have cropped up from different corners of the AppSec space to help security teams make their programs more effective, improve their secu...
Open Source Software Supply Chain Security & The Real Crisis Behind XZ Utils - Luis Villa - ASW #287
Application Security Weekly (Video) - June 04, 2024 14:07 - 42 minutes - Video ★★★★ - 5 ratingsOpen source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities for project owners has increased not only in dealing with security disclosures, but in maintaining...
Securing Shadow Apps & Protecting Data - Guy Guzner, Pranava Adduri - ASW Vault
Application Security Weekly (Video) - May 28, 2024 21:00 - 30 minutes - Video ★★★★ - 5 ratingsWith hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all i...
Collecting Bounties and Building Communities - Ben Sadeghipour - ASW Vault
Application Security Weekly (Video) - May 28, 2024 17:40 - 36 minutes - Video ★★★★ - 5 ratingsCheck out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023. We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities....
Unpacking XDR & Business Applications - Chris Thomas, Oliver Tavakoli - ASW #286
Application Security Weekly (Video) - May 21, 2024 21:00 - 30 minutes - Video ★★★★ - 5 ratingsThe challenge of evaluating threat alerts in aggregate – what a collection and sequence of threat signals tell us about an attacker’s sophistication and motives – has bedeviled SOC teams since the dawn of the Iron Age. Vectra AI CTO Oliver Tavakoli will discuss how the design principles of our X...
Node.js Secure Coding - Liran Tal - ASW #286
Application Security Weekly (Video) - May 21, 2024 13:42 - 38 minutes - Video ★★★★ - 5 ratingsSecure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experienc...
The Enterprise Browser & AI in Securing Software and Supply Chains - Mike Fey, Josh Lemos - ASW #285
Application Security Weekly (Video) - May 14, 2024 21:00 - 29 minutes - Video ★★★★ - 5 ratingsHow companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how different enterprises are benefitting. Segment Res...
Inside the OWASP Top 10 for LLM Applications - Sandy Dunn - ASW #285
Application Security Weekly (Video) - May 14, 2024 16:41 - 37 minutes - Video ★★★★ - 5 ratingsEveryone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn...
Hacking AI Bias with Human Techniques - Keith Hoodlet - ASW #284
Application Security Weekly (Video) - May 07, 2024 21:00 - 31 minutes - Video ★★★★ - 5 ratingsWe already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack ...
AI & Hype & Security (Oh My!) - Caleb Sima - ASW #284
Application Security Weekly (Video) - May 07, 2024 16:00 - 33 minutes - Video ★★★★ - 5 ratingsA lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injecti...
Random Problems, Protecting Packages, and Vulns in Designs, Defaults & Data Leaks - ASW #283
Application Security Weekly (Video) - April 30, 2024 21:00 - 38 minutes - Video ★★★★ - 5 ratingsMisusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more! Show Notes: https://securityweekly.com/asw-283
Why Companies Continue to Struggle with Supply Chain Security - Melinda Marks - ASW #283
Application Security Weekly (Video) - April 30, 2024 15:56 - 41 minutes - Video ★★★★ - 5 ratingsCompanies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are...
XZ & Open Source, PuTTY's Private Keys, LeakyCLI, LLMs Writing Exploits - ASW #282
Application Security Weekly (Video) - April 23, 2024 21:00 - 38 minutes - Video ★★★★ - 5 ratingsCISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Show Notes: https://securityweekly.com/asw-282
Sustainable Funding of Open Source Tools - Simon Bennetts, Mark Curphey - ASW #282
Application Security Weekly (Video) - April 23, 2024 15:43 - 39 minutes - Video ★★★★ - 5 ratingsHow can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy a...
Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox - ASW #281
Application Security Weekly (Video) - April 16, 2024 21:00 - 28 minutes - Video ★★★★ - 5 ratingsA Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more! Show Notes: https://securityweekly.com/asw-281
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281
Application Security Weekly (Video) - April 16, 2024 14:34 - 35 minutes - Video ★★★★ - 5 ratingsThere are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solution...
OWASP Breach, Types of Prompt Injection, Device-Bound Sessions, ASVS & APIs - ASW #280
Application Security Weekly (Video) - April 09, 2024 21:00 - 28 minutes - Video ★★★★ - 5 ratingsOWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Show Notes: https://securityweekly.com/asw-280
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280
Application Security Weekly (Video) - April 09, 2024 13:36 - 31 minutes - Video ★★★★ - 5 ratingsWe look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing wa...
Top 10's First Update, Metasploit's Second Update, PHP Prepares Statements, RSA & MS - ASW #279
Application Security Weekly (Video) - April 02, 2024 21:00 - 26 minutes - Video ★★★★ - 5 ratingsThe OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more! Show Notes: https://securityweekly.com/asw-279
Infosec Myths, Mistakes, and Misconceptions - Adrian Sanabria - ASW #279
Application Security Weekly (Video) - April 02, 2024 16:12 - 34 minutes - Video ★★★★ - 5 ratingsSometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths....
Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278
Application Security Weekly (Video) - March 26, 2024 16:43 - 36 minutes - Video ★★★★ - 5 ratingsOne of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only...
GoFetch Side Channel, OpenSSF & Security Education, Fuzzing vs. Formal Verification - ASW #278
Application Security Weekly (Video) - March 25, 2024 21:00 - 32 minutes - Video ★★★★ - 5 ratingsThe GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Show Notes: https://securityweekly.com/asw-278
Vulns in Smart Locks, FCC labels for IoT, ZAP's New Home - ASW #277
Application Security Weekly (Video) - March 19, 2024 21:00 - 38 minutes - Video ★★★★ - 5 ratingsInsecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Show Notes: https://securityweekly.com/asw-277
Figuring Out Where Appsec Fits When Starting a Cybersecurity Program - Tyler VonMoll - ASW #277
Application Security Weekly (Video) - March 19, 2024 15:34 - 35 minutes - Video ★★★★ - 5 ratingsLots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What ...
TeamCity Authn Bypass, ArtPrompt Attacks, Low Quality Vuln Reports, Secure by Design - ASW #276
Application Security Weekly (Video) - March 12, 2024 21:00 - 36 minutes - Video ★★★★ - 5 ratingsThe trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more! Show Notes: https://securityweekly.com...
More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276
Application Security Weekly (Video) - March 12, 2024 16:50 - 35 minutes - Video ★★★★ - 5 ratingsA majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Compa...
Related Paulasadoorian Topics