Latest Sdlcsecurity Podcast Episodes
The Enterprise Browser & AI in Securing Software and Supply Chains - Mike Fey, Josh Lemos - ASW #285
Application Security Weekly (Video) - May 14, 2024 21:00 - 29 minutes - Video ★★★★ - 5 ratingsHow companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how different enterprises are benefitting. Segment Res...
Inside the OWASP Top 10 for LLM Applications - Sandy Dunn - ASW #285
Application Security Weekly (Video) - May 14, 2024 16:41 - 37 minutes - Video ★★★★ - 5 ratingsEveryone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn...
Hacking AI Bias with Human Techniques - Keith Hoodlet - ASW #284
Application Security Weekly (Video) - May 07, 2024 21:00 - 31 minutes - Video ★★★★ - 5 ratingsWe already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack ...
AI & Hype & Security (Oh My!) - Caleb Sima - ASW #284
Application Security Weekly (Video) - May 07, 2024 16:00 - 33 minutes - Video ★★★★ - 5 ratingsA lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injecti...
Random Problems, Protecting Packages, and Vulns in Designs, Defaults & Data Leaks - ASW #283
Application Security Weekly (Video) - April 30, 2024 21:00 - 38 minutes - Video ★★★★ - 5 ratingsMisusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more! Show Notes: https://securityweekly.com/asw-283
Why Companies Continue to Struggle with Supply Chain Security - Melinda Marks - ASW #283
Application Security Weekly (Video) - April 30, 2024 15:56 - 41 minutes - Video ★★★★ - 5 ratingsCompanies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are...
XZ & Open Source, PuTTY's Private Keys, LeakyCLI, LLMs Writing Exploits - ASW #282
Application Security Weekly (Video) - April 23, 2024 21:00 - 38 minutes - Video ★★★★ - 5 ratingsCISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Show Notes: https://securityweekly.com/asw-282
Sustainable Funding of Open Source Tools - Simon Bennetts, Mark Curphey - ASW #282
Application Security Weekly (Video) - April 23, 2024 15:43 - 39 minutes - Video ★★★★ - 5 ratingsHow can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy a...
Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox - ASW #281
Application Security Weekly (Video) - April 16, 2024 21:00 - 28 minutes - Video ★★★★ - 5 ratingsA Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more! Show Notes: https://securityweekly.com/asw-281
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281
Application Security Weekly (Video) - April 16, 2024 14:34 - 35 minutes - Video ★★★★ - 5 ratingsThere are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solution...
OWASP Breach, Types of Prompt Injection, Device-Bound Sessions, ASVS & APIs - ASW #280
Application Security Weekly (Video) - April 09, 2024 21:00 - 28 minutes - Video ★★★★ - 5 ratingsOWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Show Notes: https://securityweekly.com/asw-280
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280
Application Security Weekly (Video) - April 09, 2024 13:36 - 31 minutes - Video ★★★★ - 5 ratingsWe look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing wa...
Top 10's First Update, Metasploit's Second Update, PHP Prepares Statements, RSA & MS - ASW #279
Application Security Weekly (Video) - April 02, 2024 21:00 - 26 minutes - Video ★★★★ - 5 ratingsThe OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more! Show Notes: https://securityweekly.com/asw-279
Infosec Myths, Mistakes, and Misconceptions - Adrian Sanabria - ASW #279
Application Security Weekly (Video) - April 02, 2024 16:12 - 34 minutes - Video ★★★★ - 5 ratingsSometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths....
Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278
Application Security Weekly (Video) - March 26, 2024 16:43 - 36 minutes - Video ★★★★ - 5 ratingsOne of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only...
GoFetch Side Channel, OpenSSF & Security Education, Fuzzing vs. Formal Verification - ASW #278
Application Security Weekly (Video) - March 25, 2024 21:00 - 32 minutes - Video ★★★★ - 5 ratingsThe GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Show Notes: https://securityweekly.com/asw-278
Vulns in Smart Locks, FCC labels for IoT, ZAP's New Home - ASW #277
Application Security Weekly (Video) - March 19, 2024 21:00 - 38 minutes - Video ★★★★ - 5 ratingsInsecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Show Notes: https://securityweekly.com/asw-277
Figuring Out Where Appsec Fits When Starting a Cybersecurity Program - Tyler VonMoll - ASW #277
Application Security Weekly (Video) - March 19, 2024 15:34 - 35 minutes - Video ★★★★ - 5 ratingsLots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What ...
TeamCity Authn Bypass, ArtPrompt Attacks, Low Quality Vuln Reports, Secure by Design - ASW #276
Application Security Weekly (Video) - March 12, 2024 21:00 - 36 minutes - Video ★★★★ - 5 ratingsThe trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more! Show Notes: https://securityweekly.com...
More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276
Application Security Weekly (Video) - March 12, 2024 16:50 - 35 minutes - Video ★★★★ - 5 ratingsA majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Compa...
SAML & Secrets, Serializing AI Models, OWASP ISTG, More Memory Safety - ASW #275
Application Security Weekly (Video) - March 06, 2024 10:00 - 38 minutes - Video ★★★★ - 5 ratingsA SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more! Show Notes: https://securityweekly.c...
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275
Application Security Weekly (Video) - March 05, 2024 20:13 - 40 minutes - Video ★★★★ - 5 ratingsThe need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app d...
PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results - ASW #274
Application Security Weekly (Video) - February 27, 2024 22:00 - 22 minutes - Video ★★★★ - 5 ratingsPrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more! Show Notes: https://securityweekly.com/asw-274
Creating the Secure Pipeline Verification Standard - Farshad Abasi - ASW #274
Application Security Weekly (Video) - February 27, 2024 15:48 - 34 minutes - Video ★★★★ - 5 ratingsFarshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project ...
Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault
Application Security Weekly (Video) - February 20, 2024 15:00 - 38 minutes - Video ★★★★ - 5 ratingsCheck out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottlen...
Creating Code Security Through Better Visibility - Christien Rioux - ASW #273
Application Security Weekly (Video) - February 13, 2024 18:47 - 45 minutes - Video ★★★★ - 5 ratingsWe've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well"...
LLMs & Security Tools, Shim Vuln, AI Threat Models, Configuration as Code with Pkl - ASW #273
Application Security Weekly (Video) - February 13, 2024 18:47 - 38 minutes - Video ★★★★ - 5 ratingsLLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more! Show Notes: https://securityweekly.com/asw-273
Sorting Out Glibc Vulns, Apple's Security Research Device, BoringSSL, Old C Vulns - ASW #272
Application Security Weekly (Video) - February 06, 2024 22:00 - 36 minutes - Video ★★★★ - 5 ratingsQualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Show Notes: https://securityweekly.com/asw-272
Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272
Application Security Weekly (Video) - February 06, 2024 14:35 - 37 minutes - Video ★★★★ - 5 ratingsWe can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the crea...
Vulns & Secure Design, MiraclePtr Success, Abandoned Projects & Maven, Old "AI Chip" - ASW #271
Application Security Weekly (Video) - January 30, 2024 22:00 - 40 minutes - Video ★★★★ - 5 ratingsVulns in Jenkins code and Cisco devices that make us think about secure designs, MiraclePtr pulls off a relatively quick miracle, code lasts while domains expire, an "Artificial Intelligence chip" from the 90s, and more! Show Notes: https://securityweekly.com/asw-271
Related Sdlcsecurity Topics