This week, we welcome Ted Harrington, Executive Partner at Independent Security Evaluators, to discuss Hackable; How to do Application Security Right! In the Application Security News, Implementation pitfalls in parsing JSON, finding all forms of a flaw with CodeQL, more educational resources for hacking apps, engineering and product management practices for DevOps, & more! Show Notes: https://securityweekly.com/asw141 Register for the DevSecOps eSummit for which Ted will be a panelist: http...
Mar 02, 2021•1 hr 8 min
This week, we welcome Brandon Edwards, Co-Founder and Chief Scientist at Capsule8, to discuss Targeting, Exploiting, & Defending Linux! Linux is all over the place (sometimes surprising), why is targeting it different? What types of attacks are used? How can we defend against attacks on Linux? We can incorporate recent attacks against Sudo as a timely reference. In the Application Security News, Dependency confusion for internal packages, Chrome pulls down the Great Suspender, Microsoft high...
Feb 23, 2021•1 hr 8 min
This week, we welcome Alissa Knight, Partner at Knight Ink, to discuss Being a Serial Entrepreneur, Business Leader, & Hacker! Alissa Knight has spent her career going against industry and social norms as both a Transgendered and Lesbian business leader and hacker. Learn more about her, her achievements as a published author, her recent vulnerability research in hacking law enforcement vehicles, mHealth apps and APIs, her life as a hacker, and barriers she's broken down in business. In the A...
Feb 09, 2021•1 hr 9 min
This week, we welcome John Delaroderie, Security Solutions Architect at Qualys, to discuss Groundhog Day - It's Time to Reset the Script on Vulnerabilities! In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens. In the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more! Show Notes: https://secu...
Feb 02, 2021•1 hr 8 min
This week, we welcome back Taylor McCaslin, Sr. Product Manager of Secure at GitLab, to discuss Reading Industry Analyst Tea Leaves To Predict The Future! It's analyst season with the new Forrester Wave on SAST recently published as well as Gartner's Application Security Testing Magic Quadrant publishing in April. We'll talk about what are analyst reports, how should you use them, and how should you interpret placement on them as as I like to call it, reading the analyst tea leaves. In the AppSe...
Jan 26, 2021•1 hr 11 min
This week, we welcome Andrei Serban, Co-Founder at Fuzzbuzz, to discuss Fuzz Testing! Fuzzing can be successful AppSec strategy for finding software bugs. And deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just memory safety issues and what the future holds for making this strategy more effective for modern apps. In the AppSec News, Significant source code leak from misconfigured repo, side-channel attack on hardware authentica...
Jan 12, 2021•1 hr 7 min
A premise of adding security to DevOps is we can "shift left" AppSec responsibilities, one of which is building apps so they're secure by design. Yet what resources does the AppSec community provide for this approach to design? We take a look at the OWASP Top 10, Web Security Testing Guide, and Application Security Verification Standard to find a way forward for DevOps teams. In the AppSec News, Microsoft purges malicious SolarWinds presence and highlights a threat model around their source code...
Jan 05, 2021•1 hr 8 min
This week, we welcome Ev Kontsevoy, CEO at Teleport, to discuss Freedom From Computing Environments! In the Application Security News, FireEye shares supply chain subterfuge, researchers show repeated mistakes in TCP/IP stacks, Google open sources Python fuzzing, Cisco and Microsoft patch their patches for vulns in Jabber and printer modules! Show Notes: https://securityweekly.com/asw134 Visit https://securityweekly.com/teleport to learn more about them! Visit https://www.securityweekly.com/asw ...
Dec 16, 2020•1 hr 14 min
This week, we welcome Mike Manrod, CISO of Grand Canyon University, joined by John Delaroderie, Security Solutions Architect at Qualys, to discuss his approach to web application security with an emphasis on improving knowledge of web application vulnerabilities and the external attack surface, and his approach to reducing the number of opportunities an attacker has to compromise our information and infrastructure! In the Application Security News, An old security bug in the Play library still a...
Dec 08, 2020•1 hr 5 min
This week, we welcome back Tim Mackey, Principal Security Strategist at Synopsys, to talk about Security Decisions During Application Development! In the Application Security News, Xbox bug exposed email identities, focusing on prevention for your cloud security strategies, Amazon looking to hire more Rust developers, KubeCon continues push for security, and a DevOps reading list! Show Notes: https://securityweekly.com/asw132 Visit https://securityweekly.com/synopsys to learn more about them! Vi...
Dec 01, 2020•1 hr 8 min
This week, in the first segment, Mike, Adrian, and John discuss Threat Modeling! We threat model every day without realizing it. And, of course, we often threat model with systems and products within our organizations. So how formal does our approach need to be? How do we best guide the "what could go wrong" discussion with DevOps teams? And what's a sign that we're generating useful threat models? In the Application Security News, a manifesto highlights principles and values for threat modeling...
Nov 24, 2020•1 hr 4 min
This week, we welcome Rickard Carlsson, Co-founder & CEO at Detectify, to talk about Automated Hacker Knowledge! In the Application Security News, The Platypus Attack Threatens Intel SGX, a Revitalized Attack Makes for Sad DNS, Bug Hunter Hits DOD With an IDOR, Steps for DevOps, Testing in Prod, Two More Chrome Bugs, and Open Source K8s Tools From Capital One! Show Notes: https://wiki.securityweekly.com/asw130 Visit https://securityweekly.com/detectify to learn more about them! Visit https:/...
Nov 17, 2020•1 hr 6 min
This week, we have the pleasure to welcome back Keith Hoodlet, Senior Manager, Application Experience at Thermo Fisher Scientific, and former Host of Application Security Weekly, to discuss how Security Is a Feature! In the Application Security News, China's top hacking contest turns months of effort into 15 minutes of exploits, an injection flaw in GitHub Actions, understanding post-compromise activity in exploits targeting Solaris and VoIP, security and quality challenges in integrating softwa...
Nov 10, 2020•1 hr 16 min
This week, we welcome Alfred Chung, Sr. Product Manager at Signal Sciences, to discuss Azure App Service & Cloud-Native Signal Sciences Deployments! In the Application Security News, Lax IoT security exposes smart-irrigation systems, Adobe Flash goes truly end of line in one last update, confidential computing gets a turbo boost with Nitro, link previews show security and privacy problems, and security theatre gets an encore! Show Notes: https://wiki.securityweekly.com/asw128 Visit https://s...
Nov 03, 2020•1 hr 9 min
This week, we welcome Cesar Rodriguez, Head of Developer Advocacy at Accurics, to talk about Cyber Resiliency Through Self-Healing Cloud Infrastructure! In the Application Security News, NSA publishes list of top vulnerabilities currently targeted by Chinese hackers, Nvidia Warns Gamers of Severe GeForce Experience Flaws, Addressing cybersecurity risk in industrial IoT and OT, Firefox 'Site Isolation' feature enters user testing, expected next year, Google Patches Actively-Exploited Zero-Day Bug...
Oct 27, 2020•1 hr 11 min
This week, we welcome Taylor McCaslin, Security Product Manager at GitLab, to discuss current trends in the application security testing industry! In the Application Security News, Patch Your Windows - “Ping of Death” bug revealed, 800,000 SonicWall VPNs vulnerable to remote code execution bug, T2 Exploit Team Creates Cable That Hacks Mac, Zoom Rolling Out End-to-End Encryption, and 'BleedingTooth' Bluetooth flaw! Show Notes: https://wiki.securityweekly.com/asw126 Visit https://securityweekly.co...
Oct 20, 2020•1 hr 7 min
This week, we welcome James Manico, CEO at Manicode Security, to talk about Application Security Best Practices! In the Application Security News, Redefining Impossible: XSS without arbitrary JavaScript, API flaws in an "unconventional" smart device, Facebook Bug Bounty Announces "Hacker Plus", Anti-Virus Vulnerabilities, and Chrome Introduces Cache Partitioning! Show Notes: https://wiki.securityweekly.com/asw125 Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on ...
Oct 12, 2020•1 hr 11 min
This week, we welcome Chris Romeo, CEO at Security Journey, to discuss Things Every Developer Should Know About Security! In the Application Security News, DOMOS 5.8 - OS Command Injection, 4G, 5G networks could be vulnerable to exploit due to ‘mishmash’ of old technologies, Google sets up research grant for finding bugs in browser JavaScript engines, Announcing the launch of the Android Partner Vulnerability Initiative, and more! Show Notes: https://wiki.securityweekly.com/asw124 Visit https://...
Oct 06, 2020•1 hr 12 min
This week, Mike, Matt, and John talk about The Difference Between Finding Vulns & Securing Apps! In the Application Security News, 6 Things to Know About the Microsoft 'Zerologon' Flaw, You can bypass TikTok's MFA by logging in via a browser, Instagram RCE: Code Execution Vulnerability in Instagram App for Android and iOS, and more! Show Notes: https://wiki.securityweekly.com/asw123 Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitte...
Sep 28, 2020•1 hr 3 min
This week, we welcome Justin Massey, Product Manager, Security Monitoring at Datadog, to discuss Visualizing and Detecting Threats For Your Custom Application! In the Application Security News, Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale, Bluetooth Spoofing Bug Affects Billions of IoT Devices, Firefox bug lets you hijack nearby mobile browsers via WiFi, Safeguarding Secrets Within the Pipeline, and more! Show Notes: https://wiki....
Sep 22, 2020•1 hr 13 min
This week, we welcome Frank Catucci, Sr. Director GTP of Application Security at Gartner, to discuss The People & Process of DevOps! In the Application Security News, BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys, Microsoft Patch Tuesday, Sept. 2020 Edition, XSS->Fix->Bypass: 10000$ bounty in Google Maps, Academics find crypto bugs in 306 popular Android apps, none get patched, using CRYLOGGER to detect crypto misuses dynamically, Remote Code Execution ...
Sep 14, 2020•1 hr 13 min
This week, we welcome Marc Tremsal, Director of Product Management of Security at Datadog, to discuss Detecting Threats & Avoiding Misconfigs In The Cloud-Age! In the Application Security News, A Tale of Escaping a Hardened Docker container, Four More Bugs Patched in Microsoft’s Azure Sphere IoT Platform, Upgrading GitHub to Ruby 2.7, Upgrading GitHub to Ruby 2.7, Redefining What CISO Success Looks Like, and Lessons from Uber: Be crystal clear on the law and your bug bounty policies! Show No...
Sep 01, 2020•1 hr 11 min
This week, we welcome Sundar Krish, CEO & Co-Founder at Sken.ai, to talk about DevOps-First Application Security For Mid-Markets! In the Application Security News, The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer, ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks, Control Flow Guard for Clang/LLVM and Rust, Fuzzing Services Help Push Technology into DevOps Pipeline, and 7 Things to Make DevSecOps a Reality! Show Notes: https://wiki...
Aug 24, 2020•1 hr 8 min
This week, we welcome back Cesar Rodriguez, Head of Developer Advocacy at Accurics, to discuss Immutable Security For Immutable Infrastructure! In the Application Security News, Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards, In-band key negotiation issue in AWS S3 Crypto SDK for golang, Re VoL TE attack can decrypt 4G (LTE) calls to eavesdrop on conversations, Hardware Security Is Hard: How Hardware Boundaries Define Platform Security, How to make your security team more busine...
Aug 17, 2020•1 hr 8 min
This week, it's Security Weekly Virtual Hacker Summer Camp 2020! In our first segment, we welcome Mike Rothman, President at DisruptOps, to discuss: How Does Sec Live In A DevOps World? In the Application Security News, Using Amazon GuardDuty to Protect Your S3, OkCupid Security Flaw Threatens Intimate Dater Details, Florida teen charged as mastermind in Twitter hack hitting Biden, Bezos, and others, Sandboxing and Workload Isolation, and Microsoft to remove all SHA-1 Windows downloads next week...
Aug 04, 2020•1 hr 3 min
This week, we welcome John Matherly, Founder of Shodan, to talk about Fixing Vulnerabilities Effectively & Efficiently! In the Application Security News, TaskRouter JS SDK Security Incident, Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability, An EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices, Towards native security defenses for the web ecosystem, and more! Show Notes: https://wiki.secur...
Jul 27, 2020•1 hr 7 min
This week, we welcome Kris Rajana, President and CTO at Biarca, and Bhasker Nallapothula, Director of Engineering at Biarca, to talk about Cloud Security Posture Management & Governance! In the Application Security News, SIGRed Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers, Introducing Google Cloud Confidential Computing with Confidential VMs, Internet of Things devices: Stick to these security rules or you could face a ban, Google Cloud Unveils 'C...
Jul 20, 2020•1 hr 16 min
This week, we welcome Judy Ngure, Cybersecurity Engineer at Africastalking, to talk about DevSecOps! In the Application Security News, Microsoft OneDrive client for Windows Qt QML module hijack, Zero-day flaw found in Zoom for Windows 7, Protecting your remote workforce from application-based attacks like consent phishing, Verizon Media, PayPal, Twitter Top Bug-Bounty Rankings, Mozilla suspends Firefox Send service while it addresses malware abuse, and Stop Talking About Technical Debt! Show Not...
Jul 14, 2020•1 hr 6 min
This week, we welcome Catherine Chambers and Will Hickie from Irdeto, to discuss Protecting Mobile Applications! In the Application Security News, Would you like some RCE with your Guacamole?, Attackers Will Target Critical PAN-OS Flaw, Security Experts Warn, Microsoft releases emergency security update to fix two bugs in Windows codecs, The Current State of Kubernetes Threat Modelling, and How To Build a Culture of Resilience Through Good Habits! Show Notes: https://wiki.securityweekly.com/ASWE...
Jul 06, 2020•1 hr 10 min
This week, we welcome Cesar Rodriguez, Head of Developer Advocacy at Accurics, to talk about Using IaC to Establish And Analyze Secure Environments! In the Application Security News, DLL Hijacking at the Trend Micro Password Manager, Adobe Prompts Users to Uninstall Flash Player As EOL Date Looms, The State of Open Source Security 2020, Microservices vs. Monoliths: Which is Right for Your Enterprise?, What Modern CI/CD Should Look Like, and Build trust through better privacy! Show Notes: https:/...
Jun 29, 2020•1 hr 6 min
