Application Security Weekly (Audio) - podcast cover

Application Security Weekly (Audio)

Security Weekly Productionssecurityweekly.com
About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
Download Metacast podcast app
Podcasts are better in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episodes

Stopping Business Logic Attacks: Why a WAF is no Longer Enough - Karl Triebes - ASW #255

The majority of attacks are now automated, with a growing number of attacks targeting business logic via APIs, which is unique to every organization. This shift makes traditional signature-based defenses insufficient to stop targeted business logic attacks on their own. In this discussion, Karl Triebes shares how flaws in business logic design can leave applications and APIs open to attack and what tools organizations need to effectively mitigate these threats. This segment is sponsored by Imper...

Sep 19, 20231 hr 16 min

Building a Scanner and a Community with Zed Attack Proxy - Simon Bennetts - ASW #254

Zed Attack Proxy is an essential tool for web app pentesting. The project just recently moved from OWASP to the Secure Software Project. Hear about the challenges of running an OSS security project, why Simon got involved in the first place, and why successful projects are about more than just code. Segment Resources: - https://www.zaproxy.org/ - https://softwaresecurityproject.org/blog/welcoming-zap-to-the-software-security-project/ - https://owasp.org/www-project-vulnerable-web-applications-di...

Sep 12, 20231 hr 13 min

Broadening What We Call AppSec - Christien Rioux - ASW Vault

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on January 10, 2022. There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the web, mobile, or cloud? We'll talk about moving on from niche offerings into successful appsec programs. Show Notes: https://securityweekly.com/vault-asw-...

Sep 05, 202336 min

How Can Security Be Smart About Using AI? - Jeff Pollard - ASW #253

We go deep on LLMs and generative AIs to shine a light on areas that security leaders should focus on. There are technical concerns like prompt injection and access controls, and privacy concerns in training and usage. But there are also areas where security tools are starting to address these concerns as well as areas where security tools are adopting AI themselves. We'll share where we see AI showing promise, as well as where we suspect it's still premature. In the news, a Go Crypto presentati...

Aug 29, 20231 hr 14 min

Security in a Cloud Native World & Mobile App Attacks - ASW #252

Two featured interviews from this year's Black Hat. In the news, Discord.io ceases to be, Azure AD breach to get scrutiny from the CSRB, Zoom's AI stumbles show security concerns, model confusion attacks, a look at how far we have -- and haven't -- come with XSS flaws, an approachable article on AI, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes:...

Aug 22, 202338 min

Pointers and Perils for Presentations - Josh Goldberg - ASW #251

A key part of modern appsec is communication. From interpersonal skills for fostering collaborations to presentation skills for delivering a message, the ability to tell a story and engage an audience is a skill that doesn't appear on top ten lists and that doesn't come up in secure coding checklists. Josh shares his path to becoming a presenter on technical topics, including stumbles he's made along the way and how he helps others develop their skills for slides. Resources: - https://www.joshua...

Aug 15, 20231 hr 25 min

You've Got Appsec, But Do You Have ArchSec? - Merritt Baer - ASW #250

Mature shops should be looking to a security architecture process to help scale their systems and embrace security by design. We talk about what it means to create a security architecture process, why it's not just another security review, and why it requires security to dig into engineering. Segment Resources: - https://www.lacework.com/ciso-boardbook/ciso/merritt-baer Zap gets a jolt of new support, using Clang for security research, LLM attacks learn models, Rust visualizes dependencies, a Na...

Aug 08, 20231 hr 15 min

Identity and Verifiable Credentials in Cars - Eve Maler - ASW #249

Identity isn't new, but we do have new ways of presenting and protecting identity with things like payment wallets and verifiable credentials. But we also have identity in surprising places -- like cars. We'll answer some questions like: - Why do we even have identities in cars? - What else is your car connected to? - How should devs be thinking about security in this space? In the news segment, Zenbleed in AMD, Google's TAG sees a drop in zero-days, new security testing handbook from Trail of B...

Aug 01, 20231 hr 14 min

Navigating the Complexities of Development to Create Secure APIs - Kristen Bell - ASW #248

Appsec teams and developers must both understand the consequences of what they're doing when building APIs. Appsec teams need to push for collaboration and help implement tools that augment the development process. Dev teams need to wrangle complex architectures and work on addressing classes of vulns rather than just playing BugOps with scanner outputs. In the news, there's a (non-critical, but cool) RCE in ssh-agent forwarding, Node's vm2 bids adieu, zero-day from a CTF eventually makes it to ...

Jul 25, 20231 hr 18 min

Securing Non-Election Election Systems, Modernizing AppSec Education - Brian Glas - ASW #247

While much has been written and argued about the security of election systems - the things that do the actual ballot counting - there's other systems that have to be in place and secured before the vote can occur - voter registration databases, ballot delivery systems, etc. Might it be possible to use modern appsec concepts OWASP SAMM to secure them in a more efficient, targeted, cost-effective manner? Brian Glas joins us to talk about this and his ongoing work around providing students with a m...

Jul 18, 20231 hr 21 min

Software Trust & Adversaries, Developer-Focused Security - Shannon Lietz, Melinda Marks - ASW #246

Infosec is still figuring out useful metrics, how to talk about risk, and how to make resilience more relevant. Shannon talks about a new community effort to measure software trust. She also covers threat modeling and adversary management as steps towards determining an org's resiliency and security. Segment Resources: https://community.ravemetrics.com Melinda will share results from her study last year on developer-focused security, "Walking the Line: Shift Left and GitOps Security" and discuss...

Jul 11, 20231 hr 17 min

The Psychology of Training - Matias Madou - ASW Vault

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 23, 2022. Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. We'll talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture. Visit https://sec...

Jul 05, 202335 min

Latest Web Vulnerability Trends & Best Practices - Patrick Vandenberg - ASW #245

Without visibility and continuous monitoring, dangerous threats expose our blind spots and create risk. Invicti, who brought together Acunetix and Netsparker, analyzes common web application vulns across thousands of assets yearly and releases the Invicti AppSec Indicator for a holistic view of vulnerability trends from automated scan results. In this talk, Invicti Director of Product Patrick Vandenberg shares a deep dive into the trends currently impacting AppSec programs and discusses some of ...

Jun 28, 20231 hr 15 min

Policy Momentum in Coordinated Vulnerability Disclosure - Amit Elazari - ASW Vault

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent tren...

Jun 20, 202338 min

Enhancing Security: App Modernization, Identity Orchestration, & Big IAM Challenge - Eric Olden - ASW #244

Eric Olden, CEO and Co-Founder of Strata Identity, discusses the concept of Identity Orchestration. He covers the evolving identity landscape and how it has evolved to keep pace with modern apps, the challenges encountered during an identity modernization project, how Identity Orchestration helps those modernization projects, and best practices for implementing secure identity. Segment Resources: - [Identity Orchestration Use Cases]( https://www.strata.io/use-cases/ ) - [What is Identity Orchest...

Jun 14, 20231 hr 20 min

What's the Deal with API Security? - Sandy Carielli - ASW #243

Walking the show floor at RSA Conference, you couldn't trip without falling into an application security vendor booth ... and API security specialists were especially plentiful. Join Forrester Principal Analyst Sandy Carielli for her thoughts on RSA Conference and a deep dive into the challenges of API security. Segment Resources: - https://www.forrester.com/blogs/insights-from-the-2023-rsa-conference-generative-ai-quantum-and-innovation-sandbox/ OWASP has a draft for the LLM Top 10, simple vuln...

Jun 06, 20231 hr 17 min

Doing Application Security Right – Farshad Abasi – ASW VAULT

Check out this interview from the ASW VAULT, hand picked by main host Mike Shema! This segment was originally published on March 14, 2022. Cybersecurity is a large and often complex domain, traditionally focused on the infrastructure and general information security, with little or no attention to Application Security. Security providers usually tack-on AppSec services to their existing menu of offering without understanding the domain, and their team of professionals have little or no experienc...

May 30, 202336 min

Ten Things I Hate About Lists - ASW #242

The OWASP Top 10 dates back to 2003, when appsec was just settling on terms like cross-site scripting and SQL injection. It's a list that everyone knows about and everyone talks about. But is it still the right model for modern appsec awareness? What if we put that attention and effort elsewhere? Maybe we could have secure defaults instead. Or linters and build tools that point out these flaws. We'll talk about top 10 lists, what we like about them, what we don't like, and what we'd like to see ...

May 23, 20231 hr 17 min

Securing the App Lifecycle: Strategies for Long-Term Software Security and Mitigating the Threat of Malicious Packages - ASW #241

What happens to an app's security after six months? What about a year or two years? A Secure SDLC needs to maintain security throughout an app's lifetime, but too often the rate of new flaws can outpace the rate of new code within an app. Appsec teams need strategies and processes to keep software secure for as long as possible. Segment Resources: https://www.veracode.com/state-of-software-security-report Learn how hackers are exploiting the trust that mobile app owners place in their customers....

May 16, 20231 hr 8 min

From Security Theater to Resilience: Unveiling New Approaches to Application Security - ASW #240

What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ In the ever-evolving world of cybersecurity, attackers are constantly finding new ways to infiltrate your software supply chains. But with GitGuardian's Honeytoken, yo...

May 09, 20231 hr 11 min

Navigating the Complexities of Application Security: Vulnerability Management, Risk Mitigation, and Business Logic Attacks - ASW #239

Application security is messy and is getting messier. Modern application security teams are struggling to identify what's more important to fix. Cloud security and application security is getting squeezed all together. Modern vulnerability maturity needs a new approach and guidance. Vulnerability management framework and mature defect management is often overlooked as organizations tend to identify issues and stop there. The devil is usually in the details and time gets burned down in identifyin...

May 02, 20231 hr 21 min

Hackers and Policy: Empowering Users and Shaping Discussions at DEF CON, Jeff Moss - ASW #238

Jeff Moss shares some of history of DEF CON, from CFPs to Codes of Conduct, and what makes it a hacker conference. We also discuss the role of hackers and researchers in representing users within policy discussions. Segment links https://defcon.org https://forum.defcon.org https://media.defcon.org https://defcon.social/about Microsoft turns to a weather-based taxonomy, k8s shares a security audit, a GhostToken that can't be exorcised from Google accounts, BrokenSesame RCE, typos and security, ge...

Apr 25, 20231 hr 20 min

Bug Bounty Programs and Community Building: Unveiling Rewards, Challenges, and Exciting Adventures, Ben Sadeghipour (NahamSec) - ASW #237

We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. A new deps.dev API for supply chain enthusiasts, hacking and modding agricultural devices, guidance from CISA on secure by design (and by default!), Glaze brings adversarial art to AI training, key transparency for WhatsApp, a new appsec myth(?), Android hacking tool list, and a Chrome extension to find web debugging behavior. Visit https://w...

Apr 18, 20231 hr 11 min

Application Security in the Cloud: Safeguarding Data and Preventing Unauthorized Access, Vandana Verma Sehgal - ASW #236

Application security in the cloud is a crucial aspect of protecting data and preventing unauthorized access to applications hosted on cloud platforms. As cloud computing becomes more prevalent, ensuring the security of applications has become a top priority for organizations. This is because cloud environments present unique security challenges, such as shared resources, multi-tenancy, and a lack of physical control. Therefore, it is essential to implement security measures that are specific to ...

Apr 11, 20231 hr 11 min

eBPF: The Future of Security and Infrastructure Tools Revealed, Liz Rice - ASW #235

Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of infrastructure tools for networking, observability, and security. Let's explore eBPF and understand its value for security, and how it's used to secure network connectivity in the Cilium project, and for runtime security observability and enforcement in Cilium's sub-project, Tetragon. Se...

Apr 04, 20231 hr 12 min

AI in Production: Unveiling Use Cases, Security Risks, and Real-Life Experiences, Frank Catucci - ASW #234

With the increased interest and use of AI such as GTP 3/4, ChatGPT, GitHub Copilot, and internal modeling, there comes an array of use cases and examples for increased efficiency, but also inherent security risks that organizations should consider. In this talk, Invicti’s CTO & Head of Security Research Frank Catucci discusses potential use cases and talks through real-life examples of using AI in production environments. Frank delves into benefits, as well as security implications, touching...

Mar 28, 20231 hr 15 min

The Power of Static Analysis: Strengthening Application Security from Code Scrutiny, Josh Goldberg - ASW #233

Static analysis is the art of scrutinizing your code without building or running it. Common static analysis tools are formatters (which change whitespace and other trivia), linters (which detect likely best practice and style issues), and type checkers (which detect likely bugs). Each of these can aid in improving application security by detecting real issues at development-time. Segment Resources: https://typescript-eslint.io https://eslint.org https://blog.joshuakgoldberg.com Outlook can leak ...

Mar 21, 20231 hr 17 min

ASW #232 - Josh Grossman

In this segment, Josh will talk about the OWASP ASVS project which he co-leads. He will talk a little about its background and in particular how it is starting to be used within the security industry. We will also discuss some of the practicalities and pitfalls of trying to get development teams to include security activities and considerations in their day-to-day work and examples of how Josh has seen this “in the wild”. Segment Resources: Josh's personal website, https://joshcgrossman.com Josh...

Mar 14, 20231 hr 26 min

ASW #231 - Neatsun Ziv

In this episode, Neatsun Ziv, co-founder and CEO of Ox security takes a deep dive into supply chain security. He focuses on the new Open Software Supply Chain Attack Reference (OSC&R), a consortium of leading cybersecurity leaders. OSC&R the first and only open framework for understanding and evaluating existing threats to entire software supply chain security. Segment Resources: https://pbom.dev/ - https://github.com/pbomdev/ OSCAR WebSocket hijack that leads to a full workspace takeove...

Mar 07, 20231 hr 20 min

ASW #230 - Lina Lau

Join us for this segment with Lina Lau to learn lessons from real incident response engagements covering types of attacks leveraged against the cloud, war stories from supply chain breaches seen in the last 1-2 years, and how defenders and enterprises can better protect and proactively defend against these attacks. Segment Resources: Attacking and Defending the Cloud (Training) https://training.xintra.org/ Blackhat Singapore 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (VIRT...

Feb 28, 20231 hr 11 min
Hosted on Libsyn
For the best experience, listen in Metacast app for iOS or Android
Open in Metacast