Application Security Weekly (Audio) - podcast cover

Application Security Weekly (Audio)

Security Weekly Productionssecurityweekly.com
About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
Download Metacast podcast app
Podcasts are better in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episodes

Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308

This week's interview dives deep into the state of biometrics with two Forrester Research analysts! This discussion compares and contrasts regional approaches to biometrics; examine the security challenges and benefits of their implementation; and reveal how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives into the technical end of things and explains how biometrics can be resilient to attack. We can't replace our fingerprints or faces, but as Andras exp...

Nov 19, 20241 hr 11 min

Modernizing AppSec - Melinda Marks - ASW #307

In this week's interview, Melinda Marks' joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and everything else that refuses to disappear, particularly for organizations that weren't born cloud-native and still have legacy workloads to worry about. ...

Nov 12, 20241 hr 9 min

Bug bounties, vulnerability disclosure, PTaaS, fractional pentesting - Grant McCracken - ASW #306

After spending a decade working for appsec vendors, Grant McKracken wanted to give something back. He saw a gap in the market for free or low-cost services for smaller organizations that have real appsec needs, but not a lot of means to pay for it. He founded DarkHorse, who offers VDPs and bug bounties to organizations of all sizes for free, or for as low of cost as possible. While not a non-profit, the company's goal is to make these services as cheap as possible to increase accessibility for s...

Nov 05, 20241 hr 6 min

Making TLS More Secure, Lessons from IPv6, LLMs Finding Vulns - Arnab Bose, Shiven Ramji - ASW #305

Better TLS implementations with Rust, fuzzing, and managing certs, appsec lessons from the everlasting transition to IPv6, LLMs for finding vulns (and whether fuzzing is better), and more! Also check out this presentation from BSides Knoxville that we talked about briefly, https://youtu.be/DLn7Noex_fc?feature=shared Generative AI has been the talk of the technology industry for the past 18+ months. Companies are seeing its value, so generative AI budgets are growing. With more and more AI agents...

Oct 29, 20241 hr 23 min

The Complexities, Configurations, and Challenges in Cloud Security - Scott Piper - ASW #304

Building cloud native apps doesn't mean you're immune to dealing with legacy systems. Cloud services have changed significantly over the last decade, both in the security controls available to them and the sheer volume of services that CSPs provide. Scott Piper shares some history of cloud security, the benefits of account separation, and how ratcheting security helps orgs stay on a paved path. Segment resources: https://www.wiz.io/blog/a-security-community-success-story-of-mitigating-a-misconfi...

Oct 21, 20241 hr 17 min

The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302

Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project. Segment Resources: https://www.zaproxy.org/blog/2024-09-2...

Oct 08, 20241 hr 13 min

Vulnerable APIs and Bot Attacks: Two Interconnected, Growing Security Threats - David Holmes - ASW #300

APIs are essential to modern application architectures, driving rapid development, seamless integration, and improved user experiences. However, their widespread use has made them prime targets for attackers, especially those deploying sophisticated bots. When these bots exploit business logic, they can cause considerable financial and reputational damage. In this discussion, David Holmes offers insights into the latest trends in API and bot attacks and provides strategies to defend against thes...

Sep 24, 20241 hr 8 min

Bringing Secure Coding Concepts to Developers - Dustin Lehr - ASW #299

When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that makes developers not only feel like their time is well used, but that the content appeals to them. Segment Resources: - The Security Champion Program S...

Sep 17, 20241 hr 2 min

Close the Security Theater: Enter Resilience - Kelly Shortridge - ASW Vault

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Show Notes: https://securitywee...

Sep 02, 202438 min

Changing the Course of IoT's Future from Its Insecure Past - Paddy Harrington - ASW #297

IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone. Segment resources: https://www.fcc.gov/docume...

Aug 27, 20241 hr 4 min

The Fallout and Lessons Learned from the CrowdStrike Fiasco - Shimon Modi, Jeff Pollard, Allie Mellen, Boaz Barzel - ASW #296

This week, Jeff Pollard and Allie Mellen join us to discuss the fallout and lessons learned from the CrowdStrike fiasco. They explore the reasons behind running in the kernel, the challenges of software quality, and the distinction between a security incident and an IT incident. They also touch on the need to reduce the attack surface and the importance of clear definitions in the cybersecurity industry. The conversation explores the need for a product security revolution and the importance of t...

Aug 20, 20241 hr 22 min

When Appsec Needs to Start Small - Kalyani Pawar, Danny Jenkins, Nikos Kiourtis - ASW #295

Startups and small orgs don't have the luxury of massive budgets and large teams. How do you choose an appsec approach that complements a startup's needs while keeping it secure. Kalyani Pawar shares her experience at different ends of an appsec maturity spectrum. In complex software ecosystems, individual application risks are compounded. When it comes to mitigating supply chain risk, identifying backdoors or unintended vulnerabilities that can be exploited in your environment is just as critic...

Aug 13, 20241 hr 9 min

Building Successful Security Champions Programs - Marisa Fagan - ASW #294

Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security. Segment Resources: OWASP Security Champions Guide - Get Involved! - https:...

Aug 06, 20241 hr 10 min

A CISO's Perspective on AI, Appsec, and Changing Behaviors - ASW #293

Modern appsec isn't modern because security tools got shifted in one direction or another, or because teams are finding and fixing more vulns. It's modern because appsec is meeting developer needs and supporting the business. Paul Davis talks about how AI is (and isn't) changing appsec, the KPIs that reflect outcomes rather than being busy, and the importance of communication for security teams. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securitywee...

Jul 30, 202445 min

Where Generative AI Can Actually Help Security (And Where It Doesn't) - Farshad Abasi, Allie Mellen - ASW #292

Generative AI has produced impressive chatbots and content generation, but however fun or impressive those might be, they don't always translate to value for appsec. Allie brings some realistic expectations to how genAI is used by attackers and can be useful to defenders. Segment resources: https://www.forrester.com/blogs/generative-ai-will-not-fulfill-your-autonomous-soc-hopes-or-even-your-demo-dreams/ https://www.forrester.com/blogs/top-5-things-you-need-to-know-about-how-generative-ai-is-used...

Jul 23, 20241 hr 5 min

Producing Secure Code by Leveraging AI - Stuart McClure - ASW #291

How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-influenced tools more effective and useful in the context that developers need -- writing secure code. Cloudflare's 2024 appsec report, reasoning about...

Jul 16, 20241 hr 9 min

State Of Application Security 2024 - Sandy Carielli, Janet Worthington - ASW #290

Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous speed. Segment resources https://www.forrester.com/blogs/ludicrous-speed-because-light-speed-is-too-slow-to-secure-your-apps/ They're also conducting a ...

Jul 09, 20241 hr 13 min

OAuth 2.0 from Protecting APIs to Supporting Authorization & Authentication - Aaron Parecki - ASW #289

OAuth 2.0 is more than just a single spec and it's used to protect more than just APIs. We talk about challenges in maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always inter-operable. Segment Resources: https://oauth.net/2.1 https://oauth.net/specs/ https://oauth2simplified.com/ https://oauth.net/2/dpop/ https://oauth.net/2/oauth-best-practice/ https://oauth.net/fapi/ https://developer.m...

Jun 25, 20241 hr 1 min

Learning EBPF - Liz Rice - ASW Vault

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of infrastructure tools for networking, observability, and security. Let's explore eBPF and understand its value for security, and how it's used to secur...

Jun 18, 202437 min

Open Source Software Supply Chain Security & The Real Crisis Behind XZ Utils - Idan Plotnik, Luis Villa, Erez Hasson - ASW #287

Open source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities for project owners has increased not only in dealing with security disclosures, but in maintaining secure processes backed by strong authentication and trust. Segment Resources: https://www.cisa.gov/news-events/news/lessons-xz-utils-achieving-more-sustainable-open-source-ecosystem https://www.cisa.gov...

Jun 04, 20241 hr 12 min

Securing Shadow Apps & Protecting Data - Guy Guzner, Pranava Adduri - ASW Vault

With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single Sign-On (SSO). So the question becomes, “How do you enable the business while still providing security oversight and governance?” This segment is spons...

May 28, 202431 min

Collecting Bounties and Building Communities - Ben Sadeghipour - ASW Vault

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023. We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. Show Notes: https://securityweekly.com/vault-asw-9

May 28, 202436 min

Node.js Secure Coding - Oliver Tavakoli, Chris Thomas, Liran Tal - ASW #286

Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experience, but it also relies on code that looks familiar to developers rather than contrived or overly simplistic examples. Segment resources: https://github.com/lirantal https://cheatsheetseries.owasp.org/cheat...

May 21, 20241 hr 9 min

Inside the OWASP Top 10 for LLM Applications - Sandy Dunn, Mike Fey, Josh Lemos - ASW #285

Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many ways -- after all, LLMs are still software. But the list captures some new concepts that anyone looking to use LLMs or generative AIs should be aware of...

May 14, 20241 hr 7 min

AI & Hype & Security (Oh My!) & Hacking AI Bias - Caleb Sima, Keith Hoodlet - ASW #284

A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explains why it's important to understand the different types of AI and the practical tasks necessary to secure how it's used. Segment resources: https://cal...

May 07, 20241 hr 5 min

Why Companies Continue to Struggle with Supply Chain Security - Melinda Marks - ASW #283

Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now they're bracing for the coming of genAI and how that will just further highlight the current struggles they're having with data security and data privac...

Apr 30, 20241 hr 20 min

Sustainable Funding of Open Source Tools - Mark Curphey, Simon Bennetts - ASW #282

How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve. Segment resources: https://crashoverride.com/blo...

Apr 23, 20241 hr 18 min
Hosted on Libsyn
For the best experience, listen in Metacast app for iOS or Android
Open in Metacast