The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws. Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.
…
continue reading
The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws. Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.
…
continue reading
![Artwork](/static/images/128pixel.png)
1
A 2024 Appsec Report, Preparing for the AIxCC, Secure Design and Post-Quantum Crypto - ASW #291
35:58
35:58
Play later
Play later
Lists
Like
Liked
35:58
Cloudflare's 2024 appsec report, reasoning about the Cyber Reasoning Systems for the upcoming AIxCC semifinals at DEF CON, lessons in secure design from post-quantum cryptography, and more! Show Notes: https://securityweekly.com/asw-291
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Producing Secure Code by Leveraging AI - Stuart McClure - ASW #291
1:09:02
1:09:02
Play later
Play later
Lists
Like
Liked
1:09:02
How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-i…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Producing Secure Code by Leveraging AI - Stuart McClure - ASW #291
33:06
33:06
Play later
Play later
Lists
Like
Liked
33:06
How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-i…
…
continue reading
![Artwork](/static/images/128pixel.png)
51
State Of Application Security 2024 - Sandy Carielli, Janet Worthington - ASW #290
1:12:41
1:12:41
Play later
Play later
Lists
Like
Liked
1:12:41
Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous sp…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
State Of Application Security 2024 - Sandy Carielli, Janet Worthington - ASW #290
38:12
38:12
Play later
Play later
Lists
Like
Liked
38:12
Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous sp…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Polyfill Empties Trust, regreSSHion, CocoaPods Vulns & Secure Design, LLM Bughunters - ASW #290
34:30
34:30
Play later
Play later
Lists
Like
Liked
34:30
Polyfill loses trust after CDN misuse, an OpenSSH flaw reappears, how to talk about secure design from some old CocoaPods vulns, using LLMs to find bugs, Burp Proxy gets more investment, and more! Show Notes: https://securityweekly.com/asw-290
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Shared Responsibility Models, AI in Offensive Security, Apple's Private Cloud Compute - ASW #289
24:10
24:10
Play later
Play later
Lists
Like
Liked
24:10
Thoughts on shared responsibility models after the Snowflake credential attacks, looking at AI's current and future role in offensive security, secure by design lessons from Apple's Private Cloud Computer, and more! Show Notes: https://securityweekly.com/asw-289
…
continue reading
![Artwork](/static/images/128pixel.png)
1
OAuth 2.0 from Protecting APIs to Supporting Authorization & Authentication - Aaron Parecki - ASW #289
1:01:09
1:01:09
Play later
Play later
Lists
Like
Liked
1:01:09
OAuth 2.0 is more than just a single spec and it's used to protect more than just APIs. We talk about challenges in maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always inter-operable. Segment Resources: https://oauth.net/2.1 https://oauth.n…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
OAuth 2.0 from Protecting APIs to Supporting Authorization & Authentication - Aaron Parecki - ASW #289
37:01
37:01
Play later
Play later
Lists
Like
Liked
37:01
OAuth 2.0 is more than just a single spec and it's used to protect more than just APIs. We talk about challenges in maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always inter-operable. Segment Resources: https://oauth.net/2.1 https://oauth.n…
…
continue reading
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of …
…
continue reading
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of …
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Microsoft Recall's Security & Privacy, Hacking Web APIs, Secure Design Pledge - ASW #288
38:37
38:37
Play later
Play later
Lists
Like
Liked
38:37
Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more! Show Notes: https://securityweekly.com/asw-288
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Microsoft Recall's Security & Privacy, Hacking Web APIs, Secure Design Pledge - ASW #288
38:36
38:36
Play later
Play later
Lists
Like
Liked
38:36
Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-288…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Bots are Taking Over the Internet & Defining ASPM - Idan Plotnik, Erez Hasson - ASW #287
30:12
30:12
Play later
Play later
Lists
Like
Liked
30:12
Application security posture management has quickly become a hot commodity in the world of AppSec, but questions remain around what is defined by ASPM. Vendors have cropped up from different corners of the AppSec space to help security teams make their programs more effective, improve their security postures, and connect the dots between developers…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Open Source Software Supply Chain Security & The Real Crisis Behind XZ Utils - Luis Villa - ASW #287
42:04
42:04
Play later
Play later
Lists
Like
Liked
42:04
Open source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities for project owners has increased not only in dealing with security disclosures, but in maintaining secure processes backed by strong authentication and …
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Open Source Software Supply Chain Security & The Real Crisis Behind XZ Utils - Idan Plotnik, Luis Villa, Erez Hasson - ASW #287
1:12:08
1:12:08
Play later
Play later
Lists
Like
Liked
1:12:08
Open source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities for project owners has increased not only in dealing with security disclosures, but in maintaining secure processes backed by strong authentication and …
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Securing Shadow Apps & Protecting Data - Guy Guzner, Pranava Adduri - ASW Vault
30:32
30:32
Play later
Play later
Lists
Like
Liked
30:32
With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single S…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Securing Shadow Apps & Protecting Data - Guy Guzner, Pranava Adduri - ASW Vault
30:32
30:32
Play later
Play later
Lists
Like
Liked
30:32
With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single S…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Collecting Bounties and Building Communities - Ben Sadeghipour - ASW Vault
36:23
36:23
Play later
Play later
Lists
Like
Liked
36:23
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023. We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. Show Notes: https://securityweekly.com/vault-asw-9…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Collecting Bounties and Building Communities - Ben Sadeghipour - ASW Vault
36:23
36:23
Play later
Play later
Lists
Like
Liked
36:23
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023. We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. Show Notes: https://securityweekly.com/vault-asw-9…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Unpacking XDR & Business Applications - Chris Thomas, Oliver Tavakoli - ASW #286
30:29
30:29
Play later
Play later
Lists
Like
Liked
30:29
The challenge of evaluating threat alerts in aggregate – what a collection and sequence of threat signals tell us about an attacker’s sophistication and motives – has bedeviled SOC teams since the dawn of the Iron Age. Vectra AI CTO Oliver Tavakoli will discuss how the design principles of our XDR platform deal with this challenge and how GenAI imp…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Node.js Secure Coding - Oliver Tavakoli, Chris Thomas, Liran Tal - ASW #286
1:09:05
1:09:05
Play later
Play later
Lists
Like
Liked
1:09:05
Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experience, but it also relies on code that looks familiar to d…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Node.js Secure Coding - Liran Tal - ASW #286
38:36
38:36
Play later
Play later
Lists
Like
Liked
38:36
Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experience, but it also relies on code that looks familiar to d…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
The Enterprise Browser & AI in Securing Software and Supply Chains - Mike Fey, Josh Lemos - ASW #285
29:24
29:24
Play later
Play later
Lists
Like
Liked
29:24
How companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how different enterprises are benefitting. Segment Resources: https://www.island.io/resources https://www.isla…
…
continue reading
![Artwork](/static/images/128pixel.png)
1
Inside the OWASP Top 10 for LLM Applications - Sandy Dunn, Mike Fey, Josh Lemos - ASW #285
1:06:40
1:06:40
Play later
Play later
Lists
Like
Liked
1:06:40
Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many wa…
…
continue reading