The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws. Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.
A lively discussion of the threats affecting supply chain, specifically focused on firmware and low-level code that is a blind spot for many organizations. This podcast will feature guests from the cybersecurity industry discussing the problems surrounding supply chain-related issues and potential solutions.
Securing OT Environments - Dr. Ed Harris - BTS #33
52:54
Ed Harris joins us to discuss how to secure OT environments, implement effective air gaps, and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-33
Shared Responsibility Models, AI in Offensive Security, Apple's Private Cloud Compute - ASW #289
24:10
Thoughts on shared responsibility models after the Snowflake credential attacks, looking at AI's current and future role in offensive security, secure by design lessons from Apple's Private Cloud Compute, and more! Show Notes: https://securityweekly.com/asw-289
OAuth 2.0 from Protecting APIs to Supporting Authorization & Authentication - Aaron Parecki - ASW #289
37:01
OAuth 2.0 is more than just a single spec, and it's used to protect more than just APIs. We talk about the challenges of maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always interoperable. Segment Resources: https://oauth.net/2.1 https://oauth.n…
We discuss the various aspects of MITRE ATT&CK, including tools, techniques, supply chain aspects, and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-32
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of …
Microsoft Recall's Security & Privacy, Hacking Web APIs, Secure Design Pledge - ASW #288
38:37
Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more! Show Notes: https://securityweekly.com/asw-288
Managing Complex Digital Supply Chains - Cassie Crossley - BTS #31
1:03:06
Cassie has a long history of successfully managing a variety of security programs. Today, she leads supply chain efforts for a very large product company. We will tackle topics such as software supply chain management, SBOMs, third-party supply chain challenges, asset management, and more! This segment is sponsored by Eclypsium. Visit https://secur…
Bots are Taking Over the Internet & Defining ASPM - Idan Plotnik, Erez Hasson - ASW #287
30:12
Application security posture management has quickly become a hot commodity in the world of AppSec, but questions remain around what is defined by ASPM. Vendors have cropped up from different corners of the AppSec space to help security teams make their programs more effective, improve their security postures, and connect the dots between developers…
Open Source Software Supply Chain Security & The Real Crisis Behind XZ Utils - Luis Villa - ASW #287
42:04
Open source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities of project owners have increased not only in dealing with security disclosures, but in maintaining secure processes backed by strong authentication and …
Securing Shadow Apps & Protecting Data - Guy Guzner, Pranava Adduri - ASW Vault
30:32
With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single S…
Collecting Bounties and Building Communities - Ben Sadeghipour - ASW Vault
36:23
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023. We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. Show Notes: https://securityweekly.com/vault-asw-9…
Systems Of Trust - Robert Martin - BTS #30
55:20
Bob Martin comes on the show to discuss systems of trust, supply chain security and more! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-30
Unpacking XDR & Business Applications - Chris Thomas, Oliver Tavakoli - ASW #286
30:29
The challenge of evaluating threat alerts in aggregate – what a collection and sequence of threat signals tell us about an attacker’s sophistication and motives – has bedeviled SOC teams since the dawn of the Iron Age. Vectra AI CTO Oliver Tavakoli will discuss how the design principles of our XDR platform deal with this challenge and how GenAI imp…
Node.js Secure Coding - Liran Tal - ASW #286
38:36
Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experience, but it also relies on code that looks familiar to d…
The Enterprise Browser & AI in Securing Software and Supply Chains - Mike Fey, Josh Lemos - ASW #285
29:24
How companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser; it's the marriage between security AND productivity. In this interview, Mike will provide real-life case studies on how different enterprises are benefiting. Segment Resources: https://www.island.io/resources https://www.isla…
Inside the OWASP Top 10 for LLM Applications - Sandy Dunn - ASW #285
37:33
Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many wa…
Supply Chains, Firmware, And Patching - Jason Kikta - BTS #29
1:06:10
Jason joins us to discuss the current enterprise landscape for defending against supply chain attacks, remediating firmware issues, and the current challenges with patch management. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-29…
Hacking AI Bias with Human Techniques - Keith Hoodlet - ASW #284
31:47
We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss …
AI & Hype & Security (Oh My!) - Caleb Sima - ASW #284
33:18
A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explain…
Random Problems, Protecting Packages, and Vulns in Designs, Defaults & Data Leaks - ASW #283
38:40
Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more! Show Notes: https://securityweekly.com/asw-283
Why Companies Continue to Struggle with Supply Chain Security - Melinda Marks - ASW #283
41:11
Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now th…
Casey was recently involved in an event that brought hackers and 5G technology together; tune in to learn about the results and how we can use bug bounty programs to improve the security of "things". This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bt…
XZ & Open Source, PuTTY's Private Keys, LeakyCLI, LLMs Writing Exploits - ASW #282
38:28
CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Show Notes: https://securityweekly.com/asw-282
Sustainable Funding of Open Source Tools - Simon Bennetts, Mark Curphey - ASW #282
39:29
How can open source projects find a funding model that works for them? What are the implications of different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphey adds how his experience with OWASP and the appsec commu…
Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox - ASW #281
28:12
A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more! Show Notes: https://securityweekly.com/asw-281
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281
35:17
There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadt…
Governance, Compliance, and The Digital Supply Chain - Josh Marpet - BTS #27
50:01
In this episode, we discuss digital supply chain governance and compliance, featuring Josh Marpet from Guarded Risk, hosted by Paul Asadoorian and Allan Alford. Specifically, we discuss: The importance of understanding and complying with regulations affecting digital supply chains, such as Executive Order 14028 and the NIST Cybersecurity Framework.…
OWASP Breach, Types of Prompt Injection, Device-Bound Sessions, ASVS & APIs - ASW #280
28:30
OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Show Notes: https://securityweekly.com/asw-280
Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280
31:53
We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software devel…