About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302
1:12:35
Zed Attack Proxy has been a crucial web app testing tool for well over a decade. It also struggled throughout 2024 to obtain funding that would let the tool add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzi…
More Car Hacks, CUPS Vulns, Microsoft's SFI, Memory Safety, Password Complexity - Farshad Abasi - ASW #301
45:57
More remote car control via web interfaces, an RCE in CUPS, Microsoft reduces attack surface, migrating to memory safety, dealing with dependency confusion, getting rid of password strength calculators, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-301…
Vulnerable APIs and Bot Attacks: Two Interconnected, Growing Security Threats - David Holmes - ASW #300
1:07:51
APIs are essential to modern application architectures, driving rapid development, seamless integration, and improved user experiences. However, their widespread use has made them prime targets for attackers, especially those deploying sophisticated bots. When these bots exploit business logic, they can cause considerable financial and reputational…
Bringing Secure Coding Concepts to Developers - Dustin Lehr - ASW #299
1:02:26
When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that m…
Paying Down Tech Debt, Rust in Firmware, EUCLEAK, Deploying SSO - ASW #298
56:25
Considerations in paying down tech debt, making Rust work on bare metal, the EUCLEAK ECDSA side-channel in YubiKeys, trade-offs in deploying SSO quickly, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-298
Close the Security Theater: Enter Resilience - Kelly Shortridge - ASW Vault
37:48
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these quest…
Changing the Course of IoT's Future from Its Insecure Past - Paddy Harrington - ASW #297
1:04:28
IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given…
The Fallout and Lessons Learned from the CrowdStrike Fiasco - Shimon Modi, Jeff Pollard, Allie Mellen, Boaz Barzel - ASW #296
1:21:54
This week, Jeff Pollard and Allie Mellen join us to discuss the fallout and lessons learned from the CrowdStrike fiasco. They explore the reasons behind running in the kernel, the challenges of software quality, and the distinction between a security incident and an IT incident. They also touch on the need to reduce the attack surface and the impor…
When Appsec Needs to Start Small - Kalyani Pawar, Danny Jenkins, Nikos Kiourtis - ASW #295
1:08:53
Startups and small orgs don't have the luxury of massive budgets and large teams. How do you choose an appsec approach that complements a startup's needs while keeping it secure? Kalyani Pawar shares her experience at different ends of the appsec maturity spectrum. In complex software ecosystems, individual application risks are compounded. When it …
Building Successful Security Champions Programs - Marisa Fagan - ASW #294
1:10:17
Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions …
A CISO's Perspective on AI, Appsec, and Changing Behaviors - ASW #293
45:18
Modern appsec isn't modern because security tools got shifted in one direction or another, or because teams are finding and fixing more vulns. It's modern because appsec is meeting developer needs and supporting the business. Paul Davis talks about how AI is (and isn't) changing appsec, the KPIs that reflect outcomes rather than being busy, and the…
Where Generative AI Can Actually Help Security (And Where It Doesn't) - Farshad Abasi, Allie Mellen - ASW #292
1:05:00
Generative AI has produced impressive chatbots and content generation, but however fun or impressive those might be, they don't always translate to value for appsec. Allie brings some realistic expectations to how genAI is used by attackers and can be useful to defenders. Segment resources: https://www.forrester.com/blogs/generative-ai-will-not-ful…
Producing Secure Code by Leveraging AI - Stuart McClure - ASW #291
1:09:02
How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-i…
State Of Application Security 2024 - Sandy Carielli, Janet Worthington - ASW #290
1:12:41
Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this and why appsec needs to accelerate to ludicrous sp…
OAuth 2.0 from Protecting APIs to Supporting Authorization & Authentication - Aaron Parecki - ASW #289
1:01:09
OAuth 2.0 is more than just a single spec, and it's used to protect more than just APIs. We talk about the challenges of maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, it's not even always interoperable. Segment Resources: https://oauth.net/2.1 https://oauth.n…
Learning EBPF - Liz Rice - ASW Vault
37:16
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of …
Microsoft Recall's Security & Privacy, Hacking Web APIs, Secure Design Pledge - ASW #288
38:36
Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-288…
Open Source Software Supply Chain Security & The Real Crisis Behind XZ Utils - Idan Plotnik, Luis Villa, Erez Hasson - ASW #287
1:12:08
Open source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities of project owners have increased, not only in dealing with security disclosures but in maintaining secure processes backed by strong authentication and …
Securing Shadow Apps & Protecting Data - Guy Guzner, Pranava Adduri - ASW Vault
30:32
With hundreds or thousands of SaaS apps to secure and no traditional perimeter, identity becomes the focal point for SaaS security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it's more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single S…
Collecting Bounties and Building Communities - Ben Sadeghipour - ASW Vault
36:23
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023. We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. Show Notes: https://securityweekly.com/vault-asw-9…
Node.js Secure Coding - Oliver Tavakoli, Chris Thomas, Liran Tal - ASW #286
1:09:05
Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experience, but it also relies on code that looks familiar to d…
Inside the OWASP Top 10 for LLM Applications - Sandy Dunn, Mike Fey, Josh Lemos - ASW #285
1:06:40
Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many wa…
AI & Hype & Security (Oh My!) & Hacking AI Bias - Caleb Sima, Keith Hoodlet - ASW #284
1:04:57
A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software, and in many cases AI concerns look more like old-school API concerns. But there are still important aspects of AI safety and security that are specific to it, from prompt injection to jailbreaking to authenticity. Caleb Sima explain…
Why Companies Continue to Struggle with Supply Chain Security - Melinda Marks - ASW #283
1:19:42
Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now th…
Sustainable Funding of Open Source Tools - Mark Curphey, Simon Bennetts - ASW #282
1:17:57
How can open source projects find a funding model that works for them? What are the implications of different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphey adds how his experience with OWASP and the appsec commu…