About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
…
continue reading
1
RCE from Iconv + PHP, Fuzzing a Codec, Fuzzing LLMs, Revisiting Recall - ASW #302
37:03
37:03
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
37:03
The many lessons to take away from a 24-year old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more! Show Notes: https://securityweekly.co…
…
continue reading
1
The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302
35:34
35:34
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
35:34
Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzi…
…
continue reading
1
More Car Hacks, CUPS Vulns, Microsoft's SFI, Memory Safety, Password Complexity - ASW #301
45:57
45:57
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
45:57
More remote car control via web interfaces, an RCE in CUPS, Microsoft reduces attack surface, migrating to memory safety, dealing with dependency confusion, getting rid of password strength calculators, and more! Show Notes: https://securityweekly.com/asw-301
…
continue reading
1
Fuzzing for Vulns, GitLab Auth Bypass, JPEG Vulns, Programming Language Ranks - ASW #300
32:45
32:45
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
32:45
Fuzzing network traffic in OpenWRT, parsing problems lead to GitLab auth bypass, more fuzzing finds vulns in a JPEG parser, and more! Show Notes: https://securityweekly.com/asw-300
…
continue reading
1
Vulnerable APIs and Bot Attacks: Two Interconnected, Growing Security Threats - David Holmes - ASW #300
35:07
35:07
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
35:07
APIs are essential to modern application architectures, driving rapid development, seamless integration, and improved user experiences. However, their widespread use has made them prime targets for attackers, especially those deploying sophisticated bots. When these bots exploit business logic, they can cause considerable financial and reputational…
…
continue reading
1
A TLD Takeover, An LLM CTF, A Firmware Flaw, 6 Truths of Cyber Risk - ASW #299
29:16
29:16
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
29:16
A takeover of the MOBI TLD for $20, configuring an LLM for a CTF, firmware flaw in an SSD, Microsoft talks kernel resilience, six truths of cyber risk quantification, and more! Show Notes: https://securityweekly.com/asw-299
…
continue reading
1
Bringing Secure Coding Concepts to Developers - Dustin Lehr - ASW #299
33:10
33:10
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
33:10
When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that m…
…
continue reading
1
Paying Down Tech Debt, Rust in Firmware, EUCLEAK, Deploying SSO - ASW #298
56:25
56:25
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
56:25
Considerations in paying down tech debt, make Rust work on bare metal, ECDSA side-channel in Yubikeys, trade-offs in deploying SSO quickly, and more! Show Notes: https://securityweekly.com/asw-298
…
continue reading
1
Close the Security Theater: Enter Resilience - Kelly Shortridge - ASW Vault
37:48
37:48
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
37:48
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these quest…
…
continue reading
1
Apache HTTPD Vulns, Hacking IoT Speakers, Use Cases for WASM, Slack AI Leak - ASW #297
27:08
27:08
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
27:08
Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more! Show Notes: https://securityweekly.com/asw-297
…
continue reading
1
Changing the Course of IoT's Future from Its Insecure Past - Paddy Harrington - ASW #297
37:21
37:21
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
37:21
IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given…
…
continue reading
1
Navigating the Path to Maturity & AI is helping combat cyber threats - Shimon Modi, Boaz Barzel - ASW #296
39:21
39:21
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
39:21
As development cycles shorten and more responsibilities shift to developers, application security (AppSec) is rapidly evolving. Organizations are increasingly building mature programs that automate and enhance AppSec, moving beyond manual processes. In this discussion, we explore how organizations are adapting their AppSec practices, highlighting t…
…
continue reading
1
The Fallout and Lessons Learned from the CrowdStrike Fiasco - Allie Mellen, Jeff Pollard - ASW #296
42:38
42:38
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
42:38
This week, Jeff Pollard and Allie Mellen join us to discuss the fallout and lessons learned from the CrowdStrike fiasco. They explore the reasons behind running in the kernel, the challenges of software quality, and the distinction between a security incident and an IT incident. They also touch on the need to reduce the attack surface and the impor…
…
continue reading
1
Reducing Supply Chain Risk & What’s lurking in your phone? - Danny Jenkins, Nikos Kiourtis - ASW #295
34:30
34:30
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
34:30
In complex software ecosystems, individual application risks are compounded. When it comes to mitigating supply chain risk, identifying backdoors or unintended vulnerabilities that can be exploited in your environment is just as critical as staying current with the latest hacking intel. Understand how to spot and reduce the risk to your environment…
…
continue reading
1
When Appsec Needs to Start Small - Kalyani Pawar - ASW #295
34:22
34:22
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
34:22
Startups and small orgs don't have the luxury of massive budgets and large teams. How do you choose an appsec approach that complements a startup's needs while keeping it secure. Kalyani Pawar shares her experience at different ends of an appsec maturity spectrum. Show Notes: https://securityweekly.com/asw-295…
…
continue reading
1
Dead Code, CrowdStrike's Kernel Lessons, VMs & Security Boundaries, SLUBStick Attack - ASW #294
33:55
33:55
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
33:55
The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more! Show Notes: https://securityweekly.com/asw-294
…
continue reading
1
Building Successful Security Champions Programs - Marisa Fagan - ASW #294
36:24
36:24
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
36:24
Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions …
…
continue reading
1
A CISO's Perspective on AI, Appsec, and Changing Behaviors - Paul Davis - ASW #293
45:18
45:18
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
45:18
Modern appsec isn't modern because security tools got shifted in one direction or another, or because teams are finding and fixing more vulns. It's modern because appsec is meeting developer needs and supporting the business. Paul Davis talks about how AI is (and isn't) changing appsec, the KPIs that reflect outcomes rather than being busy, and the…
…
continue reading
1
SAPwned, Squarespace Domain Hijacks, AIs Fixing Code, Infosec Investments - ASW #292
28:57
28:57
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
28:57
SAPwned demonstrates tenets of tenant isolation, a weak login flow puts Squarespace domains at risk, how AIs might (or might not) be useful for fixing code, getting buy-in for infosec investments, and more! Show Notes: https://securityweekly.com/asw-292
…
continue reading
1
Where Generative AI Can Actually Help Security (And Where It Doesn't) - Allie Mellen, Farshad Abasi - ASW #292
36:04
36:04
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
36:04
Generative AI has produced impressive chatbots and content generation, but however fun or impressive those might be, they don't always translate to value for appsec. Allie brings some realistic expectations to how genAI is used by attackers and can be useful to defenders. Segment resources: https://www.forrester.com/blogs/generative-ai-will-not-ful…
…
continue reading
1
A 2024 Appsec Report, Preparing for the AIxCC, Secure Design and Post-Quantum Crypto - ASW #291
35:58
35:58
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
35:58
Cloudflare's 2024 appsec report, reasoning about the Cyber Reasoning Systems for the upcoming AIxCC semifinals at DEF CON, lessons in secure design from post-quantum cryptography, and more! Show Notes: https://securityweekly.com/asw-291
…
continue reading
1
Producing Secure Code by Leveraging AI - Stuart McClure - ASW #291
33:06
33:06
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
33:06
How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-i…
…
continue reading
1
State Of Application Security 2024 - Sandy Carielli, Janet Worthington - ASW #290
38:12
38:12
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
38:12
Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous sp…
…
continue reading
1
Polyfill Empties Trust, regreSSHion, CocoaPods Vulns & Secure Design, LLM Bughunters - ASW #290
34:30
34:30
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
34:30
Polyfill loses trust after CDN misuse, an OpenSSH flaw reappears, how to talk about secure design from some old CocoaPods vulns, using LLMs to find bugs, Burp Proxy gets more investment, and more! Show Notes: https://securityweekly.com/asw-290
…
continue reading
1
Shared Responsibility Models, AI in Offensive Security, Apple's Private Cloud Compute - ASW #289
24:10
24:10
Прослушать позже
Прослушать позже
Списки
Нравится
Нравится
24:10
Thoughts on shared responsibility models after the Snowflake credential attacks, looking at AI's current and future role in offensive security, secure by design lessons from Apple's Private Cloud Computer, and more! Show Notes: https://securityweekly.com/asw-289
…
continue reading