Application Security Weekly (Audio)

What makes a threat modeling process effective? Do you need a long list of threat actors? Do you need a long list of terms? What about a short list like STRIDE? Has an effective process ever come out of a list? Farshad Abasi joins our discussion as we explain why the answer to most of those questions is No and describe the kinds of approaches that are more conducive to useful threat models. Resources: https://www.eurekadevsecops.com/agile-devops-and-the-threat-modeling-disconnect-bridging-the-gap-with-developer-insights/ https://www.threatmodelingmanifesto.org https://kellyshortridge.com/blog/posts/security-decision-trees-with-graphviz/ In the news, learning from outage postmortems, an EchoLeak image speaks a 1,000 words from Microsoft 365 Copilot, TokenBreak attack targets tokenizing techniques, Google's layered strategy against prompt injection looks like a lot like defending against XSS, learning about code security from CodeAuditor CTF, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-335

CISA has been championing Secure by Design principles. Many of the principles are universal, like adopting MFA and having opinionated defaults that reduce the need for hardening guides. Matthew Rogers talks about how the approach to Secure by Design has to be tailored for Operational Technology (OT) systems. These systems have strict requirements on safety and many of them rely on protocols that are four (or more!) decades old. He explains how the considerations in this space go far beyond just memory safety concerns. Segment Resources: https://www.cisa.gov/sites/default/files/2025-01/joint-guide-secure-by-demand-priority-considerations-for-ot-owners-and-operators-508c_0.pdf https://www.youtube.com/watch?v=vHSXu1P4ZTo Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-334

The recent popularity of MCPs is surpassed only by the recent examples deficiencies of their secure design. The most obvious challenge is how MCPs, and many more general LLM use cases, have erased two decades of security principles behind separating code and data. We take a look at how developers are using LLMs to generate code and continue our search for where LLMs are providing value to appsec. We also consider what indicators we'd look for as signs of success. For example, are LLMs driving useful commits to overburdened open source developers? Are LLMs climbing the ranks of bug bounty platforms? In the news, more examples of prompt injection techniques against LLM features in GitLab and GitHub, the value (and tradeoffs) in rewriting code, secure design lessons from a history of iOS exploitation, checking for all the ways to root, and NIST's approach to (maybe) measuring likely exploited vulns. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-333

ArmorCode unveils Anya—the first agentic AI virtual security champion designed specifically for AppSec and product security teams. Anya brings together conversation and context to help AppSec, developers and security teams cut through the noise, prioritize risks, and make faster, smarter decisions across code, cloud, and infrastructure. Built into the ArmorCode ASPM Platform and backed by 25B findings, 285+ integrations, natural language intelligence, and role-aware insights, Anya turns complexity into clarity, helping teams scale securely and close the security skills gap. Anya is now generally available and included as part of the ArmorCode ASPM Platform. Visit https://securityweekly.com/armorcodersac to request a demo! As 'vibe coding", the practice of using AI tools with specialized coding LLMs to develop software, is making waves, what are the implications for security teams? How can this new way of developing applications be made secure? Or have the horses already left the stable? Segment Resources: https://www.backslash.security/press-releases/backslash-security-reveals-in-new-research-that-gpt-4-1-other-popular-llms-generate-insecure-code-unless-explicitly-prompted https://www.backslash.security/blog/vibe-securing-4-1-pillars-of-appsec-for-vibe-coding This segment is sponsored by Backslash. Visit https://securityweekly.com/backslashrsac to learn more about them! The rise of AI has largely mirrored the early days of open source software. With rapid adoption amongst developers who are trying to do more with less time, unmanaged open source AI presents serious risks to organizations. Brian Fox, CTO & Co-founder of Sonatype, will dive into the risks associated with open source AI and best practices to secure it. Segment Resources: https://www.sonatype.com/solutions/open-source-ai https://www.sonatype.com/blog/beyond-open-vs.-closed-understanding-the-spectrum-of-ai-transparency https://www.sonatype.com/resources/whitepapers/modern-development-in-ai-era This segment is sponsored by Sonatype. Visit https://securityweekly.com/sonatypersac to learn more about Sonatype's AI SCA solutions! The surge in AI agents is creating a vast new cyber attack surface with Non-Human Identities (NHIs) becoming a prime target. This segment will explore how SandboxAQ's AQtive Guard Discover platform addresses this challenge by providing real-time vulnerability detection and mitigation for NHIs and cryptographic assets. We'll discuss the platform's AI-driven approach to inventory, threat detection, and automated remediation, and its crucial role in helping enterprises secure their AI-driven future. To take control of your NHI security and proactively address the escalating threats posed by AI agents, visit https://securityweekly.com/sandboxaqrsac to schedule an early deployment and risk assessment. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-332

In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference. With more types of identities, machines, and agents trying to access increasingly critical data and resources, across larger numbers of devices, organizations will be faced with managing this added complexity and identity sprawl. Now more than ever, organizations need to make sure security is not an afterthought, implementing comprehensive solutions for securing, managing, and governing both non-human and human identities across ecosystems at scale. This segment is sponsored by Okta. Visit https://securityweekly.com/oktarsac to learn more about them! At Mend.io, we believe that securing AI-powered applications requires more than just scanning for vulnerabilities in AI-generated code—it demands a comprehensive, enterprise-level strategy. While many AppSec vendors offer limited, point-in-time solutions focused solely on AI code, Mend.io takes a broader and more integrated approach. Our platform is designed to secure not just the code, but the full spectrum of AI components embedded within modern applications. By leveraging existing risk management strategies, processes, and tools, we uncover the unique risks that AI introduces—without forcing organizations to reinvent their workflows. Mend.io's solution ensures that AI security is embedded into the software development lifecycle, enabling teams to assess and mitigate risks proactively and at scale. Unlike isolated AI security startups, Mend.io delivers a single, unified platform that secures an organization's entire codebase—including its AI-driven elements. This approach maximizes efficiency, minimizes disruption, and empowers enterprises to embrace AI innovation with confidence and control. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to book a live demo! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-331

Developers are relying on LLMs as coding assistants, so where are the LLM assistants for appsec? The principles behind secure code reviews don't really change based on who write the code, whether human or AI. But more code means more reasons for appsec to scale its practices and figure out how to establish trust in code, packages, and designs. Rey Bango shares his experience with secure code reviews and where developer education fits in among the adoption of LLMs. As businesses rapidly embrace SaaS and AI-powered applications at an unprecedented rate, many small-to-medium sized businesses (SMBs) struggle to keep up due to complex tech stacks and limited visibility into the skyrocketing app sprawl. These modern challenges demand a smarter, more streamlined approach to identity and access management. Learn how LastPass is reimagining access control through “Secure Access Experiences” - starting with the introduction of SaaS Monitoring capabilities designed to bring clarity to even the most chaotic environments. Secure Access Experiences - https://www.lastpass.com/solutions/secure-access This segment is sponsored by LastPass. Visit https://securityweekly.com/lastpassrsac to learn more about them! Cloud Application Detection and Response (CADR) has burst onto the scene as one of the hottest categories in security, with numerous vendors touting a variety of capabilities and making promises on how bringing detection and response to the application-level will be a game changer. In this segment, Gal Elbaz, co-founder and CTO of Oligo Security, will dive into what CADR is, who it helps, and what the future will look like for this game changing technology. Segment Resources - https://www.oligo.security/company/whyoligo To see Oligo in action, please visit https://securityweekly.com/oligorsac Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-330

We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass against LLMs. Not everything is genAI as we cover some secure design topics from the Airborne attack against Apple's AirPlay to more calls for companies to show how they're embracing secure design principles and practices. Apiiro CEO & Co-Founder, Idan Plotnik discusses the AI problem in AppSec. This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them! Gen AI is being adopted faster than company's policy and data security can keep up, and as LLM's become more integrated into company systems and uses leverage more AI enabled applications, they essentially become unintentional data exfiltration points. These tools do not differentiate between what data is sensitive and proprietary and what is not. This interview will examine how the rapid adoption of Gen AI is putting sensitive company data at risk, and the data security considerations and policies organizations should implement before, if, and when their employees may seek to adopt a Gen AI tools to leverage some of their undeniable workplace benefits. Customer case studies: https://www.seclore.com/resources/customer-case-studies/ Seclore Blog: https://www.seclore.com/blog/ This segment is sponsored by Seclore. Visit https://securityweekly.com/seclorersac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-329

In this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons. But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable join the discussion to provide advice on evaluating secure designs through examples of strong and weak designs we've seen over the years. We highlight the importance of designing systems to serve users and consider what it means to have a secure design with a poor UX. As we talk about the strategy and tactics of secure design, we share why framing this as a challenge in preventing dangerous errors can help devs make practical engineering decisions that improve appsec for everyone. Resources https://owasp.org/Top10/A042021-InsecureDesign/ https://dl.acm.org/doi/10.5555/1251421.1251435 https://www.threatmodelingmanifesto.org https://www.ietf.org/rfc/rfc9700.html https://www.cisa.gov/resources-tools/resources/secure-by-design Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-328

Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should be based on secure, efficient mechanisms rather than putting all the burden on users. And it also means that managing secrets shouldn't become an unmanaged risk with new attack surfaces or new points of failure. Segment Resources: https://infisical.com/blog/solving-secret-zero-problem https://infisical.com/blog/gitops-secrets-management Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-327

The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a secure environment and why so many orgs still look to tools. And with LLMs writing so much code, we continue to look for ways LLMs can help appsec in addition to all the ways LLMs keep recreating appsec problems. Resources https://www.forrester.com/blogs/breaches-and-lawsuits-and-fines-oh-my-what-we-learned-the-hard-way-from-2024/ https://www.forrester.com/blogs/wafs-are-now-the-center-of-application-protection-suites/ https://www.forrester.com/blogs/are-you-making-these-devsecops-mistakes-the-four-phases-you-need-to-know-before-your-code-becomes-your-vulnerability/ In the news, crates.io logging mistake shows the errors of missing redactions, LLMs give us slopsquatting as a variation on typosquatting, CaMeL kicks sand on prompt injection attacks, using NTLM flaws as lessons for authentication designs, tradeoffs between containers and WebAssembly, research gaps in the world of Programmable Logic Controllers, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-326

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure. Segment resources https://owasp.org/Top10/A042021-InsecureDesign/ https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/securebydesign https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-325

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-324

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans. Segment resources: https://securing.dev/posts/ai-security-reasoning-and-bias/ https://seclists.org/dailydave/2025/q1/0 https://arxiv.org/pdf/2409.16165 https://arxiv.org/pdf/2410.05229 https://nicholas.carlini.com/writing/2025/thoughts-on-future-ai.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-323

The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Resources: https://scs.owasp.org https://scs.owasp.org/sctop10/ https://solidityscan.com/web3hackhub https://www.web3isgoinggreat.com Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-322

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-321

Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects in the world. Segment Resources: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/ https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/ https://thenewstack.io/curls-daniel-stenberg-on-securing-180000-lines-of-c-code/ Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-320

Minimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of this means for security. Applying forgivable vs. unforgivable criteria to reDoS vulns, what backdoors in LLMs mean for trust in building software, considering some secure AI architectures to minimize prompt injection impact, developer reactions to Rust, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-319

We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly. Segment Resources: Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024 Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open Project overview: https://portswigger.net/research/top-10-web-hacking-techniques Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-318

Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier. Segment Resources: -https://github.com/ScottNorberg-NCG/CodeSheriff.NET Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-317

Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers. Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-316

A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have been working with ML and sensitive data sets for a long time, and it's good to have more scrutiny on what controls should be present to protect that data. This segment is sponsored by Noma Security. Visit https://securityweekly.com/noma to learn more about them! An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-315

What's in store for appsec in 2025? Sure, there'll be some XSS and SQL injection, but what about trends that might influence how appsec teams plan? Cody Scott shares five cybersecurity and privacy predictions and we take a deep dive into three of them. We talk about finding value to appsec from AI, why IoT and OT need both programmatic and technical changes, and what the implications of the next XZ Utils attack might be. Segment resources: https://www.forrester.com/blogs/predictions-2025-cybersecurity-risk-privacy/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-314

There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog. Segment resources: https://github.com/ossf/scorecard https://www.commonhaus.org/ https://www.hackergarten.net/ Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-313

All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools to help them bring useful insights to developers. Segment Resources: https://owasp.org/www-project-defectdojo/ Three-quarters of CISOs surveyed reported being "overwhelmed" by the growing number of tools and their alerts: https://www.darkreading.com/cloud-security/cisos-throwing-cash-tools-detect-breaches As many as one-fifth of all cybersecurity alerts turn out to be false positives. Among 800 IT professionals surveyed, just under half of them stated that approximately 40% of the alerts they receive are false positives: https://www.securitymagazine.com/articles/97260-one-fifth-of-cybersecurity-alerts-are-false-positives 91% of organizations knowingly released vulnerable applications, 57% of vulnerabilities are left unresolved by developers, 32% of CISOs deploy vulnerable code in the hopes it won't be discovered, 56% of developers struggle to prioritize vulnerability fixes: https://info.checkmarx.com/future-of-application-security-2024 Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-312

Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and setting an example for transparency in security disclosures. Segment resources https://youtu.be/ydg95R2QKwM Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-311

We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage. Segment resources https://prods.ec https://owasp.org/www-project-spvs/ https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/ https://securitychampions.owasp.org/ https://deadliestwebattacks.com/appsec/2024/11/14/ai-and-llms-asw-topic-recap https://www.scworld.com/podcast-episode/3017-infosec-myths-mistakes-and-misconceptions-adrian-sanabria-asw-279 Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-310

Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload, and how engaging users about their experience with solutions like OpenTelemetry makes for better software -- a lesson that appsec teams can apply to paved roads and security guardrails. Segment Resources: https://opentelemetry.io https://cncf.io https://adri-v.medium.com/ Fuzzing barcodes and getting projects onboarded with fuzzers, using AI to guide fuzzers, using AI to combat scammers, using CWEs for something, using malicious comments to ban repos, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-309

This week's interview dives deep into the state of biometrics with two Forrester Research analysts! This discussion compares and contrasts regional approaches to biometrics; examine the security challenges and benefits of their implementation; and reveal how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives into the technical end of things and explains how biometrics can be resilient to attack. We can't replace our fingerprints or faces, but as Andras explains, there's no need to, thanks to how biometrics actually work. Then, Enza takes us through the latest on privacy in biometrics - a concern for both consumers, and businesses tasked with complying with privacy regulations and avoiding costly fines. Finally, get a sneak peek into the upcoming Forrester Security & Risk Summit. Whether you're an industry professional or just curious about the implications of biometrics, this episode delivers insights you won't want to miss! This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us. We also discuss whether Secure by Design's goals are practical or not. OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet. Also, Watchtowr has some fun with Citrix VDI! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-308

In this week's interview, Melinda Marks' joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and everything else that refuses to disappear, particularly for organizations that weren't born cloud-native and still have legacy workloads to worry about. Integrating security into the SDLC and CI/CD pipelines, infrastructure as code (IaC) trends, best of breed vs platform, and other aspects of AppSec get discussed as well! This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response. Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish. Is it bad that 70% of DevSecOps professionals don't know if code is AI generated or not? All that and more on this week's news segment. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-307

After spending a decade working for appsec vendors, Grant McKracken wanted to give something back. He saw a gap in the market for free or low-cost services for smaller organizations that have real appsec needs, but not a lot of means to pay for it. He founded DarkHorse, who offers VDPs and bug bounties to organizations of all sizes for free, or for as low of cost as possible. While not a non-profit, the company's goal is to make these services as cheap as possible to increase accessibility for smaller or more budget-constrained organizations. The company has also introduced the concept of "fractional pentesting", access to cyber talent when and how you need it, based on what you can afford. This implies services beyond just offensive security, something we'll dive deeper into in the interview. We don't see DarkHorse ever competing with the larger Bug Bounty platforms, but rather providing services to the organizations too small for the larger platforms to sell to. Microsoft delays Recall AGAIN, Project Zero uses an LLM to find a bugger underflow in SQLite, the scourge of infostealer malware, zero standing privileges is easy if you have unlimited time (but no one does), reverse engineering Nintendo's Alarmo and RedBox's... boxes. Bonus: the book series mentioned in this episode The Lost Fleet by Jack Campbell. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-306

Better TLS implementations with Rust, fuzzing, and managing certs, appsec lessons from the everlasting transition to IPv6, LLMs for finding vulns (and whether fuzzing is better), and more! Also check out this presentation from BSides Knoxville that we talked about briefly, https://youtu.be/DLn7Noex_fc?feature=shared Generative AI has been the talk of the technology industry for the past 18+ months. Companies are seeing its value, so generative AI budgets are growing. With more and more AI agents expected in the coming years, it's essential that we are securing how consumers interact with generative AI agents and how developers build AI agents into their apps. This is where identity comes in. Shiven Ramji, President of Customer Identity Cloud at Okta, will dive into the importance of protecting the identity of AI agents and Okta's new security tools revealed at Oktane that address some of the largest issues consumers and businesses have with generative AI right now. Segment Resources: https://www.okta.com/oktane/ https://www.okta.com/press-room/press-releases/okta-helps-builders-easily-implement-auth-for-genai-apps-secure-how/ Today, there isn't an identity security standard for enterprise applications that ensures interoperability across all SaaS and IDPs. There also isn't an easy way for an app, resource, workload, API or any other enterprise technology to make itself discoverable, governable, support SSO and SCIM and continuous authentication. This lack of standardization is one of the biggest barriers to cybersecurity today. Arnab Bose, Chief Product Officer, Workforce Identity Cloud at Okta, joins Security Weekly's Mandy Logan to discuss the need for a new, comprehensive identity security standard for enterprise applications, and the work Okta is doing alongside other industry players to institute a framework for SaaS companies to enhance the end-to-end security of their products across every touchpoint of their technology stack. Segment Resources: https://www.okta.com/oktane/ https://www.okta.com/press-room/press-releases/okta-openid-foundation-tech-firms-tackle-todays-biggest-cybersecurity/ https://www.okta.com/press-room/press-releases/okta-is-reducing-the-risk-of-unmanaged-identities-social-engineering/ This segment is sponsored by Oktane, to view all of the CyberRisk TV coverage from Oktane visit https://securityweekly.com/oktane. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-305

Building cloud native apps doesn't mean you're immune to dealing with legacy systems. Cloud services have changed significantly over the last decade, both in the security controls available to them and the sheer volume of services that CSPs provide. Scott Piper shares some history of cloud security, the benefits of account separation, and how ratcheting security helps orgs stay on a paved path. Segment resources: https://www.wiz.io/blog/a-security-community-success-story-of-mitigating-a-misconfiguration http://flaws.cloud http://flaws2.cloud https://promptairlines.com Get a free demo of Wiz! Flaws that arise from inconsistent parsing of JSON and email addresses, CISA's guide to bad software practices, abusing a security disclosure process to take over a WordPress plugin, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-304

Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project. Segment Resources: https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/ https://www.zaproxy.org/blog/2024-09-30-improving-fuzzing-payloads-for-llms-with-fuzzai/ https://checkmarx.com/press-releases/checkmarx-joins-forces-with-zap-to-supercharge-dynamic-application-security-testing-dast-for-the-enterprise-and-enhance-community-growth/ KICS: https://github.com/Checkmarx/kics 2MS: https://github.com/Checkmarx/2ms The many lessons to take away from a 24-year old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-302

More remote car control via web interfaces, an RCE in CUPS, Microsoft reduces attack surface, migrating to memory safety, dealing with dependency confusion, getting rid of password strength calculators, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-301

APIs are essential to modern application architectures, driving rapid development, seamless integration, and improved user experiences. However, their widespread use has made them prime targets for attackers, especially those deploying sophisticated bots. When these bots exploit business logic, they can cause considerable financial and reputational damage. In this discussion, David Holmes offers insights into the latest trends in API and bot attacks and provides strategies to defend against these threats. Segment Resources: The Economic Impact of API and Bot Attacks: https://www.imperva.com/resources/resource-library/reports/the-economic-impact-of-api-and-bot-attacks/ The True Cost of API Insecurity and Bot Attacks in 2024: https://www.imperva.com/resources/resource-library/webinars/the-true-cost-of-api-insecurity-and-bot-attacks-in-2024/ This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them! In the news, fuzzing network traffic in OpenWRT, parsing problems lead to GitLab auth bypass, more fuzzing finds vulns in a JPEG parser, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-300

When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that makes developers not only feel like their time is well used, but that the content appeals to them. Segment Resources: - The Security Champion Program Success Guide -- A free guide that includes all steps necessary to build a successful security champion program, with real-world recommendations and examples: https://securitychampionsuccessguide.org/ - Let's Talk Software Security -- A free global virtual community where we host monthly open discussions on appsec topics: https://www.meetup.com/lets-talk-software-security/ In the news, a takeover of the MOBI TLD for $20, configuring an LLM for a CTF, firmware flaw in an SSD, Microsoft talks kernel resilience, six truths of cyber risk quantification, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-299

Considerations in paying down tech debt, make Rust work on bare metal, ECDSA side-channel in Yubikeys, trade-offs in deploying SSO quickly, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-298

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Show Notes: https://securityweekly.com/vault-asw-13

IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone. Segment resources: https://www.fcc.gov/document/cybersecurity-labeling-program-internet-things-iot-products Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-297

This week, Jeff Pollard and Allie Mellen join us to discuss the fallout and lessons learned from the CrowdStrike fiasco. They explore the reasons behind running in the kernel, the challenges of software quality, and the distinction between a security incident and an IT incident. They also touch on the need to reduce the attack surface and the importance of clear definitions in the cybersecurity industry. The conversation explores the need for a product security revolution and the importance of transparency and trust in security vendors. As development cycles shorten and more responsibilities shift to developers, application security (AppSec) is rapidly evolving. Organizations are increasingly building mature programs that automate and enhance AppSec, moving beyond manual processes. In this discussion, we explore how organizations are adapting their AppSec practices, highlighting the challenges and milestones encountered along the way. Key topics include the integration of security into the development lifecycle, the impact of emerging technologies, and strategies for fostering a security-first culture. Boaz Barzel shares his experiences and offers practical advice on overcoming common obstacles, ensuring that security measures keep pace with rapid technological advancements. This segment serves as a comprehensive guide for organizations striving to enhance their AppSec practices and continuously optimize their posture. This segment is sponsored by OX Security. Visit https://securityweekly.com/oxbh to learn more about them! Given the rapid rise of threat actors utilizing AI for cyber-attacks, security teams need advanced AI capabilities more than ever. Shimon will discuss how Dataminr's Pulse for Cyber Risk uses Dataminr's leading multi-modal AI platform to provide the speed and scale required to build enterprise resilience in the modern cyber threat environment. Dataminr's world-leading AI platform helps companies stay informed - performing trillions of daily computations across billions of public data inputs from more than one million unique public data sources encompassing text, image, video, audio and sensor signals to provide real-time information when you need it most. Segment Resources: https://www.dataminr.com/pulse/cyber-risk/?utmsource=google&utmmedium=paidsearch&utmterm=dataminr%20company&utmcampaign=NORAMDIGIBRG-SearchHDRSMajEntDemo&utmsource=google&utmmedium=paidsearch&hsaacc=8657480186&hsacam=958164645&hsagrp=125093879176&hsaad=654125003504&hsasrc=g&hsatgt=kwd-338332441603&hsakw=dataminr%20company&hsamt=p&hsanet=adwords&hsaver=3&gadsource=1&gclid=CjwKCAjwnqK1BhBvEiwAi7o0XxetJ1k8xcqlYk1Pk5Jsr6Adr2yP-9yhNM7oxISq2-Rbz-UunCxSmhoCYfgQAvD_BwE https://www.dataminr.com/resources/on-demand-webinar/why-cyber-physical-convergence-really-matters This segment is sponsored by Dataminr. Visit https://securityweekly.com/dataminrbh to learn more about their world-leading AI platform perform! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-296

Startups and small orgs don't have the luxury of massive budgets and large teams. How do you choose an appsec approach that complements a startup's needs while keeping it secure. Kalyani Pawar shares her experience at different ends of an appsec maturity spectrum. In complex software ecosystems, individual application risks are compounded. When it comes to mitigating supply chain risk, identifying backdoors or unintended vulnerabilities that can be exploited in your environment is just as critical as staying current with the latest hacking intel. Understand how to spot and reduce the risk to your environment and prevent disruption to your operation. This segment is sponsored by Threatlocker. Visit https://securityweekly.com/threatlockerbh for a free trial! Every mobile device connecting to enterprise assets hosts a unique blend of work and personal apps, creating a complex landscape of innumerable vulnerabilities. Thankfully, methods exist to provide security teams with the real-world insights necessary to proactively address threats and shield against attacks targeting mobile apps and device endpoints. Nikos Kiourtis, CTO at Quokka, shares the latest findings in mobile security, outlining emerging threats and effective measures to reduce your mobile app attack surface – and safeguarding against potential attacks and data breaches. Segment Resources: - Panelcast with SC Magazine: 8 ways attackers target mobile apps to steal your data (and how to stop them) https://www.scmagazine.com/cybercast/8-ways-attackers-target-mobile-apps-to-steal-your-data-and-how-to-stop-them - Ryan Johnson's talk at DEF CON 32, “Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?” https://defcon.org/html/defcon-32/dc-32-speakers.html This segment is sponsored by Quokka. Visit https://securityweekly.com/quokkabh to learn more about their intelligence app solutions! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-295

Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security. Segment Resources: OWASP Security Champions Guide - Get Involved! - https://owasp.org/www-project-security-champions-guidebook/#div-getinvolved OWASP Security Champions Guide - LinkedIn page - https://www.linkedin.com/company/owasp-security-champions-guide/ The Security Champions Success Guide - https://securitychampionsuccessguide.org/ "Building a Successful Security Champions Program... What Does it Take?" - https://www.katilyst.com/post/building-a-successful-security-champions-program-what-does-it-take The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-294