Podcasts about OWASP

We showcase recordings from this year's RSAC. At RSAC Conference 2026, Scott Clinton, Co-Chair and co-founder of the OWASP GenAI Security Project, shares insights from the project's latest research, including new landscape guides and evolving approaches to securing generative and agentic AI systems. The conversation explores critical gaps in GenAI data security, the rise of AI-assisted development, and the immense growth of the OWASP community and sponsor ecosystem. Looking ahead, he outlines the most urgent risks and priorities shaping AI and agentic security in 2026. Then Merritt Maxim discusses how AI is affecting Identity and Access Management. Expect to hear this topic a lot throughout 2026, especially as the industry tries to figure out what's different or special about securing agent identities. We close with a chat with Janet Worthington about the impact of agents on the SDLC and how orgs are updating their controls to deal with code generated by humans and LLMs alike. Segment Resources: https://genai.owasp.org https://genai.owasp.org/resources/ https://www.scworld.com/podcast-episode/3905-keeping-up-with-the-owasp-genai-project-scott-clinton-asw-381 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-384

We showcase recordings from this year's RSAC. At RSAC Conference 2026, Scott Clinton, Co-Chair and co-founder of the OWASP GenAI Security Project, shares insights from the project's latest research, including new landscape guides and evolving approaches to securing generative and agentic AI systems. The conversation explores critical gaps in GenAI data security, the rise of AI-assisted development, and the immense growth of the OWASP community and sponsor ecosystem. Looking ahead, he outlines the most urgent risks and priorities shaping AI and agentic security in 2026. Then Merritt Maxim discusses how AI is affecting Identity and Access Management. Expect to hear this topic a lot throughout 2026, especially as the industry tries to figure out what's different or special about securing agent identities. We close with a chat with Janet Worthington about the impact of agents on the SDLC and how orgs are updating their controls to deal with code generated by humans and LLMs alike. Segment Resources: https://genai.owasp.org https://genai.owasp.org/resources/ https://www.scworld.com/podcast-episode/3905-keeping-up-with-the-owasp-genai-project-scott-clinton-asw-381 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Show Notes: https://securityweekly.com/asw-384

We showcase recordings from this year's RSAC. At RSAC Conference 2026, Scott Clinton, Co-Chair and co-founder of the OWASP GenAI Security Project, shares insights from the project's latest research, including new landscape guides and evolving approaches to securing generative and agentic AI systems. The conversation explores critical gaps in GenAI data security, the rise of AI-assisted development, and the immense growth of the OWASP community and sponsor ecosystem. Looking ahead, he outlines the most urgent risks and priorities shaping AI and agentic security in 2026. Then Merritt Maxim discusses how AI is affecting Identity and Access Management. Expect to hear this topic a lot throughout 2026, especially as the industry tries to figure out what's different or special about securing agent identities. We close with a chat with Janet Worthington about the impact of agents on the SDLC and how orgs are updating their controls to deal with code generated by humans and LLMs alike. Segment Resources: https://genai.owasp.org https://genai.owasp.org/resources/ https://www.scworld.com/podcast-episode/3905-keeping-up-with-the-owasp-genai-project-scott-clinton-asw-381 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-384

We showcase recordings from this year's RSAC. At RSAC Conference 2026, Scott Clinton, Co-Chair and co-founder of the OWASP GenAI Security Project, shares insights from the project's latest research, including new landscape guides and evolving approaches to securing generative and agentic AI systems. The conversation explores critical gaps in GenAI data security, the rise of AI-assisted development, and the immense growth of the OWASP community and sponsor ecosystem. Looking ahead, he outlines the most urgent risks and priorities shaping AI and agentic security in 2026. Then Merritt Maxim discusses how AI is affecting Identity and Access Management. Expect to hear this topic a lot throughout 2026, especially as the industry tries to figure out what's different or special about securing agent identities. We close with a chat with Janet Worthington about the impact of agents on the SDLC and how orgs are updating their controls to deal with code generated by humans and LLMs alike. Segment Resources: https://genai.owasp.org https://genai.owasp.org/resources/ https://www.scworld.com/podcast-episode/3905-keeping-up-with-the-owasp-genai-project-scott-clinton-asw-381 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Show Notes: https://securityweekly.com/asw-384

Send us Fan MailIf you still picture “hackers” as hoodie stereotypes and fast typing in a dark room, this conversation resets the story with real, practical detail. We sit down with Kyle Winters from Learn with Cisco to define ethical hacking and penetration testing the way security teams actually use it: as a sanctioned, scoped way to think like an attacker so you can fix weaknesses before a real threat actor finds them. The heart of the episode is simple: defence tools are not enough unless you test them with an offensive mindset.We dig into how red team, blue team, and purple team workflows differ, when black box testing beats white box testing, and why rules of engagement matter when a scan can lock accounts, crash fragile IoT devices, or disrupt business critical apps. Kyle also shares a hands on learning path through Cisco Networking Academy (NetAcad), including a free ethical hacking course with labs, a mock pen test flow, and Capture the Flag challenges on Cisco U that lead to a non expiring certificate. We also touch on Cisco Talos and why threat intelligence and community training help close the cybersecurity skills gap.Then we pivot to AI security and the uncomfortable truth: generative AI makes phishing, deepfakes, and voice impersonation more convincing, and agentic tooling can automate parts of exploitation faster than many teams expect. At the same time, AI adds a brand new attack surface, from prompt injection to unsafe chatbot connections into databases, which is why AI red teaming, OWASP style LLM risk thinking, zero trust, and least privilege are becoming core security skills.Subscribe for more practical cybersecurity conversations, share this with someone learning ethical hacking, and leave a review. What worries you most about AI in security right now?Connect with Our Guest:https://www.linkedin.com/in/kyle-m-winters/Purchase Chris and Tim's book on AWS Cloud Networking: https://www.amazon.com/Certified-Advanced-Networking-Certification-certification/dp/1835080839/Check out the Monthly Cloud Networking Newshttps://docs.google.com/document/d/1fkBWCGwXDUX9OfZ9_MvSVup8tJJzJeqrauaE6VPT2b0/Visit our website and subscribe: https://www.cables2clouds.com/Follow us on BlueSky: https://bsky.app/profile/cables2clouds.comFollow us on YouTube: https://www.youtube.com/@cables2clouds/Follow us on TikTok: https://www.tiktok.com/@cables2cloudsMerch Store: https://store.cables2clouds.com/Join the Discord Study group: https://artofneteng.com/iaatj

Speed is the most common theme among developers and appsec teams working with LLMs and agents, from trying to keep up with patterns for deploying agents to dealing with more code faster to how the latest models impact code quality and security. The OWASP GenAI Project is helping organizations keep up with the speed of those changes and engaging the appsec community for sharing effective ways to keep systems secure. Scott Clinton shares the latest progress on the the project, its roadmap for the year, and how appsec practitioners can shape its future. Resources: https://genai.owasp.org/2026/04/28/finbot-ctf-is-live-a-hands-on-companion-to-the-owasp-genai-security-project/ https://genai.owasp.org/2025/01/22/announcing-the-owasp-gen-ai-red-teaming-guide/ https://www.scworld.com/podcast-episode/3695-inside-the-owasp-genai-security-project-steve-wilson-asw-352 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-381

Speed is the most common theme among developers and appsec teams working with LLMs and agents, from trying to keep up with patterns for deploying agents to dealing with more code faster to how the latest models impact code quality and security. The OWASP GenAI Project is helping organizations keep up with the speed of those changes and engaging the appsec community for sharing effective ways to keep systems secure. Scott Clinton shares the latest progress on the the project, its roadmap for the year, and how appsec practitioners can shape its future. Resources: https://genai.owasp.org/2026/04/28/finbot-ctf-is-live-a-hands-on-companion-to-the-owasp-genai-security-project/ https://genai.owasp.org/2025/01/22/announcing-the-owasp-gen-ai-red-teaming-guide/ https://www.scworld.com/podcast-episode/3695-inside-the-owasp-genai-security-project-steve-wilson-asw-352 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Show Notes: https://securityweekly.com/asw-381

Speed is the most common theme among developers and appsec teams working with LLMs and agents, from trying to keep up with patterns for deploying agents to dealing with more code faster to how the latest models impact code quality and security. The OWASP GenAI Project is helping organizations keep up with the speed of those changes and engaging the appsec community for sharing effective ways to keep systems secure. Scott Clinton shares the latest progress on the the project, its roadmap for the year, and how appsec practitioners can shape its future. Resources: https://genai.owasp.org/2026/04/28/finbot-ctf-is-live-a-hands-on-companion-to-the-owasp-genai-security-project/ https://genai.owasp.org/2025/01/22/announcing-the-owasp-gen-ai-red-teaming-guide/ https://www.scworld.com/podcast-episode/3695-inside-the-owasp-genai-security-project-steve-wilson-asw-352 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-381

Speed is the most common theme among developers and appsec teams working with LLMs and agents, from trying to keep up with patterns for deploying agents to dealing with more code faster to how the latest models impact code quality and security. The OWASP GenAI Project is helping organizations keep up with the speed of those changes and engaging the appsec community for sharing effective ways to keep systems secure. Scott Clinton shares the latest progress on the the project, its roadmap for the year, and how appsec practitioners can shape its future. Resources: https://genai.owasp.org/2026/04/28/finbot-ctf-is-live-a-hands-on-companion-to-the-owasp-genai-security-project/ https://genai.owasp.org/2025/01/22/announcing-the-owasp-gen-ai-red-teaming-guide/ https://www.scworld.com/podcast-episode/3695-inside-the-owasp-genai-security-project-steve-wilson-asw-352 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Show Notes: https://securityweekly.com/asw-381

Something flipped this year. Chatbots were a toy. Useful sometimes, but a toy. Agents are not. Agents take actions, hold credentials, write code, move Kanban cards, and run on cron schedules. The window between "this is interesting" and "this is existential" has closed faster than cloud, faster than Kubernetes, faster than any prior shift. Viktor's read is blunt. One person can now build a bigger business than most mid-size companies have ever managed. That is not hyperbole -- that is a description of what is already happening with a handful of solo-built projects shipping in weeks what used to take a hundred-person org years. The thesis: panic. Not because the sky is falling, but because larger companies cannot turn around overnight, and the gap between the people who get this and the people who are still scheduling meetings about scheduling meetings is widening every week. The conversation walks through what each big provider is actually doing. AWS is not pretending to compete on models -- they want the inference revenue. Microsoft is lost in Copilot button-stuffing. Google is quietly winning on three layers at once: TPUs, models, and inference infrastructure. Anthropic is on the path to becoming the next defining IPO, while OpenAI looks like a place to take money out of, not put more in. The Linux Foundation's new Agentic AI foundation got Anthropic's MCP, Block's Goose, and OpenAI's AGENTS.md spec. Viktor's reaction: those are heavy hitters donating not very much. Then it gets practical. Vendor-provided agents are like hiring a genius engineer who knows nothing about your company. Public skills are mostly nonsense -- if it is in public training data, the model already knows it; what is missing is everything specific to you, which is exactly what no public skill can provide. OWASP just published an Agentic AI Top 10 and most of it is least-privilege rebranded for agents. The cost story is also not what the marketing says: a 00 monthly subscription will not last a day for anyone working full-time with agents. There is a true story in here about a leaked token that turned a 00 monthly spend into 5,000 in two days. The hardest part of the episode is the part nobody likes hearing. If your output stays the same in 2026, you are in trouble. If you multiply your output, you are fine. Companies have always wanted to do more than they could afford to do. Now they can. The middle is where careers used to live. The middle is where the cuts are going.   YouTube channel: https://youtube.com/devopsparadox   Review the podcast on Apple Podcasts: https://www.devopsparadox.com/review-podcast/   Slack: https://www.devopsparadox.com/slack/   Connect with us at: https://www.devopsparadox.com/contact/

A Stripe employee hid a message in his LinkedIn profile telling any AI that read it to include a flan recipe. A month later, an AI recruiter emailed him one. It's funny until you realize the same technique can exfiltrate data, generate phishing content, or hijack automated business processes. What is prompt injection, why does OWASP rank it as the number one risk to large language models, and what should you do about it? Let's find out. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.   OWASP Top 10 for LLM Applications -- https://genai.owasp.org

It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI. They show what goes into making a project relevant and -- most importantly -- successful at defending how supply chains are attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out! Resources https://owasp.org/www-project-spvs/ https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS https://slsa.dev Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security Most enterprise organizations have been working at Zero Trust for years and fail to deliver truly secure environments. Rohan Ravindranath shares insights that Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works. This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them! Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what “AI penetration testing” means, why it's different from automated scanning, and why it's becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee's AI penetration tester: a proprietary LLM model, built independently of “frontier” LLMs (like Claude, ChatGPT, Cursor, etc.), and consistently outperforming them at browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship. This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-378

When Anthropic announced Project Glasswing, the headline was the capability: an AI model that found a 27-year-old flaw in OpenBSD and a 17-year-old remote code execution vulnerability in FreeBSD — fully autonomously, no human in the loop after the initial prompt. But the story underneath the capability is a structural one about who gets early intelligence, who sets the disclosure timeline, and what happens to every organization that wasn't in the room. In this edition of Lens Four, Sean Martin examines Project Glasswing through three lenses: the intelligence asymmetry it creates for security programs, what it reveals about the broken assumptions underneath CVE, CVSS, and NIST, and why the equity framing in Glasswing's messaging doesn't survive contact with the data.

It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI. They show what goes into making a project relevant and -- most importantly -- successful at defending how supply chains are attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out! Resources https://owasp.org/www-project-spvs/ https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS https://slsa.dev Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security Most enterprise organizations have been working at Zero Trust for years and fail to deliver truly secure environments. Rohan Ravindranath shares insights that Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works. This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them! Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what "AI penetration testing" means, why it's different from automated scanning, and why it's becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee's AI penetration tester: a proprietary LLM model, built independently of "frontier" LLMs (like Claude, ChatGPT, Cursor, etc.), and consistently outperforming them at browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship. This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac. Show Notes: https://securityweekly.com/asw-378

It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI. They show what goes into making a project relevant and -- most importantly -- successful at defending how supply chains are attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out! Resources https://owasp.org/www-project-spvs/ https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS https://slsa.dev Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security Most enterprise organizations have been working at Zero Trust for years and fail to deliver truly secure environments. Rohan Ravindranath shares insights that Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works. This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them! Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what "AI penetration testing" means, why it's different from automated scanning, and why it's becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee's AI penetration tester: a proprietary LLM model, built independently of "frontier" LLMs (like Claude, ChatGPT, Cursor, etc.), and consistently outperforming them at browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship. This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-378

When Anthropic announced Project Glasswing, the headline was the capability: an AI model that found a 27-year-old flaw in OpenBSD and a 17-year-old remote code execution vulnerability in FreeBSD — fully autonomously, no human in the loop after the initial prompt. But the story underneath the capability is a structural one about who gets early intelligence, who sets the disclosure timeline, and what happens to every organization that wasn't in the room. In this edition of Lens Four, Sean Martin examines Project Glasswing through three lenses: the intelligence asymmetry it creates for security programs, what it reveals about the broken assumptions underneath CVE, CVSS, and NIST, and why the equity framing in Glasswing's messaging doesn't survive contact with the data.

It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI. They show what goes into making a project relevant and -- most importantly -- successful at defending how supply chains are attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out! Resources https://owasp.org/www-project-spvs/ https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS https://slsa.dev Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security Most enterprise organizations have been working at Zero Trust for years and fail to deliver truly secure environments. Rohan Ravindranath shares insights that Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works. This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them! Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what "AI penetration testing" means, why it's different from automated scanning, and why it's becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee's AI penetration tester: a proprietary LLM model, built independently of "frontier" LLMs (like Claude, ChatGPT, Cursor, etc.), and consistently outperforming them at browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship. This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac. Show Notes: https://securityweekly.com/asw-378

AI-Powered AppSec, OWASP Origins, and Anthropic's "Mythos" Model: Jeff Williams on What Changes Next Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst Jim hosts Jeff Williams (Contrast Security co-founder/CTO and former OWASP global chair) for a wide-ranging discussion that begins with Anthropic's new "Mythos" model, described as powerful for finding zero-day vulnerabilities, and expands into how AppSec must evolve. Williams explains Contrast's runtime instrumentation approach, recounts OWASP's early days, the creation of WebGoat and the OWASP Top 10, and notes that many common vulnerabilities persist despite years of maturity models. They debate open source versus commercial security scrutiny, the likely high cost and scalability limits of advanced AI vulnerability discovery, and why finding more bugs matters only if remediation improves too. Williams argues for AI-powered "software factories" with feedback loops, assurance evidence, and runtime monitoring, and flags the EU Product Liability Directive treating software as a product with no-fault liability for security defects, including those from embedded open source. 00:00 AppSec Stuck in Ruts 00:42 Show Intro and Sponsor 01:40 What Contrast Security Does 02:35 OWASP Origins and WebGoat 04:33 Why the Top 10 Persists 06:28 Mythos Model Overview 08:05 Open Source Scrutiny Myth 11:31 Cost and Adoption Barriers 15:04 Finding vs Fixing Bugs 15:55 AI Code Quality Reality 17:46 AI Powered Software Factory 23:11 Building with AI in Practice 25:18 AppSec Metrics and New Approaches 26:42 Staying Optimistic as a CISO 28:00 EU Product Liability Shift 32:13 Bug Bounties in an AI World 34:06 Wrap Up and Outro

Neste episódio comentamos sobre as principais atualizações e desafios no mercado de tecnologia, trazendo uma análise objetiva sobre cibersegurança e proteção de dados. Ao longo da reprodução, você irá descobrir os recentes desdobramentos éticos do uso de inteligência artificial em contextos militares, envolvendo a recusa da Anthropic em aderir aos termos do Departamento de Defesa norte-americano e os impactos disso para a privacidade global. Você também irá aprender sobre o novo marco regulatório do Conselho Federal de Medicina para ferramentas automatizadas na área da saúde, compreendendo como as exigências da LGPD se aplicam à segurança da informação na proteção de dados médicos sensíveis. Além disso, você entenderá os detalhes do recente ataque hacker que causou graves incidentes de segurança no setor financeiro, e saberá identificar as vulnerabilidades críticas na integração de modelos de linguagem via protocolo MCP, como a perigosa injeção de prompts em servidores expostos. O host Guilherme Goulart compartilha ainda sua vivência no evento SecOps Summit, refletindo sobre a importância dos profissionais de segurança na governança corporativa. Por fim, você poderá avaliar como o uso excessivo do ChatGPT pode afetar a criatividade e gerar a homogeneização do pensamento. Para continuar acompanhando nossas discussões, não se esqueça de assinar o podcast na sua plataforma preferida, seguir nossos perfis nas redes sociais e avaliar o programa para apoiar o nosso trabalho. Esta descrição foi realizada a partir do áudio do podcast com o uso de IA, com revisão humana.     Visite nossa campanha de financiamento coletivo e nos apoie!  Conheça o Blog da BrownPipe Consultoria e se inscreva no nosso mailing Acesse WhisperSafe – Transcreva áudio e grave reuniões direto no seu computador, mesmo offline. Rápido, leve e pronto para usar com qualquer IA. Use o cupom SEGLEG50 para 50% de desconto na sua assinatura. ShowNotes Episódio citado – 2013-06-18 – Episódio #28 – PRISM – Privacidade X Segurança The Pentagon formally labels Anthropic a supply-chain risk Anthropic's Claude is suddenly the most popular iPhone app following Pentagon feud Anthropic vs. U.S. Department of War The Pentagon Can't Afford This A.I. Fight Statement from Dario Amodei on our discussions with the Department of War Employees across OpenAI and Google support Anthropic's lawsuit against the Pentagon AI safety leader says ‘world is in peril’ and quits to study poetry Microsoft & Anthropic MCP Servers at Risk of RCE, Cloud Takeovers AI Conundrum: Why MCP Security Can’t Be Patched Away MCP is the backdoor your zero-trust architecture forgot to close Ministério da Educação – REFERENCIAL PARA DESENVOLVIMENTO E USO RESPONSÁVEIS DE INTELIGÊNCIA ARTIFICIAL NA EDUCAÇÃO Nova resolução de uso de IA na CFM Artigo “When ChatGPT is Gone: Creativity Reverts and Homogeneity Persists“ BTG Pactual restabelece operações via Pix após ser alvo de ataque hacker BTG Pactual sofre ataque hacker e suspende operações via Pix PF investiga participação de funcionários no ataque hacker de R$ 100 milhões ao BTG Pactual Imagem do Episódio: A Torre de Babel — Pieter Bruegel

CISA's acting director exits. Trump's pick to lead the NSA hits Senate headwinds. The Pentagon pressures Anthropic over AI guardrails. A new WiFi attack sidesteps encryption. CISA flags flaws in EV chargers. Juniper patches a critical router bug. ManoMano discloses a massive breach. Europol cracks down on The Com. Greece delivers verdicts in Predatorgate. An alleged carding kingpin lands in U.S. custody. Jeff Williams, Founder of OWASP and Co-Founder/CTO of Contrast Security, shares how NIST is rethinking its role in analyzing software vulnerabilities as EU launches GCVE. Meta's mischievous monocles meet their match.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we have Jeff Williams, Founder of OWASP and Co-Founder/CTO of Contrast Security, sharing how NIST is rethinking its role in analyzing software vulnerabilities as EU launches GCVE. If you enjoyed this conversation, you can hear the full interview over on the Caveat podcast. Selected Reading Gottumukkala out, Andersen in as acting CISA director (CyberScoop) Senator seeks to block Trump's NSA pick, citing civil liberties concerns (The Washington Post) Anthropic Refuses to Bend to Pentagon on AI Safeguards as Dispute Nears Deadline (SecurityWeek) New AirSnitch attack bypasses Wi-Fi encryption in homes, offices, and enterprises (Ars Technica) Critical Vulnerabilities in SWITCH EV Charging Platform Allow Station Impersonation (Beyond Machines) Juniper Networks PTX Routers Affected by Critical Vulnerability (SecurityWeek) 38 Million Allegedly Impacted by ManoMano Data Breach (SecurityWeek) ‘Project Compass' Cracks Down on ‘The Com': 30 Members Arrested (Infosecurity Magazine) Greek court sentences Predator spyware gang (POLITICO) Chilean Carding Shop Operator Extradited to US (SecurityWeek) This App Warns You if Someone Is Wearing Smart Glasses Nearby  (404 Media) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, Ben and Dave sit down with N2K's Lead Analyst, Ethan Cook, to discuss the Supreme Court's decision to overturn the Trump administration's tariffs, imposed under the International Emergency Economic Powers Act (IEEPA). Additionally, Dave sits down with Jeff Williams, Founder of OWASP and Co-Founder/CTO of Contrast Security, to discuss how NIST is rethinking its role in analyzing software vulnerabilities as the EU launches GCVE. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.  Links to today's stories: ⁠Supreme Court overturns Trump's tariffs. Get the weekly Caveat Briefing delivered to your inbox. Like what you heard? Be sure to check out and subscribe to our ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Caveat Briefing⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠, a weekly newsletter available exclusively to ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠N2K Pro⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ members on ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠N2K CyberWire's⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ website. N2K Pro members receive our Thursday wrap-up covering the latest in privacy, policy, and research news, including incidents, techniques, compliance, trends, and more. This week's Caveat Briefing covers the recent AI declaration signed at India's recent AI Impact Summit. Curious about the details? Head over to the ⁠⁠⁠⁠Caveat Briefing⁠⁠⁠⁠ for the full scoop and additional compelling stories. Got a question you'd like us to answer on our show? You can send your audio file to ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠caveat@thecyberwire.com⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠. Hope to hear from you. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jamie's Links: https://github.com/github/spec-kit https://owasp.org/ https://bsky.app/profile/gaprogman.com https://dotnetcore.show/ https://gaprogman.github.io/OwaspHeaders.Core/ Mike on LinkedIn Coder Radio on Discord Mike's Oryx Review Alice Alice Jumpstart Offer

In 2026, digital privacy and security reflect a global power struggle among governments, corporations, and infrastructure providers. Encryption, once seen as absolute, is now conditional as regulators and companies find ways around it. Reports that Meta can bypass WhatsApp's end-to-end encryption and Ireland's new lawful interception rules illustrate a growing tolerance for backdoors, risking weaker international standards. Meanwhile, data collection grows deeper: TikTok reportedly tracks GPS, AI-interaction metadata, and cross‑platform behavior, leaving frameworks like OWASP as the final defense against mass exploitation.Cyber risk is shifting from isolated vulnerabilities to structural flaws. The OWASP Top 10 for 2025–26 shows that old problems—access control failures, misconfigurations, weak cryptography, and insecure design—remain endemic. Supply-chain insecurity, epitomized by the “PackageGate” (Shai‑Hulud) flaw in JavaScript ecosystems, demonstrates that inconsistent patching and poor governance expose developers system‑wide. Physical systems are no safer: at Pwn2Own Automotive 2026, researchers proved that electric vehicle chargers and infotainment systems can be hacked en masse, making charging a car risky in the same way as connecting to public Wi‑Fi. The lack of hardware‑rooted trust and sandboxing standards leaves even critical infrastructure vulnerable.Corporate and national sovereignty concerns are converging around what some call “digital liberation.” The alleged 1.4‑terabyte Nike breach by the “World Leaks” ransomware group shows how centralization magnifies damage—large, unified data stores become single points of catastrophic failure. In response, the EU's proposed Cloud and AI Development Act aims to build technological independence by funding open, auditable, and locally governed systems. Procurement rules are turning into tools of geopolitical self‑protection. For individuals, reliance on cloud continuity carries personal risks: in one case, a University of Cologne professor lost years of AI‑assisted research after a privacy setting change deleted key files, revealing that even privacy mechanisms can erase digital memory without backup.At the technological frontier, risk extends beyond IT. Ethics, aerospace engineering, and sustainability intersect in new fault lines. Anthropic's “constitutional AI” reframes alignment as a psychological concept, incorporating principles of self‑understanding and empathy—but critics warn this blurs science and philosophy. NASA's decision to modify, rather than redesign, the Orion capsule's heat shield for Artemis II—despite earlier erosion on Artemis I—has raised fears of “normalization of deviance,” where deadlines outweigh risk discipline. Beyond Earth, environmental data show nearly half of the world's largest cities already face severe water stress, exposing the intertwined fragility of digital, physical, and ecological systems.Across these issues, a shared theme emerges: sustainable security now depends not just on technical patches but on redefining how society manages data permanence, institutional transparency, and the planetary limits of infrastructure. The boundary between online safety, physical resilience, and environmental stability is dissolving—revealing that long‑term survival may rest less on innovation itself and more on rebuilding trust across the systems that sustain it.

Send us a textIn this captivating and wide-ranging conversation, Joey Pinz welcomes cybersecurity executive, author, and Brazilian jiu-jitsu enthusiast Caroline Wong. What begins with jiu-jitsu quickly expands into a profound dialogue about humility, body awareness, emotional regulation, and the unexpected personal growth that comes from combat sports—especially as an adult beginner.Caroline opens up about her upcoming book on AI and cybersecurity, explaining how AI isn't just another shift—it's redefining the entire security landscape. She outlines how to evaluate real AI solutions, why transparency matters, and how LLMs make modern social engineering nearly indistinguishable from authentic communication.She also reflects on tech's wobbly job market, why global talent has reshaped the industry, and which cybersecurity markets AI will completely replace in the years ahead. The conversation deepens as Caroline shares her journey through sobriety, the discipline instilled by her Chinese immigrant parents, the challenges of raising resilient kids in a privileged world, and why joy, peace, and positive impact—not titles—define success.

In this episode, Corey LeBleu, a veteran penetration tester, shares a raw and intense story from his early days in offensive security. Corey walks through a social engineering engagement that took a sharp turn, from being closely watched by a security guard to receiving the call that changed everything. What followed was a confrontation with authority, handcuffs, and a moment that forced him to confront the legal and emotional consequences of impersonation.Through honest storytelling, Corey reflects on the pressure of physical security testing, the thin line between authorization and trouble, and the lessons he carried forward in his career. This episode serves as a cautionary tale about understanding boundaries, respecting authority, and the unseen risks behind revealing what's hidden.00:00 Introduction to Corey LeBleu and His Journey03:34 Corey's Early Career and Learning Path06:34 The Role of Mentorship in Pen Testing09:19 Experiences in Social Engineering and Physical Pen Testing12:22 The Handcuff Incident: A Lesson in Risk15:12 Transitioning to Web Application Pen Testing18:01 The Evolution of Pen Testing Practices20:48 The Impact of AI on Pen Testing23:42 The Future of Pen Testing and Learning for Beginners26:28 Navigating Active Directory and Pen Testing Tools27:35 Essential Training for Web App Pen Testing30:34 Advice for Aspiring Pen Testers32:30 Exploring AI and Learning Resources37:05 Personal Interests and Hobbies39:17 Living in Austin and Local Music SceneSYMLINKS[LinkedIn] – https://www.linkedin.com/in/coreylebleu/Primary platform Corey recommends for connecting with him professionally.[Relic Security] – https://www.relixsecurity.com/Cybersecurity consulting firm founded and run by Corey LeBleu, focused primarily on web application penetration testing and offensive security work.[PortSwigger Academy] – https://portswigger.net/web-securityA free and advanced online training platform for web application security, created by the makers of Burp Suite. Recommended by Corey as one of the best learning resources for modern web app pentesting.[Burp Suite] – https://portswigger.net/burpA widely used web application security testing tool. Corey emphasizes learning Burp Suite as a core skill for anyone entering web app penetration testing.[OWASP Juice Shop] – https://owasp.org/www-project-juice-shop/An intentionally vulnerable web application created by OWASP for learning and practicing web security testing.[OWASP – Open Web Application Security Project] – https://owasp.orgA global nonprofit organization focused on improving software security. Corey previously ran an OWASP project and references OWASP tools and resources throughout his career.[SANS Institute] – https://www.sans.orgA major cybersecurity training and certification organization, referenced in relation to early penetration testing education and the high cost of formal training.[Hack The Box] – https://www.hackthebox.comAn online platform for practicing penetration testing skills in simulated environments.[PromptFoo] – https://promptfoo.devA tool for testing, evaluating, and securing LLM prompts. Mentioned in the context of prompt injection and AI security experimentation.[PyTorch] – https://pytorch.orgAn open-source machine learning framework widely used for deep learning and AI research. Corey mentions it as part of his learning path for understanding how LLMs work.[Hugging Face] – https://huggingface.coAn AI platform providing open-source models, datasets, and tools for machine learning and LLM experimentation.

Ken Johnson (cktricky on social media) and Seth Law are happy to announce a special episode of Absolute AppSec with Avi Douglen (sec_tigger on X), long-time OWASP Global Board of Directors member, founder and CEO of Bounce Security and co-author of the Threat Modeling Manifesto. The conversation ranges from Application Privacy related to Application Security, to participating in meetups and conferences, and finally OWASP as an Avi's experience as a board member.

In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-363

In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Show Notes: https://securityweekly.com/asw-363

In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-363

In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Show Notes: https://securityweekly.com/asw-363

Using OWASP SAMM to assess and improve compliance with the Cyber Resilience Act (CRA) is an excellent strategy, as SAMM provides a framework for secure development practices such as secure by design principles and handling vulns. Segment Resources: https://owaspsamm.org/ https://cybersecuritycoalition.be/resource/a-strategic-approach-to-product-security-with-owasp-samm/ As genAI becomes a more popular tool in software engineering, the definition of “secure coding” is changing. This session explores how artificial intelligence is reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves. We'll dive into the dual challenge of securing both human-written and AI-assisted code, discuss how enterprises can validate AI outputs against existing security standards, and highlight practical steps teams can take to build resilience into the entire development pipeline. Join us as we look ahead to the convergence of secure software engineering and AI security — where trust, transparency, and tooling will define the future of code safety. Segment Resources: https://manicode.com/ai/ Understand the history of threat modeling with Adam Shostack. Learn how threat modeling has evolved with the Four Question Framework and can work in your organizations in the wake of the AI revolution. Whether you're launching a formal Security Champions program or still figuring out where to start, there's one truth every security leader needs to hear: You already have allies in your org -- they're just waiting to be activated. In this session, we'll explore how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These are your early adopters: the developers, engineers, and team leads who already “get it,” even if their title doesn't say “security.” We'll unpack: Why you need help from people outside the security org to actually be effective Where to find your natural allies (hint: it starts with listening, not preaching) How to support and energize those allies so they influence the majority What behavioral science tells us about spreading change across an organization Segment Resources: Security Champion Success Guide: https://securitychampionsuccessguide.org/ Related interviews/podcasts: https://www.youtube.com/playlist?list=PLPb14P8f4T1ITv3p3Y3XtKsyEAA8W526h How to measure success and impact of culture change and champions: https://www.linkedin.com/pulse/from-soft-skills-hard-data-measuring-success-security-yhmse/ Global Community of Champions sign up: https://docs.google.com/forms/d/e/1FAIpQLScyXPAMf9M8idpDMwO4p2h5Ng8I0ffofZuY70BbmgCZNPUS5Q/viewform This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-362

Using OWASP SAMM to assess and improve compliance with the Cyber Resilience Act (CRA) is an excellent strategy, as SAMM provides a framework for secure development practices such as secure by design principles and handling vulns. Segment Resources: https://owaspsamm.org/ https://cybersecuritycoalition.be/resource/a-strategic-approach-to-product-security-with-owasp-samm/ As genAI becomes a more popular tool in software engineering, the definition of "secure coding" is changing. This session explores how artificial intelligence is reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves. We'll dive into the dual challenge of securing both human-written and AI-assisted code, discuss how enterprises can validate AI outputs against existing security standards, and highlight practical steps teams can take to build resilience into the entire development pipeline. Join us as we look ahead to the convergence of secure software engineering and AI security — where trust, transparency, and tooling will define the future of code safety. Segment Resources: https://manicode.com/ai/ Understand the history of threat modeling with Adam Shostack. Learn how threat modeling has evolved with the Four Question Framework and can work in your organizations in the wake of the AI revolution. Whether you're launching a formal Security Champions program or still figuring out where to start, there's one truth every security leader needs to hear: You already have allies in your org -- they're just waiting to be activated. In this session, we'll explore how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These are your early adopters: the developers, engineers, and team leads who already "get it," even if their title doesn't say "security." We'll unpack: Why you need help from people outside the security org to actually be effective Where to find your natural allies (hint: it starts with listening, not preaching) How to support and energize those allies so they influence the majority What behavioral science tells us about spreading change across an organization Segment Resources: Security Champion Success Guide: https://securitychampionsuccessguide.org/ Related interviews/podcasts: https://www.youtube.com/playlist?list=PLPb14P8f4T1ITv3p3Y3XtKsyEAA8W526h How to measure success and impact of culture change and champions: https://www.linkedin.com/pulse/from-soft-skills-hard-data-measuring-success-security-yhmse/ Global Community of Champions sign up: https://docs.google.com/forms/d/e/1FAIpQLScyXPAMf9M8idpDMwO4p2h5Ng8I0ffofZuY70BbmgCZNPUS5Q/viewform This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Show Notes: https://securityweekly.com/asw-362

Using OWASP SAMM to assess and improve compliance with the Cyber Resilience Act (CRA) is an excellent strategy, as SAMM provides a framework for secure development practices such as secure by design principles and handling vulns. Segment Resources: https://owaspsamm.org/ https://cybersecuritycoalition.be/resource/a-strategic-approach-to-product-security-with-owasp-samm/ As genAI becomes a more popular tool in software engineering, the definition of "secure coding" is changing. This session explores how artificial intelligence is reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves. We'll dive into the dual challenge of securing both human-written and AI-assisted code, discuss how enterprises can validate AI outputs against existing security standards, and highlight practical steps teams can take to build resilience into the entire development pipeline. Join us as we look ahead to the convergence of secure software engineering and AI security — where trust, transparency, and tooling will define the future of code safety. Segment Resources: https://manicode.com/ai/ Understand the history of threat modeling with Adam Shostack. Learn how threat modeling has evolved with the Four Question Framework and can work in your organizations in the wake of the AI revolution. Whether you're launching a formal Security Champions program or still figuring out where to start, there's one truth every security leader needs to hear: You already have allies in your org -- they're just waiting to be activated. In this session, we'll explore how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These are your early adopters: the developers, engineers, and team leads who already "get it," even if their title doesn't say "security." We'll unpack: Why you need help from people outside the security org to actually be effective Where to find your natural allies (hint: it starts with listening, not preaching) How to support and energize those allies so they influence the majority What behavioral science tells us about spreading change across an organization Segment Resources: Security Champion Success Guide: https://securitychampionsuccessguide.org/ Related interviews/podcasts: https://www.youtube.com/playlist?list=PLPb14P8f4T1ITv3p3Y3XtKsyEAA8W526h How to measure success and impact of culture change and champions: https://www.linkedin.com/pulse/from-soft-skills-hard-data-measuring-success-security-yhmse/ Global Community of Champions sign up: https://docs.google.com/forms/d/e/1FAIpQLScyXPAMf9M8idpDMwO4p2h5Ng8I0ffofZuY70BbmgCZNPUS5Q/viewform This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-362

Using OWASP SAMM to assess and improve compliance with the Cyber Resilience Act (CRA) is an excellent strategy, as SAMM provides a framework for secure development practices such as secure by design principles and handling vulns. Segment Resources: https://owaspsamm.org/ https://cybersecuritycoalition.be/resource/a-strategic-approach-to-product-security-with-owasp-samm/ As genAI becomes a more popular tool in software engineering, the definition of "secure coding" is changing. This session explores how artificial intelligence is reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves. We'll dive into the dual challenge of securing both human-written and AI-assisted code, discuss how enterprises can validate AI outputs against existing security standards, and highlight practical steps teams can take to build resilience into the entire development pipeline. Join us as we look ahead to the convergence of secure software engineering and AI security — where trust, transparency, and tooling will define the future of code safety. Segment Resources: https://manicode.com/ai/ Understand the history of threat modeling with Adam Shostack. Learn how threat modeling has evolved with the Four Question Framework and can work in your organizations in the wake of the AI revolution. Whether you're launching a formal Security Champions program or still figuring out where to start, there's one truth every security leader needs to hear: You already have allies in your org -- they're just waiting to be activated. In this session, we'll explore how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These are your early adopters: the developers, engineers, and team leads who already "get it," even if their title doesn't say "security." We'll unpack: Why you need help from people outside the security org to actually be effective Where to find your natural allies (hint: it starts with listening, not preaching) How to support and energize those allies so they influence the majority What behavioral science tells us about spreading change across an organization Segment Resources: Security Champion Success Guide: https://securitychampionsuccessguide.org/ Related interviews/podcasts: https://www.youtube.com/playlist?list=PLPb14P8f4T1ITv3p3Y3XtKsyEAA8W526h How to measure success and impact of culture change and champions: https://www.linkedin.com/pulse/from-soft-skills-hard-data-measuring-success-security-yhmse/ Global Community of Champions sign up: https://docs.google.com/forms/d/e/1FAIpQLScyXPAMf9M8idpDMwO4p2h5Ng8I0ffofZuY70BbmgCZNPUS5Q/viewform This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Show Notes: https://securityweekly.com/asw-362

Jeff Williams is the Co-Founder and CTO of Contrast Security, where he leads innovation in runtime-based application security. A pioneer in modern AppSec and co-founder of OWASP, Jeff has spent more than two decades helping organizations understand and manage software risk through instrumentation, context, and continuous learning.You can find Jeff on the following sites:LinkedInXHere are some links provided by Jeff:Contrast SecurityContrast Security X PLEASE SUBSCRIBE TO THE PODCASTSpotifyApple PodcastsYouTube MusicAmazon MusicRSS FeedYou can check out more episodes of Coffee and Open Source on https://www.coffeeandopensource.comCoffee and Open Source is hosted by Isaac Levin

OWASP Top 10 2025 Release Candidate OWASP published a release candidate for the 2025 version of its Top 10 list https://owasp.org/Top10/2025/0x00_2025-Introduction/ Citrix/Cisco Exploitation Details Amazon detailed how Citrix and Cisco vulnerabilities were used by advanced actors to upload webshells https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/ Testing Quantum Readyness A website tests your services for post-quantum computing-resistant cryptographic algorithms https://qcready.com/

In this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including: The KK Park scam compound in Myanmar gets blasted with actual dynamite China sentences more scammers TO DEATH While Singapore is opting to lash them with the cane Chinese security firm KnownSec leaks a bunch of documents Necromancy continues on NSO Group, with a Trump associate in charge OWASP freshens up the Top 10, you won't believe what's number three! This week's episode is sponsored by Thinkst Canary. Big bird Haroon Meer joins and, as usual, makes a good point. If you're going to trust a vendor to do something risky like put a box on your network, they have an obligation to explain how they make that safe. Thinkst has a /security page that does exactly that. So why do we let Palo Alto and Fortinet get away with “trust me, bro”? This episode is also available on Youtube. Show notes Myanmar Junta Dynamites Scam Hub in PR Move as Global Pressure Grows China sentences 5 Myanmar scam kingpins to death | The Record from Recorded Future News Law passed for scammers, mules to be caned after victims in Singapore lose almost $4b since 2020 | The Straits Times KnownSec breach: What we know so far. - NetAskari Risky Bulletin: Another Chinese security firm has its data leaked Inside Congress Live The Government Shutdown Is a Ticking Cybersecurity Time Bomb | WIRED Former Trump official named NSO Group executive chairman | The Record from Recorded Future News Short-term renewal of cyber information sharing law appears in bill to end shutdown | The Record from Recorded Future News Jaguar Land Rover hack hurt the U.K.'s GDP, Bank of England says Monetary Policy Report - November 2025 | Bank of England SonicWall says state-linked actor behind attacks against cloud backup service | Cybersecurity Dive Japanese media giant Nikkei reports Slack breach exposing employee and partner records | The Record from Recorded Future News "Intel sues former employee for allegedly stealing confidential data" Post by @campuscodi.risky.biz — Bluesky Introduction - OWASP Top 10:2025 RC1

Most organizations have security champions. Few have a real security culture.In this episode of AppSec Contradictions, Sean Martin explores why AppSec awareness efforts stall, why champion programs struggle to gain traction, and what leaders can do to turn intent into impact.

Episode 302 of Absolute AppSec has hosts Ken Johnson and Seth Law speculating on the upcoming Global AppSec DC conference, predicting the announcement of the OWASP Top Ten 2025 edition, with Brian Glass scheduled to discuss it on the podcast. The conversation shifts to a technical discussion of OpenAI's new browser, Atlas, which is built on Chromium and includes AI capabilities. The hosts noted concern over the discovered prompt instructions for Atlas, which direct the ChatGPT agent to use browser history and available APIs to find data from the user's logged-in sites to answer ambiguous queries or fulfill requests. This functionality raises significant security concerns, as the agent's ability to comb the cache and logged-in sites could be exploited, effectively creating a "honeypot for cross-site scripting" with malicious potential like unauthorized money transfers. The hosts discussed the lack of talk submissions on Mobile Context Protocol (MCP) security at the conference, despite its growing relevance in a world of AI agents and tooling. Finally, they highlighted a new tool called SlopGuard, developed to prevent the risk of AI hallucinating non-existent, potentially malicious packages (which occurs 5-21% of the time) and attempting to install them from registries like NPM.

In this special episode of the Application Security Podcast we meet nine of the OWASP Board of Directors candidates. Each candidate discusses their unique qualifications, experiences, and vision for OWASP's future. Topics include enhancing OWASP's impact, improving outreach and education, securing funding, and engaging local chapters. Don't miss this insightful debate as these candidates share their strategies to help secure a brighter future for OWASP. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. Whether apps are created by genAI or directly use genAI, the future of securing software is going to be busy. Resources https://genai.owasp.org https://genai.owasp.org/llm-top-10/ LLM security book on Amazon at https://a.co/d/6LZoXxQ This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-352

Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. Whether apps are created by genAI or directly use genAI, the future of securing software is going to be busy. Resources https://genai.owasp.org https://genai.owasp.org/llm-top-10/ LLM security book on Amazon at https://a.co/d/6LZoXxQ This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more! Show Notes: https://securityweekly.com/asw-352

Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. Whether apps are created by genAI or directly use genAI, the future of securing software is going to be busy. Resources https://genai.owasp.org https://genai.owasp.org/llm-top-10/ LLM security book on Amazon at https://a.co/d/6LZoXxQ This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-352

Rick Doten, cybersecurity startup advisor and AI researcher, joins the show to unpack how AI-assisted development is reshaping software—and what it means for security. From startups rushing to ship faster code to the unseen risks of “vibe coding,” Rick explains how engineering teams can balance innovation with secure, resilient design.If your dev team is using AI tools to boost velocity, this conversation might change how you think about your SDLC, code review, and even your threat model.Key Takeaways• AI-assisted coding speeds up output but can multiply security risks if context isn't baked in.• Startups often trade speed for security early on—and that can be expensive to unwind later.• Traditional fundamentals like OWASP and BSIMM still apply, even as architectures evolve with agents and MCP.• AI creates a widening gap between companies that can secure their models and those that can't.• “Vibe coding”—non-devs using AI to build—introduces a new wave of shadow code leaders must prepare for.Timestamped Highlights[02:09] The real range of how startups are using AI-assisted tools—and why security is often an afterthought.[05:12] Why AI-generated code is not just another form of third-party code.[09:40] The hidden risk: code volume grows faster than your ability to secure it.[15:51] How AI is widening the gap between resource-rich enterprises and everyone else.[18:25] The new fragility of systems—where architecture and resilience start to break.[22:07] Rethinking SDLC: integrating AI tools without losing security fundamentals.[25:29] “Vibe coding” and what happens when non-engineers start shipping code.Memorable Insight“AI isn't lazy like humans—it doesn't just fix one thing. It rewrites everything. That's why every line has to be re-scrutinized.”Pro TipsIf your startup doesn't have a dedicated security function yet, start with the basics: integrate OWASP checks into your CI/CD, use non-human accounts correctly, and automate code review gates early. Don't wait until production to harden your systems.Call to ActionIf this episode sparked ideas for your dev or security team, share it with someone who's experimenting with AI-assisted tools. Follow The Tech Trek for more conversations at the intersection of engineering, AI, and leadership.

Dealing with vulns tends to be a discussion about prioritization. After all, there a tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs into this process without losing your focus or losing your budget. In the news, supply chain security in Ruby and Rust, protecting package repositories, refining CodeQL queries for security, refactoring and Rust, an OWASP survey, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-350

Dealing with vulns tends to be a discussion about prioritization. After all, there a tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs into this process without losing your focus or losing your budget. In the news, supply chain security in Ruby and Rust, protecting package repositories, refining CodeQL queries for security, refactoring and Rust, an OWASP survey, and more! Show Notes: https://securityweekly.com/asw-350

Dealing with vulns tends to be a discussion about prioritization. After all, there a tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs into this process without losing your focus or losing your budget. In the news, supply chain security in Ruby and Rust, protecting package repositories, refining CodeQL queries for security, refactoring and Rust, an OWASP survey, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-350

This week, we chat with Scott Clinton, board member and co-chain of the OWASP GenAI Security Project. This project has become a massive organization within OWASP with hundreds of volunteers and thousands of contributors. This team has been cranking out new tools, reports and guidance for practitioners month after month for over a year now. We start off discussing how Scott and other leaders have managed to keep up with the crazy rate of change in the AI world. We pivot to discussing some of the specific projects the team is working on, and finally discuss some of the biggest AI security challenges before wrapping up the conversation. If you're neck-deep in AI like we are, I highly recommend checking out this conversation, and consider joining this OWASP project, sponsoring them, or just checking out what they have to offer (which is all free, of course). Segment Resources: Get started with the OWASP GenAI Security Project Register for the GenAI Application Security & Risk Summit on October 9th, 11am - 4pm EST This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-348

This week, we chat with Scott Clinton, board member and co-chain of the OWASP GenAI Security Project. This project has become a massive organization within OWASP with hundreds of volunteers and thousands of contributors. This team has been cranking out new tools, reports and guidance for practitioners month after month for over a year now. We start off discussing how Scott and other leaders have managed to keep up with the crazy rate of change in the AI world. We pivot to discussing some of the specific projects the team is working on, and finally discuss some of the biggest AI security challenges before wrapping up the conversation. If you're neck-deep in AI like we are, I highly recommend checking out this conversation, and consider joining this OWASP project, sponsoring them, or just checking out what they have to offer (which is all free, of course). Segment Resources: Get started with the OWASP GenAI Security Project Register for the GenAI Application Security & Risk Summit on October 9th, 11am - 4pm EST This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Show Notes: https://securityweekly.com/asw-348

Porn bombing the celestial zoom room and Astro Oblivion, FreePBX, GitHub, OWASP, Promptlock, Claude Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-507