About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt
Mehran Koushkebaghi -- Security as a Systemic Concern: How to develop Anti-Requirements
Duration: 45:08
Mehran Koushkebaghi, a seasoned engineering expert, delves into the intricacies of systemic security. He draws parallels between civil engineering and IT systems, and explains the importance of holistic thinking in security design. Discover the difference between semantic and syntactic vulnerabilities and understand how anti-requirements play a cri…
Unforgivable Vulns, DeepSeek iOS App Security Flaws, Memory Safety Standards - ASW #317
Duration: 35:52
Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more! Show Notes: https://securityweekly.com/asw-317
Code Scanning That Works With Your Code - Scott Norberg - ASW #317
Duration: 1:12:52 (also listed at 37:01)
Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner …
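The episode blurb above says that grep patterns and a few regular expressions catch many obvious mistakes. The script below is an added example written for this page (it is not Scott Norberg's scanner, and the rules are not his or any vendor's); it runs five hypothetical single-line regex rules for common .NET mistakes over a constructed C# snippet and also shows where line-at-a-time matching runs out: the `Split()` method assembles the query string on one line and passes it to `SqlCommand` on the next, so a rule keyed on `new SqlCommand("..." +` never sees it, and a second rule on the string assignment is needed to recover it.

```python
import re
from dataclasses import dataclass

# Constructed C# sample for this example (not code from any real project).
# Every method carries one obvious mistake except Safe(), which is the
# parameterized version, and Split(), which defeats a naive single-line rule.
SAMPLE_CS = """\
using System.Data.SqlClient;
using System.Runtime.Serialization.Formatters.Binary;

public class UserController : Controller
{
    public ActionResult Find(string name)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'", conn);
        return View(cmd.ExecuteReader());
    }

    public ActionResult Echo()
    {
        Response.Write(Request.QueryString["msg"]);
        return null;
    }

    [ValidateInput(false)]
    public ActionResult Post(string body) { return Content(body); }

    public object Load(byte[] blob)
    {
        var fmt = new BinaryFormatter();
        return fmt.Deserialize(new MemoryStream(blob));
    }

    public ActionResult Safe(string name)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
        cmd.Parameters.AddWithValue("@name", name);
        return View(cmd.ExecuteReader());
    }

    public ActionResult Split(string name)
    {
        // query text assembled on its own line
        var sql = "SELECT * FROM Users WHERE Name = '" + name + "'";
        var cmd = new SqlCommand(sql, conn);
        return View(cmd.ExecuteReader());
    }
}
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule_id: str
    text: str


# Hypothetical rule set for this example. Each rule is a single-line regex,
# which is both the strength (cheap, explainable) and the limit (no dataflow)
# of grep-style scanning.
RULES = (
    # SQL literal concatenated straight into the SqlCommand constructor
    ("DOTNET-SQLI-CMD",
     re.compile(r'new\s+SqlCommand\s*\(\s*"[^"]*"\s*\+')),
    # SQL literal concatenated into a variable (catches the two-line Split() case)
    ("DOTNET-SQLI-STR",
     re.compile(r'=\s*"(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.IGNORECASE)),
    # Request data written straight into the response (reflected XSS)
    ("DOTNET-XSS-RESPONSE-WRITE",
     re.compile(r'Response\.Write\s*\([^)]*?\bRequest\.')),
    # ASP.NET request validation switched off for an action
    ("DOTNET-VALIDATEINPUT-OFF",
     re.compile(r'\[\s*ValidateInput\s*\(\s*false\s*\)\s*\]')),
    # BinaryFormatter instantiation (insecure deserialization)
    ("DOTNET-BINARYFORMATTER",
     re.compile(r'\bnew\s+BinaryFormatter\s*\(')),
)


def scan(source: str, rules=RULES) -> list:
    """Apply every rule to every non-comment line; return findings in line order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):  # skip line comments to cut noise
            continue
        for rule_id, pattern in rules:
            if pattern.search(line):
                findings.append(Finding(line_no, rule_id, stripped))
    return findings


def finding_ids(source: str) -> list:
    """(line number, rule id) pairs, handy for asserting on results."""
    return [(f.line_no, f.rule_id) for f in scan(source)]


if __name__ == "__main__":
    for f in scan(SAMPLE_CS):
        print(f"{f.line_no:>3}  {f.rule_id:<26} {f.text}")
```

Run it and five lines are flagged: the concatenated `SqlCommand` in `Find()`, the `Response.Write` in `Echo()`, the `[ValidateInput(false)]` attribute, the `BinaryFormatter`, and the string assignment in `Split()`. `Safe()` produces nothing. Drop `DOTNET-SQLI-STR` from the rule set and `Split()` goes unreported, which is the gap a scanner has to close with something beyond a per-line match.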
New SLAP & FLOP Attacks, OCSP Fades Away, DeepSeek's ClickHouse, OAuth 2.0 Security - ASW #316
Duration: 34:47
Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more! Show Notes: https://securityweekly.com/asw-316…
Kalyani Pawar -- Shaping AppSec at Startups
Duration: 39:52
Kalyani Pawar shares critical strategies for integrating security early and effectively in AppSec for startups. She recommends that startups begin focusing on AppSec around the 30-employee mark, with an ideal ratio of one AppSec professional per 10 engineers as the company grows. Pawar emphasizes the importance of building a security culture throug…
Threat Modeling That Helps the Business - Akira Brand, Sandy Carielli - ASW #316
Duration: 1:11:39 (also listed at 36:54)
Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat …
Opengrep & Semgrep, Hacking Subarus, Hacking Synths, Stealing Cookies, and RANsacked - ASW #315
Duration: 34:57
An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more! Show Notes: https://securityweekly.co…
Securing the AI SDLC - Niv Braun - ASW #315
Duration: 33:38 (also listed at 1:08:34)
A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have …
Appsec Predictions for 2025 - Cody Scott - ASW #314
Duration: 52:10
What’s in store for appsec in 2025? Sure, there'll be some XSS and SQL injection, but what about trends that might influence how appsec teams plan? Cody Scott shares five cybersecurity and privacy predictions and we take a deep dive into three of them. We talk about finding value to appsec from AI, why IoT and OT need both programmatic and technica…
PyPI's Quarantine, Phishing & Awareness, Porting Fishshell to Rust, Cyber Trust Mark - ASW #313
Duration: 31:43
Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Show Notes: https://securityweekly.com/asw-313
Milan Williams -- AppSec Metrics
Duration: 36:16
Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landscape, and they're valuable for career advancement and securing resources. We discuss metrics categories and…
Discussing Useful Security Requirements with Developers - Ixchel Ruiz - ASW #313
Duration: 1:07:41 (also listed at 36:04)
There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience in discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backl…
Mo Sadek -- Building an AppSec Program from Scratch
Duration: 48:50
Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by d…
Removing Rust, Double Clickjacking, h3i CLI, JWT Mistakes, Reviewing Recursion - ASW #312
Duration: 33:24
Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more! Show Notes: https://securityweekly.com/asw-312
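The "brief reminder to verify JWT signatures" deserves a concrete illustration. The block below is an added example written for this page, not code from the episode or from any JWT library: it implements HS256 signing and verification with the standard library only, puts the common mistake (`decode_unverified`, which base64-decodes the claims and never checks the signature) next to a verifier that pins the algorithm, compares the HMAC in constant time and checks `exp`, and then shows what an attacker gets past each one with a payload swap and an `alg: none` token. The key and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for this example only; a real key comes from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


class InvalidToken(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """The mistake: read the claims and never look at the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if the token is well-formed, HS256, correctly
    signed with `key` and not expired; raise InvalidToken otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side. Trusting header["alg"] is what lets
    # "alg": "none" and HMAC/RSA key-confusion tokens through.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison; a plain == leaks timing on the signature bytes.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims


def forge_payload(token: str, new_claims: dict) -> str:
    """Attacker move: swap the payload and keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _segment(new_claims) + "." + sig_b64


def alg_none_token(claims: dict) -> str:
    """Attacker move: unsigned token with an empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def _rejected(token: str, key: bytes) -> bool:
    try:
        verify_hs256(token, key)
    except InvalidToken:
        return True
    return False


def demo(key: bytes = DEMO_KEY) -> dict:
    """Run the genuine / forged / alg-none / expired / wrong-key cases."""
    genuine = sign_hs256({"sub": "alice", "role": "user", "exp": 4102444800}, key)
    forged = forge_payload(genuine, {"sub": "alice", "role": "admin"})
    none_tok = alg_none_token({"sub": "alice", "role": "admin"})
    expired = sign_hs256({"sub": "alice", "exp": 1000}, key)
    return {
        "genuine_role": verify_hs256(genuine, key)["role"],
        "unverified_sees_forged_role": decode_unverified(forged)["role"],
        "verified_rejects_forged": _rejected(forged, key),
        "verified_rejects_alg_none": _rejected(none_tok, key),
        "verified_rejects_expired": _rejected(expired, key),
        "wrong_key_rejected": _rejected(genuine, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<30} {value}")
```

The unverified decoder happily reports `role: admin` for the forged token; the verifier throws on it, on the `alg: none` token, on the expired one and on a token signed under a different key. When using a real library, the same three properties matter: pass the expected algorithm explicitly, never derive it from the token, and call the verify function rather than a decode-only helper.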
DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams - Greg Anderson - ASW #312
Duration: 33:48 (also listed at 1:07:10)
All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools…
Applying Usability and Transparency to Security - Hannah Sutor - ASW #311
Duration: 1:09:42
Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and se…
Ancient Curl Bug, AWS re:Invent, Malware in NPM, Census III Report, MS OTP - ASW #311
Duration: 35:35
Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more!
00:00 - Intro & Cyber Resilience Insights
01:20 - The 25-Year-O…