About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt
AI fixes everything, C++ the actual worst, IAM is hard - ASW #308
37:14
This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us. We also discuss whether Secure by Design's goals are practical or not. OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet. Also, Watchtowr …
Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308
1:10:32
This week's interview dives deep into the state of biometrics with two Forrester Research analysts! This discussion compares and contrasts regional approaches to biometrics, examines the security challenges and benefits of their implementation, and reveals how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives …
Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements
50:20
Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always…
Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308
33:19
This week's interview dives deep into the state of biometrics with two Forrester Research analysts! This discussion compares and contrasts regional approaches to biometrics, examines the security challenges and benefits of their implementation, and reveals how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives …
Typosquatting NPM, vulnerability analysis, and AI challenges - ASW #307
35:50
This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response. Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish. Is it bad that 70% of DevSecOps professi…
Modernizing AppSec - Melinda Marks - ASW #307
1:09:29
In this week's interview, Melinda Marks joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and eve…
Modernizing AppSec - Melinda Marks - ASW #307
33:41
In this week's interview, Melinda Marks joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and eve…
Total Recall? LLM finds bug in SQLite, C++ safety failures, zero time for zero privs - ASW #306
33:29
Microsoft delays Recall AGAIN, Project Zero uses an LLM to find a buffer underflow in SQLite, the scourge of infostealer malware, zero standing privileges is easy if you have unlimited time (but no one does), reverse engineering Nintendo's Alarmo and RedBox's... boxes. Bonus: the book series mentioned in this episode, The Lost Fleet by Jack Campbell…
Bug bounties, vulnerability disclosure, PTaaS, fractional pentesting - Grant McCracken - ASW #306
32:08
After spending a decade working for appsec vendors, Grant McCracken wanted to give something back. He saw a gap in the market for free or low-cost services for smaller organizations that have real appsec needs but not a lot of means to pay for them. He founded DarkHorse, which offers VDPs and bug bounties to organizations of all sizes for free, or for…
Bug bounties, vulnerability disclosure, PTaaS, fractional pentesting - Grant McCracken - ASW #306
1:05:35
After spending a decade working for appsec vendors, Grant McCracken wanted to give something back. He saw a gap in the market for free or low-cost services for smaller organizations that have real appsec needs but not a lot of means to pay for them. He founded DarkHorse, which offers VDPs and bug bounties to organizations of all sizes for free, or for…
Protecting Identity of AI Agents & Standardizing Identity Security for SaaS Apps - Shiven Ramji, Arnab Bose - ASW #305
30:42
Generative AI has been the talk of the technology industry for the past 18+ months. Companies are seeing its value, so generative AI budgets are growing. With more and more AI agents expected in the coming years, it’s essential that we are securing how consumers interact with generative AI agents and how developers build AI agents into their apps. …
Making TLS More Secure, Lessons from IPv6, LLMs Finding Vulns - ASW #305
53:04
Better TLS implementations with Rust, fuzzing, and managing certs, appsec lessons from the everlasting transition to IPv6, LLMs for finding vulns (and whether fuzzing is better), and more! Also check out this presentation from BSides Knoxville that we talked about briefly, https://youtu.be/DLn7Noex_fc?feature=shared Show Notes: https://securityweek…
Making TLS More Secure, Lessons from IPv6, LLMs Finding Vulns - Arnab Bose, Shiven Ramji - ASW #305
1:22:48
Better TLS implementations with Rust, fuzzing, and managing certs, appsec lessons from the everlasting transition to IPv6, LLMs for finding vulns (and whether fuzzing is better), and more! Also check out this presentation from BSides Knoxville that we talked about briefly, https://youtu.be/DLn7Noex_fc?feature=shared Generative AI has been the talk …
Kayra Otaner -- DevSecOps
32:46
Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question, is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on their size. Otaner introduces the co…
François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages
45:31
François Proulx shares his discovery of security vulnerabilities in build pipelines. François has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guida…
JSON Parsing, Email Parsing, CISA's Bad Practices Guide, Abusing Disclosure Policies - ASW #304
38:34
Flaws that arise from inconsistent parsing of JSON and email addresses, CISA's guide to bad software practices, abusing a security disclosure process to take over a WordPress plugin, and more! Show Notes: https://securityweekly.com/asw-304
The Complexities, Configurations, and Challenges in Cloud Security - Scott Piper - ASW #304
38:53
Building cloud native apps doesn't mean you're immune to dealing with legacy systems. Cloud services have changed significantly over the last decade, both in the security controls available to them and the sheer volume of services that CSPs provide. Scott Piper shares some history of cloud security, the benefits of account separation, and how ratch…
The Complexities, Configurations, and Challenges in Cloud Security - Scott Piper - ASW #304
1:17:25
Building cloud native apps doesn't mean you're immune to dealing with legacy systems. Cloud services have changed significantly over the last decade, both in the security controls available to them and the sheer volume of services that CSPs provide. Scott Piper shares some history of cloud security, the benefits of account separation, and how ratch…
Perl & PHP Vulns, Fuzzing & Parsers, Protecting Multi-Hosted Tenants, Secure Design - ASW #303
42:00
Looking at vulnerable code in Ivanti (Perl) and Magento (PHP), fuzzing is perfect for parsers, handling tenant isolation when training LLMs, Microsoft's small steps towards secure design, and more! Show Notes: https://securityweekly.com/asw-303
RCE from Iconv + PHP, Fuzzing a Codec, Fuzzing LLMs, Revisiting Recall - ASW #302
37:03
The many lessons to take away from a 24-year-old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more! Show Notes: https://securityweekly.co…
The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302
35:34
Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzi…
The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302
1:12:35
Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzi…
More Car Hacks, CUPS Vulns, Microsoft's SFI, Memory Safety, Password Complexity - Farshad Abasi - ASW #301
45:57
More remote car control via web interfaces, an RCE in CUPS, Microsoft reduces attack surface, migrating to memory safety, dealing with dependency confusion, getting rid of password strength calculators, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-301…
Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications
36:32
Steve Wilson, the author of 'The Developer's Playbook for Large Language Model Security', is back to dive into topics from his book like AI hallucinations, trust, and the future of AI. Steve has been at the forefront of the explosion of activity at the intersection of AppSec, LLM, and AI. We discuss the biggest fears surrounding LLMs and AI, and exp…