))
About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
…
continue reading
About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
…
continue reading
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
…
continue reading
The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt
…
continue reading
1
PyPI's Quarantine, Phishing & Awareness, Porting Fishshell to Rust, Cyber Trust Mark - ASW #313
31:43
31:43
Spela senare
Spela senare
Listor
Gilla
Gillad
31:43
Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Show Notes: https://securityweekly.com/asw-313
…
continue reading
Milan Williams discusses the importance of application security metrics and how to make them both meaningful and actionable. She explains that metrics are crucial for tracking progress in what can often feel like an overwhelming security landscape, and they're valuable for career advancement and securing resources. We discuss metrics categories and…
…
continue reading
1
Discussing Useful Security Requirements with Developers - Ixchel Ruiz - ASW #313
1:07:41
1:07:41
Spela senare
Spela senare
Listor
Gilla
Gillad
1:07:41
There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backl…
…
continue reading
1
Discussing Useful Security Requirements with Developers - Ixchel Ruiz - ASW #313
36:04
36:04
Spela senare
Spela senare
Listor
Gilla
Gillad
36:04
There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backl…
…
continue reading
1
MO Sadek -- Building an AppSec Program from Scratch
48:50
48:50
Spela senare
Spela senare
Listor
Gilla
Gillad
48:50
Mo Sadek shares his unique journey of building an Application Security program from scratch at Roblox. Mo discusses his unconventional path, including temporarily joining the infrastructure team to truly understand engineering challenges. He emphasizes that security isn't about mandating rules, but about making processes easier and more secure by d…
…
continue reading
1
Removing Rust, Double Clickjacking, h3i CLI, JWT Mistakes, Reviewing Recursion - ASW #312
33:24
33:24
Spela senare
Spela senare
Listor
Gilla
Gillad
33:24
Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more! Show Notes: https://securityweekly.com/asw-312
…
continue reading
1
DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams - Greg Anderson - ASW #312
1:07:10
1:07:10
Spela senare
Spela senare
Listor
Gilla
Gillad
1:07:10
All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools…
…
continue reading
1
DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams - Greg Anderson - ASW #312
33:48
33:48
Spela senare
Spela senare
Listor
Gilla
Gillad
33:48
All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools…
…
continue reading
1
Applying Usability and Transparency to Security - Hannah Sutor - ASW #311
1:09:42
1:09:42
Spela senare
Spela senare
Listor
Gilla
Gillad
1:09:42
Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and se…
…
continue reading
1
Ancient Curl Bug, AWS re:Invent, Malware in NPM, Census III Report, MS OTP - ASW #311
35:35
35:35
Spela senare
Spela senare
Listor
Gilla
Gillad
35:35
Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more! 00:00 - Intro & Cyber Resilience Insights 01:20 - The 25-Year-O…
…
continue reading
1
Applying Usability and Transparency to Security - Hannah Sutor - ASW #311
34:09
34:09
Spela senare
Spela senare
Listor
Gilla
Gillad
34:09
Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and se…
…
continue reading
1
AI's Junk Vulns, Web3 Backdoor, LLM CTFs, 5 GenAI Mistakes, Top Ten for LLMs - ASW #310
29:02
29:02
Spela senare
Spela senare
Listor
Gilla
Gillad
29:02
Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more! Show Notes: https://securityweekly.com/asw-310
…
continue reading
We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage. Segment resources https://prods.ec https://owasp.org/www-project-spvs/ https://…
…
continue reading
We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage. Segment resources https://prods.ec https://owasp.org/www-project-spvs/ https://…
…
continue reading
1
Brett Crawley -- Threat Modeling Gameplay with EoP
45:28
45:28
Spela senare
Spela senare
Listor
Gilla
Gillad
45:28
Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with …
…
continue reading
1
Fuzzing Barcodes, Fuzzing with AI, AI vs. Scammers, CWEs, Repo Swatting - ASW #309
36:34
36:34
Spela senare
Spela senare
Listor
Gilla
Gillad
36:34
Fuzzing barcodes and getting projects onboarded with fuzzers, using AI to guide fuzzers, using AI to combat scammers, using CWEs for something, using malicious comments to ban repos, and more! Show Notes: https://securityweekly.com/asw-309
…
continue reading
1
Adding Observability with OpenTelemetry - Adriana Villela - ASW #309
1:10:55
1:10:55
Spela senare
Spela senare
Listor
Gilla
Gillad
1:10:55
Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload,…
…
continue reading
1
Adding Observability with OpenTelemetry - Adriana Villela - ASW #309
34:24
34:24
Spela senare
Spela senare
Listor
Gilla
Gillad
34:24
Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload,…
…
continue reading
1
AI fixes everything, C++ the actual worst, IAM is hard - ASW #308
37:14
37:14
Spela senare
Spela senare
Listor
Gilla
Gillad
37:14
This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us. We also discuss whether Secure by Design's goals are practical or not. OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet. Also, Watchtowr …
…
continue reading
1
Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308
33:19
33:19
Spela senare
Spela senare
Listor
Gilla
Gillad
33:19
This week's interview dives deep into the state of biometrics with two Forrester Research analysts! This discussion compares and contrasts regional approaches to biometrics; examine the security challenges and benefits of their implementation; and reveal how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives …
…
continue reading
1
Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308
1:10:32
1:10:32
Spela senare
Spela senare
Listor
Gilla
Gillad
1:10:32
This week's interview dives deep into the state of biometrics with two Forrester Research analysts! This discussion compares and contrasts regional approaches to biometrics; examine the security challenges and benefits of their implementation; and reveal how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives …
…
continue reading
1
Typosquatting NPM, vulnerability analysis, and AI challenges - ASW #307
35:50
35:50
Spela senare
Spela senare
Listor
Gilla
Gillad
35:50
This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response. Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish. Is it bad that 70% of DevSecOps professi…
…
continue reading
1
Modernizing AppSec - Melinda Marks - ASW #307
33:41
33:41
Spela senare
Spela senare
Listor
Gilla
Gillad
33:41
In this week's interview, Melinda Marks' joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and eve…
…
continue reading
1
Modernizing AppSec - Melinda Marks - ASW #307
1:09:29
1:09:29
Spela senare
Spela senare
Listor
Gilla
Gillad
1:09:29
In this week's interview, Melinda Marks' joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and eve…
…
continue reading
