About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

Appsec News & Interviews from RSAC on Identity and AI - Charlotte Wylie, Rami Saas - ASW #331
1:01:48
In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews f…

Secure Code Reviews, LLM Coding Assistants, and Trusting Code - Rey Bango, Karim Toubba, Gal Elbaz - ASW #330
1:09:38
Developers are relying on LLMs as coding assistants, so where are the LLM assistants for appsec? The principles behind secure code reviews don't really change based on who writes the code, whether human or AI. But more code means more reasons for appsec to scale its practices and figure out how to establish trust in code, packages, and designs. Rey …

AI Era, New Risks: How Data-Centric Security Reduces Emerging AppSec Threats - Vishal Gupta, Idan Plotnik - ASW #329
1:03:03
We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass a…

Secure Designs, UX Dragons, Vuln Dungeons - Jack Cable - ASW #328
44:08
In this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons. But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable joi…

Managing Secrets - Vlad Matsiiako - ASW #327
1:03:03
Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user…

More WAFs in Blocking Mode and More Security Headaches from LLMs - Sandy Carielli, Janet Worthington - ASW #326
1:14:45
The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentic…

In Search of Secure Design - ASW #325
1:07:36
We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement around supply chains, authentication, and the SDLC. Those p…

Avoiding Appsec's Worst Practices - ASW #324
1:11:19
We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We s…

Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
54:08
LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss…

Redlining the Smart Contract Top 10 - Shashank - ASW #322
53:01
The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Res…

Skype Hangs Up, Android Backdoors, Jailbreak Research, Pretend AirTags, Wallbleed - ASW #321
33:17
Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Show Notes: https://securityweekly.com/asw-321

CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321
40:34
Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizi…

CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321
1:13:50
Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizi…

QR Codes Replacing SMS, MS Pulls VSCode Extension, Threat Modeling, Bybit Hack - ASW #320
33:55
Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Show Notes: https://securityweekly.com/asw-320

Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320
1:09:02
Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects …

Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320
35:08
Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects …