About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
…
continue reading
Applicationsecurityweekly Podcasts
About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
…
continue reading

1
Changing the Vuln Conversation from Volume to Remediation - Francesco Cipollone - ASW #350
1:14:32
1:14:32
Play later
Play later
Lists
Like
Liked
1:14:32Dealing with vulns tends to be a discussion about prioritization. After all, there a tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs …
…
continue reading

1
Changing the Vuln Conversation from Volume to Remediation - Francesco Cipollone - ASW #350
1:14:32
1:14:32
Play later
Play later
Lists
Like
Liked
1:14:32Dealing with vulns tends to be a discussion about prioritization. After all, there a tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs …
…
continue reading

1
Design Errors in Entra ID, Design Defenses in iOS, Design Difficulties in DeepSeek - ASW #349
58:43
58:43
Play later
Play later
Lists
Like
Liked
58:43In the news, Microsoft encounters a new cascade of avoidable errors with Entra ID, Apple improves iOS with hardware-backed memory safety, DeepSeek demonstrates the difficulty in reviewing models, curl reduces risk by eliminating code, preserving the context of code reviews, and more! Show Notes: https://securityweekly.com/asw-349…
…
continue reading

1
Design Errors in Entra ID, Design Defenses in iOS, Design Difficulties in DeepSeek - ASW #349
58:43
58:43
Play later
Play later
Lists
Like
Liked
58:43In the news, Microsoft encounters a new cascade of avoidable errors with Entra ID, Apple improves iOS with hardware-backed memory safety, DeepSeek demonstrates the difficulty in reviewing models, curl reduces risk by eliminating code, preserving the context of code reviews, and more! Visit https://www.securityweekly.com/asw for all the latest episo…
…
continue reading

1
How OWASP's GenAI Security Project keeps up with the pace of AI/Agentic changes - Scott Clinton - ASW #348
1:08:00
1:08:00
Play later
Play later
Lists
Like
Liked
1:08:00This week, we chat with Scott Clinton, board member and co-chain of the OWASP GenAI Security Project. This project has become a massive organization within OWASP with hundreds of volunteers and thousands of contributors. This team has been cranking out new tools, reports and guidance for practitioners month after month for over a year now. We start…
…
continue reading

1
How OWASP's GenAI Security Project keeps up with the pace of AI/Agentic changes - Scott Clinton - ASW #348
1:08:00
1:08:00
Play later
Play later
Lists
Like
Liked
1:08:00This week, we chat with Scott Clinton, board member and co-chain of the OWASP GenAI Security Project. This project has become a massive organization within OWASP with hundreds of volunteers and thousands of contributors. This team has been cranking out new tools, reports and guidance for practitioners month after month for over a year now. We start…
…
continue reading

1
Limitations and Liabilities of LLM Coding - Ted Shorter, Seemant Sehgal - ASW #347
1:17:09
1:17:09
Play later
Play later
Lists
Like
Liked
1:17:09Up first, the ASW news of the week. At Black Hat 2025, Doug White interviews Ted Shorter, CTO of Keyfactor, about the quantum revolution already knocking on cybersecurity’s door. They discuss the terrifying reality of quantum computing’s power to break RSA and ECC encryption—the very foundations of modern digital life. With 2030 set as the deadline…
…
continue reading

1
Limitations and Liabilities of LLM Coding - Seemant Sehgal, Ted Shorter - ASW #347
1:17:09
1:17:09
Play later
Play later
Lists
Like
Liked
1:17:09Up first, the ASW news of the week. At Black Hat 2025, Doug White interviews Ted Shorter, CTO of Keyfactor, about the quantum revolution already knocking on cybersecurity’s door. They discuss the terrifying reality of quantum computing’s power to break RSA and ECC encryption—the very foundations of modern digital life. With 2030 set as the deadline…
…
continue reading

1
AI, APIs, and the Next Cyber Battleground: Black Hat 2025 - Chris Boehm, Idan Plotnik, Josh Lemos, Michael Callahan - ASW #346
1:08:11
1:08:11
Play later
Play later
Lists
Like
Liked
1:08:11In this must-see BlackHat 2025 interview, Doug White sits down with Michael Callahan, CMO at Salt Security, for a high-stakes conversation about Agentic AI, Model Context Protocol (MCP) servers, and the massive API security risks reshaping the cyber landscape. Broadcast live from the CyberRisk TV studio at Mandalay Bay, Las Vegas, the discussion pu…
…
continue reading

1
AI, APIs, and the Next Cyber Battleground: Black Hat 2025 - Michael Callahan, Idan Plotnik, Josh Lemos, Chris Boehm - ASW #346
1:08:11
1:08:11
Play later
Play later
Lists
Like
Liked
1:08:11In this must-see BlackHat 2025 interview, Doug White sits down with Michael Callahan, CMO at Salt Security, for a high-stakes conversation about Agentic AI, Model Context Protocol (MCP) servers, and the massive API security risks reshaping the cyber landscape. Broadcast live from the CyberRisk TV studio at Mandalay Bay, Las Vegas, the discussion pu…
…
continue reading

1
Translating Security Regulations into Secure Projects - Emily Fox, Roman Zhukov - ASW #345
1:13:31
1:13:31
Play later
Play later
Lists
Like
Liked
1:13:31The EU Cyber Resilience Act joins the long list of regulations intended to improve the security of software delivered to users. Emily Fox and Roman Zhukov share their experience education regulators on open source software and educating open source projects on security. They talk about creating a baseline for security that addresses technical items…
…
continue reading

1
Translating Security Regulations into Secure Projects - Roman Zhukov, Emily Fox - ASW #345
1:13:31
1:13:31
Play later
Play later
Lists
Like
Liked
1:13:31The EU Cyber Resilience Act joins the long list of regulations intended to improve the security of software delivered to users. Emily Fox and Roman Zhukov share their experience education regulators on open source software and educating open source projects on security. They talk about creating a baseline for security that addresses technical items…
…
continue reading

1
Managing the Minimization of a Container Attack Surface - Neil Carpenter - ASW #344
1:08:17
1:08:17
Play later
Play later
Lists
Like
Liked
1:08:17A smaller attack surface should lead to a smaller list of CVEs to track, which in turn should lead to a smaller set of vulns that you should care about. But in practice, keeping something like a container image small has a lot of challenges in terms of what should be considered minimal. Neil Carpenter shares advice and anecdotes on what it takes to…
…
continue reading

1
Managing the Minimization of a Container Attack Surface - Neil Carpenter - ASW #344
1:08:17
1:08:17
Play later
Play later
Lists
Like
Liked
1:08:17A smaller attack surface should lead to a smaller list of CVEs to track, which in turn should lead to a smaller set of vulns that you should care about. But in practice, keeping something like a container image small has a lot of challenges in terms of what should be considered minimal. Neil Carpenter shares advice and anecdotes on what it takes to…
…
continue reading

1
The Future of Supply Chain Security - Janet Worthington - ASW #343
42:13
42:13
Play later
Play later
Lists
Like
Liked
42:13Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most…
…
continue reading

1
The Future of Supply Chain Security - Janet Worthington - ASW #343
42:13
42:13
Play later
Play later
Lists
Like
Liked
42:13Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most…
…
continue reading

1
Uniting software development and application security - Jonathan Schneider, Will Vandevanter - ASW #342
58:07
58:07
Play later
Play later
Lists
Like
Liked
58:07Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build con…
…
continue reading

1
Uniting software development and application security - Will Vandevanter, Jonathan Schneider - ASW #342
58:07
58:07
Play later
Play later
Lists
Like
Liked
58:07Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build con…
…
continue reading

1
How Product-Led Security Leads to Paved Roads - Julia Knecht - ASW #341
1:04:11
1:04:11
Play later
Play later
Lists
Like
Liked
1:04:11A successful strategy in appsec is to build platforms with defaults and designs that ease the burden of security choices for developers. But there's an important difference between expecting (or requiring!) developers to use a platform and building a platform that developers embrace. Julia Knecht shares her experience in building platforms with an …
…
continue reading

1
How Product-Led Security Leads to Paved Roads - Julia Knecht - ASW #341
1:04:11
1:04:11
Play later
Play later
Lists
Like
Liked
1:04:11A successful strategy in appsec is to build platforms with defaults and designs that ease the burden of security choices for developers. But there's an important difference between expecting (or requiring!) developers to use a platform and building a platform that developers embrace. Julia Knecht shares her experience in building platforms with an …
…
continue reading

1
Rise of Compromised LLMs - Sohrob Kazerounian - ASW #340
1:06:35
1:06:35
Play later
Play later
Lists
Like
Liked
1:06:35AI is more than LLMs. Machine learning algorithms have been part of infosec solutions for a long time. For appsec practitioners, a key concern is always going to be how to evaluate the security of software or a system. In some cases, it doesn't matter if a human or an LLM generated code -- the code needs to be reviewed for common flaws and design p…
…
continue reading

1
Rise of Compromised LLMs - Sohrob Kazerounian - ASW #340
1:06:35
1:06:35
Play later
Play later
Lists
Like
Liked
1:06:35AI is more than LLMs. Machine learning algorithms have been part of infosec solutions for a long time. For appsec practitioners, a key concern is always going to be how to evaluate the security of software or a system. In some cases, it doesn't matter if a human or an LLM generated code -- the code needs to be reviewed for common flaws and design p…
…
continue reading

1
Getting Started with Security Basics on the Way to Finding a Specialization - ASW #339
1:07:50
1:07:50
Play later
Play later
Lists
Like
Liked
1:07:50What are some appsec basics? There's no monolithic appsec role. Broadly speaking, appsec tends to branch into engineering or compliance paths, each with different areas of focus despite having shared vocabularies and the (hopefully!) shared goal of protecting software, data, and users. The better question is, "What do you want to secure?" We discus…
…
continue reading

1
Getting Started with Security Basics on the Way to Finding a Specialization - ASW #339
1:07:50
1:07:50
Play later
Play later
Lists
Like
Liked
1:07:50What are some appsec basics? There's no monolithic appsec role. Broadly speaking, appsec tends to branch into engineering or compliance paths, each with different areas of focus despite having shared vocabularies and the (hopefully!) shared goal of protecting software, data, and users. The better question is, "What do you want to secure?" We discus…
…
continue reading

1
Checking in on the State of Appsec in 2025 - Janet Worthington, Sandy Carielli - ASW #338
1:07:15
1:07:15
Play later
Play later
Lists
Like
Liked
1:07:15Appsec still deals with ancient vulns like SQL injection and XSS. And now LLMs are generating code along side humans. Sandy Carielli and Janet Worthington join us once again to discuss what all this new code means for appsec practices. On a positive note, the prevalence of those ancient vulns seems to be diminishing, but the rising use of LLMs is e…
…
continue reading

1
Checking in on the State of Appsec in 2025 - Sandy Carielli, Janet Worthington - ASW #338
1:07:15
1:07:15
Play later
Play later
Lists
Like
Liked
1:07:15Appsec still deals with ancient vulns like SQL injection and XSS. And now LLMs are generating code along side humans. Sandy Carielli and Janet Worthington join us once again to discuss what all this new code means for appsec practices. On a positive note, the prevalence of those ancient vulns seems to be diminishing, but the rising use of LLMs is e…
…
continue reading