About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
…
continue reading
Applicationsecurityweekly Podcasts
About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
…
continue reading
1
Secure Coding as Critical Thinking Instead of Vulnspotting - Matias Madou - ASW #357
1:03:41
1:03:41
Play later
Play later
Lists
Like
Liked
1:03:41
Secure code should be grounded more in concepts like secure by default and secure by design than by "spot the vuln" thinking. Matias Madou shares his experience in secure coding training and the importance of teaching critical thinking. He also discusses why critical thinking is so closely related to threat modeling and how LLMs can be a tool for h…
…
continue reading
1
Secure Coding as Critical Thinking Instead of Vulnspotting - Matias Madou - ASW #357
1:03:41
1:03:41
Play later
Play later
Lists
Like
Liked
1:03:41
Secure code should be grounded more in concepts like secure by default and secure by design than by "spot the vuln" thinking. Matias Madou shares his experience in secure coding training and the importance of teaching critical thinking. He also discusses why critical thinking is so closely related to threat modeling and how LLMs can be a tool for h…
…
continue reading
1
Ransomware, Defaults, and Proactive Defenses - Rob Allen - ASW #356
1:11:26
1:11:26
Play later
Play later
Lists
Like
Liked
1:11:26
Just how bad can things get if someone clicks on a link? Rob Allen joins us again to talk about ransomware, why putting too much attention on clicking links misses the larger picture of effective defenses, and what orgs can do to prepare for an influx of holiday-infused ransomware targeting. Segment resources https://www.bleepingcomputer.com/news/s…
…
continue reading
1
Ransomware, Defaults, and Proactive Defenses - Rob Allen - ASW #356
1:11:26
1:11:26
Play later
Play later
Lists
Like
Liked
1:11:26
Just how bad can things get if someone clicks on a link? Rob Allen joins us again to talk about ransomware, why putting too much attention on clicking links misses the larger picture of effective defenses, and what orgs can do to prepare for an influx of holiday-infused ransomware targeting. Segment resources https://www.bleepingcomputer.com/news/s…
…
continue reading
1
Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355
1:08:08
1:08:08
Play later
Play later
Lists
Like
Liked
1:08:08
Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits…
…
continue reading
1
Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355
1:08:08
1:08:08
Play later
Play later
Lists
Like
Liked
1:08:08
Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits…
…
continue reading
1
Quantum Computing Isn't A Threat To Blockchains - Yet - Martha Bennett, Sandy Carielli - ASW #354
58:52
58:52
Play later
Play later
Lists
Like
Liked
58:52
The post quantum encryption migration is going to be a challenge, but how much of a challenge? There are several reasons why it is different from every other protocol and cypher iteration in the past. Is today's hardware up to the task? Is it just swapping out a library, or is there more to it? What is the extent of software, systems, and architect…
…
continue reading
1
Quantum Computing Isn't A Threat To Blockchains - Yet - Sandy Carielli, Martha Bennett - ASW #354
58:52
58:52
Play later
Play later
Lists
Like
Liked
58:52
The post quantum encryption migration is going to be a challenge, but how much of a challenge? There are several reasons why it is different from every other protocol and cypher iteration in the past. Is today's hardware up to the task? Is it just swapping out a library, or is there more to it? What is the extent of software, systems, and architect…
…
continue reading
1
Reacting to Ransomware and Setting Secure Defaults - Rob Allen - ASW #353
1:03:39
1:03:39
Play later
Play later
Lists
Like
Liked
1:03:39
Ransomware attacks typically don't care about memory safety and dependency scanning, they often target old, unpatched vulns and too often they succeed. Rob Allen shares some of the biggest cases he's seen, what they have in common, and what appsec teams could do better to help them. Too much software still requires custom configuration to make it m…
…
continue reading
1
Reacting to Ransomware and Setting Secure Defaults - Rob Allen - ASW #353
1:03:39
1:03:39
Play later
Play later
Lists
Like
Liked
1:03:39
Ransomware attacks typically don't care about memory safety and dependency scanning, they often target old, unpatched vulns and too often they succeed. Rob Allen shares some of the biggest cases he's seen, what they have in common, and what appsec teams could do better to help them. Too much software still requires custom configuration to make it m…
…
continue reading
1
Inside the OWASP GenAI Security Project - Steve Wilson - ASW #352
1:07:32
1:07:32
Play later
Play later
Lists
Like
Liked
1:07:32
Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. W…
…
continue reading
1
Inside the OWASP GenAI Security Project - Steve Wilson - ASW #352
1:07:32
1:07:32
Play later
Play later
Lists
Like
Liked
1:07:32
Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. W…
…
continue reading
1
Finding Large Bounties with Large Language Models - Nico Waisman - ASW #351
53:52
53:52
Play later
Play later
Lists
Like
Liked
53:52
…
continue reading
1
Finding Large Bounties with Large Language Models - Nico Waisman - ASW #351
53:52
53:52
Play later
Play later
Lists
Like
Liked
53:52
…
continue reading
1
Changing the Vuln Conversation from Volume to Remediation - Francesco Cipollone - ASW #350
1:14:32
1:14:32
Play later
Play later
Lists
Like
Liked
1:14:32
Dealing with vulns tends to be a discussion about prioritization. After all, there a tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs …
…
continue reading
1
Changing the Vuln Conversation from Volume to Remediation - Francesco Cipollone - ASW #350
1:14:32
1:14:32
Play later
Play later
Lists
Like
Liked
1:14:32
Dealing with vulns tends to be a discussion about prioritization. After all, there a tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs …
…
continue reading
1
Design Errors in Entra ID, Design Defenses in iOS, Design Difficulties in DeepSeek - ASW #349
58:43
58:43
Play later
Play later
Lists
Like
Liked
58:43
In the news, Microsoft encounters a new cascade of avoidable errors with Entra ID, Apple improves iOS with hardware-backed memory safety, DeepSeek demonstrates the difficulty in reviewing models, curl reduces risk by eliminating code, preserving the context of code reviews, and more! Visit https://www.securityweekly.com/asw for all the latest episo…
…
continue reading
1
Design Errors in Entra ID, Design Defenses in iOS, Design Difficulties in DeepSeek - ASW #349
58:43
58:43
Play later
Play later
Lists
Like
Liked
58:43
In the news, Microsoft encounters a new cascade of avoidable errors with Entra ID, Apple improves iOS with hardware-backed memory safety, DeepSeek demonstrates the difficulty in reviewing models, curl reduces risk by eliminating code, preserving the context of code reviews, and more! Show Notes: https://securityweekly.com/asw-349…
…
continue reading
1
How OWASP's GenAI Security Project keeps up with the pace of AI/Agentic changes - Scott Clinton - ASW #348
1:08:00
1:08:00
Play later
Play later
Lists
Like
Liked
1:08:00
This week, we chat with Scott Clinton, board member and co-chain of the OWASP GenAI Security Project. This project has become a massive organization within OWASP with hundreds of volunteers and thousands of contributors. This team has been cranking out new tools, reports and guidance for practitioners month after month for over a year now. We start…
…
continue reading
1
How OWASP's GenAI Security Project keeps up with the pace of AI/Agentic changes - Scott Clinton - ASW #348
1:08:00
1:08:00
Play later
Play later
Lists
Like
Liked
1:08:00
This week, we chat with Scott Clinton, board member and co-chain of the OWASP GenAI Security Project. This project has become a massive organization within OWASP with hundreds of volunteers and thousands of contributors. This team has been cranking out new tools, reports and guidance for practitioners month after month for over a year now. We start…
…
continue reading
1
Limitations and Liabilities of LLM Coding - Ted Shorter, Seemant Sehgal - ASW #347
1:17:09
1:17:09
Play later
Play later
Lists
Like
Liked
1:17:09
Up first, the ASW news of the week. At Black Hat 2025, Doug White interviews Ted Shorter, CTO of Keyfactor, about the quantum revolution already knocking on cybersecurity's door. They discuss the terrifying reality of quantum computing's power to break RSA and ECC encryption—the very foundations of modern digital life. With 2030 set as the deadline…
…
continue reading
1
Limitations and Liabilities of LLM Coding - Seemant Sehgal, Ted Shorter - ASW #347
1:17:09
1:17:09
Play later
Play later
Lists
Like
Liked
1:17:09
Up first, the ASW news of the week. At Black Hat 2025, Doug White interviews Ted Shorter, CTO of Keyfactor, about the quantum revolution already knocking on cybersecurity's door. They discuss the terrifying reality of quantum computing's power to break RSA and ECC encryption—the very foundations of modern digital life. With 2030 set as the deadline…
…
continue reading
1
AI, APIs, and the Next Cyber Battleground: Black Hat 2025 - Chris Boehm, Idan Plotnik, Josh Lemos, Michael Callahan - ASW #346
1:08:11
1:08:11
Play later
Play later
Lists
Like
Liked
1:08:11
In this must-see BlackHat 2025 interview, Doug White sits down with Michael Callahan, CMO at Salt Security, for a high-stakes conversation about Agentic AI, Model Context Protocol (MCP) servers, and the massive API security risks reshaping the cyber landscape. Broadcast live from the CyberRisk TV studio at Mandalay Bay, Las Vegas, the discussion pu…
…
continue reading
1
AI, APIs, and the Next Cyber Battleground: Black Hat 2025 - Michael Callahan, Idan Plotnik, Josh Lemos, Chris Boehm - ASW #346
1:08:11
1:08:11
Play later
Play later
Lists
Like
Liked
1:08:11
In this must-see BlackHat 2025 interview, Doug White sits down with Michael Callahan, CMO at Salt Security, for a high-stakes conversation about Agentic AI, Model Context Protocol (MCP) servers, and the massive API security risks reshaping the cyber landscape. Broadcast live from the CyberRisk TV studio at Mandalay Bay, Las Vegas, the discussion pu…
…
continue reading
1
Translating Security Regulations into Secure Projects - Roman Zhukov, Emily Fox - ASW #345
1:13:31
1:13:31
Play later
Play later
Lists
Like
Liked
1:13:31
The EU Cyber Resilience Act joins the long list of regulations intended to improve the security of software delivered to users. Emily Fox and Roman Zhukov share their experience education regulators on open source software and educating open source projects on security. They talk about creating a baseline for security that addresses technical items…
…
continue reading
1
Translating Security Regulations into Secure Projects - Emily Fox, Roman Zhukov - ASW #345
1:13:31
1:13:31
Play later
Play later
Lists
Like
Liked
1:13:31
The EU Cyber Resilience Act joins the long list of regulations intended to improve the security of software delivered to users. Emily Fox and Roman Zhukov share their experience education regulators on open source software and educating open source projects on security. They talk about creating a baseline for security that addresses technical items…
…
continue reading
