Best Attack Surface Management Podcasts (2025)

1
Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355 1:08:08

Play Pause

6d ago1:08:08

1:08:08

Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits…

1
Quantum Computing Isn't A Threat To Blockchains - Yet - Sandy Carielli, Martha Bennett - ASW #354 58:52

14d ago58:52

58:52

The post quantum encryption migration is going to be a challenge, but how much of a challenge? There are several reasons why it is different from every other protocol and cypher iteration in the past. Is today's hardware up to the task? Is it just swapping out a library, or is there more to it? What is the extent of software, systems, and architect…

1
Reacting to Ransomware and Setting Secure Defaults - Rob Allen - ASW #353 1:03:39

21d ago1:03:39

1:03:39

Ransomware attacks typically don't care about memory safety and dependency scanning, they often target old, unpatched vulns and too often they succeed. Rob Allen shares some of the biggest cases he's seen, what they have in common, and what appsec teams could do better to help them. Too much software still requires custom configuration to make it m…

1
Inside the OWASP GenAI Security Project - Steve Wilson - ASW #352 1:07:32

23d ago1:07:32

1:07:32

Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. W…

1
Finding Large Bounties with Large Language Models - Nico Waisman - ASW #351 53:52

1M ago53:52

53:52

1
Changing the Vuln Conversation from Volume to Remediation - Francesco Cipollone - ASW #350 1:14:32

1M ago1:14:32

1:14:32

Dealing with vulns tends to be a discussion about prioritization. After all, there a tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs …

1
20. Ransomware Landscape Update: More Groups, More Victims 50:04

1M ago50:04

50:04

In this episode of The Dark Dive we check in on the ransomware landscape, following major developments identified by the Searchlight Cyber threat intelligence team. Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, shares trends that his team has identified from the dark web in 2025 including: an escalation in the number of ransomware…

1
Design Errors in Entra ID, Design Defenses in iOS, Design Difficulties in DeepSeek - ASW #349 58:43

1M ago58:43

58:43

In the news, Microsoft encounters a new cascade of avoidable errors with Entra ID, Apple improves iOS with hardware-backed memory safety, DeepSeek demonstrates the difficulty in reviewing models, curl reduces risk by eliminating code, preserving the context of code reviews, and more! Show Notes: https://securityweekly.com/asw-349…

1
How OWASP's GenAI Security Project keeps up with the pace of AI/Agentic changes - Scott Clinton - ASW #348 1:08:00

2M ago1:08:00

1:08:00

This week, we chat with Scott Clinton, board member and co-chain of the OWASP GenAI Security Project. This project has become a massive organization within OWASP with hundreds of volunteers and thousands of contributors. This team has been cranking out new tools, reports and guidance for practitioners month after month for over a year now. We start…

1
Limitations and Liabilities of LLM Coding - Ted Shorter, Seemant Sehgal - ASW #347 1:17:09

2M ago1:17:09

1:17:09

Up first, the ASW news of the week. At Black Hat 2025, Doug White interviews Ted Shorter, CTO of Keyfactor, about the quantum revolution already knocking on cybersecurity's door. They discuss the terrifying reality of quantum computing's power to break RSA and ECC encryption—the very foundations of modern digital life. With 2030 set as the deadline…

1
AI, APIs, and the Next Cyber Battleground: Black Hat 2025 - Michael Callahan, Idan Plotnik, Josh Lemos, Chris Boehm - ASW #346 1:08:11

2M ago1:08:11

1:08:11

In this must-see BlackHat 2025 interview, Doug White sits down with Michael Callahan, CMO at Salt Security, for a high-stakes conversation about Agentic AI, Model Context Protocol (MCP) servers, and the massive API security risks reshaping the cyber landscape. Broadcast live from the CyberRisk TV studio at Mandalay Bay, Las Vegas, the discussion pu…

1
Translating Security Regulations into Secure Projects - Emily Fox, Roman Zhukov - ASW #345 1:13:31

3M ago1:13:31

1:13:31

The EU Cyber Resilience Act joins the long list of regulations intended to improve the security of software delivered to users. Emily Fox and Roman Zhukov share their experience education regulators on open source software and educating open source projects on security. They talk about creating a baseline for security that addresses technical items…

1
Managing the Minimization of a Container Attack Surface - Neil Carpenter - ASW #344 1:08:17

3M ago1:08:17

1:08:17

A smaller attack surface should lead to a smaller list of CVEs to track, which in turn should lead to a smaller set of vulns that you should care about. But in practice, keeping something like a container image small has a lot of challenges in terms of what should be considered minimal. Neil Carpenter shares advice and anecdotes on what it takes to…

1
The Future of Supply Chain Security - Janet Worthington - ASW #343 42:13

3M ago42:13

42:13

Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most…

1
Uniting software development and application security - Jonathan Schneider, Will Vandevanter - ASW #342 58:07

3M ago58:07

58:07

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build con…

1
How Product-Led Security Leads to Paved Roads - Julia Knecht - ASW #341 1:04:11

3M ago1:04:11

1:04:11

A successful strategy in appsec is to build platforms with defaults and designs that ease the burden of security choices for developers. But there's an important difference between expecting (or requiring!) developers to use a platform and building a platform that developers embrace. Julia Knecht shares her experience in building platforms with an …

1
Rise of Compromised LLMs - Sohrob Kazerounian - ASW #340 1:06:35

4M ago1:06:35

1:06:35

AI is more than LLMs. Machine learning algorithms have been part of infosec solutions for a long time. For appsec practitioners, a key concern is always going to be how to evaluate the security of software or a system. In some cases, it doesn't matter if a human or an LLM generated code -- the code needs to be reviewed for common flaws and design p…

1
19. A Deep Dive Into The LockBit Data Leaks 40:38

4M ago40:38

40:38

On May 7th, 2025 the notorious ransomware group LockBit’s dark web leak site displayed an unusual message: “Don’t do crime, crime is bad xoxo from Prague”. Alongside this text was the link to an archive file, containing data that appeared to have been stolen from the LockBit ransomware group itself. In this month's episode of The Dark Dive, members…

1
Getting Started with Security Basics on the Way to Finding a Specialization - ASW #339 1:07:50

4M ago1:07:50

1:07:50

What are some appsec basics? There's no monolithic appsec role. Broadly speaking, appsec tends to branch into engineering or compliance paths, each with different areas of focus despite having shared vocabularies and the (hopefully!) shared goal of protecting software, data, and users. The better question is, "What do you want to secure?" We discus…

1
Checking in on the State of Appsec in 2025 - Sandy Carielli, Janet Worthington - ASW #338 1:07:15

4M ago1:07:15

1:07:15

Appsec still deals with ancient vulns like SQL injection and XSS. And now LLMs are generating code along side humans. Sandy Carielli and Janet Worthington join us once again to discuss what all this new code means for appsec practices. On a positive note, the prevalence of those ancient vulns seems to be diminishing, but the rising use of LLMs is e…

1
Simple Patterns for Complex Secure Code Reviews - Louis Nyffenegger - ASW #337 38:26

4M ago38:26

38:26

Manual secure code reviews can be tedious and time intensive if you're just going through checklists. There's plenty of room for linters and compilers and all the grep-like tools to find flaws. Louis Nyffenegger describes the steps of a successful code review process. It's a process that starts with understanding code, which can even benefit from a…

1
18. ASM in the Age of CTEM 56:28

5M ago56:28

56:28

This month's episode of The Dark Dive revisits the topic of Attack Surface Management. In particular, how it relates to a relatively new cybersecurity term, CTEM: Continuous Threat Exposure Management. In a lively discussion, guests Michael Gianarakis and Ben Jones help define CTEM, a security process that has quickly gained traction thanks to bein…

1
How Fuzzing Barcodes Raises the Bar for Secure Code - Artur Cygan - ASW #336 1:01:18

5M ago1:01:18

1:01:18

Fuzzing has been one of the most successful ways to improve software quality. And it demonstrates how improving software quality improves security. Artur Cygan shares his experience in building and applying fuzzers to barcode scanners, smart contracts, and just about any code you can imagine. We go through the useful relationship between unit tests…

1
Threat Modeling With Good Questions and Without Checklists - Farshad Abasi - ASW #335 1:08:00

5M ago1:08:00

1:08:00

What makes a threat modeling process effective? Do you need a long list of threat actors? Do you need a long list of terms? What about a short list like STRIDE? Has an effective process ever come out of a list? Farshad Abasi joins our discussion as we explain why the answer to most of those questions is No and describe the kinds of approaches that …

1
Bringing CISA's Secure by Design Principles to OT Systems - Matthew Rogers - ASW #334 1:09:09

5M ago1:09:09

1:09:09

CISA has been championing Secure by Design principles. Many of the principles are universal, like adopting MFA and having opinionated defaults that reduce the need for hardening guides. Matthew Rogers talks about how the approach to Secure by Design has to be tailored for Operational Technology (OT) systems. These systems have strict requirements o…

1
AIs, MCPs, and the Acutal Work that LLMs Are Generating - ASW #333 39:06

5M ago39:06

39:06

The recent popularity of MCPs is surpassed only by the recent examples deficiencies of their secure design. The most obvious challenge is how MCPs, and many more general LLM use cases, have erased two decades of security principles behind separating code and data. We take a look at how developers are using LLMs to generate code and continue our sea…

1
AI in AppSec: Agentic Tools, Vibe Coding Risks & Securing Non-Human Identities - Mo Aboul-Magd, Brian Fox, Mark Lambert, Shahar Man - ASW #332 1:04:35

6M ago1:04:35

1:04:35

ArmorCode unveils Anya—the first agentic AI virtual security champion designed specifically for AppSec and product security teams. Anya brings together conversation and context to help AppSec, developers and security teams cut through the noise, prioritize risks, and make faster, smarter decisions across code, cloud, and infrastructure. Built into …

1
Appsec News & Interviews from RSAC on Identity and AI - Charlotte Wylie, Rami Saas - ASW #331 1:01:48

6M ago1:01:48

1:01:48

In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews f…

1
17. Hacktivism 46:43

6M ago46:43

46:43

This month's episode of The Dark Dive tackles the thorny issue of hacktivism: hackers that are driven by ideological - rather than financial - motivations. Threat intelligence experts Luke Donovan and Vlad join the podcast to discuss how hacktivism has evolved from the "digital utopia" era, to the anti-establishment antics of Anonymous, to the stat…

1
Secure Code Reviews, LLM Coding Assistants, and Trusting Code - Rey Bango, Karim Toubba, Gal Elbaz - ASW #330 1:09:38

6M ago1:09:38

1:09:38

Developers are relying on LLMs as coding assistants, so where are the LLM assistants for appsec? The principles behind secure code reviews don't really change based on who write the code, whether human or AI. But more code means more reasons for appsec to scale its practices and figure out how to establish trust in code, packages, and designs. Rey …

1
AI Era, New Risks: How Data-Centric Security Reduces Emerging AppSec Threats - Idan Plotnik, Vishal Gupta - ASW #329 1:03:03

6M ago1:03:03

1:03:03

We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass a…

1
Secure Designs, UX Dragons, Vuln Dungeons - Jack Cable - ASW #328 44:08

6M ago44:08

44:08

In this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons. But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable joi…

1
Managing Secrets - Vlad Matsiiako - ASW #327 1:03:03

7M ago1:03:03

1:03:03

Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user…

1
More WAFs in Blocking Mode and More Security Headaches from LLMs - Sandy Carielli, Janet Worthington - ASW #326 1:14:45

7M ago1:14:45

1:14:45

The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentic…

1
In Search of Secure Design - ASW #325 1:07:36

7M ago1:07:36

1:07:36

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those p…

1
16. Attack Surface Management 101 48:06

7M ago48:06

48:06

This bumper episode of The Dark Dive features no fewer than four co-founders, as the CEO and CTO of Searchlight Cyber (Ben Jones and Gareth Owenson) are joined by their counterparts from the Attack Surface Management company Assetnote (Michael Gianarakis and Shubham Shah). Together, we discuss the background of Assetnote and origins of its founders…

1
Avoiding Appsec's Worst Practices - ASW #324 1:11:19

7M ago1:11:19

1:11:19

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We s…

1
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323 54:08

8M ago54:08

54:08

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss…

1
Redlining the Smart Contract Top 10 - Shashank - ASW #322 53:01

8M ago53:01

53:01

The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Res…

1
15. Dark Web Threats Against Individuals 48:41

8M ago48:41

48:41

In this episode of The Dark Dive we look at how specific individuals - Executives, VIPs, and high-net worths - are targeted by cybercriminals and on the dark web. Ahead of the launch of their Digital Footprint Review service, NCC Group's Matt Hull joins us to discuss the threats facing individuals - including social engineering and Business Email C…

1
Skype Hangs Up, Android Backdoors, Jailbreak Research, Pretend AirTags, Wallbleed - ASW #321 33:17

8M ago33:17

33:17

Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Show Notes: https://securityweekly.com/asw-321

1
CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321 40:34

8M ago40:34

40:34

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizi…

1
QR Codes Replacing SMS, MS Pulls VSCode Extension, Threat Modeling, Bybit Hack - ASW #320 33:55

8M ago33:55

33:55

Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Show Notes: https://securityweekly.com/asw-320

1
Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320 35:08

8M ago35:08

35:08

Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects …

1
Regex DoS, LLM Backdoors, Secure AI Architectures, Rust Survey - ASW #319 36:26

9M ago36:26

36:26

Applying forgivable vs. unforgivable criteria to reDoS vulns, what backdoors in LLMs mean for trust in building software, considering some secure AI architectures to minimize prompt injection impact, developer reactions to Rust, and more! Show Notes: https://securityweekly.com/asw-319

1
Developer Environments, Developer Experience, and Security - Dan Moore - ASW #319 33:56

9M ago33:56

33:56

Minimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of th…

1
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318 44:57

9M ago44:57

44:57

We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after ye…

1
14. The Dark Web in 2025 54:11

9M ago54:11

54:11

In the first episode back of the year we've assembled two of Searchlight Cyber's threat intelligence experts to give their take on what we can expect from the dark web in 2025. Louise Ferrett and Luke Donovan say what they think 2024 will be remembered for, choose one news story that might have gone under the radar, and (are forced into) making a p…

1
Unforgivable Vulns, DeepSeek iOS App Security Flaws, Memory Safety Standards - ASW #317 35:52

9M ago35:52

35:52

Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more! Show Notes: https://securityweekly.com/asw-317

1
Code Scanning That Works With Your Code - Scott Norberg - ASW #317 37:01

9M ago37:01

37:01

Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner …