About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
…
continue reading

1
Bringing CISA's Secure by Design Principles to OT Systems - Matthew Rogers - ASW #334
1:09:09
1:09:09
Play later
Play later
Lists
Like
Liked
1:09:09CISA has been championing Secure by Design principles. Many of the principles are universal, like adopting MFA and having opinionated defaults that reduce the need for hardening guides. Matthew Rogers talks about how the approach to Secure by Design has to be tailored for Operational Technology (OT) systems. These systems have strict requirements o…
…
continue reading

1
AIs, MCPs, and the Acutal Work that LLMs Are Generating - ASW #333
39:06
39:06
Play later
Play later
Lists
Like
Liked
39:06The recent popularity of MCPs is surpassed only by the recent examples deficiencies of their secure design. The most obvious challenge is how MCPs, and many more general LLM use cases, have erased two decades of security principles behind separating code and data. We take a look at how developers are using LLMs to generate code and continue our sea…
…
continue reading

1
AI in AppSec: Agentic Tools, Vibe Coding Risks & Securing Non-Human Identities - Mo Aboul-Magd, Shahar Man, Brian Fox, Mark Lambert - ASW #332
1:04:35
1:04:35
Play later
Play later
Lists
Like
Liked
1:04:35ArmorCode unveils Anya—the first agentic AI virtual security champion designed specifically for AppSec and product security teams. Anya brings together conversation and context to help AppSec, developers and security teams cut through the noise, prioritize risks, and make faster, smarter decisions across code, cloud, and infrastructure. Built into …
…
continue reading

1
Appsec News & Interviews from RSAC on Identity and AI - Rami Saas, Charlotte Wylie - ASW #331
1:01:48
1:01:48
Play later
Play later
Lists
Like
Liked
1:01:48In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews f…
…
continue reading

1
Secure Code Reviews, LLM Coding Assistants, and Trusting Code - Rey Bango, Karim Toubba, Gal Elbaz - ASW #330
1:09:38
1:09:38
Play later
Play later
Lists
Like
Liked
1:09:38Developers are relying on LLMs as coding assistants, so where are the LLM assistants for appsec? The principles behind secure code reviews don't really change based on who write the code, whether human or AI. But more code means more reasons for appsec to scale its practices and figure out how to establish trust in code, packages, and designs. Rey …
…
continue reading

1
AI Era, New Risks: How Data-Centric Security Reduces Emerging AppSec Threats - Vishal Gupta, Idan Plotnik - ASW #329
1:03:03
1:03:03
Play later
Play later
Lists
Like
Liked
1:03:03We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass a…
…
continue reading

1
Secure Designs, UX Dragons, Vuln Dungeons - Jack Cable - ASW #328
44:08
44:08
Play later
Play later
Lists
Like
Liked
44:08In this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons. But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable joi…
…
continue reading

1
Managing Secrets - Vlad Matsiiako - ASW #327
1:03:03
1:03:03
Play later
Play later
Lists
Like
Liked
1:03:03Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user…
…
continue reading

1
More WAFs in Blocking Mode and More Security Headaches from LLMs - Sandy Carielli, Janet Worthington - ASW #326
1:14:45
1:14:45
Play later
Play later
Lists
Like
Liked
1:14:45The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentic…
…
continue reading

1
In Search of Secure Design - ASW #325
1:07:36
1:07:36
Play later
Play later
Lists
Like
Liked
1:07:36We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those p…
…
continue reading

1
Avoiding Appsec's Worst Practices - ASW #324
1:11:19
1:11:19
Play later
Play later
Lists
Like
Liked
1:11:19We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We s…
…
continue reading

1
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
54:08
54:08
Play later
Play later
Lists
Like
Liked
54:08LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss…
…
continue reading

1
Redlining the Smart Contract Top 10 - Shashank . - ASW #322
53:01
53:01
Play later
Play later
Lists
Like
Liked
53:01The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Res…
…
continue reading

1
CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321
1:13:50
1:13:50
Play later
Play later
Lists
Like
Liked
1:13:50Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizi…
…
continue reading

1
Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320
1:09:02
1:09:02
Play later
Play later
Lists
Like
Liked
1:09:02Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects …
…
continue reading

1
Developer Environments, Developer Experience, and Security - Dan Moore - ASW #319
1:10:21
1:10:21
Play later
Play later
Lists
Like
Liked
1:10:21Minimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of th…
…
continue reading

1
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318
44:57
44:57
Play later
Play later
Lists
Like
Liked
44:57We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after ye…
…
continue reading

1
Code Scanning That Works With Your Code - Scott Norberg - ASW #317
1:12:52
1:12:52
Play later
Play later
Lists
Like
Liked
1:12:52Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner …
…
continue reading

1
Threat Modeling That Helps the Business - Akira Brand, Sandy Carielli - ASW #316
1:11:39
1:11:39
Play later
Play later
Lists
Like
Liked
1:11:39Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat …
…
continue reading

1
Security the AI SDLC - Niv Braun - ASW #315
1:08:34
1:08:34
Play later
Play later
Lists
Like
Liked
1:08:34A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have …
…
continue reading

1
Appsec Predictions for 2025 - Cody Scott - ASW #314
52:10
52:10
Play later
Play later
Lists
Like
Liked
52:10What’s in store for appsec in 2025? Sure, there'll be some XSS and SQL injection, but what about trends that might influence how appsec teams plan? Cody Scott shares five cybersecurity and privacy predictions and we take a deep dive into three of them. We talk about finding value to appsec from AI, why IoT and OT need both programmatic and technica…
…
continue reading

1
Discussing Useful Security Requirements with Developers - Ixchel Ruiz - ASW #313
1:07:41
1:07:41
Play later
Play later
Lists
Like
Liked
1:07:41There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backl…
…
continue reading

1
DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams - Greg Anderson - ASW #312
1:07:10
1:07:10
Play later
Play later
Lists
Like
Liked
1:07:10All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools…
…
continue reading

1
Applying Usability and Transparency to Security - Hannah Sutor - ASW #311
1:09:42
1:09:42
Play later
Play later
Lists
Like
Liked
1:09:42Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and se…
…
continue reading
We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage. Segment resources https://prods.ec https://owasp.org/www-project-spvs/ https://…
…
continue reading