Application Security Weekly (Audio)

By Mike Shema, John Kinsella, Matt Alderman - Security Weekly

Listen to a podcast, please open Podcast Republic app. Available on Google Play Store.


Category: Tech News

Open in Apple Podcasts


Open RSS feed


Open Website


Rate for this podcast

Subscribers: 60
Reviews: 0

Description

Application Security Weekly decrypts development for the Security Professional - exploring how to inject security into their organization’s Software Development Lifecycle (SDLC) in a fluid and transparent way; Learn the tools, techniques, and processes necessary to move at the speed of DevOps (even if you aren’t a DevOps shop yet). The target audience for Application Security Weekly spans the gamut of Security Engineers and Practitioners that need to level-up their skills in the Application Security space - as well as enabling “Cyber Curious” developers to get involved in the Application Security process at their organizations. To a lesser extent, we hope to arm Security Managers and Executives with the knowledge to be conversational in the realm of DevOps - and to provide the right questions to ask their colleagues in development, along with the metrics to think critically about the answers they receive.

Episode Date
ASW #213 - Janet Worthington
01:22:48

Applications are the most frequent external attack vector for companies. However, application security can improve only if developers either code securely or remediate existing security flaws — unfortunately, many don’t receive training with proper security know-how. In this session, we will talk about the state of application security education and what you can do to secure what you sell.

Segment Resources: - https://www.forrester.com/blogs/school-is-in-session-but-appsec-is-still-on-vacation/?ref_search=3502061_1663615159889 https://www.wisporg.com/events-calendar/2022/11/8/security-amp-risk-conference-forrester https://www.veracode.com/events/hacker-games https://blogs.microsoft.com/blog/2021/10/28/america-faces-a-cybersecurity-skills-crisis-microsoft-launches-national-campaign-to-help-community-colleges-expand-the-cybersecurity-workforce/

Wiz reveals authorization bypass in Oracle Cloud, Python 15-year old path traversal flaw, Prototype Pollution in Chrome, PS4 flaw reappears in PS5, Why security products fail

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

Show Notes: https://securityweekly.com/asw213

Sep 27, 2022
ASW #212 - Sam Placette
01:21:41

Appsec places a lot of importance on secure SDLC practices, API security, integrating security tools, and collaborating with developers. What does this look like from a developer's perspective? We'll cover API security, effective ways to test code, and what appsec teams can do to help developers create secure code.

This segment is sponsored by ThreatX. Visit https://securityweekly.com/threatx to learn more about them!

 

Appsec dimensions of the Uber breach, Rust creates a security team, MiraclePtr addresses C++ heap mistakes for Chrome, a critical reading of the NSA/CISA Supply Chain guidance, talking about careers

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw212

Sep 20, 2022
ASW #211 - Sonali Shah
01:17:34

Go releases their own curated vuln management resources, OSS-Fuzz finds command injection, Microsoft gets rid of Basic Auth in Exchange, NSA provides guidance on securing SDLC practices, reflections on pentesting, comments on e2e

 

Shifting left has been a buzzword in the application security space for several years now, and with good reason – making security an integral part of development is the only practical approach for modern agile workflows. But in their drive to build security testing into development as early as possible, many organizations are neglecting application security in later phases and losing sight of the big picture. In this talk, Invicti’s Chief Product Officer Sonali Shah discusses the challenges and misunderstandings around shifting left, and provides tips on how organizations can implement web application security program without tradeoffs throughout the whole application security lifecycle.

This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw211

Sep 13, 2022
ASW #210 - Doug Dooley
01:22:26

We will review the primary needs for cloud security: - Guardrails against misconfiguration - Continuously Identify and Remediate Vulnerabilities in Cloud APIs, Apps, and Services - Observability, Protection, and Reporting against Compliance and Risk Policies - We will also review CNAPP -- Cloud Native Application Protection Platform -- and why companies need to take a closer look for the best cloud security

Segment Resources:

- https://www.datatheorem.com/news/2021/data-theorem-representative-vendor-cnapp-2021-gartner-innovation-insight-report

 

Twitter whistleblower complaint lessons for appsec (and beyond), the LastPass breach, building a culture of threat modeling, signed binaries become vectors for ransomware, a look back to the birth of Nmap and the beginning of Linux.

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw210

Aug 30, 2022
ASW #209 - Kiran Kamity
01:18:56

The unique nature of cloud native apps, Kubernetes, and microservices based architectures introduces new risks and opportunities that require AppSec practitioners to adapt their approach to security tooling, integration with the CI/CD pipeline, and how they engage developers to fix vulnerabilities. In this episode, we’ll discuss how AppSec teams can effectively manage the transition from securing traditional monolithic applications to modern cloud native applications and the types of security tooling needed to provide coverage across custom application code, dependencies, container images, and web/API interfaces. Finally, we’ll conclude with tips and tricks that will help make your developers more efficient at fixing vulnerabilities earlier in the SDLC and your pen testers more effective.

Segment Resources:

https://www.deepfactor.io/kubernetes-security-essentials-securing-cloud-native-applications/

https://www.deepfactor.io/resource/observing-application-behavior-via-api-interception/

https://www.deepfactor.io/developer-security-demo-video/

 

Ideas on debugging with IDEs, Wiz.io shares technical details behind PostgreSQL attacks in cloud service providers, looking at the attack surface of source code management systems, a Xiaomi flaw that could enable forged payments, defensive appsec design from Signal, what targeted attacks mean for threat models when the targeting goes awry

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw209

Aug 23, 2022
ASW #208 - Tanya Janca
01:16:06

Let's talk about adding security tools to a CI/CD, the difference between "perfect" and "good" appsec, and my upcoming book. Segment Resources: https://community.wehackpurple.com #CyberMentoringMonday on Twitter Microsoft fixes an old bounty from 2019, rewards almost $14M on bounties in the past year, and releases a security layer for Edge; Black Hat talks on bounties and desync attacks, Google's bounties for the Linux kernel, modifying browser behavior, and the Excel championships.

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw208

Aug 17, 2022
ASW #207 - Chen Gour Arie
01:18:18

In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than invest their time in critical activities, teams are overwhelmed by gaps in visibility and tools to govern the process. As a result, many digital services remain improperly protected. In this episode, we plan to address and discuss the current state of AppSec, and point out a few common failure points. Afterwards we plan to discuss what agile AppSec looks like, and how a reorganization, and a shift in management strategy could greatly transform the field, and allow business to truly address the risk of under-protected software.

 

Segment Resources:

https://appsecmap.com/

 

Nextauth.js account takeover due to parsing flaw, URL parsing flaw in Go's net/url, another path traversal, Slack exposes password hashes (whaaat!?), Twitter exposes 5.4 million accounts, ransomware and research against PyPI and GitHub, videos from fwd:cloudsec 2022.

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw207

Aug 09, 2022
ASW #206 - Manish Gupta
01:15:23

In our first segment, we are joined by Manish Gupt, the CEO and Co-Founder of ShiftLeft for A discussion of how the changes and advancements in static application security testing (SAST) and intelligent software composition analysis (SCA) have helped development and DevSecOps teams work better together to fix security issues faster! In the AppSec News: Multiple vulns in a smart lock, Office Macros finally disabled by default, data breach costs and threat modeling, designing migration paths for 2FA, & more!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw206

Aug 04, 2022
ASW #199 - Nikhil Gupta
01:16:36

Nikhil will be discussing the pain points that leaders in the application security space are facing, which can cover how software development has evolved, as well as how this has impacted development teams and security teams as well as the occurrence of shifting left. He would also like to speak to the solution he has found to this problem, specifically being that of developing a community, the Purple Book Community. This closely connects to the final topics he would like to cover, which include how breaches have continued to occur at an increasingly rapid pace, leading to the importance behind why and how companies should be prepared for when, not if, a cyber attack will occur. The talk will also cover how the Purple Book of Software Security came about and how it has now morphed into a global movement by security leaders, for security leaders, to develop secure software.

Segment Resources:

https://www.armorcode.com/

https://www.thepurplebook.club/

https://www.armorcode.com/what-is-appsecops

https://www.armorcode.com/platform-overview

https://www.armorcode.com/news

https://www.armorcode.com/integrations

 

This week in the AppSec News: Pwn2own results, reading the DBIR for appsec insights, XMPP flaws in Zoom, $10M bounty for a blockchain bridge vuln, researcher puts malicious payloads in ancient packages, Argo patches JWT handling, & more!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw199

Jul 28, 2022
ASW #205 - Ferruh Mavituna
01:16:46

Vuln in an Atlassian Confluence app, "Dirty Dancing" in OAuth flows, security audits of sigstore and slf4j, flaws in fleet management app, conducting tabletop exercises.

 

Pressured by the speed of innovation, organizations are struggling to achieve the continuous web application security they need in the face of mounting threats and compliance requirements. What does it take in order for your AppSec program to be both effective and agile? In this segment, Ferruh Mavituna, founder and strategic advisor of Invicti Security, discusses best practices to help you implement an effective, agile, and – most importantly – continuous approach to application security.

This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw205

Jul 25, 2022
ASW #204 - Larry Maccherone
01:14:18

0-day vulnerabilities pose a high risk because cybercriminals race to exploit them and vulnerable systems are exposed until a patch is issued & installed. These types of software vulnerabilities can be found through continuous detection but even then may not always have a patch available. It’s important for software teams to set up tools that continually look for these types of flaws, as well as defenses that let software adapt itself to an evolving threat landscape. In this episode, we will discuss the ins and outs of 0-day vulnerabilities and what the future of managing them looks like.

Segment Resources:

Recent 0-day blog: https://www.contrastsecurity.com/security-influencers/contrast-protect-eliminates-another-zero-day-headache

What is Contrast Security video: https://www.youtube.com/watch?v=8FwY6zJX1ms

The Contrast Secure Code Platform video: https://www.youtube.com/watch?v=k5CycR4R6bg

 

This segment is sponsored by Contrast Security. Visit https://securityweekly.com/contrast to learn more about them!

 

This week in the AppSec News: speculative execution attack with retbleed, CSRB's report on log4j, one-line lowercase action leads to a vuln, approaching SOC2 with secure engineering principles, free online Mac Malware book

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw204

Jul 20, 2022
ASW #203 - Farshad Abasi
01:09:56

This week in the AppSec News: Apple introduces Lockdown Mode, PyPI hits 2FA trouble, cataloging cloud vulns, practical attacks on ML, NIST's post-quantum algorithms, & more!

 

Appsec starts with the premise that we need to build secure code, but it also has to be able to recommend effective practices and tools that help developers. This also means appsec teams need to work with developers to create criteria for security solutions, whether it's training or scanners, in order to make sure their investments of time and money lead to more secure apps.

Segment Resources: https://forwardsecurity.com/2022/04/24/embedding-security-into-software-during-development/

https://forwardsecurity.com/2022/03/15/application-security-for-busy-tech-execs/ https://forwardsecurity.com/2022/03/09/sast-sca-dast-iast-rasp-what-they-are-and-how-you-can-automate-application-security/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw203

Jul 15, 2022
ASW #202 - Mike Benjamin
01:15:00

Both GraphQL and template engines have the potential for injection attacks, from potentially exposing data due to weak authorization in APIs to the slew of OGNL-related vulns in Java this past year. We take a look at both of these technologies in order to understand the similarities in what could go wrong, while also examining the differences in how each one influences modern application architectures.

 

This week in the AppSec News: Lessons learned from fuzzing, OT:ICEFALL report on insecure designs, CSA's Top Threats to Cloud Computing, Twitter apologizes for misusing data collection, & State of Open Source Security report!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw202

Jul 14, 2022
ASW #201 - IE11 Goes to Zero
01:03:45

This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!

 

IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues.

References:

- https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf

- https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v

- https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx

- https://web.archive.org/web/20190507215514/https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Show Notes: https://securityweekly.com/asw201

Jul 12, 2022
ASW #200 - Keith Hoodlet
01:08:25

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134

Seamlessly Connect & Protect Entire IT Ecosystem

The new business reality is that everything is connected, and everyone is vulnerable. In today’s world, security resilience is imperative, and Cisco believes it requires an open, unified security platform that crosses hybrid multi-cloud environments. Our vision for the Cisco Security Cloud will reshape the way organizations approach and protect the integrity of the entire IT ecosystem.

 

Segment Resources:

 

Cisco Security Resilience: https://www.cisco.com/c/en/us/products/security/security-resilience.html

This segment is sponsored by Cisco. Visit https://securityweekly.com/cisco to learn more about them!

 

The Culture Blindspot: Harmonizing DevSecOps Helps Curb Burnout Recent data shows that security and development teams are still stressed, and they’re taking that stress home with them. Not only are they spending unnecessary hours addressing security issues that they could have otherwise prevented with modern tools and best practices, but also these teams are taking time out of their personal lives during holidays and on weekends to manage critical issues, contributing to burnout and ultimately churn. There’s good news, though: relationships between security and development are steadily improving, and with the right support and modern tooling at hand, you can transform the lives of cybersecurity professionals while also boosting your organization’s security posture, too.

This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

Show Notes: https://securityweekly.com/asw200

Jul 08, 2022
ASW #198 - Matias Madou
01:11:49

Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. Matias Madou joins to talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture. This week in the AppSec News: OWASP Top 10 for Kubernetes, Firefox improves security with process isolation, CNCF releases guidance on Secure Software Factories and Cloud Native Security, & the DOJ clarifies its policy on CFAA!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw198

Jun 22, 2022
ASW #197 - Brian Glas
01:19:39

This week, in the first segment, Brian Glas answers the questions surrounding the next generations of AppSec professionals: What does it look like to try teaching cybersecurity at an undergraduate level? What are the goals and challenges faced when trying to help future generations learn what they need to know to contribute to this industry? Then, in the AppSec News: Typosquatting spreads to Rust, curl fixes flaws in mishandling dots and slashes, OpenSSF invests in a mobilization plan for open source, &interesting AppSec from Black Hat Asia!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/secweekly

Like us on Facebook: https://www.facebook.com/secweekly

Show Notes: https://securityweekly.com/asw197

May 20, 2022
ASW #196 - Christoph Nagy
01:13:06

This week, Mike and John kick off the show with an interview of Christoph Nagy, the CEO of SecurityBridge! Then, in the AppSec News: Secure coding practices and smart contracts, lessons from the Heroku breach, Real World Crypto conference highlights, and an entertaining bug in Google Docs, & more!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw196

May 10, 2022
ASW #195 - Lynn Marks
01:13:32

This week, Mike and John interview Lynn Marks, Product Manager at Imperva, & discuss Bad Bots: The Automated Threat Targeting Your Websites, Apps, & APIs! In the AppSec News: ExtraReplica in Azure, Chrome disfavors document.domain, appsec presentations highlighted in the latest Thinkst Quarterly, Nimbuspwn Vuln in Linux, & more!

This segment is sponsored by Imperva.

Visit https://securityweekly.com/imperva to learn more about them!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw195

May 03, 2022
ASW #194 - Dr. Chenxi Wang
01:10:43

How should we empower developers to embrace the NIST software development practices? Because from here on out, developers need to view themselves as the front lines of defense for the end-consumer. A more secure-aware developer leads to a more-protected consumer. Dr. Wang will offer her perspectives! In the AppSec News: Java's ECDSA implementation is all for nought, writing a modern Linux kernel RCE, lessons learned from the Okta breach, lessons repeated from a log4shell hot patch, a strategy for bug bounties, Microsoft finally disables SMB1!

 

Show Notes: https://securityweekly.com/asw194

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 26, 2022
ASW #193 - AppSec (& adjacent) Metrics
01:17:06

We can create top 10 lists and we can count vulns that we find with scanners and pen tests, but those aren't effective metrics for understanding and improving an appsec program. So, what should we focus on? How do we avoid the trap of focusing on the metrics that are easy to gather and shift to metrics that have clear ways that teams can influence them? In the AppSec News: OAuth tokens compromised, five flaws in a medical robot, lessons from ASN.1 parsing, XSS and bad UX, proactive security & engineering culture at Chime!

 

Show Notes: https://securityweekly.com/asw193

Segment resources:

- https://www.philvenables.com/post/10-fundamental-but-really-hard-security-metrics

- https://cloud.google.com/blog/products/devops-sre/using-the-four-keys-to-measure-your-devops-performance

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 19, 2022
ASW #192 - William Morgan
01:16:42

The zero trust approach can be applied to almost every technology choice in the modern enterprise, and Kubernetes is no exception. For Kubernetes network security particularly, adopting a zero trust model involves some radical changes, including moving from a security perimeter defined by firewalls, IP addresses, and cluster boundaries to a granular approach that treats the network itself as adversarial and moves the security boundary down to the pod level. William will discuss why the zero trust approach is increasingly necessary for comprehensive Kubernetes security, the dos and don’ts when adopting Kubernetes, the implications for operators and security teams, and where tooling like service mesh plays a role. In the Application Security News: SSRF at a FinTech leads to admin account takeover, Zoom's bounty payouts for 2021, SLSA demonstrates Build Provenance, Go's supply chain philosophy, Raspberry Pi credentials, & more!

 

Show Notes: https://securityweekly.com/asw192

Segment Resources:

- https://github.com/linkerd

- https://linkerd.io/

- https://buoyant.io/mtls-guide/

- https://buoyant.io/service-mesh-academy/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 12, 2022
ASW #191 - Eric Allard
01:18:50

Making a positive impact to how we package software to make developer's lives easier in how they have to manage security. FORCEDENTRY implications for the BlastDoor sandbox, Spring RCE, Zlib flaw resurfaces, security for startups, verifying Rust models, two HTML parsers lead to one flaw!

 

Show Notes: https://securityweekly.com/asw191

Segment Resources:

- https://app.soos.io/demo

- https://soos.io/

- https://youtu.be/Y8jvhCHGQg8

Visit https://securityweekly.com/soos to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 05, 2022
ASW #190 - Harshil Parikh
01:17:31

Developers ignore security issues. But can we really blame them? After all, security folks bombard them with an endless stream of issues that need to be addressed with no way for them to separate what’s actually critical from all the noise, all while they are expected to release software more frequently and faster than ever before. It makes sense why developers view security as something that just gets in their way and slows them down. To make application security easy, we must make it developer-first. This is the future of AppSec. In the AppSec News: Okta breach, fuzzing Rust find ReDos, SQL injection and the age of code, Log4j numbers paint a not-pretty picture.

 

Show Notes: https://securityweekly.com/asw190

Segment Resources:

- https://techbeacon.com/devops/5-steps-building-developer-first-application-security-program

- https://www.forbes.com/sites/forbestechcouncil/2022/02/14/what-organizations-get-wrong-about-developer-first-application-security/?sh=1dad6eb58e7c

- https://www.tromzo.com/state-of-modern-application-security

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 29, 2022
ASW #189 - Alvaro Muñoz
01:15:58

This week in the AppSec News: A great escape isn't always as great as it sounds, Solana cryptocurrency logic isn't always as great as intended, some people's idea of "peace" isn't that great at all, and some great security suggestions for package maintainers. - Past research such as JNDI Injection, Unsafe deserialization, Struts RCEs - OSS security: CodeQL, Dependabot, collaboration between researchers and developers, OWASP Top Ten Proactive Controls, CVD for OSS.

 

Show Notes: https://securityweekly.com/asw189

Segment Resources:

- [Write more secure code with the OWASP Top 10 Proactive Controls](https://github.blog/2021-12-06-write-more-secure-code-owasp-top-10-proactive-controls/)

- [An analysis on developer-security researcher interactions in the vulnerability disclosure process](https://github.blog/2021-09-09-analysis-developer-security-researcher-interactions-vulnerability-disclosure/)

- [Building security researcher and developer collaboration](https://www.securitymagazine.com/articles/97066-how-to-build-security-researcher-and-software-developer-collaboration)

- [Coordinated vulnerability disclosure (CVD) for open source projects](https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/)

- [GitHub Advisory Database now open to community contributions](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)

- [Blue-teaming for Exiv2: creating a security advisory process](https://github.blog/2021-11-02-blue-teaming-create-security-advisory-process/)

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 22, 2022
ASW #188 - Farshad Abasi
01:16:28

Cybersecurity is a large and often complex domain, traditionally focused on the infrastructure and general information security, with little or no attention to Application Security. Security providers usually tack-on AppSec services to their existing menu of offering without understanding the domain, and their team of professionals have little or no experience with software development or inner workings of modern application architectures. As the world turns Digital at a rapid pace accelerated by the recent pandemic, applications become common place in our lives, providing attackers more opportunities to exploit these poorly protected applications. As such, it is important to know what is actually required to build and run software securely, and how to do application security right. This week in the AppSec News: Dirty Pipe vuln hits the Linux Kernel, AutoWarp vuln hits Azure Automation, TLStorm hits critical infrastructure, & hacking the Mazda RX8 ECU!

 

Show Notes: https://securityweekly.com/asw188

Segment Resources: https://forwardsecurity.com/2022/03/07/application-security-for-busy-tech-execs/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 16, 2022
ASW #187 - Lebin Cheng
01:07:28

As the volume of API traffic increases, it becomes a greater threat to an organization’s sensitive data. Motivated attackers will increasingly target APIs as the pathway to the underlying infrastructure and database. Imperva API Security is a new product that delivers rapid API discovery and data classification -- helping an organization truly protect all paths to the data, without slowing down the application development lifecycle. In the AppSec News: Finding vulns in markdown parsers, Census II and widespread open source dependencies, inside iCloud Private Relay, and cloud pentesting tools!

 

Show Notes: https://securityweekly.com/asw187

Visit https://securityweekly.com/imperva to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 08, 2022
Good People - ASW #186
01:18:19

This week, we welcome Steve Wilson, Chief Product Officer at Contrast Security, to discuss Integrating Appsec Tools for DevOps Teams! In the AppSec news: Salesforce reveals their bounty totals for 2021, GitHub opens its advisory database for collaboration, a year in review of ICS vulns, automating WordPress plugin security analysis, the Secure Software Factory from CNCF, Samsung's encryption mistakes, filling in the missing semester of Computer Science!

 

Show Notes: https://securityweekly.com/asw186

Visit https://securityweekly.com/contrast to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 01, 2022
The DIY Lab - ASW #185
01:04:04

Lots of web hacking can be done directly from the browser. Throw in a proxy like Burp plus the browser's developer tools window and you've got a nearly complete toolkit. But nearly complete means there's still room for improvement. We'll talk about the tools to keep on hand, setting up practice targets, participating in bug bounties, and more resources to help you learn along the way! Then, this week in the Application Security News: RCE in Cassandra, why pixelization isn't good redaction, Rust's compiler is friendly, Edge adds arbitrary code guard to its WASM interpreter, & the difference between secure code and a secure product (as demonstrated by a DAO)

For tips on labs beyond just appsec, be sure to check out the Security Weekly webcast on "Do It Yourself: Building a Security Lab At Home" at https://securityweekly.com/webcasts/do-it-yourself-building-a-security-lab-at-home/

Segment resources: - https://www.darkreading.com/careers-and-people/want-to-be-an-ethical-hacker-here-s-where-to-begin 

https://github.com/AdminTurnedDevOps/DevOps-The-Hard-Way-AWS

https://owasp.org/www-project-juice-shop/

https://owasp.org/www-project-vulnerable-web-applications-directory/

https://portswigger.net/web-security

https://azeria-labs.com/writing-arm-assembly-part-1/

https://twitter.com/0xAs1F/status/1480604655952433155

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Show Notes: https://securityweekly.com/asw185

Feb 22, 2022
Tasty Beverage - ASW #184
01:21:04

Doug Kersten, CISO of Appfire, will discuss how the nature of vulnerabilities today makes it critical for developers to make sure they’re building projects in a secure manner in order to quickly mitigate vulnerabilities – or they risk being left scrambling to respond when a threat hits. In the AppSec News: Docker and security boundaries, Google's year in vuln awards, 2021's year in web hacks, Apple AirTags and privacy, turning AIs onto RFCs for security, & facial recognition research!

 

Show Notes: https://securityweekly.com/asw184

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 15, 2022
Internal Jokes - ASW #183
01:16:36

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent trends in policy proposals shaping the future of security. We will also talk about bug bounties and vulnerability disclosure, what are some of the industry's best practices in this area, how to implement these programs to foster security, collaboration and transparency, and how this connects to the policy momentum and its impact on security researchers. In the AppSec News, Vulns in an HTTP/3 server, path traversal in Argo CD, Log4Shell from the perspective of Log4j devs, DHS launches Cyber Safety Review Board, OSSF launches Alpha and Omega projects, resources for learning reverse engineering and appsec!

 

Show Notes: https://securityweekly.com/asw183

Segment Resources:

- Project Circuit Breaker: https://www.intel.com/content/www/us/en/newsroom/news/intel-launches-project-circuit-breaker.html

- Project Circuit Breaker Landing Page: https://www.projectcircuitbreaker.com/

- Intel’s 2021 Product Security Report: https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 08, 2022
Perfect Direction - ASW #182
01:15:38

This week, we welcome Larry Maccherone, DevSecOps Transformation at Contrast Security, to discuss Shift Left, NOT S#!T LEFT! In the AppSec News: PwnKit LPE in Linux, two different smart contract logic flaws in two different hacks, a $100K bounty for Safari, Python NaN coercion, and AppSec games!

 

Show Notes: https://securityweekly.com/asw182

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 01, 2022
Cheesy Tomato Dreams - ASW #181
01:09:42

It is hard, if not impossible, to secure something you don’t know exists. While security professionals spend countless hours on complex yet interesting issues that *may* be exploitable in the future, basic attacks are occurring every day against flaws in code that receives little review. For example, a “dated trend” by effective yet lazy hackers is to search for APIs unknown by security teams, coined “Shadow APIs”, then connect to these APIs and extract data. SQL Injection used to be the hack of choice, as a few simple SQL commands would either mean pay dirt or “move on to the next target”. Now the same can be said for Shadow API: Find, Connect, Extract. Himanshu will discuss one of many methods that are used in the wild to target Shadow APIs and export large volumes of data with a few clicks of a button or a few lines of code in Python. In the AppSec News, Safari fixes a privacy leak in IndexedDB, integer arithmetic flaw leads to Linux kernel bug, a look back on Zoom security, SSRF from an URL allow list bypass, a security engineering course and lectures, 25 years of HTTP/1.1

 

Show Notes: https://securityweekly.com/asw181

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 25, 2022
Something For Everybody - ASW #180
01:03:22

This isn't a story about NPM even though it's inspired by NPM. Twice. The maintainer of the "colors" NPM library intentionally changed the library's behavior from its expected functionality to printing garbage messages. The library was exhibiting the type of malicious activity that typically comes from a compromised package. Only this time users of the library, which easily number in the thousands, discovered this was sabotage by the package maintainer himself. This opens up a broader discussion on supply chain security than just provenance. How do we ensure open source tools receive the investments they need -- security or otherwise? For that matter, how do we ensure internal tools receive the investments they need? Log4j was just one recent example of seeing old code appear in surprising places.

 

Scams and security flaws in (so-called) web3 and when decentralization looks centralized, SSRF from a URL parsing problem, vuln in AWS Glue, 10 vulns used for CI/CD compromises!

 

Show Notes: https://securityweekly.com/asw180

Segment resources:

- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

- https://www.zdnet.com/article/when-open-source-developers-go-bad/

- https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/

- https://www.theregister.com/2022/01/17/open_source_closed_wallets_big/

- https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/

- https://docs.linuxfoundation.org/lfx/security/onboarding-your-project

- https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 20, 2022
Big Smiles - ASW #179
01:13:58

There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the web, mobile, or cloud? We'll talk about moving on from niche offerings into successful appsec programs. The FTC issues a warning about taking log4j seriously, JNDI is elsewhere, cache poisoning shows challenges in normalizing strings, semgrep for refactoring configs with security in mind, the Q4 2021 ThinkstScape quarterly, Salesforce to require MFA!

 

Show Notes: https://securityweekly.com/asw179

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 11, 2022
Fuzzing Like It's 1999 - ASW #178
01:14:26

What does a collaborative approach to security testing look like? What does it take to tackle an entire attack class as opposed to fixing a bunch of bugs? If we can shift from vulnerability mitigation to vulnerability elimination, then appsec would be able to demonstrate some significant wins -- and they need a partnership with DevOps teams in order to do this successfully. Log4j has more updates and more vulns (but probably not more heartburn...), revisiting outages and whether availability has made it into your threat models, deep dive into hardware security, another data point on bug bounty awards, and looking at risk topics for the next year. This completes another year of the podcast! A very heartfelt thank you to all our listeners! And a special thank you and shout out to the crew that helps make this possible every week -- Johnny, Gus, Sam, and Renee. We'll keep the New Wave / Post-Punk, movie, and pop culture references coming for all the appsec and DevOps topics you can throw our way. Thanks again everyone!!

 

Show Notes: https://securityweekly.com/asw178

Segment Resources:

- https://blog.trailofbits.com/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Dec 21, 2021
Vulnerability Phone - ASW #177
01:10:15

This week, we welcome Francesco Cipollone - CEO & Founder - AppSec Phoenix Ltd, to discuss DevSecOps, Compliance GRC, and the Future of Application Security! In the AppSec News, Mike & John talk: All about Log4Shell, Mozilla's BigFix bug and new sandbox, Rust in the Linux kernel, path traversals, reflections on the security profession, & more!

 

Show Notes: https://securityweekly.com/asw177

Segment Resources:

- AppSec Cali 19 Talk:

https://www.youtube.com/watch?v=cegMUjo25Zc

- ADDO19: https://www.youtube.com/watch?v=x1p3exzkTIY

- Open Security Summit 20

- https://www.youtube.com/watch?v=8myMG36gq4o , https://www.youtube.com/watch?v=mh_P1C1a-CM

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Dec 14, 2021
Cyber Monday - ASW #176
01:15:58

In today’s session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common goals and solve the speed vs. security dilemma. Specifically, they’ll discuss processes for fixing more vulnerabilities faster and tools for ensuring developer success. And they’ll talk about improving the overall maturity of DevOps teams through good development practices, good testing, remediation, and training. In the AppSec News: Bug bounty payout practices, Edge goes super duper secure mode, WebKit CSP flaw has consequences for OAuth, GoDaddy breach, vuln in MediaTek audio DSP, & more!

 

Show Notes: https://securityweekly.com/asw176

Segment Resources:

Veracode State of Sofware Security v11 https://www.veracode.com/state-of-software-security-report

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 30, 2021
Max Headroom - ASW #175
01:09:32

This week, we welcome Liam Randall, CEO at Cosmonic, to talk about wasmCloud - Distributed Computing With WebAssembly! CNCF wasmCloud helps developers to build distributed microservices in WebAssembly that they can run across clouds, browsers, and everywhere securely! In the AppSec News: What would CVEs for CSPs look like, clever C2 in malicious Python packages, diversity in bounty programs, shared responsibility and secure defaults, breach costs to influence AppSec programs!

 

Show Notes: https://securityweekly.com/asw175

Segment Resources:

https://webassembly.org/

https://wasmcloud.com/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 23, 2021
Eyes Open - ASW #174
01:10:42

This week, we welcome Ryan Lloyd, Chief Product Officer at Guardsquare, to discuss Mobile Application Security! Mobile applications have a unique attack surface. The tools and techniques being used to compromise these environments are constantly evolving. We'll talk about how to harden mobile apps against modern threats. In the AppSec news: Disclosure decisions and CVE-2021-3064, technical details behind ChaosDB in Azure, fuzzing BusyBox, Prossimo and Rust, vulns in Nucleus RTOS, & HTML smuggling!

 

Show Notes: https://securityweekly.com/asw174

Visit https://securityweekly.com/guardsquare to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 16, 2021
Schools of Magic - ASW #173
01:13:58

This week, Mike, John and Dan McKinney from Cloudsmith will be discussing SBOM and what that looks like for your applications. Other topics include: cloud-native tooling for your software supply chain, the history of provenance, GPG Keys & signing commits, package consumption, understanding threat modeling, and knowing the roles and responsibilities when it comes to security of your assets.

 

In the AppSec News, Mike and John talk: Excel gains support for JavaScript data types and functions, arbitrary code execution in Linux kernel TIPC, more malware in npm packages, threat models and OTP/2FA bots, NIST Security Labels!

 

Show Notes: https://securityweekly.com/asw173

Visit https://securityweekly.com/cloudsmith to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 09, 2021
Actual Secrets - ASW #172
01:16:58

This week, we welcome Peter Klimek, Director of Technology, Office of the CTO at Imperva! Peter will talk to the challenges he's hearing from customers and partners about managing the security of APIs and what considerations organizations need to make in 2022 to better protect these growing ecosystems. In the AppSec News, Mike & John talk: Discourse SNS webhook RCE, a checklist for a Minimum Viable Secure Product, WhatsApp security assessment, privacy engineering specialties, & DevOps presentations!

 

Show Notes: https://securityweekly.com/asw172

Visit https://securityweekly.com/imperva to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 02, 2021
Horror Stories - ASW #171
01:14:17

This week, we welcome Ashish Rajan, Head of Security & Podcast Host at Cloud Security Podcast, to discuss Security Champions in an Online First World! Ashish will talk about building a security champion in an online world and how SAST as it stands today will die in the world of DevOps and Cloud. This week in the AppSec News: Malware in the UAParser.js npm package, security vuln in Squirrel scripting language, a blueprint for securing software development, L0phtCrack now open source, appsec videos on Android exploitation, macOS security, & more!

 

Show Notes: https://securityweekly.com/asw171

Segment Resources:

www.cloudsecuritypodcast.tv

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 26, 2021
Highly Technical - ASW #170
01:16:04

This week, we welcome Nuno Loureiro, CEO at Probely, and Tiago Mendo, CTO at Probely, to talk about Dev(Sec)Ops Scanning Challenges & Tips! There's a plenitude of ways to do Dev(Sec)Ops, and each organization or even each team uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important to understand how to integrate a security scanner in your DevSecOps processes. It all comes down to speed, how fast can I scan the new deployment? Discussion around the challenges on how to integrate a DAST scanner in DevSecOps and some tips to make it easier. In the AppSec News: View source good / vuln bad, IoT bad / rick-roll good, analyzing the iOS 15.0.2 patch to develop an exploit, bypassing reviews with GitHub Actions, & more NIST DevSecOps guidance!

 

Show Notes: https://securityweekly.com/asw170

Visit https://securityweekly.com/probely to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 19, 2021
Halloween Horror - ASW #169
01:13:40

This week, we welcome Tom Gibson, Senior Staff Engineer at Cloudsmith, to talk about Modernizing the Management of Your Software Supply Chain! This week in the AppSec News, Mike and John talk: The Twitch breach, a path traversal in Apache httpd, Microsoft disables macros by default after almost 30 years, factors in a great cybersecurity program, & more!

 

Show Notes: https://securityweekly.com/asw169

Visit https://securityweekly.com/cloudsmith to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 12, 2021
Opposite Direction - ASW #168
01:10:16

This week, we welcome Hillary Benson, Director, Product Management of Secure & Protect at Gitlab, to discuss The Power of Developer-First Security! In the AppSec News, John and Mike discuss Prototype pollution vulns, funding open source project hardening, Let's Encrypt root CA expires, and Marian Trench scanner for Android and Java!

 

Show Notes: https://securityweekly.com/asw168

Visit https://securityweekly.com/gitlab to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 05, 2021
Skills & Knowledge - ASW #167
01:11:48

This week, we welcome Anita D'Amico, VP, Market Development at Synopsys, and Patrick Carey, Senior Director of Product Marketing at Synopsys, to discuss AppSec Orchestration/Correlation & DevSecOps Efficiency! In the AppSec News: The Great Leak flaw in Exchange's auto discover feature, common flaws in VMware and Nagios, memory issues and SSRF in Apache's HTTP server, Chrome's plans for memory safety, State of DevOps report, OWASP's 20th anniversary, & more!

 

Show Notes: https://securityweekly.com/asw167

Visit https://securityweekly.com/synopsys to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 28, 2021
Don't Hate the Player, Hate the Game - ASW #166
01:09:50

This week, we welcome Jeff Williams, Co-Founder and Chief Technology Officer at Contrast Security, to discuss Transforming Modern Software Development with Developer-first Application Security! Modern software development demands a different approach to application security. Contrast’s developer-first Application Security Platform empowers developers to accelerate the release of secure code with highly accurate results that include context-aware, how-to-fix vulnerability remediation guidance.

 

In the AppSec News, Mike and John talk: RCE in Azure OMI, punching a hole in iMessage BlastDoor, Travis CI exposes sensitive environment variables, keeping code ownership accurate, deploying security as a product, IoT Device Criteria (aka nutrition labels), & more!

 

Show Notes: https://securityweekly.com/asw166

Segment Resources:

2021 Application Security Observability Report: https://view-su2.highspot.com/viewer/612ff3a8c6485f4687834782

White Paper: Pipeline-native Scanning for Modern Application Development https://view-su2.highspot.com/viewer/612ff3e4cc0bb2392d968b25

DevSecOps Requires a Platform Approach to Application Security https://view-su2.highspot.com/viewer/612ff42ecb2d1b6cd60f3f65

 

Visit https://securityweekly.com/contrast to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 21, 2021
Drive - ASW #165
01:13:47

This week, we welcome Manish Gupta, CEO and Co-Founder of ShiftLeft, to discuss Findings From the 2021 AppSec Shift Left Progress Report! Data from the ShiftLeft customer report shows that companies that have rebuilt their core testing processes around faster and more accurate static analysis are able to release more secure code at scale, scan more frequently, fixes earlier in the software development life cycle, have less security debt, and maintain more security fixes overall.

 

In the AppSec News, Mike and John talk: OWASP Top 10 draft for 2021, bad practices noted by CISA, Azurescape cross-account takeover, Confluence RCE, WhatsApp image handling, API security tokens survey, & more!

 

Show Notes: https://securityweekly.com/asw165

Segment Resources:

http://shiftleft.io/resources/appsec-shift-left-progress-report-2021?utm_source=cyber_risk_alliance&utm_medium=podcast

Visit https://securityweekly.com/shiftleft to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 14, 2021
Magical Forest - ASW #164
01:06:45

This week, we welcome Caroline Wong, Chief Strategy Officer at Cobalt, to discuss A DevOps Perspective on Risk Tolerance & Risk Transfer! In the segment Mike and Caroline will discuss Risk Tolerance and Risk Transfer. They'll touch on the following: risk ranking, risk transfer in supply chain, how to diversify security controls, time vs risk reduction vs vulnerability exposure all from a DevOps perspective. While also touching upon how security is not (and should not) be a gate.

 

In the Application Security News, Mike and John talk: Flaws in Azure's CosmosDB, OpenSSL vulns in string handling, dating app location security, cloud security orienteering, detailed S3 threat model, & more!

 

Show Notes: https://securityweekly.com/asw164

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Aug 31, 2021
Strange New Clouds - ASW #163
01:11:18

This week, we welcome Shubhra Kar, Global CTO and GM of Products & IT at The Linux Foundation, to discuss Challenges in Open Source Application Security! In the AppSec News: BlackBerry addresses BadAlloc bugs, glibc fixes a fix, more snprintf misuse that leads to command injection, ProxyLogon technical details, & more!

 

Show Notes: https://securityweekly.com/asw163

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Aug 24, 2021
Time Traveling - ASW #162
01:08:27

This week, we welcome Mike Rothman, President & Co-founder at DisruptOps, to discuss DevSecOps - Making It Real! In the AppSec News, Bug bounty report that cleverly manipulates a hash for profit, Allstar GitHub app to enforce security policies, choosing a programming language, what an app should log, adding security to DevOps, & manipulating natural-language models!

 

Show Notes: https://securityweekly.com/scw83

Segment Resources:
cybersecuritygatebreakers.org

Visit https://www.securityweekly.com/scw for all the latest episodes!

 

Follow us on Twitter: https://twitter.com/securityweekly

Follow us on Facebook: https://facebook.com/secweekly

Aug 17, 2021
Thinking Alike - ASW #161
01:06:12

This week, we welcome Tom Hudson, Security Research Team Lead at Detectify, to discuss Securing Modern Web Apps: Development Techniques are Changing! In the AppSec News, Hardware hacking for authn bypass and analyzing IoT RNG, Request Smuggling in HTTP/2, Kindle Fuzzing, Kubernetes Hardening, Countering Dependency Confusion, ATO Checklist, & more!

 

Show Notes: https://securityweekly.com/asw161

Visit https://securityweekly.com/detectify to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://twitter.com/securityweekly

Follow us on Facebook: https://facebook.com/secweekly

Aug 10, 2021
Shrug & Move On - ASW #160
01:12:11

This week, we welcome Maggie Jauregui, Offensive Security Researcher at Intel, to discuss Platform Firmware Security! Firmware security is complex and continues to be an industry challenge. In this podcast we'll talk about the reasons firmware security remains a challenge and some best practices around platform security.

 

In the AppSec News: PunkSpider coming to DEF CON, Google matures its VRP, $50K bounty for an access token, RCE in PyPI, kernel vuln via eBPF, top vulns reported by CISA, & the importance of testing!

 

Show Notes: https://securityweekly.com/asw160

Segment Resources:
- https://www.helpnetsecurity.com/2020/04/27/firmware-blind-spots/

- https://www.helpnetsecurity.com/2020/09/28/hardware-security-challenges/

- https://darkreading.com/application-security/4-open-source-tools-to-add-to-your-security-arsenal

- https://chipsec.github.io

Hardware Hacking created by Maggie:
https://securityweekly.com/wp-content/uploads/2021/08/eArt-2.png

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Aug 03, 2021
Policy of Truth - ASW #159
01:14:18

This week, we welcome Peter Klimek, Director of Technology, Office of the CTO at Imperva, to discuss Navigating the seas of security in serverless functions!

In the AppSec News: CWE releases the top 25 vulns for 2021, findings bugs in similar code, Sequoia vuln in the Linux kernel, Twitter transparency for account security, a future for cloud security, & more!

 

Show Notes: https://securityweekly.com/asw159

Segment Resources:
Details on Imperva Serverless Protection: https://www.imperva.com/company/press_releases/imperva-launches-new-product-to-secure-serverless-functions-with-visibility-into-the-application-layer-code-level-vulnerabilities/

Free trial of the product: https://www.imperva.com/serverless-protection-demo

Visit https://securityweekly.com/imperva to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly


Like us on Facebook: https://www.facebook.com/secweekly

Jul 27, 2021
Fall On Our Sword - ASW #158
01:15:01

This week, we welcome David DeSanto, Senior Director, Product Management, Dev & Sec at Gitlab! In the wake of events such as the Solarwinds breach, there has been a lot of misinformation about the role of open source in DevSecOps. GitLab believes everyone benefits when everyone can contribute. Open source plays a key role in how GitLab addresses DevSecOps. We will discuss GitLab's view of the role of open source in DevSecOps including recent contributions to the open source community as well as GitLab's plans for the future.

 

In the AppSec News: Security from code comments, visualizing decision trees, bypassing Windows Hello, security analysis of Telegram, paying for patient bug bounty programs, cloud risks, & more!

 

Show Notes: https://securityweekly.com/asw158

Visit https://securityweekly.com/gitlab to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 20, 2021
Drink Our Own Champagne - ASW #157
01:12:51

In the AppSec news, a password manager makes predictable mistakes, Trusted Types terminate DOM XSS, waking up from PrintNightmare, understanding hardware fault injections.

 

The truth is, most web app and API security tools were designed for a very different era. A time before developers and security practitioners worked together, before applications were globally distributed and API-based. But attackers are developers too, and they aren’t bogged down by the limitations of legacy solutions. It’s never been more clear that it’s time for a change. Sean will outline new rules for web application and API security that respect the way modern applications are built.

 

Show Notes: https://securityweekly.com/asw157

https://www.fastly.com/blog/the-new-rules-for-web-application-and-api-security

This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 13, 2021
Everything Looks Crazy - ASW #156
01:16:56

This week, we welcome Clint Gibler, Head of Security Research at r2c, to discuss Scaling Your Application Security Program! In the AppSec News: Visual Studio Code's Workplace Trust, Injured Android an insecure mobile app, Microsoft accidentally signed driver with rootkits, The NSA funds a new sister Matrix to ATT&CK: D3FEND, & "Ransomware: maybe it's you, not them?", and more!

 

Show Notes: https://securityweekly.com/asw156

Segment Resources:

https://semgrep.dev/

https://github.com/returntocorp/semgrep

https://github.com/returntocorp/semgrep-rules

2020 GlobalAppSec SF https://docs.google.com/presentation/d/14PjOViz2dE6iToOyoFk_BQ_RUfkEHGX-celIiybDQZA/edit

https://tldrsec.com/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 29, 2021
Crawling Like a Human - ASW #155
01:14:29

This week, we welcome Nuno Loureiro & Tiago Mendo from Probely to discuss some Challenges of DAST Scanners, and their Adoption by Developers! Then, in the AppSec News John and Mike discuss: SLSA framework for supply chain integrity, Wi-Fi network of doom for iPhones, seven-year old systemd privesc, $30K for an API call, Codecov refactors from Bash, using the AST to refactor Python, shifting left and right, and more!

This segment is sponsored by Probely.

Visit https://securityweekly.com/probely to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw155

Jun 22, 2021
Dead Simple - ASW #154
01:09:55

This week, we welcome Sebastian Deleersnyder, CTO at Toreon, to talk about OWASP SAMM - Software Assurance Maturity Model! In the AppSec News, Mike and John talk: ALPACA surveys protocol confusion, lessons from the EA breach, forgotten lessons about sprintf, Go fuzzing goes beta, security lessons from Kubernetes Goat, basic lessons for OT from CISA, & more!

 

Show Notes: https://securityweekly.com/asw154

Segment Resources:

- https://owaspsamm.org/

- https://github.com/OWASPsamm

- https://app.slack.com/client/T04T40NHX/C0VF1EJGH

- https://www.youtube.com/channel/UCEZDbvQrj5APg5cEET49A_g

- https://twitter.com/OwaspSAMM

- https://www.linkedin.com/company/18910344/admin/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 15, 2021
Something's Out There - ASW #153
01:13:12

This week, we welcome Daniel Hampton, Senior Solutions Architect at Fastly, to discuss API Security: Understanding Threats to Better Protect Your Organization! In the AppSec News, Tyler Robinson joins Mike & John to discuss: HTTP/3 and QUIC, bounties for product abuse, Amazon Sidewalk security & privacy, security & human behavior, authentication bypass postmortem, M1RACLES, & more!

 

Show Notes: https://securityweekly.com/asw153

Visit https://securityweekly.com/fastly to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 08, 2021
Everybody's Looking For Something - ASW #152
01:11:03

This week, we welcome Manish Gupta, CEO and Co-Founder at ShiftLeft, to discuss Bringing Appsec to a Modern CI Pipeline! Appsec in a modern CI pipeline needs a combination of tools, collaboration, and processes to be successful. Importantly, it also needs to scale. We can't just shift responsibility left and assume that will be successful. So, how can an appsec team bring tools and security knowledge to developers? In the AppSec News segment, Mike and John talk: HTTP bug bothers IIS, Android platform security, supply chain security (new and old), brief (very brief) history of browser security, & more!

 

Show Notes: https://securityweekly.com/asw152

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://securityweekly.com/shiftleft to learn more about them!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

May 25, 2021
Hot Potato - ASW #151
01:14:42

This week, we welcome Aanand Krishnan, CEO at Tala Security, Inc., to discuss Third Party Software Risk on the Web! Web applications are highly dependent on third party content and JavaScript. This creates a significant set of vulnerabilities that attackers are exploiting. How do you prevent a Solarwinds type hack on your website?

 

In the AppSec News, CNCF releases a whitepaper on supply chain security, Frag attacks against WiFi devices, security webhooks, trusting terraform plans, shared credentials and app access, complexity vs. security vs. design.

 

Show Notes: https://securityweekly.com/asw151

https://go.talasecurity.io/blog/data-in-the-browser-is-data-at-risk

https://www.talasecurity.io/protect/#how

https://go.talasecurity.io/blog/how-i-hacked-your-website

 

Visit https://securityweekly.com/talasecurity to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

May 18, 2021
Talking Heads - ASW #150
01:14:42

While the vision for app security is relatively clear, executing on that vision is still somewhat of a work in progress. Fast-moving, interdependent pieces—custom code and open source packages, infrastructure and network configurations, user entitlements—make for complex systems. In this episode, we discuss the challenge in addressing each piece independently and consider how consolidated, multi-purpose tools may present an emerging solution. This Week in the AppSec News, Mike and John talk: "Find My threat model" with AirTags, Qualcomm modem vuln hits lots of Android, an Exim update patches lots of vulns, measuring hardened binaries, a maturity model for k8s, & more!

 

Show Notes: https://securityweekly.com/asw150

Visit https://securityweekly.com/prismacloud to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

May 11, 2021
Alert Your Star Destroyers - ASW #149
01:11:29

Rey Bango will be digging into the developer security training conundrum based on his own experiences with secure coding and security training.

He'll cover:

• The types of security training that work

• The role of security champions

• How the security and development teams can work together to ensure code is create securely from the start

In the AppSec News: Microsoft discloses "BadAlloc" bugs, macOS Gatekeeper logic falters, authentication issues in KDCs and ADs, Spectre gains another vector, followup on the UMN Linux kernel vulns study!

 

Show Notes: https://securityweekly.com/asw149

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

May 04, 2021
Minimum Safe Distance - ASW #148
01:13:13

We start with the article about "Researchers Secretly Tried To Add Vulnerabilities to Linux Kernel, Ended Up Getting Banned" and explore its range of issues from ethics to securing huge, distributed software projects. It's hardly novel to point out that bad actors can attempt to introduce subtle and exploitable bugs. More generally, we've also seen impacts from package owners who have revoked their code, like NPM leftpad, or who transfer ownership to actors who later on abuse the package's reputation, as we've seen in Chrome Plugins. So, what could have been a better research focus? In the era of more pervasive fuzzing, how much should we continue to rely on people for security code review? This week in the AppSec News: Signal points out parsing problems, privacy preserving improvements to AirDrop, Homebrew disclosure, WhatsApp workflows, adversarial data ordering for ML, & more!

 

Show Notes: https://securityweekly.com/asw148

Visit https://www.securityweekly.com/asw for all the latest episodes!

Read the research paper at https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Apr 27, 2021
That Will Bite Ya - ASW #147
01:08:12

This week, we welcome Doug Barbin, Managing Partner at Schellman & Company, LLC, to discuss Supply Chain Management! Supply chain security isn't new, despite the renewed attention from the Solar Winds attack. It has old challenges, like having an accurate asset or app inventory, and new opportunities, like Software Bill of Materials. From consequences to code integrity, DevOps teams need to understand how to protect their own code from others' components.

 

In the AppSec News, Mike and John discuss Rust in Android and the Linux kernel, vuln disclosure policy changes from Project Zero, security and DevOps collaboration, XSS with NULL, & a BootHole follow-up!

 

Show Notes: https://securityweekly.com/asw147

Additional resources:

- National Supply Chain Integrity Month, https://www.cisa.gov/supply-chain-integrity-month

- SCRM vendor template, https://www.cisa.gov/publication/ict-scrm-task-force-vendor-template

- CWE VIEW: Hardware Design, https://cwe.mitre.org/data/definitions/1194.html

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 20, 2021
Contortions - ASW #146
01:12:43

This week, we welcome Leif Dreizler - Engineering Manager, Product Security - Segment, to talk about Shifting Right: What Security Engineers Can Learn From DevSecOps! In the AppSec News, PHP deals with two malicious commits, SSO and OAuth attack vectors to remember for your threat models, zines for your DevSecOps education!

 

Show Notes: https://securityweekly.com/asw146

Segment Resources: https://segment.com/blog/shifting-engineering-right/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 06, 2021
Grab A Sword - ASW #145
01:11:47

This week, we welcome Andrew van der Stock, Executive Director at OWASP Foundation, to talk about the OWASP Top 10 of 2021! The OWASP Top 10 2021 is in development. A public survey has just been released. We have finished collecting data. I would like to discuss what the plans are for the OWASP Top 10 2021, and when it will be released, and how you can get involved.

 

In the AppSec News, Security and privacy technical analysis of TikTok, subtle parsing problems, chain of trust through a CI/CD pipeline, faster fuzzing even without source code, interplay of application security and application safety!

 

Show Notes: https://securityweekly.com/asw145

https://owasp.org/www-project-top-ten/

https://github.com/OWASP/Top10

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 30, 2021
The Cure - ASW #144
01:07:54

This week, we welcome Johanna Ydergard, VP of Detectify Crowdsource at Detectify, and Roberto Giachetta, Engineering Manager at Detectify, to discuss Approaching AppSec Like a Hacker! Security is struggling to keep up with securing modern web applications and the fast pace of wild web hacks. Detectify is building automated app scanners that can think like a hacker and shorten vulnerability detection time down to minutes and hours, whilst helping ethical hackers do bug bounty/disclosures in a scalable way. In the AppSec News: Supply chain security in Azure SDK and macOS Xcode, GitHub's postmortem on a session handling flaw, six GCP vulns from 2020, & information resources for hacking the cloud!

 

Show Notes: https://securityweekly.com/asw144

Visit https://securityweekly.com/detectify to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 23, 2021
Always Interesting - ASW #143
01:02:25

This week, we welcome John Morello, VP of Product at Palo Alto Networks, joins us to talk about Cloud Native Security Platforms! Modern appsec demonstrates the importance of a cloud native strategy for enterprise security and how much that strategy must integrate with DevOps tools and workflows. Security solutions need to come from a cohesive platform that addresses the problems DevOps teams face in how they're building apps today.

 

In the AppSec News, Software safety to mitigate the impact of unauthenticated RCEs, exploding regex patterns, web and browser security in the face of Spectre side-channels, signing software artifacts, 8 roles for today's security teams. This segment is sponsored by Prisma Cloud/ Palo Alto Networks.

 

Show Notes: https://securityweekly.com/asw143

Visit https://securityweekly.com/prismacloud to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 16, 2021
Check Your Alibis - ASW #142
01:03:32

This week, we welcome Cynthia Burke, Compliance Manager at Capsule8, to discuss Privacy, Data Security & Compliance! In most IT shops, privacy, data security and compliance often resided under the same umbrella of ownership. While all 50 States in the US have data breach notification laws, we are seeing a shift in focus on data privacy globally. Privacy and data security compliance are often used interchangeably but this misuse in terminology (and the associated requirements for all IT organizations) creates a lot of confusion in an already complicated industry. Cynthia will explore some of the key factors in 2021 as to and why we need to get it right.

 

In the AppSec News, Making security engineering successful, Go's supply chain, mitigating JSON interoperability flaws, automating the hunt for deserialization flaws, the importance of observability, and what to do about Exchange!

 

Show Notes: https://securityweekly.com/asw142

Visit https://securityweekly.com/capsule8 to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 09, 2021
New Wave Post Punk Security Hour - ASW #141
01:07:48

This week, we welcome Ted Harrington, Executive Partner at Independent Security Evaluators, to discuss Hackable; How to do Application Security Right! In the Application Security News, Implementation pitfalls in parsing JSON, finding all forms of a flaw with CodeQL, more educational resources for hacking apps, engineering and product management practices for DevOps, & more!

 

Show Notes: https://securityweekly.com/asw141

Register for the DevSecOps eSummit for which Ted will be a panelist: https://onlinexperiences.com/Launch/QReg.htm?ShowUUID=5673DA7C-B8C2-4A3E-B675-C6BBF45DC04F

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 02, 2021
Goose Egg - ASW #140
01:07:39

This week, we welcome Brandon Edwards, Co-Founder and Chief Scientist at Capsule8, to discuss Targeting, Exploiting, & Defending Linux! Linux is all over the place (sometimes surprising), why is targeting it different? What types of attacks are used? How can we defend against attacks on Linux? We can incorporate recent attacks against Sudo as a timely reference. In the Application Security News, Dependency confusion for internal packages, Chrome pulls down the Great Suspender, Microsoft highlights web shells, some strategies on scaling AppSec, & more!

 

Show Notes: https://securityweekly.com/asw140

Visit https://securityweekly.com/capsule8 to learn more about them!

To register for Capsule8's upcoming webcast "Preparing Linux Hosts for Unexpected Threats" visit https://attendee.gotowebinar.com/register/1056145103342240783?source=SW

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 23, 2021
Total Recall - ASW #139
01:08:42

This week, we welcome Alissa Knight, Partner at Knight Ink, to discuss Being a Serial Entrepreneur, Business Leader, & Hacker! Alissa Knight has spent her career going against industry and social norms as both a Transgendered and Lesbian business leader and hacker. Learn more about her, her achievements as a published author, her recent vulnerability research in hacking law enforcement vehicles, mHealth apps and APIs, her life as a hacker, and barriers she's broken down in business. In the AppSec News, Funding bounties or finding bugs, how should we invest? Talks from Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020!

 

Show Notes: https://securityweekly.com/asw139

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 09, 2021
The Sound of Silence - ASW #138
01:07:45

This week, we welcome John Delaroderie, Security Solutions Architect at Qualys, to discuss Groundhog Day - It's Time to Reset the Script on Vulnerabilities! In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens. In the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more!

 

Show Notes: https://securityweekly.com/asw138

Visit https://securityweekly.com/qualys to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 02, 2021
A Tree of Woe - ASW #137
01:10:31

This week, we welcome back Taylor McCaslin, Sr. Product Manager of Secure at GitLab, to discuss Reading Industry Analyst Tea Leaves To Predict The Future! It's analyst season with the new Forrester Wave on SAST recently published as well as Gartner's Application Security Testing Magic Quadrant publishing in April. We'll talk about what are analyst reports, how should you use them, and how should you interpret placement on them as as I like to call it, reading the analyst tea leaves.

 

In the AppSec News, an overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might fit into AppSec, and all the things that can go wrong when you give up root in your Kubernetes pod!

 

Show Notes: https://securityweekly.com/asw137

Visit https://securityweekly.com/GitLab to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 26, 2021
Breaking John - ASW #136
01:06:54

This week, we welcome Andrei Serban, Co-Founder at Fuzzbuzz, to discuss Fuzz Testing! Fuzzing can be successful AppSec strategy for finding software bugs. And deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just memory safety issues and what the future holds for making this strategy more effective for modern apps. In the AppSec News, Significant source code leak from misconfigured repo, side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, and the benefits of DevOps approaches to building systems!

 

Show Notes: https://securityweekly.com/asw136

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 12, 2021
Pokémon & Synthwave & Hair & Hats - ASW #135
01:07:40

A premise of adding security to DevOps is we can "shift left" AppSec responsibilities, one of which is building apps so they're secure by design. Yet what resources does the AppSec community provide for this approach to design? We take a look at the OWASP Top 10, Web Security Testing Guide, and Application Security Verification Standard to find a way forward for DevOps teams. In the AppSec News, Microsoft purges malicious SolarWinds presence and highlights a threat model around their source code, the tl;drsec crew provides a hardening guide for Kubernetes, Apples provides a user guide for hardening accounts, and Firefox provides a new storage system to defeat side channel abuse!

 

Show Notes: https://securityweekly.com/asw135

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 05, 2021
Dark & Scary - ASW #134
01:14:20

This week, we welcome Ev Kontsevoy, CEO at Teleport, to discuss Freedom From Computing Environments! In the Application Security News, FireEye shares supply chain subterfuge, researchers show repeated mistakes in TCP/IP stacks, Google open sources Python fuzzing, Cisco and Microsoft patch their patches for vulns in Jabber and printer modules!

 

Show Notes: https://securityweekly.com/asw134

Visit https://securityweekly.com/teleport to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Dec 16, 2020
A Cesspool of Images - ASW #133
01:05:22

This week, we welcome Mike Manrod, CISO of Grand Canyon University, joined by John Delaroderie, Security Solutions Architect at Qualys, to discuss his approach to web application security with an emphasis on improving knowledge of web application vulnerabilities and the external attack surface, and his approach to reducing the number of opportunities an attacker has to compromise our information and infrastructure! In the Application Security News, An old security bug in the Play library still affects 8% of apps in Google Play, Project Zero researcher spends six months to reboot an iPhone (in an epic manner), GitHub looks at the security of repos within its Octoverse, the OWASP Web Security Testing Guide gets a minor bump, and XS-Leaks get more attention.

 

Show Notes: https://securityweekly.com/asw133

Visit https://securityweekly.com/qualys to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Dec 08, 2020
Talking Cookies - ASW #132
01:08:25

This week, we welcome back Tim Mackey, Principal Security Strategist at Synopsys, to talk about Security Decisions During Application Development! In the Application Security News, Xbox bug exposed email identities, focusing on prevention for your cloud security strategies, Amazon looking to hire more Rust developers, KubeCon continues push for security, and a DevOps reading list!

 

Show Notes: https://securityweekly.com/asw132

Visit https://securityweekly.com/synopsys to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Dec 01, 2020
Thunderdome Technique - ASW #131
01:04:03

This week, in the first segment, Mike, Adrian, and John discuss Threat Modeling! We threat model every day without realizing it. And, of course, we often threat model with systems and products within our organizations. So how formal does our approach need to be? How do we best guide the "what could go wrong" discussion with DevOps teams? And what's a sign that we're generating useful threat models? In the Application Security News, a manifesto highlights principles and values for threat modeling, the CNCF releases a Cloud Native Security Whitepaper, Microsoft put security in the CPU with Pluton, mass scanning for secrets, ancient flaws resurface in Drupal, and steps for implementing source composition analysis!

 

Show Notes: https://wiki.securityweekly.com/asw131

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 24, 2020
Black Friday - ASW #130
01:06:08

This week, we welcome Rickard Carlsson, Co-founder & CEO at Detectify, to talk about Automated Hacker Knowledge! In the Application Security News, The Platypus Attack Threatens Intel SGX, a Revitalized Attack Makes for Sad DNS, Bug Hunter Hits DOD With an IDOR, Steps for DevOps, Testing in Prod, Two More Chrome Bugs, and Open Source K8s Tools From Capital One!

 

Show Notes: https://wiki.securityweekly.com/asw130

Visit https://securityweekly.com/detectify to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 17, 2020
Snowy Clouds - ASW #129
01:16:17

This week, we have the pleasure to welcome back Keith Hoodlet, Senior Manager, Application Experience at Thermo Fisher Scientific, and former Host of Application Security Weekly, to discuss how Security Is a Feature! In the Application Security News, China's top hacking contest turns months of effort into 15 minutes of exploits, an injection flaw in GitHub Actions, understanding post-compromise activity in exploits targeting Solaris and VoIP, security and quality challenges in integrating software from multiple vendors, and CVE naming turns into wibbly wobbly timey wimey stuff!

 

Show Notes: https://wiki.securityweekly.com/asw129

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 10, 2020
Exploding Decompression - ASW #128
01:08:53

This week, we welcome Alfred Chung, Sr. Product Manager at Signal Sciences, to discuss Azure App Service & Cloud-Native Signal Sciences Deployments! In the Application Security News, Lax IoT security exposes smart-irrigation systems, Adobe Flash goes truly end of line in one last update, confidential computing gets a turbo boost with Nitro, link previews show security and privacy problems, and security theatre gets an encore!

 

Show Notes: https://wiki.securityweekly.com/asw128

Visit https://securityweekly.com/signalsciences to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 03, 2020
The Spookiest Month - ASW #127
01:10:36

This week, we welcome Cesar Rodriguez, Head of Developer Advocacy at Accurics, to talk about Cyber Resiliency Through Self-Healing Cloud Infrastructure! In the Application Security News, NSA publishes list of top vulnerabilities currently targeted by Chinese hackers, Nvidia Warns Gamers of Severe GeForce Experience Flaws, Addressing cybersecurity risk in industrial IoT and OT, Firefox 'Site Isolation' feature enters user testing, expected next year, Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser, and Exit Stage Left: Eradicating Security Theater!

 

Show Notes: https://wiki.securityweekly.com/asw127

Visit https://securityweekly.com/accurics to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 27, 2020
Way Over My Head - ASW #126
01:07:16

This week, we welcome Taylor McCaslin, Security Product Manager at GitLab, to discuss current trends in the application security testing industry! In the Application Security News, Patch Your Windows - “Ping of Death” bug revealed, 800,000 SonicWall VPNs vulnerable to remote code execution bug, T2 Exploit Team Creates Cable That Hacks Mac, Zoom Rolling Out End-to-End Encryption, and 'BleedingTooth' Bluetooth flaw!

 

Show Notes: https://wiki.securityweekly.com/asw126

Visit https://securityweekly.com/GitLab to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 20, 2020
Still Raging - ASW #125
01:11:02

This week, we welcome James Manico, CEO at Manicode Security, to talk about Application Security Best Practices! In the Application Security News, Redefining Impossible: XSS without arbitrary JavaScript, API flaws in an "unconventional" smart device, Facebook Bug Bounty Announces "Hacker Plus", Anti-Virus Vulnerabilities, and Chrome Introduces Cache Partitioning!

 

Show Notes: https://wiki.securityweekly.com/asw125

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 12, 2020
The Laughing Isn't Helping - ASW #124
01:11:40

This week, we welcome Chris Romeo, CEO at Security Journey, to discuss Things Every Developer Should Know About Security! In the Application Security News, DOMOS 5.8 - OS Command Injection, 4G, 5G networks could be vulnerable to exploit due to ‘mishmash’ of old technologies, Google sets up research grant for finding bugs in browser JavaScript engines, Announcing the launch of the Android Partner Vulnerability Initiative, and more!

 

Show Notes: https://wiki.securityweekly.com/asw124

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 06, 2020
Hot Off the Press - ASW #123
01:03:22

This week, Mike, Matt, and John talk about The Difference Between Finding Vulns & Securing Apps! In the Application Security News, 6 Things to Know About the Microsoft 'Zerologon' Flaw, You can bypass TikTok's MFA by logging in via a browser, Instagram RCE: Code Execution Vulnerability in Instagram App for Android and iOS, and more!

 

Show Notes: https://wiki.securityweekly.com/asw123

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 28, 2020
One Love, One Fuzz - ASW #122
01:13:00

This week, we welcome Justin Massey, Product Manager, Security Monitoring at Datadog, to discuss Visualizing and Detecting Threats For Your Custom Application! In the Application Security News, Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale, Bluetooth Spoofing Bug Affects Billions of IoT Devices, Firefox bug lets you hijack nearby mobile browsers via WiFi, Safeguarding Secrets Within the Pipeline, and more!

 

Show Notes: https://wiki.securityweekly.com/asw122

Visit https://securityweekly.com/datadog to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 22, 2020
The Wire Stripper - ASW #121
01:13:06

This week, we welcome Frank Catucci, Sr. Director GTP of Application Security at Gartner, to discuss The People & Process of DevOps! In the Application Security News, BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys, Microsoft Patch Tuesday, Sept. 2020 Edition, XSS->Fix->Bypass: 10000$ bounty in Google Maps, Academics find crypto bugs in 306 popular Android apps, none get patched, using CRYLOGGER to detect crypto misuses dynamically, Remote Code Execution as SYSTEM/root via Backblaze, and more!

 

Show Notes: https://wiki.securityweekly.com/asw121

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 14, 2020
Little Bit Too High - ASW #120
01:11:08

This week, we welcome Marc Tremsal, Director of Product Management of Security at Datadog, to discuss Detecting Threats & Avoiding Misconfigs In The Cloud-Age! In the Application Security News, A Tale of Escaping a Hardened Docker container, Four More Bugs Patched in Microsoft’s Azure Sphere IoT Platform, Upgrading GitHub to Ruby 2.7, Upgrading GitHub to Ruby 2.7, Redefining What CISO Success Looks Like, and Lessons from Uber: Be crystal clear on the law and your bug bounty policies!

 

Show Notes: https://wiki.securityweekly.com/asw120

Visit https://securityweekly.com/datadog to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 01, 2020
Heavy Pressure - ASW #119
01:08:13

This week, we welcome Sundar Krish, CEO & Co-Founder at Sken.ai, to talk about DevOps-First Application Security For Mid-Markets! In the Application Security News, The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer, ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks, Control Flow Guard for Clang/LLVM and Rust, Fuzzing Services Help Push Technology into DevOps Pipeline, and 7 Things to Make DevSecOps a Reality!

 

Show Notes: https://wiki.securityweekly.com/asw119

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Aug 24, 2020
Positive Drift - ASW #118
01:07:38

This week, we welcome back Cesar Rodriguez, Head of Developer Advocacy at Accurics, to discuss Immutable Security For Immutable Infrastructure! In the Application Security News, Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards, In-band key negotiation issue in AWS S3 Crypto SDK for golang, Re VoL TE attack can decrypt 4G (LTE) calls to eavesdrop on conversations, Hardware Security Is Hard: How Hardware Boundaries Define Platform Security, How to make your security team more business savvy, and more!

 

Show Notes: https://wiki.securityweekly.com/asw118

Visit https://securityweekly.com/accurics to learn more about them!

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Aug 17, 2020
Maximum Isolation - ASW #117
01:03:29

This week, it's Security Weekly Virtual Hacker Summer Camp 2020! In our first segment, we welcome Mike Rothman, President at DisruptOps, to discuss: How Does Sec Live In A DevOps World? In the Application Security News, Using Amazon GuardDuty to Protect Your S3, OkCupid Security Flaw Threatens Intimate Dater Details, Florida teen charged as mastermind in Twitter hack hitting Biden, Bezos, and others, Sandboxing and Workload Isolation, and Microsoft to remove all SHA-1 Windows downloads next week!

 

Show Notes: https://wiki.securityweekly.com/asw117

Try it out free of charge and experience the future of security operations. Visit https://disruptops.com/free-evaluation/

 

Join the Security Weekly Discord Server: https://discord.gg/pqSwWm4

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Aug 04, 2020
It Makes No Sense - ASW #116
01:07:09

This week, we welcome John Matherly, Founder of Shodan, to talk about Fixing Vulnerabilities Effectively & Efficiently! In the Application Security News, TaskRouter JS SDK Security Incident, Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability, An EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices, Towards native security defenses for the web ecosystem, and more!

 

Show Notes: https://wiki.securityweekly.com/asw116

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 27, 2020
Back in the 90's - ASW #115
01:16:09

This week, we welcome Kris Rajana, President and CTO at Biarca, and Bhasker Nallapothula, Director of Engineering at Biarca, to talk about Cloud Security Posture Management & Governance! In the Application Security News, SIGRed Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers, Introducing Google Cloud Confidential Computing with Confidential VMs, Internet of Things devices: Stick to these security rules or you could face a ban, Google Cloud Unveils 'Confidential VMs' to Protect Data in Use, and more!

 

Show Notes: https://wiki.securityweekly.com/asw115

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 20, 2020
Absolutely Useless - ASW #114
01:05:42

This week, we welcome Judy Ngure, Cybersecurity Engineer at Africastalking, to talk about DevSecOps! In the Application Security News, Microsoft OneDrive client for Windows Qt QML module hijack, Zero-day flaw found in Zoom for Windows 7, Protecting your remote workforce from application-based attacks like consent phishing, Verizon Media, PayPal, Twitter Top Bug-Bounty Rankings, Mozilla suspends Firefox Send service while it addresses malware abuse, and Stop Talking About Technical Debt!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode114

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 14, 2020
Crunchy Crunchy! - ASW #113
01:09:49

This week, we welcome Catherine Chambers and Will Hickie from Irdeto, to discuss Protecting Mobile Applications! In the Application Security News, Would you like some RCE with your Guacamole?, Attackers Will Target Critical PAN-OS Flaw, Security Experts Warn, Microsoft releases emergency security update to fix two bugs in Windows codecs, The Current State of Kubernetes Threat Modelling, and How To Build a Culture of Resilience Through Good Habits!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode113

To download the white paper, visit: https://securityweekly.com/irdeto

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 06, 2020
Completely Forgotten - ASW #112
01:05:38

This week, we welcome Cesar Rodriguez, Head of Developer Advocacy at Accurics, to talk about Using IaC to Establish And Analyze Secure Environments! In the Application Security News, DLL Hijacking at the Trend Micro Password Manager, Adobe Prompts Users to Uninstall Flash Player As EOL Date Looms, The State of Open Source Security 2020, Microservices vs. Monoliths: Which is Right for Your Enterprise?, What Modern CI/CD Should Look Like, and Build trust through better privacy!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode112

To learn more about Accurics, visit: https://securityweekly.com/accurics

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Jun 29, 2020
The Boy Who Cried Wolf - ASW #111
01:08:16

This week, we welcome Michelle Dennedy, CEO of DrumWave, to discuss Data Mapping & Data Value Journey! In the Application Security News, CallStranger hits the horror trope where the call is coming from inside the house, SMBleedingGhost Writeup expands on prior SMB flaws that exposed kernel memory, Misconfigured Kubeflow workloads are a security risk, Verizon Data Breach Investigations Report, and more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode111

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 15, 2020
Full of Ideas - ASW #110
01:06:42

This week, we welcome Phillip Maddux, Sr. Technical Account Manager at Signal Sciences, to talk about The Future State of AppSec! In the Application Security News, Two vulnerabilities in Zoom could lead to code execution, Zero-day in Sign in with Apple, Focus on Speed Doesn t Mean Focus on Automation, Apple pushes fix across ALL devices for unc0ver jailbreak flaw, and more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode110

To learn more about Signal Sciences, visit: https://securityweekly.com/signalsciences

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 09, 2020
Prohibitively Expensive - ASW #109
01:08:04

This week, we speak with John Chirhart, Customer Experience Engineer at Google Cloud, to discuss How to Prevent Account Takeover Attacks! In our second segment, we welcome Catherine Chambers, Senior Product Manager at Irdeto, to talk about why Apps Are the New Endpoint!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode109

To learn more about Irdeto, visit: https://securityweekly.com/irdeto

To learn more about Google Cloud and reCAPTCHA, visit: https://securityweekly.com/recaptcha

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 01, 2020
Shake My Head - ASW #108
01:11:37

This week, we welcome Jack Zarris, Senior Sales Engineer at Signal Sciences, to talk about Using Rate Limiting to Protect Web Apps and APIs! In our second segment, we welcome Tim Mackey, Principal Security Strategist at Synopsys, to discuss the Highlights From the New Open Source Security and Risk Analysis Report!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode108

To learn more about Synopsys, visit: https://securityweekly.com/synopsys

To learn more about Signal Sciences, visit: https://securityweekly.com/signalsciences

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

May 18, 2020
A Perfect Ten - ASW #107
01:10:21

This week, we welcome back Joe Garcia, DevOps Security Engineer at CyberArk, to discuss How Can Security Work TOGETHER, Not Against, Developers! In the Application Security News, Cloud servers hacked via critical SaltStack vulnerabilities, Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected, Mitigating vulnerabilities in endpoint network stacks, Microsoft Shells Out $100K for IoT Security, and Secure your team s code with code scanning and secret scanning!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode107

To learn more about CyberArk, visit: https://securityweekly.com/cyberark

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

May 11, 2020
Swiss Cheese - ASW #106
01:12:36

This week, we welcome Gareth Rushgrove, Director of Product Management at Snyk, to talk about Modern Application Security and Container Security! In the Application Security News, Psychic Paper demonstrates why a lack of safe and consistent parsing of XML is disturbing, Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, Salt Bugs Allow Full RCE as Root on Cloud Servers, and Love Bug's creator tracked down to repair shop in Manila!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode106

To learn more about Snyk, visit: https://securityweekly.com/snyk

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

May 04, 2020
Blinky Lights - ASW #105
01:05:58

This week, we welcome Avi Douglen, Founder and CEO of Bounce Security, to talk about Threat Modeling in Application Security, DevSecOps, and how Application Security is mapping Security culture! In the Application Security News, Nintendo Confirms Breach of 160,000 Accounts via a legacy endpoint, NSA shares list of vulnerabilities commonly exploited to plant web shells, Code Patterns for API Authorization: Designing for Security, Health Prognosis on the Security of IoMT Devices? Not Good, and 8 Tips to Create an Accurate and Helpful Post-Mortem Incident Report!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode105

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 27, 2020
Crabby Code - ASW #104
01:10:50

This week, we welcome Rebecca Black, Senior Staff Application Security Engineer at Avalara, to talk about Building an AppSec Ecosystem! This week in the Application Security News, JSON Web Token Validation Bypass in Auth0 Authentication API, Mining for malicious Ruby gems, A Brief History of a Rootable Docker Image, Privacy In The Time Of COVID, and Threat modeling explained: A process for anticipating cyber attacks!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode104

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 20, 2020
Some Good Meatiness - ASW #103
01:11:33

This week, we welcome Brad Geesaman, Co-Founder of Darkbit, to talk about Making Kubernetes a Hostile Place for Attackers! In the Application Security News, Zoom Taps Ex-Facebook CISO Amid Security Snafus, Lawsuit, How we abused Slack's TURN servers to gain access to internal services, Moving from reCAPTCHA to hCaptcha, Automate Security Testing with ZAP and GitHub Actions, Shift-Right Testing: The Emergence of TestOps, and Building Secure and Reliable Systems!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode103

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 14, 2020
The Sky Is Falling - ASW #102
01:11:41

This week, we welcome Grant Ongers, Co-Founder of Secure Delivery, to discuss why "You re (probably) Doing AppSec Wrong"! In the Application Security News, Zoom is gaining lots of attention for flaws, Popular Digital Wallet Exposes Millions to Risk in Huge Data Leak, 12k+ Android apps contain master passwords, secret access keys, secret commands in not-so-secret client-side code identified by a research tool Inputscope, and more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode102

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 06, 2020
Syncing of the Minds - ASW #101
01:12:19

This week, we welcome Adam Hughes, Chief Software Architect at Sylabs Inc., to discuss Singularity: A Different Take on Container Security! In the second segment, we welcome Utsav Sanghani, Senior Product Manager at Synopsys, to discuss Why combining SAST and SCA in your IDE produces higher quality, secure software faster!

 

To learn more about Synopsys, visit: https://securityweekly.com/synopsys

Show Notes: https://wiki.securityweekly.com/ASWEpisode101

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 23, 2020
100 Years - ASW #100
01:12:26

This week, we welcome Clint Gibler, Research Director at NCC Group, to discuss DevSecOps and Scaling Security! In the Application Security News, Data of millions of eBay and Amazon shoppers exposed as another supply chain casualty, Announcing Bottlerocket, a new open-source Linux-based operating system purpose-built to run containers, and The DevOps Sweet Spot: Inserting Security at Pull Requests (Part 1)!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode100

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 17, 2020
Party Like It's '99 - ASW #99
01:13:46

This week, we welcome Guy Podjarny, Snyk's Founder and President! In the Application Security News, Revoking certain certificates on March 4 and Why 3 million Let s Encrypt certificates are being killed off today, Gandalf: An Intelligent, End-To-End Analytics Service for Safe Deployment in Large-Scale Cloud Infrastructure and slides, and CISOs Who Want a Seat at the DevOps Table Better Bring Value!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode99

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 11, 2020
Fabric of Confidence - ASW #98
01:10:06

This week, we welcome Dan Petit, to discuss his upcoming 2-day workshop at InfoSec World 2020! The workshop is a "deep survey" into all things DevSecOps. In the Application Security News, CVE-2020-1938: Ghostcat vulnerability in the Tomcat Apache JServ Protocol, APIs are becoming a major target for credential stuffing attacks and don't have to target the login workflow, SSL/TLS certificate validity chopped down to one year by Apple s Safari and how this can drive secure DevOps behaviors, and 5 key areas for tech leaders to watch in 2020!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode98

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 03, 2020
Really Windy - ASW #97
01:03:25

This week, live from RSAC 2020, we interview Chris Eng, Chief Research Officer at Veracode! Chris provides an update on Veracode including 2019 growth, new product announcements, Veracode Security Labs, and booth activities at RSA Conference 2020! In the RSAC Application Security News, 6 of the 10 vendors at Innovation Sandbox are application security companies, F5 Empowers Customers with End-to-End App Security, Checkmarx Simplifies Automation of Application Security Testing for Modern Development and DevOps Environments, and more RSA Conference News!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode97

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 26, 2020
Over the Edge - ASW #96
01:12:39

This week, we welcome Doug DePerry, Director of Defense at Datadog, to discuss Lessons Learned From The DevSecOps Trenches! In the Application Security News, SweynTooth: Unleashing Mayhem over Bluetooth Low Energy, RetireJS, What Is DevSecOps and How to Enable It on Your SDLC? and more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode96

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 18, 2020
The Toothbrush of Trust - ASW #95
01:08:07

This week, Mike and John interview Shaun Lamb about strategies for how to best design applications so they are "secure by default" and have fewer incidents and vulnerabilities, and more! In the Application Security News, Dropbox bug bounty program has paid out over $1,000,000, Report Pins Cloud Security Woes on Flawed DevOps Processes, Ghost in the shell: Investigating web shell attacks, An Incident Impacting your Account Identity, and more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode95

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 11, 2020
Totally Thrilled - ASW #94
54:36

This week, Mike, John, and Matt review the presentation given by Clint Gilber at AppSec Cali, An Opinionated Guide to Scaling Your Company's Security! In the Application Security News, Xbox Bounty Program, Magento 2.3.4 Patches Critical Code Execution Vulnerabilities, Remote Cloud Execution - Critical Vulnerabilities in Azure Cloud Infrastructure, RCE in OpenSMTPD library impacts BSD and Linux distros, Fintechs divided on screen scraping ban, and Zero trust architecture design principles!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode94

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 04, 2020
Running Out of Fingers - ASW #93
01:07:43

This week, we welcome John Butler, Solutions Engineer at Guardsquare, to discuss Dynamically Protecting Mobile Applications with RASP! In the Application Security News, Insecure configurations expose GE Healthcare devices to attacks demonstrate more simple flaws with high impacts, NSA Offers Guidance on Mitigating Cloud Vulnerabilities, Enumerating Docker Registries with go-pillage-registries for pentesters searching for useful information, and more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode93

To request a demo with Guardsquare, please visit: https://securityweekly.com/guardsquare

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 28, 2020
Warm & Fuzzy - ASW #92
01:08:35

This week in our first segment, Mike, Matt, and John, discuss Protecting Data in Apps and Protecting Apps from Data! In the Application Security News, PoC Exploits Published For Microsoft Crypto Bug disclosed by NSA, Introducing Microsoft Application Inspector, Vulnerability management requires good people and patching skills, and DevSecOps: 10 Best Practices to Embed Security into DevOps are more like 10 verbs related to DevOps responsibilities!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode92

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 21, 2020
Carrot in the Cliff - ASW #91
01:09:09

This week, we welcome Hillel Solow, CTO at Check Point, to discuss The Evolution of DevSecOps and AppSec Trends in 2020! In the Application Security News, Policy and Disclosure: 2020 Edition, A look back & forward for bug bounties over the past decade, 4 Ring Employees Fired For Spying on Customers, Exploit Fully Breaks SHA-1, Lowers the Attack Bar, The Open Source Licence Debate: Comprehension Consternations & Stipulation Frustrations, Synopsys Buys Tinfoil, and Rotate Your Amazon RDS, Aurora, and Amazon DocumentDB (with MongoDB compatibility) Certificates!

 

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode91

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Jan 14, 2020
Learn & Improve - ASW #90
57:21

This week on Application Security Weekly, Mike Shema and Matt Alderman discuss Privacy by Design - The 7 Foundational Principles! In the Application Security News, Featured Flaws and Big Breaches, Cloud, Code and Controls (Python is dead. Long live Python!), Learning and Tools (Breaking Down the OWASP API Security Top 10), and Food for Thought (Facebook will stop mining contacts with your 2FA number, 6 Security Team Goals for DevSecOps in 2020, 7 security incidents that cost CISOs their jobs)!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode90

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 07, 2020
Backup & Restore - ASW #89
01:12:20

This week, we welcome Dave Ferguson, Director of Product Management and WAS at Qualys! Dave will discuss the issue of latent vulnerabilities and how they may linger in your custom-coded web applications and APIs, presenting an enticing target for attackers. In the Application Security News, GitLab Doles Out Half a Million Bucks to White Hats, How can we integrate security into the DevOps pipelines?, Go passwordless to strengthen security and reduce costs - and design your app to support these types of workflows, including account recovery.

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode89

To learn more, visit: https://securityweekly.com/qualys

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Dec 17, 2019
Dad Jokes - ASW #88
01:08:10

This week, we welcome Allan Friedman, Director of Cybersecurity Initiatives at the NTIA US Department of Commerce, to talk about the Software Bill of Materials! In the Application Security News, GitHub Seeks Security Dominance With Developers, IoT and Agile Framework Partners in Efficacy, WhiteSource acquires & open sources Renovate dependency update toolset, and Java vs. Python: Which should you choose?

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode88

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Dec 10, 2019
Low Hanging Fruit - ASW #87
01:04:06

This week, we welcome Sandy Carielli, Principal Analyst at Forrester Research, to discuss the impact of good and bad bots on enterprises and how it is both a security and customer experience problem! In the Application Security News, Analysis of Jira Bug Stresses Impact of SSRF in Public Cloud, DevSecOps Adoption and the Web Security Myth, Facebook, Twitter profiles slurped by mobile apps using malicious SDKs, Firefox gets tough on tracking tricks that sneakily sap your privacy, and Decoding the Modern Enterprise Software Spaghetti!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode87

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Dec 03, 2019
Snarky Ways - ASW #86
01:05:31

This week, we welcome Tim Mackey, Principal Security Strategist at Synopsys! In the Application Security News, $1M Google Hacking Prize, 1.2B Records Exposed in Massive Server Leak, How Attackers Could Hijack Your Android Camera to Spy on You, XSS in GMail s AMP4Email via DOM Clobbering, and more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode86

To learn more about Synopsys, visit: https://securityweekly.com/synopsys

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Nov 26, 2019
Notoriously Targeted - ASW #85
01:05:49

This week, we welcome back Pawan Shankar, Senior Product Marketing Manager of Sysdig, to announce the launch of Sysdig Secure 3.0! In the Application Security News, Mirantis' Docker Enterprise acquisition a lifeline as industry shifts to Kubernetes, Attackers' Costs Increasing as Businesses Focus on Security, Soft Skills: 6 Nontechnical Traits CISOs Need to Succeed, and Three Ways Developers Can Worry Less About Security!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode85

To learn more about Sysdig, visit: https://securityweekly.com/sysdig

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 19, 2019
Destroying Your Tree - ASW #84
01:05:32

This week, in the first segment, Mike, Matt, and John talk Security Testing! In the Application Security News, Pwn2Own Tokyo Roundup: Amazon Echo, Routers, Smart TVs Fall to Hackers, Robinhood Traders Discovered a Glitch That Gave Them 'Infinite Leverage', Bugcrowd Pays Out Over $500K in Bounties in One Week, GWP-ASan: Sampling heap memory error detection in-the-wild, and more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode84

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 13, 2019
Disrupting the Office - ASW #83
01:06:34

This week, we interview Daniel Lowrie and Justin Dennison, Edutainers at ITProTV, to discuss how to bridge the gap between a Developer and Security! In the Application Security News, Stable Channel Update for Desktop Chrome users should upgrade to, Overcoming the container security conundrum: What enterprises need to know, Security Think Tank: In the cloud, the buck stops with you, PHP Bug Allows Remote Code-Execution on NGINX, Servers and patch details at Sec Bug #78599, Raising Security Awareness: Why Tools Can't Replace People, and much more!

 

To learn more about ITProTV, visit: https://securityweekly.com/itprotv

Show Notes: https://wiki.securityweekly.com/ASWEpisode83

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Nov 05, 2019
The Scary World - ASW #82
01:05:38

This week, Mike Shema, Matt Alderman, and John Kinsella talk about Bug Bounties, Pentesting, & Scanners! In the Application Security News, Top cloud security controls you should be using, State of Software Security X, Developers: The Cause of and Solution to Security's Biggest Problems, and much more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode82

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 29, 2019
Exceedingly Happy - ASW #81
01:10:26

This week, we welcome Doug Coburn, Director of Professional Services at Signal Sciences, discussing Containers, Layer 7, and Application Security! In the Application Security News, From Stackoverflow to CVE, with some laughs along the way, Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise, Recent Site Isolation improvements in Chrome, policy_sentry is an IAM Least Privilege Policy Generator, auditor, and analysis database, and much more!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode81

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 22, 2019
Spaghetti Code - ASW #80
01:05:23

This week, we welcome Francois Lacelles, Field CTO of Ping Identity for an interview! In the Application Security News, Key takeaways from Imperva breach, From Automated Cloud Deployment to Progressive Delivery, Designing Your First App in Kubernetes: An Overview Food for Thought, Autonomy and the death of CVEs?, and AppSec 'Spaghetti on the Wall' Tool Strategy Undermining Security!

 

To learn more about Ping Identity, visit: https://securityweekly.com/ping

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode80

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Oct 15, 2019
A Sea of Orange - ASW #79
01:15:45

This week, Mike, Matt, and John talk about Cloud Security for Small Teams! In the Application Security News, Ex-Yahoo Engineer Abused Access to Hack 6,000 User Accounts, American Express Insider Breaches Cardholder Information, How a double-free bug in, WhatsApp turns to RCE, Flare-on 6 2019 Writeups, and Five Trends Shaping the Future of Container Security!

 

Show Notes: https://wiki.securityweekly.com/ASWEpisode79

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

 

Oct 08, 2019
The Notorious Bucket - ASW #78
01:03:19

This week, we welcome Ryan Kelso, Application Security Engineer at 10-Sec, Inc., to discuss Information Disclosure Vulnerabilities! In the Application Security News, Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways, Intelligent Tracking Prevention 2.3 and a discussion to Limit the length of the Referer header with some background on Browser Side Channels, Serverless Security Threats Loom as Enterprises Go Cloud Native, and much more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode78

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 01, 2019
Something Should Exist - ASW #77
01:08:38

This week, we welcome Nicolas Valcarcel, Security Engineer at NextRoll! In the Application Security News, BSIMM10 Emphasizes DevOps' Role in Software Security and the BSIMM10 report, Crowdsourced Security & the Gig Economy, Lessons learned through 15 years of SDL at work, Software eats the world, jobs double US employment growth rate, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode77

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 23, 2019
Pick Your Example - ASW #76
01:13:20

This week, we welcome Jay Durga, IT Architect at CIRCOR International, to discuss the excel tool he developed, and how it can be used to measure metrics or as a guidance document for testing effectiveness of security controls put in place in your SDLC and DevOps process! In the Application Security News, Simjacker Next Generation Spying Over Mobile, Intel CPUs Vulnerable to Sensitive Data Leakage in NetCAT Attack and NetCAT: Practical Cache Attacks from the Network, What is PSD2? And how it will impact the payments processing industry, Better Together: Why Software-Development Toolmakers Should Embrace Integration, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode76

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Sep 16, 2019
The Man With A Plan - ASW #75
01:11:52

Ty Sbano is the Cloud Chief Information Security Officer of Sisense. Ty will be discussing Tools in the DevOps Pipeline, Component Analysis, and Anything Application Security! ***** A very deep dive into iOS Exploit chains found in the wild followed by Heap Exploit Development, Twitter turns off SMS texting after @Jack hijacking, CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim, 7 Steps to Web App Security, Fuzzing 101: Why Bug Hunters Still Love It After All These Years, and more!

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode75 Visit https://www.securityweekly.com/asw for all the latest episodes!

Sep 10, 2019
Still Alive - ASW #74
01:06:54

This week, we welcome Pawan Shankar, Senior Product Marketing Manager of Sysdig! In our second segment, we air two pre-recorded interviews with Azi Cohen, Co-Founder of WhiteSource, and Jeff Hudson, CEO of Venafi from BlackHat USA 2019!

 

To learn more about Sysdig, visit: https://securityweekly.com/sysdig

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode74

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Aug 27, 2019
The Dark Data - ASW #73
01:21:18

This week, in the Application Security News, HTTP/2 Denial of Service Advisory with seven vulns that affects the protocol implemented by several vendors, SSH certificate authentication for GitHub Enterprise Cloud works well with tools like Sharkey and BLESS, Polaris Points the Way to Kubernetes Best Practices, and much more! In our second segment, we air three pre-recorded interviews from Black Hat 2019, with Ameya Talwalker from Cequence, Mark Batchelor from PING Identity, and Michael Krueger from NowSecure!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode73

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Aug 20, 2019
Highly Distributed - ASW #72
01:04:08

This week, Mike Shema and Matt Alderman discuss Hacker Summer Camp as the Security Weekly team has returned from Las Vegas all in one piece! In the Application Security News, From Equifax to Capital One: The problem with web application security, Apple extends its bug bounty program to cover macOS with $1 million in rewards, Azure Security Lab: a new space for Azure research and collaboration, Awarding Google Cloud Vulnerability Research, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode72

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Visit https://www.securityweekly.com/asw for all the latest episodes!

Aug 14, 2019
Off Guard - Application Security Weekly #71
01:14:13

This week, in the Application Security News, Rare Steganography Hack Can Compromise Fully Patched Websites, Bug Bounties Continue to Rise as Google Boosts its Payouts, Snyk Acquires DevSecCon to Boost DevSecOps Community, and much more! In our second segment, we welcome Murray Goldschmidt, COO & Co-founder of Sense of Security, to talk about The State of Container Security in the Enterprise!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode71

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 30, 2019
Help Us! - Application Security Weekly #70
01:05:20

This week, we welcome Ian Eyberg, CEO of NanoVMs! In the Application Security News, detecting malware in package manager repositories, Attacking SSL VPN, Solving Digital Transformation Cybersecurity Concerns With DevSecOps, How I Could Have Hacked Any Instagram Account, Tracking Anonymized Bluetooth Devices and Bluetooth Bug, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode70

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 23, 2019
Paving the Road - Application Security Weekly #69
01:14:59

This week, we welcome Gururaj Pandurangi, Founder and CEO of Cloudneeti, to discuss Security in Multi-Cloud Environments! In the Application Security News, yes, the Zoom thing, 50 ways to leak your data in 1,300 popular Android apps access data, without proper permissions, GE Aviation exposed internal configs via open Jenkins instance, and more!

 

To learn more about Cloudneeti, visit: https://securityweekly.com/cloudneeti

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode69

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 16, 2019
Wise Words - Application Security Weekly #68
01:04:11

This week, Mike Shema, John Kinsella, and Matt Alderman talk Cloud Native from an application perspective! In the Application Security News, WordPress Plugin WP Statistics Patches XSS Flaw, Three RCEs in Android's Media framework, Nine Best Practices For Integrating Application Security Testing Into DevOps, 6 Traits That Define DevSecOps, and much more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode68

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 09, 2019
Everybody Learns Differently - Application Security Weekly #67
01:04:28

This week, Mike Shema, John Kinsella, & Matt Alderman discuss security training for Devs! In the Application Security News, GKE improves authentication with Workload Identity, AWS reinforce reveals traffic tools and security solutions that improve support for DevOps, Brief history of Trusted Execution Environments, From the Enterprise's Project: How to Explain Service Mesh in Plain English, and Developers and Security Teams Under Pressure to Collaborate!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode67

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jul 02, 2019
Breaking Down the Walls - Application Security Weekly #66
01:05:58

This week, Matt, John, and Mike discuss a guide to API Security! They also discuss Public vs. Private APIs, and if the best practice should be segregation of the two! In the Application Security News, Mozilla pushes a patch onto an Array, Netflix shares a stream of patches, Breach to bankruptcy for healthcare company, Osquery becomes a foundational tool, Avoiding DevOps dangers, and Assigning DevOps directions!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode66

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 25, 2019
Buzzword Bingo - Application Security Weekly #65
01:09:40

This week, we interview Shannon Lietz, the Director Information Security at Intuit, to talk about DevOps! In the Application Security News, there's no escape that will save you..., the privilege of running a Chrome extension, and Four practices towards DevSecOps!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode65

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Jun 18, 2019
Everyone Looks Smart - Application Security Weekly #64
01:09:56

This week, we welcome Tanya Janca, also known as SheHacksPurple, a senior cloud advocate for Microsoft, specializing in application, cloud security, and more! Tanya is joining us on the show to talk about DevSecOps and Securing Software Supply Chains! In the Application Security News, "Waiting for the worms to come." -- Pink Floyd and RDP's CVE-2019-0708. Even the NSA warns about the population of exposed systems, A patch commands attention for mail servers, In macOS Catalina and iOS 13, Apples finds a way to find devices and not lose privacy, iOS App Transport Security has strong benefits, but weak adoption, and much more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode64

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 11, 2019
Rainbows - Application Security Weekly #63
57:39

This week, Mike and John delve into some DevSecOps topics. They discuss good design patterns that emerged from cloud native environments, Kubernetes and containers, and building blocks of unique services in the AppSec world. In the Application Security News, Duo reveals a path from a Docker container to its host, Google fumbles some password functionality, GitHub makes dependency tracking more dependable, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode63

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jun 04, 2019
Third Degree Sunburns - Application Security Weekly #62
01:03:10

This week, we welcome Cody Wood, AppSec Product Support Engineer at Signal Sciences! In the AppSec News, Cisco Expressway goes off path and a Cisco IOS XE vuln goes for emojis, More erosion of CPU data boundaries, RDP patches a pre-auth problem and even resuscitates a patch process for XP, Microsoft's Attack Surface Analyzer gives DevSecOps teams more data, Clear design goals for better privacy and security, and Google Security blogs that basics are best!

 

To get involved with Signal Sciences, visit: https://securityweekly.com/signalsciences

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode62

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

May 21, 2019
The Right Direction - Application Security Weekly #61
01:11:04

This week, Derek Weeks joins us to talk about DevSecOps and Securing Software Supply Chains! Derek is the VP and DevOps Advocate at Sonatype! In the Application News, Chrome constrains the cookies and Edge pushes privacy, Windows builds a sandbox for Linux, Android Q for more quarantined code with more LLVM features, Steve Singh stepping down as Docker CEO, and Verizon releases its 2019 DBIR!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode61

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

May 14, 2019
Defense In Depth - Application Security Weekly #60
01:09:52

This week, we welcome Sven Morgenroth, Security Researcher at Netsparker to talk about securing our applications, web applications, and how we can make it easier to build applications! In the AppSec News, Firefox gives more scrutiny to add-ons but Firefox also forgot to give more scrutiny to a cert, Path traversals trampled by ransomware, Secure Software Design: The Next Frontier In Cybersecurity, Trust the Stack, Not the People, VRT adds a CAN, and MDM, parental controls, and security!

 

To learn more about Netsparker, visit: https://securityweekly.com/netsparker

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode60

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

May 07, 2019
The Other Side - Application Security Weekly #59
01:05:16

This week, we welcome Larry Maccherone, Senior Director of Comcast, to talk about the world of SecOps vs. DevSecOps! In the Application Security News, Software update gums up fingerprints, a counterproductive security practice expires thanks to well-considered guidelines, Docker Hub breach response, a path to hacking Ruby Gems, 5 Security Challenges to API Protection, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode59

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Apr 30, 2019
Hacking for Lazy People - Application Security Weekly #58
01:11:22

This week, we welcome Thomas Hatch, the creator of the Salt open source software project, and is the CTO of SaltStack, the company behind Salt! In the Application Security News, Breach at IT outsourcer Wipro, SCP serves the file it wants, Confluence Path traverses to RCE, another Local PrivEsc on Windows, easier sandboxing for C and C++ APIs, and Computer Science plus Ethics!

 

To learn more about SaltStack, visit: https://securityweekly.com/saltstack

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode58

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Apr 23, 2019
Containers and Kubernetes - Application Security Weekly #57
01:02:09

This last week was pretty busy with announcements and presentations from the Google Next Conference. In 2018 they previewed some security tools and this year many of them are now GA along with a lot of other developer-focused services. In the news, 3D fingerprints and unlocking Android, Ticking off another command injection, Alexa, audio, and annotations, STS no longer just for HTTP, and Hardenize goes beyond TLS.

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode57 Follow us on Twitter: https://www.twitter.com/securityweekly

Apr 16, 2019
Underlying Capabilities - Application Security Weekly #56
01:20:03

This week, we welcome Loris Degioanni from Sysdig to discuss their open source container native runtime security project called Falco! In the News segment, The Matrix turns 20, Containers are Weakest Security Leak Again, The Evolution of Application Security in the Serverless World, and more!

To learn more about Sysdig, visit: https://securityweekly.com/sysdig

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode56

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Apr 09, 2019
Until Next Time - Application Security Weekly #55
01:08:47

This week, we welcome Mike Shema, Product Security Lead of Square! Mike joins us on the show to talk about where the wins and challenges are in AppSec! In the Application Security News, XSS Vulnerability in Abandoned Cart Plugin Leads to WordPress Site Takeover, The RedMonk Programming Language Rankings: January 2019, I Deleted Facebook Last Year; Here's What Changed (and What Didn't), CommitStrip: Over-excited, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode55

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 28, 2019
A Bittersweet Ending - Application Security Weekly #54
01:02:53

This week, we welcome Jamie Duncan, a recovering history major who has been at Red Hat for just over 7 years! Beginning with his role as a TAM, his focus has increasingly centered on the operations-oriented features of OpenShift, including the May 2018 publication of OpenShift In Action by Manning Publishing. Jamie has had this discussion with customers, OpenShift advocates, and technology fans on multiple continents to date. In the Application Security News, Owner of MAGA-Friendly Yelp Knockoff Threatens to Call FBI After Researcher Exposes Security Holes, Chinese Data Breach Exposes 'Breed Ready' Status Of Almost 2 Million Women, Dozens of companies leaked sensitive data thanks to misconfigured Box accounts, DARPA Is Building a $10 Million, Open Source, Secure Voting System, and much more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode54

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 20, 2019
Spot On - Application Security Weekly #53
57:15

This week, Keith and Paul discuss the structure and experiences of 2019's RSA Conference! In the Application Security News, WordPress accounted for 90 percent of all hacked CMS sites in 2018, Japanese police charge 13-year-old for sharing 'unclosable popup' prank online, Facebook exploit – Confirm website visitor identities, NSA's top policy advisor: It's time to start putting teeth in cyber deterrence, study shows programmers will take the easy way out and not implement proper password security, and the CommitStrip for the week on Why check for incognito mode?

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode53

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Mar 15, 2019
Lose Weight - Application Security Weekly #52
01:00:47

This week, many websites threatened by highly critical code-execution bug in Drupal, UK parliament calls for antitrust, data abuse probe of Facebook, CommitStrip: Get rich quick, Google says the built-in microphone it never told Nest users about was 'never supposed to be a secret', and more! In our second segment, we welcome Matt Springfield, is the Founder of 12Feet, Inc., an information security consulting firm based in the Dallas area! Matt has more than 23 years of information security experience spanning operations, architecture and consulting with a focus on large scale retail and service provider environments!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode52

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 27, 2019
Level of Trust - Application Security Weekly #51
52:12

This week, Matt and Paul interview Gurpreet S. Sachdeva, the Assistant Vice President of Technology for Altran! Gurpreet will be discussing "Integrating Security into DevOps"! In the Application Security News, A PNG Android Vulnerability, 620 million stolen accounts for sale on the dark web, how shifting security left speeds development, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode51

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 20, 2019
The World Traveler - Application Security Weekly #50
57:02

This week, Paul is joined by Joff Thyer to interview Tim Eades, CEO of vArmour, to talk about basic flow of problem, solution, and value! In the Application Security News, many popular iPhone apps secretly record your screen without asking, MongoDB databases still being held for ransom, most of the Fortune 100 still use flawed software that led to the Equifax breach, and a Chrome extension with millions of users is now serving popup ads!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode50

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 13, 2019
The Golden Generation - Application Security Weekly #49
01:01:14

This week, Keith and Paul discuss the current state of privacy and software development! They discuss how Facebook pays teens to install VPN that spies on them, how Apple blocks Facebook from running its internal iOS apps, and more! In the Application Security News, Three UK customer details exposed in homepage blunder, Microsoft cloud services see global authentication outage, the age of surveillance capitalism, the rise of DevXOps, and much more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode49

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Feb 06, 2019
The Human Brain - Application Security Weekly #48
01:10:13

This week, Keith and Paul start the show with the Application Security News, discussing concerns about WordPress’ new “White Screen of Death”, Google Chrome changes could ‘destroy’ ad-blockers, Mozilla is adding and ad-blocker to Firefox Focus 9.0, websites can steal browser data via extensions APIs, and a Fortnite security issue would have granted hackers access to accounts! In the second segment, Keith and Paul interview Jing Xie, Product Manager at Venafi, to talk about Static Analysis, Secure Code Signing, and more!!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode48

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 30, 2019
Different Checkpoints - Application Security Weekly #47
52:14

This week on Application Security Weekly, Matt Alderman takes the reigns and is joined by Co-Host James Wickett, who is the Head of Research at Signal Sciences! They talk about the human element of application security training and testing! In the Application Security News, Oracle patches 284 vulnerabilities, a bug in Twitter Android app exposed protected tweets, four tips for better API Security in 2019, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode47

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 23, 2019
The Wind Beneath My Wings - Application Security Weekly #46
55:43

This week, Keith and Paul interview Rey Bango, Security Advocate for Microsoft! Rey is focused on helping the community build secure systems & being a voice for researchers within MS! In the Application Security News, Another server security lapse at NASA exposed staff and project data, CRLF Injection Into PHP’s cURL Options, System Down: A systemd-journald exploit, GitHub now gives free users unlimited private repositories, Twitter is broken, Government shutdown: TLS certificates not renewed, many websites are down, and much more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode46

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 16, 2019
The Iceberg Problem - Application Security Weekly #45
01:00:03

This week, Keith and Paul interview Ken Johnson, Application Security Engineer at GitHub! Ken joins us to discuss approaching AppSec the right way, "running a scanner without context", getting the right context/importance of context, and how to figure what's real and what's legit! In the Application Security News, Wormable stored XSS on WordPress.org, a security lapse revealed private complaints from Silicon Valley employees, hackers hijack thousands of Chromecasts to warn of latest security bug, a linting tool for checking accessibility, speed, and security, host websites on GitHub, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode45

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Jan 09, 2019
In Flames - Application Security Weekly #44
01:00:52

This week, Keith and Paul interview Harry Sverdlove, CTO and Founder of Edgewise! Harry joins us to discuss what Edgewise does in the AppSec world, segmentation, cloud migration, trying different architectures, and more! In the Application Security News, Facebook bug exposed private photos of 6.8 million users, thousands of Jenkins servers will let anonymous users become admins, Signal app can't include a backdoor for the Australian government, WordPress plugs bug that led to Google indexing some user passwords, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode44

To get involved with Edgewise, go to: https://www.edgewise.net/securityweekly

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

Visit our website: https://www.securityweekly.com

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Follow us on Twitter: https://www.twitter.com/securityweekly

Dec 19, 2018
Top Secret - Application Security Weekly #43
50:47

This week, Keith and Paul interview Chris Elgee, the Technical Engineer at Counter Hack Challenges! Chris joins Keith and Paul this week to talk about the Counter Hack Challenge, how it’s been working on the challenge vs. playing it, and more! In the Application Security News, Kubernetes instances are being hijacked worldwide, malicious sites abuse 11-year old Firefox bug that Mozilla failed to fix, Google is on a Witch Hunt for Internal Leakers, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode43

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Dec 12, 2018
Stuck In My Teeth - Application Security Weekly #42
01:00:48

This week, Keith and Paul interview Aleksei Tiurin, Senior Security Researcher at Acunetix! Aleksei joins Keith and Paul this week for a Technical Segment on reverse proxies using WebLogic, Nginx, and Tomcat! In the Application Security News, hackers are opening SMB ports on routers to infect PC’s with NSA malware, bug detectives whip up smarter version of classic AFL fuzzer to hunt code vulnerabilities, malware & rogue users can spy on some apps' HTTPS crypto, exploiting developer infrastructure is insanely easy, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode42

To learn more about Acunetix, go to: www.acunetix.com/securityweekly

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Dec 05, 2018
Good Ol' Days - Application Security Weekly #41
01:11:18

This week, Keith and Paul interview Brent Dukes! Brent is a hacker, and Director of Information Security for an established manufacturing company. He joins Keith and Paul this week to talk about WAF’s, Pentesting, Burp Suite, and more! In the Application Security News, Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers, second WordPress hacking campaign underway, USPS took a year to fix a vulnerability that exposed all 60 million users' data, this JavaScript can snoop on other Browser Tabs to work out what you're visiting, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode41

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Follow us on Twitter: https://www.twitter.com/securityweekly

Nov 28, 2018
Buffet Overflow - Application Security Weekly #40
01:04:57

This week, Keith and Paul interview John Kinsella, Vice President of Container Security at Qualys! John discusses Qualys’ Container Security, continuous discovery, and tracking for containers and images! In the Application Security News, Instagram leaks passwords to the public, Clickjacking on Google MyAccount Worth $7,500, James Wickett's thread on Open Source SAST options, an advanced search tool for sensitive information stored in GitHub repos, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode40

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 21, 2018
Boston Accent - Application Security Weekly #39
01:02:04

This week, Keith and Paul interview Brian Kelly, Head of Conjur Engineering at CyberArk! Brian focuses on creating products that add much-needed security and identity management to the landscape of DevOps tools and cloud systems. In the Application Security News, DJI Drone Vulnerability, Hackers are increasingly destroying logs to hide attacks, Adobe ColdFusion servers under attack from APT group, understanding Open Source Code use in your business, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode39

To learn more about Conjur, go to: www.conjur.org/asw

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 14, 2018
Ultimate Nirvana - Application Security Weekly #38
51:48

This week, Keith and Paul interview Daniel Cuthbert, Global Head of Security Research for Banco Santander! In the Application Security News, a nasty DHCPv6 packet can Pwn vulnerable Linux Boxes, 'Stalkerware' website let anyone intercept texts of tens of thousands of people, twelve malicious Python libraries found and removed from PyPI, the U.S. Department of Defense Guide for "Detecting Agile BS", and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode38

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Nov 07, 2018
Eggplant Volcanoes - Application Security Weekly #37
01:09:32

This week, Keith and Paul interview Johnny Xmas, Director of Field Engineering at Kasada.io! In the Application Security News, Millions of passengers affected by Cathay Pacific Airline Hack, China has been hijacking the internet backbone of Western countries, how proficient are developers at fixing Application Security flaws, MicroTik Router Bug is as bad as it gets, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode37

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Oct 31, 2018
Two Phones - Application Security Weekly #36
56:51

This week, Paul and April Wright discuss a jQuery Plugin that has been exploited for years is finally getting patched, a flaw in LibSSH leaves thousands of servers at risk, a remote code implantation flaw found in Medtronic Cardiac Programmers, hackers hiding Cryptocurrency malware in Adobe flash updates, how the government is finally rolling out 2 Factor Authentication for Federal Agency Domains, and how Disney is helping women from across their company to become Developers!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode36

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

Visit our website: https://www.securityweekly.com

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly 

Oct 24, 2018
Git On That - Application Security Weekly #35
01:00:36

This week, Keith and Paul interview Garrett Gross, Senior Solutions Engineer at Rapid7! They talk about catching bugs earlier in the process of development, what can lead to certain successes in development, and more! In the Application Security News, Git Project patches Remote Code Execution Vulnerability, Google is shutting down Google+ after 500k accounts potentially affected by a data breach, Facebook wants people to Invite its cameras into their homes, GitHub introduces user blocking notifications, DevOps producing more insecure apps than ever, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode35

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Oct 17, 2018
Bring Yoga Pants - Application Security Weekly #34
01:03:00

This week, Keith and Paul talk about landing a job in Application Security! They discuss attending local meetups and conferences, practicing your coding skills, getting educated by World Class security researchers, doing your homework, and much more! In the Application Security News, Facebook discloses the loss of at least 50 millions access tokens, Google admits to allowing hundreds of companies to read your email, FireFox Monitor will alert you when your accounts have been Pwned, Microsoft releases MS-DOS v1.25 and v2.0 as Open Source, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode34

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Oct 03, 2018
Don't Hit Me Up - Application Security Weekly #33
01:16:19

This week, Keith and special guest host April Wright interview Ron Gula, Founder of Tenable and Gula Tech Adventures! They discuss security in the upcoming elections, how to maintain separation of duties, attack simulation, and more! In the Application Security News, Hackers stole customer credit cards in Newegg data breach, John Hancock now requires monitoring bracelets to buy insurance, the man who broke Ticketmaster, new security settings available in iOS 12, State Department confirms data breach exposed employee data, and more!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode33

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Sep 26, 2018
Sharks With Laser Beams - Application Security Weekly #32
01:11:42

This week, Keith Hoodlet and Paul Asadoorian interview April Wright from ArchitectSecurity.org! Next, bugs, breaches, and more in the Application Security News!

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode32

Visit https://www.securityweekly.com/asw for all the latest episodes!

Sep 19, 2018
Around the World - Application Security Weekly #31
01:16:22

This week, Keith and Paul interview Zane Lackey, Chief Security Officer and Founder of Signal Sciences! In the news, U.S. government releases Post-mortem on Equifax, Microsoft Windows Zero-Day found in Task Scheduler, British Airways breached via XSS, Windows subsystem Linux for Linux Distros, Bug Bounties and mental health, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode31

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Sep 12, 2018
A Mixture of Spices - Application Security Weekly #30
59:22

This week, Keith and Paul discuss The Apache Struts2 RCE Vulnerability! In the news, Using Signal Sciences to defend against Apache Struts, PHP flaw puts WordPress sites at risk, Oracle will charge for Java starting in 2019, how Netflix does Failovers in 7 minutes flat, Burp Suite 2.0 Beta released, even anonymous coders leave fingerprints, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode30

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Aug 29, 2018
Always More to Learn - Application Security Weekly #29
01:01:23

This week, Keith and Paul interview Tom McLaughlin, Founder of ServerlessOps! In the final segment, we air a Pre-Recorded segment with Paul and Matt Alderman, as they sat down at DEF CON to talk all things AppSec, vendors that were there, and companies they had briefings with from our pool cabana!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode29

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Aug 22, 2018
Don't Trust Them - Application Security Weekly #28
01:05:14

This week, Keith is joined by Dr. Doug White to discuss Secure Coding Practices! In the news, Comcast security flaws, Facebook plans to partner with banks, hacker finds ‘God Mode’ in x86 CPU’s, bypassing CSP using polyglot JPEGs, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode28

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Aug 15, 2018
We Do Not Discriminate - Application Security Weekly #27
01:02:23

This week, Keith and James Wickett interview Galen Hunt, Distinguished Engineer and Director at Microsoft! In the news, hackers automate the laundering of money via Clash of Clans, Epic Games sidesteps the Play Store with Fortnite for Android launch, the most exciting game, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode27

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Aug 08, 2018
Wu-Tang for Life - Application Security Weekly #26
01:00:49

This week, Keith and Paul interview Jessica Rozhin, Security Engineer at Marqeta! In the news, New Spectre attack can remotely steal secrets, Microsoft discovers supply chain attack at unnamed maker of PDF Software, XSS filter in edge, and OWASP iGoat is a vulnerable swift application for iOS!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode26

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Aug 01, 2018
A Friendly Tip - Application Security Weekly #25
01:10:15

This week, Keith and Paul interview Joe Garcia, Global Corporate Solutions Engineer at CyberArk! In the news, Venmo caught publishing all transactions publicly, Oracle releases critical patches, Microsoft releases PowerShell Core for Linux, Health insurers are vacuuming up details about you, changing your screen to Grayscale can help fight phone addiction, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode25

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Jul 25, 2018
The World of History - Application Security Weekly #24
01:05:13

This week, Keith and Paul discuss AppSec Solutions is a DevOps World! In the news, Compromised JavaScript Package Caught Stealing npm Credentials, remote iOS bugs, a $39 device that can defeat iOS USB Restricted mode, Broadcom buys CA Technologies, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode24

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Jul 18, 2018
Uncle Teeth - Application Security Weekly #23
58:05

This week, Keith and Paul talk The Hardest Problem in Application Security: Visibility. In the news, Google patches critical remote code execution bugs in Android OS, JavaScript API for face recognition in the browser with tensorflow.js, Social media apps are 'deliberately' addictive to users, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode23

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Jul 11, 2018
A Bunch Of Robots - Application Security Weekly #23
01:08:11

This week, Keith is joined by James Wickett from Signal Sciences to interview Thomas GX, CEO of Yelda and Founder of CommitStrip! In the news, Keith and James talk GitHub Hackers, Ticketmaster breach, Sniffing network traffic, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode22

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Jul 06, 2018
Close The Pod Bay Doors - Application Security Weekly #21
01:05:13

This week, Keith and Paul interview Dan Kuykendall, Sr. Director of Application Security Products at Rapid7! In the news, Flaw in macOS 'Quick Look' could reveal encrypted data, the man who was fired by a machine, Deploy to Azure with Docker and VS Code, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode21

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Jun 27, 2018
It's All Working - Application Security Weekly #20
01:37:42

This week, we share our Pre-Recorded interview with Ron Gula, Founder of Gula Tech Adventures! In the news, Paul is joined by Business Security Weekly host Michael Santarcangelo to discuss Microsoft Windows remote kernel crash vulnerability, Cops are confident that iPhone hackers found a workaround to Apple's new security feature, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode20

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Jun 20, 2018
Off The Cuff - Application Security Weekly #19
01:07:05

This week, Keith and Paul interview Peter Chestna, Director of Developer Engagement at Veracode! In the news, Windows 10 update April 2018 update breaks SMBv1, GitHub vs. GitLab, ThoughtWorks Technology Radar, DevOps brings value to security, and more on this episode of Application Security Weekly!



Full Show Notes: https://wiki.securityweekly.com/ASW_Episode19

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Jun 13, 2018
Eyeballs Everywhere - Application Security Weekly #18
01:01:09

This week, Keith and Paul discuss what the difference is between Agile and DevOps! In the Learning and Tools, OWASP Top 10 Proactive Controls v3.0 released, VS Live Share, Bob Ross Lorem Ipsum, and more! In the news, we have updates from Oracle, Microsoft, GDPR, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode18

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Jun 06, 2018
Just Go With It - Application Security Weekly #17
01:03:44

This week, Keith and Paul interview James Wickett, Head of Research at Signal Sciences! In the news, we have updates from Nest, Node.js, Google, F.Secure, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode17

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

May 23, 2018
Happy Dances - Application Security Weekly #16
57:56

This week, Keith and Paul interview Adam Gordon, Edutainer at ITPro.TV! In the news, we have updates from Uber, WhatsApp, Microsoft, and more on this episode of Application Security Weekly!

 

→Full Show Notes: https://wiki.securityweekly.com/ASW_Episode16

 

→Visit https://www.securityweekly.com/asw for all the latest episodes!

May 16, 2018
Creating An Awesome Dish - Application Security Weekly #15
01:04:43

This week, Keith and Paul continue to talk about building your AppSec program! In the Learning and Tools Segment, Keith and Paul discuss Snipe-IT: Open Source Asset Management, Astra: Automated Security Testing for REST API's, GREP: A whiteboard by Julia Evans, and more! In the news, we have updates from Twitter, Meltdown, JavaScript, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode15

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

May 09, 2018
Save The Developers Time - Application Security Weekly #14
58:08

This week, Paul and Keith discuss Building Your AppSec Program and how to get started! In the news, we have updates from Microsoft, Android, the FDA, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode14

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

May 02, 2018
Bigger Than My Home - Application Security Weekly #13
01:09:50

This week, Paul and Keith discuss Drupal 7 and 8 core critical releases, Irony of Leaky App at RSAC not lost on attendees, avoiding XSS in React is still hard, and more! In our Pre-Recorded interview, Paul and Keith sit down with Rami Sass, CEO and Co-Founder of WhiteSource, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode13

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

May 01, 2018
Classy and Illustrious - Application Security Weekly #12
01:00:21

This week, Paul and Keith discuss Github's 10th Anniversary and talk about Open Source Software! In the news, we have updates from Rapid7, a new MacOS backdoor, your Windows PC can be hacked by just visiting a site, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode12

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Apr 17, 2018
Don't Pull My Nerd Card - Application Security Weekly #11
57:53

This week, Paul and Keith discuss One Language to Rule Them All: Node-Based Operating System, NodeOS! In the news, we have updates from Cloudflare, Slack, NASA’s Voyager 1 spacecraft, how Georgia passed an Anti-Infosec Legislation, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode11

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Apr 09, 2018
Coming Up 7's - Application Security Weekly #10
53:01

This week, Keith and Paul have the debate as to whether it's DevOps or DevSecOps, they discuss OWASP vulnerable web apps directory project, Red Team wisdom, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode10

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Apr 03, 2018
More Crypto, More Problems - Application Security Weekly #09
57:28

This week, Keith and Paul discuss Uber's open source tool for adversarial simulation, AMD processors, Hijacked MailChimp accounts  used to distribute banking malware, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode09

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Mar 19, 2018
Early Bird Gets The Worm - Application Security Weekly #08
53:39

This week, Paul and Keith talk about “The Phoenix Project”, Amazon admits Alexa is creepily laughing at people, Ethereum fixes serious ‘eclipse’ flaw, Kali Linux is now an app in the Windows App Store, Docker + Minecraft = Dockercraft, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode08

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Mar 12, 2018
Everything Old Is New Again - Application Security Weekly #07
56:39

This week, Keith and Paul discuss Facebook’s mandatory malware scan, GitLeaks: Check git repos for secrets and keys, New York quietly working to prevent a major cyber attack, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode07

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Mar 05, 2018
It's Just Beautiful - Application Security Weekly #06
58:32

This week, Keith and Paul discuss Data Security and Bug Bounty programs! In the news, Lenovo warns of critical Wifi vulnerability, Russian nuclear scientists arrested for Bitcoin mining plot, remote workers outperforming office workers, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode06

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

Feb 17, 2018
Jim Carrey Hacked My Facebook - Application Security Weekly #05
50:41

This week, Keith and Paul continue to discuss OWASP Application Security Verification Standard! In the news, Cisco investigation reveals ASA vulnerability is worse than originally thought, Google Chrome HTTPS certificate apocalypse, Intel made smart glasses that look normal, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode05

 

Visit https://www.securityweekly.com/ for all the latest episodes!

Feb 10, 2018
Stay Classy - Application Security Weekly #04
58:43

This week, Keith and Paul discuss OWASP Application Security Verification Standard! In the news, Intel warns Chinese companies of chip flaw before U.S. government, bypassing CloudFair using Internet-wide scan data, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode04

 

Visit https://www.securityweekly.com/ for all the latest episodes!

Feb 05, 2018
The Doctor's Here - Application Security Weekly #03
59:15

This week, Keith is joined by Doug White, host of Secure Digital Life! Matias Madou of Secure Code Warrior joins us for an interview! In the news, Red Hat has now reverted CPU patches for Spectre, Russian Twitterbots are blaming the US shutdown on Democrats, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode03

 

Visit https://www.securityweekly.com/ for all the latest episodes!

Jan 27, 2018
Punishing Trojan Horses - Application Security Weekly #02
57:40

This week, Paul and Keith discuss the second half of the OWASP 2017 Top Ten! In the news, Facebook can track you by the dust on your camera lens, Apple health data used in murder trial, the stress of remote working, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode02

 

Visit https://www.securityweekly.com/ for all the latest episodes!

Jan 19, 2018
Pushing To Master - Application Security Weekly #01
01:01:08

This week, Paul and Keith will discuss the ten most critical web application risks! In the news, how malicious NPM packages could harvest credit card numbers and passwords, NVIDIA updates video drivers to help address CPU memory security, multiple vulnerabilities in PHP could allow for arbitrary code execution, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode01

 

Visit https://www.securityweekly.com/ for all the latest episodes!

Jan 15, 2018
Where's My Starbucks - Application Security Weekly #00
53:13

Paul Asadoorian and Keith Hoodlet bring you our brand new show, Application Security Weekly! On our first episode, Paul and Keith will discuss the history of application security and software security! In the news, what you need to know about CPU vulnerabilities, negative results testing Intel CPU design, Mozilla Firefox patches, and Starbucks Wi-Fi mines Monero via CoinHive! All that and more, on the first episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode00

 

Visit https://www.securityweekly.com/psw for all the latest episodes!

Jan 08, 2018