Application Security Weekly (Video)

Mike Shema
  • 0,0 (0)
  • ACTUALITÉS TECHNOLOGIQUES
  • TOUTES LES 2 SEMAINES

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

  1. AppSec News Roundup on Claude Code Leak, Axios NPM Compromise, Secure Design - Idan Plotnik, Raj Mallempati - ASW #377

    -1 J ·  VIDÉO

    AppSec News Roundup on Claude Code Leak, Axios NPM Compromise, Secure Design - Idan Plotnik, Raj Mallempati - ASW #377

    Security problems aren't changing very much even though security teams are. We catch up on the implications of the Claude Code source leak, the very human lessons from the axios NPM compromise, and what secure design looks like when it involves agents, humans, or both. AppSec has always celebrated interesting and impactful vulns. And LLMs are now a favored tool for finding flaws. We shouldn't forget the success and effectiveness of fuzzers like OSS-Fuzz, which has improved security for over 1,000 projects and found over 50,000 bugs. But we can't ignore the ease of prompting an agent to go find -- and exploit -- a vuln when the UX and overhead of doing so is hardly more than writing some markdown. The SDLC Blind Spot: Why Breaches Start with Identity, Not Code Developers have access to source code, CI/CD pipelines, and cloud infrastructure — and attackers know it. Target lost 860GB of source code through a single compromised credential. Recruitment fraud campaigns have pivoted from a compromised developer to cloud admin in under 10 minutes. As agents join human developers, contractors, and service accounts in the SDLC, the attack surface is expanding faster than static security tools can track. Security teams need real-time visibility beyond code and into who has access and what they're actually doing. This segment is sponsored by Apiiro. To lean more, visit https://securityweekly.com/apiirorsac. How AI-Driven Development is Reshaping the Application Risk Landscape Agent coding assistants are accelerating software development, generating more code and more change than security teams were built to handle. In this interview, Idan Plotnik discusses how AI-driven development is reshaping the application risk landscape and why traditional vulnerability management models can't keep up. Make sure to schedule a free SDLC Risk Assessment with BlueFlag Security - 30 minutes to deploy. 48 hours to results. Please visit https://securityweekly.com/blueflagrsac. Show Notes: https://securityweekly.com/asw-377

    1 h 9 min
  2. Developing the Skills Needed for Modern Software Development - Keith Hoodlet, Ron Rasin, Shashwat Sehgal - ASW #376

    31 MARS ·  VIDÉO

    Developing the Skills Needed for Modern Software Development - Keith Hoodlet, Ron Rasin, Shashwat Sehgal - ASW #376

    The future of secure software is going through a mix of skills expected of humans and skills files created for LLMs. We might even posit that appsec as a discipline will fade (and that might not even be a bad thing!). Keith Hoodlet describes the skills he was looking for in building teams of security researchers and why there's still an emphasis on the ability to learn about and understand how software is built. But figuring out what skills will get you hired and what skills are valuable to invest in still feels daunting to new grads and others entering the security industry. We discuss where the role of appsec seems to be heading and a few of the security and software fundamentals that can help you follow that direction. Segment resources https://bsidessf2026.sched.com/event/2E1h4/we-pwn-the-night-growing-leading-an-31337-security-research-team?iframe=yes&w=100%&sidebar=yes&bg=no https://drive.google.com/file/d/1_zLH8vuHU1XOjEyk85WecQwSByDwxAmQ/view?pli=1 https://securing.dev/posts/if-i-were-eighteen-again/ https://research.nvidia.com/labs/lpr/slm-agents/ Then, we rebroadcast two interviews from RSAC 2026. The Identity Crisis of Agentic AI Identity security is being stretched between legacy infrastructure that was never built to be secure and rapidly emerging AI agents and non-human identities that organizations are quickly adopting. As AI accelerates, identity risk grows alongside it, making agentic security fundamentally an identity challenge—because the more access AI has, the greater both its power and potential risk. In this session, Ron Rasin explores how past gaps in areas like Active Directory and machine identities created today's blind spots, and why identity must now act as the control plane for AI-driven enterprises, with real-time enforcement before access is granted. He also highlights new innovations and partnerships enabling embedded identity controls across human, non-human, and AI identities, emphasizing that at machine speed, reactive security is no longer enough. To learn more about Silverfort and their AI Agent product, visit https://securityweekly.com/silverfortrsac. Privileged by Design: AI Agents and the New Identity Risk to Production Systems At RSAC this year, the AI conversation is getting more practical. Less "look what agents can do" and more "who's actually in control when an autonomous system can take real actions across business apps and infrastructure." The Moltbook breach and the growing attention on OpenClaw-style agent vulnerabilities put real weight behind that question because they show how quickly agent ecosystems can scale past oversight. Today we're talking with Shashwath, CEO of P0 Security, about why identity and authorization are the quiet enablers of modern AI, where teams are losing control as non-human identities explode and what security leaders can do to keep innovation moving without turning access sprawl into enterprise risk. To learn more about P0 Security, visit: https://securityweekly.com/p0rsac. Show Notes: https://securityweekly.com/asw-376

    1 h 16 min
  3. Why Proactive Security Is Far Better Than Patching - Erik Nost - ASW #375

    24 MARS ·  VIDÉO

    Why Proactive Security Is Far Better Than Patching - Erik Nost - ASW #375

    So much of appsec's efforts can be consumed by vuln management and a race to patch security flaws. But that's more a symptom of the ease of scanning and the volume of CVEs. Erik Nost walks through the principles behind proactive security, why the concept sounds familiar to secure by design, and why organizations still struggle with creating effective practices for visibility. Resources https://www.forrester.com/blogs/proactive-security-platforms-will-cumulate-visibility-prioritization-and-remediation/ Show Notes: https://securityweekly.com/asw-375

    38 min
  4. Creating Better Security Guidance and Code with LLMs - Mark Curphey - ASW #374

    17 MARS ·  VIDÉO

    Creating Better Security Guidance and Code with LLMs - Mark Curphey - ASW #374

    What happens when secure coding guidance goes stale? What happens LLMs write code from scratch? Mark Curphy walks us through his experience updating documentation for writing secure code in Go and recreating one of his own startups. One of the themes of this conversation is how important documentation is, whether it's intended for humans or for prompts to LLMs. Importantly, LLMs don't innovate on their own -- they rely on the data they're trained on. And that means there should be good authoritative sources for what secure code looks like. It also means that instructions to LLMs need to be clear and precise enough to produce something useful. Watch what happens when Mark prompts his agents to run a live demo for us! Show Notes: https://securityweekly.com/asw-374

    1 h 4 min
  5. Making Medical Devices Secure - Tamil Mathi - ASW #373

    10 MARS ·  VIDÉO

    Making Medical Devices Secure - Tamil Mathi - ASW #373

    Medical devices are a special segment of the IoT world where availability and patient safety are paramount. Tamil Mathi explains why many devices need to fail open -- the opposite of what traditional appsec approaches might initially think -- and what makes threat modeling these devices interesting and unique. He also covers how to get started in this space, from where to learn hardware hacking basics to reviewing firmware and moving up the stack to the application layer. Segment Resources: https://www.defconbiohackingvillage.org https://medium.com/@tamilmathimaddytamilthurai/securing-the-future-of-iot-with-trusted-execution-environments-tees-a-secure-scalable-and-1376f94e755c Show Notes: https://securityweekly.com/asw-373

    1 h 3 min
  6. Modern AppSec that keeps pace with AI development - James Wickett - ASW #372

    3 MARS ·  VIDÉO

    Modern AppSec that keeps pace with AI development - James Wickett - ASW #372

    As more developers turn to LLMs to generate code, more appsec teams are turning to LLMs to conduct security code reviews. One of the biggest themes in all the discussion around LLMs, agents, and code is speed -- more code created faster. James Wickett shares why speed continues to pose a challenge to appsec teams and why that's often because teams haven't invested enough in foundational appsec principles. Show Notes: https://securityweekly.com/asw-372

    48 min
  7. Helping Users with Practical Advice to Protect their Digital Devices - Runa Sandvik - ASW #371

    24 FÉVR. ·  VIDÉO

    Helping Users with Practical Advice to Protect their Digital Devices - Runa Sandvik - ASW #371

    Journalists put a lot of effort into collecting information and protecting their sources, but everyone can benefit from having a digital environment that's more secure and more privacy protecting. Runa Sandvik shares her experience working with journalists and targeted groups to craft plans for how they use their devices and manage their information. And she also makes the point that the burden of security should not be just for users -- platforms and software providers should be evaluating secure defaults and secure designs that improve protections for everyone. Resources https://techcrunch.com/2025/03/13/apples-lockdown-mode-is-good-for-security-but-its-notifications-are-baffling/ https://www.glitchcat.xyz/p/lessons-learned-from-the-2021-arrest https://gijn.org/resource/introduction-investigative-journalism-digital-security/ https://cpj.org/ Show Notes: https://securityweekly.com/asw-371

    1 h
  8. Conducting Secure Code Analysis with LLMs - ASW #370

    17 FÉVR. ·  VIDÉO

    Conducting Secure Code Analysis with LLMs - ASW #370

    A major premise of appsec is figuring out effective ways to answer the question, "What security flaws are in this code?" The nature of the question doesn't really change depending on who or what wrote the code. In other words, LLMs writing code really just means there's mode code to secure. So, what about using LLMs to find security flaws? Just how effective and efficient are they? We talk with Adrian Sanabria and John Kinsella about the latest appsec articles that show a range of results from finding memory corruption bugs in open source software to spending an inordinate amount of manual effort validating persuasive, but ultimately incorrect, security findings from an LLM. Show Notes: https://securityweekly.com/asw-370

    46 min
Tout afficher (704)

À propos

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

Informations

  • Création
    Mike Shema
  • Années d’activité
    2018 - 2026
  • Épisodes
    704
  • Classification
    Tous publics
  • Copyright
    © 2024 CyberRisk Alliance
  • Site web de l’émission
    Application Security Weekly (Video)

Vous aimeriez peut‑être aussi