Application Security Weekly (Audio)

Mike Shema

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

  1. BadHost, Dead CTFs, Exploding NPMs, and the Verizon DBIR - ASW #385

    -17 ч

    BadHost, Dead CTFs, Exploding NPMs, and the Verizon DBIR - ASW #385

    We dedicate an episode to catching up on appsec news with Kalyani Pawar. We see parsing problems that led to the BadHost vuln, which exposed lots of LLMs, MCPs, and agents to potential compromise. We wonder where to look for security education and practice as the camaraderie of the CTF community becomes infiltrated by LLMs. We talk about the tradeoffs in trust between using public packages vs. having agents write replacements from scratch. And we examine some of the appsec details that the Verizon DBIR reveals about how orgs are being attacked -- and how orgs might use that information to protect themselves. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-385

    45 мин.
  2. AppSec Conversations on Agents, LLMs, and OWASP from RSAC - Merritt Maxim, Scott Clinton, Janet Worthington - ASW #384

    26 мая

    AppSec Conversations on Agents, LLMs, and OWASP from RSAC - Merritt Maxim, Scott Clinton, Janet Worthington - ASW #384

    We showcase recordings from this year's RSAC. At RSAC Conference 2026, Scott Clinton, Co-Chair and co-founder of the OWASP GenAI Security Project, shares insights from the project's latest research, including new landscape guides and evolving approaches to securing generative and agentic AI systems. The conversation explores critical gaps in GenAI data security, the rise of AI-assisted development, and the immense growth of the OWASP community and sponsor ecosystem. Looking ahead, he outlines the most urgent risks and priorities shaping AI and agentic security in 2026. Then Merritt Maxim discusses how AI is affecting Identity and Access Management. Expect to hear this topic a lot throughout 2026, especially as the industry tries to figure out what's different or special about securing agent identities. We close with a chat with Janet Worthington about the impact of agents on the SDLC and how orgs are updating their controls to deal with code generated by humans and LLMs alike. Segment Resources: https://genai.owasp.org https://genai.owasp.org/resources/ https://www.scworld.com/podcast-episode/3905-keeping-up-with-the-owasp-genai-project-scott-clinton-asw-381 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-384

    1 ч.
  3. The State of AI & AppSec - Keith Hoodlet - ASW #383

    19 мая

    The State of AI & AppSec - Keith Hoodlet - ASW #383

    This year has been a dichotomy of established secure design fundamentals and burgeoning chaos of LLM-driven vuln discovery. Keith Hoodlet returns to share his latest observations on what the recent news about Mythos, models, and harnesses means for appsec. He walks through the problems of misalignment, the potential development doom that looms behind a volume of vulns, and what modern code creation looks like. Along the way we touch on the economics of tokens and the principles behind secure software. Keith gave a preview of his upcoming presentation (May 22nd) on these topics. Check out https://securing.dev/about/ for the slides and more of his writing on appsec. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-383

    1 ч. 3 мин.
  4. Why Basic Security Practices Still Work - Rob Allen - ASW #382

    12 мая

    Why Basic Security Practices Still Work - Rob Allen - ASW #382

    If you have to ditch your entire appsec strategy because you expect 2026 to bring more vulns more quickly, then you probably didn't have a good strategy in the first place. Rob Allen shares how the mentality of "assume breach" doesn't have to be a defeatist attitude and can instead be a way to change a catastrophic breach into a more contained one. We also talk about proactive security and what an "avoid breach" attitude could look like, including how to apply the macro lessons of default deny and network isolation to writing secure code. Resources https://www.threatlocker.com/blog/the-claude-mythos-preview-proves-now-is-the-time-for-zero-trust?utmsource=cyberriskalliance&utmmedium=sponsor&utmcampaign=claudemythosaswq226&utmcontent=claudemythosasw-&utm_term=podcast https://www.threatlocker.com/capabilities/zero-trust-network-access?utmsource=cyberriskalliance&utmmedium=sponsor&utmcampaign=ztnaq226&utmcontent=ztna-&utm_term=podcast https://www.threatlocker.com/capabilities/zero-trust-cloud-access?utmsource=cyberriskalliance&utmmedium=sponsor&utmcampaign=ztcaq226&utmcontent=ztca-&utm_term=podcast This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-382

    1 ч. 12 мин.
  5. Keeping Up With the OWASP GenAI Project - Scott Clinton - ASW #381

    5 мая

    Keeping Up With the OWASP GenAI Project - Scott Clinton - ASW #381

    Speed is the most common theme among developers and appsec teams working with LLMs and agents, from trying to keep up with patterns for deploying agents to dealing with more code faster to how the latest models impact code quality and security. The OWASP GenAI Project is helping organizations keep up with the speed of those changes and engaging the appsec community for sharing effective ways to keep systems secure. Scott Clinton shares the latest progress on the the project, its roadmap for the year, and how appsec practitioners can shape its future. Resources: https://genai.owasp.org/2026/04/28/finbot-ctf-is-live-a-hands-on-companion-to-the-owasp-genai-security-project/ https://genai.owasp.org/2025/01/22/announcing-the-owasp-gen-ai-red-teaming-guide/ https://www.scworld.com/podcast-episode/3695-inside-the-owasp-genai-security-project-steve-wilson-asw-352 This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-381

    1 ч. 9 мин.
  6. Top 10 Web Hacking Techniques of 2025 and a Hint for 2026 - James Kettle - ASW #380

    28 апр.

    Top 10 Web Hacking Techniques of 2025 and a Hint for 2026 - James Kettle - ASW #380

    Portswigger's list of web hacking techniques is a long-running celebration of curiosity and research from the web hacking community. James Kettle shares his thoughts on the entries from 2025 and how he expects LLMs and agents to influence what the list will look like for next year. He also shares some insights on using LLMs for his own blackbox research, giving us a peek into the work he'll be sharing at Black Hat USA this summer. Resources https://portswigger.net/research/top-10-web-hacking-techniques-of-2025 https://blackhat.com/us-26/briefings/schedule/index.html#can-ai-do-novel-security-research-meet-the-http-terminator-51894 Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-380

    45 мин.
  7. The Human Aspect of Red Teams - Brian Fox, Tom Tovar, T. Gwyddon 'Data' Owen - ASW #379

    21 апр.

    The Human Aspect of Red Teams - Brian Fox, Tom Tovar, T. Gwyddon 'Data' Owen - ASW #379

    Red team exercises set goals to see if a particular outcome can be accomplished through a simulated attack, but the ultimate outcome should be educating the org about how to improve tools and processes that make attacks more difficult to succeed. Gwyddon "Data" Owen shares his experience building a red team, creating an exercise, and leveraging the results to improve security. And while the adoption of LLMs will accelerate a red team's activities, there are still plenty of foundational security controls that orgs can establish that would require a red team to be more than just fast, but fast and very careful. Coding Agents Are Getting More Cautious, But Not Safer A new study finds that while frontier AI coding models are hallucinating less than they did a year ago, they still preserve a significant amount of avoidable software risk when left ungrounded. Sonatype's research shows that connecting these models to real-time software intelligence dramatically improves remediation quality and reduces critical and high-severity vulnerability exposure by 60–70%. The takeaway is clear: safer AI-assisted development will depend not just on better models, but on grounding them in accurate, current dependency and vulnerability data. This segment is sponsored by Sonatype. Read the study: https://securityweekly.com/sonatypersac How We Achieve Agentic Outcomes in CyberSecurity: The "Do-It-For-Me" Mobile Defense If you look at deepfakes, synthetic identity, social engineering, and new malware variants coming to market, it seems like attackers have a first-mover advantage in using AI. The volume and variety of threats are growing faster than the current cyber stack can address. Against this backdrop, organizations are moving away from "do-it-yourself" delivery models (more tools, more alerts, more headcount) to "do-it-for-me" agentic AI delivery models (using platforms that unify data, execute policy, and automate outcomes). The emphasis outside of cyber is on empowering the expert human-in-the-loop — so teams spend less time in the noise and more time delivering business outcomes. This segment explores how cybersecurity leaders can make the most of the AI Age, leveraging it for good while staying relevant amid the explosive AI adoption curve. This segment is sponsored by Appdome. Visit https://securityweekly.com/appdomersac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-379

    1 ч. 13 мин.
  8. Securing Software's Journey with the OWASP SPVS - Ido Geffen, Rohan Ravindranath, Cameron W., Farshad Abasi - ASW #378

    14 апр.

    Securing Software's Journey with the OWASP SPVS - Ido Geffen, Rohan Ravindranath, Cameron W., Farshad Abasi - ASW #378

    It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI. They show what goes into making a project relevant and -- most importantly -- successful at defending how supply chains are attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out! Resources https://owasp.org/www-project-spvs/ https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS https://slsa.dev Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security Most enterprise organizations have been working at Zero Trust for years and fail to deliver truly secure environments. Rohan Ravindranath shares insights that Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works. This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them! Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what "AI penetration testing" means, why it's different from automated scanning, and why it's becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee's AI penetration tester: a proprietary LLM model, built independently of "frontier" LLMs (like Claude, ChatGPT, Cursor, etc.), and consistently outperforming them at browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship. This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-378

    1 ч. 10 мин.
См. все (399)

Об этом подкасте

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

Информация

  • Автор
    Mike Shema
  • Годы выхода
    2018 - 2026
  • Выпуски
    399
  • Ограничения
    Без ненормативной лексики
  • Авторские права
    © 2024 CyberRisk Alliance
  • Сайт подкаста
    Application Security Weekly (Audio)

Вам может также понравиться