207 episodes

Application Security Weekly decrypts development for the Security Professional - exploring how to inject security into their organization’s Software Development Lifecycle (SDLC) in a fluid and transparent way; Learn the tools, techniques, and processes necessary to move at the speed of DevOps (even if you aren’t a DevOps shop yet). The target audience for Application Security Weekly spans the gamut of Security Engineers and Practitioners that need to level-up their skills in the Application Security space - as well as enabling “Cyber Curious” developers to get involved in the Application Security process at their organizations. To a lesser extent, we hope to arm Security Managers and Executives with the knowledge to be conversational in the realm of DevOps - and to provide the right questions to ask their colleagues in development, along with the metrics to think critically about the answers they receive.

Application Security Weekly (Audio‪)‬ Mike Shema, John Kinsella, Matt Alderman - Security Weekly

    • News
    • 4.9 • 9 Ratings

Application Security Weekly decrypts development for the Security Professional - exploring how to inject security into their organization’s Software Development Lifecycle (SDLC) in a fluid and transparent way; Learn the tools, techniques, and processes necessary to move at the speed of DevOps (even if you aren’t a DevOps shop yet). The target audience for Application Security Weekly spans the gamut of Security Engineers and Practitioners that need to level-up their skills in the Application Security space - as well as enabling “Cyber Curious” developers to get involved in the Application Security process at their organizations. To a lesser extent, we hope to arm Security Managers and Executives with the knowledge to be conversational in the realm of DevOps - and to provide the right questions to ask their colleagues in development, along with the metrics to think critically about the answers they receive.

    ASW #206 - Manish Gupta

    ASW #206 - Manish Gupta

    In our first segment, we are joined by Manish Gupt, the CEO and Co-Founder of ShiftLeft for A discussion of how the changes and advancements in static application security testing (SAST) and intelligent software composition analysis (SCA) have helped development and DevSecOps teams work better together to fix security issues faster! In the AppSec News: Multiple vulns in a smart lock, Office Macros finally disabled by default, data breach costs and threat modeling, designing migration paths for 2FA, & more!
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
     
    Show Notes: https://securityweekly.com/asw206

    • 1 hr 15 min
    ASW #199 - Nikhil Gupta

    ASW #199 - Nikhil Gupta

    Nikhil will be discussing the pain points that leaders in the application security space are facing, which can cover how software development has evolved, as well as how this has impacted development teams and security teams as well as the occurrence of shifting left. He would also like to speak to the solution he has found to this problem, specifically being that of developing a community, the Purple Book Community. This closely connects to the final topics he would like to cover, which include how breaches have continued to occur at an increasingly rapid pace, leading to the importance behind why and how companies should be prepared for when, not if, a cyber attack will occur. The talk will also cover how the Purple Book of Software Security came about and how it has now morphed into a global movement by security leaders, for security leaders, to develop secure software.
    Segment Resources:
    https://www.armorcode.com/
    https://www.thepurplebook.club/
    https://www.armorcode.com/what-is-appsecops
    https://www.armorcode.com/platform-overview
    https://www.armorcode.com/news
    https://www.armorcode.com/integrations
     
    This week in the AppSec News: Pwn2own results, reading the DBIR for appsec insights, XMPP flaws in Zoom, $10M bounty for a blockchain bridge vuln, researcher puts malicious payloads in ancient packages, Argo patches JWT handling, & more!
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
     
    Show Notes: https://securityweekly.com/asw199

    • 1 hr 16 min
    ASW #205 - Ferruh Mavituna

    ASW #205 - Ferruh Mavituna

    Vuln in an Atlassian Confluence app, "Dirty Dancing" in OAuth flows, security audits of sigstore and slf4j, flaws in fleet management app, conducting tabletop exercises.
     
    Pressured by the speed of innovation, organizations are struggling to achieve the continuous web application security they need in the face of mounting threats and compliance requirements. What does it take in order for your AppSec program to be both effective and agile? In this segment, Ferruh Mavituna, founder and strategic advisor of Invicti Security, discusses best practices to help you implement an effective, agile, and – most importantly – continuous approach to application security.
    This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
     
    Show Notes: https://securityweekly.com/asw205

    • 1 hr 16 min
    ASW #204 - Larry Maccherone

    ASW #204 - Larry Maccherone

    0-day vulnerabilities pose a high risk because cybercriminals race to exploit them and vulnerable systems are exposed until a patch is issued & installed. These types of software vulnerabilities can be found through continuous detection but even then may not always have a patch available. It’s important for software teams to set up tools that continually look for these types of flaws, as well as defenses that let software adapt itself to an evolving threat landscape. In this episode, we will discuss the ins and outs of 0-day vulnerabilities and what the future of managing them looks like.
    Segment Resources:
    Recent 0-day blog: https://www.contrastsecurity.com/security-influencers/contrast-protect-eliminates-another-zero-day-headache
    What is Contrast Security video: https://www.youtube.com/watch?v=8FwY6zJX1ms
    The Contrast Secure Code Platform video: https://www.youtube.com/watch?v=k5CycR4R6bg
     
    This segment is sponsored by Contrast Security. Visit https://securityweekly.com/contrast to learn more about them!
     
    This week in the AppSec News: speculative execution attack with retbleed, CSRB's report on log4j, one-line lowercase action leads to a vuln, approaching SOC2 with secure engineering principles, free online Mac Malware book
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
     
    Show Notes: https://securityweekly.com/asw204

    • 1 hr 14 min
    ASW #203 - Farshad Abasi

    ASW #203 - Farshad Abasi

    This week in the AppSec News: Apple introduces Lockdown Mode, PyPI hits 2FA trouble, cataloging cloud vulns, practical attacks on ML, NIST's post-quantum algorithms, & more!
     
    Appsec starts with the premise that we need to build secure code, but it also has to be able to recommend effective practices and tools that help developers. This also means appsec teams need to work with developers to create criteria for security solutions, whether it's training or scanners, in order to make sure their investments of time and money lead to more secure apps.
    Segment Resources: https://forwardsecurity.com/2022/04/24/embedding-security-into-software-during-development/
    https://forwardsecurity.com/2022/03/15/application-security-for-busy-tech-execs/ https://forwardsecurity.com/2022/03/09/sast-sca-dast-iast-rasp-what-they-are-and-how-you-can-automate-application-security/
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
     
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
     
    Show Notes: https://securityweekly.com/asw203

    • 1 hr 9 min
    ASW #202 - Mike Benjamin

    ASW #202 - Mike Benjamin

    Both GraphQL and template engines have the potential for injection attacks, from potentially exposing data due to weak authorization in APIs to the slew of OGNL-related vulns in Java this past year. We take a look at both of these technologies in order to understand the similarities in what could go wrong, while also examining the differences in how each one influences modern application architectures.
     
    This week in the AppSec News: Lessons learned from fuzzing, OT:ICEFALL report on insecure designs, CSA's Top Threats to Cloud Computing, Twitter apologizes for misusing data collection, & State of Open Source Security report!
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
     
    Show Notes: https://securityweekly.com/asw202

    • 1 hr 15 min

Customer Reviews

4.9 out of 5
9 Ratings

9 Ratings

jrod d ,

Great show

Best show I’ve found so far related to AppSec

Top Podcasts In News

The New York Times
NPR
The Daily Wire
New York Times Opinion
Crooked Media
Cumulus Podcast Network | Dan Bongino

You Might Also Like

Paul Asadoorian
Chris Romeo and Robert Hurlbut
Allen Underwood, Michael Outlaw, Joe Zack
Cybereason
Johannes B. Ullrich
Jerry Bell and Andrew Kalat