272 episodes

The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws.

Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.

Application Security Weekly (Audio) Security Weekly

    • Technology
    • 4.9 • 11 Ratings

    Starting with Appsec -- Is It More of a Position or a Process? - ASW #264

    This year we've talked about vulns, clouds, breaches, presentations, and all the variations of Dev, Sec, and Ops. As we end the year, let's talk about starting things -- like starting an appsec program or an appsec career. But is there still a need for an appsec team? Or has it turned into specializations for areas like cloud security and bug bounty programs? We'll cover careers and coding, with an eye towards figuring out what modern software development looks like and where application (or product!) security fits in that model.
    Segment resources
    https://owaspsamm.org
    https://www.microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative-to-advance-security-engineering/
    https://www.cisa.gov/resources-tools/resources/secure-by-design
    In the news, weak randomness in old JavaScript crypto, lack of encryption in purported end-to-end encryption, a platform engineering maturity model, PyPI's first security audit, a vision for a Rust specification, and more!
    Visit https://securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
    Show Notes: https://securityweekly.com/asw-264

    • 1 hr 13 min
    Platform Firmware Security - Maggie Jauregui - ASW Vault

    Firmware security is complex and continues to be an industry challenge. In this podcast we'll talk about the reasons firmware security remains a challenge and some best practices around platform security.
    Segment Resources:
    https://www.helpnetsecurity.com/2020/04/27/firmware-blind-spots/
    https://www.helpnetsecurity.com/2020/09/28/hardware-security-challenges/
    https://darkreading.com/application-security/4-open-source-tools-to-add-to-your-security-arsenal
    https://chipsec.github.io
    Hardware Hacking artwork created by Maggie: https://securityweekly.com/wp-content/uploads/2021/08/eArt-2.png
    Visit https://securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
    Show Notes: https://securityweekly.com/vault-asw-5

    • 34 min
    How 2023 Changed Application Security and What’s to Come in 2024 - Karl Triebes - ASW #263

    In the rapidly evolving landscape of application security, 2023 brought significant changes with the rise of generative AI tools and an increase in automated threats. In this discussion, Karl Triebes takes a deep dive into the major trends of the past year, examining their impact on the industry and shedding light on what security professionals can anticipate moving forward into 2024.
    This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!
    In the news, CNCF releases a handbook on fuzzing, OpenSSF and OWASP respond to CISA's Open Source Software Security RFI, 14 years of Go, lessons for today from an internet worm from 35 years ago, and more!
    Visit https://securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
    Show Notes: https://securityweekly.com/asw-263

    • 1 hr 15 min
    Security from a Developer's Perspective - Josh Goldberg - ASW #262

    A lot of appsec conferences have presentations for appsec audiences -- but that's not often the group that's building apps. What if more developer conferences had appsec content? We talk with Josh about security from the developer's point of view, both as an audience hearing about it and as a presenter talking about it. We discuss the importance of knowing your audience and finding the hooks in security tools and topics that can resonate with developers.
    Segment resources:
    https://www.joshuakgoldberg.com/speaking/
    In the news, details of the Citrix Bleed vuln, exploitation of the Atlassian improper authorization vuln, so many jQuery installations to upgrade, the price of bounties and the cost of fixes, Microsoft's Secure Future Initiative, and more!
    Visit https://securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
    Show Notes: https://securityweekly.com/asw-262

    • 1 hr 11 min
    How Security Tools Must Evolve - Dan Kuykendall - ASW #261

    The categories of security tools that we're most familiar with have struggled to keep up with how modern apps are designed and what modern devs need. What if instead of being beholden to categories, we created tools that solved problems devs have today in the types of apps they build today? And what if we had more dev leadership to influence security tools as well as secure by design? What would that leadership look like?
    Segment Resources:
    https://danondev.com/youtube
    In the news, OAuth implementation failures, the State of DevOps report, data poisoning generative AIs with Nightshade, implementing Spectre attacks with JavaScript and WebAssembly against WebKit, sandboxing apps, and more!
    Visit https://securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
    Show Notes: https://securityweekly.com/asw-261

    OAuth, WebAuthn, & The Impact of Design Choices - Dan Moore - ASW #260

    We return to discussions of OAuth and all sorts of authentication. This time around we're looking at the design of authentication protocols, the kinds of trade-offs they weigh for adoption and security, and how a standard evolves over time to keep pace with new attacks and put to rest old mistakes.
    Segment resources:
    https://fusionauth.io/docs/v1/tech/core-concepts/modes
    https://webauthn.wtf/
    https://datatracker.ietf.org/doc/html/rfc7636
    https://www.ietf.org/about/participate/tao/
    In the news, appsec lessons from the Okta breach, directory traversal (and appsec) lessons from SolarWinds, how CISOs and Boards rank factors around vulns and patching, revisiting cryptocurrency attacks for lessons in business logic and threat modeling, CISA and friends update guidance on Secure Design, and more!
    Visit https://securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
    Show Notes: https://securityweekly.com/asw-260

    • 1 hr 18 min

Customer Reviews

4.9 out of 5
11 Ratings

DMLou,

Great show

Amazing show with great news and tips on making sure your code is secure.

jrod d,

Great show

Best show I’ve found so far related to AppSec
