222 episodes

Application Security Weekly decrypts development for the Security Professional - exploring how to inject security into their organization’s Software Development Lifecycle (SDLC) in a fluid and transparent way. Learn the tools, techniques, and processes necessary to move at the speed of DevOps (even if you aren’t a DevOps shop yet). The target audience for Application Security Weekly spans the gamut of Security Engineers and Practitioners that need to level up their skills in the Application Security space - as well as enabling “Cyber Curious” developers to get involved in the Application Security process at their organizations. To a lesser extent, we hope to arm Security Managers and Executives with the knowledge to be conversational in the realm of DevOps - and to provide the right questions to ask their colleagues in development, along with the metrics to think critically about the answers they receive.

Application Security Weekly (Audio) Security Weekly

    • News
    • 4.9 • 9 Ratings


    ASW #221 - Kenn White


    Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team
     
    MongoDB recently announced the industry’s first encrypted search scheme using breakthrough cryptography engineering called Queryable Encryption. This technology gives developers the ability to query encrypted sensitive data in a simple and intuitive way without impacting performance, with zero cryptography experience required. Data remains encrypted at all times on the database, including in memory and in the CPU; keys never leave the application and cannot be accessed by the database server. While adoption of cloud computing continues to increase, many organizations across healthcare, financial services, and government are still risk-averse. They don’t want to entrust another provider with sensitive workloads. This encryption capability removes the need to ever trust an outside party with your data. This end-to-end client-side encryption uses novel encrypted index data structures in such a way that for the first time, developers can run expressive queries on fully encrypted confidential workloads. Queryable Encryption is based on well-tested and established standard NIST cryptographic primitives to provide strong protection from attacks against the database, including insider threats, highly privileged administrators and cloud infrastructure staff. So even another Capital One type breach is not possible.
    Segment Resources:
    - https://www.mongodb.com/products/queryable-encryption
    - https://www.wired.com/story/mongodb-queryable-encryption-databases/
    - https://www.youtube.com/watch?v=mDKfZlQJO3k
    - https://thenewstack.io/mongodb-6-0-offers-client-side-end-to-end-encryption/
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Follow us on Twitter: https://www.twitter.com/secweekly
    Like us on Facebook: https://www.facebook.com/secweekly
     
    Show Notes: https://securityweekly.com/asw221

    • 1 hr 20 min
    ASW #220 - Daniel Krivelevich


    CosMiss in Azure, $70k bounty for a Pixel Lock Screen bypass, finding path traversal with Raspberry Pi-based emulators, NSA guidance on moving to memory safe languages, implementing phishing-resistant MFA, egress filtering, and how to approach code reviews
     
    Cider Security’s recently published research of the Top 10 CI/CD Security Risks acts to identify vulnerabilities to help defenders focus on areas to secure their CI/CD ecosystem. They created a free learning tool with a deliberately vulnerable environment to demonstrate these flaws -- “CI/CD Goat”. Like similar tools, this helps appsec and devops teams gain a better understanding of major CI/CD security risks and, importantly, their appropriate countermeasures.
    Segment Resources:
    - https://www.cidersecurity.io/top-10-cicd-security-risks/
    - https://github.com/cider-security-research/top-10-cicd-security-risks
    - https://www.cidersecurity.io/blog/research/ci-cd-goat/
    - https://github.com/cider-security-research/cicd-goat
     
    Show Notes: https://securityweekly.com/asw220

    • 1 hr 27 min
    ASW #219 - Karl Triebes


    While APIs enable innovation, they’re increasingly targeted as a pathway to data. API abuses are often carried out through automated attacks, in which a botnet floods the API with unwanted traffic—seeking vulnerable applications and unprotected data. In this discussion, Karl Triebes shares what you need to know about the automated bot threats targeting your APIs with guidance on how to protect your applications and APIs from these attacks.
    This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!
     
    The punycode parsing in OpenSSL, missing authentication in Azure Cosmos DB Notebooks, the importance of documentation in security, labeling IoT security, bad response to a security disclosure
     
    Show Notes: https://securityweekly.com/asw219

    • 1 hr 21 min
    ASW #218 - Sandy Carielli, Martha Bennett


    A critical OpenSSL vuln is coming this Tuesday, a SQLite vuln, Apple blogs about memory safety and bug bounties, determining a random shuffle
     
    The Web3 ecosystem is chock full of applications and projects that have lost money (and their customers’ money) due to breaches, code flaws, or outright fraud. How can security teams do a better job of protecting Web3 apps? Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) at the same time as being a desirable target because of the value association with tokens. Join us for a lively discussion about key threats to Web3 apps – both on-chain and off-chain - what we can do to mitigate them…and what we absolutely should not do.
    Additional resources
    - https://www.bloomberg.com/features/2022-the-crypto-story/
    - https://web3isgoinggreat.com
    - https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/
     
    Show Notes: https://securityweekly.com/asw218

    • 1 hr 21 min
    ASW #217 - Kong Yew Chan


    Learn what keeps DevOps and SecOps up at night when securing Kubernetes, container, and cloud native applications, what tactics are best for developers and application architects to consider when securing your latest cloud application and hardening your CI/CD pipeline and processes.
    This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!
     
    Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation
     
    Show Notes: https://securityweekly.com/asw217

    • 1 hr 18 min
    ASW #216 - Jason Recla


    Exploiting FortiOS with HTTP client headers, mishandling memory in Linux kernel Wi-Fi stack, a field guide to security communities, secure coding resources from the OpenSSF, Linux kernel exploitation
     
    Cybersecurity is a data problem. Accelerated AI enables 100 percent data visibility and faster threat detection and remediation. Find out how NVIDIA used AI to reduce cybersecurity events from 100M per week to up to 10 actionable events per day, and accelerate threat detection from weeks to minutes.
     
    Segment Resources:
    Morpheus new digital fingerprinting GTC Fall 22 Demo Video: https://www.youtube.com/watch?v=8rEPkHRvDq0
    Morpheus Web Page: https://developer.nvidia.com/morpheus-cybersecurity
    Morpheus Digital Fingerprinting Blog: https://developer.nvidia.com/blog/fingerprinting-every-network-user-and-asset-with-morpheus/
    Detecting Threats Faster with AI-Based Cybersecurity Blog: https://developer.nvidia.com/blog/detecting-threats-faster-with-ai-based-cybersecurity/
    Enroll in our free, self-paced, 1-hour DLI course : https://courses.nvidia.com/courses/course-v1:DLI+T-DS-02+V1/
    Try Morpheus in NVIDIA LaunchPad: https://www.nvidia.com/try-morpheus
    Download Morpheus from NVIDIA GPU Cloud: https://catalog.ngc.nvidia.com/orgs/nvidia/teams/morpheus/collections/morpheus_
    Get started with Morpheus in GitHub: https://github.com/nvidia/morpheus
     
    This segment is sponsored by NVIDIA. Visit https://securityweekly.com/nvidia to learn more about them!
     
    Show Notes: https://securityweekly.com/asw216

    • 1 hr 19 min

Customer Reviews

4.9 out of 5
9 Ratings


jrod d ,

Great show

Best show I’ve found so far related to AppSec
