306 episodes

The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws.

Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.

Application Security Weekly (Audio‪)‬ Security Weekly Productions

    • Technology
    • 4.9 • 11 Ratings

The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws.

Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.

    Where Generative AI Can Actually Help Security (And Where It Doesn't) - Farshad Abasi, Allie Mellen - ASW #292

    Where Generative AI Can Actually Help Security (And Where It Doesn't) - Farshad Abasi, Allie Mellen - ASW #292

    Generative AI has produced impressive chatbots and content generation, but however fun or impressive those might be, they don't always translate to value for appsec. Allie brings some realistic expectations to how genAI is used by attackers and can be useful to defenders.
    Segment resources:
    https://www.forrester.com/blogs/generative-ai-will-not-fulfill-your-autonomous-soc-hopes-or-even-your-demo-dreams/ https://www.forrester.com/blogs/top-5-things-you-need-to-know-about-how-generative-ai-is-used-in-security-tools/ https://www.forrester.com/blogs/the-blob-is-poisoning-the-security-industry/ SAPwned demonstrates tenets of tenant isolation, a weak login flow puts Squarespace domains at risk, how AIs might (or might not) be useful for fixing code, getting buy-in for infosec investments, and more!
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw-292

    • 1 hr 5 min
    Producing Secure Code by Leveraging AI - Stuart McClure - ASW #291

    Producing Secure Code by Leveraging AI - Stuart McClure - ASW #291

    How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-influenced tools more effective and useful in the context that developers need -- writing secure code.
    Cloudflare's 2024 appsec report, reasoning about the Cyber Reasoning Systems for the upcoming AIxCC semifinals at DEF CON, lessons in secure design from post-quantum cryptography, and more!
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw-291

    • 1 hr 9 min
    State Of Application Security 2024 - Sandy Carielli, Janet Worthington - ASW #290

    State Of Application Security 2024 - Sandy Carielli, Janet Worthington - ASW #290

    Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous speed.
    Segment resources
    https://www.forrester.com/blogs/ludicrous-speed-because-light-speed-is-too-slow-to-secure-your-apps/ They're also conducting a survey on how orgs use Top 10 lists. Provide your response at https://forrester.co1.qualtrics.com/jfe/form/SV_9Z7ARUQjuzNQf0q Polyfill loses trust after CDN misuse, an OpenSSH flaw reappears, how to talk about secure design from some old CocoaPods vulns, using LLMs to find bugs, Burp Proxy gets more investment, and more!
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw-290

    • 1 hr 12 min
    OAuth 2.0 from Protecting APIs to Supporting Authorization & Authentication - Aaron Parecki - ASW #289

    OAuth 2.0 from Protecting APIs to Supporting Authorization & Authentication - Aaron Parecki - ASW #289

    OAuth 2.0 is more than just a single spec and it's used to protect more than just APIs. We talk about challenges in maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always inter-operable.
    Segment Resources:
    https://oauth.net/2.1 https://oauth.net/specs/ https://oauth2simplified.com/ https://oauth.net/2/dpop/ https://oauth.net/2/oauth-best-practice/ https://oauth.net/fapi/ https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API Thoughts on shared responsibility models after the Snowflake credential attacks, looking at AI's current and future role in offensive security, secure by design lessons from Apple's Private Cloud Computer, and more!
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw-289

    • 1 hr 1 min
    Learning EBPF - Liz Rice - ASW Vault

    Learning EBPF - Liz Rice - ASW Vault

    Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023.
    Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of infrastructure tools for networking, observability, and security. Let's explore eBPF and understand its value for security, and how it's used to secure network connectivity in the Cilium project, and for runtime security observability and enforcement in Cilium's sub-project, Tetragon.
    Segment Resources:
    Download "Learning eBPF": https://isovalent.com/learning-ebpf Buy "Learning eBPF" from Amazon: https://www.amazon.com/Learning-eBPF-Programming-Observability-Networking/dp/1098135121 Cilium project: https://cilium.io Tetragon project: https://tetragon.cilium.io/
    Show Notes: https://securityweekly.com/vault-asw-11

    • 37 min
    Microsoft Recall's Security & Privacy, Hacking Web APIs, Secure Design Pledge - ASW #288

    Microsoft Recall's Security & Privacy, Hacking Web APIs, Secure Design Pledge - ASW #288

    Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more!
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw-288

    • 38 min

Customer Reviews

4.9 out of 5
11 Ratings

11 Ratings

DMLou ,

Great show

Amazing show with great news and tips on making sure you code is secure.

jrod d ,

Great show

Best show I’ve found so far related to AppSec

Top Podcasts In Technology

Acquired
Ben Gilbert and David Rosenthal
All-In with Chamath, Jason, Sacks & Friedberg
All-In Podcast, LLC
Lex Fridman Podcast
Lex Fridman
Hard Fork
The New York Times
Underserved
Andrew Gelina
TED Radio Hour
NPR

You Might Also Like

Business Security Weekly (Audio)
Security Weekly Productions
Risky Business News
risky.biz
Risky Business
Patrick Gray
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Johannes B. Ullrich
The Application Security Podcast
Chris Romeo and Robert Hurlbut
Enterprise Security Weekly (Audio)
Security Weekly Productions