444 episodes

Application Security Weekly decrypts development for the Security Professional - exploring how to inject security into their organization’s Software Development Lifecycle (SDLC) in a fluid and transparent way; Learn the tools, techniques, and processes necessary to move at the speed of DevOps (even if you aren’t a DevOps shop yet). The target audience for Application Security Weekly spans the gamut of Security Engineers and Practitioners that need to level-up their skills in the Application Security space - as well as enabling “Cyber Curious” developers to get involved in the Application Security process at their organizations. To a lesser extent, we hope to arm Security Managers and Executives with the knowledge to be conversational in the realm of DevOps - and to provide the right questions to ask their colleagues in development, along with the metrics to think critically about the answers they receive.

Application Security Weekly (Video‪)‬ Security Weekly

    • News
    • 4.0 • 4 Ratings

Application Security Weekly decrypts development for the Security Professional - exploring how to inject security into their organization’s Software Development Lifecycle (SDLC) in a fluid and transparent way; Learn the tools, techniques, and processes necessary to move at the speed of DevOps (even if you aren’t a DevOps shop yet). The target audience for Application Security Weekly spans the gamut of Security Engineers and Practitioners that need to level-up their skills in the Application Security space - as well as enabling “Cyber Curious” developers to get involved in the Application Security process at their organizations. To a lesser extent, we hope to arm Security Managers and Executives with the knowledge to be conversational in the realm of DevOps - and to provide the right questions to ask their colleagues in development, along with the metrics to think critically about the answers they receive.

    • video
    AWS AppSync Vuln, Zero-Initialization, HTTP/3 Connections, Thinkst Quarterly - ASW #221

    AWS AppSync Vuln, Zero-Initialization, HTTP/3 Connections, Thinkst Quarterly - ASW #221

    Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw221

    • 43 min
    • video
    Searching on Encrypted Data: MongoDB’s Queryable Encryption - Kenn White - ASW #221

    Searching on Encrypted Data: MongoDB’s Queryable Encryption - Kenn White - ASW #221

    MongoDB recently announced the industry’s first encrypted search scheme using breakthrough cryptography engineering called Queryable Encryption. This technology gives developers the ability to query encrypted sensitive data in a simple and intuitive way without impacting performance, with zero cryptography experience required. Data remains encrypted at all times on the database, including in memory and in the CPU; keys never leave the application and cannot be accessed by the database server. While adoption of cloud computing continues to increase, many organizations across healthcare, financial services, and government are still risk-averse. They don’t want to entrust another provider with sensitive workloads. This encryption capability removes the need to ever trust an outside party with your data. This end-to-end client-side encryption uses novel encrypted index data structures in such a way that for the first time, developers can run expressive queries on fully encrypted confidential workloads. Queryable Encryption is based on well-tested and established standard NIST cryptographic primitives to provide strong protection from attacks against the database, including insider threats, highly privileged administrators and cloud infrastructure staff. So even another Capital One type breach is not possible.
     
    Segment Resources:
    - https://www.mongodb.com/products/queryable-encryption
    - https://www.wired.com/story/mongodb-queryable-encryption-databases/
    - https://www.youtube.com/watch?v=mDKfZlQJO3k
    - https://thenewstack.io/mongodb-6-0-offers-client-side-end-to-end-encryption/
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw221

    • 37 min
    • video
    CosMiss, Pixel Lock Screen Bypass, IIoT Path Traversal, NSA on C & C++, Code Reviews - ASW #220

    CosMiss, Pixel Lock Screen Bypass, IIoT Path Traversal, NSA on C & C++, Code Reviews - ASW #220

    CosMiss in Azure, $70k bounty for a Pixel Lock Screen bypass, finding path traversal with Raspberry Pi-based emulators, NSA guidance on moving to memory safe languages, implementing phishing-resistant MFA, egress filtering, and how to approach code reviews
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw220

    • 44 min
    • video
    The Top 10 CI/CD Security Risks and CI/CD Goat - Daniel Krivelevich - ASW #220

    The Top 10 CI/CD Security Risks and CI/CD Goat - Daniel Krivelevich - ASW #220

    Cider Security’s recently published research of the Top 10 CI/CD Security Risks acts to identify vulnerabilities to help defenders focus on areas to secure their CI/CD ecosystem. They created a free learning tool with a deliberately vulnerable environment to demonstrate these flaws -- “CI/CD Goat”. Like similar tools, this helps appsec and devops teams gain a better understanding of major CI/CD security risks and, importantly, their appropriate countermeasures.
     
    Segment Resources:
    - https://www.cidersecurity.io/top-10-cicd-security-risks/
    - https://github.com/cider-security-research/top-10-cicd-security-risks
    - https://www.cidersecurity.io/blog/research/ci-cd-goat/
    - https://github.com/cider-security-research/cicd-goat
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw220

    • 42 min
    • video
    Punycode in OpenSSL, Authn in Cosmos DB Notebooks, Documenting Security, IoT Labels - ASW #219

    Punycode in OpenSSL, Authn in Cosmos DB Notebooks, Documenting Security, IoT Labels - ASW #219

    The punycode parsing in OpenSSL, missing authentication in Azure Cosmos DB Notebooks, the importance of documentation in security, labeling IoT security, bad response to a security disclosure
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw219

    • 41 min
    • video
    Bad Bots are Targeting Your APIs: What You Need to Know - Karl Triebes - ASW #219

    Bad Bots are Targeting Your APIs: What You Need to Know - Karl Triebes - ASW #219

    While APIs enable innovation, they’re increasingly targeted as a pathway to data. API abuses are often carried out through automated attacks, in which a botnet floods the API with unwanted traffic—seeking vulnerable applications and unprotected data. In this discussion, Karl Triebes shares what you need to know about the automated bot threats targeting your APIs with guidance on how to protect your applications and APIs from these attacks.
    This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!
     
    Visit https://www.securityweekly.com/asw for all the latest episodes!
    Show Notes: https://securityweekly.com/asw219

    • 39 min

Customer Reviews

4.0 out of 5
4 Ratings

4 Ratings

jdtangney ,

Occasional good content

Keith occasionally has something worth saying, but he lacks solid experience with hardcore software development, and knows almost nothing about lean/agile. He approaches software like an operations problem.

Paul is unpleasant to listen to and seldom adds anything of value. I wouild not listent to this podcast at all if Paul was the only contributor.

This week's episode is particularlt vexing, as the bros bray on about American Football. Please find another forum for that. Your listeners are here to bone up on AppSec.

Top Podcasts In News

Rachel Maddow, MSNBC
MSW Media
The New York Times
NPR
The Daily Wire
Serial Productions & The New York Times

You Might Also Like

Chris Romeo and Robert Hurlbut
Johannes B. Ullrich
CISO Series
ITWC
Michael Bazzell
TWiT