Application Security Weekly (Video‪)‬ Security Weekly

SAPwned demonstrates tenets of tenant isolation, a weak login flow puts Squarespace domains at risk, how AIs might (or might not) be useful for fixing code, getting buy-in for infosec investments, and more!
Show Notes: https://securityweekly.com/asw-292

Generative AI has produced impressive chatbots and content generation, but however fun or impressive those might be, they don't always translate to value for appsec. Allie brings some realistic expectations to how genAI is used by attackers and can be useful to defenders.
Segment resources:
https://www.forrester.com/blogs/generative-ai-will-not-fulfill-your-autonomous-soc-hopes-or-even-your-demo-dreams/ https://www.forrester.com/blogs/top-5-things-you-need-to-know-about-how-generative-ai-is-used-in-security-tools/ https://www.forrester.com/blogs/the-blob-is-poisoning-the-security-industry/ Show Notes: https://securityweekly.com/asw-292

Cloudflare's 2024 appsec report, reasoning about the Cyber Reasoning Systems for the upcoming AIxCC semifinals at DEF CON, lessons in secure design from post-quantum cryptography, and more!
Show Notes: https://securityweekly.com/asw-291

How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-influenced tools more effective and useful in the context that developers need -- writing secure code.
Show Notes: https://securityweekly.com/asw-291

Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous speed.
Segment resources
https://www.forrester.com/blogs/ludicrous-speed-because-light-speed-is-too-slow-to-secure-your-apps/ They're also conducting a survey on how orgs use Top 10 lists. Provide your response at https://forrester.co1.qualtrics.com/jfe/form/SV_9Z7ARUQjuzNQf0q Show Notes: https://securityweekly.com/asw-290

Polyfill loses trust after CDN misuse, an OpenSSH flaw reappears, how to talk about secure design from some old CocoaPods vulns, using LLMs to find bugs, Burp Proxy gets more investment, and more!
Show Notes: https://securityweekly.com/asw-290