Application Security Weekly (Video)

Security Weekly
  • 4.8 (4)
  • 科技新闻
  • 两周一更

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

  1. Uniting software development and application security - Jonathan Schneider, Will Vandevanter - ASW #342

    4小时前 · 视频

    Uniting software development and application security - Jonathan Schneider, Will Vandevanter - ASW #342

    Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before. Resources https://docs.openrewrite.org https://github.com/openrewrite Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here! Resources https://nvidia.custhelp.com/app/answers/detail/a_id/5687 https://github.com/triton-inference-server/server https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/ https://blog.trailofbits.com/2025/07/28/we-built-the-security-layer-mcp-always-needed/ Show Notes: https://securityweekly.com/asw-342

    58 分钟
  2. How Product-Led Security Leads to Paved Roads - Julia Knecht - ASW #341

    7月29日 · 视频

    How Product-Led Security Leads to Paved Roads - Julia Knecht - ASW #341

    A successful strategy in appsec is to build platforms with defaults and designs that ease the burden of security choices for developers. But there's an important difference between expecting (or requiring!) developers to use a platform and building a platform that developers embrace. Julia Knecht shares her experience in building platforms with an attention to developer needs, developer experience, and security requirements. She brings attention to the product management skills and feedback loops that make paved roads successful -- as well as the areas where developers may still need or choose their own alternatives. After all, the impact of a paved road isn't in its creation, it's in its adoption. Show Notes: https://securityweekly.com/asw-341

    1 小时 4 分钟
  3. Rise of Compromised LLMs - Sohrob Kazerounian - ASW #340

    7月22日 · 视频

    Rise of Compromised LLMs - Sohrob Kazerounian - ASW #340

    AI is more than LLMs. Machine learning algorithms have been part of infosec solutions for a long time. For appsec practitioners, a key concern is always going to be how to evaluate the security of software or a system. In some cases, it doesn't matter if a human or an LLM generated code -- the code needs to be reviewed for common flaws and design problems. But the creation of MCP servers and LLM-based agents is also adding a concern about what an unattended or autonomous piece of software is doing. Sohrob Kazerounian gives us context on how LLMs are designed, what to expect from them, and where they pose risk and reward to modern software engineering. Resources https://www.vectra.ai/research Show Notes: https://securityweekly.com/asw-340

    1 小时 7 分钟
  4. Getting Started with Security Basics on the Way to Finding a Specialization - ASW #339

    7月15日 · 视频

    Getting Started with Security Basics on the Way to Finding a Specialization - ASW #339

    What are some appsec basics? There's no monolithic appsec role. Broadly speaking, appsec tends to branch into engineering or compliance paths, each with different areas of focus despite having shared vocabularies and the (hopefully!) shared goal of protecting software, data, and users. The better question is, "What do you want to secure?" We discuss the Cybersecurity Skills Framework put together by the OpenSSF and the Linux Foundation and how you might prepare for one of its job families. The important basics aren't about memorizing lists or technical details, but demonstrating experience in working with technologies, understanding how they can fail, and being able to express concerns, recommendations, and curiosity about their security properties. Resources: https://cybersecurityframework.io https://owasp.org/www-project-cheat-sheets/ https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ https://aflplus.plus/ https://writings.stephenwolfram.com/2023/02/what-is-chatgpt-doing-and-why-does-it-work/ Show Notes: https://securityweekly.com/asw-339

    1 小时 8 分钟
  5. Checking in on the State of Appsec in 2025 - Sandy Carielli, Janet Worthington - ASW #338

    7月8日 · 视频

    Checking in on the State of Appsec in 2025 - Sandy Carielli, Janet Worthington - ASW #338

    Appsec still deals with ancient vulns like SQL injection and XSS. And now LLMs are generating code along side humans. Sandy Carielli and Janet Worthington join us once again to discuss what all this new code means for appsec practices. On a positive note, the prevalence of those ancient vulns seems to be diminishing, but the rising use of LLMs is expanding a new (but not very different) attack surface. We look at where orgs are investing in appsec, who appsec teams are collaborating with, and whether we need security awareness training for LLMs. Resources: https://www.forrester.com/blogs/application-security-2025-yes-ai-just-made-it-harder-to-do-this-right/ Show Notes: https://securityweekly.com/asw-338

    1 小时 7 分钟
  6. Simple Patterns for Complex Secure Code Reviews - Louis Nyffenegger - ASW #337

    7月1日 · 视频

    Simple Patterns for Complex Secure Code Reviews - Louis Nyffenegger - ASW #337

    Manual secure code reviews can be tedious and time intensive if you're just going through checklists. There's plenty of room for linters and compilers and all the grep-like tools to find flaws. Louis Nyffenegger describes the steps of a successful code review process. It's a process that starts with understanding code, which can even benefit from an LLM assistant, and then applies that understanding to a search for developer patterns that lead to common mistakes like mishandling data, not enforcing a control flow, or not defending against unexpected application states. He explains how finding those kinds of more impactful bugs are rewarding for the reviewer and valuable to the code owner. It involves reading a lot of code, but Louis offers tips on how to keep notes, keep an app's context in mind, and keep code secure. Segment Resources: https://pentesterlab.com/live-training/ https://pentesterlab.com/appsecschool https://deepwiki.com https://daniel.haxx.se/blog/2025/05/29/decomplexification/ Show Notes: https://securityweekly.com/asw-337

    38 分钟
  7. How Fuzzing Barcodes Raises the Bar for Secure Code - Artur Cygan - ASW #336

    6月24日 · 视频

    How Fuzzing Barcodes Raises the Bar for Secure Code - Artur Cygan - ASW #336

    Fuzzing has been one of the most successful ways to improve software quality. And it demonstrates how improving software quality improves security. Artur Cygan shares his experience in building and applying fuzzers to barcode scanners, smart contracts, and just about any code you can imagine. We go through the useful relationship between unit tests and fuzzing coverage, nudging fuzzers into deeper code paths, and how LLMs can help guide a fuzzer into using better inputs for its testing. Resources https://blog.trailofbits.com/2024/10/31/fuzzing-between-the-lines-in-popular-barcode-software/ https://github.com/crytic/echidna https://github.com/crytic/medusa https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html Show Notes: https://securityweekly.com/asw-336

    1 小时 1 分钟
  8. Threat Modeling With Good Questions and Without Checklists - Farshad Abasi - ASW #335

    6月17日 · 视频

    Threat Modeling With Good Questions and Without Checklists - Farshad Abasi - ASW #335

    What makes a threat modeling process effective? Do you need a long list of threat actors? Do you need a long list of terms? What about a short list like STRIDE? Has an effective process ever come out of a list? Farshad Abasi joins our discussion as we explain why the answer to most of those questions is No and describe the kinds of approaches that are more conducive to useful threat models. Resources: https://www.eurekadevsecops.com/agile-devops-and-the-threat-modeling-disconnect-bridging-the-gap-with-developer-insights/ https://www.threatmodelingmanifesto.org https://kellyshortridge.com/blog/posts/security-decision-trees-with-graphviz/ In the news, learning from outage postmortems, an EchoLeak image speaks a 1,000 words from Microsoft 365 Copilot, TokenBreak attack targets tokenizing techniques, Google's layered strategy against prompt injection looks like a lot like defending against XSS, learning about code security from CodeAuditor CTF, and more! Show Notes: https://securityweekly.com/asw-335

    1 小时 8 分钟
查看全部 669 集

评分及评论

4.8
共 5 分
4 个评分

关于

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

信息

你可能还喜欢