Uniting software development and application security - Jonathan Schneider, Will Vandevanter - ASW #342

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before.

Resources

• https://docs.openrewrite.org
• https://github.com/openrewrite

Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here!

Resources

• https://nvidia.custhelp.com/app/answers/detail/a_id/5687
• https://github.com/triton-inference-server/server
• https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/
• https://blog.trailofbits.com/2025/07/28/we-built-the-security-layer-mcp-always-needed/

Show Notes: https://securityweekly.com/asw-342