Welcome to the Security Weekly Podcast Network, your all-in-one source for the latest in cybersecurity! This feed features a diverse lineup of shows, including Application Security Weekly, Business Security Weekly, Paul's Security Weekly, Enterprise Security Weekly, and Security Weekly News. Whether you're a cybersecurity professional, business leader, or tech enthusiast, we cover all angles of the cybersecurity landscape. Tune in for in-depth panel discussions, expert guest interviews, and ...
…
continue reading
Player FM - Internet Radio Done Right
Checked 1d ago
Toegevoegd vijf jaar geleden
Inhoud geleverd door Security Weekly Productions. Alle podcastinhoud, inclusief afleveringen, afbeeldingen en podcastbeschrijvingen, wordt rechtstreeks geüpload en geleverd door Security Weekly Productions of hun podcastplatformpartner. Als u denkt dat iemand uw auteursrechtelijk beschermde werk zonder uw toestemming gebruikt, kunt u het hier beschreven proces https://nl.player.fm/legal volgen.
Overeenkomstig met Application Security Weekly (Audio)
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
On The Bike Shed, hosts Joël Quenneville and Stephanie Minn discuss development experiences and challenges at thoughtbot with Ruby, Rails, JavaScript, and whatever else is drawing their attention, admiration, or ire this week.
…
continue reading
Download This Show is your weekly guide to the world of media, culture, and technology. From social media to gadgets, streaming services to privacy issues. Each week Rae Johnston and guests take a fun, deep dive into how technology is reshaping our lives.
…
continue reading
Africa-focused technology, digital and innovation ecosystem insight and commentary.
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
A podcast featuring panelists of engineers from Netflix, Twitch, & Atlassian talking over drinks about all things software engineering.
…
continue reading
Material is a weekly discussion about the Google and Android universe. Your intrepid hosts try to answer the question, “What holds up the digital world?” The answer, so far, is that it’s Google all the way down. Hosted by Andy Ihnatko and Florence Ion.
…
continue reading
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
Tech Life discovers and explains the ways technology is changing our lives, wherever we are in the world. We meet the people with bright ideas for rethinking the way we work, learn and play, and get hands-on with the products they dream up. We hold tech giants to account for their huge power to affect our lives, and ask who wins, and who loses, in the technology transformation. Tech Life is your guide to a future being made, and remade, at lightning speed in front of our eyes.
…
continue reading
Player FM - Podcast-app
Ga offline met de app Player FM !
Ga offline met de app Player FM !
))
Daily Deals
Podcasts die het beluisteren waard zijn
GESPONSORDE
Not many artists actually hail from Tennessee, but the scenic valleys and rolling hills of The Volunteer State are part of Dustin Lynch’s DNA. In this episode of On the Bus, Country Thunder CEO Troy Vollhoffer sits down with Dustin to discuss his journey from playing fraternity parties and weddings across the southeast to being the first country artist with a club residency at the Wynn in Las Vegas. Plus, stick around for our new segment, Thunder Strike, where Troy features upcoming festival performer Riley Green’s hit song “Damn Good Day to Leave” to give you a taste of what’s to come at Country Thunder in 2025.…
Modernizing AppSec - Melinda Marks - ASW #307
Manage episode 449795515 series 2794635
Inhoud geleverd door Security Weekly Productions. Alle podcastinhoud, inclusief afleveringen, afbeeldingen en podcastbeschrijvingen, wordt rechtstreeks geüpload en geleverd door Security Weekly Productions of hun podcastplatformpartner. Als u denkt dat iemand uw auteursrechtelijk beschermde werk zonder uw toestemming gebruikt, kunt u het hier beschreven proces https://nl.player.fm/legal volgen.
In this week's interview, Melinda Marks' joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations.
We also discuss the fuzzy line between "cloud-native" AppSec and everything else that refuses to disappear, particularly for organizations that weren't born cloud-native and still have legacy workloads to worry about.
Integrating security into the SDLC and CI/CD pipelines, infrastructure as code (IaC) trends, best of breed vs platform, and other aspects of AppSec get discussed as well!
This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response.
Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish.
Is it bad that 70% of DevSecOps professionals don't know if code is AI generated or not?
All that and more on this week's news segment.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-307
338 afleveringen
DelenManage episode 449795515 series 2794635
Inhoud geleverd door Security Weekly Productions. Alle podcastinhoud, inclusief afleveringen, afbeeldingen en podcastbeschrijvingen, wordt rechtstreeks geüpload en geleverd door Security Weekly Productions of hun podcastplatformpartner. Als u denkt dat iemand uw auteursrechtelijk beschermde werk zonder uw toestemming gebruikt, kunt u het hier beschreven proces https://nl.player.fm/legal volgen.
In this week's interview, Melinda Marks' joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations.
We also discuss the fuzzy line between "cloud-native" AppSec and everything else that refuses to disappear, particularly for organizations that weren't born cloud-native and still have legacy workloads to worry about.
Integrating security into the SDLC and CI/CD pipelines, infrastructure as code (IaC) trends, best of breed vs platform, and other aspects of AppSec get discussed as well!
This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response.
Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish.
Is it bad that 70% of DevSecOps professionals don't know if code is AI generated or not?
All that and more on this week's news segment.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-307
338 afleveringen
Alle afleveringen
×
1 Avoiding Appsec's Worst Practices - ASW #324 1:11:19
1:11:19 
Later Afspelen 
Later Afspelen 
Lijsten 
Vind ik leuk 
Leuk1:11:19
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukWe take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-324…
LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans. Segment resources: https://securing.dev/posts/ai-security-reasoning-and-bias/ https://seclists.org/dailydave/2025/q1/0 https://arxiv.org/pdf/2409.16165 https://arxiv.org/pdf/2410.05229 https://nicholas.carlini.com/writing/2025/thoughts-on-future-ai.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-323…
The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Resources: https://scs.owasp.org https://scs.owasp.org/sctop10/ https://solidityscan.com/web3hackhub https://www.web3isgoinggreat.com Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-322…
1 CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321 1:13:50
1:13:50 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:13:50
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukJust three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-321…
1 Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320 1:09:02
1:09:02 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:09:02
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukCurl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects in the world. Segment Resources: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/ https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/ https://thenewstack.io/curls-daniel-stenberg-on-securing-180000-lines-of-c-code/ Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-320…
1 Developer Environments, Developer Experience, and Security - Dan Moore - ASW #319 1:10:21
1:10:21 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:10:21
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukMinimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of this means for security. Applying forgivable vs. unforgivable criteria to reDoS vulns, what backdoors in LLMs mean for trust in building software, considering some secure AI architectures to minimize prompt injection impact, developer reactions to Rust, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-319…
We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly. Segment Resources: Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024 Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open Project overview: https://portswigger.net/research/top-10-web-hacking-techniques Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-318…
1 Code Scanning That Works With Your Code - Scott Norberg - ASW #317 1:12:52
1:12:52 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:12:52
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukCode scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier. Segment Resources: - https://github.com/ScottNorberg-NCG/CodeSheriff.NET Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-317…
1 Threat Modeling That Helps the Business - Akira Brand, Sandy Carielli - ASW #316 1:11:39
1:11:39 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:11:39
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukThreat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers. Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-316…
1 Security the AI SDLC - Niv Braun - ASW #315 1:08:34
1:08:34 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:08:34
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukA lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have been working with ML and sensitive data sets for a long time, and it's good to have more scrutiny on what controls should be present to protect that data. This segment is sponsored by Noma Security. Visit https://securityweekly.com/noma to learn more about them! An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-315…
What’s in store for appsec in 2025? Sure, there'll be some XSS and SQL injection, but what about trends that might influence how appsec teams plan? Cody Scott shares five cybersecurity and privacy predictions and we take a deep dive into three of them. We talk about finding value to appsec from AI, why IoT and OT need both programmatic and technical changes, and what the implications of the next XZ Utils attack might be. Segment resources: https://www.forrester.com/blogs/predictions-2025-cybersecurity-risk-privacy/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-314…
1 Discussing Useful Security Requirements with Developers - Ixchel Ruiz - ASW #313 1:07:41
1:07:41 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:07:41
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukThere's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog. Segment resources: https://github.com/ossf/scorecard https://www.commonhaus.org/ https://www.hackergarten.net/ Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-313…
1 DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams - Greg Anderson - ASW #312 1:07:10
1:07:10 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:07:10
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukAll appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools to help them bring useful insights to developers. Segment Resources: https://owasp.org/www-project-defectdojo/ Three-quarters of CISOs surveyed reported being "overwhelmed" by the growing number of tools and their alerts: https://www.darkreading.com/cloud-security/cisos-throwing-cash-tools-detect-breaches As many as one-fifth of all cybersecurity alerts turn out to be false positives. Among 800 IT professionals surveyed, just under half of them stated that approximately 40% of the alerts they receive are false positives: https://www.securitymagazine.com/articles/97260-one-fifth-of-cybersecurity-alerts-are-false-positives 91% of organizations knowingly released vulnerable applications, 57% of vulnerabilities are left unresolved by developers, 32% of CISOs deploy vulnerable code in the hopes it won’t be discovered, 56% of developers struggle to prioritize vulnerability fixes: https://info.checkmarx.com/future-of-application-security-2024 Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-312…
1 Applying Usability and Transparency to Security - Hannah Sutor - ASW #311 1:09:42
1:09:42 Later Afspelen Later Afspelen Lijsten Vind ik leuk Leuk1:09:42
Later Afspelen Later Afspelen Lijsten Vind ik leuk LeukPractices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and setting an example for transparency in security disclosures. Segment resources https://youtu.be/ydg95R2QKwM Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! 00:00 Welcome to Application Security Weekly! 01:49 Meet the Experts 03:28 What Are Non-Human Identities? 06:17 Balancing Security & Usability 08:24 MFA Challenges & Admin Security 12:09 Navigating Breaking Changes 16:05 Security by Design in Action 18:42 Identity Management for Startups 20:18 Secure by Design: Real Impact 24:03 Transparency After a Critical Vulnerability 31:39 Looking Ahead to 2025 32:45 Application Security in Three Words 34:10 - Intro & Cyber Resilience Insights 35:30 - The 25-Year-Old Curl Bug Story 38:27 - Fuzzing for Security: A Missed Opportunity? 42:56 - AWS re:Invent Security Highlights 46:04 - NPM Malware Surge 50:43 - Small Packages, Big Risks in NPM 54:05 - Open Source Security Trends 58:37 - Microsoft MFA Vulnerability Explained 62:38 - Hardware Hacking & DMA Exploits 65:05 - Auditing Ruby’s Package Ecosystem 68:12 - Looking Ahead to 2025 Show Notes: https://securityweekly.com/asw-311…
We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage. Segment resources https://prods.ec https://owasp.org/www-project-spvs/ https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/ https://securitychampions.owasp.org/ https://deadliestwebattacks.com/appsec/2024/11/14/ai-and-llms-asw-topic-recap https://www.scworld.com/podcast-episode/3017-infosec-myths-mistakes-and-misconceptions-adrian-sanabria-asw-279 Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-310…
Welkom op Player FM!
Player FM scant het web op podcasts van hoge kwaliteit waarvan u nu kunt genieten. Het is de beste podcast-app en werkt op Android, iPhone en internet. Aanmelden om abonnementen op verschillende apparaten te synchroniseren.
Daily Deals
Overeenkomstig met Application Security Weekly (Audio)
Welcome to the Security Weekly Podcast Network, your all-in-one source for the latest in cybersecurity! This feed features a diverse lineup of shows, including Application Security Weekly, Business Security Weekly, Paul's Security Weekly, Enterprise Security Weekly, and Security Weekly News. Whether you're a cybersecurity professional, business leader, or tech enthusiast, we cover all angles of the cybersecurity landscape. Tune in for in-depth panel discussions, expert guest interviews, and ...
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
On The Bike Shed, hosts Joël Quenneville and Stephanie Minn discuss development experiences and challenges at thoughtbot with Ruby, Rails, JavaScript, and whatever else is drawing their attention, admiration, or ire this week.
…
continue reading
Download This Show is your weekly guide to the world of media, culture, and technology. From social media to gadgets, streaming services to privacy issues. Each week Rae Johnston and guests take a fun, deep dive into how technology is reshaping our lives.
…
continue reading
Africa-focused technology, digital and innovation ecosystem insight and commentary.
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
A podcast featuring panelists of engineers from Netflix, Twitch, & Atlassian talking over drinks about all things software engineering.
…
continue reading
Material is a weekly discussion about the Google and Android universe. Your intrepid hosts try to answer the question, “What holds up the digital world?” The answer, so far, is that it’s Google all the way down. Hosted by Andy Ihnatko and Florence Ion.
…
continue reading
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
Tech Life discovers and explains the ways technology is changing our lives, wherever we are in the world. We meet the people with bright ideas for rethinking the way we work, learn and play, and get hands-on with the products they dream up. We hold tech giants to account for their huge power to affect our lives, and ask who wins, and who loses, in the technology transformation. Tech Life is your guide to a future being made, and remade, at lightning speed in front of our eyes.
…
continue reading
Player FM - Podcast-app
Ga offline met de app Player FM !
Ga offline met de app Player FM !
))
