x

75% of people globally want unbiased news (Pew Research) but are concerned they're not getting that.

Get balanced coverage with Symby. See how stories are covered across diverse outlets and spot when one side covers a story the other skips.

PODCAST

Application Security Weekly (Audio)

Security Weekly Productions

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

technology tech news

All Episodes

01:08:17

Managing the Minimization of a Container Attack...

Application Security Weekly (Audio) ·

2025/08/19

A smaller attack surface should lead to a smaller list of CVEs to track, which in turn should lead to a smaller set of vulns that you should care about. But in practice, keeping something like a container image small has a lot of challenges in terms of what should be considered minimal. Neil Carpenter shares advice and anecdotes on what it takes to refine a container image and to change an org's expectations that every CVE needs to be fixed. Visit https://www.securityweekly.com/asw for all the

en

42:13

The Future of Supply Chain Security - Janet...

Application Security Weekly (Audio) ·

2025/08/12

Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most effective solutions are old techniques. Resources https://www.forrester.com/blogs/make-no-mistake-software-is-a-supply-chain-and-its-under-attack/

en

58:07

Uniting software development and application security...

Application Security Weekly (Audio) ·

2025/08/05

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before. Resources https://docs.openrewrite.org

en

01:04:11

How Product-Led Security Leads to Paved Roads - Julia...

Application Security Weekly (Audio) ·

2025/07/29

A successful strategy in appsec is to build platforms with defaults and designs that ease the burden of security choices for developers. But there's an important difference between expecting (or requiring!) developers to use a platform and building a platform that developers embrace. Julia Knecht shares her experience in building platforms with an attention to developer needs, developer experience, and security requirements. She brings attention to the product management skills and feedback loops

en

01:06:35

Rise of Compromised LLMs - Sohrob Kazerounian - ASW #340

Application Security Weekly (Audio) ·

2025/07/22

AI is more than LLMs. Machine learning algorithms have been part of infosec solutions for a long time. For appsec practitioners, a key concern is always going to be how to evaluate the security of software or a system. In some cases, it doesn't matter if a human or an LLM generated code -- the code needs to be reviewed for common flaws and design problems. But the creation of MCP servers and LLM-based agents is also adding a concern about what an unattended or autonomous piece of software is doing

en

01:07:50

Getting Started with Security Basics on the Way to...

Application Security Weekly (Audio) ·

2025/07/15

What are some appsec basics? There's no monolithic appsec role. Broadly speaking, appsec tends to branch into engineering or compliance paths, each with different areas of focus despite having shared vocabularies and the (hopefully!) shared goal of protecting software, data, and users. The better question is, "What do you want to secure?" We discuss the Cybersecurity Skills Framework put together by the OpenSSF and the Linux Foundation and how you might prepare for one of its job families. The

en

01:07:15

Checking in on the State of Appsec in 2025 - Janet...

Application Security Weekly (Audio) ·

2025/07/08

Appsec still deals with ancient vulns like SQL injection and XSS. And now LLMs are generating code along side humans. Sandy Carielli and Janet Worthington join us once again to discuss what all this new code means for appsec practices. On a positive note, the prevalence of those ancient vulns seems to be diminishing, but the rising use of LLMs is expanding a new (but not very different) attack surface. We look at where orgs are investing in appsec, who appsec teams are collaborating with, and

en

38:26

Simple Patterns for Complex Secure Code Reviews -...

Application Security Weekly (Audio) ·

2025/07/01

Manual secure code reviews can be tedious and time intensive if you're just going through checklists. There's plenty of room for linters and compilers and all the grep-like tools to find flaws. Louis Nyffenegger describes the steps of a successful code review process. It's a process that starts with understanding code, which can even benefit from an LLM assistant, and then applies that understanding to a search for developer patterns that lead to common mistakes like mishandling data, not enforcing

en

01:01:18

How Fuzzing Barcodes Raises the Bar for Secure Code -...

Application Security Weekly (Audio) ·

2025/06/24

Fuzzing has been one of the most successful ways to improve software quality. And it demonstrates how improving software quality improves security. Artur Cygan shares his experience in building and applying fuzzers to barcode scanners, smart contracts, and just about any code you can imagine. We go through the useful relationship between unit tests and fuzzing coverage, nudging fuzzers into deeper code paths, and how LLMs can help guide a fuzzer into using better inputs for its testing. Resources

en

01:08:00

Threat Modeling With Good Questions and Without...

Application Security Weekly (Audio) ·

2025/06/17

What makes a threat modeling process effective? Do you need a long list of threat actors? Do you need a long list of terms? What about a short list like STRIDE? Has an effective process ever come out of a list? Farshad Abasi joins our discussion as we explain why the answer to most of those questions is No and describe the kinds of approaches that are more conducive to useful threat models. Resources:

en

01:09:09

Bringing CISA's Secure by Design Principles to OT...

Application Security Weekly (Audio) ·

2025/06/10

CISA has been championing Secure by Design principles. Many of the principles are universal, like adopting MFA and having opinionated defaults that reduce the need for hardening guides. Matthew Rogers talks about how the approach to Secure by Design has to be tailored for Operational Technology (OT) systems. These systems have strict requirements on safety and many of them rely on protocols that are four (or more!) decades old. He explains how the considerations in this space go far beyond just

en

39:06

AIs, MCPs, and the Acutal Work that LLMs Are...

Application Security Weekly (Audio) ·

2025/06/03

The recent popularity of MCPs is surpassed only by the recent examples deficiencies of their secure design. The most obvious challenge is how MCPs, and many more general LLM use cases, have erased two decades of security principles behind separating code and data. We take a look at how developers are using LLMs to generate code and continue our search for where LLMs are providing value to appsec. We also consider what indicators we'd look for as signs of success. For example, are LLMs driving useful

en

01:04:35

AI in AppSec: Agentic Tools, Vibe Coding Risks &...

Application Security Weekly (Audio) ·

2025/05/27

ArmorCode unveils Anya—the first agentic AI virtual security champion designed specifically for AppSec and product security teams. Anya brings together conversation and context to help AppSec, developers and security teams cut through the noise, prioritize risks, and make faster, smarter decisions across code, cloud, and infrastructure. Built into the ArmorCode ASPM Platform and backed by 25B findings, 285+ integrations, natural language intelligence, and role-aware insights, Anya turns complexity

en

01:01:48

Appsec News & Interviews from RSAC on Identity and AI...

Application Security Weekly (Audio) ·

2025/05/20

In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference. With more types of identities, machines, and agents trying to access increasingly critical data and resources, across

en

01:09:38

Secure Code Reviews, LLM Coding Assistants, and...

Application Security Weekly (Audio) ·

2025/05/13

Developers are relying on LLMs as coding assistants, so where are the LLM assistants for appsec? The principles behind secure code reviews don't really change based on who write the code, whether human or AI. But more code means more reasons for appsec to scale its practices and figure out how to establish trust in code, packages, and designs. Rey Bango shares his experience with secure code reviews and where developer education fits in among the adoption of LLMs. As businesses rapidly embrace SaaS

en

01:03:03

AI Era, New Risks: How Data-Centric Security Reduces...

Application Security Weekly (Audio) ·

2025/05/06

We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass against LLMs. Not everything is genAI as we cover some secure design topics from the Airborne attack against Apple's AirPlay to more calls for companies to

en

44:08

Secure Designs, UX Dragons, Vuln Dungeons - Jack...

Application Security Weekly (Audio) ·

2025/04/29

In this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons. But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable join the discussion to provide advice on evaluating secure designs through examples of strong and weak designs we've seen over the years. We highlight the

en

01:03:03

Managing Secrets - Vlad Matsiiako - ASW #327

Application Security Weekly (Audio) ·

2025/04/22

Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should

en

01:14:45

More WAFs in Blocking Mode and More Security...

Application Security Weekly (Audio) ·

2025/04/15

The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a

en

01:07:36

In Search of Secure Design - ASW #325

Application Security Weekly (Audio) ·

2025/04/08

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we

en

378 results

Similar Podcasts

Lead With AI

Tamara Nall

Linux in the Ham Shack

Black Sparrow Media

Data Engineering Podcast

Tobias Macey

Eye On A.I.

Craig S. Smith

Reflections

Livewire Labs