x

75% of people globally want unbiased news (Pew Research) but are concerned they're not getting that.

Get balanced coverage with Symby. See how stories are covered across diverse outlets and spot when one side covers a story the other skips.

PODCAST

Application Security Weekly (Video)

Security Weekly Productions

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

news tech news

All Episodes

01:14:45

More WAFs in Blocking Mode and More Security...

Application Security Weekly (Video) ·

2025/04/15

The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a

en

01:07:36

In Search of Secure Design - ASW #325

Application Security Weekly (Video) ·

2025/04/08

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we

en

01:11:19

Avoiding Appsec's Worst Practices - ASW #324

Application Security Weekly (Video) ·

2025/04/01

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources:

en

54:08

Finding a Use for GenAI in AppSec - Keith Hoodlet -...

Application Security Weekly (Video) ·

2025/03/25

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a

en

53:01

Redlining the Smart Contract Top 10 - Shashank - ASW...

Application Security Weekly (Video) ·

2025/03/18

The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Resources: https://scs.owasp.org https://scs.owasp.org/sctop10/ https://solidityscan.com/web3hackhub https://www.web3isgoinggreat.com Show Notes:

en

33:17

Skype Hangs Up, Android Backdoors, Jailbreak...

Application Security Weekly (Video) ·

2025/03/11

Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Show Notes: https://securityweekly.com/asw-321

en

40:34

CISA's Secure by Design Principles, Pledge, and...

Application Security Weekly (Video) ·

2025/03/11

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign

en

33:55

QR Codes Replacing SMS, MS Pulls VSCode Extension,...

Application Security Weekly (Video) ·

2025/03/04

Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Show Notes: https://securityweekly.com/asw-320

en

35:08

Keeping Curl Successful and Secure Over the Decades -...

Application Security Weekly (Video) ·

2025/03/04

Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects in the world. Segment Resources: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/

en

34:57

Opengrep & Semgrep, Hacking Subarus, Hacking Synths,...

Application Security Weekly (Video) ·

2025/01/28

An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more! Show Notes: https://securityweekly.com/asw-315

en

33:38

Security the AI SDLC - Niv Braun - ASW #315

Application Security Weekly (Video) ·

2025/01/28

A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have been working with ML and sensitive data sets for a long time, and it's good to have more scrutiny on what controls should be present to protect that data

en

31:43

PyPI's Quarantine, Phishing & Awareness, Porting...

Application Security Weekly (Video) ·

2025/01/14

Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Show Notes: https://securityweekly.com/asw-313

en

36:04

Discussing Useful Security Requirements with...

Application Security Weekly (Video) ·

2025/01/14

There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog. Segment resources: https://github.com/ossf/scorecard https://www.commonhaus.org/ https://www.hackergarten.net/ Show Notes:

en

36:34

Fuzzing Barcodes, Fuzzing with AI, AI vs. Scammers,...

Application Security Weekly (Video) ·

2024/12/03

Fuzzing barcodes and getting projects onboarded with fuzzers, using AI to guide fuzzers, using AI to combat scammers, using CWEs for something, using malicious comments to ban repos, and more! Show Notes: https://securityweekly.com/asw-309

en

34:24

Adding Observability with OpenTelemetry - Adriana...

Application Security Weekly (Video) ·

2024/12/03

Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload, and how engaging users about their experience with solutions like OpenTelemetry makes for better software -- a lesson that appsec teams can apply to

en

32:45

Fuzzing for Vulns, GitLab Auth Bypass, JPEG Vulns,...

Application Security Weekly (Video) ·

2024/09/24

Fuzzing network traffic in OpenWRT, parsing problems lead to GitLab auth bypass, more fuzzing finds vulns in a JPEG parser, and more! Show Notes: https://securityweekly.com/asw-300

en

35:07

Vulnerable APIs and Bot Attacks: Two Interconnected,...

Application Security Weekly (Video) ·

2024/09/24

APIs are essential to modern application architectures, driving rapid development, seamless integration, and improved user experiences. However, their widespread use has made them prime targets for attackers, especially those deploying sophisticated bots. When these bots exploit business logic, they can cause considerable financial and reputational damage. In this discussion, David Holmes offers insights into the latest trends in API and bot attacks and provides strategies to defend against these

en

29:16

A TLD Takeover, An LLM CTF, A Firmware Flaw, 6 Truths...

Application Security Weekly (Video) ·

2024/09/17

A takeover of the MOBI TLD for $20, configuring an LLM for a CTF, firmware flaw in an SSD, Microsoft talks kernel resilience, six truths of cyber risk quantification, and more! Show Notes: https://securityweekly.com/asw-299

en

33:10

Bringing Secure Coding Concepts to Developers -...

Application Security Weekly (Video) ·

2024/09/17

When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that makes developers not only feel like their time is well used, but that the content appeals to them. Segment Resources: - The Security Champion Program

en

56:25

Paying Down Tech Debt, Rust in Firmware, EUCLEAK,...

Application Security Weekly (Video) ·

2024/09/10

Considerations in paying down tech debt, make Rust work on bare metal, ECDSA side-channel in Yubikeys, trade-offs in deploying SSO quickly, and more! Show Notes: https://securityweekly.com/asw-298

en

61 results

Similar Podcasts

Expres Ráno

Expres FM

PBS News Hour - Full Show

PBS News

CD Voice

China Daily

Israel Today: Ongoing War Report

Noa Levi

Jeffrey Epstein: The Coverup Chronicles

Bobby Capucci