x

75% of people globally want unbiased news (Pew Research) but are concerned they're not getting that.

Get balanced coverage with Symby. See how stories are covered across diverse outlets and spot when one side covers a story the other skips.

PODCAST

Application Security Weekly (Audio)

Security Weekly Productions

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

technology tech news

All Episodes

01:17:25

The Complexities, Configurations, and Challenges in...

Application Security Weekly (Audio) ·

2024/10/21

Building cloud native apps doesn't mean you're immune to dealing with legacy systems. Cloud services have changed significantly over the last decade, both in the security controls available to them and the sheer volume of services that CSPs provide. Scott Piper shares some history of cloud security, the benefits of account separation, and how ratcheting security helps orgs stay on a paved path. Segment resources:

en

01:12:35

The Future of Zed Attack Proxy - Simon Bennetts, Ori...

Application Security Weekly (Audio) ·

2024/10/08

Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project. Segment Resources:

en

45:57

More Car Hacks, CUPS Vulns, Microsoft's SFI, Memory...

Application Security Weekly (Audio) ·

2024/10/02

More remote car control via web interfaces, an RCE in CUPS, Microsoft reduces attack surface, migrating to memory safety, dealing with dependency confusion, getting rid of password strength calculators, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-301

en

01:07:51

Vulnerable APIs and Bot Attacks: Two Interconnected,...

Application Security Weekly (Audio) ·

2024/09/24

APIs are essential to modern application architectures, driving rapid development, seamless integration, and improved user experiences. However, their widespread use has made them prime targets for attackers, especially those deploying sophisticated bots. When these bots exploit business logic, they can cause considerable financial and reputational damage. In this discussion, David Holmes offers insights into the latest trends in API and bot attacks and provides strategies to defend against these

en

01:02:26

Bringing Secure Coding Concepts to Developers -...

Application Security Weekly (Audio) ·

2024/09/17

When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that makes developers not only feel like their time is well used, but that the content appeals to them. Segment Resources: - The Security Champion Program

en

56:25

Paying Down Tech Debt, Rust in Firmware, EUCLEAK,...

Application Security Weekly (Audio) ·

2024/09/10

Considerations in paying down tech debt, make Rust work on bare metal, ECDSA side-channel in Yubikeys, trade-offs in deploying SSO quickly, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-298

en

37:48

Close the Security Theater: Enter Resilience - Kelly...

Application Security Weekly (Audio) ·

2024/09/02

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Show Notes:

en

01:04:28

Changing the Course of IoT's Future from Its Insecure...

Application Security Weekly (Audio) ·

2024/08/27

IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone. Segment resources:

en

01:21:54

The Fallout and Lessons Learned from the CrowdStrike...

Application Security Weekly (Audio) ·

2024/08/20

This week, Jeff Pollard and Allie Mellen join us to discuss the fallout and lessons learned from the CrowdStrike fiasco. They explore the reasons behind running in the kernel, the challenges of software quality, and the distinction between a security incident and an IT incident. They also touch on the need to reduce the attack surface and the importance of clear definitions in the cybersecurity industry. The conversation explores the need for a product security revolution and the importance of

en

01:08:53

When Appsec Needs to Start Small - Kalyani Pawar,...

Application Security Weekly (Audio) ·

2024/08/13

Startups and small orgs don't have the luxury of massive budgets and large teams. How do you choose an appsec approach that complements a startup's needs while keeping it secure. Kalyani Pawar shares her experience at different ends of an appsec maturity spectrum. In complex software ecosystems, individual application risks are compounded. When it comes to mitigating supply chain risk, identifying backdoors or unintended vulnerabilities that can be exploited in your environment is just as critical

en

01:10:17

Building Successful Security Champions Programs -...

Application Security Weekly (Audio) ·

2024/08/06

Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security. Segment Resources: OWASP Security Champions Guide - Get Involved! -

en

45:18

A CISO's Perspective on AI, Appsec, and Changing...

Application Security Weekly (Audio) ·

2024/07/30

Modern appsec isn't modern because security tools got shifted in one direction or another, or because teams are finding and fixing more vulns. It's modern because appsec is meeting developer needs and supporting the business. Paul Davis talks about how AI is (and isn't) changing appsec, the KPIs that reflect outcomes rather than being busy, and the importance of communication for security teams. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes:

en

01:05:00

Where Generative AI Can Actually Help Security (And...

Application Security Weekly (Audio) ·

2024/07/23

Generative AI has produced impressive chatbots and content generation, but however fun or impressive those might be, they don't always translate to value for appsec. Allie brings some realistic expectations to how genAI is used by attackers and can be useful to defenders. Segment resources: https://www.forrester.com/blogs/generative-ai-will-not-fulfill-your-autonomous-soc-hopes-or-even-your-demo-dreams/

en

01:09:02

Producing Secure Code by Leveraging AI - Stuart...

Application Security Weekly (Audio) ·

2024/07/16

How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-influenced tools more effective and useful in the context that developers need -- writing secure code. Cloudflare's 2024 appsec report, reasoning about the

en

01:12:41

State Of Application Security 2024 - Sandy Carielli,...

Application Security Weekly (Audio) ·

2024/07/09

Sandy Carielli and Janet Worthington, authors of the State Of Application Security 2024 report, join us to discuss their findings on trends this year! Old vulns, more bots, and more targeted supply chain attacks -- we should be better at this by now. We talk about where secure design fits into all this why appsec needs to accelerate to ludicrous speed. Segment resources https://www.forrester.com/blogs/ludicrous-speed-because-light-speed-is-too-slow-to-secure-your-apps/ They're also conducting a

en

01:01:09

OAuth 2.0 from Protecting APIs to Supporting...

Application Security Weekly (Audio) ·

2024/06/25

OAuth 2.0 is more than just a single spec and it's used to protect more than just APIs. We talk about challenges in maintaining a spec over a decade of changing technologies and new threat models. Not only can OAuth be challenging to secure by default, but it's not even always inter-operable. Segment Resources: https://oauth.net/2.1 https://oauth.net/specs/ https://oauth2simplified.com/ https://oauth.net/2/dpop/ https://oauth.net/2/oauth-best-practice/ https://oauth.net/fapi/

en

37:16

Learning EBPF - Liz Rice - ASW Vault

Application Security Weekly (Audio) ·

2024/06/18

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of infrastructure tools for networking, observability, and security. Let's explore eBPF and understand its value for security, and how it's used to secure

en

38:36

Microsoft Recall's Security & Privacy, Hacking Web...

Application Security Weekly (Audio) ·

2024/06/11

Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-288

en

01:12:08

Open Source Software Supply Chain Security & The Real...

Application Security Weekly (Audio) ·

2024/06/04

Open source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities for project owners has increased not only in dealing with security disclosures, but in maintaining secure processes backed by strong authentication and trust. Segment Resources: https://www.cisa.gov/news-events/news/lessons-xz-utils-achieving-more-sustainable-open-source-ecosystem

en

30:32

Securing Shadow Apps & Protecting Data - Guy Guzner,...

Application Security Weekly (Audio) ·

2024/05/28

With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single Sign-On (SSO). So the question becomes, “How do you enable the business while still providing security oversight and governance?” This segment is sponsored

en

378 results

Similar Podcasts

Lead With AI

Tamara Nall

Linux in the Ham Shack

Black Sparrow Media

Data Engineering Podcast

Tobias Macey

Eye On A.I.

Craig S. Smith

Reflections

Livewire Labs