
Application Security Weekly (Video) (Security Weekly)
Explore every episode of Application Security Weekly (Video)
Pub. Date | Title | Duration | Description
---|---|---|---
19 Jun 2019 | Bugs, Breaches, and More! - Application Security Weekly #65 | 00:35:52 | There's no escape that will save you..., the privilege of running a Chrome extension, and Four practices towards DevSecOps! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode65 Follow us on Twitter: https://www.twitter.com/securityweekly
31 Oct 2023 | How Security Tools Must Evolve - Dan Kuykendall - ASW #261 | 00:44:55 | The categories of security tools that we're most familiar with have struggled to keep up with how modern apps are designed and what modern devs need. What if instead of being beholden to categories, we created tools that solved problems devs have today in the types of apps they build today? And what if we had more dev leadership to influence security tools as well as secure by design? What would that leadership look like? Segment Resources: Show Notes: https://securityweekly.com/asw-261
30 Jan 2019 | Jing Xie, Venafi - Application Security Weekly #48 | 00:40:57 | Dr. Jing Xie is the senior threat intelligence researcher for Venafi, the market-leading cybersecurity company in machine identity protection. As a member of the Venafi thought leadership group, she leads Venafi Labs. Full Show Notes: https://wiki.securityweekly.com/ASW_Episode48 Follow us on Twitter: https://www.twitter.com/securityweekly
01 Aug 2023 | Identity and Verifiable Credentials in Cars - Eve Maler - ASW #249 | 00:35:40 | Identity isn't new, but we do have new ways of presenting and protecting identity with things like payment wallets and verifiable credentials. But we also have identity in surprising places -- like cars. We'll answer some questions like: And, yeah, we'll have that song (https://youtu.be/MkeO7ThL8yg?feature=shared) you're thinking about stuck in our heads the whole time. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-249
26 Jan 2021 | KindleDrip, State of Messaging State Machines, DoH, & Data Security Strategies - ASW #137 | 00:38:47 | An overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might fit into appsec, and all the things that can go wrong when you give up root in your Kubernetes pod. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw137
18 Jul 2018 | iOS Bugs, Burp Suite, & DevSecOps - Application Security Weekly #24 | 00:31:08 | In the news, compromised JavaScript package caught stealing npm credentials, remote iOS bugs, a $39 device that can defeat iOS USB Restricted mode, Broadcom buys CA Technologies, Burp Suite Automation Tool, & more on this episode of Application Security Weekly! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode24 Follow us on Twitter: https://www.twitter.com/securityweekly
08 Oct 2024 | The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302 | 00:35:34 | Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project. Segment Resources: Show Notes: https://securityweekly.com/asw-302
17 Oct 2023 | HTTP/2 Rapid Reset, Curl's SOCKS5 Bug, Standardizing CycloneDX, AI Bug Bounty - ASW #259 | 00:39:31 | How HTTP/2's rapid reset is abused for DDoS, a look at the fix for Curl's recent high severity bug, OWASP moves to make CycloneDX a standard, Microsoft deprecates NTLM, VBScript, and old TLS -- while also introducing an AI bug bounty program. Show Notes: https://securityweekly.com/asw-259
03 Jul 2018 | Thomas GX, Yelda - Application Security Weekly #22 | 00:33:00 | Thomas GX is a French entrepreneur specialized in Automation, AI, Assistants & Bots, handling creation and development as well as project management processes. Full Show Notes: https://wiki.securityweekly.com/ASW_Episode22 Follow us on Twitter: https://www.twitter.com/securityweekly
20 Jun 2018 | Ron Gula, Gula Tech Adventures - Application Security Weekly #20 | 00:44:34 | Ron started his cybersecurity career as a network penetration tester for the NSA. At BBN, he developed network honeypots to lure hackers, and he ran US Internetworking's team of penetration testers and incident responders. Full Show Notes: https://wiki.securityweekly.com/ASW_Episode20 Follow us on Twitter: https://www.twitter.com/securityweekly
01 May 2018 | Drupal, RSAC, & Facebook - Application Security Weekly #13 | 00:39:52 | In the news, Drupal 7 and 8 core critical releases, Irony of Leaky App at #RSAC Not Lost on Attendees, US FDA seeking Congressional Authority for new requirements, Facebook fuels broad privacy debate by tracking non-users, & more on this episode of Application Security Weekly! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode13 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly
08 Jun 2021 | HTTP Goes QUIC, Security & Humans, Amazon Sidewalk Privacy, & Product Abuse - ASW #153 | 00:38:12 | This week in the AppSec News, Tyler Robinson joins Mike & John to discuss: HTTP/3 and QUIC, bounties for product abuse, Amazon Sidewalk security & privacy, security & human behavior, authentication bypass postmortem, M1RACLES, & more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw153
24 Nov 2020 | Drupal Flaws, DevSecOps Implementation, & Cloud Native Security White Paper - ASW #131 | 00:31:55 | In the Application Security News, a manifesto highlights principles and values for threat modeling, the CNCF releases a Cloud Native Security Whitepaper, Microsoft put security in the CPU with Pluton, mass scanning for secrets, ancient flaws resurface in Drupal, and steps for implementing source composition analysis! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/asw131
30 Nov 2021 | Bug Bounties in Windows/WebKit, Edge Hardening, OAuth Hardening, & GoDaddy Breach - ASW #176 | 00:38:46 | This week in the AppSec News: Bug bounty payout practices, Edge goes super duper secure mode, WebKit CSP flaw has consequences for OAuth, GoDaddy breach, vuln in MediaTek audio DSP, & more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw176
27 Apr 2020 | Threat Modeling in AppSec - Avi Douglen - ASW #105 | 00:34:28 | This week, we welcome Avi Douglen, Founder and CEO of Bounce Security, to talk about Threat Modeling in Application Security, DevSecOps, and how Application Security is mapping Security culture! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode105
02 Oct 2018 | Landing a Job in Application Security - Application Security Weekly #34 | 00:32:08 | Attend local meetups and conferences, practice your coding skills, get educated by World Class security researchers, do your homework, there's no substitute for Practice, OWASP Juice Shop, and much more! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode34 Follow us on Twitter: https://www.twitter.com/securityweekly
24 Aug 2020 | DevOps-First Application Security For Mid-Markets - Sundar Krish - ASW #119 | 00:35:00 | Mid-markets do have AppSec expertise, the current AppSec products are focused on large enterprises and require AppSec expertise. Sken.ai is the new and the only AppSec scan tool, focused on mid-markets where DevOps can get started without any AppSec expertise. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/asw119
12 Sep 2023 | Building a Scanner and a Community with Zed Attack Proxy - Simon Bennetts - ASW #254 | 00:36:43 | Zed Attack Proxy is an essential tool for web app pentesting. The project just recently moved from OWASP to the Secure Software Project. Hear about the challenges of running an OSS security project, why Simon got involved in the first place, and why successful projects are about more than just code. Segment Resources: Show Notes: https://securityweekly.com/asw-254
24 Aug 2021 | BlackBerry's BadAlloc, Glibc's NULL, Backtick Command Injection, & ProxyLogon Details - ASW #163 | 00:36:12 | This week Mike & John discuss: BlackBerry addresses BadAlloc bugs, glibc fixes a fix, more snprintf misuse that leads to command injection, ProxyLogon technical details, & more in the AppSec News! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw163
15 Aug 2023 | DARPA's AI Challenge, CISA Wants Secure Open Source, 5 Years of Vuln Research - ASW #251 | 00:33:44 | DARPA unleashes an AI Cyber Challenge to find flaws, CISA asks for input on securing open source software and memory safety, what five years of vuln research shows for vuln management programs, siphoning security tokens from VS Code, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-251
05 Aug 2022 | Smart Lock and Simple Vulns, Macros and Secure Defaults, Breaches and Costs - ASW #206 | 00:36:58 | Multiple vulns in a smart lock, Office Macros finally disabled by default, data breach costs and threat modeling, designing migration paths for 2FA. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw206
11 Oct 2021 | Modernizing the Management of Your Software Supply Chain - Tom Gibson - ASW #169 | 00:35:41 | SBOM: what does it really tell you, and the importance of having one for your organization; finding and fixing known vulnerabilities in dependencies and container images; building a source of truth for packages to avoid malicious packages getting through; combining continuous packaging and security into a CI/CD pipeline; establishing trust & provenance in your software supply chain; visibility in your software supply chain with upstreams and signatures. This segment is sponsored by Cloudsmith. Visit https://securityweekly.com/cloudsmith to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw169
27 Jan 2018 | Matias Madou, Secure Code Warrior - Application Security Weekly #03 | 00:29:05 | Matias Madou is the CTO of Secure Code Warrior, where he is responsible for leading the company's technology vision and overseeing the engineering team. He joins Keith this week for the feature interview! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode03 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly
15 Aug 2018 | Alibaba Cloud Security, Comcast, and Facebook - Application Security Weekly #28 | 00:32:28 | Alibaba Cloud Security team discovers Apache Spark REST API remote code execution exploit, Comcast security flaws exposed partial address, Hacker finds hidden 'God Mode' in old x86 CPUs, and more! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode28 Follow us on Twitter: https://www.twitter.com/securityweekly
30 Apr 2024 | Random Problems, Protecting Packages, and Vulns in Designs, Defaults & Data Leaks - ASW #283 | 00:38:40 | Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more! Show Notes: https://securityweekly.com/asw-283
09 Apr 2019 | Docker, ARM, & "Selfie" - Application Security Weekly #56 | 00:37:14 | In the News segment, The Matrix turns 20, Containers are Weakest Security Leak Again, The Evolution of Application Security in the Serverless World, and more! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode56 Follow us on Twitter: https://www.twitter.com/securityweekly
26 Apr 2021 | Deceptive Diffs From Subversive Submitters - ASW #148 | 00:38:16 | We start with the article about "Researchers Secretly Tried To Add Vulnerabilities to Linux Kernel, Ended Up Getting Banned" and explore its range of issues from ethics to securing huge, distributed software projects. It's hardly novel to point out that bad actors can attempt to introduce subtle and exploitable bugs. More generally, we've also seen impacts from package owners who have revoked their code, like NPM leftpad, or who transfer ownership to actors who later on abuse the package's reputation, as we've seen in Chrome Plugins. So, what could have been a better research focus? In the era of more pervasive fuzzing, how much should we continue to rely on people for security code review? For additional resources please visit: Deceptive Diffs From Subversive Submitters - ASW #148 Featuring: John Kinsella (https://www.linkedin.com/in/jlkinsel), Mike Shema (https://www.linkedin.com/in/zombie). Read the research paper at https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw148
12 Mar 2024 | More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276 | 00:35:28 | A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they're a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company, has observed over the past year, and what steps organizations can take to protect their APIs. This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them! Show Notes: https://securityweekly.com/asw-276
08 Jun 2020 | The Future State of AppSec - Phillip Maddux - ASW #110 | 00:35:03 | Application Security is changing rapidly, and with changes to automation and tooling will look vastly different 5 years from now than it does today. We discuss what those changes will look like, including what we're already seeing today. To learn more about Signal Sciences, visit: https://securityweekly.com/signalsciences Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode110
02 Jul 2019 | GKE, AWS, & S3 Buckets - Application Security Weekly #67 | 00:30:40 | GKE improves authentication with Workload Identity, AWS re:Inforce reveals traffic tools and security solutions that improve support for DevOps, Brief history of Trusted Execution Environments, From the Enterprise's Project: How to Explain Service Mesh in Plain English, Developers and Security Teams Under Pressure to Collaborate! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode67 Follow us on Twitter: https://www.twitter.com/securityweekly
31 Jan 2023 | There Is No Average Behavior - Dr. David Movshovitz - ASW #227 | 00:31:05 | We speak with Dr. David Movshovitz about There Is No Average Behavior! Segment Resources: White paper: https://www.reveal.security/lp/white-paper/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw227
22 Feb 2022 | Cassandra RCE, Pixelation Is Poor Redaction, Rust's Useful Errors, & Hardening Edge - ASW #185 | 00:32:02 | This week in the Application Security News: RCE in Cassandra, why pixelization isn't good redaction, Rust's compiler is friendly, Edge adds arbitrary code guard to its WASM interpreter, & the difference between secure code and a secure product (as demonstrated by a DAO). Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw185
25 Jan 2023 | Breach Disclosures, SSRF in Azure, Integer Flaws, Top 10 Web Hacking Techniques - ASW #226 | 00:42:02 | Breach disclosures from T-Mobile and PayPal, SSRF in Azure services, Google Threat Horizons report, integer overflows and more, Rust in Chromium, ML for web scanning, Top 10 web hacking techniques of 2022. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw226
18 Mar 2018 | AMD, MailChimp, & Equifax - Application Security Weekly #9 | 00:30:02 | In the news, researchers say AMD processors have serious vulnerabilities and backdoors, hijacked MailChimp accounts used to distribute banking malware, Voodoo Kali, Equifax executive charged with insider trading after data breach, & more on this episode of Application Security Weekly! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode09 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly
15 Nov 2018 | ColdFusion, Destroying Logs, & Tracing Meme's - Application Security Weekly #39 | 00:32:13 | DJI Drone Vulnerability, Hackers are increasingly destroying logs to hide attacks, Adobe ColdFusion servers under attack from APT group, understanding Open Source Code use in your business, and more! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode39 Follow us on Twitter: https://www.twitter.com/securityweekly
21 Sep 2021 | OMIGOD, FORCEDENTRY, Code Ownership, Security as a Product, & IoT Device Criteria - ASW #166 | 00:31:35 | This week in the AppSec News, Mike and John talk: RCE in Azure OMI, punching a hole in iMessage BlastDoor, Travis CI exposes sensitive environment variables, keeping code ownership accurate, deploying security as a product, IoT Device Criteria (aka nutrition labels), & more! Show Notes: https://securityweekly.com/asw166 Visit https://www.securityweekly.com/asw for all the latest episodes!
29 Mar 2019 | Wins & Challenges In AppSec, Square - Application Security Weekly #55 | 00:38:00 | Mike Shema is the Product Security Lead of Square. Mike joins us on the show to talk about where the wins and challenges are in appsec! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode55 Follow us on Twitter: https://www.twitter.com/securityweekly
27 Jun 2023 | XSS in Azure, Choosing Web Research Topics, Security Dev-in-Residence, More Myths - ASW #245 | 00:37:50 | Two XSS vulns via postMessage methods in Azure, how to choose (and move on from) a web research topic, OpenSSF finances a security developer-in-residence for Python, more infosec myths, free cybersecurity training resources. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-245
06 Jun 2023 | LLM Top 10, Simple Vulns, PyPI Requires 2FA, ThinkstScapes Quarterly, Fun w/ Learning - ASW #243 | 00:40:39 | OWASP has a draft for the LLM Top 10, simple vulns in a modern SaaS app, ancient vuln in a WordPress plugin, PyPI moves to secure its package manager accounts, ThinkstScapes Quarterly research report, having fun with memory variables, DNS, and logins. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-243
27 Aug 2024 | Changing the Course of IoT's Future from Its Insecure Past - Paddy Harrington - ASW #297 | 00:37:21 | IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone. Segment resources: Show Notes: https://securityweekly.com/asw-297
03 Oct 2023 | A Deceptive Dependabot, Insecure JWT, CISA Wants HBOMs, OpenSSF's Critical Projects - ASW #257 | 00:39:57 | Attackers impersonate Dependabot commits, an alg of "none" plagues a JWT, CISA calls for hardware bills of materials, OpenSSF lists its critical projects, Exim (finally! maybe?) has some patches, bug bounties and open source projects, and more! Show Notes: https://securityweekly.com/asw-257
06 Jul 2020 | Protecting Mobile Applications - Catherine Chambers, Will Hickie - ASW #113 | 00:35:13 | What do you do if your ambition is to provide security for all the mobile apps in the world? You hire a data scientist! Machine Learning is more than just a buzzword; it is the science behind making decisions quickly and at scale. Catherine Chambers returns to Application Security Weekly with Irdeto's lead data scientist Will Hickie to describe how they turned Mobile Application Security into a data science problem, and what that means for your mobile app. To download the white paper, visit: https://securityweekly.com/irdeto Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode113
14 Jun 2018 | FireFox, Windows 10, DevOps, and BitHubLab - Application Security Weekly #19 | 00:31:41 | Application news, DevOps food for thought, learning & tools from BitHubLab, and bugs, breaches, and more! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode19 Follow us on Twitter: https://www.twitter.com/securityweekly
31 Oct 2018 | Johnny Xmas, Kasada.io - Application Security Weekly #37 | 00:39:41 | Keith, Paul, and Johnny Xmas discuss airport security, penetration testing, the top 5 payment apps, and DevOps infused conversation! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode37 Follow us on Twitter: https://www.twitter.com/securityweekly
18 Jul 2023 | Securing Non-Election Election Systems, Modernizing AppSec Education - Brian Glas - ASW #247 | 00:39:33 | While much has been written and argued about the security of election systems - the things that do the actual ballot counting - there are other systems that have to be in place and secured before the vote can occur: voter registration databases, ballot delivery systems, etc. Might it be possible to use modern appsec concepts like OWASP SAMM to secure them in a more efficient, targeted, cost-effective manner? Brian Glas joins us to talk about this and his ongoing work around providing students with a modern application security education. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-247
27 Oct 2020 | Cyber Risk in Industrial IoT, Firefox 'Site Isolation', & Chrome 0-Day Bug - ASW #127 | 00:35:59 | NSA publishes list of top vulnerabilities currently targeted by Chinese hackers, Nvidia Warns Gamers of Severe GeForce Experience Flaws, Addressing cybersecurity risk in industrial IoT and OT, Firefox 'Site Isolation' feature enters user testing, expected next year, Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser, and Exit Stage Left: Eradicating Security Theater! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/asw127
09 May 2022 | Securing SAP: Addressing the Critical & Complex Challenge - Christoph Nagy - ASW #196 | 00:36:40 | With 77 percent of all financial transactions touching an SAP system, SAP is the backbone and heart of most organizations. Add to this the vast amounts of customer-facing personal data used within SAP, and you can see why SAP security is critical. However, SAP's complexity - in the form of extensive customization, thousands of configurations, and typical misunderstandings about who and which group is responsible - makes SAP security a challenge. Hear SecurityBridge CEO Christoph Nagy discuss with Security Weekly how organizations can navigate and address these challenges by taking critical steps such as patching, creating baselines, and developing roadmaps for risk prioritization and more to become SAP security heroes. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw196
27 Feb 2024 | PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results - ASW #274 | 00:22:49 | PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more! Show Notes: https://securityweekly.com/asw-274
26 Mar 2024 | Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278 | 00:36:36 | One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place. Segment resources: Show Notes: https://securityweekly.com/asw-278
22 Oct 2024 | The Complexities, Configurations, and Challenges in Cloud Security - Scott Piper - ASW #304 | 00:38:53 | Building cloud native apps doesn't mean you're immune to dealing with legacy systems. Cloud services have changed significantly over the last decade, both in the security controls available to them and the sheer volume of services that CSPs provide. Scott Piper shares some history of cloud security, the benefits of account separation, and how ratcheting security helps orgs stay on a paved path. Segment resources: Show Notes: https://securityweekly.com/asw-304
19 Nov 2024 | AI fixes everything, C++ the actual worst, IAM is hard - ASW #308 | 00:37:14 | This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us. We also discuss whether Secure by Design's goals are practical or not. OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet. Also, Watchtowr has some fun with Citrix VDI! Show Notes: https://securityweekly.com/asw-308
18 Apr 2023 | Collecting Bounties and Building Communities - Ben Sadeghipour - ASW #237 | 00:38:24 | We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw237
08 Apr 2018 | One Language to Rule Them All - Application Security Weekly #11 | 00:31:55 | Everything you want to build, anywhere you want to build it, can be done with JavaScript. This week Paul and Keith discuss One Language to Rule Them All: Node-based Operating System, NodeOS! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode11 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly
04 Jun 2024 | Bots are Taking Over the Internet & Defining ASPM - Idan Plotnik, Erez Hasson - ASW #287 | 00:30:12 | Application security posture management has quickly become a hot commodity in the world of AppSec, but questions remain around what is defined by ASPM. Vendors have cropped up from different corners of the AppSec space to help security teams make their programs more effective, improve their security postures, and connect the dots between developers and security. Apiiro is setting the diamond standard for ASPM, combining deep code analysis, runtime context, and native risk detection with a 100% open platform approach, providing more valuable prioritization and a more powerful policy engine. This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them! Bots accounted for nearly half of all internet traffic in 2023, with bad bot traffic rising for a fifth consecutive year. Malicious bot activity is a significant risk for businesses as it can result in account compromise, higher infrastructure and support costs, customer churn, and more. Tune in to learn about the security risks of these automated threats and what trends Imperva has monitored. This segment is sponsored by Imperva. Visit https://securityweekly.com/impervarsac to learn more about them! Show Notes: https://securityweekly.com/asw-287
18 Jun 2024 | Learning EBPF - Liz Rice - ASW Vault | 00:37:16 | Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 4, 2023. Following on from her successful title "Container Security", Liz has recently authored "Learning eBPF", published by O'Reilly. eBPF is a revolutionary kernel technology that is enabling a whole new generation of infrastructure tools for networking, observability, and security. Let's explore eBPF and understand its value for security, and how it's used to secure network connectivity in the Cilium project, and for runtime security observability and enforcement in Cilium's sub-project, Tetragon. Segment Resources: Download "Learning eBPF": https://isovalent.com/learning-ebpf Buy "Learning eBPF" from Amazon: https://www.amazon.com/Learning-eBPF-Programming-Observability-Networking/dp/1098135121 Cilium project: https://cilium.io Tetragon project: https://tetragon.cilium.io/ Show Notes: https://securityweekly.com/vault-asw-11
14 Apr 2020 | Zooming Alex Stamos & Building Security TestOps - ASW #103 | 00:33:32 | This week in the Application Security News, Zoom Taps Ex-Facebook CISO Amid Security Snafus, Lawsuit, How we abused Slack's TURN servers to gain access to internal services, Moving from reCAPTCHA to hCaptcha, Automate Security Testing with ZAP and GitHub Actions, Shift-Right Testing: The Emergence of TestOps, and Building Secure and Reliable Systems! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode103
25 Dec 2023 | OWASP SAMM - Software Assurance Maturity Model - Sebastian Deleersnyder - ASW Vault | 00:34:24 | We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. At the end we will cover how you can engage with the SAMM community and provide an overview of what happened at our latest SAMM User Day, which happened on May 27th. Segment Resources: https://www.youtube.com/channel/UCEZDbvQrj5APg5cEET49A_g Show Notes: https://securityweekly.com/vault-asw-6
17 Oct 2023 | OT Security - Huxley Barbee - ASW #259 | 00:39:33 | It's no surprise that OT security has fared poorly over the last 30+ years. To many appsec folks, these systems have uncommon programming languages, unfamiliar hardware, and brittle networking stacks. They also tend to have different threat scenarios. Many of these systems are designed, successfully, to maintain availability. But when a port scan can freeze or crash a device, that availability seems like it hasn't put enough consideration into adversarial environments. We chat about the common failures of OT design and discuss a few ways that systems designed today might still be secure 30 years from now. Segment Resources: https://linktr.ee/huxley_barbee BSidesNYC: LinkedIn: https://www.linkedin.com/company/bsidesnyc/ Mastodon: https://infosec.exchange/@BSidesNYC runZero has a tool that can safely discover your entire OT network: Free trial: https://www.runzero.com/try/signup/ Show Notes: https://securityweekly.com/asw-259
16 May 2018 | Text Bombs, Black Dots of Death, and Azure - Application Security Weekly #16 | 00:28:56 | |
A remote code execution vulnerability is discovered in Electron, the Azure CTO reveals details about Azure confidential computing, and part 1 of 3 on the ways of DevSecOps. Full Show Notes: https://wiki.securityweekly.com/ASW_Episode16 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly | |||
14 Apr 2018 | Open Source Software - Application Security Weekly #12 | 00:28:24 | |
With GitHub's 10-year anniversary, it's about time we talk Open Source! Visit https://github.com/ten to read about their anniversary! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode12 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly | |||
18 May 2021 | Third Party Software Risk on the Web - Aanand Krishnan - ASW #151 | 00:37:38 | |
Web applications are highly dependent on third-party content and JavaScript. This creates a significant set of vulnerabilities that attackers are exploiting. How do you prevent a SolarWinds-type hack on your website? Segment Resources: https://go.talasecurity.io/blog/data-in-the-browser-is-data-at-risk https://www.talasecurity.io/protect/#how https://go.talasecurity.io/blog/how-i-hacked-your-website
This segment is sponsored by Tala Security. Visit https://securityweekly.com/talasecurity to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw151 | |||
29 Jun 2021 | Semgrep, Microsoft Signs With Rootkits, ATT&CK/D3FEND, & Injured Android - ASW #156 | 00:38:03 | |
This week in the AppSec News: Visual Studio Code's Workspace Trust, Injured Android (an insecure mobile app), Microsoft accidentally signs a driver containing rootkits, the NSA funds a new sister matrix to ATT&CK: D3FEND, "Ransomware: maybe it's you, not them?", and more!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw156 | |||
30 Jan 2024 | Getting Your First Conference Presentation - Sarah Harvey - ASW #271 | 00:38:31 | |
We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices? Segment resources:
Show Notes: https://securityweekly.com/asw-271 | |||
04 Dec 2019 | Facebook, Twitter, & Firefox - ASW #87 | 00:28:49 | |
Analysis of Jira Bug Stresses Impact of SSRF in Public Cloud, DevSecOps Adoption and the Web Security Myth, Facebook, Twitter profiles slurped by mobile apps using malicious SDKs, Firefox gets tough on tracking tricks that sneakily sap your privacy, and Decoding the Modern Enterprise Software Spaghetti. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode87 | |||
28 Jun 2022 | More Fuzzing, a Decade of OT Security, & Top Threats to Cloud Computing - ASW #202 | 00:37:58 | |
This week in the AppSec News: Lessons learned from fuzzing, OT:ICEFALL report on insecure designs, CSA's Top Threats to Cloud Computing, Twitter apologizes for misusing data collection, & State of Open Source Security report!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw202 | |||
25 Jun 2024 | Shared Responsibility Models, AI in Offensive Security, Apple's Private Cloud Compute - ASW #289 | 00:24:10 | |
Thoughts on shared responsibility models after the Snowflake credential attacks, looking at AI's current and future role in offensive security, secure by design lessons from Apple's Private Cloud Compute, and more! Show Notes: https://securityweekly.com/asw-289 | |||
12 Oct 2021 | Twitch Breach, HTTPd Path Traversal, Disabling Macros, & Great Cybersecurity Programs - ASW #169 | 00:38:06 | |
This week in the AppSec News, Mike and John talk: The Twitch breach, a path traversal in Apache httpd, Microsoft disables macros by default after almost 30 years, factors in a great cybersecurity program, & more!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw169 | |||
05 Jul 2018 | PHPMyAdmin, GitHub, and VS Code - Application Security Weekly #22 | 00:35:16 | |
'GDPR-Lite', Testing Firefox, refactoring in VS Code, sniffing network traffic from our iOS device, the Gentoo GitHub organization is hacked, and what does it mean to experience fulfillment? All that and more, here on Application Security Weekly! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode22 Follow us on Twitter: https://www.twitter.com/securityweekly | |||
19 Mar 2024 | Vulns in Smart Locks, FCC labels for IoT, ZAP's New Home - ASW #277 | 00:38:20 | |
Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Show Notes: https://securityweekly.com/asw-277 | |||
13 Aug 2024 | Reducing Supply Chain Risk & What’s lurking in your phone? - Danny Jenkins, Nikos Kiourtis - ASW #295 | 00:34:30 | |
In complex software ecosystems, individual application risks are compounded. When it comes to mitigating supply chain risk, identifying backdoors or unintended vulnerabilities that can be exploited in your environment is just as critical as staying current with the latest hacking intel. Understand how to spot and reduce the risk to your environment and prevent disruption to your operation. Every mobile device connecting to enterprise assets hosts a unique blend of work and personal apps, creating a complex landscape of innumerable vulnerabilities. Thankfully, methods exist to provide security teams with the real-world insights necessary to proactively address threats and shield against attacks targeting mobile apps and device endpoints. Nikos Kiourtis, CTO at Quokka, shares the latest findings in mobile security, outlining emerging threats and effective measures to reduce your mobile app attack surface and safeguard against potential attacks and data breaches. Segment Resources: - Panelcast with SC Magazine: 8 ways attackers target mobile apps to steal your data (and how to stop them) https://www.scmagazine.com/cybercast/8-ways-attackers-target-mobile-apps-to-steal-your-data-and-how-to-stop-them - Ryan Johnson’s talk at DEF CON 32, “Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?” https://defcon.org/html/defcon-32/dc-32-speakers.html This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlockerbh for a free trial! This segment is sponsored by Quokka. Visit https://securityweekly.com/quokkabh to learn more about their intelligence app solutions! Show Notes: https://securityweekly.com/asw-295 | |||
17 Mar 2020 | Bottlerocket, Supply Chain Casualty, DevOps Sweet Spot - ASW #100 | 00:32:35 | |
Data of millions of eBay and Amazon shoppers exposed as another supply chain casualty, Announcing Bottlerocket, a new open source Linux-based operating system purpose-built to run containers, and The DevOps Sweet Spot: Inserting Security at Pull Requests (Part 1). Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode100 | |||
26 Feb 2020 | Application News - RSA Conference News and Activities - ASW #97 | 00:32:30 | |
6 of the 10 vendors at Innovation Sandbox are application security companies, F5 Empowers Customers with End-to-End App Security, Checkmarx Simplifies Automation of Application Security Testing for Modern Development and DevOps Environments, and more RSA Conference News! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode97 | |||
09 Aug 2022 | Agility Broke AppSec. Now It's Going to Fix It - Chen Gour Arie - ASW #207 | 00:36:27 | |
In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than investing their time in critical activities, teams are overwhelmed by gaps in visibility and by the tools meant to govern the process. As a result, many digital services remain improperly protected. In this episode, we plan to address and discuss the current state of AppSec and point out a few common failure points. Afterwards we plan to discuss what agile AppSec looks like, and how a reorganization and a shift in management strategy could greatly transform the field and allow businesses to truly address the risk of under-protected software. Segment Resources:
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw207 | |||
21 Aug 2023 | Security in a Cloud Native World & Mobile App Attacks - Asaf Ashkenazi, Jason Rolleston - ASW #252 | 00:30:32 | |
Modern applications are transforming how businesses serve their customers, employees, and partners. But they also challenge security teams with limited to no visibility or control while expanding an organization’s attack surface. Jason Rolleston, vice president and general manager of VMware Carbon Black, discusses how security teams can enable their companies to safely adopt modern application environments. Segment Resources:
This segment is sponsored by VMWare Carbon Black. Visit https://securityweekly.com/vmwarebh to learn more about them!
In today's mobile-first world, where Android and iOS apps are crucial for customer engagement, companies often overlook the vulnerability of their applications - which poses a growing risk to the enterprise. While business cybersecurity measures are robust, hackers exploit the app path to circumvent server-side security. To help you understand the risks and safeguard your mobile apps and your customer PII, Asaf Ashkenazi will talk about the top mobile app attacks, the real-world implications, the blind spot in many company security teams, and easy ways to protect, detect and respond to this growing threat. Segment Resources:
This segment is sponsored by Verimatrix. Visit https://securityweekly.com/verimatrixbh to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-252 | |||
16 Nov 2020 | Automated Hacker Knowledge - Rickard Carlsson - ASW #130 | 00:34:52 | |
In a fast-paced tech environment, keeping up with security research can be overwhelming for companies. Automation is a must to keep up - but you also need human ingenuity to make sure automation adds value and not noise. Combining software automation with the knowledge of elite hackers is the key to ensure both speed and relevance.
This segment is sponsored by Detectify. Visit https://securityweekly.com/detectify to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/asw130 | |||
04 Jan 2021 | Security By Design - ASW #135 | 00:35:39 | |
A premise of adding security to DevOps is we can "shift left" AppSec responsibilities, one of which is building apps so they're secure by design. Yet what resources does the AppSec community provide for this approach to design? We take a look at the OWASP Top 10, Web Security Testing Guide, and Application Security Verification Standard to find a way forward for DevOps teams.
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw135 | |||
29 Nov 2021 | Solving Systemic Risk in Software Development - Chris Wysopal - ASW #176 | 00:37:27 | |
In today’s session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common goals and solve the speed vs. security dilemma. Specifically, they’ll discuss processes for fixing more vulnerabilities faster and tools for ensuring developer success. And they’ll talk about improving the overall maturity of DevOps teams through good development practices, good testing, remediation, and training.
Segment Resources: - Veracode State of Software Security v11 https://www.veracode.com/state-of-software-security-report
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw176 | |||
19 Sep 2023 | Azure's Eight XSS Vulns, CNCF's Two Security Audits, CISA's OSS Roadmap, Repojacking - ASW #255 | 00:34:40 | |
A slew of XSS in Azure's HDInsight, CNCF releases fuzzing and security audits on Kyverno and Dragonfly2, CISA shares a roadmap for securing open source software, race conditions and repojacking in GitHub, and more! Show Notes: https://securityweekly.com/asw-255 | |||
15 Oct 2019 | Francois Lascelles, Ping Identity - ASW #80 | 00:34:02 | |
Francois is a member of the Ping Identity Office of the CTO. He provides product and strategic direction to customers and partners with a focus on API infrastructure security and API cybersecurity.
To learn more about Ping Identity, visit: https://securityweekly.com/ping Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode80 | |||
26 Sep 2023 | Equifax's Breach, CISA's 1,000 Vulns, Rust's TLS Library, Complexity vs. Design - ASW #256 | 00:40:23 | |
A stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security). Show Notes: https://securityweekly.com/asw-256 | |||
03 Nov 2020 | Lax IoT, Adobe Flash Croaks, Link Preview Vulns, & Security Theatre! - ASW #128 | 00:33:15 | |
Lax IoT security exposes smart-irrigation systems, Adobe Flash goes truly end of line in one last update, confidential computing gets a turbo boost with Nitro, link previews show security and privacy problems, and security theatre gets an encore!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/asw128 | |||
19 Nov 2024 | Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308 | 00:33:19 | |
This week's interview dives deep into the state of biometrics with two Forrester Research analysts! The discussion compares and contrasts regional approaches to biometrics, examines the security challenges and benefits of their implementation, and reveals how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives into the technical end of things and explains how biometrics can be resilient to attack. We can't replace our fingerprints or faces, but as Andras explains, there's no need to, thanks to how biometrics actually work. Then, Enza takes us through the latest on privacy in biometrics - a concern for both consumers and businesses tasked with complying with privacy regulations and avoiding costly fines. Finally, get a sneak peek into the upcoming Forrester Security & Risk Summit. Whether you're an industry professional or just curious about the implications of biometrics, this episode delivers insights you won't want to miss! Show Notes: https://securityweekly.com/asw-308 | |||
25 May 2021 | IIS Bug, Browsers & Androids & Supply Chains Oh My! - ASW #152 | 00:32:16 | |
This week in the AppSec News segment, Mike and John talk: HTTP bug bothers IIS, Android platform security, supply chain security (new and old), brief (very brief) history of browser security, & more!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw152 | |||
23 Aug 2021 | Challenges in Open Source Application Security - Shubhra Kar - ASW #163 | 00:35:12 | |
Open Source is the new mainstream of software development. However, not much attention is paid to security in the upstream community when creating robust and secure software. At the LF, we are working on some initiatives and tools to help bridge the gap between functional and secure code, so that the benefits flow downstream to all users of OSS.
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw163 | |||
28 Jan 2018 | Facebook, RedHat, & Russian Twitterbots - Application Security Weekly #03 | 00:30:32 | |
This week, Doug and Keith discuss the last of the top ten most critical web application security risks! They discuss security misconfiguration, insecure deserialization, insufficient logging and monitoring, and more on this episode of Application Security Weekly! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode03 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly | |||
21 Jul 2020 | SIGRed RCE, Google Cloud 'Confidential VMs', & Twitter Hack Crypto Scam - ASW #115 | 00:35:56 | |
This week, SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers, Introducing Google Cloud Confidential Computing with Confidential VMs, Internet of Things devices: Stick to these security rules or you could face a ban, Google Cloud Unveils 'Confidential VMs' to Protect Data in Use, and more!
Show Notes: https://wiki.securityweekly.com/asw115 Visit https://www.securityweekly.com/asw for all the latest episodes! | |||
18 Aug 2020 | AWS S3 Crypto SDK, ReVoLTE Attack, & Microsoft Bug Bounties - ASW #118 | 00:32:49 | |
Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards, In-band key negotiation issue in AWS S3 Crypto SDK for golang, ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations, Hardware Security Is Hard: How Hardware Boundaries Define Platform Security, How to make your security team more business savvy, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/asw118 | |||
19 Feb 2020 | SweynTooth, OWASP, CRXcavator, DevSecOps - ASW #96 | 00:33:14 | |
SweynTooth: Unleashing Mayhem over Bluetooth Low Energy, OWASP SAMM version 2, Understanding Trusted Execution Environments and Arm TrustZone, Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users with a revisit to CRXcavator and a look at one of its components, RetireJS, It's the Boot for TLS 1.0 and TLS 1.1 and it's only been about six to nine years since major protocol attacks were demonstrated. How does your organization manage tech debt?, What Is DevSecOps and How to Enable It on Your SDLC? Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode96 | |||
16 Mar 2021 | Unauth'd RCE, "Regexploits", Post-Spectre Web, & SigStore Signing - ASW #143 | 00:28:43 | |
Software safety to mitigate the impact of unauthenticated RCEs, exploding regex patterns, web and browser security in the face of Spectre side-channels, signing software artifacts, 8 roles for today's security teams.
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw143 | |||
01 Feb 2021 | Groundhog Day - It's Time to Reset the Script on Vulnerabilities - John Delaroderie - ASW #138 | 00:35:25 | |
In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens.
This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw138 | |||
09 May 2018 | Twitter, Meltdown, & RSAC - Application Security Weekly #15 | 00:33:38 | |
In the news, a Boeing 757 was hacked remotely while it sat on the runway, Twitter says all 336 million users should change their passwords, Meltdown patches return kernel page table directory to user space, somebody tried to hide a backdoor in a popular JavaScript npm package, & more on this episode of Application Security Weekly! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode15 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly | |||
10 Jan 2022 | Broadening What We Call AppSec - Christien Rioux - ASW #179 | 00:37:15 | |
There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the web, mobile, or cloud? We'll talk about moving on from niche offerings into successful appsec programs.
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw179 | |||
07 Jan 2018 | Rise of Application Security - Application Security Weekly #00 | 00:26:20 | |
Paul and Keith host the first show of Application Security Weekly! Today, they discuss the brief history of application security, software, and software security! With application security on the rise, hackers and attackers have over time evolved from individuals into organized groups that carry out malicious acts for financial or political gain. Full Show Notes: https://wiki.securityweekly.com/ASW_Episode00 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly | |||
13 Mar 2018 | AppSec Development Partnership - Application Security Weekly #8 | 00:29:19 | |
This week, Paul and Keith talk about "The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win!" Full Show Notes: https://wiki.securityweekly.com/ASW_Episode08 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly | |||
02 Apr 2024 | Infosec Myths, Mistakes, and Misconceptions - Adrian Sanabria - ASW #279 | 00:34:27 | |
Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less secure. Segment resources: Show Notes: https://securityweekly.com/asw-279 | |||
30 Sep 2024 | More Car Hacks, CUPS Vulns, Microsoft's SFI, Memory Safety, Password Complexity - ASW #301 | 00:45:57 | |
More remote car control via web interfaces, an RCE in CUPS, Microsoft reduces attack surface, migrating to memory safety, dealing with dependency confusion, getting rid of password strength calculators, and more! Show Notes: https://securityweekly.com/asw-301 | |||
04 May 2020 | Modern Application Security & Container Security - Gareth Rushgrove - ASW #106 | 00:39:29 | |
This week, we welcome Gareth Rushgrove, Director of Product Management at Snyk, to talk about Modern Application Security and Container Security! They also discuss Configuration Management, how developers are writing more Docker and Kubernetes Container files, and more!
To learn more about Snyk, visit: https://securityweekly.com/snyk Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode106 | |||
01 Nov 2022 | Understanding Web3 Application Security - Sandy Carielli, Martha Bennett - ASW #218 | 00:40:14 | |
The Web3 ecosystem is chock full of applications and projects that have lost money (and their customers’ money) due to breaches, code flaws, or outright fraud. How can security teams do a better job of protecting Web3 apps? Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) at the same time as being a desirable target because of the value association with tokens. Join us for a lively discussion about key threats to Web3 apps – both on-chain and off-chain - what we can do to mitigate them…and what we absolutely should not do. Additional resources - https://www.bloomberg.com/features/2022-the-crypto-story/ - https://web3isgoinggreat.com - https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw218 | |||
08 Nov 2022 | Bad Bots are Targeting Your APIs: What You Need to Know - Karl Triebes - ASW #219 | 00:39:30 | |
While APIs enable innovation, they’re increasingly targeted as a pathway to data. API abuses are often carried out through automated attacks, in which a botnet floods the API with unwanted traffic, seeking vulnerable applications and unprotected data. In this discussion, Karl Triebes shares what you need to know about the automated bot threats targeting your APIs, with guidance on how to protect your applications and APIs from these attacks. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw219 | |||
01 May 2018 | FDA, Microsoft, & Android - Application Security Weekly #14 | 00:29:33 | |
In the news, the SEC fines Yahoo $35 million for not reporting a cyber breach, hackers are found using a new code injection technique to evade detection, Microsoft dismantles its Windows Development Group, & more on this episode of Application Security Weekly! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode14 Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly |