The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws. Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.
…
continue reading
The Application Security Weekly podcast delivers interviews and news from the worlds of AppSec, DevOps, DevSecOps, and all the other ways people find and fix software flaws. Join hosts Mike Shema, John Kinsella, and Akira Brand on a journey through modern security practices for apps, clouds, containers, and more.
…
continue reading
The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt
…
continue reading
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
…
continue reading
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies, and other organizations worldwide. Operating as a communit ...
…
continue reading
1
EP 57 — Clari's Steve Lukose on Using SLAs as Benchmarks for Businesses
27:05
27:05
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
27:05
In this episode of the Future of Application Security, Harshil speaks with Steve Lukose, Vice President of Security at Clari, about how security is becoming a business enabler rather than just an organization. Steve explains why SLAs will become one of the benchmarks for security experts to use, but that it won’t necessarily be for all aspects of s…
…
continue reading
1
Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278
36:36
36:36
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
36:36
One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life eas…
…
continue reading
1
Meghan Jacquot -- Assumed Breach Red Team Engagements for AppSec
40:55
40:55
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
40:55
AppSec specialist Megan Jacquot joins Chris and Robert for a compelling conversation about community, career paths, and productive red team exercises. Megan shares her unique cybersecurity origin story, tracing her interest in the field from childhood influences through her tenure as an educator and her formal return to academia to pivot into a tec…
…
continue reading
1
Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278
1:09:03
1:09:03
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
1:09:03
One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Bender Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easi…
…
continue reading
1
GoFetch Side Channel, OpenSSF & Security Education, Fuzzing vs. Formal Verification - ASW #278
32:33
32:33
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
32:33
The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Show Notes: https://securityweekly.com/asw-278
…
continue reading
1
Vulns in Smart Locks, FCC labels for IoT, ZAP's New Home - ASW #277
38:20
38:20
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
38:20
Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Show Notes: https://securityweekly.com/asw-277
…
continue reading
1
Figuring Out Where Appsec Fits When Starting a Cybersecurity Program - Tyler VonMoll - ASW #277
1:13:20
1:13:20
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
1:13:20
Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What decisions can you make at the start that will benefit …
…
continue reading
1
Figuring Out Where Appsec Fits When Starting a Cybersecurity Program - Tyler VonMoll - ASW #277
35:06
35:06
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
35:06
Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What decisions can you make at the start that will benefit …
…
continue reading
1
TeamCity Authn Bypass, ArtPrompt Attacks, Low Quality Vuln Reports, Secure by Design - ASW #276
36:56
36:56
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
36:56
The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more! Show Notes: https://securityweekly.com/asw-276…
…
continue reading
1
More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276
35:28
35:28
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
35:28
A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps org…
…
continue reading
1
More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276
1:12:17
1:12:17
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
1:12:17
A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps org…
…
continue reading
1
Bill Sempf -- Development, Security, and Teaching the Next Generation
39:44
39:44
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
39:44
Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, leading to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's pre…
…
continue reading
1
SAML & Secrets, Serializing AI Models, OWASP ISTG, More Memory Safety - ASW #275
38:54
38:54
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
38:54
A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more! Show Notes: https://securityweekly.com/asw-275…
…
continue reading
1
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275
40:38
40:38
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
40:38
The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms …
…
continue reading
1
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275
1:19:26
1:19:26
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
1:19:26
The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms …
…
continue reading
1
Hendrik Ewerlin -- Threat Modeling of Threat Modeling
33:50
33:50
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
33:50
Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words,…
…
continue reading
1
EP 56 — Aruneesh Salhotra on Why Security is Everyone’s Job
24:49
24:49
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
24:49
In this episode of the Future of Application Security, Harshil speaks with Aruneesh Salhotra, CEO and Fractional CISO, SNM Consulting Inc. They discuss the unique challenges and opportunities of application security in the financial sector, including how the "necessary evil" of regulations is increasing accountability around security efforts. They …
…
continue reading
1
PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results - ASW #274
22:49
22:49
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
22:49
PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more! Show Notes: https://securityweekly.com/asw-274
…
continue reading
1
Creating the Secure Pipeline Verification Standard - Farshad Abasi - ASW #274
34:16
34:16
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
34:16
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to …
…
continue reading
1
Creating the Secure Pipeline Verification Standard - Farshad Abasi - ASW #274
56:59
56:59
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
56:59
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to …
…
continue reading
1
Jason Nelson -- Three Pillars of Threat Modeling Success: Consistency, Repeatability, and Efficacy
53:52
53:52
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
53:52
Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. …
…
continue reading
1
Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault
38:29
38:29
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
38:29
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat …
…
continue reading
1
Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault
38:29
38:29
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
38:29
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat …
…
continue reading
1
Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language
51:12
51:12
เล่นในภายหลัง
เล่นในภายหลัง
ลิสต์
ถูกใจ
ที่ถูกใจแล้ว
51:12
Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cyb…
…
continue reading