Application Security Weekly (Audio)

Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many ways -- after all, LLMs are still software. But the list captures some new concepts that anyone looking to use LLMs or generative AIs should be aware of. https://llmtop10.com/ https://github.com/OWASP/www-project-top-10-for-large-language-model-applications/wiki/Educational-Resources https://owasp.org/www-project-ai-security-and-privacy-guide/ https://gandalf.lakera.ai/ https://quarkiq.com/blog How companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how different enterprises are benefitting. Segment Resources: https://www.island.io/resources https://www.island.io/press This segment is sponsored by Island. Visit https://www.securityweekly.com/islandrsac to learn more about them! The cybersecurity landscape continues to transform, with a growing focus on mitigating supply chain vulnerabilities, enforcing data governance, and incorporating AI into security measures. This transformation promises to steer DevSecOps teams toward software development processes with efficiency and security at the forefront. Josh Lemos, Chief Information Security Officer at GitLab will discuss the role of AI in securing software and data supply chains and helping developers work more efficiently while creating more secure code. This segment is sponsored by GitLab. Visit https://securityweekly.com/gitlabrsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-285

A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explains why it's important to understand the different types of AI and the practical tasks necessary to secure how it's used. Segment resources: https://calebsima.com/2023/08/16/demystifing-llms-and-threats/ https://www.youtube.com/watch?v=qgDtOu17E&t=1s We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss how organizations should approach the very different concepts of AI security and AI safety. Segment Resources: https://securing.dev/posts/hacking-ai-bias/ https://www.defense.gov/News/Releases/Release/Article/3659519/cdao-launches-first-dod-ai-bias-bounty-focused-on-unknown-risks-in-llms/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-284

Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now they're bracing for the coming of genAI and how that will just further highlight the current struggles they're having with data security and data privacy. Segment Resources: Complete Survey Results: The Growing Complexity of Securing the Software Supply Chain https://research.esg-global.com/reportaction/515201781/Toc Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-283

How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve. Segment resources: https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship https://www.zaproxy.org https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-efforts CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-282

There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: https://kickstartseceng.com A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome's V8 Sandbox increases defense, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-281

We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software. It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead. Segment Resources: https://tukaani.org/xz-backdoor/ https://news.risky.biz/risky-biz-news-supply-chain-attack-in-linuxland/ https://www.zdnet.com/article/this-backdoor-almost-infected-linux-everywhere-the-xz-utils-close-call/#ftag=RSSbaffb68 https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 https://duo.com/decipher/carefully-crafted-campaign-led-to-xz-utils-backdoor https://boehs.org/node/everything-i-know-about-the-xz-backdoor OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-280

Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less secure. Segment resources: https://www.oreilly.com/library/view/cybersecurity-myths-and/9780137929214/ The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-279

One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place. Segment resources: https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50 The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-278

Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What decisions can you make at the start that will benefit the program in the years that follow? What does an appsec program look like at a small scale? Segment Resources: "Cybersecurity for Nonprofits", https://docs.google.com/presentation/d/18HuKtwgwGMtEJ87CgkMqHp1JDVRUXPP--zptjMpF0/edit?usp=sharing https://www.verizon.com/business/resources/reports/dbir/2023/master-guide/ Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-277

A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they're a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps organizations can take to protect their APIs. This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them! The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-276

The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more. Segment resources: https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-1 https://next.redhat.com/blog/ https://www.first.org/cvss/v4-0/ https://www.first.org/epss/ https://deadliestwebattacks.com/appsec/2010/02/19/primordial-cross-site-scripting-xss-exploits -- For a bit of history, one of the earliest "bugs bounty" from 1995. A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-275

Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable for that audience. This is also a chance to learn more about a project in its early days and the opportunities for participating in its development! Segment resources https://github.com/OWASP/www-project-secure-pipeline-verification-standard--spvs- (coming soon!) PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-274

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models. Segment Resources: - Original blog: https://segment.com/blog/redefining-threat-modeling/ - Open Sourced slides: https://github.com/segmentio/threat-modeling-training Show Notes: https://securityweekly.com/vault-asw-8

We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be. Segment Resources: https://www.lacework.com/blog/introducing-a-new-approach-to-code-security/ LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-273

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/pscf https://prods.ec/ https://owaspsamm.org https://iso25000.com/index.php/en/iso-25000-standards/iso-25010 https://www.scmagazine.com/podcast-episode/application-security-weekly-242 Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-272

We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices? Segment resources: https://bsidessf.org https://infosec.exchange/@worldwise001/111280163638514582 https://www.youtube.com/watch?v=1lVIeh5f4Rg Vulns in Jenkins code and Cisco devices that make us think about secure designs, MiraclePtr pulls off a relatively quick miracle, code lasts while domains expire, an "Artificial Intelligence chip" from the 90s, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-271

Where apps provide something of value, bots are sure to follow. Modern threat models need to include scenarios for bad bots that not only target user credentials, but that will also hoard inventory and increase fraud. Sandy shares her recent research as we talk about bots, API security, and what developers can do to deal with these. Segment resources https://www.forrester.com/blogs/avoid-a-bot-waterloo/ https://www.forrester.com/blogs/are-your-bot-management-tools-up-to-date-to-handle-the-holiday-season/ In the news, vulns throw a wrench in a wrench, more vulns drench Atlassian, vulns send GitLab back to the design bench, voting for the top web hacking techniques of 2023, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-270

It's time to start thinking about CFPs and presentations for 2024! Eve shares advice on delivering technical topics so that an audience can understand the points you want to make. Then we show how developing these presentation skills for conferences helps with presentations within orgs and why these are useful skills to build for your career. Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-269

We kick off the new year with a discussion of what we're looking forward to and what we're not looking forward to. Then we pick our favorite responses to "appsec in three words" and set our sights on a new theme for 2024. In the news, 23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-268

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134 Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-7

We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. A the end we will cover how you can engage with the SAMM community and provide an overview of what happened at our latest SAMM User Day which happened on May 27th. Segment Resources: https://owaspsamm.org/ https://github.com/OWASPsamm https://app.slack.com/client/T04T40NHX/C0VF1EJGH -https://www.youtube.com/channel/UCEZDbvQrj5APg5cEET49A_g https://twitter.com/OwaspSAMM https://www.linkedin.com/company/18910344/admin/ Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-6

Service meshes create the opportunity to make security a team sport. They can improve observability and service identity. Turning monoliths into micro services sounds appealing, but maybe not every monolith needs to be broken up. We'll also talk about the maturity and design choices that go into service meshes and when a monolith should just remain a monolith. Segment Resources: https://www.solo.io/blog/kubernetes-security-cloud-native-applications/ https://www.solo.io/blog/apis-data-breach-zero-trust/ https://www.solo.io/blog/api-gateways-productivity-resilience-security-cloud-applications/ In the news, Nagios gets a review from NCC Group, hackers hack some anti-fixing code to fix trains in Poland, abusing OAuth post-compromise, 5Ghoul flaws in 5G networks, MITRE teases a new threat model for embedded systems, a conversation on vuln scoring systems, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Instagram: https://www.instagram.com/secweekly/ Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-267

We have a lot of questions about standards. How do standards emerge? How do standards encourage adoption? How do they stay relevant as development patterns change and security threats evolve? We have standards for web appsec (HTML, HTTP), all sorts of protocols, and all sorts of authentication (OAuth, OpenID). Learning how these standards come about can also inform how your own org documents designs and decisions. Segment resources https://datatracker.ietf.org/doc/html/rfc3552 https://identiverse.com/video/the-butterfly-effect-of-standards-development/ https://sphericalcowconsulting.com https://datatracker.ietf.org/doc/html/rfc6919 In the news, benchmarking prompt injection scanners, using generative AI to jailbreak generative AI, Meta's benchmark for LLM risks, tapping a protocol to hack Magic the Gathering, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-266

We cover appsec news on a weekly basis, but sometimes that news is merely about the start of a new project, sometimes it's yet another example of a vuln class, and sometimes it's a topic we hope doesn't become a trend. So, what themes have we seen and where do we see them going? Here are a few headline topics that have alternately generated yays and yawns. CISA's Secure by Design and Secure by Default CVSS 4.0 Generative AI MFA mandates Microsoft, Rust, and Memory Safety New TLDs OAuth OpenSSF and OWASP In the news, repetition extracts data from ChatGPT, more vulns in the software that surrounds AI, guidelines for secure AI, LogoFAIL trips a boot, BLUFFS attack on Bluetooth, CISA's first secure by design alert, Okta's updated breach disclosure, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-265

This year we've talked about vulns, clouds, breaches, presentations, and all the variations of Dev, Sec, and Ops. As we end the year, let's talk about starting things -- like starting an appsec program or an appsec career. But is there still a need for an appsec team? Or has it turned into specializations for areas like cloud security and bug bounty programs? We'll cover careers and coding, with an eye towards figuring out what modern software development looks like and where application (or product!) security fits in that model. Segment resources https://owaspsamm.org https://www.microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative-to-advance-security-engineering/ https://www.cisa.gov/resources-tools/resources/secure-by-design Weak randomness in old JavaScript crypto, lack of encryption in purported end-to-end encryption, a platform engineering maturity model, PyPI's first security audit, vision for a Rust specification, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-264

Firmware security is complex and continues to be an industry challenge. In this podcast we'll talk about the reasons firmware security remains a challenge and some best practices around platform security. Segment Resources: https://www.helpnetsecurity.com/2020/04/27/firmware-blind-spots/ https://www.helpnetsecurity.com/2020/09/28/hardware-security-challenges/ https://darkreading.com/application-security/4-open-source-tools-to-add-to-your-security-arsenal https://chipsec.github.io Hardware Hacking created by Maggie: https://securityweekly.com/wp-content/uploads/2021/08/eArt-2.png Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-5

In the rapidly evolving landscape of application security, 2023 brought significant changes with the rise of generative AI tools and an increase in automated threats. In this discussion, Karl Triebes takes a deep dive into the major trends of the past year, examining their impact on the industry and shedding light on what security professionals can anticipate moving forward into 2024. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! CNCF's releases a handbook on fuzzing, OpenSSF and OWASP respond to CISA's Open Source Software Security RFI, 14 years of Go, lessons for today from an internet worm from 35 years ago, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-263

A lot of appsec conferences have presentations for appsec audiences -- but that's not often the group that's building apps. What if more developer conferences had appsec content? We talk with Josh about security from the developer's point of view, both as an audience hearing about it and as a presenter talking about it. We discuss the importance of knowing your audience and finding the hooks in security tools and topics that can resonate with developers. Segment resources: https://www.joshuakgoldberg.com/speaking/ Details of the Citrix Bleed vuln, exploitation of the Atlassian improper authorization vuln, so many jQuery installations to upgrade, the price of bounties and the cost of fixes, Microsoft's Secure Future Initiative, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-262

The categories of security tools that we're most familiar with have struggled to keep up with how modern apps are designed and what modern devs need. What if instead of being beholden to categories, we created tools that solved problems devs have today in the types of apps they build today? And what if we had more dev leadership to influence security tools as well as secure by design? What would that leadership look like? Segment Resources: https://danondev.com/youtube In the news, OAuth implementation failures, the State of DevOps report, data poisoning generative AIs with Nightshade, implementing spectre attacks with JavaScript and WebAssembly against WebKit, sandboxing apps Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-261

We return to discussions of OAuth and all sorts of authentication. This time around we're looking at the design of authentication protocols, the kinds of trade-offs they weigh for adoption and security, and how a standard evolves over time to keep pace with new attacks and put to rest old mistakes. Segment resources: https://fusionauth.io/docs/v1/tech/core-concepts/modes https://webauthn.wtf/ https://datatracker.ietf.org/doc/html/rfc7636 https://www.ietf.org/about/participate/tao/ In the news, appsec lessons from the Okta breach, directory traversal (and appsec) lessons from SolarWinds, how CISOs and Boards rank factors around vulns and patching, revisiting cryptocurrency attacks for lessons in business logic and threat modeling, CISA and friends update guidance on Secure Design, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-260

It's no surprise that OT security has fared poorly over the last 30+ years. To many appsec folks, these systems have uncommon programming languages, unfamiliar hardware, and brittle networking stacks. They also tend to have different threat scenarios. Many of these systems are designed, successfully, to maintain availability. But when a port scan can freeze or crash a device, that availability seems like it hasn't put enough consideration into adversarial environments. We chat about the common failures of OT design and discuss a few ways that systems designed today might still be secure 30 years from now. In the news, how HTTP/2's rapid reset is abused for DDoS, a look at the fix for Curl's recent high severity bug, OWASP moves to make CycloneDX a standard, Microsoft deprecates NTLM, VBScript, and old TLS -- while also introducing an AI bug bounty program. Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes!

What if all these recommendations to shift left were more about shifting focus? It's all too easy to become preoccupied with vulns, whether figuring out how to find them earlier in the SDLC or spending time fixing them within specific number of days. Successful DevSecOps approaches can be so much more than just vulns and so much more than just tools. Sure, tools are useful for identifying known vulns in dependencies and new vulns in code, but teams that emphasize people and culture will find it easier to shift their attention to the security of their product and creating secure designs. In the news, anticipating Curl's upcoming patch for a high severity flaw, the Looney Tunables flaw in Glibc, ShellTorch flaw hits PyTorch and lots of AI, lessons from some X.Org security patches, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly

Communication is a skill that doesn't appear on top 10 lists, rarely appears as a conference topic, and doesn't appear enough on job requirements. Yet communication is one of the critical ways that security teams influence developers, convey risk, and share knowledge with others. Even our own Security Weekly site falls a little short with only a podcast category for "Training" instead of more options around communication and collaboration. Lina shares her experience presenting to executives and boards in high-stress situations, as well as training incident responders on real-world scenarios. Segment resources https://training.xintra.org https://www.scmagazine.com/podcast-episode/2839-pointers-and-perils-for-presentations-josh-goldberg-asw-251 In the news segment, attackers impersonate Dependabot commits, an alg of "none" plagues a JWT, CISA calls for hardware bills of materials, OpenSSF lists its critical projects, Exim (finally! maybe?) has some patches, bug bounties and open source projects, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-257

Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline. Segment resources: https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf https://next.redhat.com/project/tekton-chains/ https://tekton.dev/ In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-256

The majority of attacks are now automated, with a growing number of attacks targeting business logic via APIs, which is unique to every organization. This shift makes traditional signature-based defenses insufficient to stop targeted business logic attacks on their own. In this discussion, Karl Triebes shares how flaws in business logic design can leave applications and APIs open to attack and what tools organizations need to effectively mitigate these threats. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! In the news segment, a slew of XSS in Azure's HDInsights, CNCF releases fuzzing and security audits on Kyverno and Dragonfly2, CISA shares a roadmap for security open source software, race conditions and repojacking in GitHub, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-255

Zed Attack Proxy is an essential tool for web app pentesting. The project just recently moved from OWASP to the Secure Software Project. Hear about the challenges of running an OSS security project, why Simon got involved in the first place, and why successful projects are about more than just code. Segment Resources: - https://www.zaproxy.org/ - https://softwaresecurityproject.org/blog/welcoming-zap-to-the-software-security-project/ - https://owasp.org/www-project-vulnerable-web-applications-directory/ In the news segment, a key compromised from a crash dump (and the many, many lessons that followed), more examples of mishandling secrets, URL parsing mismatches show path traversal works well in Rust, an old Linux kernel bug shows how brittle code can be (even when it's heavily audited), an example of keeping OSS projects alive, a quick note on BLASTPASS, and a look at privacy in cars, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-254

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on January 10, 2022. There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the web, mobile, or cloud? We'll talk about moving on from niche offerings into successful appsec programs. Show Notes: https://securityweekly.com/vault-asw-4

We go deep on LLMs and generative AIs to shine a light on areas that security leaders should focus on. There are technical concerns like prompt injection and access controls, and privacy concerns in training and usage. But there are also areas where security tools are starting to address these concerns as well as areas where security tools are adopting AI themselves. We'll share where we see AI showing promise, as well as where we suspect it's still premature. In the news, a Go Crypto presentation from Real World Crypto, Excel releases support for Python, protecting users from malware like the Luna Grabber and WinRAR RCE, DARPA's V-SPELLS project, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-253

Two featured interviews from this year's Black Hat. In the news, Discord.io ceases to be, Azure AD breach to get scrutiny from the CSRB, Zoom's AI stumbles show security concerns, model confusion attacks, a look at how far we have -- and haven't -- come with XSS flaws, an approachable article on AI, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-252

A key part of modern appsec is communication. From interpersonal skills for fostering collaborations to presentation skills for delivering a message, the ability to tell a story and engage an audience is a skill that doesn't appear on top ten lists and that doesn't come up in secure coding checklists. Josh shares his path to becoming a presenter on technical topics, including stumbles he's made along the way and how he helps others develop their skills for slides. Resources: - https://www.joshuakgoldberg.com/blog/how-i-apply-to-conferences https://www.joshuakgoldberg.com/blog/how-i-apply-to-conferences-faqs https://www.joshuakgoldberg.com/blog/how-i-apply-to-conferences-faqs/#what-are-your-favorite-conference-talks-youve-seen https://www.youtube.com/watch?v=mPPZ-NUnR-4&t=25743s&ab_channel=JSWORLDConference Then in the news segment, DARPA unleashes an AI Cyber Challenge to find flaws, CISA asks for input on securing open source software and memory safety, what five years of vuln research shows for vuln management programs, siphoning security tokens from VS Code, and more! Follow us on Mastodon: https://infosec.exchange/@AppSecWeekly Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-251

Mature shops should be looking to a security architecture process to help scale their systems and embrace security by design. We talk about what it means to create a security architecture process, why it's not just another security review, and why it requires security to dig into engineering. Segment Resources: - https://www.lacework.com/ciso-boardbook/ciso/merritt-baer Zap gets a jolt of new support, using Clang for security research, LLM attacks learn models, Rust visualizes dependencies, a National Cyber Workforce and Education Strategy, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-250

Identity isn't new, but we do have new ways of presenting and protecting identity with things like payment wallets and verifiable credentials. But we also have identity in surprising places -- like cars. We'll answer some questions like: - Why do we even have identities in cars? - What else is your car connected to? - How should devs be thinking about security in this space? In the news segment, Zenbleed in AMD, Google's TAG sees a drop in zero-days, new security testing handbook from Trail of Bits, Phil Venables' advice on public speaking, car battery monitor that monitors location(!?), more news on TETRA, Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Mastodon: https://infosec.exchange/@AppSecWeekly Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-249

Appsec teams and developers must both understand the consequences of what they're doing when building APIs. Appsec teams need to push for collaboration and help implement tools that augment the development process. Dev teams need to wrangle complex architectures and work on addressing classes of vulns rather than just playing BugOps with scanner outputs. In the news, there's a (non-critical, but cool) RCE in ssh-agent forwarding, Node's vm2 bids adieu, zero-day from a CTF eventually makes it to a bug bounty program, Bad.Build, and more! This segment is sponsored by GuidePoint. Visit https://securityweekly.com/guidepoint to learn more about them! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-248

While much has been written and argued about the security of election systems - the things that do the actual ballot counting - there's other systems that have to be in place and secured before the vote can occur - voter registration databases, ballot delivery systems, etc. Might it be possible to use modern appsec concepts OWASP SAMM to secure them in a more efficient, targeted, cost-effective manner? Brian Glas joins us to talk about this and his ongoing work around providing students with a modern application security education. It's a busy news week - We explore what happens when people trust plugging cables into their EVs in public, how an APT is leveraging docker and kubernetes to build a botnet, why you should be careful running code from "researchers," and much more Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-247

Infosec is still figuring out useful metrics, how to talk about risk, and how to make resilience more relevant. Shannon talks about a new community effort to measure software trust. She also covers threat modeling and adversary management as steps towards determining an org's resiliency and security. Segment Resources: https://community.ravemetrics.com Melinda will share results from her study last year on developer-focused security, "Walking the Line: Shift Left and GitOps Security" and discuss trends to help security keep up with modern software development. Segment Resources: ESG Complete Survey Results: Walking the Line: GitOps and Shift Left Security: https://research.esg-global.com/reportaction/515201532/Toc Addressing the confusion around shift-left cloud security | TechTarget: https://www.techtarget.com/searchsecurity/opinion/Addressing-the-confusion-around-shift-left-cloud-security Melinda Marks's Most Recent Content: https://www.techtarget.com/contributor/Melinda-Marks Visit [securityweekly.com/asw](https://securityweekly.com/asw) for all the latest episodes! Follow us on Twitter: [@SecWeekly](https://www.twitter.com/secweekly) Like us on Facebook: [facebook.com/secweekly](https://www.facebook.com/secweekly) Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-246

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 23, 2022. Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. We'll talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture. Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-3

Without visibility and continuous monitoring, dangerous threats expose our blind spots and create risk. Invicti, who brought together Acunetix and Netsparker, analyzes common web application vulns across thousands of assets yearly and releases the Invicti AppSec Indicator for a holistic view of vulnerability trends from automated scan results. In this talk, Invicti Director of Product Patrick Vandenberg shares a deep dive into the trends currently impacting AppSec programs and discusses some of the best practices that will help organizations achieve efficiencies in their programs. Segment Resources: - [AppSec Indicator Spring 2023 edition | Invicti](https://www.invicti.com/clp/appsec-indicator/?utm_medium=contentsyn&utm_source=sc_media&utm_campaign=i-syn_CRA-ASW-Jun2023&utm_content=230424-ga_spring-appsec-indicator&utm_term=brand) This segment is sponsored by Invicti. Visit [securityweekly.com/invicti](https://securityweekly.com/invicti) to learn more about them! In the news, two XSS vulns via postMessage methods in Azure, how to choose (and move on from) a web research topic, OpenSSF finances a security developer-in-residence for Python, more infosec myths, free cybersecurity training resources. Visit [securityweekly.com/asw](https://securityweekly.com/asw) for all the latest episodes! Follow us on Twitter: [@SecWeekly](https://www.twitter.com/secweekly) Like us on Facebook: [facebook.com/secweekly](https://www.facebook.com/secweekly) Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-245

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent trends in policy proposals shaping the future of security. We will also talk about bug bounties and vulnerability disclosure, what are some of the industry's best practices in this area, how to implement these programs to foster security, collaboration and transparency, and how this connects to the policy momentum and its impact on security researchers. Segment Resources: Project Circuit Breaker: https://www.intel.com/content/www/us/en/newsroom/news/intel-launches-project-circuit-breaker.html Project Circuit Breaker Landing Page: https://www.projectcircuitbreaker.com/ Intel's 2021 Product Security Report: https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/vault-asw-2

Eric Olden, CEO and Co-Founder of Strata Identity, discusses the concept of Identity Orchestration. He covers the evolving identity landscape and how it has evolved to keep pace with modern apps, the challenges encountered during an identity modernization project, how Identity Orchestration helps those modernization projects, and best practices for implementing secure identity. Segment Resources: - [Identity Orchestration Use Cases](https://www.strata.io/use-cases/) - [What is Identity Orchestration WhitePaper](https://www.strata.io/resources/whitepapers/what-is-identity-orchestration-and-why-you-need-it-to-succeed-with-multi-cloud/) This segment is sponsored by Strata. Visit https://securityweekly.com/strata to learn more about them! This year's Verizon DBIR is out, CVSS is updating its methodology, poor password reset design, SQL injection in MOVEit, a CTF for AWS IAM Visit https://www.securityweekly.com/asw for all the latest episodes! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-244

Walking the show floor at RSA Conference, you couldn't trip without falling into an application security vendor booth ... and API security specialists were especially plentiful. Join Forrester Principal Analyst Sandy Carielli for her thoughts on RSA Conference and a deep dive into the challenges of API security. Segment Resources: - https://www.forrester.com/blogs/insights-from-the-2023-rsa-conference-generative-ai-quantum-and-innovation-sandbox/ OWASP has a draft for the LLM Top 10, simple vulns in a modern SaaS app, ancient vuln in a Wordpress plugin, PyPI moves to secure its package manager accounts, ThinkstScape Quarterly research report, having fun with memory variables, DNS, and logins. Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-243