Podcasts by Application Security Weekly (Video)

Application Security Weekly (Video)

Application Security Weekly decrypts development for the Security Professional, exploring how to inject security into their organization's Software Development Lifecycle (SDLC) in a fluid and transparent way. Learn the tools, techniques, and processes necessary to move at the speed of DevOps (even if you aren't a DevOps shop yet). The target audience for Application Security Weekly spans the gamut of Security Engineers and Practitioners who need to level up their skills in the Application Security space, while also enabling "Cyber Curious" developers to get involved in the Application Security process at their organizations. To a lesser extent, we hope to arm Security Managers and Executives with the knowledge to be conversational in the realm of DevOps, and to provide the right questions to ask their colleagues in development, along with the metrics to think critically about the answers they receive.

All episodes

The DIY AppSec Lab - ASW #185 from 2022-02-21T22:00

Lots of web hacking can be done directly from the browser. Throw in a proxy like Burp plus the browser's developer tools window and you've got a nearly complete toolkit. But nearly complete mean...

Docker Boundaries, Google Bounties, 2021's Top Web Hacks, Apple AirTags, AI vs. RFCs - ASW #184 from 2022-02-15T10:00

In the AppSec News: Docker and security boundaries, Google's year in vuln awards, 2021's year in web hacks, Apple AirTags and privacy, turning AIs onto RFCs for security, & facial recognition re...

The Modern Developer Must be Security Minded, Too - Doug Kersten - ASW #184 from 2022-02-14T22:00

In light of the far-reaching Log4j vulnerability, it’s become increasingly clear that the modern developer can’t operate without a solid level of security expertise. Vulnerability management is ...

HTTP/3 Streams, Argo CD Paths, Log4j Devs, Cyber Safety Review Board, OSSF Projects - ASW #183 from 2022-02-08T10:00

Vulns in an HTTP/3 server, path traversal in Argo CD, Log4Shell from the perspective of Log4j devs, DHS launches Cyber Safety Review Board, OSSF launches Alpha and Omega projects, resources for ...

Policy Momentum in Coordinated Vulnerability Disclosure - Amit Elazari - ASW #183 from 2022-02-07T22:00

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulner...

PwnKit, Qubit Hack, Multichain Hack, Safari Bounty, & Python NaN - ASW #182 from 2022-02-01T10:00

PwnKit LPE in Linux, two different smart contract logic flaws in two different hacks, a $100K bounty for Safari, Python NaN coercion, appsec games

Shift Left, NOT S#!T LEFT - Larry Maccherone - ASW #182 from 2022-01-31T22:00

If you attempt to shift security left without adaptation, it'll feel a lot more like S#!T LEFT to the development teams but most security groups lack the mindset and skills to do it in a way tha...

IndexedDB Leak, Linux Kernel Bug, Zoom Security, SSRF & Allow Lists, Security Courses - ASW #181 from 2022-01-25T10:00

In the AppSec News, Safari fixes a privacy leak in IndexedDB, integer arithmetic flaw leads to Linux kernel bug, a look back on Zoom security, SSRF from a URL allow list bypass, a security engi...

API Security (Shadow APIs) - Himanshu Dwivedi - ASW #181 from 2022-01-24T22:00

It is hard, if not impossible, to secure something you don’t know exists. While security professionals spend countless hours on complex yet interesting issues that *may* be exploitable in the fu...

Scams and Security in Web3*, URL Parsing Problems, AWS Glue, CI/CD Compromises - ASW #180 from 2022-01-19T10:00

Scams and security flaws in (so-called) web3 and when decentralization looks centralized, SSRF from a URL parsing problem, vuln in AWS Glue, 10 vulns used for CI/CD compromises

Investing in Open Source Security - ASW #180 from 2022-01-18T22:00

This isn't a story about NPM even though it's inspired by NPM. Twice. The maintainer of the "colors" NPM library intentionally changed the library's behavior from its expected functionality to p...

Log4j for FTC, More JNDI, Cache Poisoning, Improving Default Configs, ThinkstScapes - ASW #179 from 2022-01-11T10:00

The FTC issues a warning about taking log4j seriously, JNDI is elsewhere, cache poisoning shows challenges in normalizing strings, semgrep for refactoring configs with security in mind, the Q4 2...

Broadening What We Call AppSec - Christien Rioux - ASW #179 from 2022-01-10T22:00

There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether the...

Latest Log4j, Outages & Availability, FPGA Security Concepts, & Bug Bounty Awards - ASW #178 from 2021-12-21T10:00

Log4j has more updates and more vulns (but probably not more heartburn...), revisiting outages and whether availability has made it into your threat models, deep dive into hardware security, ano...

Evolving Security Testing - Dan Guido - ASW #178 from 2021-12-20T22:00

What does a collaborative approach to security testing look like? What does it take to tackle an entire attack class as opposed to fixing a bunch of bugs? If we can shift from vulnerability miti...

Log4Shell, Mozilla's BigFix & New Sandbox, Rust in Linux Kernel, Path Traversal in Go - ASW #177 from 2021-12-14T10:00

This week in the AppSec News, Mike & John talk: All about Log4Shell, Mozilla's BigFix bug and new sandbox, Rust in the Linux kernel, path traversals, reflections on the security profession, & mo...

DevSecOps, Compliance GRC, and the Future of Application Security - Francesco Cipollone - ASW #177 from 2021-12-13T22:00

DevSecOps has been traditionally very people centric. It is hard to measure software security and the landscape is becoming increasingly more complex with container, cloud, and infrastructure. D...

Bug Bounties in Windows/WebKit, Edge Hardening, OAuth Hardening, & GoDaddy Breach - ASW #176 from 2021-11-30T10:00

This week in the AppSec News: Bug bounty payout practices, Edge goes super duper secure mode, WebKit CSP flaw has consequences for OAuth, GoDaddy breach, vuln in MediaTek audio DSP, & more!

Solving Systemic Risk in Software Development - Chris Wysopal - ASW #176 from 2021-11-29T19:55:36

In today’s session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common...

CVEs 4 CSPs, Malicious PyPi, Bounty Programs, Shared Responsibility, & Breach Costs - ASW #175 from 2021-11-23T10:00

This week in the AppSec News: What would CVEs for CSPs look like, clever C2 in malicious Python packages, diversity in bounty programs, shared responsibility and secure defaults, breach costs to...

wasmCloud - Distributed Computing With WebAssembly - Liam Randall - ASW #175 from 2021-11-22T22:00

CNCF wasmCloud helps developers to build distributed microservices in WebAssembly that they can run across clouds, browsers, and everywhere securely.

PAN-OS Vuln, ChaosDB, Fuzzing BusyBox, Refactoring in Rust, HTML Smuggling - ASW #174 from 2021-11-16T18:07:23

In the AppSec news: Disclosure decisions and CVE-2021-3064, technical details behind ChaosDB in Azure, fuzzing BusyBox, Prossimo and Rust, vulns in Nucleus RTOS, & HTML smuggling!

Mobile Application Security - Ryan Lloyd - ASW #174 from 2021-11-15T22:00

Mobile applications have a unique attack surface. The tools and techniques being used to compromise these environments are constantly evolving. We'll talk about how to harden mobile apps against...

Linux Kernel TIPC RCE, NPM Malware, OTP 2FA Bots, & Security Labels - ASW #173 from 2021-11-09T10:00

This week in the AppSec News, Mike and John talk: Excel gains support for JavaScript data types and functions, arbitrary code execution in Linux kernel TIPC, more malware in npm packages, threat...

A Standardized Approach to SBOM - Dan McKinney - ASW #173 from 2021-11-08T22:00

In this segment, Mike and Dan McKinney from Cloudsmith will be discussing SBOM and what that looks like for your applications. Other topics include: cloud-native tooling for your software supply...

Discourse RCE, Trojan Source, WhatsApp Security, & Privacy Engineering - ASW #172 from 2021-11-02T09:00

This week in the AppSec News, Mike & John talk: Discourse SNS webhook RCE, a checklist for a Minimum Viable Secure Product, WhatsApp security assessment, privacy engineering specialties, & DevOp...

Untangling API Security in 2022 - Peter Klimek - ASW #172 from 2021-11-01T21:00

Peter will talk to the challenges he's hearing from customers and partners about managing the security of APIs and what considerations organizations need to make in 2022 to better protect these ...

UAParser.js Malware in NPM, Squirrel Sandbox Escape, Securing CI/CD, & AppSec Videos - ASW #171 from 2021-10-26T09:00

This week in the AppSec News: Malware in the UAParser.js npm package, security vuln in Squirrel scripting language, a blueprint for securing software development, L0phtCrack now open source, app...

Security Champions in an Online First World - Ashish Rajan - ASW #171 from 2021-10-25T21:00

Ashish will talk about building a security champion in an online world and how SAST as it stands today will die in the world of DevOps and Cloud.

View Source, Bindiff for Vuln Analysis, Bypass with GitHub Actions, & NIST DevSecOps - ASW #170 from 2021-10-19T09:00

This Week in the AppSec News: View source good / vuln bad, IoT bad / rick-roll good, analyzing the iOS 15.0.2 patch to develop an exploit, bypassing reviews with GitHub Actions, & more NIST DevS...

Dev(Sec)Ops Scanning Challenges & Tips - Nuno Loureiro, Tiago Mendo - ASW #170 from 2021-10-18T21:00

There's a plenitude of ways to do Dev(Sec)Ops, and each organization or even each team uses a different approach. Questions such as how many environments you have and the frequency of deployment...

Twitch Breach, HTTPd Path Traversal, Disabling Macros, & Great Cybersecurity Programs - ASW #169 from 2021-10-12T09:00

This week in the AppSec News, Mike and John talk: The Twitch breach, a path traversal in Apache httpd, Microsoft disables macros by default after almost 30 years, factors in a great cybersecurit...

Modernizing the Management of Your Software Supply Chain - Tom Gibson - ASW #169 from 2021-10-11T21:00

SBOM: What does it really tell you and the importance of having one for your organization.

- Finding and fixing known vulnerabilities in dependencies and container images

- Buildin...

Prototype Pollution, Funding Open Source Security, Expiring Root CA, Mariana Trench - ASW #168 from 2021-10-05T09:00

In the AppSec News, John and Mike discuss Prototype pollution vulns, funding open source project hardening, Let's Encrypt root CA expires, and the Mariana Trench scanner for Android and Java!

The Power of Developer-First Security - Hillary Benson - ASW #168 from 2021-10-04T21:00

Developers want to write good code. Secure code. Security tools that optimize developer workflows for handling security issues can take a large burden off security practitioners and make triagin...

AppSec Orchestration/Correlation & DevSecOps Efficiency - Anita D'Amico, Patrick Carey - ASW #167 from 2021-09-28T13:08:13

In its 2019 Hype Cycle for Application Security report, Gartner revealed a new, “high-priority” category called Application Security Orchestration and Correlation (ASOC). ASOC delivers three pri...

Exchange's Great Leak, RCE in VMware, IoT Bug in MQTT, & Chrome's Memory Safety Nets - ASW #167 from 2021-09-27T19:44:43

This week in the AppSec News: The Great Leak flaw in Exchange's auto discover feature, common flaws in VMware and Nagios, memory issues and SSRF in Apache's HTTP server, Chrome's plans for memor...

OMIGOD, FORCEDENTRY, Code Ownership, Security as a Product, & IoT Device Criteria - ASW #166 from 2021-09-21T09:00

This week in the AppSec News, Mike and John talk: RCE in Azure OMI, punching a hole in iMessage BlastDoor, Travis CI exposes sensitive environment variables, keeping code ownership accurate, dep...

Transforming Modern Software Development with Developer-First AppSec - Jeff Williams - ASW #166 from 2021-09-20T21:30

Modern software development demands a different approach to application security. Contrast’s developer-first Application Security Platform empowers developers to accelerate the release of secure...

OWASP Top 10, CISA Bad Practices, Azurescape, Confluence RCE, & API Security Tokens - ASW #165 from 2021-09-14T09:00

This week in the AppSec News, Mike and John talk: OWASP Top 10 draft for 2021, bad practices noted by CISA, Azurescape cross-account takeover, Confluence RCE, WhatsApp image handling, API securi...

Findings From the 2021 AppSec Shift Left Progress Report - Manish Gupta - ASW #165 from 2021-09-13T21:00

Data from the ShiftLeft customer report shows that companies that have rebuilt their core testing processes around faster and more accurate static analysis are able to release more secure code a...

ChaosDB, OpenSSL String Bugs, Revealing Locations, & More Top 15 Vulns - ASW #164 from 2021-08-31T09:00

This week in the Application Security News, Mike and John talk: Flaws in Azure's CosmosDB, OpenSSL vulns in string handling, dating app location security, cloud security orienteering, detailed S...

A DevOps Perspective on Risk Tolerance & Risk Transfer - Caroline Wong - ASW #164 from 2021-08-30T21:00

In the segment Mike and Caroline will discuss Risk Tolerance and Risk Transfer. They'll touch on the following: risk ranking, risk transfer in supply chain, how to diversify security controls, t...

BlackBerry's BadAlloc, Glibc's NULL, Backtick Command Injection, & ProxyLogon Details - ASW #163 from 2021-08-24T09:00

This week Mike & John discuss: BlackBerry addresses BadAlloc bugs, glibc fixes a fix, more snprintf misuse that leads to command injection, ProxyLogon technical details, & more in the AppSec New...

Challenges in Open Source Application Security - Shubhra Kar - ASW #163 from 2021-08-23T21:00

Open Source is the new mainstream of software development. However, not much attention is paid to security in the upstream community when creating robust and secure software. At the LF, we are wor...

Cracked Concatenation, Injection Against DNS, Allstar GitHub, & DEF CON Highlights - ASW #162 from 2021-08-17T09:00

This week in the AppSec News: Bug bounty report that cleverly manipulates a hash for profit, Allstar GitHub app to enforce security policies, choosing a programming language, what an app should ...

DevSecOps - Making It Real - Mike Rothman - ASW #162 from 2021-08-16T21:00

DevSecOps is an aspirational vision for many teams. With a number of macro changes occurring in modern application development, this segment will explore what tangible, practical things can be d...

Securing Modern Web Apps: Development Techniques are Changing - Tom Hudson - ASW #161 from 2021-08-16T17:52:07

The use of web apps, SPAs, and APIs is growing steadily, and traditional scanning methods don't provide enough coverage. The appsec tools need to innovate and become smarter and more contextual ...

Router Auth Bypass, Weak IoT RNG, HTTP/2 Request Smuggling, & Kindle Fuzzing - ASW #161 from 2021-08-10T09:00

This week in the AppSec News: Hardware hacking for authn bypass and analyzing IoT RNG, Request Smuggling in HTTP/2, Kindle Fuzzing, Kubernetes Hardening, Countering Dependency Confusion, ATO Che...

PunkSpider, Bug Bounties, RCE in PyPI, Kernel Pwning With eBPF, & Top Vulns From CISA - ASW #160 from 2021-08-03T09:00

This week in the AppSec News: PunkSpider coming to DEF CON, Google matures its VRP, $50K bounty for an access token, RCE in PyPI, kernel vuln via eBPF, top vulns reported by CISA, & the importan...

Platform Firmware Security - Maggie Jauregui - ASW #160 from 2021-08-02T21:00

Firmware security is complex and continues to be an industry challenge. In this podcast we'll talk about the reasons firmware security remains a challenge and some best practices around platform...

CWE Top 25, Bugs in Inconsistencies, Sequoia Vuln, Twitter Transparency, & Cloud Risks - ASW #159 from 2021-07-27T17:03:47

This week in the AppSec News: CWE releases the top 25 vulns for 2021, finding bugs in similar code, Sequoia vuln in the Linux kernel, Twitter transparency for account security, a future for clo...

Navigating the Seas of Security in Serverless Functions - Peter Klimek - ASW #159 from 2021-07-27T17:02:55

Adoption of serverless functions is rapidly growing, which means security teams will be challenged to deliver protection for data and applications in these complex environments in the coming mon...

Code Comments, Decision Trees, Windows Hello, Telegram Analysis, & Cloud Risks - ASW #158 from 2021-07-20T09:00

This week in the AppSec News: Security from code comments, visualizing decision trees, bypassing Windows Hello, security analysis of Telegram, paying for patient bug bounty programs, cloud risks...

The Role of Open Source in DevSecOps - David DeSanto - ASW #158 from 2021-07-19T21:00

In the wake of events such as the SolarWinds breach, there has been a lot of misinformation about the role of open source in DevSecOps. GitLab believes everyone benefits when everyone can contri...

Password Mismanager, Trusted Types vs. DOM XSS, PrintNightmare, & Fault Injections - ASW #157 from 2021-07-13T18:19:13

In the AppSec news, a password manager makes predictable mistakes, Trusted Types terminate DOM XSS, waking up from PrintNightmare, understanding hardware fault injections.

Web App and API Security Needs to Be Modernized: Here’s How - Sean Leach - ASW #157 from 2021-07-13T18:18:51

The truth is, most web app and API security tools were designed for a very different era. A time before developers and security practitioners worked together, before applications were globally d...

Semgrep, Microsoft Signs With Rootkits, ATT&CK/D3FEND, & Injured Android - ASW #156 from 2021-06-29T09:00

This week in the AppSec News: Visual Studio Code's Workspace Trust, Injured Android an insecure mobile app, Microsoft accidentally signed a driver with rootkits, The NSA funds a new sister Matrix ...

Scaling Your Application Security Program - Clint Gibler - ASW #156 from 2021-06-28T21:00

In this segment with Clint Gibler, learn:

* Why secure defaults are higher ROI than finding vulnerabilities

* How modern AppSec teams are working with their engineering counterpart...

Supply Chain Integrity, Format Strings, Systemd Bug, Instagram Bounty, & Refactoring - ASW #155 from 2021-06-22T09:00

This week in the AppSec Weekly News John and Mike discuss: SLSA framework for supply chain integrity, Wi-Fi network of doom for iPhones, seven-year old systemd privesc, $30K for an API call, Cod...

Challenges of DAST Scanners / Adoption by Developers - Nuno Loureiro, Tiago Mendo - ASW #155 from 2021-06-21T21:00

What are some of the DAST scanner challenges, like coverage of modern apps, point & shoot, scan time, partial scans, or scanning at scale? What do developers look for in a DAST scanner?

ALPACA, EA Breach, sprintf Lives, Go Fuzzing, K8s Goat, & OT Basics - ASW #154 from 2021-06-15T09:00

This week in the AppSec News, Mike and John talk: ALPACA surveys protocol confusion, lessons from the EA breach, forgotten lessons about sprintf, Go fuzzing goes beta, security lessons from Kube...

OWASP SAMM - Software Assurance Maturity Model - Sebastian Deleersnyder - ASW #154 from 2021-06-14T21:00

We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable w...

HTTP Goes QUIC, Security & Humans, Amazon Sidewalk Privacy, & Product Abuse - ASW #153 from 2021-06-08T09:00

This week in the AppSec News, Tyler Robinson joins Mike & John to discuss: HTTP/3 and QUIC, bounties for product abuse, Amazon Sidewalk security & privacy, security & human behavior, authenticat...

API Security: Understanding Threats to Better Protect Your Organization - Daniel Hampton - ASW #153 from 2021-06-07T21:00

While web application security is a highly researched topic with a lot of subject familiarity among security professionals, it’s still not easy for security and development teams to navigate mod...

IIS Bug, Browsers & Androids & Supply Chains Oh My! - ASW #152 from 2021-05-25T09:00

This week in the AppSec News segment, Mike and John talk: HTTP bug bothers IIS, Android platform security, supply chain security (new and old), brief (very brief) history of browser security, & ...

Bringing AppSec to a Modern CI Pipeline - Manish Gupta - ASW #152 from 2021-05-24T21:00

Appsec in a modern CI pipeline needs a combination of tools, collaboration, and processes to be successful. Importantly, it also needs to scale. We can't just shift responsibility left and assum...

CNCF Supply Chain, Frag Attacks, Securing Webhooks, & Complexity vs. Security - ASW #151 from 2021-05-18T21:00

CNCF releases a whitepaper on supply chain security, Frag attacks against WiFi devices, security webhooks, trusting terraform plans, shared credentials and app access, complexity vs. security vs...

Third Party Software Risk on the Web - Aanand Krishnan - ASW #151 from 2021-05-18T09:00

Web applications are highly dependent on third party content and JavaScript. This creates a significant set of vulnerabilities that attackers are exploiting. How do you prevent a Solarwinds type...

AirTags & Threat Models, Qualcomm Modem Vuln, Exim RCE(s), & Binary Hardening - ASW #150 from 2021-05-11T09:00

This Week in the AppSec News, Mike and John talk: "Find My threat model" with AirTags, Qualcomm modem vuln hits lots of Android, an Exim update patches lots of vulns, measuring hardened binaries...

Delivering On the Promise of Application Security - Ankur Shah - ASW #150 from 2021-05-10T21:00

While the vision for app security is relatively clear, executing on that vision is still somewhat of a work in progress. Fast-moving, interdependent pieces—custom code and open source packages, ...

BadAlloc Vulns, Gatekeeper Bypass, & More Spectre in Micro-Op Caches - ASW #149 from 2021-05-04T09:00

This week in the AppSec News: Microsoft discloses "BadAlloc" bugs, macOS Gatekeeper logic falters, authentication issues in KDCs and ADs, Spectre gains another vector, followup on the UMN Linux ...

Why Developers Need to Think Differently About Software Security - Rey Bango - ASW #149 from 2021-05-03T21:00

Rey will be digging into the developer security training conundrum based on his own experiences with secure coding and security training. He'll cover:

• The types of security training tha...

Signal Aesthetics, AirDrop Privacy, Safety vs. Security, & Data Ordering Attacks - ASW #148 from 2021-04-27T09:00

This week in the AppSec News: Signal points out parsing problems, privacy preserving improvements to AirDrop, Homebrew disclosure, WhatsApp workflows, adversarial data ordering for ML, & more!

Deceptive Diffs From Subversive Submitters - ASW #148 from 2021-04-26T21:00

We start with the article about "Researchers Secretly Tried To Add Vulnerabilities to Linux Kernel, Ended Up Getting Banned" and explore its range of issues from ethics to securing huge, distrib...

Rust in Android, Vuln Disclosure, Postmortems, & BootHole Follow-Up - ASW #147 from 2021-04-20T09:00

This week in the AppSec News, Mike and John discuss Rust in Android and the Linux kernel, vuln disclosure policy changes from Project Zero, security and DevOps collaboration, XSS with NULL, & a ...

Supply Chain Management - Doug Barbin - ASW #147 from 2021-04-19T21:00

Supply chain security isn't new, despite the renewed attention from the SolarWinds attack. It has old challenges, like having an accurate asset or app inventory, and new opportunities, like Sof...

Malicious PHP Commits, OAuth Attacks & XML Injection, & Zines For DevSecOps - ASW #146 from 2021-04-06T09:00

PHP deals with two malicious commits, SSO and OAuth attack vectors to remember for your threat models, zines for your DevSecOps education!

Shifting Right: What Security Engineers Can Learn From DevSecOps - Leif Dreizler - ASW #146 from 2021-04-05T21:00

The security industry generally agrees on the value of enabling developers in an agile environment—although we don't agree on what to call it… “Shifting Left,” “Creating a Paved Path,” “DevSecOp...

TikTok Analysis, Patching Patches, CI/CD Integrity, Faster Fuzzing, & Slack Safety - ASW #145 from 2021-03-30T09:00

Security and privacy technical analysis of TikTok, subtle parsing problems, chain of trust through a CI/CD pipeline, faster fuzzing even without source code, interplay of application security an...

OWASP Top 10 of 2021 - Andrew van der Stock - ASW #145 from 2021-03-29T21:00

The OWASP Top 10 2021 is in development. A public survey has just been released. We have finished collecting data. I would like to discuss what the plans are for the OWASP Top 10 2021, and when ...

Supply Chains in Azure SDK/Xcode, GitHub Sessions, & GCP VRP - ASW #144 from 2021-03-23T09:00

In the AppSec News: Supply chain security in Azure SDK and macOS Xcode, GitHub's postmortem on a session handling flaw, six GCP vulns from 2020, & information resources for hacking the cloud!

Approaching AppSec Like a Hacker - Johanna Ydergard, Roberto Giachetta - ASW #144 from 2021-03-22T21:00

Security is struggling to keep up with securing modern web applications and the fast pace of wild web hacks. Detectify is building automated app scanners that can think like a hacker and shorten...

Unauth'd RCE, "Regexploits", Post-Spectre Web, & SigStore Signing - ASW #143 from 2021-03-16T09:00

Software safety to mitigate the impact of unauthenticated RCEs, exploding regex patterns, web and browser security in the face of Spectre side-channels, signing software artifacts, 8 roles for t...

Cloud Native Security Platforms - John Morello - ASW #143 from 2021-03-15T21:23:19

Modern appsec demonstrates the importance of a cloud native strategy for enterprise security and how much that strategy must integrate with DevOps tools and workflows. Security solutions need to...

Security Engineering, Evil Packages, Exchange SSRF, & Observability - ASW #142 from 2021-03-09T10:00

Making security engineering successful, Go's supply chain, mitigating JSON interoperability flaws, automating the hunt for deserialization flaws, the importance of observability, and what to do ...

Privacy, Data Security & Compliance - Cynthia Burke - ASW #142 from 2021-03-08T22:00

In most IT shops, privacy, data security and compliance often resided under the same umbrella of ownership. While all 50 States in the US have data breach notification laws, we are seeing a shif...

JSON, OpenSSL, Educational Resources, & Flaws in CodeQL - ASW #141 from 2021-03-02T10:00

This week on the Application Security News, Implementation pitfalls in parsing JSON, finding all forms of a flaw with CodeQL, more educational resources for hacking apps, engineering and product...

Hackable; How to do Application Security Right - Ted Harrington - ASW #141 from 2021-03-01T22:00

In looking at how to do application security right we talk about understanding the difference between defining types of security testing and the goals that security testing should be aiming for....

Dependency Confusion, Suspender Falls, Web Shells, & AppSec Scale - ASW #140 from 2021-02-23T10:00

This week on the Application Security News, Dependency confusion for internal packages, Chrome pulls down the Great Suspender, Microsoft highlights web shells, some strategies on scaling AppSec,...

Targeting, Exploiting, & Defending Linux - Brandon Edwards - ASW #140 from 2021-02-22T22:00

Linux is all over the place (sometimes surprising), why is targeting it different? What types of attacks are used? How can we defend against attacks on Linux? We can incorporate recent attacks a...

BBPLR, API Security Trends, Memory Unsafety, & Patching 0-Days - ASW #139 from 2021-02-09T10:00

Funding bounties or finding bugs, how should we invest? Talks from Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020.

...

Being a Serial Entrepreneur, Business Leader, & Hacker - Alissa Knight - ASW #139 from 2021-02-08T22:00

Alissa Knight has spent her career going against industry and social norms as both a Transgendered and Lesbian business leader and hacker. Learn more about her, her achievements as a published a...

Sudo Vuln, Libgcrypt, BlastDoor on iMessage, & AWS Lambda security - ASW #138 from 2021-02-02T10:00

This week in the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more!

...

Groundhog Day - It's Time to Reset the Script on Vulnerabilities - John Delaroderie - ASW #138 from 2021-02-01T22:00

In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens.

This segment is sponsored by Qu...

Firefox, Windows 10, DevOps, and BitHubLab - Application Security Weekly #19 from 2021-01-31T22:10:42.023393

Application news, DevOps food for thought, learning & tools from BitHubLab, and bugs, breaches, and more! Full Show Notes: https://wiki.s...

Guacamole RCE, PAN-OS Flaw, & A Culture of Resilience - ASW #113 from 2021-01-31T22:10:42.023393

Would you like some RCE with your Guacamole?, Attackers Will Target Critical PAN-OS Flaw, Security Experts Warn, Microsoft releases emergency security update to fix two bugs in Windows codecs, T...

Ghostcat, Apache, Networks, Starliner - ASW #98 from 2021-01-31T22:10:42.023393

CVE-2020-1938: Ghostcat vulnerability in the Tomcat Apache JServ Protocol. IMP4GT: IMPersonation Attacks in 4G NeTworks demonstrates a proven insecurity on a layer above provably secure protocol...

Ping Identity, Cequence, & NowSecure - ASW #73 from 2021-01-31T22:10:42.023393

At Black Hat 2019, we interviewed: Ameya Talwalker from Cequence, Mark Batchelor from PING Identity, and Michael Krueger from NowSecure!

Zane Lackey, Signal Sciences - Application Security Weekly #31 from 2021-01-31T22:10:42.023393

Zane Lackey is the Founder/Chief Security Officer at Signal Sciences. Zane Lackey explains how we, the security industry, need to shift left when it comes to applications and patching.

Ful...

KindleDrip, State of Messaging State Machines, DoH, & Data Security Strategies - ASW #137 from 2021-01-26T10:00

An overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might...

Reading Industry Analyst Tea Leaves To Predict The Future - Taylor McCaslin - ASW #137 from 2021-01-25T22:00

It's analyst season with the new Forrester Wave on SAST recently published as well as Gartner's Application Security Testing Magic Quadrant publishing in April. We'll talk about what are analyst...

Google 2FA Cloning, Speed vs. Security, & "Hack The Army" Bug Bounty 3.0 - ASW #136 from 2021-01-12T10:00

Significant source code leak from misconfigured repo, side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, the benefits o...

Fuzz Testing - Andrei Serban - ASW #136 from 2021-01-11T22:00

Fuzzing can be a successful appsec strategy for finding software bugs. And deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just ...

Kubernetes Clusters, Microsoft Solarigate, & Apple's Security DIY - ASW #135 from 2021-01-05T10:00

Microsoft purges malicious SolarWinds presence and highlights a threat model around their source code, the tl;drsec crew provides a hardening guide for Kubernetes, Apple provides a user guide f...

Security By Design - ASW #135 from 2021-01-04T22:00

A premise of adding security to DevOps is we can "shift left" AppSec responsibilities, one of which is building apps so they're secure by design. Yet what resources does the AppSec community pro...

Atheris Python Fuzzer, Bronze Bit Attack, & FireEye Highlights - ASW #134 from 2020-12-15T10:00

FireEye shares supply chain subterfuge, researchers show repeated mistakes in TCP/IP stacks, Google open sources Python fuzzing, Cisco and Microsoft patch their patches for vulns in Jabber and p...

Freedom From Computing Environments - Ev Kontsevoy - ASW #134 from 2020-12-14T22:43:17

We built OSS Teleport to provide a Unified Access Plane that consolidates access controls and auditing across all environments - infrastructure, applications, and data.

This segm...

Google Play Bug, GitHub, iPhone Radio Reboots, & Docker Hub Vulns - ASW #133 from 2020-12-08T10:00

An old security bug in the Play library still affects 8% of apps in Google Play, Project Zero researcher spends six months to reboot an iPhone (in an epic manner), GitHub looks at the security o...

Securing Web Applications Against Modern Threats - John Delaroderie, Mike Manrod - ASW #133 from 2020-12-07T22:14:05

Mike Manrod, CISO of Grand Canyon University, joined by John Delaroderie, Security Solutions Architect at Qualys, will discuss his approach to web application security with an emphasis on improv...

Top CyberSec Skills for 2021, Xbox Gamertag Bug, & MobileIron RCE Flaw - ASW #132 from 2020-12-01T10:00

Xbox bug exposed email identities, focusing on prevention for your cloud security strategies, Amazon looking to hire more Rust developers, KubeCon continues push for security, and a DevOps readi...

Security Decisions During Application Development - Tim Mackey - ASW #132 from 2020-11-30T22:00

The security of any application is a function of the decisions made during development. Measuring the risk of those decisions isn't something contained within a single tool, but instead requires...

Drupal Flaws, DevSecOps Implementation, & Cloud Native Security White Paper - ASW #131 from 2020-11-24T10:00

In the Application Security News, a manifesto highlights principles and values for threat modeling, the CNCF releases a Cloud Native Security Whitepaper, Microsoft put security in the CPU with P...

Threat Modeling Deep Dive - ASW #131 from 2020-11-23T22:00

We threat model every day without realizing it. And, of course, we often threat model with systems and products within our organizations. So how formal does our approach need to be? How do we be...

'Platypus' Attack, IDOR DOD Bug, & 2 More Chrome 0-Days - ASW #130 from 2020-11-17T10:00

In the Application Security News, The Platypus Attack Threatens Intel SGX, a Revitalized Attack Makes for Sad DNS, Bug Hunter Hits DOD With an IDOR, Steps for Devops, Testing in Prod, Two More C...

Automated Hacker Knowledge - Rickard Carlsson - ASW #130 from 2020-11-16T22:00

In a fast-paced tech environment, keeping up with security research can be overwhelming for companies. Automation is a must to keep up - but you also need human ingenuity to make sure automation...

Security Is a Feature - Keith Hoodlet - ASW #129 from 2020-11-10T10:00

What does it take to manage security teams and security initiatives? Find out the importance of people in security, whether it's keeping a team engaged or encouraging a team to rethink how they ...

China's Top Hacking Contest, GitHub Actions, & Vulnonym - ASW #129 from 2020-11-09T22:00

China's top hacking contest turns months of effort into 15 minutes of exploits, an injection flaw in GitHub Actions, understanding post-compromise activity in exploits targeting Solaris and VoIP...

Lax IoT, Adobe Flash Croaks, Link Preview Vulns, & Security Theatre! - ASW #128 from 2020-11-03T10:00

Lax IoT security exposes smart-irrigation systems, Adobe Flash goes truly end of line in one last update, confidential computing gets a turbo boost with Nitro, link previews show security and pr...

Azure App Service & Cloud-Native Signal Sciences Deployments - Alfred Chung - ASW #128 from 2020-11-02T22:00

Discussing what enterprises have to do while adapting legacy apps into Azure, and doing it in a secure, steady way without leaving any gaps. Signal Sciences site extension makes sure your apps a...

Cyber Risk in Industrial IoT, Firefox 'Site Isolation', & Chrome 0-Day Bug - ASW #127 from 2020-10-27T09:00

NSA publishes list of top vulnerabilities currently targeted by Chinese hackers, Nvidia Warns Gamers of Severe GeForce Experience Flaws, Addressing cybersecurity risk in industrial IoT and OT, F...

Cyber Resiliency Through Self-Healing Cloud Infrastructure - Cesar Rodriguez - ASW #127 from 2020-10-26T21:00

With the increased development velocity in cloud environments, cyber resilience is now more important than ever. To achieve cyber resiliency, security needs to be codified through the developmen...

Windows "Ping of Death", SonicWall VPN RCE, & MediaTek BootROM Glitch - ASW #126 from 2020-10-20T09:00

Patch Your Windows - “Ping of Death” bug revealed, 800,000 SonicWall VPNs vulnerable to remote code execution bug, T2 Exploit Team Creates Cable That Hacks Mac, Zoom Rolling Out End-to-End Encry...

The Future of Application Security Testing (AST) - Taylor McCaslin - ASW #126 from 2020-10-19T21:00

Join Taylor McCaslin, Security Product Manager at GitLab to discuss current trends in the application security testing industry. We'll chat about where the industry is at today and discuss advan...

Fortinet SIEM RCE, Facebook Bug Bounty, & Anti-Virus Vulnerabilities - ASW #125 from 2020-10-13T09:00

Redefining Impossible: XSS without arbitrary JavaScript, API flaws in an "unconventional" smart device, Facebook Bug Bounty Announces "Hacker Plus", Anti-Virus Vulnerabilities, and Chrome Introd...

Application Security Best Practices - James Manico - ASW #125 from 2020-10-12T21:00

Managing passwords is a critical developer task. Developers tasked with building or augmenting legacy authentication systems have a daunting task when facing modern adversaries. This session wil...

DOMOS 5.8 OS Command Injection, API Shield, & TRB245 Vulnerabilities - ASW #124 from 2020-10-06T09:00

DOMOS 5.8 - OS Command Injection, 4G, 5G networks could be vulnerable to exploit due to ‘mishmash’ of old technologies, Google sets up research grant for finding bugs in browser JavaScript engin...

Things Every Developer Should Know About Security - Chris Romeo - ASW #124 from 2020-10-05T21:00

Developers are at the center of properly securing applications. A large number of security issues bury developers. We must understand the things every developer must know about security in order...

Bypassing TikTok's MFA, Instagram RCE, & Chrome Security Updates - ASW #123 from 2020-09-29T09:00

6 Things to Know About the Microsoft 'Zerologon' Flaw, You can bypass TikTok's MFA by logging in via a browser, Instagram RCE: Code Execution Vulnerability in Instagram App for Android and iOS, ...

The Difference Between Finding Vulns & Securing Apps - ASW #123 from 2020-09-28T21:00

There's a big difference between finding vulns and securing apps. When we hear the phrase "shift left", what are we actually shifting? Maybe there's something more that security can learn when w...

Project OneFuzz, Bluetooth Spoofing Bug, & Safeguarding Secrets - ASW #122 from 2020-09-22T09:00

Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale, Bluetooth Spoofing Bug Affects Billions of IoT Devices, Firefox bug lets you hijac...

Visualizing & Detecting Threats For Your Custom Application - Justin Massey - ASW #122 from 2020-09-21T21:00

Application logs are critical to DevOps teams for monitoring the performance and health of their apps. Those same logs are just as critical to understanding the security of apps, whether detecti...

RCE via BACKBLAZE, Microsoft Patch Tuesday, & CRYLOGGER - ASW #121 from 2020-09-15T09:00

BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys, Microsoft Patch Tuesday, Sept. 2020 Edition, XSS->Fix->Bypass: 10000$ bounty in Google Maps, Academics find crypto...

The People & Process of DevOps - Frank Catucci - ASW #121 from 2020-09-14T21:00

Developer friendly appsec; the people, process and culture of DevSecOps. The basics for some and struggles for others.

Visit https:/...

GitHub to Ruby 2.7, CISO Success, & Lessons From Uber - ASW #120 from 2020-09-01T09:00

A Tale of Escaping a Hardened Docker container, Four More Bugs Patched in Microsoft's Azure Sphere IoT Platform, Upgrading GitHub to Ruby 2.7, Redefining What CISO ...

Detecting Threats & Avoiding Misconfigs In The Cloud-Age - Marc Tremsal - ASW #120 from 2020-08-31T21:00

What are challenges for companies moving to the cloud in forms of security? Marc Tremsal, Director of Product Management - Security at Datadog, will discuss these challenges and how he helps sec...

ATM Attacks, gcploit, & ClusterFuzz - ASW #119 from 2020-08-25T09:00

The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer, ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks, Control Flow Guard for Clang/LLV...

DevOps-First Application Security For Mid-Markets - Sundar Krish - ASW #119 from 2020-08-24T21:00

Mid-markets do have AppSec expertise, the current AppSec products are focused on large enterprises and require AppSec expertise. Sken.ai is the new and the only AppSec scan tool, focused on mid-...

AWS S3 Crypto SDK, ReVoLTE Attack, & Microsoft Bug Bounties - ASW #118 from 2020-08-18T09:00

Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards, In-band key negotiation issue in AWS S3 Crypto SDK for golang, ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conver...

Immutable Security For Immutable Infrastructure - Cesar Rodriguez - ASW #118 from 2020-08-17T21:00

Cesar will demonstrate breach path prediction as well as other features.

This segment is sponsored by Accurics. Visit https://secur...

SWVHSC: Amazon GuardDuty, Sandboxing & Workload Isolation, & No More SHA-1 - ASW #117 from 2020-08-04T21:00

Using Amazon GuardDuty to Protect Your S3, OkCupid Security Flaw Threatens Intimate Dater Details, Florida teen charged as “mastermind” in Twitter hack hitting Biden, Bezos, and others, Sandboxi...

SWVHSC: How Does Sec Live In A DevOps World? - Mike Rothman - ASW #117 from 2020-08-04T09:00

As you go full DevSecOps, where does that leave security operations? Who makes changes that are required? How do you empower (or deputize) app folks or ops folks (DevOps) to make those operation...

TaskRouter JS SDK, EL1/EL3 Vulnerability, & 234 Alexa Skills Store Violations - ASW #116 from 2020-07-28T09:00

TaskRouter JS SDK Security Incident, Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability, An EL1/EL3 coldboot vul...

Fixing Vulnerabilities Effectively & Efficiently - John Matherly - ASW #116 from 2020-07-27T21:00

What does it take to fix vulns effectively and efficiently? There's no lack of vulns identified from bug bounties and vuln reporting programs, but not every vuln needs the same attention and not...

SIGRed RCE, Google Cloud 'Confidential VMs', & Twitter Hack Crypto Scam - ASW #115 from 2020-07-21T09:00

This week, SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers, Introducing Google Cloud Confidential Computing with Confidential VMs, Internet of ...

Cloud Security Posture Management & Governance - Bhasker Nallapothula, Kris Rajana - ASW #115 from 2020-07-20T21:00

Digital transformation is taking the IT industry by storm. As the pace of adoption of public cloud increases, security posture management and governance is usually not top of the mind of cloud e...

Top Bug Bounty Rankings, Zoom 0-Day, & Firefox Send Malware - ASW #114 from 2020-07-14T09:00

Microsoft OneDrive client for Windows Qt QML module hijack, Zero-day flaw found in Zoom for Windows 7, Protecting your remote workforce from application-based attacks like consent phishing, Veri...

DevSecOps - Judy Ngure - ASW #114 from 2020-07-13T21:00

DevSecOps helps build secure applications and part of that approach means security testing. It takes more than knowing the OWASP Top 10 to make bug bounties successful. From techniques for findi...

Protecting Mobile Applications - Catherine Chambers, Will Hickie - ASW #113 from 2020-07-06T21:00

What do you do if your ambition is to provide security for all the mobile apps in the world? You hire a data scientist! Machine Learning is more than just a buzzword, it is the science behind m...

DLL Hijacking, Trust Through Privacy, & Adobe EOL Data - ASW #112 from 2020-06-30T09:00

DLL Hijacking at the Trend Micro Password Manager, Adobe Prompts Users to Uninstall Flash Player As EOL Date Looms, The State of Open Source Security 2020, Microservices vs. Monoliths: Which is ...

Using IaC to Establish & Analyze Secure Environments - Cesar Rodriguez - ASW #112 from 2020-06-29T21:00

Teams building Infrastructure as Code still need to ensure that the infrastructure deployed matches the code they created. Not only can IaC help establish secure environments, analyzing that cod...

CallStranger, SMBleedingGhost, & Misconfigured Kubeflow - ASW #111 from 2020-06-16T09:00

CallStranger hits the horror trope where the call is coming from inside the house, SMBleedingGhost Writeup expands on prior SMB flaws that exposed kernel memory, Misconfigured Kubeflow workloads...

Data Mapping & Data Value Journey - Michelle Dennedy - ASW #111 from 2020-06-15T21:00

Data management can transform a company. This digital transformation is about more than changing the way users relate to their data. It is about revolutionizing how we work with and think about ...

Zoom Vulns, Apple 0-Days, & Abandoned Domains - ASW #110 from 2020-06-09T09:00

Two vulnerabilities in Zoom could lead to code execution, Zero-day in Sign in with Apple, Focus on Speed Doesn’t Mean Focus on Automation, Apple pushes fix across ALL devices for “unc0ver” jailb...

The Future State of AppSec - Phillip Maddux - ASW #110 from 2020-06-08T21:00

Application Security is changing rapidly, and with changes to automation and tooling will look vastly different 5 years from now than it does today. Discuss what those changes will look like, in...

Apps Are the New Endpoint - Catherine Chambers - ASW #109 from 2020-06-02T09:00

Apps are everywhere. Increasingly apps are the main entry point for daily services such as banking, home security or even unlocking a car. But mobile devices are untrustworthy: a place where hac...

How to Prevent Account Takeover Attacks - John Chirhart - ASW #109 from 2020-06-01T21:00

Attackers are using methods such as password spraying and credential theft to commit fraud against websites at an alarming rate. Automated bots are aiding the attacker to conduct these operation...

Highlights From the New Open Source Security and Risk Analysis Report - Tim Mackey - ASW #108 from 2020-05-19T09:00

The 2020 OSSRA report shows that 91% of commercial applications contain outdated or abandoned open source components. The report, produced by the Synopsys Cybersecurity Research Center (CyRC), e...

Using Rate Limiting to Protect Web Apps and APIs - Jack Zarris - ASW #108 from 2020-05-18T21:00

Rate limiting can be used to protect against a number of modern web application and API attacks. We’ll discuss some of those attacks, including Object ID enumeration, in detail, will demo an att...

Samsung RCE 0-Click, Whispers, & Compromising Pluton - ASW #107 from 2020-05-12T09:00

In the Application Security News, Cloud servers hacked via critical SaltStack vulnerabilities, Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected, Mitigating...

How Can Security Work TOGETHER, Not Against, Developers - Joe Garcia - ASW #107 from 2020-05-11T21:00

DevOps and Agile IT practices have been around for a while. However, security teams are just now catching up. We will discuss how security teams can stop being “showstoppers” for the developers ...

Psychic Paper, Salt RCE, & Love Bugs - ASW #106 from 2020-05-05T09:00

This week in the Application Security News, “Psychic Paper” demonstrates why a lack of safe and consistent parsing of XML is disturbing, Beware of the GIF: Account Takeover Vulnerability in Micr...

Modern Application Security & Container Security - Gareth Rushgrove - ASW #106 from 2020-05-04T21:00

This week, we welcome Gareth Rushgrove, Director of Product Management at Snyk, to talk about Modern Application Security and Container Security! They also discuss Configuration Management, how ...

Nintendo Breach, NSA Advisory, & Security of IoMT - ASW #105 from 2020-04-28T09:00

This week, in the Application Security News, Nintendo Confirms Breach of 160,000 Accounts via a legacy endpoint, NSA shares list of vulnerabilities commonly exploited to plant web shells, Code P...

Threat Modeling in AppSec - Avi Douglen - ASW #105 from 2020-04-27T21:00

This week, we welcome Avi Douglen, Founder and CEO of Bounce Security, to talk about Threat Modeling in Application Security, DevSecOps, and how Application Security is mapping Security culture!...

Malicious Ruby Gems & JSON Web Token Bypass - ASW #104 from 2020-04-21T09:00

This week in the Application Security News, JSON Web Token Validation Bypass in Auth0 Authentication API, Mining for malicious Ruby gems, A Brief History of a Rootable Docker Image, Privacy In T...

Building an AppSec Ecosystem - Rebecca Deck - ASW #104 from 2020-04-20T21:00

It's possible to check the boxes and have an AppSec program that looks great on paper, but still not have positive results. We will cover using continuous feedback from AppSec testing activities...

Zooming Alex Stamos & Building Security TestOps - ASW #103 from 2020-04-14T09:00

This week in the Application Security News, Zoom Taps Ex-Facebook CISO Amid Security Snafus, Lawsuit, How we abused Slack's TURN servers to gain access to internal services, Moving from reCAPTCH...

Making Kubernetes a Hostile Place for Attackers - Brad Geesaman - ASW #103 from 2020-04-13T21:00

Kubernetes is conceptually simple, but in practical terms, a highly complex distributed system with thousands of interdependent settings that drive behavior and security posture. That said, focu...

Zoom Flaws, 'Zombie' win32k Bug, & Inputscope - ASW #102 from 2020-04-07T09:00

This week in the Application Security News, Zoom is gaining lots of attention for flaws and serves as a good exercise in threat modeling and communicating security trade-offs, Popular Digital Wa...

You're (probably) Doing AppSec Wrong - Grant Ongers - ASW #102 from 2020-04-06T21:00

Most security programs generally get in the way of delivery (if they don't, to all intents and purposes, prevent it altogether) and are probably also failing to provide the required level of act...

The Benefits of SAST and SCA in Your IDE - Utsav Sanghani - ASW #101 from 2020-03-23T21:36:23

Static application security testing (SAST) is critical for uncovering and eliminating issues in proprietary code. However, over 60% of the code in an average application today is composed of ope...

Singularity: A Different Take on Container Security - Adam Hughes - ASW #101 from 2020-03-23T20:49:59

Singularity is a container runtime that was built from the ground up to live in multi-user environments where POSIX permissions must be respected. In addition to a novel runtime approach, the Si...

Bottlerocket, Supply Chain Casualty, DevOps Sweet Spot - ASW #100 from 2020-03-17T15:43:18

Data of millions of eBay and Amazon shoppers exposed as another supply chain casualty, Announcing Bottlerocket, a new open source Linux-based operating system purpose-built to run containers, an...

DevSecOps / Scaling Security - Clint Gibler - ASW #100 from 2020-03-17T15:10:09

Due to a combination of a) development teams embracing Agile and DevOps and b) security teams often being outnumbered by developers 100:1 or more in many companies, there's been a fundamental...

CISOs, CVE, DevOps, Gandalf - ASW #99 from 2020-03-09T20:26:37

CVE-2020-0688 Losing the keys to your kingdom, which is why Multiple nation-state groups are hacking Microsoft Exchange servers, Revoking certain certificates on March 4 and Why 3 million Let’s ...

Guy Podjarny, Snyk - Guy Podjarny - ASW #99 from 2020-03-09T20:25:15

Guy Podjarny (@guypod) is Snyk's Founder and President, focusing on using open source and staying secure. Guy was previously CTO at Akamai following their acquisition of his startup, Blaze.io, a...

InfoSec World Workshop: DevSecOps and Cultural Transformation - Dan Petit - ASW #98 from 2020-03-02T20:24:29

Dan discusses his upcoming 2-day workshop at InfoSec World. The workshop is a "deep survey" into all things DevSecOps. Visit https://www.securitywee...

Application News - RSA Conference News and Activities - ASW #97 from 2020-02-26T10:00

6 of the 10 vendors at Innovation Sandbox are application security companies, F5 Empowers Customers with End-to-End App Security, Checkmarx Simplifies Automation of Application Security Testing ...

Chris Eng Interview - What's New with Veracode - Chris Eng - ASW #97 from 2020-02-25T05:37:20

Chris Eng, Chief Research Officer at Veracode, provides an update on Veracode including 2019 growth, new product announcements, Veracode Security Labs, and booth activities at RSA Conference 202...

SweynTooth, OWASP, CRXcavator, DevSecOps - ASW #96 from 2020-02-19T10:00

SweynTooth: Unleashing Mayhem over Bluetooth Low Energy, OWASP SAMM version 2, Understanding Trusted Execution Environments and Arm TrustZone, Security Researchers Partner With Chrome To Take Do...

Lessons Learned From The DevSecOps Trenches - Doug DePerry - ASW #96 from 2020-02-17T19:27:58

Doug DePerry has held multiple positions in his three years at Datadog, including Director of Product Security and currently, Director of Defense. Prior to his current position, Doug led the bu...

WhatsApp Flaw, Dropbox Bug Bounty Program, Investigating Web Shell Attacks - ASW #95 from 2020-02-12T10:00

This week in the Application Security News, Mike and John cover the following news stories: Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File S...

Mitigating at Design Time - Shaun Lamb - ASW #95 from 2020-02-11T10:00

In this interview segment, Mike and John interview Shaun Lamb about strategies for how best to design applications so they are "secure by default" and have fewer incidents and vulnerabilities, H...

Scaling an AppSec Program - ASW #94 from 2020-02-03T19:10:50

Mike, John, and Matt review the presentation given by Clint Gibler at AppSec Cali, An Opinionated Guide to Scaling Your Company's Security.

Xbox Bounty Program, Magento Patch, RCE in OpenSMTPD - ASW #94 from 2020-02-03T19:10:18

This week in the Application Security News, Mike, John, and Matt cover the following news stories: Xbox Bounty Program, Magento 2.3.4 Patches Critical Code Execution Vulnerabilities, Remote Clou...

Pwn2Own In Miami, Cloud Vuln., Deconstructing Web Cache Deception Attacks - ASW #93 from 2020-01-29T10:00

Pwn2Own Miami -- Schedule and Live Results show just how profitable deserialization, information leaks, and out-of-bounds flaws are, Insecure configurations expose GE Healthcare devices to attac...

Dynamically Protecting Mobile Applications With RASP - John Butler - ASW #93 from 2020-01-28T10:00

Mobile applications are a rapidly growing attack surface and the tools and techniques being used to compromise these environments are constantly evolving. As the provider in mobile application p...

Crypto Bugs, IoT Planes and Application Inspectors, Oh My! - ASW #92 from 2020-01-22T10:00

PoC Exploits Published For Microsoft Crypto Bug disclosed by NSA, Pratt & Whitney Expects GTF Engine Software Update on A220 Jet in Spring, Building a more private web: A path towards making thi...

Protecting Data in Apps and Protecting Apps from Data - ASW #92 from 2020-01-21T15:48:40

Apps must protect the data they collect. How can DevOps teams apply effective controls like strong authentication and authorization? How do cloud services help or hinder encrypting data? Envelop...

The Evolution of DevSecOps and AppSec Trends in 2020 - Hillel Solow - ASW #91 from 2020-01-14T10:00

Hillel Solow is the CTO at Check Point. Much has evolved in a few short years with DevSecOps and application development and security. But just when we think we see everything clearly and have i...

Application News - ASW #91 from 2020-01-14T10:00

This week on the Application Security News, Mike Shema, Matt Alderman and John Kinsella cover the following news stories: Policy and Disclosure: 2020 Edition, A look back & forward for bug bount...

Application News - ASW #90 from 2020-01-08T10:00

This week, on the Application Security News, Mike Shema and Matt Alderman discuss Featured Flaws and Big Breaches (Cisco kicks off 2020 with 12 CVEs in Cisco Data Center Network Manager), Cloud,...

Privacy by Design - ASW #90 from 2020-01-07T10:00

This week on Application Security Weekly, Mike Shema and Matt Alderman discuss Privacy by Design - The 7 Foundational Principles. This discussion includes these topics: Proactive not Reactive; P...

Binary Planting, GitLab, and DevOps Pipelines - ASW #89 from 2019-12-18T10:00

Binary Planting with the npm CLI is another way to describe one of our favorite attacks, GitLab Doles Out Half a Million Bucks to White Hats, Speculation & leakage: Timing side channels & multi-...

API Security - Dave Ferguson - ASW #89 from 2019-12-17T10:00

Dave Ferguson is the Director of Product Management, WAS at Qualys. Dave will discuss the issue of latent vulnerabilities and how they may linger in your custom-coded web applications and APIs, ...

The World Runs On Open-Source, But Who's Paying For Gas? - ASW #88 from 2019-12-11T10:00

In the Application Security News, GitHub Seeks Security Dominance With Developers, IoT and Agile Framework Partners in Efficacy, WhiteSource acquires & open sources Renovate dependency update to...

Software Bill of Materials (SBOM) - Allan Friedman - ASW #88 from 2019-12-10T10:00

Allan Friedman is the Director of Cybersecurity Initiatives of NTIA (National Telecommunication and Information Administration) US Dept of Commerce. The problem: unknown software supply chain. F...

Facebook, Twitter, & Firefox - ASW #87 from 2019-12-04T10:00

Analysis of Jira Bug Stresses Impact of SSRF in Public Cloud, DevSecOps Adoption and the Web Security Myth, Facebook, Twitter profiles slurped by mobile apps using malicious SDKs, Firefox gets t...

Bot Management - Sandy Carielli - ASW #87 from 2019-12-03T10:00

Sandy Carielli is the Principal Analyst at Forrester Research. She discusses the impact of good and bad bots on enterprises and how it is both a security and customer experience problem. Review how th...

Application News - ASW #86 from 2019-11-28T10:00

$1M Google Hacking Prize, 1.2B Records Exposed in Massive Server Leak, How Attackers Could Hijack Your Android Camera to Spy on You, XSS in GMail’s AMP4Email via DOM Clobbering, and much more!

Development Decisions Affect The Security Of Any Application - Tim Mackey - ASW #86 from 2019-11-27T10:00

Tim Mackey is the Principal Security Strategist at Synopsys. Measuring the risk of those decisions isn't something contained within a single tool, but instead requires a set of perspectives on h...

Sysdig Secure 3.0 - Pawan Shankar - ASW #85 from 2019-11-20T10:00

Pawan Shankar is the Senior Product Marketing Manager of Sysdig. Sysdig is very excited to announce the launch of Sysdig Secure 3.0!

Mirantis' Docker, CISOs, & End of Life Dates - ASW #85 from 2019-11-19T10:00

This site maintains quick links for checking End Of Life dates for various tools and technologies, Mirantis' Docker Enterprise acquisition a lifeline as industry shifts to Kubernetes, Website, K...

Application News - ASW #84 from 2019-11-14T10:00

Pwn2Own Tokyo Roundup: Amazon Echo, Routers, Smart TVs Fall to Hackers, Robinhood Traders Discovered a Glitch That Gave Them 'Infinite Leverage', Bugcrowd Pays Out Over $500K in Bounties in One ...

Security Testing - ASW #84 from 2019-11-13T10:00

Mike, Matt, and John talk about security testing.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Application News - ASW #83 from 2019-11-06T10:00

Stable Channel Update for Desktop Chrome users should upgrade to, Overcoming the container security conundrum: What enterprises need to know, Security Think Tank: In the cloud, the buck stops wi...

Teaching Security In Software Development - Daniel Lowrie, Justin Dennison - ASW #83 from 2019-11-05T10:00

We interview Daniel Lowrie, who is an Edutainer at ITProTV and Justin Dennison, who is also an Edutainer at ITProTV. Dan and Justin talk about how to bridge the gap between a developer and secur...

Application News - ASW #82 from 2019-10-30T09:00

Top cloud security controls you should be using, State of Software Security X, Developers: The Cause of and Solution to Security's Biggest Problems, and much more!

Bug Bounties, Pentesting, & Scanners - ASW #82 from 2019-10-29T09:00

Mike Shema, Matt Alderman, and John Kinsella talk about Bug Bounties, Pentesting, & Scanners.

Visit https://www.securityweekly.com/asw f...

Application News - ASW #81 from 2019-10-23T09:00

From Stackoverflow to CVE, with some laughs along the way, Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise, Recent Site Isolation improvements in Chrome, policy_sentry is an IAM ...

Doug Coburn, Signal Sciences - Doug Coburn - ASW #81 from 2019-10-22T09:00

Doug Coburn is the Director, Professional Services at Signal Sciences. Doug will be discussing Containers, Layer 7, and application security. Visit ...

Application News - ASW #80 from 2019-10-16T09:00

In the Application Security News, Key takeaways from Imperva breach, From Automated Cloud Deployment to Progressive Delivery, Designing Your First App in Kubernetes: An Overview Food for Thought...

Francois Lascelles, Ping Identity - ASW #80 from 2019-10-15T09:00

Francois is a member of the Ping Identity Office of the CTO. He provides product and strategic direction to customers and partners with a focus on API infrastructures security and API cybersecur...

Application News - ASW #79 from 2019-10-09T09:00

Ex-Yahoo Engineer Abused Access to Hack 6,000 User Accounts, American Express Insider Breaches Cardholder Information, How a double-free bug in WhatsApp turns to RCE, Flare-on 6 2019 Writeups, ...

Cloud Security for Small Teams - ASW #79 from 2019-10-08T09:00

How to step in and help with small cloud security teams.

Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes...

Application News - ASW #78 from 2019-10-02T09:00

Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways, Intelligent Tracking Prevention 2.3 and a discussion to Limit the length of the Referer header with some background on B...

Information Disclosure Vulnerabilities - Ryan Kelso - ASW #78 from 2019-10-01T09:00

Ryan Kelso is the Application Security Engineer at 10-Sec, Inc. Former developer turned application security engineer with a passion for giving back to the security community that has helped me ...

Training For Developers - Nicolas Valcárcel - ASW #77 from 2019-09-24T09:00

Nicolas Valcárcel is the Security Engineer at AdRoll. Developers and security professionals have vastly different views of the world, so it's not uncommon that trainings created by the la...

Application News - ASW #77 from 2019-09-23T18:57:19

BSIMM10 Emphasizes DevOps' Role in Software Security and the BSIMM10 report, Crowdsourced Security & the Gig Economy, Lessons learned through 15 years of SDL at work, Software eats the world, jo...

Bugs, Breaches, & More - ASW #76 from 2019-09-18T09:00

Simjacker – Next Generation Spying Over Mobile, Intel CPUs Vulnerable to Sensitive Data Leakage in NetCAT Attack and NetCAT: Practical Cache Attacks from the Network, What is PSD2? And how it wi...

OWASP Application Security Verification Standard - ASW #76 from 2019-09-16T18:55:06

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requireme...

Bugs, Breaches, & More - ASW #75 from 2019-09-11T09:00

A very deep dive into iOS Exploit chains found in the wild followed by Heap Exploit Development, Twitter turns off SMS texting after @Jack hijacking, CVE-2019-15846: Unauthenticated Remote Comma...

Tools in the DevOps Pipeline: Ty Sbano, Sisense - ASW #75 from 2019-09-10T09:00

Ty Sbano is the Cloud Chief Information Security Officer of Sisense. Ty will be discussing Tools in the DevOps Pipeline, Component Analysis, and Anything Application Security!

Full Show N...

Black Hat Interviews - WhiteSource and Venafi - ASW #74 from 2019-08-28T09:00

We interview Azi Cohen, the Co-founder of WhiteSource. He will be talking about how application security has undergone a transition in recent years, as information security teams testing products bef...

Container Security With Sysdig Secure 2.4 - Pawan Shankar - ASW #74 from 2019-08-26T20:55:29

Pawan Shankar is the Senior Product Marketing Manager of Sysdig. Sysdig is very excited to announce the launch of Sysdig Secure 2.4! With this release, Sysdig adds runtime profiling to enhance a...

Bugs, Breaches, and More! - ASW #73 from 2019-08-21T09:00

CVE-2019-1162 showcases elevation of privilege in an ancient Windows component. HTTP/2 Denial of Service Advisory with seven vulns that affects the protocol implemented by several vendors, SSH c...

Application News - ASW - News #72 from 2019-08-14T09:00

From Equifax to Capital One: The problem with web application security, Upcoming Change to Chrome's Identity Indicators means the EV UI Moving to Page Info, Apple extends its bug bounty program ...

Hacker Summer Camp Round-UP - ASW - Topic #72 from 2019-08-13T14:19:01

Mike Shema and Matt Alderman discuss Hacker Summer Camp as the Security Weekly team has returned from Las Vegas.

Full Show Notes: ...

Application News - Application Security Weekly #71 from 2019-07-31T09:00

Rare Steganography Hack Can Compromise Fully Patched Websites, Bug Bounties Continue to Rise as Google Boosts its Payouts, Snyk Acquires DevSecCon to Boost DevSecOps Community, and much more!

Container Security Today - Application Security Weekly #71 from 2019-07-30T09:00

Murray Goldschmidt is the COO & Co-founder of Sense of Security. Murray talks about The state of container security in the enterprise.

Application News - Application Security Weekly #70 from 2019-07-24T09:00

SupPy Chain Malware - Detecting malware in package manager repositories, Attacking SSL VPN, Solving Digital Transformation Cybersecurity Concerns With DevSecOps, How I Could Have Hacked Any Inst...

Secure App Deployment With Unikernels - Application Security Weekly #70 from 2019-07-23T09:00

Ian Eyberg is the CEO of NanoVMs. Unikernels are an emerging trend in software deployment because of their isolation, performance and size. However, they are still very much new, so it's good to le...

Application News - Application Security Weekly #69 from 2019-07-17T09:00

Yes, the zoom thing, 50 Ways to Leak Your Data in 1,300 Popular Android Apps Access Data, Without Proper Permissions, GE Aviation exposed internal configs via open Jenkins instance, Preparing yo...

Securing Multi-Cloud Environments - Application Security Weekly #69 from 2019-07-16T09:00

Gururaj Pandurangi is a founder and CEO of Cloudneeti, a software-as-a-service company focused on continuous cloud security, data privacy and compliance assurance. Gururaj is coming on the show ...

Application News - Application Security Weekly #68 from 2019-07-10T09:00

WordPress Plugin WP Statistics Patches XSS Flaw, Three RCEs in Android's Media framework, Nine Best Practices For Integrating Application Security Testing Into DevOps, 6 Traits That Define DevSe...

Cloud Native - Application Security Weekly #68 from 2019-07-09T09:00

Mike Shema, John Kinsella, and Matt Alderman talk cloud native from an application perspective.

Full Show Notes: https://wiki.secu...

Security Training for Devs - Application Security Weekly #67 from 2019-07-03T09:00

Mike Shema, John Kinsella, & Matt Alderman discuss security training for Devs!

Full Show Notes: https://wiki.securityweekly.com/AS...

GKE, AWS, & S3 Buckets - Application Security Weekly #67 from 2019-07-02T09:00

GKE improves authentication with Workload Identity, AWS reinforce reveals traffic tools and security solutions that improve support for DevOps, Brief history of Trusted Execution Environments, F...

Don't Ignore APIs - Application Security Weekly #66 from 2019-06-26T09:00

APIs are now over 80% of HTTP traffic, and enterprise application breaches through compromised APIs are mounting! A guide to API Security. They also discuss Public VS Private APIs and if the ...

Osquery, Netflix, & Mozilla - Application Security Weekly #66 from 2019-06-25T09:00

Mozilla pushes a patch onto an Array, Netflix shares a stream of patches, Breach to bankruptcy for healthcare company, Osquery becomes a foundational tool, Avoiding DevOps dangers, and Assigning...

Bugs, Breaches, and More! - Application Security Weekly #65 from 2019-06-19T09:00

There's no escape that will save you..., the privilege of running a Chrome extension, and Four practices towards DevSecOps!

Shannon Lietz, Intuit - Application Security Weekly #65 from 2019-06-18T09:00

Mike Shema and John Kinsella interview Shannon Lietz, the Director of Information Security at Intuit, about DevOps.

Full Show Notes: h...

MacOS Catalina, OpenShift, & Pink Floyd - Application Security Weekly #64 from 2019-06-12T09:00

"Waiting for the worms to come." -- Pink Floyd and RDP's CVE-2019-0708. Even the NSA warns about the population of exposed systems, A patch commands attention for mail servers, In macOS Catalina...

DevSecOps & Software Supply Chains, Microsoft - Application Security Weekly #64 from 2019-06-10T18:02:55

Tanya Janca, also known as SheHacksPurple, is a senior cloud advocate for Microsoft, specializing in application, cloud security, and more! Tanya is joining us on the show to talk about DevSecOp...

Application News - Application Security Weekly #63 from 2019-06-05T09:30

This week, Duo reveals a path from a Docker container to its host, Google fumbles some password functionality, GitHub makes dependency tracking more dependable, and more!

Full Show Notes:...

Major Identities & Micro Services - Application Security Weekly #63 from 2019-06-04T09:00

Mike and John delve into some DevSecOps topics. They discuss good design patterns that emerged from cloud native environments, Kubernetes and containers, and building blocks of unique services i...

Application News - Application Security Weekly #62 from 2019-05-22T09:00

Cisco Expressway goes off path and a Cisco IOS XE vuln goes for emojis, More erosion of CPU data boundaries, RDP patches a pre-auth problem and even resuscitates a patch process for XP, Microsof...

Cody Wood, Signal Sciences - Application Security Weekly #62 from 2019-05-21T09:00

Mike Shema and John Kinsella interview Cody Wood. Cody Wood is the AppSec Product Support Engineer at Signal Sciences.

To get involved with Signal Sciences, visit:

Application News - Application Security Weekly #61 from 2019-05-16T09:00

In the Application News, Chrome constrains the cookies and Edge pushes privacy, Windows builds a sandbox for Linux, Android Q for more quarantined code with more LLVM features, Steve Singh stepp...

Securing Software Supply Chains - Application Security Weekly #61 from 2019-05-15T09:00

This week, Derek Weeks joins us to talk about DevSecOps and Securing Software Supply Chains. Derek is the VP and DevOps Advocate at Sonatype. Derek is the world's foremost researcher on the topi...

Sven Morgenroth, Netsparker - Application Security Weekly #60 from 2019-05-08T09:00

Sven joins us to talk about securing our applications, how confident can we be about the security of web applications, and how we can make it easier to build applications that we don't need to w...

Application News - Application Security Weekly #60 from 2019-05-07T16:08:16

Firefox gives more scrutiny to add-ons but Firefox also forgot to give more scrutiny to a cert, Path traversals trampled by ransomware, Secure Software Design: The Next Frontier In Cybersecurity...

Application News - Application Security Weekly #59 from 2019-05-01T09:00

In the Application Security News, Software update gums up fingerprints, a counterproductive security practice expires thanks to well-considered guidelines, Docker Hub breach response, a path to ...

Larry Maccherone, Comcast - Application Security Weekly #59 from 2019-04-30T17:30:39

This week, we welcome Larry Maccherone, Senior Director of Comcast, to talk about the world of SecOps vs. DevSecOps!

Application News - Application Security Weekly #58 from 2019-04-24T09:00

In the Application Security News, Breach at IT outsourcer Wipro, SCP serves the file it wants, Confluence Path traverses to RCE, another Local PrivEsc on Windows, easier sandboxing for C and C++...

Thomas Hatch, SaltStack - Application Security Weekly #58 from 2019-04-23T09:00

Thomas is the creator of the Salt open source software project and the CTO of SaltStack, the company behind Salt. He has spent his career writing software to orchestrate and automate the work of...

Application News - Application Security Weekly #57 from 2019-04-17T09:00

3D fingerprints and unlocking Android, Ticking off another command injection, Alexa, audio, and annotations, STS no longer just for HTTP, and Hardenize goes beyond TLS.

Full Show Notes: <...

Containers and Kubernetes - Application Security Weekly #57 from 2019-04-16T14:20

This last week was pretty busy with announcements and presentations from the Google Next Conference. In 2018 they previewed some security tools and this year many of them are now GA along with a...

Falco, Sysdig - Application Security Weekly #56 from 2019-04-10T09:00

This week, we welcome Loris Degioanni from Sysdig to discuss their open source container native runtime security project called Falco!

To learn more about Sysdig, visit:

Docker, ARM, & "Selfie" - Application Security Weekly #56 from 2019-04-09T09:00

In the News segment, The Matrix turns 20, Containers are Weakest Security Leak Again, The Evolution of Application Security in the Serverless World, and more!

Wins & Challenges In AppSec, Square - Application Security Weekly #55 from 2019-03-29T09:00

Mike Shema is the Product Security Lead of Square. Mike joins us on the show to talk about where the wins and challenges are in appsec!

Bugs, Breaches, and More! - Application Security Weekly #55 from 2019-03-28T20:30:48

XSS Vulnerability in Abandoned Cart Plugin Leads to WordPress Site Takeover, The RedMonk Programming Language Rankings: January 2019, I Deleted Facebook Last Year; Here's What Changed (and What ...

DARPA, Yelp, & FBI - Application Security Weekly #54 from 2019-03-20T09:00

Owner of MAGA-Friendly Yelp Knockoff Threatens to Call FBI After Researcher Exposes Security Holes, Chinese Data Breach Exposes 'Breed Ready' Status Of Almost 2 Million Women, Dozens of companie...

Jamie Duncan, Red Hat - Application Security Weekly #54 from 2019-03-19T15:00:25

Jamie Duncan is a recovering history major who has been at Red Hat for just over 7 years. Beginning with his role as a TAM, his focus has increasingly centered on the operations-oriented feature...

Application News - Application Security Weekly #53 from 2019-03-13T09:00

WordPress accounted for 90 percent of all hacked CMS sites in 2018, Japanese police charge 13-year-old for sharing 'unclosable popup' prank online, Facebook exploit – Confirm website visitor ide...

RSA 2019 Recap - Application Security Weekly #53 from 2019-03-12T18:38:06

Keith and Paul discuss the structure and experiences of 2019's RSA Conference.

Full Show Notes: https://wiki.securityweekly.com/AS...

Matt Springfield, 12Feet, Inc. - Application Security Weekly #52 from 2019-02-27T10:00

Matt Springfield is the founder of 12Feet, Inc., an information security consulting firm based in the Dallas area. Matt has more than 23 years of information security experience spanning operatio...

Bugs, Breaches, and More! - Application Security Weekly #52 from 2019-02-26T10:00

Many websites threatened by highly critical code-execution bug in Drupal, UK parliament calls for antitrust, data abuse probe of Facebook, CommitStrip: Get rich quick, Google says the built-in m...

Android, Dark Web, & Development - Application Security Weekly #51 from 2019-02-20T10:00

A PNG Android Vulnerability, 620 Million Stolen Accounts for Sale on the Dark Web, How Shifting Security Left Speeds Development and more!

Integrating Security into DevOps, Altran - Application Security Weekly #51 from 2019-02-19T10:00

Gurpreet S. Sachdeva is the Assistant Vice President of Technology for Altran. Gurpreet Sachdeva will be discussing "Integrating Security into DevOps"!

Application News - Application Security Weekly #50 from 2019-02-14T10:00

In the Application Security News, Many popular iPhone apps secretly record your screen without asking, MongoDB databases still being held for ransom, Most of the Fortune 100 still use flawed sof...

Basic Flow of Problem, Solution, and Value - Application Security Weekly #50 from 2019-02-13T10:00

Tim Eades is the CEO at vArmour. Tim joins us on the show to talk about the basic flow of problems, the solutions, and the value.

Application News - Application Security Weekly #49 from 2019-02-06T10:00

Three UK customer details exposed in homepage blunder, Microsoft cloud services see global authentication outage, the age of surveillance capitalism, the rise of DevXOps, and much more!

F...

The Current State of Privacy & Software Development - Application Security Weekly #49 from 2019-02-05T16:34:12

Keith and Paul discuss the current state of privacy and software development.

- Facebook reveals news feed experiment to control emotions

- Facebook pays teens to install VPN that ...

Bugs, Breaches, and More! - Application Security Weekly #48 from 2019-01-31T10:00

Concerns about WordPress' new "White Screen of Death", Google Chrome changes could 'destroy' ad-blockers, Mozilla is adding an ad-blocker to Firefox Focus 9.0, Websites can steal browser data v...

Jing Xie, Venafi - Application Security Weekly #48 from 2019-01-30T10:00

Dr. Jing Xie is the senior threat intelligence researcher for Venafi, the market leading cybersecurity company in machine identity protection. As a member of the Venafi thought leadership group,...

The Human Element of Application Security - Application Security Weekly #47 from 2019-01-23T10:00

This week on Application Security Weekly, Matt Alderman is joined by James Wickett, who is the Head of Research at Signal Sciences. They talk about the human element of application security trai...

Bugs, Breaches, and More - Application Security Weekly #47 from 2019-01-23T10:00

In the News segment, Oracle patches 284 vulnerabilities, bug in Twitter Android app exposed protected tweets, 4 tips for better API Security in 2019, and more!

Rey Bango, Microsoft - Application Security Weekly #46 from 2019-01-17T10:00

Rey is a security advocate at Microsoft focused on helping the community build secure systems & being a voice for researchers within MS. After a long career in software development, he developed...

CRLF, NASA, & GitHub - Application Security Weekly #46 from 2019-01-16T10:00

Another server security lapse at NASA exposed staff and project data, CRLF Injection Into PHP’s cURL Options, System Down: A systemd-journald exploit, GitHub now gives free users unlimited priva...

WordPress, Silicon Valley, and Hijacking - Application Security Weekly #45 from 2019-01-10T10:00

Wormable stored XSS on WordPress.org, a security lapse revealed private complaints from Silicon Valley employees, hackers hijack thousands of Chromecasts to warn of latest security bug, a lintin...

Ken Johnson, GitHub - Application Security Weekly #45 from 2019-01-09T10:00

Ken Johnson has been hacking web applications professionally for 10 years and giving security training for 7 of those years. Ken is both a breaker and builder who currently works on the GitHub a...

Signal App, Jenkins Servers, & WordPress - Application Security Weekly #44 from 2018-12-18T15:14:14

Facebook bug exposed private photos of 6.8 million users, thousands of Jenkins servers will let anonymous users become admins, Signal app can't include a backdoor for the Australian government, ...

Harry Sverdlove, Edgewise - Application Security Weekly #44 from 2018-12-18T14:59:36

Harry Sverdlove is the CTO of Edgewise. Harry joins Keith and Paul to discuss what Edgewise does in the AppSec world, segmentation, cloud migration, trying different architectures, and more!

...

Chris Elgee, Counter Hack Challenge - Application Security Weekly #43 from 2018-12-12T10:00

Chris Elgee is a full time husband, father of four, and technical engineer at Counter Hack Challenges. Chris joins Keith and Paul this week to talk about the Counter Hack Challenge, how it's bee...

Kubernetes, Firefox, & WordPress - Application Security Weekly #43 from 2018-12-11T10:00

Kubernetes instances are being hijacked worldwide, malicious sites abuse 11-year old Firefox bug that Mozilla failed to fix, Google is on a Witch Hunt for Internal Leakers, a botnet of over 20,0...

NSA Malware, AFL Fuzzer, & Firecracker - Application Security Weekly #42 from 2018-12-05T10:00

Hackers are opening SMB ports on routers to infect PCs with NSA malware, bug detectives whip up smarter version of classic AFL fuzzer to hunt code vulnerabilities, malware & rogue users can spy ...

Aleksei Tiurin, Acunetix - Application Security Weekly #42 from 2018-12-04T16:52:09

Aleksei Tiurin is the Senior Security Researcher for Acunetix. He is performing a technical segment on reverse proxies using WebLogic, Tomcat, and Nginx.

To learn more about Acunetix, go ...

Drupalgeddon, USPS, & JavaScript - Application Security Weekly #41 from 2018-11-29T10:30

Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers, second WordPress hacking campaign underway, USPS took a year to fix a vulnerability that exposed all 60 million users'...

Brent Dukes - Application Security Weekly #41 from 2018-11-28T10:00

Brent Dukes is a hacker and Director of Information Security for an established manufacturing company. He joins Keith and Paul this week to talk about WAFs, Pentesting, Burp Suite, and more!

Application Security Weekly (Video)
Instagram, Kraken, GitMiner - Application Security Weekly #40 from 2018-11-19T22:35:14

Instagram leaks passwords to the public, Clickjacking on Google MyAccount Worth $7,500, James Wickett's thread on Open Source SAST options, an advanced search tool for sensitive information stor...

Listen
Application Security Weekly (Video)
John Kinsella, Layered Insight - Application Security Weekly #40 from 2018-11-19T22:04:23

Previously co-founder and head of product at Layered Insight, John now leads container security engineering at Qualys after its acquisition of Layered Insight. John talks about Qualys' Containe...

Listen
Application Security Weekly (Video)
ColdFusion, Destroying Logs, & Tracing Memes - Application Security Weekly #39 from 2018-11-15T10:00

DJI Drone Vulnerability, Hackers are increasingly destroying logs to hide attacks, Adobe ColdFusion servers under attack from APT group, understanding Open Source Code use in your business, and ...

Listen
Application Security Weekly (Video)
Brian Kelly, CyberArk - Application Security Weekly #39 from 2018-11-14T10:00

Brian Kelly is Head of Conjur Engineering at CyberArk, where he focuses on creating products that add much-needed security and identity management to the landscape of DevOps tools and cloud syst...

Listen
Application Security Weekly (Video)
'Stalkerware', DHCPv6 Packets, & Python - Application Security Weekly #38 from 2018-11-07T10:00

In the Application Security News, a nasty DHCPv6 packet can Pwn vulnerable Linux Boxes, 'Stalkerware' website let anyone intercept texts of tens of thousands of people, twelve malicious Python l...

Listen
Application Security Weekly (Video)
Daniel Cuthbert, Banco Santander - Application Security Weekly #38 from 2018-11-06T20:05:03

Daniel Cuthbert is the Global Head of Security Research for Banco Santander. He joins Keith and Paul this week for an interview!

Full Show Notes: Listen

Application Security Weekly (Video)
Airline Hacks, MicroTik Bug, & WordPress - Application Security Weekly #37 from 2018-11-01T09:00

Millions of passengers affected by Cathay Pacific Airline Hack, China has been hijacking the internet backbone of Western countries, how proficient are developers at fixing Application Security ...

Listen
Application Security Weekly (Video)
Johnny Xmas, Kasada.io - Application Security Weekly #37 from 2018-10-31T09:00

Keith, Paul, and Johnny Xmas discuss airport security, penetration testing, the top 5 payment apps, and DevOps-infused conversation! Full Show Notes: Listen

Application Security Weekly (Video)
Cryptocurrency, Disney, and Adobe - Application Security Weekly #36 from 2018-10-24T09:00

Hackers hide Cryptocurrency malware in Adobe flash updates, the government is finally rolling out 2 Factor Authentication for Federal Agency Domains, and Disney is helping women from across thei...

Listen
Application Security Weekly (Video)
Bugs, Breaches, and More! - Application Security Weekly #36 from 2018-10-23T09:00

Paul and April Wright discuss a jQuery Plugin that has been exploited for years is finally getting patched, a flaw in LibSSH leaves thousands of servers at risk, and a remote code implantation f...

Listen
Application Security Weekly (Video)
Garrett Gross, Rapid7 - Application Security Weekly #35 from 2018-10-16T15:09:54

Garrett Gross received his first modem at age six and has been plugged in ever since. Today, Garrett is a Senior Solutions Engineer with a specialization in application security at Rapid7. He se...

Listen
Application Security Weekly (Video)
Git Project, Google+, & Facebook - Application Security Weekly #35 from 2018-10-16T15:08:59

In the Application Security News, Git Project patches Remote Code Execution Vulnerability, Google is Shutting Down Google+ after 500k accounts potentially affected by a data breach, Facebook wan...

Listen
Application Security Weekly (Video)
Bugs, Breaches, and More - Application Security Weekly #34 from 2018-10-03T08:30

Facebook discloses the loss of at least 50M Access Tokens (also covered by Motherboard), Formjacking is on the rise, Google admits to allowing hundreds of companies to read your email, FireFox Monitor...

Listen
Application Security Weekly (Video)
Landing a Job in Application Security - Application Security Weekly #34 from 2018-10-02T09:00

Attend local meetups and conferences, practice your coding skills, get educated by World Class security researchers, do your homework, there's no substitute for Practice, OWASP Juice Shop, and m...

Listen
Application Security Weekly (Video)
Newegg, Ticketmaster, & iOS 12 - Application Security Weekly #33 from 2018-09-27T09:00

In the Application Security News, Hackers stole customer credit cards in Newegg data breach, John Hancock now requires monitoring bracelets to buy insurance, the man who broke Ticketmaster, new ...

Listen
Application Security Weekly (Video)
Ron Gula, Gula Tech Adventures - Application Security Weekly #33 from 2018-09-26T21:00

Ron started his cybersecurity career as a network penetration tester for the NSA, and is the Founder of Tenable and Gula Tech Adventures. He joins Keith and April for an interview to talk about ...

Listen
Application Security Weekly (Video)
Bluebox-ng, Stock Data Breaches, and CommitStrip - Application Security Weekly #32 from 2018-09-26T09:00

Alpine Linux hit with bug that can lead to Poisoned Containers, data breaches affect stock performance in the long run, Bluebox-ng, a Node.js VoIP pentesting framework, and CommitStrip: It's Not...

Listen
Application Security Weekly (Video)
April Wright, ArchitectSecurity.org - Application Security Weekly #32 from 2018-09-25T21:00

Keith Hoodlet and Paul Asadoorian interview April Wright. They discuss people connected by apps, workplace reward systems, and the importance of building/practicing the process before documentin...

Listen
Application Security Weekly (Video)
Microsoft, Equifax, MacOS, and Bug Bounties - Application Security Weekly #31 from 2018-09-13T09:00

U.S. Government releases post-mortem on Equifax, MacOS security baseline script by Jerry Gamblin, Equifax mega-breach and nothing has changed, Docker hacking challenge, and Bug Bounties and ment...

Listen
Application Security Weekly (Video)
Fortnite, Netflix, & Black Hat - Application Security Weekly #30 from 2018-08-30T09:00

In the Application security news, 'Fortnite' developer had sharp words for Google after an Exploit was discovered, PHP flaw puts WordPress sites at risk, Oracle will charge for Java starting in ...

Listen
Application Security Weekly (Video)
The Apache Struts2 RCE Vulnerability - Application Security Weekly #30 from 2018-08-29T09:00

Keith Hoodlet and Paul Asadoorian talk about The Apache Struts2 RCE Vulnerability. They cover:

- CVE-2018-11776

- How the 3 Ways of DevOps can guide us toward better security pract...

Listen
Application Security Weekly (Video)
Tom McLaughlin, ServerlessOps - Application Security Weekly #29 from 2018-08-22T09:00

Tom is the founder of ServerlessOps (https://www.serverlessops.io/) and an experienced operations engineer. He started ServerlessOps after he asked the question, what would he do if servers went...

Listen
Application Security Weekly (Video)
Matt Alderman & Paul Asadoorian, Def Con 2018 - Application Security Weekly #29 from 2018-08-21T17:20:47

Matt Alderman and Paul sat down at DEF CON to talk about all of the AppSec vendors that they held briefings with at our Pool Cabana. They sat down with companies like Synopsys, Signal Sciences, and di...

Listen
Application Security Weekly (Video)
Alibaba Cloud Security, Comcast, and Facebook - Application Security Weekly #28 from 2018-08-15T09:00

Alibaba Cloud Security team discovers Apache Spark REST API remote code execution exploit, Comcast security flaws exposed partial addresses, Hacker finds hidden 'God Mode' in old x86 CPUs, and mor...

Listen
Application Security Weekly (Video)
Secure Coding Practices - Application Security Weekly #28 from 2018-08-14T14:27:03

After arriving back from Black Hat and DEF CON 2018, Doug joins Keith to share some of his stories about attending the world famous security conferences. They discuss secure coding practices. Listen

Application Security Weekly (Video)
Resources, Bugs, Breaches, and Learning Tools - Application Security Weekly #27 from 2018-08-09T09:00

Hardware-based Root of Trust, Small Trusted Computing Base, React v16.4.2, GitHub shows best practices for account security and recoverability, the cost of JavaScript, and Food for Thought!...

Listen
Application Security Weekly (Video)
Galen Hunt, Microsoft - Application Security Weekly #27 from 2018-08-08T09:00

Galen founded and leads the team building the Azure Sphere, announced at RSA Conference 2018. Our goal is to make IoT safe for society. Azure Sphere provides an end-to-end solution that enables a...

Listen
Application Security Weekly (Video)
Spectre, OWASP, and iGoat - Application Security Weekly #26 from 2018-08-02T09:00

New Spectre attack can remotely steal secrets, Microsoft discovers supply chain attack at unnamed maker of PDF Software, XSS filter in Edge, OWASP iGoat is a vulnerable Swift application for iOS...

Listen
Application Security Weekly (Video)
Jessica Rozhin, Marqeta - Application Security Weekly #26 from 2018-08-01T09:00

Jessica Rozhin is currently a Security Engineer at an Oakland Financial Tech startup called Marqeta. This is her first role in the security space, but she is no stranger to technical operations ...

Listen
Application Security Weekly (Video)
Venmo, Oracle, & Linux - Application Security Weekly #25 from 2018-07-25T09:00

Venmo caught publishing all transactions publicly, Oracle releases critical patches, Microsoft releases PowerShell Core for Linux, Health insurers are vacuuming up details about you, changing yo...

Listen
Application Security Weekly (Video)
Joe Garcia, CyberArk - Application Security Weekly #25 from 2018-07-24T09:00

As a Global Corporate Solutions Engineer, Joe Garcia has a strong background in DevOps, Cloud and Security and is currently focused on helping customers implement and scale effective secrets man...

Listen
Application Security Weekly (Video)
AppSec Solutions in a DevOps World - Application Security Weekly #24 from 2018-07-19T09:30

Application Security solutions in a DevOps world.

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode24 Follow us on ...

Listen
Application Security Weekly (Video)
iOS Bugs, Burp Suite, & DevSecOps - Application Security Weekly #24 from 2018-07-18T09:00

In the news, compromised JavaScript package caught stealing npm credentials, remote iOS bugs, a $39 device that can defeat iOS USB Restricted mode, Broadcom buys CA Technologies, Burp Suite Auto...

Listen
Application Security Weekly (Video)
The Hardest Problem in Application Security - Application Security Weekly #23 from 2018-07-11T09:00

One of the hardest problems that Application Security practitioners need to solve is the problem of visibility. Not only do they need to uncover all of the different projects under development -...

Listen
Application Security Weekly (Video)
Facebook, Google, & GitLab - Application Security Weekly #23 from 2018-07-10T20:58:37

In the news, Google patches critical remote code execution bugs in Android OS, A new data breach may have exposed personal information of almost every American adult, Facebook acknowledges it sh...

Listen
Application Security Weekly (Video)
PHPMyAdmin, GitHub, and VS Code - Application Security Weekly #22 from 2018-07-05T09:00

'GDPR-Lite', Testing Firefox, refactoring in VS Code, sniff network traffic from our iOS device, Gentoo GitHub organization is hacked, and what does it mean to experience fulfillment? All that a...

Listen
Application Security Weekly (Video)
Thomas GX, Yelda - Application Security Weekly #22 from 2018-07-03T09:00

Thomas GX is a French entrepreneur specializing in Automation, AI, Assistants & Bots, handling creation and development as well as project management processes.

Full Show Notes: Listen

Application Security Weekly (Video)
Microsoft, JavaScript, AI Can Fire - Application Security Weekly #21 from 2018-06-28T09:00

Apple comments on erroneous reports of iPhone brute force passcode hack, XSS in Google Colaboratory + CSP bypass, how to deploy to Azure with Docker & VS Code, and debugging JavaScript in Googl...

Listen
Application Security Weekly (Video)
Dan Kuykendall, Rapid7 - Application Security Weekly #21 from 2018-06-27T09:00

Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security so...

Listen
Application Security Weekly (Video)
Windows, Smart Lock, & iPhone Hackers - Application Security Weekly #20 from 2018-06-21T09:00

In the news, Microsoft Windows remote kernel crash vulnerability, another flaw hits Tapplock smart locks, cops aren't confident iPhone hackers found a workaround to Apple's new security feature ...

Listen
Application Security Weekly (Video)
Ron Gula, Gula Tech Adventures - Application Security Weekly #20 from 2018-06-20T09:00

Ron started his cybersecurity career as a network penetration tester for the NSA. At BBN, he developed network honeypots to lure hackers and he ran US Internetworking's team of penetration teste...

Listen
Application Security Weekly (Video)
Peter Chestna, Veracode - Application Security Weekly #19 from 2018-06-13T09:00

Peter Chestna is the Director of Developer Engagement at Veracode. He comes on the show to talk about the article he wrote called "The 3 Ways of DevSecOps".

Full Show Notes: Listen

Application Security Weekly (Video)
GitHub, Oracle, & GDPR - Application Security Weekly #18 from 2018-06-07T09:00

In the news, how other companies are responding to GDPR, Oracle plans to drop Java Serialization Port, Microsoft acquires GitHub, the percentage of open source code in proprietary apps is rising...

Listen
Application Security Weekly (Video)
Agile vs. DevOps - Application Security Weekly #18 from 2018-06-06T09:00

This week, Keith and Paul discuss what the difference is between Agile, CI/CD, and DevOps! Agile is focused on process, highlighting change, all while accelerating delivery. CI/CD focuses on s...

Listen
Application Security Weekly (Video)
Nest, Node.js, & F-Secure - Application Security Weekly #17 from 2018-05-24T09:00

In the news, the entire Nest ecosystem of smart home devices goes offline, how Alphabet plans to keep hackers away from this year's election, the Node.js Ecosystem is chaotic and insecure, open-...

Listen
Application Security Weekly (Video)
James Wickett, Signal Sciences - Application Security Weekly #17 from 2018-05-23T09:00

James is the creator and founder of the Lonestar Application Security Conference which is the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and is on the glob...

Listen
Application Security Weekly (Video)
Adam Gordon, ITProTV - Application Security Weekly #16 from 2018-05-17T09:00

Adam Gordon comes on the show to talk about DevOps, SecOps, and DevSecOps. He explains how DevOps, as a solution, is the framework for defining software, the nature of automation, and the nature...

Listen
Application Security Weekly (Video)
Text Bombs, Black Dots of Death, and Azure - Application Security Weekly #16 from 2018-05-16T09:00

A remote code execution vulnerability is discovered in Electron, the Azure CTO reveals details about Azure confidential computing, and part 1 of 3 on the ways of DevSecOps.

Full Show Note...

Listen
Application Security Weekly (Video)
Twitter, Meltdown, & RSAC - Application Security Weekly #15 from 2018-05-09T09:00

In the news, a Boeing 757 was hacked remotely while it sat on the runway, Twitter says all 336 million users should change their passwords, Meltdown patches return kernel page table directory to...

Listen
Application Security Weekly (Video)
Building Your AppSec Program - Application Security Weekly #15 from 2018-05-08T16:02:35

Keith and Paul talk more about building your own AppSec program. They discuss working with developers as part of building your appsec program, and giving developers the tools to be able to move ...

Listen
Application Security Weekly (Video)
Building Your AppSec Program: Getting Started - Application Security Weekly #14 from 2018-05-02T09:00

Keith and Paul talk about building your application security program!

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode...

Listen
Application Security Weekly (Video)
FDA, Microsoft, & Android - Application Security Weekly #14 from 2018-05-01T16:32:24

In the news, SEC fines Yahoo $35 million for not reporting cyber breach, hackers found using a new code injection technique to evade detection, Microsoft dismantles its Windows Development Grou...

Listen
Application Security Weekly (Video)
Drupal, RSAC, & Facebook - Application Security Weekly #13 from 2018-05-01T09:00

In the news, Drupal 7 and 8 core critical releases, Irony of Leaky App at #RSAC Not Lost on Attendees, US FDA seeking Congressional Authority for new requirements, Facebook fuels broad privacy d...

Listen
Application Security Weekly (Video)
Rami Sass, CEO & Co-Founder of WhiteSource - Application Security Weekly #13 from 2018-04-30T14:39:51

Rami Sass is CEO and Co-Founder of WhiteSource. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing comp...

Listen
Application Security Weekly (Video)
Windows, MacOS, & JavaScript - Application Security Weekly #12 from 2018-04-15T09:00

In the news, Attacking an FTP Client: MGETting more than you bargained for, Warning: Your Windows PC can get hacked by just visiting a site, new MacOS backdoor linked to OceanLotus, & more on th...

Listen
Application Security Weekly (Video)
Open Source Software - Application Security Weekly #12 from 2018-04-14T09:00

With GitHub's 10-year Anniversary, it's about time we talk Open Source! Visit: https://github.com/ten to read about their anniversary!

Full Show Notes: Listen

Application Security Weekly (Video)
One Language to Rule Them All - Application Security Weekly #11 from 2018-04-08T09:00

Everything you want to build, anywhere you want to build it, can be done with JavaScript. This week Paul and Keith discuss One Language to Rule Them All: Node-based Operating System, NodeOS!

...

Listen
Application Security Weekly (Video)
Intel, Slack, Spectre, & NASA - Application Security Weekly #11 from 2018-04-07T09:00

In the news, Microsoft rushes out fix for major hole caused by previous Meltdown patch, Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed, Slack’s new policy lets bosses r...

Listen
Application Security Weekly (Video)
DevOps or DevSecOps? - Application Security Weekly #10 from 2018-04-01T09:00

Does DevOps handle security, or does it need to be DevSecOps? Maybe you're not doing DevOps if you're not doing security. This week Paul and Keith discuss the debate between the two!

Full S...

Listen
Application Security Weekly (Video)
Cloudflare, Facebook, & Red Team Wisdom - Application Security Weekly #10 from 2018-03-31T09:00

In the news, uncovering a bug in Cloudflare's Minification Service, how security alerts are keeping your code safer, Red Team wisdom, Facebook scraped call, text message data for years from Andr...

Listen
Application Security Weekly (Video)
AMD, MailChimp, & Equifax - Application Security Weekly #9 from 2018-03-18T09:00

In the news, researchers say AMD processors have serious vulnerabilities and backdoors, hijacked MailChimp accounts used to distribute banking malware, Voodoo Kali, former Equifax executive charged...

Listen
Application Security Weekly (Video)
Personal Development in Application Security - Application Security Weekly #9 from 2018-03-17T09:00

This week, Introducing Metta: Uber's open source tool for adversarial simulation, probable wordlists, & AttackDeploy gets dockerized!

Full Show Notes: Listen

Application Security Weekly (Video)
Ethereum, Kali Linux, & Creepy Alexa - Application Security Weekly #8 from 2018-03-14T09:00

In the news, Amazon admits Alexa is creepily laughing at people and is working on a fix, Ethereum fixes serious 'eclipse' flaw that could be exploited by any kid, Kali Linux is now an app in the...

Listen
Application Security Weekly (Video)
AppSec Development Partnership - Application Security Weekly #8 from 2018-03-13T09:00

This week, Paul and Keith talk about "The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win!"

Full Show Notes: Listen

Application Security Weekly (Video)
DigiCert, GitHub, & Black Panther - Application Security Weekly #7 from 2018-03-04T10:00

In the news, DigiCert statement on Trustico certificate revocation, GitHub survived the biggest DDoS attack ever recorded, Black Panther inspired Disney to fund a STEM center in Oakland, & more ...

Listen
Application Security Weekly (Video)
Facebook Malware Scan - Application Security Weekly #7 from 2018-03-03T10:00

This week, Paul and Keith discuss Facebook's mandatory malware scan and how they lost daily users for the first time ever in the U.S. and Canada!

Full Show Notes: Listen

Application Security Weekly (Video)
Bitcoin, Salon, Oxford Comma Dispute, and Amazon - Application Security Weekly #6 from 2018-02-18T10:00

In the news, Lenovo warns of critical WiFi vulnerability, Russian nuclear scientists arrested for Bitcoin mining plot, remote workers are outperforming office workers, & more on this episode of Ap...

Listen
Application Security Weekly (Video)
Topic: Bug Bounties - Application Security Weekly #6 from 2018-02-17T10:00

This week, Keith and Paul discuss Data Security and Bug Bounty programs! They mention the lessons learned from the Uber breach and why Google paid 2.9 million in Bug Bounties in 2017!

Ful...

Listen
Application Security Weekly (Video)
OWASP ASVS pt. 2 - Application Security Weekly #05 from 2018-02-11T10:00

This week, Paul and Keith continue to discuss OWASP Application Security Verification Standards!

Full Show Notes: https://wiki.sec...

Listen
Application Security Weekly (Video)
NSA, Google, & Microsoft - Application Security Weekly #05 from 2018-02-10T10:00

In the news, NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000, beware the looming Google Chrome HTTPS certificate apocalypse, Microsoft open sources a new Kubernet...

Listen
Application Security Weekly (Video)
OWASP Application Security Verification Standard - Application Security Weekly #04 from 2018-02-04T10:00

This week, Paul and Keith discuss OWASP Application Security Verification Standards!

Full Show Notes: https://wiki.securityweekly....

Listen
Application Security Weekly (Video)
Intel, CloudFair, & Lenovo - Application Security Weekly #04 from 2018-02-03T10:00

In the news, Intel warned Chinese companies of chip flaw before U.S. government, $530 million cryptocurrency heist may be the biggest ever, Fitness tracking app Strava gives away location of sec...

Listen
Application Security Weekly (Video)
Facebook, RedHat, & Russian Twitterbots - Application Security Weekly #03 from 2018-01-28T10:00

This week, Doug and Keith discuss the last of the top ten most critical web application security risks! They discuss security misconfiguration, insecure deserialization, insufficient logging and...

Listen
Application Security Weekly (Video)
Matias Madou, Secure Code Warrior - Application Security Weekly #03 from 2018-01-27T10:00

Matias Madou is the CTO of Secure Code Warrior where he is responsible for leading the company’s technology vision and overseeing the engineering team. He joins Keith this week for the feature i...

Listen
Application Security Weekly (Video)
Google, Oracle, and Apple - Application Security Weekly #02 from 2018-01-21T10:00

In the Application Security News, Paul and Keith discuss Google Chromecast and Google Chrome, ballistic missile alerts, Intel AMT security issues, and the stress of remote working! All that and ...

Listen
Application Security Weekly (Video)
Top 10 OWASP pt.2 - Application Security Weekly #02 from 2018-01-20T10:00

This week, Paul and Keith discuss the last of the top ten most critical web application security risks! They discuss security misconfiguration, insecure deserialization, insufficient logging and...

Listen
Application Security Weekly (Video)
OWASP Top 10 (2017) Overview - Application Security Weekly #1 from 2018-01-13T10:00

This week, Paul and Keith discuss the ten most critical web application security risks! They discuss broken authentication, sensitive data exposure, XML external entities (XXE), broken access con...

Listen
Application Security Weekly (Video)
NVIDIA, Oracle, Coinbase, and Bitcoin - Application Security Weekly #1 from 2018-01-12T20:32:46

In the Application Security News, Paul and Keith discuss how malicious NPM packages could harvest credit card numbers and passwords from your site, NVIDIA updates video drivers to help address C...

Listen
Application Security Weekly (Video)
Rise of Application Security - Application Security Weekly #00 from 2018-01-07T10:00

Paul and Keith host the first show of Application Security Weekly! Today, they discuss the brief history of application security, software, and software security! With application security on th...

Listen
Application Security Weekly (Video)
Google, Intel, Mozilla, and Starbucks - Application Security Weekly #00 from 2018-01-06T10:00

In the Application Security News, Paul and Keith talk about impatient employers designing their own courses, measurable CPU differences in AWS from Intel CPU vulnerabilities, the CEO of Intel se...

Listen