About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Prin ...
The Future of Application Security is a podcast for ambitious leaders who want to build a modern and effective AppSec program. Doing application security right is really hard and we want to help other experts build the future of AppSec by curating the best industry insights, tips and resources. What’s the most important security metric to measure in 2024? It’s Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt
Applying Usability and Transparency to Security - Hannah Sutor - ASW #311
1:09:42
Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and se…
Ancient Curl Bug, AWS re:Invent, Malware in NPM, Census III Report, MS OTP - ASW #311
35:35
Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more! 00:00 - Intro & Cyber Resilience Insights 01:20 - The 25-Year-O…
Brett Crawley -- Threat Modeling Gameplay with EoP
45:28
Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with …
Applying Usability and Transparency to Security - Hannah Sutor - ASW #311
34:09
Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and se…
AI's Junk Vulns, Web3 Backdoor, LLM CTFs, 5 GenAI Mistakes, Top Ten for LLMs - ASW #310
29:02
Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more! Show Notes: https://securityweekly.com/asw-310
We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage. Segment resources https://prods.ec https://owasp.org/www-project-spvs/ https://…
Fuzzing Barcodes, Fuzzing with AI, AI vs. Scammers, CWEs, Repo Swatting - ASW #309
36:34
Fuzzing barcodes and getting projects onboarded with fuzzers, using AI to guide fuzzers, using AI to combat scammers, using CWEs for something, using malicious comments to ban repos, and more! Show Notes: https://securityweekly.com/asw-309
Adding Observability with OpenTelemetry - Adriana Villela - ASW #309
1:10:55
Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload,…
Adding Observability with OpenTelemetry - Adriana Villela - ASW #309
34:24
Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload,…
AI fixes everything, C++ the actual worst, IAM is hard - ASW #308
37:14
This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us. We also discuss whether Secure by Design's goals are practical or not. OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet. Also, Watchtowr …
Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308
1:10:32
This week's interview dives deep into the state of biometrics with two Forrester Research analysts! The discussion compares and contrasts regional approaches to biometrics, examines the security challenges and benefits of their implementation, and reveals how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives …
Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308
33:19
This week's interview dives deep into the state of biometrics with two Forrester Research analysts! The discussion compares and contrasts regional approaches to biometrics, examines the security challenges and benefits of their implementation, and reveals how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives …
Typosquatting NPM, vulnerability analysis, and AI challenges - ASW #307
35:50
This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response. Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish. Is it bad that 70% of DevSecOps professi…
Modernizing AppSec - Melinda Marks - ASW #307
1:09:29
In this week's interview, Melinda Marks joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and eve…
Modernizing AppSec - Melinda Marks - ASW #307
33:41
In this week's interview, Melinda Marks joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and eve…
Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements
50:20
Matin Mavaddat discusses his perspective on security as a systemic concern, developed from his background in requirements engineering and systems architecture. He introduces the concept of "anti-requirements" - defining what a system should not do - and distinguishes between "syntactic security" (addressing technical vulnerabilities that are always…
Total Recall? LLM finds bug in SQLite, C++ safety failures, zero time for zero privs - ASW #306
33:29
Microsoft delays Recall AGAIN, Project Zero uses an LLM to find a buffer underflow in SQLite, the scourge of infostealer malware, zero standing privileges is easy if you have unlimited time (but no one does), reverse engineering Nintendo's Alarmo and RedBox's... boxes. Bonus: the book series mentioned in this episode, The Lost Fleet by Jack Campbell…
Bug bounties, vulnerability disclosure, PTaaS, fractional pentesting - Grant McCracken - ASW #306
1:05:35
After spending a decade working for appsec vendors, Grant McCracken wanted to give something back. He saw a gap in the market for free or low-cost services for smaller organizations that have real appsec needs, but not a lot of means to pay for it. He founded DarkHorse, which offers VDPs and bug bounties to organizations of all sizes for free, or for…
Bug bounties, vulnerability disclosure, PTaaS, fractional pentesting - Grant McCracken - ASW #306
32:08
After spending a decade working for appsec vendors, Grant McCracken wanted to give something back. He saw a gap in the market for free or low-cost services for smaller organizations that have real appsec needs, but not a lot of means to pay for it. He founded DarkHorse, which offers VDPs and bug bounties to organizations of all sizes for free, or for…
Protecting Identity of AI Agents & Standardizing Identity Security for SaaS Apps - Shiven Ramji, Arnab Bose - ASW #305
30:42
Generative AI has been the talk of the technology industry for the past 18+ months. Companies are seeing its value, so generative AI budgets are growing. With more and more AI agents expected in the coming years, it’s essential that we are securing how consumers interact with generative AI agents and how developers build AI agents into their apps. …
Making TLS More Secure, Lessons from IPv6, LLMs Finding Vulns - ASW #305
53:04
Better TLS implementations with Rust, fuzzing, and managing certs, appsec lessons from the everlasting transition to IPv6, LLMs for finding vulns (and whether fuzzing is better), and more! Also check out this presentation from BSides Knoxville that we talked about briefly, https://youtu.be/DLn7Noex_fc?feature=shared Show Notes: https://securityweek…
Making TLS More Secure, Lessons from IPv6, LLMs Finding Vulns - Arnab Bose, Shiven Ramji - ASW #305
1:22:48
Better TLS implementations with Rust, fuzzing, and managing certs, appsec lessons from the everlasting transition to IPv6, LLMs for finding vulns (and whether fuzzing is better), and more! Also check out this presentation from BSides Knoxville that we talked about briefly, https://youtu.be/DLn7Noex_fc?feature=shared Generative AI has been the talk …
Kayra Otaner joins the podcast today to discuss DevSecOps and answer the question, is it dead? Kayra is the Director of DevSecOps at Roche and is highly involved in the DevSecOps community. Kayra states that DevSecOps in its traditional form is “dead” and that each organization should approach its needs based on their size. Otaner introduces the co…