loader from loading.io

The Fallout and Lessons Learned from the CrowdStrike Fiasco - Shimon Modi, Jeff Pollard, Allie Mellen, Boaz Barzel - ASW #296

Application Security Weekly (Audio)

Release Date: 08/20/2024

Avoiding Appsec's Worst Practices - ASW #324 show art Avoiding Appsec's Worst Practices - ASW #324

Application Security Weekly (Audio)

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: Visit for all the latest episodes! Show Notes:

info_outline
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323 show art Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323

Application Security Weekly (Audio)

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans. Segment resources: Visit for all the latest episodes!...

info_outline
Redlining the Smart Contract Top 10 - Shashank . - ASW #322 show art Redlining the Smart Contract Top 10 - Shashank . - ASW #322

Application Security Weekly (Audio)

The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Resources: Visit for all the latest episodes! Show Notes:

info_outline
CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321 show art CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321

Application Security Weekly (Audio)

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating...

info_outline
Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320 show art Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320

Application Security Weekly (Audio)

Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects in the world. Segment Resources: Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more!...

info_outline
Developer Environments, Developer Experience, and Security - Dan Moore - ASW #319 show art Developer Environments, Developer Experience, and Security - Dan Moore - ASW #319

Application Security Weekly (Audio)

Minimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of this means for security. Applying forgivable vs. unforgivable criteria to reDoS vulns, what backdoors in LLMs mean for trust in building software, considering some secure AI architectures to minimize prompt injection impact, developer reactions to...

info_outline
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318 show art Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318

Application Security Weekly (Audio)

We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly. Segment Resources: Top 10, 2024: Full nomination list: ...

info_outline
Code Scanning That Works With Your Code - Scott Norberg - ASW #317 show art Code Scanning That Works With Your Code - Scott Norberg - ASW #317

Application Security Weekly (Audio)

Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier. Segment Resources: - Identifying and eradicating unforgivable vulns, an...

info_outline
Threat Modeling That Helps the Business - Akira Brand, Sandy Carielli - ASW #316 show art Threat Modeling That Helps the Business - Akira Brand, Sandy Carielli - ASW #316

Application Security Weekly (Audio)

Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers. Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for...

info_outline
Security the AI SDLC - Niv Braun - ASW #315 show art Security the AI SDLC - Niv Braun - ASW #315

Application Security Weekly (Audio)

A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have been working with ML and sensitive data sets for a long time, and it's good to have more scrutiny on what controls should be present to protect that data. This segment is sponsored by Noma Security. Visit  to learn more about them! An open...

info_outline
 
More Episodes

This week, Jeff Pollard and Allie Mellen join us to discuss the fallout and lessons learned from the CrowdStrike fiasco. They explore the reasons behind running in the kernel, the challenges of software quality, and the distinction between a security incident and an IT incident. They also touch on the need to reduce the attack surface and the importance of clear definitions in the cybersecurity industry. The conversation explores the need for a product security revolution and the importance of transparency and trust in security vendors.

As development cycles shorten and more responsibilities shift to developers, application security (AppSec) is rapidly evolving. Organizations are increasingly building mature programs that automate and enhance AppSec, moving beyond manual processes. In this discussion, we explore how organizations are adapting their AppSec practices, highlighting the challenges and milestones encountered along the way.

Key topics include the integration of security into the development lifecycle, the impact of emerging technologies, and strategies for fostering a security-first culture. Boaz Barzel shares his experiences and offers practical advice on overcoming common obstacles, ensuring that security measures keep pace with rapid technological advancements. This segment serves as a comprehensive guide for organizations striving to enhance their AppSec practices and continuously optimize their posture.

This segment is sponsored by OX Security. Visit https://securityweekly.com/oxbh to learn more about them!

Given the rapid rise of threat actors utilizing AI for cyber-attacks, security teams need advanced AI capabilities more than ever.

Shimon will discuss how Dataminr’s Pulse for Cyber Risk uses Dataminr’s leading multi-modal AI platform to provide the speed and scale required to build enterprise resilience in the modern cyber threat environment. Dataminr's world-leading AI platform helps companies stay informed - performing trillions of daily computations across billions of public data inputs from more than one million unique public data sources encompassing text, image, video, audio and sensor signals to provide real-time information when you need it most.

Segment Resources: https://www.dataminr.com/pulse/cyber-risk/?utmsource=google&utmmedium=paidsearch&utmterm=dataminr%20company&utmcampaign=NORAMDIGIBRG-SearchHDRSMajEntDemo&utmsource=google&utmmedium=paidsearch&hsaacc=8657480186&hsacam=958164645&hsagrp=125093879176&hsaad=654125003504&hsasrc=g&hsatgt=kwd-338332441603&hsakw=dataminr%20company&hsamt=p&hsanet=adwords&hsaver=3&gadsource=1&gclid=CjwKCAjwnqK1BhBvEiwAi7o0XxetJ1k8xcqlYk1Pk5Jsr6Adr2yP-9yhNM7oxISq2-Rbz-UunCxSmhoCYfgQAvD_BwE

https://www.dataminr.com/resources/on-demand-webinar/why-cyber-physical-convergence-really-matters

This segment is sponsored by Dataminr. Visit https://securityweekly.com/dataminrbh to learn more about their world-leading AI platform perform!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-296