Application Security Weekly (Audio)

Appsec teams and developers must both understand the consequences of what they're doing when building APIs. Appsec teams need to push for collaboration and help implement tools that augment the development process. Dev teams need to wrangle complex architectures and work on addressing classes of vulns rather than just playing BugOps with scanner outputs. In the news, there's a (non-critical, but cool) RCE in ssh-agent forwarding, Node's vm2 bids adieu, zero-day from a CTF eventually makes it to a bug bounty program, Bad.Build, and more! This segment is sponsored by GuidePoint.  Visit https://securityweekly.com/guidepoint to learn more about them! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-248

While much has been written and argued about the security of election systems - the things that do the actual ballot counting - there's other systems that have to be in place and secured before the vote can occur - voter registration databases, ballot delivery systems, etc. Might it be possible to use modern appsec concepts OWASP SAMM to secure them in a more efficient, targeted, cost-effective manner? Brian Glas joins us to talk about this and his ongoing work around providing students with a modern application security education. It's a busy news week - We explore what happens when people trust plugging cables into their EVs in public, how an APT is leveraging docker and kubernetes to build a botnet, why you should be careful running code from "researchers," and much more Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly  Like us on Facebook: https://www.facebook.com/secweekly Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-247

Infosec is still figuring out useful metrics, how to talk about risk, and how to make resilience more relevant. Shannon talks about a new community effort to measure software trust. She also covers threat modeling and adversary management as steps towards determining an org's resiliency and security. Segment Resources: https://community.ravemetrics.com  Melinda will share results from her study last year on developer-focused security, "Walking the Line: Shift Left and GitOps Security" and discuss trends to help security keep up with modern software development. Segment Resources: ESG Complete Survey Results: Walking the Line: GitOps and Shift Left Security: https://research.esg-global.com/reportaction/515201532/Toc  Addressing the confusion around shift-left cloud security | TechTarget: https://www.techtarget.com/searchsecurity/opinion/Addressing-the-confusion-around-shift-left-cloud-security  Melinda Marks’s Most Recent Content: https://www.techtarget.com/contributor/Melinda-Marks  Visit [securityweekly.com/asw](https://securityweekly.com/asw) for all the latest episodes! Follow us on Twitter: [@SecWeekly](https://www.twitter.com/secweekly) Like us on Facebook: [facebook.com/secweekly](https://www.facebook.com/secweekly) Visit https://securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-246  

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 23, 2022. Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. We'll talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture.   Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-3 

Without visibility and continuous monitoring, dangerous threats expose our blind spots and create risk. Invicti, who brought together Acunetix and Netsparker, analyzes common web application vulns across thousands of assets yearly and releases the Invicti AppSec Indicator for a holistic view of vulnerability trends from automated scan results. In this talk, Invicti Director of Product Patrick Vandenberg shares a deep dive into the trends currently impacting AppSec programs and discusses some of the best practices that will help organizations achieve efficiencies in their programs. Segment Resources: - [AppSec Indicator Spring 2023 edition | Invicti](https://www.invicti.com/clp/appsec-indicator/?utm_medium=contentsyn&utm_source=sc_media&utm_campaign=i-syn_CRA-ASW-Jun2023&utm_content=230424-ga_spring-appsec-indicator&utm_term=brand) This segment is sponsored by Invicti. Visit [securityweekly.com/invicti](https://securityweekly.com/invicti) to learn more about them!  In the news, two XSS vulns via postMessage methods in Azure, how to choose (and move on from) a web research topic, OpenSSF finances a security developer-in-residence for Python, more infosec myths, free cybersecurity training resources. Visit [securityweekly.com/asw](https://securityweekly.com/asw) for all the latest episodes! Follow us on Twitter: [@SecWeekly](https://www.twitter.com/secweekly) Like us on Facebook: [facebook.com/secweekly](https://www.facebook.com/secweekly) Visit https://securityweekly.com/asw for all the latest episodes!  Show Notes: https://securityweekly.com/asw-245

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent trends in policy proposals shaping the future of security. We will also talk about bug bounties and vulnerability disclosure, what are some of the industry's best practices in this area, how to implement these programs to foster security, collaboration and transparency, and how this connects to the policy momentum and its impact on security researchers. Segment Resources: Project Circuit Breaker: https://www.intel.com/content/www/us/en/newsroom/news/intel-launches-project-circuit-breaker.html Project Circuit Breaker Landing Page: https://www.projectcircuitbreaker.com/ Intel’s 2021 Product Security Report: https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/vault-asw-2 

Eric Olden, CEO and Co-Founder of Strata Identity, discusses the concept of Identity Orchestration. He covers the evolving identity landscape and how it has evolved to keep pace with modern apps, the challenges encountered during an identity modernization project, how Identity Orchestration helps those modernization projects, and best practices for implementing secure identity. Segment Resources: - [Identity Orchestration Use Cases](https://www.strata.io/use-cases/) - [What is Identity Orchestration WhitePaper](https://www.strata.io/resources/whitepapers/what-is-identity-orchestration-and-why-you-need-it-to-succeed-with-multi-cloud/) This segment is sponsored by Strata.  Visit https://securityweekly.com/strata to learn more about them!  This year's Verizon DBIR is out, CVSS is updating its methodology, poor password reset design, SQL injection in MOVEit, a CTF for AWS IAM Visit https://www.securityweekly.com/asw for all the latest episodes!  Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-244

Walking the show floor at RSA Conference, you couldn't trip without falling into an application security vendor booth ... and API security specialists were especially plentiful. Join Forrester Principal Analyst Sandy Carielli for her thoughts on RSA Conference and a deep dive into the challenges of API security. Segment Resources: - https://www.forrester.com/blogs/insights-from-the-2023-rsa-conference-generative-ai-quantum-and-innovation-sandbox/ OWASP has a draft for the LLM Top 10, simple vulns in a modern SaaS app, ancient vuln in a Wordpress plugin, PyPI moves to secure its package manager accounts, ThinkstScape Quarterly research report, having fun with memory variables, DNS, and logins. Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-243

Check out this interview from the ASW VAULT, hand picked by main host Mike Shema! This segment was originally published on March 14, 2022. Cybersecurity is a large and often complex domain, traditionally focused on the infrastructure and general information security, with little or no attention to Application Security. Security providers usually tack-on AppSec services to their existing menu of offering without understanding the domain, and their team of professionals have little or no experience with software development or inner workings of modern application architectures. As the world turns Digital at a rapid pace accelerated by the recent pandemic, applications become common place in our lives, providing attackers more opportunities to exploit these poorly protected applications. As such, it is important to know what is actually required to build and run software securely, and how to do application security right. Segment Resources: https://forwardsecurity.com/2022/03/07/application-security-for-busy-tech-execs/   Show notes: https://www.scmagazine.com/podcast-episode/asw-188-farshad-abasi 

The OWASP Top 10 dates back to 2003, when appsec was just settling on terms like cross-site scripting and SQL injection. It's a list that everyone knows about and everyone talks about. But is it still the right model for modern appsec awareness? What if we put that attention and effort elsewhere? Maybe we could have secure defaults instead. Or linters and build tools that point out these flaws. We'll talk about top 10 lists, what we like about them, what we don't like, and what we'd like to see replace them. We'll also test our hosts' knowledge of just how many top 10 lists are out there.   Segment resources: [OWASP Top 10:2021](https://owasp.org/Top10/)  [OWASP API Security Project](https://owasp.org/www-project-api-security/) [OWASP Top 10 Mobile Risks](https://github.com/OWASP/www-project-mobile-top-10/blob/master/2016-risks/index.md) [OWASP Top 10 CI/CD Security Risks](https://owasp.org/www-project-top-10-ci-cd-security-risks/) and [ASW #220](https://www.scmagazine.com/podcast-episode/asw-220-daniel-krivelevich) [OWASP Low-Code/No-Code Top 10](https://owasp.org/www-project-top-10-low-code-no-code-security-risks/) [OWASP Top 10 Privacy Risks](https://owasp.org/www-project-top-10-privacy-risks/) [OWASP Proactive Controls](https://owasp.org/www-project-proactive-controls/) [OWASP AI Security and Privacy Guide](https://owasp.org/www-project-ai-security-and-privacy-guide/) [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org) [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) and [ASW #232](https://www.scmagazine.com/podcast-episode/asw-232-josh-grossman) [Moving on from the OWASP Top 10](https://deadliestwebattacks.com/appsec/2023/03/30/reflecting-on-the-owasp-top-10)   New TLDs are already old news, fuzzing eBPF validators, Microsoft sets to kill bug classes, draft RFC to track location trackers, a top ten list with directory traversal on it, conference videos from Real World Crypto and BSidesSF, and an attack tree generator from markdown.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw242