Application Security Weekly (Audio)

In this episode, Neatsun Ziv, co-founder and CEO of Ox security takes a deep dive into supply chain security. He focuses on the new Open Software Supply Chain Attack Reference (OSC&R), a consortium of leading cybersecurity leaders. OSC&R the first and only open framework for understanding and evaluating existing threats to entire software supply chain security. Segment Resources: https://pbom.dev/ -https://github.com/pbomdev/   OSCAR WebSocket hijack that leads to a full workspace takeover in a cloud IDE, malicious packages flood public repos, side-channel attack on a post-quantum algorithm, looking at OWASP's evolution, OAuth misconfigs lead to account takeover, AI risk management framework, Zed Attack Proxy   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly   Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw231

Join us for this segment with Lina Lau to learn lessons from real incident response engagements covering types of attacks leveraged against the cloud, war stories from supply chain breaches seen in the last 1-2 years, and how defenders and enterprises can better protect and proactively defend against these attacks.   Segment Resources: Attacking and Defending the Cloud (Training) https://training.xintra.org/ Blackhat Singapore 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (VIRTUAL) https://www.blackhat.com/asia-23/training/schedule/index.html#advanced-apt-threat-hunting--incident-response-virtual-29792 Blackhat USA 2023 Training ADVANCED APT THREAT HUNTING & INCIDENT RESPONSE (IN-PERSON) https://www.blackhat.com/us-23/training/schedule/#advanced-apt-threat-hunting--incident-response-30558     Twitter 2FA goes away, safe testing for server-side prototype pollution, OWASP's guide on AI security & privacy, Adobe's approach to smarter security testing, a fast web fuzzer   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw230

It's another holiday week, so enjoy this episode from our archives! What does a collaborative approach to security testing look like? What does it take to tackle an entire attack class as opposed to fixing a bunch of bugs? If we can shift from vulnerability mitigation to vulnerability elimination, then appsec would be able to demonstrate some significant wins -- and they need a partnership with DevOps teams in order to do this successfully. Log4j has more updates and more vulns (but probably not more heartburn...), revisiting outages and whether availability has made it into your threat models, deep dive into hardware security, another data point on bug bounty awards, and looking at risk topics for the next year. This completes another year of the podcast! A very heartfelt thank you to all our listeners! And a special thank you and shout out to the crew that helps make this possible every week -- Johnny, Gus, Sam, and Renee. We'll keep the New Wave / Post-Punk, movie, and pop culture references coming for all the appsec and DevOps topics you can throw our way. Thanks again everyone!!   Segment Resources: - https://blog.trailofbits.com/   Show Notes: https://securityweekly.com/asw178

Organizations spend hundreds of work hours to build applications and services that will benefit customers and employees alike. Whether the application/service is externally facing or for internal use only, it is mandatory to identify and understand the scope of potential cyber risks and threats it poses to the organization. But where and how do you start with an accurate threat model? Nick can discuss how to approach this and create a model that's useful to security and developers alike. Segment Resources https://github.com/trailofbits/publications/blob/master/reviews/2022-12-curl-threatmodel.pdf   Reddit's breach disclosure, simple vulns in Toyota's web portals, OpenSSL vulns, voting results for Portswigger's top 10 web hacking techniques of 2022, tiny IoT cryptography implementations, real world migration of a million lines of code    Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw229

Most of the myths and lies in InfoSec take hold because they seem correct or sound logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups. This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves. Resources - https://www.usenix.org/conference/enigma2023/presentation/sanabria - https://www.usenix.org/sites/default/files/conference/protected-files/enigma2023_slides_sanabria.pdf - https://yourbias.is - Discuss: What Makes a Good Breach Response? - ESW #303: https://www.youtube.com/watch?v=5RpZiVu3xEs   The aviation equivalent of ASCII art, a memory safety issue in OpenSSH that might not be terrible, a format string in F5 that might be terrible, a new MITRE framework for supply chain security, programming languages and secure code   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw228

Dr. David Movshovitz, cybersecurity expert, discusses $10M ransom demand to Riot Games, DoS in BIND, an unexpected Twilio refactor, Rust insights, SQL Slammer 20 years later, and SQLMap tool. Also covers logging importance, user journey analytics, SaaS usage monitoring, challenges for new AppSec hires, source code leaks in gaming, refactoring efforts, memory safety, language security, and source code audits.

Breach disclosures from T-Mobile and PayPal, SSRF in Azure services, Google Threat Horizons report, integer overflows and more, Rust in Chromium, ML for web scanning, Top 10 web hacking techniques of 2022 Developers write code. Ideally, secure code. But what do we mean by secure code? What should secure code training look like? Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw226

We're aren't recording this holiday week, so enjoy this ASW throwback episode! Main host Mike Shema selected this episode to share as it's still relevant to the AppSec community today.    This week, we welcome Nuno Loureiro, CEO at Probely, and Tiago Mendo, CTO at Probely, to talk about Dev(Sec)Ops Scanning Challenges & Tips! There's a plenitude of ways to do Dev(Sec)Ops, and each organization or even each team uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important to understand how to integrate a security scanner in your DevSecOps processes. It all comes down to speed, how fast can I scan the new deployment? Discussion around the challenges on how to integrate a DAST scanner in DevSecOps and some tips to make it easier.   In the AppSec News: View source good / vuln bad, IoT bad / rick-roll good, analyzing the iOS 15.0.2 patch to develop an exploit, bypassing reviews with GitHub Actions, & more NIST DevSecOps guidance!   Show Notes: https://securityweekly.com/asw170   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Exposed secrets from CircleCI, web hackers target the auto industry, $100K bounty for making Google smart speakers listen, inspiration from Office Space, AWS making better defaults for S3, resources for learning Rust   This segment will discuss options for protecting your APIs. First, why protect them? Second, what are the options and the tradeoffs. Segment Resources: - https://stackoverflow.blog/2022/04/11/the-complete-guide-to-protecting-your-apis-with-oauth2/ - https://fusionauth.io/learn/expert-advice/ - https://fusionauth.io/learn/expert-advice/oauth/modern-guide-to-oauth - https://oauth.net/2/ - https://tools.ietf.org/html/rfc6749 - https://datatracker.ietf.org/doc/id/draft-ietf-oauth-v2-1-07.html - https://paseto.io - https://securityboulevard.com/2021/11/biggest-api-security-attacks-of-2021-so-far/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw225

How do you mature a team responsible for securing software? What are effective ways to prioritize investments? We'll discuss a set of posts on building talent, building capabilities, and what mature teams look like. Segment resources: - https://securing.dev/categories/essentials/   Metrics for building a security product, hands-on image classification attacks, a proposed PEACH framework for cloud isolation, looking back at Log4Shell, building an appsec toolbox   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw224