Application Security Weekly (Audio)

Vuln in an Atlassian Confluence app, "Dirty Dancing" in OAuth flows, security audits of sigstore and slf4j, flaws in fleet management app, conducting tabletop exercises.   Pressured by the speed of innovation, organizations are struggling to achieve the continuous web application security they need in the face of mounting threats and compliance requirements. What does it take in order for your AppSec program to be both effective and agile? In this segment, Ferruh Mavituna, founder and strategic advisor of Invicti Security, discusses best practices to help you implement an effective, agile, and – most importantly – continuous approach to application security. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw205

0-day vulnerabilities pose a high risk because cybercriminals race to exploit them and vulnerable systems are exposed until a patch is issued & installed. These types of software vulnerabilities can be found through continuous detection but even then may not always have a patch available. It’s important for software teams to set up tools that continually look for these types of flaws, as well as defenses that let software adapt itself to an evolving threat landscape. In this episode, we will discuss the ins and outs of 0-day vulnerabilities and what the future of managing them looks like. Segment Resources: Recent 0-day blog: https://www.contrastsecurity.com/security-influencers/contrast-protect-eliminates-another-zero-day-headache What is Contrast Security video: https://www.youtube.com/watch?v=8FwY6zJX1ms The Contrast Secure Code Platform video: https://www.youtube.com/watch?v=k5CycR4R6bg   This segment is sponsored by Contrast Security. Visit https://securityweekly.com/contrast to learn more about them!   This week in the AppSec News: speculative execution attack with retbleed, CSRB's report on log4j, one-line lowercase action leads to a vuln, approaching SOC2 with secure engineering principles, free online Mac Malware book   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw204

This week in the AppSec News: Apple introduces Lockdown Mode, PyPI hits 2FA trouble, cataloging cloud vulns, practical attacks on ML, NIST's post-quantum algorithms, & more!   Appsec starts with the premise that we need to build secure code, but it also has to be able to recommend effective practices and tools that help developers. This also means appsec teams need to work with developers to create criteria for security solutions, whether it's training or scanners, in order to make sure their investments of time and money lead to more secure apps. Segment Resources: https://forwardsecurity.com/2022/04/24/embedding-security-into-software-during-development/ https://forwardsecurity.com/2022/03/15/application-security-for-busy-tech-execs/ https://forwardsecurity.com/2022/03/09/sast-sca-dast-iast-rasp-what-they-are-and-how-you-can-automate-application-security/   Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw203

Both GraphQL and template engines have the potential for injection attacks, from potentially exposing data due to weak authorization in APIs to the slew of OGNL-related vulns in Java this past year. We take a look at both of these technologies in order to understand the similarities in what could go wrong, while also examining the differences in how each one influences modern application architectures.   This week in the AppSec News: Lessons learned from fuzzing, OT:ICEFALL report on insecure designs, CSA's Top Threats to Cloud Computing, Twitter apologizes for misusing data collection, & State of Open Source Security report!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw202

This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!   IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues. References: - https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf - https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v - https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx - https://web.archive.org/web/20190507215514/https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw201

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134 Seamlessly Connect & Protect Entire IT Ecosystem The new business reality is that everything is connected, and everyone is vulnerable. In today’s world, security resilience is imperative, and Cisco believes it requires an open, unified security platform that crosses hybrid multi-cloud environments. Our vision for the Cisco Security Cloud will reshape the way organizations approach and protect the integrity of the entire IT ecosystem.   Segment Resources:   Cisco Security Resilience: https://www.cisco.com/c/en/us/products/security/security-resilience.html This segment is sponsored by Cisco. Visit https://securityweekly.com/cisco to learn more about them!   The Culture Blindspot: Harmonizing DevSecOps Helps Curb Burnout Recent data shows that security and development teams are still stressed, and they’re taking that stress home with them. Not only are they spending unnecessary hours addressing security issues that they could have otherwise prevented with modern tools and best practices, but also these teams are taking time out of their personal lives during holidays and on weekends to manage critical issues, contributing to burnout and ultimately churn. There’s good news, though: relationships between security and development are steadily improving, and with the right support and modern tooling at hand, you can transform the lives of cybersecurity professionals while also boosting your organization’s security posture, too. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw200

Developers want bug-free code -- it frees up their time and is easier to maintain. They want secure code for the same reasons. Matias Madou joins to talk about how the definition of secure coding varies among developers and appsec teams, why it's important to understand those perspectives, and how training is just one step towards building a security culture. This week in the AppSec News: OWASP Top 10 for Kubernetes, Firefox improves security with process isolation, CNCF releases guidance on Secure Software Factories and Cloud Native Security, & the DOJ clarifies its policy on CFAA! Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw198

This week, in the first segment, Brian Glas answers the questions surrounding the next generations of AppSec professionals: What does it look like to try teaching cybersecurity at an undergraduate level? What are the goals and challenges faced when trying to help future generations learn what they need to know to contribute to this industry? Then, in the AppSec News: Typosquatting spreads to Rust, curl fixes flaws in mishandling dots and slashes, OpenSSF invests in a mobilization plan for open source, &interesting AppSec from Black Hat Asia! Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw197

This week, Mike and John kick off the show with an interview of Christoph Nagy, the CEO of SecurityBridge! Then, in the AppSec News: Secure coding practices and smart contracts, lessons from the Heroku breach, Real World Crypto conference highlights, and an entertaining bug in Google Docs, & more! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw196

This week, Mike and John interview Lynn Marks, Product Manager at Imperva, & discuss Bad Bots: The Automated Threat Targeting Your Websites, Apps, & APIs! In the AppSec News: ExtraReplica in Azure, Chrome disfavors document.domain, appsec presentations highlighted in the latest Thinkst Quarterly, Nimbuspwn Vuln in Linux, & more! This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw195