Application Security Weekly (Audio)

This week, we welcome Ted Harrington, Executive Partner at Independent Security Evaluators, to discuss Hackable; How to do Application Security Right! In the Application Security News, Implementation pitfalls in parsing JSON, finding all forms of a flaw with CodeQL, more educational resources for hacking apps, engineering and product management practices for DevOps, & more!   Show Notes: https://securityweekly.com/asw141 Register for the DevSecOps eSummit for which Ted will be a panelist: https://onlinexperiences.com/Launch/QReg.htm?ShowUUID=5673DA7C-B8C2-4A3E-B675-C6BBF45DC04F   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome Brandon Edwards, Co-Founder and Chief Scientist at Capsule8, to discuss Targeting, Exploiting, & Defending Linux! Linux is all over the place (sometimes surprising), why is targeting it different? What types of attacks are used? How can we defend against attacks on Linux? We can incorporate recent attacks against Sudo as a timely reference. In the Application Security News, Dependency confusion for internal packages, Chrome pulls down the Great Suspender, Microsoft highlights web shells, some strategies on scaling AppSec, & more!   Show Notes: https://securityweekly.com/asw140 Visit https://securityweekly.com/capsule8 to learn more about them! To register for Capsule8's upcoming webcast "Preparing Linux Hosts for Unexpected Threats" visit https://attendee.gotowebinar.com/register/1056145103342240783?source=SW   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome Alissa Knight, Partner at Knight Ink, to discuss Being a Serial Entrepreneur, Business Leader, & Hacker! Alissa Knight has spent her career going against industry and social norms as both a Transgendered and Lesbian business leader and hacker. Learn more about her, her achievements as a published author, her recent vulnerability research in hacking law enforcement vehicles, mHealth apps and APIs, her life as a hacker, and barriers she's broken down in business. In the AppSec News, Funding bounties or finding bugs, how should we invest? Talks from Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020!   Show Notes: https://securityweekly.com/asw139 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome John Delaroderie, Security Solutions Architect at Qualys, to discuss Groundhog Day - It's Time to Reset the Script on Vulnerabilities! In honor of the movie Groundhog Day, John will take a look at the top 10 most routinely exploited vulnerabilities through a web app security lens. In the Application Security News, Sudo sure does, Libgcrypt flaw, iMessage demonstrates security by design, AWS Lambda shares a message on its design security, & more!   Show Notes: https://securityweekly.com/asw138 Visit https://securityweekly.com/qualys to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome back Taylor McCaslin, Sr. Product Manager of Secure at GitLab, to discuss Reading Industry Analyst Tea Leaves To Predict The Future! It's analyst season with the new Forrester Wave on SAST recently published as well as Gartner's Application Security Testing Magic Quadrant publishing in April. We'll talk about what are analyst reports, how should you use them, and how should you interpret placement on them as as I like to call it, reading the analyst tea leaves.   In the AppSec News, an overflow and a flawed regex paint an RCE picture for Kindle, messaging apps miss the message on secure state machines, three pillars of a data security strategy for the cloud, where DoH might fit into AppSec, and all the things that can go wrong when you give up root in your Kubernetes pod!   Show Notes: https://securityweekly.com/asw137 Visit https://securityweekly.com/GitLab to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome Andrei Serban, Co-Founder at Fuzzbuzz, to discuss Fuzz Testing! Fuzzing can be successful AppSec strategy for finding software bugs. And deploying a fuzzer no longer needs to be a cumbersome process. Find out how fuzzing can help secure software beyond just memory safety issues and what the future holds for making this strategy more effective for modern apps. In the AppSec News, Significant source code leak from misconfigured repo, side-channel attack on hardware authentication keys, a third bug bounty for the U.S. Army, the cost of poor software quality, and the benefits of DevOps approaches to building systems!   Show Notes: https://securityweekly.com/asw136 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

A premise of adding security to DevOps is we can "shift left" AppSec responsibilities, one of which is building apps so they're secure by design. Yet what resources does the AppSec community provide for this approach to design? We take a look at the OWASP Top 10, Web Security Testing Guide, and Application Security Verification Standard to find a way forward for DevOps teams. In the AppSec News, Microsoft purges malicious SolarWinds presence and highlights a threat model around their source code, the tl;drsec crew provides a hardening guide for Kubernetes, Apples provides a user guide for hardening accounts, and Firefox provides a new storage system to defeat side channel abuse!   Show Notes: https://securityweekly.com/asw135 Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome Ev Kontsevoy, CEO at Teleport, to discuss Freedom From Computing Environments! In the Application Security News, FireEye shares supply chain subterfuge, researchers show repeated mistakes in TCP/IP stacks, Google open sources Python fuzzing, Cisco and Microsoft patch their patches for vulns in Jabber and printer modules!   Show Notes: https://securityweekly.com/asw134 Visit https://securityweekly.com/teleport to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly

This week, we welcome Mike Manrod, CISO of Grand Canyon University, joined by John Delaroderie, Security Solutions Architect at Qualys, to discuss his approach to web application security with an emphasis on improving knowledge of web application vulnerabilities and the external attack surface, and his approach to reducing the number of opportunities an attacker has to compromise our information and infrastructure! In the Application Security News, An old security bug in the Play library still affects 8% of apps in Google Play, Project Zero researcher spends six months to reboot an iPhone (in an epic manner), GitHub looks at the security of repos within its Octoverse, the OWASP Web Security Testing Guide gets a minor bump, and XS-Leaks get more attention.   Show Notes: https://securityweekly.com/asw133 Visit https://securityweekly.com/qualys to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we welcome back Tim Mackey, Principal Security Strategist at Synopsys, to talk about Security Decisions During Application Development! In the Application Security News, Xbox bug exposed email identities, focusing on prevention for your cloud security strategies, Amazon looking to hire more Rust developers, KubeCon continues push for security, and a DevOps reading list!   Show Notes: https://securityweekly.com/asw132 Visit https://securityweekly.com/synopsys to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly