Application Security Weekly (Audio)

Software Trust & Adversaries, Developer-Focused Security - Shannon Lietz, Melinda Marks - ASW #246

This episode covers a wide range of topics related to software trust, metrics, resilience, security, and collaboration between developers and security teams. It explores the challenges faced by organizations in measuring trust in software and highlights the importance of metrics such as resilience, adoption, velocity, and error rates. The episode also delves into the role of security teams in shifting left and working closely with developers to ensure better security outcomes. Additionally, it discusses the unique considerations and challenges in Cloud Native app-sec and offers insights on cloud security programs and vendor selection.

The Psychology of Training - Matias Madou - ASW Vault

This episode covers the importance of a good security culture, effective ways to address security, evaluating the effectiveness of security programs, promoting secure coding practices, effective training strategies, and creating developer-friendly solutions. Topics include the need for relevant and interactive content, the role of security champions, measuring the impact of training, focusing on one vulnerability at a time, convincing management teams to invest in security, aligning training with organizational resources, and embedding knowledge into development environments.

Latest Web Vulnerability Trends & Best Practices - Patrick Vandenberg - ASW #245

This episode covers a range of topics including the 20th anniversary of '28 Days Later' and its impact on the zombie genre, web vulnerability trends and best practices with Patrick Vandenberg from Invicti, news highlights on XSS in Azure and debunking myths about application security. It also delves into insights on organizations scanning more having fewer vulnerabilities, efficiency and proficiency in addressing vulnerabilities, improvements in vulnerability classes like cross-site scripting, collaboration and operational efficiency in risk containment, allocation of effort in fixing vulnerabilities, trends and profiles in application security, IoT security and shifting left, continuous automated scanning and production environments, risk conversations and business safe software, KeyCloak and IAM challenges, exploring new areas of research in security, bug bounties and security developer in residence programs, Linux kernel vulnerabilities and strategic vulnerability management, a security issue with Amazon CDK, and the importance of practical experience in production environments for job applications.

Policy Momentum in Coordinated Vulnerability Disclosure - Amit Elazari - ASW Vault

The episode discusses the importance of building connections between institutions and the hacker community, the increased adoption of vulnerability disclosure programs and bug bounties, flexible security policies and collaboration with researchers, engaging with researchers and fostering collaboration, resources for vulnerability disclosure programs, and resources for effective vulnerability reporting.

Enhancing Security: App Modernization, Identity Orchestration, & Big IAM Challenge - Eric Olden - ASW #244

This episode covers a wide range of topics related to identity management, access control, and security practices. From threat modeling using Jurassic Park as a reference to implementing passwordless authentication and avoiding lock-in, the episode explores the challenges and best practices in modern identity management. It also delves into the importance of distributed policies, zero trust principles, common vulnerabilities, and security risks. The episode concludes with discussions on trust issues, formal verification methods, improving security workflows, and effective measurement in the field of security.

What's the Deal with API Security? - Sandy Carielli - ASW #243

The episode covers a range of topics including the 40th anniversary of the movie War Games, API security challenges and solutions, vulnerabilities in PHP-based applications and WordPress plugins, encryption and password management considerations, understanding memory representation and building DNS from scratch, detecting anomalies in AWS infrastructures, real-time ML model drift detection, highlights from Thinkscapes quarterly, and community pledges.

Navigating the Complexities of Application Security: Vulnerability Management, Risk Mitigation, and Business Logic Attacks - ASW #239

• Phones are backed up on the CVE Expressway due to passing 200,000 records last week.
• Major delays at the intersection of CI and CD due to an overturned truck carrying CVSS scores.
• There's major construction down at the infrastructure as code, but once you're past the on-ramp traffic is moving quickly....