Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now they're bracing for the coming of genAI and how that will just further highlight the current struggles they're having with data security and data...

How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve. Segment resources: ...

There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: ...

We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software. It's an exciting topic partially because so much...

Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less...

One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place. Segment resources: ...

Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What decisions can you make at the start that will benefit the program in the years that follow? What does an appsec program look like at a small scale? Segment Resources: "Cybersecurity for Nonprofits",...

A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps organizations can take to protect their APIs. This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about...

The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more. Segment resources: ...

Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable...

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models. Segment Resources: - Original blog:...

We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be. Segment Resources: https://www.lacework.com/blog/introducing-a-new-approach-to-code-security/ LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering...

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/pscf...

We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices? Segment resources: https://bsidessf.org https://infosec.exchange/@worldwise001/111280163638514582 https://www.youtube.com/watch?v=1lVIeh5f4Rg Vulns in Jenkins code...

Where apps provide something of value, bots are sure to follow. Modern threat models need to include scenarios for bad bots that not only target user credentials, but that will also hoard inventory and increase fraud. Sandy shares her recent research as we talk about bots, API security, and what developers can do to deal with these. Segment resources https://www.forrester.com/blogs/avoid-a-bot-waterloo/ ...

It's time to start thinking about CFPs and presentations for 2024! Eve shares advice on delivering technical topics so that an audience can understand the points you want to make. Then we show how developing these presentation skills for conferences helps with presentations within orgs and why these are useful skills to build for your career. Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook:...

We kick off the new year with a discussion of what we're looking forward to and what we're not looking forward to. Then we pick our favorite responses to "appsec in three words" and set our sights on a new theme for 2024. In the news, 23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on...

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134 Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/vault-asw-7

We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity...

Service meshes create the opportunity to make security a team sport. They can improve observability and service identity. Turning monoliths into micro services sounds appealing, but maybe not every monolith needs to be broken up. We'll also talk about the maturity and design choices that go into service meshes and when a monolith should just remain a monolith. Segment Resources: https://www.solo.io/blog/kubernetes-security-cloud-native-applications/...

We have a lot of questions about standards. How do standards emerge? How do standards encourage adoption? How do they stay relevant as development patterns change and security threats evolve? We have standards for web appsec (HTML, HTTP), all sorts of protocols, and all sorts of authentication (OAuth, OpenID). Learning how these standards come about can also inform how your own org documents designs and decisions. Segment resources https://datatracker.ietf.org/doc/html/rfc3552...

We cover appsec news on a weekly basis, but sometimes that news is merely about the start of a new project, sometimes it's yet another example of a vuln class, and sometimes it's a topic we hope doesn't become a trend. So, what themes have we seen and where do we see them going? Here are a few headline topics that have alternately generated yays and yawns. CISA's Secure by Design and Secure by Default CVSS 4.0 Generative AI MFA mandates Microsoft, Rust, and Memory Safety New TLDs OAuth...

This year we've talked about vulns, clouds, breaches, presentations, and all the variations of Dev, Sec, and Ops. As we end the year, let's talk about starting things -- like starting an appsec program or an appsec career. But is there still a need for an appsec team? Or has it turned into specializations for areas like cloud security and bug bounty programs? We'll cover careers and coding, with an eye towards figuring out what modern software development looks like and where application (or...

Firmware security is complex and continues to be an industry challenge. In this podcast we'll talk about the reasons firmware security remains a challenge and some best practices around platform security. Segment Resources: https://www.helpnetsecurity.com/2020/04/27/firmware-blind-spots/ https://www.helpnetsecurity.com/2020/09/28/hardware-security-challenges/ https://darkreading.com/application-security/4-open-source-tools-to-add-to-your-security-arsenal ...