Application Security Weekly (audio)

While APIs enable innovation, they’re increasingly targeted as a pathway to data. API abuses are often carried out through automated attacks, in which a botnet floods the API with unwanted traffic—seeking vulnerable applications and unprotected data. In this discussion, Karl Triebes shares what you need to know about the automated bot threats targeting your APIs with guidance on how to protect your applications and APIs from these attacks. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!   The punycode parsing in OpenSSL, missing authentication in Azure Cosmos DB Notebooks, the importance of documentation in security, labeling IoT security, bad response to a security disclosure   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw219

A critical OpenSSL vuln is coming this Tuesday, a SQLite vuln, Apple blogs about memory safety and bug bounties, determining a random shuffle   The Web3 ecosystem is chock full of applications and projects that have lost money (and their customers’ money) due to breaches, code flaws, or outright fraud. How can security teams do a better job of protecting Web3 apps? Web3 applications (including NFTs) aren’t just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) at the same time as being a desirable target because of the value association with tokens. Join us for a lively discussion about key threats to Web3 apps – both on-chain and off-chain - what we can do to mitigate them…and what we absolutely should not do. Additional resources - https://www.bloomberg.com/features/2022-the-crypto-story/ - https://web3isgoinggreat.com - https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/   Visit https://www.securityweekly.com/asw for all the

Learn what keeps DevOps and SecOps up at night when securing Kubernetes, container, and cloud native applications, what tactics are best for developers and application architects to consider when securing your latest cloud application and hardening your CI/CD pipeline and processes. This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw217

Exploiting FortiOS with HTTP client headers, mishandling memory in Linux kernel Wi-Fi stack, a field guide to security communities, secure coding resources from the OpenSSF, Linux kernel exploitation Cybersecurity is a data problem. Accelerated AI enables 100 percent data visibility and faster threat detection and remediation. Find out how NVIDIA used AI to reduce cybersecurity events from 100M per week to up to 10 actionable events per day, and accelerate threat detection from weeks to minutes.   Segment Resources: Morpheus new digital fingerprinting GTC Fall 22 Demo Video: https://www.youtube.com/watch?v=8rEPkHRvDq0 Morpheus Web Page: https://developer.nvidia.com/morpheus-cybersecurity Morpheus Digital Fingerprinting Blog: https://developer.nvidia.com/blog/fingerprinting-every-network-user-and-asset-with-morpheus/ Detecting Threats Faster with AI-Based Cybersecurity Blog: https://developer.nvidia.com/blog/detecting-threats-faster-with-ai-based-cybersecurity/ Enroll in our free, self-paced, 1-hour DLI cour

We talk with Akira Brand about appsec educational resources and crafting better resources for developers to learn about secure coding. Segment Resources: - www.akirabrand.com - www.wehackpurple.com - www.owasp.org - www.brightsec.com/blog   Rust arrives in the Linux Kernel, verdict in the Uber security case, overview(s) of JavaScript prototype pollution, flaws in PHP Composer and the NPM vm2 package, reading CloudSecDocs   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw215

The core focus of this podcast is to provide the listeners with food for thoughts for what is required for releasing secured cloud native applications - Continuous, Multi-layer, and Multi-service analysis and focusing not only on the code, but also on the runtime and the infrastructure. - Focus on the vulnerabilities that matter. The critical, exploitable ones. Use Context. - Choose the right remediation forms. It may come in different shapes Segment Resources: Oxeye Website for videos and content - www.oxeye.io   Exchange RCE, bulk pull requests to patch at scale, metrics from DORA, best papers from USENIX, implementing passkeys   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw214

Applications are the most frequent external attack vector for companies. However, application security can improve only if developers either code securely or remediate existing security flaws — unfortunately, many don’t receive training with proper security know-how. In this session, we will talk about the state of application security education and what you can do to secure what you sell. Segment Resources: - https://www.forrester.com/blogs/school-is-in-session-but-appsec-is-still-on-vacation/?ref_search=3502061_1663615159889 https://www.wisporg.com/events-calendar/2022/11/8/security-amp-risk-conference-forrester https://www.veracode.com/events/hacker-games https://blogs.microsoft.com/blog/2021/10/28/america-faces-a-cybersecurity-skills-crisis-microsoft-launches-national-campaign-to-help-community-colleges-expand-the-cybersecurity-workforce/ Wiz reveals authorization bypass in Oracle Cloud, Python 15-year old path traversal flaw, Prototype Pollution in Chrome, PS4 flaw reappears in PS5, Why security produ

Appsec places a lot of importance on secure SDLC practices, API security, integrating security tools, and collaborating with developers. What does this look like from a developer's perspective? We'll cover API security, effective ways to test code, and what appsec teams can do to help developers create secure code. This segment is sponsored by ThreatX. Visit https://securityweekly.com/threatx to learn more about them!   Appsec dimensions of the Uber breach, Rust creates a security team, MiraclePtr addresses C++ heap mistakes for Chrome, a critical reading of the NSA/CISA Supply Chain guidance, talking about careers   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw212

Go releases their own curated vuln management resources, OSS-Fuzz finds command injection, Microsoft gets rid of Basic Auth in Exchange, NSA provides guidance on securing SDLC practices, reflections on pentesting, comments on e2e   Shifting left has been a buzzword in the application security space for several years now, and with good reason – making security an integral part of development is the only practical approach for modern agile workflows. But in their drive to build security testing into development as early as possible, many organizations are neglecting application security in later phases and losing sight of the big picture. In this talk, Invicti’s Chief Product Officer Sonali Shah discusses the challenges and misunderstandings around shifting left, and provides tips on how organizations can implement web application security program without tradeoffs throughout the whole application security lifecycle. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more ab

We will review the primary needs for cloud security: - Guardrails against misconfiguration - Continuously Identify and Remediate Vulnerabilities in Cloud APIs, Apps, and Services - Observability, Protection, and Reporting against Compliance and Risk Policies - We will also review CNAPP -- Cloud Native Application Protection Platform -- and why companies need to take a closer look for the best cloud security Segment Resources: - https://www.datatheorem.com/news/2021/data-theorem-representative-vendor-cnapp-2021-gartner-innovation-insight-report   Twitter whistleblower complaint lessons for appsec (and beyond), the LastPass breach, building a culture of threat modeling, signed binaries become vectors for ransomware, a look back to the birth of Nmap and the beginning of Linux.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw210

The unique nature of cloud native apps, Kubernetes, and microservices based architectures introduces new risks and opportunities that require AppSec practitioners to adapt their approach to security tooling, integration with the CI/CD pipeline, and how they engage developers to fix vulnerabilities. In this episode, we’ll discuss how AppSec teams can effectively manage the transition from securing traditional monolithic applications to modern cloud native applications and the types of security tooling needed to provide coverage across custom application code, dependencies, container images, and web/API interfaces. Finally, we’ll conclude with tips and tricks that will help make your developers more efficient at fixing vulnerabilities earlier in the SDLC and your pen testers more effective. Segment Resources: https://www.deepfactor.io/kubernetes-security-essentials-securing-cloud-native-applications/ https://www.deepfactor.io/resource/observing-application-behavior-via-api-interception/ https://www.deepfactor

Let's talk about adding security tools to a CI/CD, the difference between "perfect" and "good" appsec, and my upcoming book. Segment Resources: https://community.wehackpurple.com #CyberMentoringMonday on Twitter Microsoft fixes an old bounty from 2019, rewards almost $14M on bounties in the past year, and releases a security layer for Edge; Black Hat talks on bounties and desync attacks, Google's bounties for the Linux kernel, modifying browser behavior, and the Excel championships.   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw208

In today's high-tech industries, security is struggling to keep up with rapidly changing production systems and the chaos that agile development introduces into workflows. Application security (AppSec) teams are fighting an uphill battle to gain visibility and control over their environments. Rather than invest their time in critical activities, teams are overwhelmed by gaps in visibility and tools to govern the process. As a result, many digital services remain improperly protected. In this episode, we plan to address and discuss the current state of AppSec, and point out a few common failure points. Afterwards we plan to discuss what agile AppSec looks like, and how a reorganization, and a shift in management strategy could greatly transform the field, and allow business to truly address the risk of under-protected software.   Segment Resources: https://appsecmap.com/   Nextauth.js account takeover due to parsing flaw, URL parsing flaw in Go's net/url, another path traversal, Slack exposes password hashes (

In our first segment, we are joined by Manish Gupt, the CEO and Co-Founder of ShiftLeft for A discussion of how the changes and advancements in static application security testing (SAST) and intelligent software composition analysis (SCA) have helped development and DevSecOps teams work better together to fix security issues faster! In the AppSec News: Multiple vulns in a smart lock, Office Macros finally disabled by default, data breach costs and threat modeling, designing migration paths for 2FA, & more!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw206

Nikhil will be discussing the pain points that leaders in the application security space are facing, which can cover how software development has evolved, as well as how this has impacted development teams and security teams as well as the occurrence of shifting left. He would also like to speak to the solution he has found to this problem, specifically being that of developing a community, the Purple Book Community. This closely connects to the final topics he would like to cover, which include how breaches have continued to occur at an increasingly rapid pace, leading to the importance behind why and how companies should be prepared for when, not if, a cyber attack will occur. The talk will also cover how the Purple Book of Software Security came about and how it has now morphed into a global movement by security leaders, for security leaders, to develop secure software. Segment Resources: https://www.armorcode.com/ https://www.thepurplebook.club/ https://www.armorcode.com/what-is-appsecops https://www.armo

Vuln in an Atlassian Confluence app, "Dirty Dancing" in OAuth flows, security audits of sigstore and slf4j, flaws in fleet management app, conducting tabletop exercises.   Pressured by the speed of innovation, organizations are struggling to achieve the continuous web application security they need in the face of mounting threats and compliance requirements. What does it take in order for your AppSec program to be both effective and agile? In this segment, Ferruh Mavituna, founder and strategic advisor of Invicti Security, discusses best practices to help you implement an effective, agile, and – most importantly – continuous approach to application security. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw205

0-day vulnerabilities pose a high risk because cybercriminals race to exploit them and vulnerable systems are exposed until a patch is issued & installed. These types of software vulnerabilities can be found through continuous detection but even then may not always have a patch available. It’s important for software teams to set up tools that continually look for these types of flaws, as well as defenses that let software adapt itself to an evolving threat landscape. In this episode, we will discuss the ins and outs of 0-day vulnerabilities and what the future of managing them looks like. Segment Resources: Recent 0-day blog: https://www.contrastsecurity.com/security-influencers/contrast-protect-eliminates-another-zero-day-headache What is Contrast Security video: https://www.youtube.com/watch?v=8FwY6zJX1ms The Contrast Secure Code Platform video: https://www.youtube.com/watch?v=k5CycR4R6bg   This segment is sponsored by Contrast Security. Visit https://securityweekly.com/contrast to learn more about the

This week in the AppSec News: Apple introduces Lockdown Mode, PyPI hits 2FA trouble, cataloging cloud vulns, practical attacks on ML, NIST's post-quantum algorithms, & more!   Appsec starts with the premise that we need to build secure code, but it also has to be able to recommend effective practices and tools that help developers. This also means appsec teams need to work with developers to create criteria for security solutions, whether it's training or scanners, in order to make sure their investments of time and money lead to more secure apps. Segment Resources: https://forwardsecurity.com/2022/04/24/embedding-security-into-software-during-development/ https://forwardsecurity.com/2022/03/15/application-security-for-busy-tech-execs/ https://forwardsecurity.com/2022/03/09/sast-sca-dast-iast-rasp-what-they-are-and-how-you-can-automate-application-security/   Visit https://www.securityweekly.com/asw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebo

Both GraphQL and template engines have the potential for injection attacks, from potentially exposing data due to weak authorization in APIs to the slew of OGNL-related vulns in Java this past year. We take a look at both of these technologies in order to understand the similarities in what could go wrong, while also examining the differences in how each one influences modern application architectures.   This week in the AppSec News: Lessons learned from fuzzing, OT:ICEFALL report on insecure designs, CSA's Top Threats to Cloud Computing, Twitter apologizes for misusing data collection, & State of Open Source Security report!   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw202

This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!   IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues. Refer