Application Security Weekly (Video) – Détails, épisodes et analyse

The many lessons to take away from a 24-year old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more!

Show Notes: https://securityweekly.com/asw-302

Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project.

Segment Resources:

• https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/
• https://www.zaproxy.org/blog/2024-09-30-improving-fuzzing-payloads-for-llms-with-fuzzai/
• https://checkmarx.com/press-releases/checkmarx-joins-forces-with-zap-to-supercharge-dynamic-application-security-testing-dast-for-the-enterprise-and-enhance-community-growth/
• KICS: https://github.com/Checkmarx/kics
• 2MS: https://github.com/Checkmarx/2ms

Show Notes: https://securityweekly.com/asw-302

IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone.

Segment resources:

• https://www.fcc.gov/document/cybersecurity-labeling-program-internet-things-iot-products

Show Notes: https://securityweekly.com/asw-297

Zed Attack Proxy is an essential tool for web app pentesting. The project just recently moved from OWASP to the Secure Software Project. Hear about the challenges of running an OSS security project, why Simon got involved in the first place, and why successful projects are about more than just code.

Segment Resources:

• https://www.zaproxy.org/ 
• https://softwaresecurityproject.org/blog/welcoming-zap-to-the-software-security-project/
• https://owasp.org/www-project-vulnerable-web-applications-directory/

Show Notes: https://securityweekly.com/asw-254 

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on January 10, 2022. There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the web, mobile, or cloud? We'll talk about moving on from niche offerings into successful appsec programs.

Show Notes: https://securityweekly.com/vault-asw-4 

A Go Crypto presentation from Real World Crypto, Excel releases support for Python, protecting users from malware like the Luna Grabber and WinRAR RCE, DARPA's V-SPELLS project, and more!

Show Notes: https://securityweekly.com/asw-253 

We go deep on LLMs and generative AIs to shine a light on areas that security leaders should focus on. There are technical concerns like prompt injection and access controls, and privacy concerns in training and usage. But there are also areas where security tools are starting to address these concerns as well as areas where security tools are adopting AI themselves. We'll share where we see AI showing promise, as well as where we suspect it's still premature.

Segment resources:

• https://www.forrester.com/blogs/defending-ai-models-from-soon-to-yesterday/
• https://www.forrester.com/blogs/generative-ai-goes-mainstream-in-security-with-microsoft-security-copilot/
• https://www.forrester.com/blogs/chatgpt-cybersecurity-ramifications-beyond-malware/
• https://www.forrester.com/report/securing-generative-ai/RES179497
• https://www.forrester.com/report/generative-ai-what-it-means-for-security/RES179522

Show Notes: https://securityweekly.com/asw-253 

Discord.io ceases to be, Azure AD breach to get scrutiny from the CSRB, Zoom's AI stumbles show security concerns, model confusion attacks, a look at how far we have -- and haven't -- come with XSS flaws, an approachable article on AI, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-252 

Modern applications are transforming how businesses serve their customers, employees, and partners. But they also challenge security teams with limited to no visibility or control while expanding an organization's attack surface. Jason Rolleston, vice president and general manager of VMware Carbon Black, discusses how security teams can enable their companies to safely adopt modern application environments.

Segment Resources:

• https://blogs.vmware.com/security/2023/07/announcing-cloud-native-detection-and-response-for-carbon-black.html

This segment is sponsored by VMWare Carbon Black. Visit https://securityweekly.com/vmwarebh to learn more about them!

In today's mobile-first world, where Android and iOS apps are crucial for customer engagement, companies often overlook the vulnerability of their applications - which poses a growing risk to the enterprise. While business cybersecurity measures are robust, hackers exploit the app path to circumvent server-side security. To help you understand the risks and safeguard your mobile apps and your customer PII, Asaf Ashkenazi will talk about the top mobile app attacks, the real-world implications, the blind spot in many company security teams, and easy ways to protect, detect and respond to this growing threat.

Segment Resources:

• [Asaf Ashkenazi introduces Verimatrix XTD](https://youtu.be/j3mJoc8OSY8)
• [Verimatrix XTD](https://www.verimatrix.com/cybersecurity/verimatrix-xtd/)
• [Verimatrix's Triple-Threat Initiative Enhances Mobile App Security](https://www.itsecurityguru.org/2023/04/13/verimatrixs-triple-threat-initiative-enhances-mobile-app-security/)

This segment is sponsored by Verimatrix. Visit https://securityweekly.com/verimatrixbh to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-252 

DARPA unleashes an AI Cyber Challenge to find flaws, CISA asks for input on securing open source software and memory safety, what five years of vuln research shows for vuln management programs, siphoning security tokens from VS Code, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-251