Secure code should be grounded more in concepts like secure by default and secure by design than by "spot the vuln" thinking. Matias Madou shares his experience in secure coding training and the importance of teaching critical thinking. He also discusses why critical thinking is so closely related to threat modeling and how LLMs can be a tool for helping developers get beyond the superficial advice of, "Think like an attacker."

Show Notes: https://securityweekly.com/asw-357

Just how bad can things get if someone clicks on a link? Rob Allen joins us again to talk about ransomware, why putting too much attention on clicking links misses the larger picture of effective defenses, and what orgs can do to prepare for an influx of holiday-infused ransomware targeting.

Segment resources

• https://www.bleepingcomputer.com/news/security/how-a-ransomware-gang-encrypted-nevada-governments-systems/
• https://www.darkreading.com/endpoint-security/pro-russian-hackers-linux-vms-hide-windows
• https://www.threatlocker.com/blog/how-to-build-a-robust-lights-out-checklist

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!

Show Notes: https://securityweekly.com/asw-356

Up first, the ASW news of the week.

At Black Hat 2025, Doug White interviews Ted Shorter, CTO of Keyfactor, about the quantum revolution already knocking on cybersecurity's door. They discuss the terrifying reality of quantum computing's power to break RSA and ECC encryption—the very foundations of modern digital life. With 2030 set as the deadline for transitioning away from legacy crypto, organizations face a race against time. Ted breaks down what "full crypto visibility" really means, why it's crucial to map your cryptographic assets now, and how legacy tech—from robotic sawmills to outdated hospital gear—poses serious risks. The interview explores NIST's new post-quantum algorithms, global readiness efforts, and how Keyfactor's acquisitions of InfoSec Global and Cipher Insights help companies start the quantum transition today—not tomorrow. Don't wait for the breach. Watch this and start your quantum strategy now. If digital trust is the goal, cryptography is the foundation.

Segment Resources: http://www.keyfactor.com/digital-trust-digest-quantum-readiness https://www.keyfactor.com/press-releases/keyfactor-acquires-infosec-global-and-cipherinsights/

For more information about Keyfactor's latest Digital Trust Digest, please visit: https://securityweekly.com/keyfactorbh

Live from BlackHat 2025 in Las Vegas, cybersecurity host Jackie McGuire sits down with Seemant Sehgal, founder of BreachLock, to unpack one of the most pressing challenges facing SOC teams today: alert fatigue—and its even more dangerous cousin, vulnerability fatigue. In this must-watch conversation, Seemant reveals how his groundbreaking approach, Adversarial Exposure Validation (AEV), flips the script on traditional defense-heavy security strategies. Instead of drowning in 10,000+ "critical" alerts, AEV pinpoints what actually matters—using Generative AI to map realistic attack paths, visualize kill chains, and identify the exact vulnerabilities that put an organization's crown jewels at risk. From his days leading cybersecurity at a major global bank to pioneering near real-time CVE validation, Seemant shares insights on scaling offensive security, improving executive buy-in, and balancing automation with human expertise. Whether you're a CISO, SOC analyst, red teamer, or security enthusiast, this interview delivers actionable strategies to fight fatigue, prioritize risks, and protect high-value assets. Key topics covered: - The truth about alert fatigue & why it's crippling SOC efficiency - How AI-driven offensive security changes the game - Visualizing kill chains to drive faster remediation - Why fixing "what matters" beats fixing "everything" - The future of AI trust, transparency, and control in cybersecurity Watch now to discover how BreachLock is redefining offensive security for the AI era.

Segment Resources: https://www.breachlock.com/products/adversarial-exposure-validation/

This segment is sponsored by Breachlock. Visit https://securityweekly.com/breachlockbh to learn more about them!

Show Notes: https://securityweekly.com/asw-347

Open source has been a part of the software supply chain for decades, yet many projects and their maintainers remain undersupported by the companies that consume them. The security responsibilities for project owners has increased not only in dealing with security disclosures, but in maintaining secure processes backed by strong authentication and trust.

Segment Resources:

• https://www.cisa.gov/news-events/news/lessons-xz-utils-achieving-more-sustainable-open-source-ecosystem
• https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
• https://www.cisa.gov/securebydesign/pledge
• https://tidelift.com/about/press-releases/tidelift-study-reveals-that-despite-increasing-demands-from-government-and-industry-60-of-maintainers-are-still-unpaid-volunteers
• https://blog.tidelift.com/paying-maintainers-the-howto

Show Notes: https://securityweekly.com/asw-287

With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it's more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single Sign-On (SSO). So the question becomes, "How do you enable the business while still providing security oversight and governance?"

This segment is sponsored by Savvy. Visit https://securityweekly.com/savvy to learn more about them!

CISOs encounter challenges in securing data amidst the rapid growth driven by Cloud and GenAI applications. In this segment, we will delve into how Bedrock Security powers frictionless data security, empowering CISOs to securely manage data sprawl, allowing their businesses to operate at optimal speed, without compromising security.

Segment Resources:

Bedrock Security: https://www.bedrock.security/

Bedrock Security X/Twitter: https://twitter.com/bedrocksec

Bedrock Security LinkedIn: https://www.linkedin.com/company/bedrocksec/

House Rx (customer) Case Study: https://tinyurl.com/35v48wx7

Introductory Whitepaper: https://tinyurl.com/5yjeu92b

Innovation Sandbox 2024:  https://www.businesswire.com/news/home/20240402284910/en/Bedrock-Security-Named-RSA-Conference-2024-Innovation-Sandbox-Finalist

This segment is sponsored by Bedrock Security. Visit https://securityweekly.com/bedrockrsac to learn more about them!

Show Notes: https://securityweekly.com/vault-asw-10

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023.

We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities.

Show Notes: https://securityweekly.com/vault-asw-9

The challenge of evaluating threat alerts in aggregate – what a collection and sequence of threat signals tell us about an attacker's sophistication and motives – has bedeviled SOC teams since the dawn of the Iron Age. Vectra AI CTO Oliver Tavakoli will discuss how the design principles of our XDR platform deal with this challenge and how GenAI impacts this perspective.

Segment Resources:

1. Vectra AI Platform Video: https://vimeo.com/916801622

2. Blog: https://www.vectra.ai/blog/what-is-xdr-the-promise-of-xdr-capabilities-explained

3. Blog: https://www.vectra.ai/blog/xdr-explored-the-evolution-and-impact-of-extended-detection-and-response

4. MXDR Calculator: https://www.vectra.ai/calculators/mxdr-value-calculator

This segment is sponsored by Vectra AI. Visit https://securityweekly.com/vectrarsac to learn more about them!

In this interview, we will discuss the network security challenges of business applications and how they can also be the solution. AlgoSec has spent over two decades tackling tough security issues in some of the world's most complex networks. Now, they're applying their expertise to hybrid networks—where customers are combining their on-premise resources along with multiple cloud providers.

Segment Resources: https://www.algosec.com/resources/

This segment is sponsored by AlgoSec. Visit https://securityweekly.com/algosecrsac to learn more about them!

Show Notes: https://securityweekly.com/asw-286

Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experience, but it also relies on code that looks familiar to developers rather than contrived or overly simplistic examples.

Segment resources:

• https://github.com/lirantal
• https://cheatsheetseries.owasp.org/cheatsheets/NPMSecurityCheat_Sheet.html
• https://lirantal.com/blog/poor-express-authentication-patterns-nodejs

Show Notes: https://securityweekly.com/asw-286

How companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how different enterprises are benefitting.

Segment Resources:

• https://www.island.io/resources
• https://www.island.io/press

This segment is sponsored by Island. Visit https://www.securityweekly.com/islandrsac to learn more about them!

The cybersecurity landscape continues to transform, with a growing focus on mitigating supply chain vulnerabilities, enforcing data governance, and incorporating AI into security measures. This transformation promises to steer DevSecOps teams toward software development processes with efficiency and security at the forefront. Josh Lemos, Chief Information Security Officer at GitLab will discuss the role of AI in securing software and data supply chains and helping developers work more efficiently while creating more secure code.

This segment is sponsored by GitLab. Visit https://securityweekly.com/gitlabrsac to learn more about them!

Show Notes: https://securityweekly.com/asw-285

Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many ways -- after all, LLMs are still software. But the list captures some new concepts that anyone looking to use LLMs or generative AIs should be aware of.

• https://llmtop10.com/
• https://github.com/OWASP/www-project-top-10-for-large-language-model-applications/wiki/Educational-Resources
• https://owasp.org/www-project-ai-security-and-privacy-guide/
• https://gandalf.lakera.ai/
• https://quarkiq.com/blog

Show Notes: https://securityweekly.com/asw-285

We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss how organizations should approach the very different concepts of AI security and AI safety.

Segment Resources:

• https://securing.dev/posts/hacking-ai-bias/
• https://www.defense.gov/News/Releases/Release/Article/3659519/cdao-launches-first-dod-ai-bias-bounty-focused-on-unknown-risks-in-llms/

Show Notes: https://securityweekly.com/asw-284

A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explains why it's important to understand the different types of AI and the practical tasks necessary to secure how it's used.

Segment resources:

• https://calebsima.com/2023/08/16/demystifing-llms-and-threats/
• https://www.youtube.com/watch?v=qgDtOu17E&t=1s

Show Notes: https://securityweekly.com/asw-284

Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more!

Show Notes: https://securityweekly.com/asw-283

In this must-see BlackHat 2025 interview, Doug White sits down with Michael Callahan, CMO at Salt Security, for a high-stakes conversation about Agentic AI, Model Context Protocol (MCP) servers, and the massive API security risks reshaping the cyber landscape. Broadcast live from the CyberRisk TV studio at Mandalay Bay, Las Vegas, the discussion pulls back the curtain on how autonomous AI agents and centralized MCP hubs could supercharge productivity—while also opening the door to unprecedented supply chain vulnerabilities. From "shadow MCP servers" to the concept of an "API fabric," Michael explains why these threats are evolving faster than traditional security measures can keep up, and why CISOs need to act before it's too late. Viewers will get rare insight into the parallels between MCP exploitation and DNS poisoning, the hidden dangers of API sprawl, and why this new era of AI-driven communication could become a hacker's dream. Blog: https://salt.security/blog/when-ai-agents-go-rogue-what-youre-missing-in-your-mcp-security Survey Report: https://content.salt.security/AI-Agentic-Survey-2025_LP-AI-Agentic-Survey-2025.html This segment is sponsored by Salt Security. Visit https://securityweekly.com/saltbh for a free API Attack Surface Assessment!

At Black Hat 2025, live from the Cyber Risk TV studio in Las Vegas, Jackie McGuire sits down with Apiiro Co-Founder & CEO Idan Plotnik to unpack the real-world impact of AI code assistants on application security, developer velocity, and cloud costs. With experience as a former Director of Engineering at Microsoft, Idan dives into what drove him to launch Apiiro — and why 75% of engineers will be using AI assistants by 2028. From 10x more vulnerabilities to skyrocketing API bloat and security blind spots, Idan breaks down research from Fortune 500 companies on how AI is accelerating both innovation and risk. What you'll learn in this interview: - Why AI coding tools are increasing code complexity and risk - The massive cost of unnecessary APIs in cloud environments - How to automate secure code without slowing down delivery - Why most CISOs fail to connect security to revenue (and how to fix it) - How Apiiro's Autofix AI Agent helps organizations auto-fix and auto-govern code risks at scale This isn't just another AI hype talk. It's a deep dive into the future of secure software delivery — with practical steps for CISOs, CTOs, and security leaders to become true business enablers. Watch till the end to hear how Apiiro is helping Fortune 500s bridge the gap between code, risk, and revenue. Apiiro AutoFix Agent. Built for Enterprise Security: https://youtu.be/f-_zrnqzYsc Deep Dive Demo: https://youtu.be/WnFmMiXiUuM This segment is sponsored by Apiiro. Be one of the first to see their new AppSec Agent in action at https://securityweekly.com/apiirobh.

Is Your AI Usage a Ticking Time Bomb? In this exclusive Black Hat 2025 interview, Matt Alderman sits down with GitLab CISO Josh Lemos to unpack one of the most pressing questions in tech today: Are executives blindly racing into AI adoption without understanding the risks? Filmed live at the CyberRisk TV Studio in Las Vegas, this eye-opening conversation dives deep into: - How AI is being rapidly adopted across enterprises — with or without security buy-in - Why AI governance is no longer optional — and how to actually implement it - The truth about agentic AI, automation, and building trust in non-human identities - The role of frameworks like ISO 42001 in building AI transparency and assurance - Real-world examples of how teams are using LLMs in development, documentation & compliance Whether you're a CISO, developer, or business exec — this discussion will reshape how you think about AI governance, security, and adoption strategy in your org. Don't wait until it's too late to understand the risks. The Economics of Software Innovation: $750B+ Opportunity at a Crossroads Report: http://about.gitlab.com/software-innovation-report/ For more information about GitLab and their report, please visit: https://securityweekly.com/gitlabbh

Live from Black Hat 2025 in Las Vegas, Jackie McGuire sits down with Chris Boehm, Field CTO at Zero Networks, for a high-impact conversation on microsegmentation, shadow IT, and why AI still struggles to stop lateral movement. With 15+ years of cybersecurity experience—from Microsoft to SentinelOne—Chris breaks down complex concepts like you're a precocious 8th grader (his words!) and shares real talk on why AI alone won't save your infrastructure. Learn how Zero Networks is finally making microsegmentation frictionless, how summarization is the current AI win, and what red flags to look for when evaluating AI-infused security tools. If you're a CISO, dev, or just trying to stay ahead of cloud threats—this one's for you. This segment is sponsored by Zero Networks. Visit https://securityweekly.com/zerobh to learn more about them!

Show Notes: https://securityweekly.com/asw-346

Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now they're bracing for the coming of genAI and how that will just further highlight the current struggles they're having with data security and data privacy.

Segment Resources:
Complete Survey Results: The Growing Complexity of Securing the Software Supply Chain
https://research.esg-global.com/reportaction/515201781/Toc 

Show Notes: https://securityweekly.com/asw-283

CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more!

Show Notes: https://securityweekly.com/asw-282

How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve.

Segment resources:

• https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship
• https://www.zaproxy.org
• https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-efforts

Show Notes: https://securityweekly.com/asw-282

A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome's V8 Sandbox increases defense, and more!

Show Notes: https://securityweekly.com/asw-281

There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career.

Segment resources:

• https://kickstartseceng.com

Show Notes: https://securityweekly.com/asw-281

OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more!

Show Notes: https://securityweekly.com/asw-280

We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software.

It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead.

Segment Resources:

• https://tukaani.org/xz-backdoor/
• https://news.risky.biz/risky-biz-news-supply-chain-attack-in-linuxland/
• https://www.zdnet.com/article/this-backdoor-almost-infected-linux-everywhere-the-xz-utils-close-call/#ftag=RSSbaffb68
• https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa
• https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
• https://duo.com/decipher/carefully-crafted-campaign-led-to-xz-utils-backdoor
• https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Show Notes: https://securityweekly.com/asw-280

The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more!

Show Notes: https://securityweekly.com/asw-279

Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less secure.

Segment resources:

• https://www.oreilly.com/library/view/cybersecurity-myths-and/9780137929214/

Show Notes: https://securityweekly.com/asw-279

One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place.

Segment resources:

• https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50

Show Notes: https://securityweekly.com/asw-278

The EU Cyber Resilience Act joins the long list of regulations intended to improve the security of software delivered to users. Emily Fox and Roman Zhukov share their experience education regulators on open source software and educating open source projects on security. They talk about creating a baseline for security that addresses technical items, maintaining projects, and supporting project owners so they can focus on their projects.

Segment resources:

• github.com/ossf/wg-globalcyberpolicy
• github.com/orcwg
• baseline.openssf.org

Show Notes: https://securityweekly.com/asw-345

The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more!

Show Notes: https://securityweekly.com/asw-278

Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more!

Show Notes: https://securityweekly.com/asw-277

Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of the first steps, it's going to be an early one. What decisions can you make at the start that will benefit the program in the years that follow? What does an appsec program look like at a small scale?

Segment Resources:

• "Cybersecurity for Nonprofits", https://docs.google.com/presentation/d/18HuKtwgwGMtEJ87CgkMqHp1JDVRUXPP--zptjMpF0/edit?usp=sharing
• https://www.verizon.com/business/resources/reports/dbir/2023/master-guide/

Show Notes: https://securityweekly.com/asw-277

The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more!

Show Notes: https://securityweekly.com/asw-276

A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they're a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps organizations can take to protect their APIs.

This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them!

Show Notes: https://securityweekly.com/asw-276

A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more!

Show Notes: https://securityweekly.com/asw-275

The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more.

Segment resources:

• https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-1
• https://next.redhat.com/blog/
• https://www.first.org/cvss/v4-0/
• https://www.first.org/epss/
• https://deadliestwebattacks.com/appsec/2010/02/19/primordial-cross-site-scripting-xss-exploits -- For a bit of history, one of the earliest "bugs bounty" from 1995.

Show Notes: https://securityweekly.com/asw-275

PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more!

Show Notes: https://securityweekly.com/asw-274

Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable for that audience. This is also a chance to learn more about a project in its early days and the opportunities for participating in its development!

Segment resources

• https://github.com/OWASP/www-project-secure-pipeline-verification-standard--spvs- (coming soon!)

Show Notes: https://securityweekly.com/asw-274

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022.

Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models.

Segment Resources: - Original blog: https://segment.com/blog/redefining-threat-modeling/ - Open Sourced slides: https://github.com/segmentio/threat-modeling-training

Show Notes: https://securityweekly.com/vault-asw-8

A smaller attack surface should lead to a smaller list of CVEs to track, which in turn should lead to a smaller set of vulns that you should care about. But in practice, keeping something like a container image small has a lot of challenges in terms of what should be considered minimal. Neil Carpenter shares advice and anecdotes on what it takes to refine a container image and to change an org's expectations that every CVE needs to be fixed.

Show Notes: https://securityweekly.com/asw-344

LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more!

Show Notes: https://securityweekly.com/asw-273

We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be.

Segment Resources:

• https://www.lacework.com/blog/introducing-a-new-approach-to-code-security/

Show Notes: https://securityweekly.com/asw-273

Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more!

Show Notes: https://securityweekly.com/asw-272

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org.

Segment Resources:

• https://owasp.org/www-project-product-security-capabilities-framework/
• https://github.com/OWASP/pscf
• https://prods.ec/
• https://owaspsamm.org
• https://iso25000.com/index.php/en/iso-25000-standards/iso-25010
• https://www.scmagazine.com/podcast-episode/application-security-weekly-242

Show Notes: https://securityweekly.com/asw-272

Vulns in Jenkins code and Cisco devices that make us think about secure designs, MiraclePtr pulls off a relatively quick miracle, code lasts while domains expire, an "Artificial Intelligence chip" from the 90s, and more!

Show Notes: https://securityweekly.com/asw-271

We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices?

Segment resources:

• https://bsidessf.org
• https://infosec.exchange/@worldwise001/111280163638514582
• https://www.youtube.com/watch?v=1lVIeh5f4Rg

Show Notes: https://securityweekly.com/asw-271

Vulns throw a wrench in a wrench, more vulns drench Atlassian, vulns send GitLab back to the design bench, voting for the top web hacking techniques of 2023, and more!

Show Notes: https://securityweekly.com/asw-270

Where apps provide something of value, bots are sure to follow. Modern threat models need to include scenarios for bad bots that not only target user credentials, but that will also hoard inventory and increase fraud. Sandy shares her recent research as we talk about bots, API security, and what developers can do to deal with these.

Segment resources

• https://www.forrester.com/blogs/avoid-a-bot-waterloo/
• https://www.forrester.com/blogs/are-your-bot-management-tools-up-to-date-to-handle-the-holiday-season/
• https://www.theguardian.com/technology/2023/sep/05/swedish-criminal-gangs-using-fake-spotify-streams-to-launder-money

Show Notes: https://securityweekly.com/asw-270

It's time to start thinking about CFPs and presentations for 2024! Eve shares advice on delivering technical topics so that an audience can understand the points you want to make. Then we show how developing these presentation skills for conferences helps with presentations within orgs and why these are useful skills to build for your career.

Show Notes: https://securityweekly.com/asw-269

23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more!

Show Notes: https://securityweekly.com/asw-268

Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most effective solutions are old techniques.

Resources

• https://www.forrester.com/blogs/make-no-mistake-software-is-a-supply-chain-and-its-under-attack/
• https://www.forrester.com/report/the-future-of-software-supply-chain-security/RES184050

Show Notes: https://securityweekly.com/asw-343

We kick off the new year with a discussion of what we're looking forward to and what we're not looking forward to. Then we pick our favorite responses to "appsec in three words" and set our sights on a new theme for 2024.

Show Notes: https://securityweekly.com/asw-268

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134

Show Notes: https://securityweekly.com/vault-asw-7

We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. A the end we will cover how you can engage with the SAMM community and provide an overview of what happened at our latest SAMM User Day which happened on May 27th.

Segment Resources:

• https://owaspsamm.org/

• https://github.com/OWASPsamm

• https://app.slack.com/client/T04T40NHX/C0VF1EJGH

-https://www.youtube.com/channel/UCEZDbvQrj5APg5cEET49A_g

• https://twitter.com/OwaspSAMM

• https://www.linkedin.com/company/18910344/admin/

Show Notes: https://securityweekly.com/vault-asw-6