The challenge of evaluating threat alerts in aggregate – what a collection and sequence of threat signals tell us about an attacker’s sophistication and motives – has bedeviled SOC teams since the dawn of the Iron Age. Vectra AI CTO Oliver Tava

Node.js Secure Coding - Liran Tal - ASW #286

15 hours ago 38m 36s

Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes.

The Enterprise Browser & AI in Securing Software and Supply Chains - Mike Fey, Josh Lemos - ASW #285

7 days ago 29m 24s

How companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how

Inside the OWASP Top 10 for LLM Applications - Sandy Dunn - ASW #285

8 days ago 37m 33s

Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs

Hacking AI Bias with Human Techniques - Keith Hoodlet - ASW #284

14 days ago 31m 47s

We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how

AI & Hype & Security (Oh My!) - Caleb Sima - ASW #284

15 days ago 33m 18s

A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important as

Random Problems, Protecting Packages, and Vulns in Designs, Defaults & Data Leaks - ASW #283

21 days ago 38m 40s

Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more! Show Notes: https://securityweekly.com/asw-283

Why Companies Continue to Struggle with Supply Chain Security - Melinda Marks - ASW #283

22 days ago 41m 11s

Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutio

XZ & Open Source, PuTTY's Private Keys, LeakyCLI, LLMs Writing Exploits - ASW #282

28 days ago 38m 28s

CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Show Notes: https://securityweekly.com/asw-282

Sustainable Funding of Open Source Tools - Simon Bennetts, Mark Curphey - ASW #282

29 days ago 39m 29s

How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open

Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox - ASW #281

Apr 16th, 2024 28m 12s

A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more!

Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281

Apr 16th, 2024 35m 17s

There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to securi

OWASP Breach, Types of Prompt Injection, Device-Bound Sessions, ASVS & APIs - ASW #280

Apr 9th, 2024 28m 30s

OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more! Show

Lessons That The XZ Utils Backdoor Spells Out - Farshad Abasi - ASW #280

Apr 9th, 2024 31m 53s

We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse

Top 10's First Update, Metasploit's Second Update, PHP Prepares Statements, RSA & MS - ASW #279

Apr 2nd, 2024 26m 34s

The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more! Show Notes

Infosec Myths, Mistakes, and Misconceptions - Adrian Sanabria - ASW #279

Apr 2nd, 2024 34m 27s

Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeologica

Successful Security Needs a Streamlined UX - Benedek Gagyi - ASW #278

Mar 26th, 2024 36m 36s

One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the us

GoFetch Side Channel, OpenSSF & Security Education, Fuzzing vs. Formal Verification - ASW #278

Mar 25th, 2024 32m 33s

The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Show Notes: https://securityweekly.com/asw-

Vulns in Smart Locks, FCC labels for IoT, ZAP's New Home - ASW #277

Mar 19th, 2024 38m 20s

Insecure defaults and insecure design in smart locks, FCC adopts Cyber Trust Mark labels for IoT devices, the ZAP project gets a new home, and more! Show Notes: https://securityweekly.com/asw-277

Figuring Out Where Appsec Fits When Starting a Cybersecurity Program - Tyler VonMoll - ASW #277

Mar 19th, 2024 35m 6s

Lots of companies need cybersecurity programs, as do non-profits. Tyler Von Moll talks about how to get small organizations started on security and how to prioritize initial investments. While an appsec program likely isn't going to be one of t

TeamCity Authn Bypass, ArtPrompt Attacks, Low Quality Vuln Reports, Secure by Design - ASW #276

Mar 12th, 2024 36m 56s

The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design

More API Calls, More Problems: The State of API Security in 2024 - Lebin Cheng - ASW #276

Mar 12th, 2024 35m 28s

A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng s

SAML & Secrets, Serializing AI Models, OWASP ISTG, More Memory Safety - ASW #275

Mar 6th, 2024 38m 54s

A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languag

The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275

Mar 5th, 2024 40m 38s

The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and