
    Git Project, Google+, & Facebook - Application Security Weekly #35

    October 16, 2018

    About this Episode

    In the Application Security News: the Git project patches a remote code execution vulnerability, Google is shutting down Google+ after a data breach potentially affecting 500k accounts, Facebook wants people to invite its cameras into their homes, GitHub introduces user blocking notifications, DevOps is producing more insecure apps than ever, climate change is being taught on a Fortnite Twitch stream, and more!

    Full Show Notes: https://wiki.securityweekly.com/ASW_Episode35

    Visit https://www.securityweekly.com/asw for all the latest episodes!

    Follow us on Twitter: https://www.twitter.com/securityweekly

    Recent Episodes from Application Security Weekly (Video)

    The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275

    The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more.

    Show Notes: https://securityweekly.com/asw-275

    Creating the Secure Pipeline Verification Standard - Farshad Abasi - ASW #274

    Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable for that audience. This is also a chance to learn more about a project in its early days and the opportunities for participating in its development!

    Show Notes: https://securityweekly.com/asw-274

    Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault

    Check out this interview from the ASW Vault, hand-picked by main host Mike Shema! This segment was originally published on Dec 13, 2022.

    Threat modeling is an important part of a security program, but as companies grow you either choose which features you want to threat model or become a bottleneck. What if I told you that you can have your cake and eat it too? It is possible to scale your program and deliver higher-quality threat models.

    Segment Resources:

    - Original blog: https://segment.com/blog/redefining-threat-modeling/
    - Open-sourced slides: https://github.com/segmentio/threat-modeling-training

    Show Notes: https://securityweekly.com/vault-asw-8

    Creating Code Security Through Better Visibility - Christien Rioux - ASW #273

    We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be.

    Show Notes: https://securityweekly.com/asw-273

    Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272

    We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org.

    Show Notes: https://securityweekly.com/asw-272