A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
Welcome to The AppSec Insiders Podcast. This is a show where we discuss the hottest topics and latest trends in application and cloud security, and tell you what you need to know. For those who don’t know who we are, we are all software developers, white-hat hackers, and code security experts. When we’re not recording the podcast, we help organizations of all sizes with their cybersecurity needs. If you’re an AppSec professional looking for an opportunity to work with some of the best in the ...
AppSec Builders features practical and actionable conversations with application security experts and practitioners. Topics range from understanding and solving classes of vulnerability, through building protections that scale efficiently with your business, to core best practices that strengthen your security posture. AppSec Builders is hosted by Jb Aviat, AppSec staff engineer at Datadog, former CTO and co-founder at Sqreen, and Apple Red Team member. Contact us at appsecbuilders@datadoghq.com
Agile DevOps, Cloud Deployment, Microservices, and Open Source have all dramatically accelerated application delivery and complexity. Today’s AppSec teams, outnumbered by as much as 100:1 by developers, depend on a collection of point security products and siloed manual processes. This leaves them struggling to gain the visibility, insight, and process scale they need to identify and protect the always changing and growing application risk surface. This resulting AppSec Chaos means applicati ...
The AppSec Insiders
Exploring the Challenges of Testing Against the ASVS Standard - Part 2 (32:35)
In this episode, we continue to explore the challenges of testing against the ASVS standard. By Farshad Abasi
Ken and Seth are back with another episode where they try _not_ to cover more on LLMs and AI. Specifically, they talk about the basics of implementing security into an SDLC, followed by a long conversation drawing on both Ken's and Seth's personal experience with time management and how to get into a flow when working on technical problems. Finally, some answers to questio…
Seth and Ken run through their experiences implementing machine learning for different application security activities, then break down the duo's experience at DEF CON 31: interesting talks, and happy hour results.
A very special pre-DEF CON episode with @lojikil (aka Stefan Edwards). Seth and Stefan dig into various security aspects of artificial intelligence and the recent hype cycle around large language models (LLMs). A discussion of the recently released OWASP Top 10 for LLMs and its target audience. Finally, opinions on the recent news of ZAP's departure…
A special episode with Brian Joe (brianwjoe on LinkedIn), head of product and co-founder of Impart Security (impart.security). Brian has a background with Signal Sciences, Fastly, and Verizon. He posts regularly on infosec, API and application security, among other topics at Security Boulevard.
The AppSec Insiders
Software Composition Analysis (SCA) & Supply Chain Security feat. Oscar van der Meer from MergeBase (40:45)
In this episode, we sit down with Oscar van der Meer, Founder and CEO of MergeBase, to discuss Software Composition Analysis (SCA) and why it is important for supply chain security. By Farshad Abasi
With some interesting developments going on at RunReveal, Evan Johnson joins Seth and Ken to discuss monitoring of security logs (hurray! Seth's favorite Crocs and Socks topic) and RunReveal's open beta (as well as other AppSec topics).
The AppSec Insiders
Azure Security: Raising Alarms and Reducing the Blast Radius (33:21)
In this episode we explore Azure Security: Raising Alarms and Reducing the Blast Radius. By Farshad Abasi
The AppSec Insiders
AWS SRA (Secure Reference Architecture) (27:23)
In this episode we explore AWS SRA (Secure Reference Architecture). By Farshad Abasi
Ken Johnson (@cktricky) and Seth Law (@sethlaw) host Brian Walter (@bdwalter), co-founder and CEO of OpenContext (opencontext.com), tech industry veteran with leadership stints at device-reputation company iovation (acquired by TransUnion), Xerox, Siemens, Sun Microsystems, Lockheed Martin, among others. Discussion focuses on establishing product r…
From depths comes a rumbling, and it carries the whisper of AppSec on its breath! Seth and Ken dig into approaches to conducting client scans and processing results. A review of recent research into EPP services for domain registrars along with the methodology for conducting code reviews and appsec research. Finally, some resources for threat model…
Join us for a special episode of Absolute AppSec with James Wickett (@wickett on twitter), the co-founder of DryRun Security (dryrun.security), creator of the Lonestar Application Security Conference, and all around infosec industry veteran.
Beware! It’s double ides of May! (Proviso being that you add the integers and not the 1/2s). Sponsored by @redpointsec, an application security firm that specializes in code security by and for coders. If you're looking for Web App or mobile Pentesting, developer training, smart contract or secure-code reviews, check them out: https://redpointsecur…
The AppSec Insiders
Exploring the Challenges of Testing Against the ASVS Standard (38:07)
In this episode, we explore the challenges of testing against the ASVS standard. By Farshad Abasi
Hello! We’re just a podcast, standing in front of you, aching to be the SYN to your ACK. Seth and Ken are back to talk about how the PyPI repo is experiencing an attack from multiple malicious package uploads. Seth brings up the concept of watering hole attacks and how the IDE plugin is a growing attack vector. Solarwinds discussion follows. Learni…
The AppSec Insiders
Attacks on the CI/CD Pipeline (Part 2) (35:17)
In this episode, we continue our discussion about the OWASP Top 10 and attacks on the CI/CD pipeline. By Farshad Abasi
The AppSec Insiders
Attacks on the CI/CD Pipeline (Part 1) (40:51)
In this episode, we explore the OWASP Top 10 and the potential attacks on the CI/CD pipeline (part 1). By Farshad Abasi
The AppSec Insiders
ChatGPT and the Future of Application Security (19:36)
In this episode, we dive deep into the world of ChatGPT and AI technology. What does this mean for application security? By Farshad Abasi
Seth Law and Ken Johnson are back this week. In this show, Seth and Ken discuss what the RSA conference did (and did not) reveal about the current state of #applicationsecurity, #appsec, #crocsandsocks. Also a discussion of the ChatGPT breach as well as AI's role in generating ever more content (in this case with news sites).…
Finally returning to the podcast after a couple of weeks of travel, training, and speaking, Seth and Ken are back for more, including their own takes on the decline of application security and the reported death of manual code reviews.
The dynamite duopoly that is Ken and Seth are back to take the AppSec news by storm. Starting with Seth's favorite topic of Auditing or Logging, Ken brings up the recent Okta vulnerability report related to plaintext logging of usernames and passwords. This is followed by a review of Troy Hunt's recent post on edge cases when interacting with 3rd-p…
Joining Seth and Ken is Shlomi Shaki, a tech exec with GitHub who directs sales resources related to Application Security and Product Security in the APJ region. Discussion revolves around adoption of security tools and the struggles of securing software from both a tooling and a process perspective.
Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw) interview Haseeb Awan (@haseeb) founder and CEO of Efani, a mobile service provider focused on security.
A lot has happened since the 200th (!!!) episode of the podcast, so we bring another episode with a discussion of recent events, sites, and interesting finds. First up is a discussion of recent breaches, including some stories related to consumer rewards programs and weaknesses in that space. This is followed by a discussion on responsibility o…
Jerry Gamblin joins Seth and Ken for the 200th episode of the podcast. The discussion starts with a lengthy analysis of startup culture, security startups, and gotchas to be aware of when employed at or considering a job with a startup. This is followed by an in-depth analysis of CVEs and how the process of publicly reporting issues in software has c…
After a number of guest appearances, Ken and Seth are flying "duo" to talk through recent news across the industry. Starting with analysis of the recent OWASP Change petition that has surfaced to address needs of OWASP projects and chapters for funding and definition of how the organization supports multiple efforts. Followed by commiseration with …
Laura Bell Main, founder and CEO of safestack.io (@lady_nerd on twitter and check out her website https://laurabellmain.com to acquaint yourself with her work and recent publications), joins Seth and Ken as a special guest. The discussion revolves around security training for developers and how it has changed over the years.…
Sal Olivares, Senior Software Engineer from segment.io, joins Seth and Ken to discuss his experience with, and recent blog post on, security token scanning and revocation. Sal was involved with the recently implemented exposed-token scanning service at Segment and talks through his experience, gotchas, and other security topics.…
Seth and Ken dig into a topic that was raised by a member of our Slack community. The initial half of the show reviews both the risks and dynamic or static review items associated with microservices. This is followed by a discussion that starts by asking the question "what are the must-have security features for a web application?"…
Ken (@cktricky) and Seth (@sethlaw) take a step away from the news to review technical articles and research released in the last couple of weeks. This includes analysis done by Jerry Gamblin on total CVEs released during 2022, a new tool for exploiting weak CORS configurations, an excellent writeup on usage along with an intentionally-vulnerable G…
Frank Wang from dbtlabs (@ffwang2 on twitter) joins Seth and Ken for a discussion on current security landscape, artificial intelligence, and machine learning. Follow Frank on twitter or through his blog at https://franklyspeaking.substack.com/. Discussion starts with current breaches and how organizations approach security through their first secu…
@cktricky and @sethlaw host another episode starting with a lengthy discussion on security metrics spurred by a recent post by Leif Dreizler (@leifdreizler). Security metrics are highly specific and custom to the organization and target audience, as evidenced by the lively discussion between the hosts. This is followed by a discussion of improvement…
What do _you_ want for an AppSec Christmas! Another episode featuring Ken and Seth, for sure. The duo starts the conversation talking about useful AppSec and Security Blogs while featuring a recent GoLang Security post from Cole Cornford. Followed by an in-depth discussion on ChatGPT to welcome our new AI overlords. Finally, Seth and Ken both talk …
Going into the final month of 2022, the dynamic duo graces us with their presence. It begins with discussion of DNS Attacks based on Kaminsky-style attacks spurred by research presented at DeepSec by Timo Longen of Sec Consult. Followed by a conversation straight out of Slack about considerations involving organization and technical risks, specific…
Ken and Seth break down the recently-released Immutable Laws of Security from Microsoft's Security Best Practices recommendations. Points of special interest being "Cybersecurity is a team sport", "Not keeping up is falling behind", and "Ruthless Prioritization is a survival skill".
Developers don't want to be slowed down, but security teams don't want development speed driving AppSec posture off a cliff. The compromise: security guardrails instead of release gates. With a basis of mutual trust that only critical findings will be sent for remediation and all critical findings will be remediated, friction between teams can be m…
Seth and Ken kick off another unique discussion by looking at a recent scholarly paper on security bypasses and workarounds by health care workers. Followed by a demo of AppMap, a development tool that shows code traces based on dynamic use. Finally, a discussion of PortSwigger's new Dastardly CI/CD tool and where it fits in the security SDLC.…
Prioritizing threat/vulnerability findings takes thought, a satellite cam, and a microscope if you don't have an AppSecOps platform at work. There's a lot to consider: criticality variance across tools (they don't come normalized out of the box), threat intelligence on CVEs, and tool/technique weight factors, for starters. A major concept is the co…
Let's Talk AppSecOps
Vulnerability Management – What? When? How? (6:30)
Vulnerability Management looks different from business to business. What qualifies a risk as acceptable or not? When should confirmed vulns be fixed by? Perhaps most distressingly, how do we know when a vulnerability has actually been remediated? Luis Guzmán talks about the different aspects of vulnerability management and its most common musts: a workflow fram…
What's that you say? There is no such thing as "done" with application security? Are our Sisyphean hosts (@cktricky and @sethlaw) therefore doomed to ever push this rock up the mountain, just to discuss ways to push it up again?
Back once again, Ken and Seth riff off recent health discussions to talk about hacking health and maintaining a decent work/life balance. Discussion of the recent Fortinet authorization issue and how to both search for and protect against flaws in COTS (commercial-off-the-shelf) products. To close out, a quick discussion on detecting custom secrets…
A short release cycle has myriad benefits: faster delivery to market for new functionalities, and swiftly-improving accuracy toward goals (what we call Agile) chief among them. And from a security perspective, a quick reaction time to zero-day threats thanks to a well-oiled assembly line is invaluable. But, of course, there are drawbacks: like a la…
The SBOM Movement has gained huge attention in just half a year. Whether as an external dependency of a developing product or a mission-critical tech stack component, inbound software has provenance (and often, vulnerabilities) that need to be reported for security downstream. US and foreign government support, as well as executive action, have don…
Let's Talk AppSecOps
Dev Vs Sec – Who's Responsible For The Ops? (6:02)
Ken is back in the land of the living, so of course he and Seth dig into the current state of information security training, how SCORM is the worst for developer training, and what goes into creating and teaching a course. Discussions on bug bounties in the web3/defi space and the nature of payouts. Finally, a discussion on MFA fatigue and how theo…
Ken (cktricky) is out sick today, so Seth is joined by Daniel (https://twitter.com/hoodiepony) from Australia to talk about recent breaches. Specifically, the recent breach of Optus in Australia has led to the exposure of about 10 million identity records. Daniel and Seth reference the recent Optus and Uber breaches to discuss weaknesses in identit…
Ken is back to lead a discussion on identification of interesting sources for the podcast and specifically how XSS just is not as interesting to him and Seth as it was a decade ago. A new project for analyzing and bypassing 403 responses from proxies and WAFs. Opinions on Patreon's recent layoffs and hot takes around security issues. Finally, web3-…
Ken is away, so Loji comes to play. Absolute AppSec is hosted this week by Seth and Stefan (@lojikil) to go outside the normal topics of application security to address questions about information warfare, Ukraine, and propaganda with Stefan Edwards (@lojikil) and @LegendaryPatMan.
A late decision to record an episode this week after thinking it would be scratched due to life ended up with a long discussion on the recent Twitter drama and whistleblower revelations around their security problems. Both Seth and Ken express opinions about disclosures and building out security programs. Further discussion on password managers and…