Application Security Weekly
aswpodcast.com
@aswpodcast.com
Listen to the Application Security Weekly podcast for interviews and news on everything appsec — and more!

Hosted by @mutantzombie.bsky.social, @jlk.bsky.social, and Kalyani Pawar.
Here’s the March recap while I finish writing up what we did in April. #appsec

dangerouserrors.com/appsec/2025/...
ASW Recap for March 2025
Recap of the Application Security Weekly podcast episodes from March 2025
dangerouserrors.com
May 3, 2025 at 5:26 PM
At the end of every episode I mention a favorite #synthwave track. Because music makes everything better, even #appsec.

And since it’s @bandcamp.com Friday, you can make a musician’s day better by supporting their work and grabbing a track (or two or three).

dangerouserrors.com/synthwave-sh...
Synthwave Shoutouts
Synthwave, retrowave, and other shoutouts from the ASW podcast
dangerouserrors.com
May 2, 2025 at 11:12 AM
It’s @bandcamp.com Friday, which is an excellent Friday for supporting musicians.

Buy a track. Buy an album. Enjoy some new music.

And if you like #synthwave (and adjacent) tunes, check out this list for a few ideas.

dangerouserrors.com/synthwave-sh...
Synthwave Shoutouts
Synthwave, retrowave, and other shoutouts from the ASW podcast
dangerouserrors.com
May 2, 2025 at 11:08 AM
Find more episodes, recaps, and some random #appsec reading on the blog.

dangerouserrors.com
Application Security Weekly
Random encounters for infosec, music, horror, movies, ttrpgs, and more
dangerouserrors.com
May 2, 2025 at 5:43 AM
Reposted by Application Security Weekly
Getting ready to sneak in as many D&D references as possible into an #appsec discussion
April 26, 2025 at 9:08 PM
Reposted by Application Security Weekly
We were somewhere around Barstow, on the edge of AppSec, when the vibe coding began to take hold.
April 1, 2025 at 6:43 PM
One of my goals this year is to figure out a cost-benefit analysis of fuzzing vs. LLMs vs. grep.

Later on in this episode Keith Hoodlet shared where he's seeing (and not seeing) #appsec potential from LLMs.

Articles and episode at www.scworld.com/podcast-epis...

youtu.be/zn3LT4BqOJo?...
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
YouTube video by Security Weekly - A CRA Resource
youtu.be
March 28, 2025 at 9:12 PM
Historical context for the "BadSeek" post by Shrivu Shankar (blog.sshh.io/p/how-to-bac...).

He tweaked model weights to subtly introduce a backdoor into generated code, regardless of prompt, and noted the difficulty in detecting such manipulation.

youtube.com/shorts/nB_KK...
Ken Thompson’s Secret Hack — Trust No Compiler!
YouTube video by Security Weekly - A CRA Resource
youtube.com
March 28, 2025 at 12:42 AM
Memory safe code was having an unsafe design week this week.

News articles and notes at www.scworld.com/podcast-epis...

www.youtube.com/watch?featur...
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
YouTube video by Security Weekly - A CRA Resource
www.youtube.com
March 26, 2025 at 9:19 PM
Sure, LLMs are helping devs write code, but is it secure code? How are LLMs helping #appsec teams?

Keith Hoodlet returned to talk about those questions and put the capabilities of LLMs into perspective.

Show notes at www.scworld.com/podcast-epis...

youtu.be/zn3LT4BqOJo?...
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
YouTube video by Security Weekly - A CRA Resource
youtu.be
March 26, 2025 at 12:44 AM
There's no better place to discover the impact of logic flaws than in the cryptocurrency space, where every token is its own self-funding bug bounty and every contract is a gamble in correctness.

Show notes: www.scworld.com/podcast-epis...

youtu.be/0GlIbGgi1OY?...
Redlining the Smart Contract Top 10 - Shashank - ASW #322
YouTube video by Security Weekly - A CRA Resource
youtu.be
March 18, 2025 at 5:50 PM
Find episodes, recaps, and some random #appsec thoughts on the blog.

deadliestwebattacks.com
Application Security Weekly
Random encounters for infosec, music, horror, movies, ttrpgs, and more
deadliestwebattacks.com
March 13, 2025 at 4:27 PM
From Skype's embrace of e2ee to the recent Wallbleed research against the GFW, there are tons of reasons why #appsec is not a myopic technical topic.

It reminds me of an old joke about oversimplifying models. We shouldn't treat appsec as a spherical CVE in a vacuum.

youtu.be/Cbzthj0s44I?...
Skype Hangs Up, Android Backdoors, Jailbreak Research, Pretend AirTags, Wallbleed - ASW #321
YouTube video by Security Weekly - A CRA Resource
youtu.be
March 13, 2025 at 4:16 PM
CISA has been pushing for more software to be secure by design and secure by default. Jack Cable shares how CISA chose to frame their Secure by Design principles and encourage businesses to improve their software quality.

Show notes at www.scworld.com/podcast-epis...

youtu.be/fjc2zqEFcAI?...
CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321
YouTube video by Security Weekly - A CRA Resource
youtu.be
March 13, 2025 at 6:32 AM
I’ll be hosting the Qualys Cyber Risk Series: AppSec Edition tomorrow at 9am PT! Join me and experts in the #AppSec and #APISecurity space as we discuss the latest trends, threats, and techniques to stay ahead.

Register now: qualys.brighttalk.com?utm_source=i...

#Qualys #CyberRiskSeries
March 11, 2025 at 9:46 PM
Your operating system has curl on it. Your toaster probably has curl on it. The moon likely will have curl on it soon.

And you can't spell curl without C...

@daniel.haxx.se explains how curl keeps its code secure and some of the #appsec friction it has had to deal with.

youtu.be/0UavY_kKKic
Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320
YouTube video by Security Weekly - A CRA Resource
youtu.be
March 4, 2025 at 7:07 PM
*shakes fist*

It has been 0 weeks since we did not mention AI and LLMs.

But I think we added helpful angles to what a secure architecture can look like for using them and what the implications are for backdoors like BadSeek.

Show notes at www.scworld.com/podcast-epis...

youtu.be/TIxLvtCT-CE?...
Regex DoS, LLM Backdoors, Secure AI Architectures, Rust Survey - ASW #319
YouTube video by Security Weekly - A CRA Resource
youtu.be
March 3, 2025 at 10:15 PM
I love the "cookie sandwich" because it combines parsing, implementation mismatches, and finding new flaws in old (yet pervasive) tech.

In our chat about the top 10 web hacking techniques of 2024, James talked about cookies and finding inspiration for research topics.

youtu.be/8XEK3NkbKOA?...
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318
YouTube video by Security Weekly - A CRA Resource
youtu.be
February 27, 2025 at 6:16 PM
For me, prompt injection is the new XSS. The techniques and payloads are fun, they inspire creative thinking, but they're ultimately a lot of noise to be filtered with an effective framework like the examples we mentioned here.

Show notes: www.scworld.com/podcast-epis...

youtu.be/TIxLvtCT-CE
Regex DoS, LLM Backdoors, Secure AI Architectures, Rust Survey - ASW #319
YouTube video by Security Weekly - A CRA Resource
youtu.be
February 26, 2025 at 6:11 PM
We're almost at 20 years of celebrating web hacking techniques.

@jameskettle.com shares his favorites from 2024, the list's importance to the web hacking community, and what inspires the kind of research it highlights.

List at portswigger.net/research/top...

youtu.be/8XEK3NkbKOA?...
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318
YouTube video by Security Weekly - A CRA Resource
youtu.be
February 25, 2025 at 11:45 PM
Scott Norberg's goal for pentesting really resonated with me.

"I view it as my job not to find all the instances of three different classes of vulnerabilities; it's to find as many different classes of vulnerabilities as I can."

www.youtube.com/clip/Ugkx0N9...
YouTube
www.youtube.com
February 14, 2025 at 12:23 AM
Kalyani and I reviewed the "unforgivable" criteria in the recent article from @ncsc.gov.uk.

We applied it to vulns in the news, with some easy ones like DeepSeek disabling ATS on iOS. But then the categories get messier...

Show notes: www.scworld.com/podcast-epis...

youtu.be/AVkucIviAnI?...
Unforgivable Vulns, DeepSeek iOS App Security Flaws, Memory Safety Standards - ASW #317
YouTube video by Security Weekly - A CRA Resource
youtu.be
February 14, 2025 at 12:20 AM
Code scanning is an ancient #appsec practice. Grep and regexes still work, but grep can't follow control flows and regexes aren't semantic parsers.

Scott Norberg talks about his experience looking for a scanner against .NET code and why he ended up writing his own.

www.scworld.com/podcast-epis...
Code Scanning That Works With Your Code – Scott Norberg – ASW #317
Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shar...
www.scworld.com
February 11, 2025 at 11:12 PM
We had a busy January! And getting ready to record once again this Monday.

deadliestwebattacks.com/appsec/2025/...
The ASW January 2025 Recap
Recap of the Application Security Weekly podcast episodes from January 2025
deadliestwebattacks.com
February 9, 2025 at 6:13 AM