Application Security Weekly
@aswpodcast.com
Listen to the Application Security Weekly podcast for interviews and news on everything appsec — and more!

Hosted by @mutantzombie.bsky.social, @jlk.bsky.social, and Kalyani Pawar.
It reminded me of Ken Thompson's talk in 1984 about trusting compilers (dl.acm.org/doi/10.1145/...).

Which also reminded me of classic D&D monsters like the mimic.

Four decades later we still have both -- random objects that we're sure are monsters and code that we're not sure we can trust.
March 28, 2025 at 12:42 AM
Keith Hoodlet and Kalyani Pawar shared their ideas on better designs and better defaults. We also pondered just how much more secure the world might be if there was no more XML...
March 26, 2025 at 9:19 PM
We covered #appsec articles about:
- Next.js middleware and where to place security controls
- ruby-saml authentication bypass and how many different parsers a library should have
- an NTLM hash leak and when a UX feature becomes a security liability
March 26, 2025 at 9:19 PM
I always enjoy talking with Keith. Regardless of how much of a future we'll have with appsec toasters, he'll always be a human I turn to for insights in this area.
March 26, 2025 at 12:44 AM
We also discussed the importance of reading beyond the headlines of research papers in order to avoid hype and better understand what's improving -- and what's not -- in terms of code generation and security capabilities.
March 26, 2025 at 12:44 AM
LLMs have some promise as assistants, like crafting a fuzzing corpus. There are areas where LLMs could quite directly prove their value in bug bounty hunting. But there are also areas where we've been underwhelmed (so far!) by the generic LLM responses to threat modeling and security reviews.
March 26, 2025 at 12:44 AM
More importantly, he talked about the logic problems behind oracle manipulation and flash loan attacks.

Crypto is rife with rug pulls, scams, and questionable tokens. It's also a great learning space for classes of attacks that aren't memory safety flaws or the dusty XSS and SQLi of the web.
March 18, 2025 at 5:50 PM
I appreciate this particular Top 10 list because it's not repetitive of all the others and it has entries that are very domain-specific to crypto. Shashank provided lots of technical background and real examples across familiar #appsec flaws like integer overflows and reentrancy problems.
March 18, 2025 at 5:50 PM
Shashank went into the details of the 2025 edition of the Smart Contract Top 10, how it has changed over the past two years, and how security improvements in Solidity might change it again (for the better!) in another two years.
March 18, 2025 at 5:50 PM
Jackie McGuire added insightful context to that discussion. But we also talked about technical research, nuances between ML models and LLMs, and (once again) why I think prompt injections and jailbreaks are the modern XSS.

Articles and show notes at www.scworld.com/podcast-epis...
March 13, 2025 at 4:16 PM
We talked with Jack about the important qualifiers that "easy" fixes have to be "easy to implement and deploy". Not everyone has Google's budget for #appsec.
March 13, 2025 at 6:32 AM