Security Weekly
Application Security WeeklySubscribe
Application security, DevSecOps

Dependency Confusion, Suspender Falls, Web Shells, & AppSec Scale – ASW #140

This week on the Application Security News, Dependency confusion for internal packages, Chrome pulls down the Great Suspender, Microsoft highlights web shells, some strategies on scaling AppSec, & more!

Full episode and show notes

Announcements

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Hosts

Tech Lead at Block
  1. 1. Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
    The package is coming from inside the house! -- except not really. Our horror trope returns with a dash of DNS and publicly posted internal item names.
  2. 2. The Great Suspender Chrome extension’s fall from grace
    A different sort of supply chain sneakiness, something we might call "usurped trust" or "trust laundering".
  3. 3. Web shell attacks continue to rise
    A tour through some visual obfuscation and nefarious scripting. A nice read to learn about post-exploitation techniques along with some reasonable recommendations to counter them. We last touched this specific topic from Microsoft back on February 10, 2020 in episode 95.
  4. 4. Let’s Encrypt Gears Up to Replace 200M Certificates a Day
    Availability is important to services that provide security as much as it's an important piece of the CIA triad. Confidentially isn't as confidential if you can get the certs to make the communications confidential! You can find more details at https://letsencrypt.org/2021/02/10/200m-certs-24hrs.html
  5. 5. Appsec Development: Keeping it all together at scale
    What if scaling security reviews was the wrong strategy all along?
  6. 6. completely ridiculous API (crAPI) will help you to understand the ten most critical API security risks
    Learn about API security by poking at an insecure API.
  7. 7. Apple Outlines 2021 Security, Privacy Roadmap
    How would you document the security for your own product or SaaS platform? You can read the full guide online or download the 196-page PDF at https://support.apple.com/guide/security/welcome/web
Senior Engineering Leader at AWS

Related

Hacker Heroes – Jeremiah Grossman – PSW #828

Illuminating the Cybersecurity Path: A Conversation with Jeremiah Grossman Join us for a compelling episode featuring Jeremiah Grossman, a prominent figure in the cybersecurity landscape. As a recognized expert, Jeremiah has played a pivotal role in shaping the discourse around web security and risk management. Jeremiah's journey in cybersecurit...
Hacking AI Bias with Human Techniques – Keith Hoodlet – ASW #284

We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss ...