Helping Secure OSS Software – Alvaro Munoz – ASW #189

March 21, 2022

- Past research such as JNDI Injection, Unsafe deserialization, Struts RCEs

- OSS security: CodeQL, Dependabot, collaboration between researchers and developers, OWASP Top Ten Proactive Controls, CVD for OSS

Segment Resources:

- [Write more secure code with the OWASP Top 10 Proactive Controls](https://github.blog/2021-12-06-write-more-secure-code-owasp-top-10-proactive-controls/)

- [An analysis on developer-security researcher interactions in the vulnerability disclosure process](https://github.blog/2021-09-09-analysis-developer-security-researcher-interactions-vulnerability-disclosure/)

- [Building security researcher and developer collaboration](https://www.securitymagazine.com/articles/97066-how-to-build-security-researcher-and-software-developer-collaboration)

- [Coordinated vulnerability disclosure (CVD) for open source projects](https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/)

- [GitHub Advisory Database now open to community contributions](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)

- [Blue-teaming for Exiv2: creating a security advisory process](https://github.blog/2021-11-02-blue-teaming-create-security-advisory-process/)

Full episode and show notes

Announcements

Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Guest

Alvaro Munoz

Principal Security Researcher at GitHub

Alvaro Muñoz works as Principal Security Researcher with GitHub Security Lab team. Previously he worked as an Application Security Consultant helping top enterprises to deploy their application security programs. He is passionate about Web Application security where he has focused most of his research. Muñoz has presented at many Security conferences including BlackHat, DEFCON, RSA, OWASP AppSec EU and US, JavaOne, etc, and holds several infosec certifications, including OSCP, GWAPT, and CISSP.

Hosts

John Kinsella

Co-founder & CTO at Cysense

Lee Neely

Information Assurance APL at Lawrence Livermore National Laboratory

Application security

OpenAI Info Leak, BitCoin ATM Hack, GitHub RSA SSH Key, Measuring AI Security – ASW #234

March 27, 2023

Ferrari refuses ransomware, OpenAI deals with security issues from cacheing, video killed a crypto ATM, GitHub rotates their RSA SSH key, bypassing CloudTrail, terms and techniques for measuring AI security and safety

Application security

Real-life Examples. Benefits, Risk & Security Implications of AI – Frank Catucci – ASW #234

March 27, 2023

With the increased interest and use of AI such as GTP 3/4, ChatGPT, GitHub Copilot, and internal modeling, there comes an array of use cases and examples for increased efficiency, but also inherent security risks that organizations should consider. In this talk, Invicti’s CTO & Head of Security Research Frank Catucci discusses potential use cas...

DevOps

PassTheHash from Outlook, RCE in Modem Chipset, OpenSSH Sandboxes, Curl’s Anniversary – ASW #233

March 20, 2023

Outlook can leak NTLM hashes, potential RCE in a chipset for Wi-Fi calling in phones (and autos!?), the design of OpenSSH's sandboxes, more on the direction of OWASP, celebrating 25 years of Curl.