Application Security Weekly
More API Calls, More Problems: The State of API Security in 2024 – Lebin Cheng – ASW #276
A majority of internet traffic now originates from APIs, and cybercriminals are taking advantage. Increasingly, APIs are used as a common attack vector because they’re a direct pathway to access sensitive data. In this discussion, Lebin Cheng shares what API attack trends Imperva, a Thales Company has observed over the past year, and what steps organizations can take to protect their APIs.
This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them!
The trivial tweaks to bypass authentication in TeamCity, ArtPrompt attacks use ASCII art against LLMs, annoying developers with low quality vuln reports, removing dependencies as part of secure by design, removing overhead with secure by design, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
More API Calls, More Problems: The State of API Security in 2024 – Lebin Cheng – ASW #276
TeamCity Authn Bypass, ArtPrompt Attacks, Low Quality Vuln Reports, Secure by Design – ASW #276
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program – Emily Fox – ASW #275
The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more.
Segment resources:
- https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-1
- https://next.redhat.com/blog/
- https://www.first.org/cvss/v4-0/
- https://www.first.org/epss/
- https://deadliestwebattacks.com/appsec/2010/02/19/primordial-cross-site-scripting-xss-exploits -- For a bit of history, one of the earliest "bug bounties", from 1995.
A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more!
Segments
The Simple Mistakes and Complex Seeds of a Vulnerability Management Program – Emily Fox – ASW #275
SAML & Secrets, Serializing AI Models, OWASP ISTG, More Memory Safety – ASW #275
Creating the Secure Pipeline Verification Standard – Farshad Abasi – ASW #274
Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable for that audience. This is also a chance to learn more about a project in its early days and the opportunities for participating in its development!
PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more!
Segments
Creating the Secure Pipeline Verification Standard – Farshad Abasi – ASW #274
PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results – ASW #274
Redefining Threat Modeling – Security Team Goes on Vacation – Jeevan Singh – ASW Vault
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022.
Threat modeling is an important part of a security program, but as companies grow you will either have to choose which features you want to threat model or become a bottleneck. What if I told you that you can have your cake and eat it too? It is possible to scale your program and deliver higher quality threat models.
Segment resources:
- Original blog: https://segment.com/blog/redefining-threat-modeling/
- Open-sourced slides: https://github.com/segmentio/threat-modeling-training
Segments
Redefining Threat Modeling – Security Team Goes on Vacation – Jeevan Singh – ASW Vault
Creating Code Security Through Better Visibility – Christien Rioux – ASW #273
We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be.
LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more!
Segments
Creating Code Security Through Better Visibility – Christien Rioux – ASW #273
LLMs & Security Tools, Shim Vuln, AI Threat Models, Configuration as Code with Pkl – ASW #273
Starting an OWASP Project (That’s Not a List!) – Grant Ongers – ASW #272
We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org.
Segment Resources:
- https://owasp.org/www-project-product-security-capabilities-framework/
- https://github.com/OWASP/pscf
- https://prods.ec/
- https://owaspsamm.org
- https://iso25000.com/index.php/en/iso-25000-standards/iso-25010
- https://www.scmagazine.com/podcast-episode/application-security-weekly-242
Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more!
Segments
Starting an OWASP Project (That’s Not a List!) – Grant Ongers – ASW #272
Sorting Out Glibc Vulns, Apple’s Security Research Device, BoringSSL, Old C Vulns – ASW #272
Getting Your First Conference Presentation – Sarah Harvey – ASW #271
We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices?
Segment resources:
- https://bsidessf.org
- https://infosec.exchange/@worldwise001/111280163638514582
- https://www.youtube.com/watch?v=1lVIeh5f4Rg
Vulns in Jenkins code and Cisco devices that make us think about secure designs, MiraclePtr pulls off a relatively quick miracle, code lasts while domains expire, an "Artificial Intelligence chip" from the 90s, and more!
Segments
Getting Your First Conference Presentation – Sarah Harvey – ASW #271
Vulns & Secure Design, MiraclePtr Success, Abandoned Projects & Maven, Old “AI Chip” – ASW #271
Dealing with the Burden of Bad Bots – Sandy Carielli – ASW #270
Where apps provide something of value, bots are sure to follow. Modern threat models need to include scenarios for bad bots that not only target user credentials, but that will also hoard inventory and increase fraud. Sandy shares her recent research as we talk about bots, API security, and what developers can do to deal with these.
Segment resources:
- https://www.forrester.com/blogs/avoid-a-bot-waterloo/
- https://www.forrester.com/blogs/are-your-bot-management-tools-up-to-date-to-handle-the-holiday-season/
In the news, vulns throw a wrench in a wrench, more vulns drench Atlassian, vulns send GitLab back to the design bench, voting for the top web hacking techniques of 2023, and more!
Follow us on Twitter: https://www.twitter.com/secweekly
Like us on Facebook: https://www.facebook.com/secweekly
Segments
Dealing with the Burden of Bad Bots – Sandy Carielli – ASW #270
Security in Wrenches, Vulns in Atlassian and GitLab, 2023’s Top Web Hacking Tricks – ASW #270
Communicating Technical Topics Without Being Boring – Eve Maler – ASW #269
It's time to start thinking about CFPs and presentations for 2024! Eve shares advice on delivering technical topics so that an audience can understand the points you want to make. Then we show how developing these presentation skills for conferences helps with presentations within orgs and why these are useful skills to build for your career.
Segments
Communicating Technical Topics Without Being Boring – Eve Maler – ASW #269
What’s in Store for 2024? – ASW #268
We kick off the new year with a discussion of what we're looking forward to and what we're not looking forward to. Then we pick our favorite responses to "appsec in three words" and set our sights on a new theme for 2024.
In the news, 23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more!