DevSecOps

Equifax’s Breach, CISA’s 1,000 Vulns, Rust’s TLS Library, Complexity vs. Design – ASW #256

September 25, 2023

A stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security).

Application security

Supply Chain Security Security with Containers and CI/CD Systems – Kirsten Newcomer – ASW #256

September 25, 2023

Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline. Segment resources: https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf https://next.red...

Application security

Azure’s Eight XSS Vulns, CNCF’s Two Security Audits, CISA’s OSS Roadmap, Repojacking – ASW #255

September 18, 2023

A slew of XSS in Azure's HDInsights, CNCF releases fuzzing and security audits on Kyverno and Dragonfly2, CISA shares a roadmap for security open source software, race conditions and repojacking in GitHub, and more!

Application security

Stopping Business Logic Attacks: Why a WAF is no Longer Enough – Karl Triebes – ASW #255

September 18, 2023

The majority of attacks are now automated, with a growing number of attacks targeting business logic via APIs, which is unique to every organization. This shift makes traditional signature-based defenses insufficient to stop targeted business logic attacks on their own. In this discussion, Karl Triebes shares how flaws in business logic design can ...

CISA is primarily concerned with two scenarios: a piece of corrupted code that has become part of many different commercial and free software programs and the intentional targeting of a software provider in order to gain access to the IT environments of their customers downstream. (Image credit: zokara via Getty Image)

DevSecOps

CISA releases roadmap to support the open source software ecosystem

Derek B. JohnsonSeptember 12, 2023

The Cybersecurity and Infrastructure Security Agency officials hope plan will lead to better tracking and spur quick action when a vulnerability is disclosed.

Application security

Microsoft Dumps a Key, Grafana Logs a Key, URL Parsers Disagree, Old Bug in Ubuntu – ASW #254

September 11, 2023

A key compromised from a crash dump (and the many, many lessons that followed), more examples of mishandling secrets, URL parsing mismatches show path traversal works well in Rust, an old Linux kernel bug shows how brittle code can be (even when it's heavily audited), an example of keeping OSS projects alive, a quick note on BLASTPASS, and a look a...

Application security

Building a Scanner and a Community with Zed Attack Proxy – Simon Bennetts – ASW #254

September 11, 2023

Zed Attack Proxy is an essential tool for web app pentesting. The project just recently moved from OWASP to the Secure Software Project. Hear about the challenges of running an OSS security project, why Simon got involved in the first place, and why successful projects are about more than just code. Segment Resources: https://www.zaproxy.org/ ht...

Cloud Security

Broadening What We Call AppSec – Christien Rioux – ASW Vault

September 4, 2023

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on January 10, 2022. There's an understandable focus on "shift left" in modern DevOps and appsec discussions. So what does it take to broaden what we call appsec into something effective for modern apps, whether they're on the we...

DevSecOps

Related events

Dr. DevSecOps: A prescription for alleviating AppSec’s biggest pain points

Generative AI: Understanding the AppSec risks and how DAST can mitigate them

Platform for Platforms: Developing Modern Applications at the Edge

Related Videos

DevSecOps: A process of methods and mentality

Target’s Jodie Kautt on the benefit of innovation beyond the enterprise

The hard lessons of DevOps and security

Related Perspectives

Treat software release speed as an enabler for security

How AI should – and shouldn’t – assist code developers

Three ways to improve cloud security without slowing down developers

Briefs

Repojacking attack could impact thousands of GitHub repositories

First Pwn2Own Automotive contest to award over $1M for car system bugs

New data exfiltration attacks involving malicious NPM packages reported

Equifax’s Breach, CISA’s 1,000 Vulns, Rust’s TLS Library, Complexity vs. Design – ASW #256

Supply Chain Security Security with Containers and CI/CD Systems – Kirsten Newcomer – ASW #256

Azure’s Eight XSS Vulns, CNCF’s Two Security Audits, CISA’s OSS Roadmap, Repojacking – ASW #255

Stopping Business Logic Attacks: Why a WAF is no Longer Enough – Karl Triebes – ASW #255

CISA releases roadmap to support the open source software ecosystem

Microsoft Dumps a Key, Grafana Logs a Key, URL Parsers Disagree, Old Bug in Ubuntu – ASW #254

Building a Scanner and a Community with Zed Attack Proxy – Simon Bennetts – ASW #254

Broadening What We Call AppSec – Christien Rioux – ASW Vault