Application Security Weekly

We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. A the end we will cover how you can engage with the SAMM community and provide an overview of what happened at our latest SAMM User Day which happened on May 27th. Segment Resources:            -         Visit  for all the latest episodes! Follow us on Twitter:  Like us on Facebook:  Show Notes:

OWASP SAMM - Software Assurance Maturity Model - Sebastian Deleersnyder - ASW Vault

HTTP RFCs have evolved: A Cloudflare view of HTTP usage trends, Career Advice and Professional Development, Active Exploitation of Confluence CVE-2022-26134 Visit  for all the latest episodes! Follow us on Twitter:  Like us on Facebook:  Show Notes:

HTTP RFCs Have Evolved, Breaking Into Cloud, Scaling AppSec at Netflix, & Confluence - Keith Hoodlet - ASW Vault

We kick off the new year with a discussion of what we're looking forward to and what we're not looking forward to. Then we pick our favorite responses to "appsec in three words" and set our sights on a new theme for 2024. In the news, 23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more! Visit  for all the latest episodes! Follow us on Twitter:  Like us on Facebook:  Show Notes:

What's in Store for 2024? - ASW #268

It's time to start thinking about CFPs and presentations for 2024! Eve shares advice on delivering technical topics so that an audience can understand the points you want to make. Then we show how developing these presentation skills for conferences helps with presentations within orgs and why these are useful skills to build for your career. Visit  for all the latest episodes! Follow us on Twitter:  Like us on Facebook:  Show Notes:

Communicating Technical Topics Without Being Boring - Eve Maler - ASW #269

Where apps provide something of value, bots are sure to follow. Modern threat models need to include scenarios for bad bots that not only target user credentials, but that will also hoard inventory and increase fraud. Sandy shares her recent research as we talk about bots, API security, and what developers can do to deal with these. Segment resources     In the news, vulns throw a wrench in a wrench, more vulns drench Atlassian, vulns send GitLab back to the design bench, voting for the top web hacking techniques of 2023, and more! Visit  for all the latest episodes! Follow us on Twitter:  Like us on Facebook:  Show Notes:

Dealing with the Burden of Bad Bots - Sandy Carielli - ASW #270

We return to the practice of presentations, this time with a perspective from a conference organizer. And we have tons of questions! What makes a topic stand out? How can an old, boring topic be given new life? How do you prepare as a first-time presenter? What can conferences do to foster better presentations and new voices? Segment resources:      Vulns in Jenkins code and Cisco devices that make us think about secure designs, MiraclePtr pulls off a relatively quick miracle, code lasts while domains expire, an "Artificial Intelligence chip" from the 90s, and more! Visit  for all the latest episodes! Show Notes:

Getting Your First Conference Presentation - Sarah Harvey - ASW #271

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources:         Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Visit  for all the latest episodes! Show Notes:

Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272

We've been scanning code for decades. Sometimes scanning works well -- it finds meaningful flaws to fix. Sometimes it distracts us with false positives. Sometimes it burdens us with too many issues. We talk about finding a scanning strategy that works well and what the definition of "works well" should even be. Segment Resources:    LLMs improve fuzzing coverage, the Shim vuln threatens Linux secure boot, considering AI application threat models, a new language for a configuration file format, and more! Visit  for all the latest episodes! Show Notes:

Creating Code Security Through Better Visibility - Christien Rioux - ASW #273

Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models. Segment Resources: - Original blog:  - Open Sourced slides:  Show Notes:

Redefining Threat Modeling - Security Team Goes on Vacation - Jeevan Singh - ASW Vault

Farshad Abasi joins us again to talk about creating a new OWASP project, the Secure Pipeline Verification Standard. (Bonus points for not being a top ten list!) We talk about what it takes to pitch a new project and the problems that this new project is trying to solve. For this kind of project to be successful -- as in making a positive impact to how software is built -- it's important to not only identify the right audience, but craft guidance in a way that's understandable and achievable for that audience. This is also a chance to learn more about a project in its early days and the opportunities for participating in its development! Segment resources   (coming soon!)  PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more! Visit  for all the latest episodes! Show Notes:

Creating the Secure Pipeline Verification Standard - Farshad Abasi - ASW #274

The need for vuln management programs has been around since the first bugs -- but lots of programs remain stuck in the past. We talk about the traps to avoid in VM programs, the easy-to-say yet hard-to-do foundations that VM programs need, and smarter ways to approach vulns based in modern app development. We also explore the ecosystem of acronyms around vulns and figure out what's useful (if anything) in CVSS, SSVC, EPSS, and more. Segment resources:       -- For a bit of history, one of the earliest "bugs bounty" from 1995.  A SilverSAML example similar to the GoldenSAML attack technique, more about serializing AI models for Hugging Face, OWASP releases 1.0 of the IoT Security Testing Guide, the White House releases more encouragement to move to memory-safe languages, and more! Visit  for all the latest episodes! Show Notes:

The Simple Mistakes and Complex Seeds of a Vulnerability Management Program - Emily Fox - ASW #275

This week, we welcome Dave Ferguson, Director of Product Management and WAS at Qualys! Dave will discuss the issue of latent vulnerabilities and how they may linger in your custom-coded web applications and APIs, presenting an enticing target for attackers. In the Application Security News, GitLab Doles Out Half a Million Bucks to White Hats, How can we integrate security into the DevOps pipelines?, Go passwordless to strengthen security and reduce costs - and design your app to support these types of workflows, including account recovery. &nbsp; Show Notes: https://wiki.securityweekly.com/ASWEpisode89 To learn more, visit: https://securityweekly.com/qualys &nbsp; Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Backup & Restore - ASW #89

This week on Application Security Weekly, Mike Shema and Matt Alderman discuss Privacy by Design - The 7 Foundational Principles! In the Application Security News, Featured Flaws and Big Breaches, Cloud, Code and Controls (Python is dead. Long live Python!), Learning and Tools (Breaking Down the OWASP API Security Top 10), and Food for Thought (Facebook will stop mining contacts with your 2FA number, 6 Security Team Goals for DevSecOps in 2020, 7 security incidents that cost CISOs their jobs)! &nbsp; Show Notes: https://wiki.securityweekly.com/ASWEpisode90 Visit https://www.securityweekly.com/asw for all the latest episodes! &nbsp; Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Learn & Improve - ASW #90

This week, we welcome Hillel Solow, CTO at Check Point, to discuss The Evolution of DevSecOps and AppSec Trends in 2020! In the Application Security News, Policy and Disclosure: 2020 Edition, A look back &amp; forward for bug bounties over the past decade, 4 Ring Employees Fired For Spying on Customers, Exploit Fully Breaks SHA-1, Lowers the Attack Bar, The Open Source Licence Debate: Comprehension Consternations &amp; Stipulation Frustrations, Synopsys Buys Tinfoil, and Rotate Your Amazon RDS, Aurora, and Amazon DocumentDB (with MongoDB compatibility) Certificates! &nbsp; &nbsp; Show Notes:  Visit  for all the latest episodes! &nbsp; Follow us on Twitter:  Like us on Facebook:  &nbsp;

Carrot in the Cliff - ASW #91

This week in our first segment, Mike, Matt, and John, discuss Protecting Data in Apps and Protecting Apps from Data! In the Application Security News, PoC Exploits Published For Microsoft Crypto Bug disclosed by NSA, Introducing Microsoft Application Inspector, Vulnerability management requires good people and patching skills, and DevSecOps: 10 Best Practices to Embed Security into DevOps are more like 10 verbs related to DevOps responsibilities! &nbsp; Show Notes:  Visit  for all the latest episodes! &nbsp; Follow us on Twitter:  Like us on Facebook:

Warm & Fuzzy - ASW #92

This week, we welcome John Butler, Solutions Engineer at Guardsquare, to discuss Dynamically Protecting Mobile Applications with RASP! In the Application Security News, Insecure configurations expose GE Healthcare devices to attacks demonstrate more simple flaws with high impacts, NSA Offers Guidance on Mitigating Cloud Vulnerabilities, Enumerating Docker Registries with go-pillage-registries for pentesters searching for useful information, and more! &nbsp; Like us on Facebook:  To request a demo with Guardsquare, please visit:  &nbsp; Visit  for all the latest episodes! Follow us on Twitter:  Like us on Facebook:

Running Out of Fingers - ASW #93

This week, Mike, John, and Matt review the presentation given by Clint Gilber at AppSec Cali, An Opinionated Guide to Scaling Your Company's Security! In the Application Security News, Xbox Bounty Program, Magento 2.3.4 Patches Critical Code Execution Vulnerabilities, Remote Cloud Execution - Critical Vulnerabilities in Azure Cloud Infrastructure, RCE in OpenSMTPD library impacts BSD and Linux distros, Fintechs divided on screen scraping ban, and Zero trust architecture design principles! &nbsp; Show Notes:  Visit  for all the latest episodes! &nbsp; Follow us on Twitter:  Like us on Facebook:

Totally Thrilled - ASW #94

This week, Mike and John interview Shaun Lamb about strategies for how to best design applications so they are "secure by default" and have fewer incidents and vulnerabilities, and more! In the Application Security News, Dropbox bug bounty program has paid out over $1,000,000, Report Pins Cloud Security Woes on Flawed DevOps Processes, Ghost in the shell: Investigating web shell attacks, An Incident Impacting your Account Identity, and more! &nbsp; Show Notes:  Visit  for all the latest episodes! &nbsp; Follow us on Twitter:  Like us on Facebook:

The Toothbrush of Trust - ASW #95

This week, we welcome Doug DePerry, Director of Defense at Datadog, to discuss Lessons Learned From The DevSecOps Trenches! In the Application Security News, SweynTooth: Unleashing Mayhem over Bluetooth Low Energy, RetireJS, What Is DevSecOps and How to Enable It on Your SDLC? and more! &nbsp; Show Notes:  Visit  for all the latest episodes! &nbsp; Follow us on Twitter:  Like us on Facebook:

Over the Edge - ASW #96

This week, live from RSAC 2020, we interview Chris Eng, Chief Research Officer at Veracode! Chris provides an update on Veracode including 2019 growth, new product announcements, Veracode Security Labs, and booth activities at RSA Conference 2020! In the RSAC Application Security News, 6 of the 10 vendors at Innovation Sandbox are application security companies, F5 Empowers Customers with End-to-End App Security, Checkmarx Simplifies Automation of Application Security Testing for Modern Development and DevOps Environments, and more RSA Conference News! &nbsp; Show Notes:  Visit  for all the latest episodes! &nbsp; Follow us on Twitter:  Like us on Facebook:

Really Windy - ASW #97

Information security news, hacking, interviews, podcasts, live Internet TV, cocktails, and more!

Hack naked.