Application Security Weekly
SubscribeThe Future of Zed Attack Proxy – Simon Bennetts, Ori Bendet – ASW #302
Zed Attack Proxy has been a crucial web app testing tool for decades. It's also had a struggle throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project.
Segment Resources:
- https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/
- https://www.zaproxy.org/blog/2024-09-30-improving-fuzzing-payloads-for-llms-with-fuzzai/
- https://checkmarx.com/press-releases/checkmarx-joins-forces-with-zap-to-supercharge-dynamic-application-security-testing-dast-for-the-enterprise-and-enhance-community-growth/
- KICS: https://github.com/Checkmarx/kics
- 2MS: https://github.com/Checkmarx/2ms
The many lessons to take away from a 24-year old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
More Car Hacks, CUPS Vulns, Microsoft’s SFI, Memory Safety, Password Complexity – Farshad Abasi – ASW #301
More remote car control via web interfaces, an RCE in CUPS, Microsoft reduces attack surface, migrating to memory safety, dealing with dependency confusion, getting rid of password strength calculators, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Vulnerable APIs and Bot Attacks: Two Interconnected, Growing Security Threats – David Holmes – ASW #300
APIs are essential to modern application architectures, driving rapid development, seamless integration, and improved user experiences. However, their widespread use has made them prime targets for attackers, especially those deploying sophisticated bots. When these bots exploit business logic, they can cause considerable financial and reputational damage. In this discussion, David Holmes offers insights into the latest trends in API and bot attacks and provides strategies to defend against these threats.
Segment Resources:
- The Economic Impact of API and Bot Attacks: https://www.imperva.com/resources/resource-library/reports/the-economic-impact-of-api-and-bot-attacks/
- The True Cost of API Insecurity and Bot Attacks in 2024: https://www.imperva.com/resources/resource-library/webinars/the-true-cost-of-api-insecurity-and-bot-attacks-in-2024/
This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them!
Fuzzing network traffic in OpenWRT, parsing problems lead to GitLab auth bypass, more fuzzing finds vulns in a JPEG parser, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Bringing Secure Coding Concepts to Developers – Dustin Lehr – ASW #299
When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that makes developers not only feel like their time is well used, but that the content appeals to them.
Segment Resources: - The Security Champion Program Success Guide -- A free guide that includes all steps necessary to build a successful security champion program, with real-world recommendations and examples: https://securitychampionsuccessguide.org/ - Let's Talk Software Security -- A free global virtual community where we host monthly open discussions on appsec topics: https://www.meetup.com/lets-talk-software-security/
A takeover of the MOBI TLD for $20, configuring an LLM for a CTF, firmware flaw in an SSD, Microsoft talks kernel resilience, six truths of cyber risk quantification, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Paying Down Tech Debt, Rust in Firmware, EUCLEAK, Deploying SSO – ASW #298
Considerations in paying down tech debt, make Rust work on bare metal, ECDSA side-channel in Yubikeys, trade-offs in deploying SSO quickly, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Close the Security Theater: Enter Resilience – Kelly Shortridge – ASW Vault
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023.
What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more.
Segment Resources:
Book -- https://securitychaoseng.com
Segments
Changing the Course of IoT’s Future from Its Insecure Past – Paddy Harrington – ASW #297
IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone.
Segment resources:
Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
The Fallout and Lessons Learned from the CrowdStrike Fiasco – Shimon Modi, Jeff Pollard, Allie Mellen, Boaz Barzel – ASW #296
This week, Jeff Pollard and Allie Mellen join us to discuss the fallout and lessons learned from the CrowdStrike fiasco. They explore the reasons behind running in the kernel, the challenges of software quality, and the distinction between a security incident and an IT incident. They also touch on the need to reduce the attack surface and the importance of clear definitions in the cybersecurity industry. The conversation explores the need for a product security revolution and the importance of transparency and trust in security vendors.
As development cycles shorten and more responsibilities shift to developers, application security (AppSec) is rapidly evolving. Organizations are increasingly building mature programs that automate and enhance AppSec, moving beyond manual processes. In this discussion, we explore how organizations are adapting their AppSec practices, highlighting the challenges and milestones encountered along the way.
Key topics include the integration of security into the development lifecycle, the impact of emerging technologies, and strategies for fostering a security-first culture. Boaz Barzel shares his experiences and offers practical advice on overcoming common obstacles, ensuring that security measures keep pace with rapid technological advancements. This segment serves as a comprehensive guide for organizations striving to enhance their AppSec practices and continuously optimize their posture.
This segment is sponsored by OX Security. Visit https://securityweekly.com/oxbh to learn more about them!
Given the rapid rise of threat actors utilizing AI for cyber-attacks, security teams need advanced AI capabilities more than ever.
Shimon will discuss how Dataminr’s Pulse for Cyber Risk uses Dataminr’s leading multi-modal AI platform to provide the speed and scale required to build enterprise resilience in the modern cyber threat environment. Dataminr's world-leading AI platform helps companies stay informed - performing trillions of daily computations across billions of public data inputs from more than one million unique public data sources encompassing text, image, video, audio and sensor signals to provide real-time information when you need it most.
https://www.dataminr.com/resources/on-demand-webinar/why-cyber-physical-convergence-really-matters
This segment is sponsored by Dataminr. Visit https://securityweekly.com/dataminrbh to learn more about their world-leading AI platform perform!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
When Appsec Needs to Start Small – Kalyani Pawar, Danny Jenkins, Nikos Kiourtis – ASW #295
Startups and small orgs don't have the luxury of massive budgets and large teams. How do you choose an appsec approach that complements a startup's needs while keeping it secure. Kalyani Pawar shares her experience at different ends of an appsec maturity spectrum.
In complex software ecosystems, individual application risks are compounded. When it comes to mitigating supply chain risk, identifying backdoors or unintended vulnerabilities that can be exploited in your environment is just as critical as staying current with the latest hacking intel. Understand how to spot and reduce the risk to your environment and prevent disruption to your operation.
This segment is sponsored by Threatlocker. Visit https://securityweekly.com/threatlockerbh for a free trial!
Every mobile device connecting to enterprise assets hosts a unique blend of work and personal apps, creating a complex landscape of innumerable vulnerabilities. Thankfully, methods exist to provide security teams with the real-world insights necessary to proactively address threats and shield against attacks targeting mobile apps and device endpoints. Nikos Kiourtis, CTO at Quokka, shares the latest findings in mobile security, outlining emerging threats and effective measures to reduce your mobile app attack surface – and safeguarding against potential attacks and data breaches.
Segment Resources: - Panelcast with SC Magazine: 8 ways attackers target mobile apps to steal your data (and how to stop them) https://www.scworld.com/cybercast/8-ways-attackers-target-mobile-apps-to-steal-your-data-and-how-to-stop-them - Ryan Johnson’s talk at DEF CON 32, “Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?” https://defcon.org/html/defcon-32/dc-32-speakers.html
This segment is sponsored by Quokka. Visit https://securityweekly.com/quokkabh to learn more about their intelligence app solutions!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Segments
Building Successful Security Champions Programs – Marisa Fagan – ASW #294
Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security.
Segment Resources:
- OWASP Security Champions Guide - Get Involved! - https://owasp.org/www-project-security-champions-guidebook/#div-getinvolved
- OWASP Security Champions Guide - LinkedIn page - https://www.linkedin.com/company/owasp-security-champions-guide/
- The Security Champions Success Guide - https://securitychampionsuccessguide.org/
- "Building a Successful Security Champions Program... What Does it Take?" - https://www.katilyst.com/post/building-a-successful-security-champions-program-what-does-it-take
The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more!
Visit https://www.securityweekly.com/asw for all the latest episodes!