Dangerous Errors
  • The ASW April 2024 Recap May 3, 2024

    April brought shenanigans, limericks, an appsec version of aviation safety, and other intros that demonstrate how much we take security seriously.

    Cybersecurity Awareness Limerick Month (ep. 279)

    April 1st fell on a Monday this year and I couldn’t let the opportunity for fun go by.

    First, we revisited many infosec myths and misconceptions with Adrian Sanabria. We had talked with him last year on the same subject and wanted to find out if anything has improved (you can already guess the answer). Adrian walks through some examples and talks about why these might often be silly, but can also be harmful.

    Then we had our usual news segment. Well…usual for appsec events and articles from 2004 instead of 2024. You’d be surprised how relevant 20-year-old topics can be – and how little progress we’ve made on several of them. Give it a watch.

    XZ Utils Backdoor (ep. 280)

    Next up Farshad Abasi kindly returned to talk about the technical and social aspects of the XZ Utils backdoor. One thing we focused on was how organizations can put processes and controls in place now to defend against compromised packages. And, of course, that even though the social aspects of the XZ Utils attack were an impressive long con, that’s not the only way we’ve seen packages compromised. Nor is the challenge of malicious maintainers unique to open source.

    Appsec Taxes (ep. 281)

    Then we changed direction to career paths and advice from Karan Dwivedi on starting your appsec engineering career. He shared some of the technical skills he sees orgs value in modern appsec, as well as the social aspects (there’s that word again) of building relationships to learn about different roles. This is a topic we’ll definitely return to.

    Investing in Open Source (ep. 282)

    Speaking of open source, Mark Curphy and Simon Bennetts joined us to talk about how Crash Override’s Open Source Fellowship is helping Zed Attack Proxy shape its own future. Simon talked about the challenges in maintaining an open source project, especially in how the industry does – and notably does not – support such tools. Mark gave insights on finding a funding model for projects like ZAP and the trade-offs in approaches that orgs like OWASP and OpenSSF take.

    Software Supply Chains & AI (ep. 283)

    We wrapped up the month with Melinda Marks, who talked about her study on supply chain security. One of the takeaways is that companies seem to like to buy lots of tools, self-assess that they’re mature, then go on to list all sorts of challenges that cast doubt on how well they’re actually coordinating tools and processes.

    I also had fun with this intro, imagining if appsec wrote the aviation safety script you hear before takeoff. Check it out.

  • The ASW March 2024 Recap Apr 5, 2024

    March kicked off our planning for a Cybersecurity Awareness Limerick Month. If top 10 lists and PowerPoint presentations aren’t delivering, then maybe it’s time to try a new format for delivering awareness. Stay tuned and stay CALM. ;)

    Infosec Myths (ep. 275)

    Emily Fox walked us through the mistakes orgs make with vuln management, how they can manage risk without burning out devs, and why the boring basics make everything easier. She explains how orgs can be more comfortable with eventually fixing vulns instead of fighting every fire they see.

    The Case of Bad Appsec Advice (ep. 276)

    Lebin Cheng gave us an update on the state of API security and why they will remain a profitable target. After all, a lot of successful attacks have all the patterns of normal traffic – exercising business logic vulns rarely relies on the obvious payloads that stand out in things like XSS and other injection attacks.

    Cybersecurity Programs & Appsec (ep. 277)

    Tyler Von Moll gave us a perspective on starting a cybersecurity program and how appsec fits into that. We’re neither surprised nor disappointed (honestly!) that appsec isn’t the first thing every org should be doing. It’s eventually important and one of the things we try to do here is figure out how to define eventually.

    UX & Security (ep. 278)

    Benedek Gagyi closed out the month with our first in-depth discussion on how user experience (UX) impacts security. Despite being one of my favorite topics, we hadn’t given this nearly the attention it deserves. Benedek walks through some examples of how bad UX leads to behaviors that are against users’ interests and how good UX makes apps better.

  • The ASW February 2024 Recap Mar 1, 2024

    February brought us the Lunar New Year, a Leap Day, and more OWASP projects than we expected!

    The Case of the New Year (ep. 272)

    Grant Ongers kicked off our February shows with a preview of his new OWASP project – the Product Security Capability Framework. He explains how it relates to efforts like ASVS and SAMM and, importantly, why it’s not just another top 10 list.

    Year of the Wood Dragon (ep. 273)

    Then Christien Rioux talked about code scanning strategies and how better visibility into code translates to more meaningful flaws to pay attention to. He shares how seeing what’s running in prod and what prod systems are talking to helps dev teams far more than a long list of potential vulns.

    Pure Energy (ep. 223, replay)

    We went back to the vault for week three, bringing back a discussion on successful threat modeling with Jeevan Singh. Our focus wasn’t so much on the nuances of threat models, but the adjectives around them – successful and scalable. All too often appsec teams say “do threat modeling” and mistake an approach that works once with a process that needs to scale.

    Welcome to 2023 (ep. 224)

    As a mirror to the start of the month, Farshad Abasi joined us to talk about his upcoming OWASP project – the Secure Pipeline Verification Standard. One of the motivations for this was that, sure, there’s a top 10 list, but there are no solutions. It’s great to see more projects focusing on frameworks and design patterns that dev teams can follow to secure how code is compiled into artifacts and artifacts are sent to prod.

  • The ASW January 2024 Recap Feb 2, 2024

    January brings a new year and a new vision for appsec. Let’s leave behind lists and think less about shifting and more about expanding security.

    The Difference Engine (ep. 200, replay)

    The first show we posted for 2024 came from the vault. Back in July 2022 Keith Hoodlet came by to help celebrate the 200th episode. Keith started the show with episode 0. Since then he’s been blogging at securing.dev about #appsec (of course) and DevOps. Even though this is a news segment, two of the articles were about careers and career development – and surely still relevant today.

    Welcome to 2024 (ep. 268)

    In the first show we recorded for 2024, John Kinsella shared his take on “appsec in three words” along with a few favorite responses from last year’s guests. Then we talked about where we hope this year takes appsec and some topics that we hope to move on from. It’ll be no surprise to see more AI and supply chain items in the news. It’ll be even better if those items aren’t about more prompt injection or more shift left – some things can stay in 2023.

    Communicating Technical Topics Without Being Boring (ep. 269)

    Eve Maler returned with recommendations for communicating technical topics to different audiences. It’s part of the theme of presentations that we covered quite a bit in 2023. This time we focused on the importance of communication skills at work.

    Appsec Noise Pollution (ep. 270)

    Sandy Carielli is another guest we always love to have on the show. We talked about bad bots and their impact on products and the user experience – where there are items of value there are bots. Sandy also makes the point that value isn’t always in obvious items like concert tickets, limited edition clothing, and credentials. Bots can also drive inauthentic reviews and artificial popularity, which is as relevant to products as it is to politics.

    Getting Your First Conference Presentation (ep. 271)

    We wrapped up January with one last discussion on delivering presentations. This time Sarah Harvey gave a conference organizer’s perspective. Sarah shared some of her own techniques for crafting slides and giving a coherent conference talk. She also explained how conferences like BSides SF actively support new speakers by offering practice sessions and constructive feedback. Giving constructive feedback is its own skill and one that’s relevant to corporate environments in addition to conferences.

  • The ASW December 2023 Recap Jan 5, 2024

    December closed out another year of Application Security Weekly. Thank you to everyone who’s listened! We have more news, more guests, and more fun intros coming in 2024.

    More Kindling (ep. 265)

    John Kinsella keeps a list of news articles and topics to revisit six months later and the end of 2023 seemed like the right time to check that list out. We reviewed several articles from the past year to see if they elicited a yay or a yawn. Not surprisingly, LLMs were pretty common, followed by memory safety and projects adopting Rust.

    Walks Into a Bar... (ep. 266)

    We dipped into documentation in a conversation with Heather Flanagan about RFCs. She has deep experience with various standards processes and shared her insights on how standards come about, security considerations, and how standards try to avoid ambiguity. Even if you’re not usually reading RFCs (they’re not all dry and boring!), there are lessons here for all sorts of documentation related to software. Check out the show notes for some of our favorite RFCs.

    Search for a Clue (ep. 267)

    On our last recorded show of the year Idit Levine talked about making service meshes work for people – primarily as a means to increase observability for SREs, developers, and appsec teams. We talked about when and why organizations move from monorepos to service meshes, as well as when a monorepo should remain a monorepo.

    Dead Simple (ep. 154, replay)

    Since there was one more Monday in December, we squeezed in an episode from the vault. In June 2021 Seba Deleersnyder joined us to talk about the OWASP Software Assurance Maturity Model. It can be especially useful to small orgs and orgs trying to figure out a roadmap for building secure software.


Cybersecurity and more | © Mike Shema