Application Security Weekly

Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier.

Segment Resources:

-https://github.com/ScottNorberg-NCG/CodeSheriff.NET

Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers.

Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have been working with ML and sensitive data sets for a long time, and it's good to have more scrutiny on what controls should be present to protect that data.

An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

What’s in store for appsec in 2025? Sure, there'll be some XSS and SQL injection, but what about trends that might influence how appsec teams plan? Cody Scott shares five cybersecurity and privacy predictions and we take a deep dive into three of them. We talk about finding value to appsec from AI, why IoT and OT need both programmatic and technical changes, and what the implications of the next XZ Utils attack might be.

Segment resources:

• https://www.forrester.com/blogs/predictions-2025-cybersecurity-risk-privacy/

Visit https://www.securityweekly.com/asw for all the latest episodes!

There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog.

Segment resources:

• https://github.com/ossf/scorecard
• https://www.commonhaus.org/
• https://www.hackergarten.net/

Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools to help them bring useful insights to developers.

Segment Resources:

• https://owasp.org/www-project-defectdojo/
• Three-quarters of CISOs surveyed reported being "overwhelmed" by the growing number of tools and their alerts: https://www.darkreading.com/cloud-security/cisos-throwing-cash-tools-detect-breaches
• As many as one-fifth of all cybersecurity alerts turn out to be false positives. Among 800 IT professionals surveyed, just under half of them stated that approximately 40% of the alerts they receive are false positives: https://www.securitymagazine.com/articles/97260-one-fifth-of-cybersecurity-alerts-are-false-positives
• 91% of organizations knowingly released vulnerable applications, 57% of vulnerabilities are left unresolved by developers, 32% of CISOs deploy vulnerable code in the hopes it won’t be discovered, 56% of developers struggle to prioritize vulnerability fixes: https://info.checkmarx.com/future-of-application-security-2024

Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and setting an example for transparency in security disclosures.

Segment resources

• https://youtu.be/ydg95R2QKwM

Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

00:00 Welcome to Application Security Weekly!

01:49 Meet the Experts

03:28 What Are Non-Human Identities?

06:17 Balancing Security & Usability

08:24 MFA Challenges & Admin Security

12:09 Navigating Breaking Changes

16:05 Security by Design in Action

18:42 Identity Management for Startups

20:18 Secure by Design: Real Impact

24:03 Transparency After a Critical Vulnerability

31:39 Looking Ahead to 2025

32:45 Application Security in Three Words

34:10 - Intro & Cyber Resilience Insights

35:30 - The 25-Year-Old Curl Bug Story

38:27 - Fuzzing for Security: A Missed Opportunity?

42:56 - AWS re:Invent Security Highlights

46:04 - NPM Malware Surge

50:43 - Small Packages, Big Risks in NPM

54:05 - Open Source Security Trends

58:37 - Microsoft MFA Vulnerability Explained

62:38 - Hardware Hacking & DMA Exploits

65:05 - Auditing Ruby’s Package Ecosystem

68:12 - Looking Ahead to 2025

We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage.

Segment resources

• https://prods.ec
• https://owasp.org/www-project-spvs/
• https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/
• https://securitychampions.owasp.org/
• https://deadliestwebattacks.com/appsec/2024/11/14/ai-and-llms-asw-topic-recap
• https://www.scworld.com/podcast-episode/3017-infosec-myths-mistakes-and-misconceptions-adrian-sanabria-asw-279

Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload, and how engaging users about their experience with solutions like OpenTelemetry makes for better software -- a lesson that appsec teams can apply to paved roads and security guardrails.

Segment Resources:

• https://opentelemetry.io
• https://cncf.io
• https://adri-v.medium.com/

Fuzzing barcodes and getting projects onboarded with fuzzers, using AI to guide fuzzers, using AI to combat scammers, using CWEs for something, using malicious comments to ban repos, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

This week's interview dives deep into the state of biometrics with two Forrester Research analysts!

This discussion compares and contrasts regional approaches to biometrics; examine the security challenges and benefits of their implementation; and reveal how biometrics holds the keys to a range of engagement models of the future.

Andras Cser dives into the technical end of things and explains how biometrics can be resilient to attack. We can't replace our fingerprints or faces, but as Andras explains, there's no need to, thanks to how biometrics actually work. Then, Enza takes us through the latest on privacy in biometrics - a concern for both consumers, and businesses tasked with complying with privacy regulations and avoiding costly fines.

Finally, get a sneak peek into the upcoming Forrester Security & Risk Summit. Whether you're an industry professional or just curious about the implications of biometrics, this episode delivers insights you won't want to miss!

This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us.

We also discuss whether Secure by Design's goals are practical or not.

OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet.

Also, Watchtowr has some fun with Citrix VDI!

Visit https://www.securityweekly.com/asw for all the latest episodes!