Daily cybersecurity news for practitioners. Vulnerabilities, defenses, threats, network security insight, research and more to make you sound smarter as you get to the office in the morning. New each weekday.
…
continue reading
Player FM - Internet Radio Done Right
51 subscribers
Checked 3d ago
Added seven years ago
Content provided by Security Weekly Productions and Security Weekly. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Security Weekly Productions and Security Weekly or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
Similar to Application Security Weekly (Video)
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Windows Weekly is about more than Windows. Veteran Microsoft insiders Paul Thurrott and Richard Campbell join Leo for a deep dive into the most valuable company in the world. From consumer to enterprise, AI to Xbox, Windows Weekly is the only Microsoft podcast you'll ever need. Records live every Wednesday at 2:00pm Eastern / 11:00am Pacific / 18:00 UTC.
…
continue reading
Welcome to the Security Weekly Podcast Network, your all-in-one source for the latest in cybersecurity! This feed features a diverse lineup of shows, including Application Security Weekly, Business Security Weekly, Paul's Security Weekly, Enterprise Security Weekly, and Security Weekly News. Whether you're a cybersecurity professional, business leader, or tech enthusiast, we cover all angles of the cybersecurity landscape. Tune in for in-depth panel discussions, expert guest interviews, and ...
…
continue reading
Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.
…
continue reading
Technical interviews about software topics.
…
continue reading
Ever wondered how automation will change the world? Maybe you puzzle over what India could do to ease traffic congestion, or how China's aircraft carriers will transform Indian Ocean geopolitics? All Things Policy, a daily podcast brought to you by the Takshashila Institution, brings you all the answers. Every weekday, our researchers break down complex economic and geopolitical ideas through the lens of current events. For everyone from the busy executive to the curious student, All Things ...
…
continue reading
Tech News Briefing is your guide to what people in tech are talking about. Every weekday, we’ll bring you breaking tech news and scoops from the pros at the Wall Street Journal, insight into new innovations and policy debates, tips from our personal tech team, and exclusive interviews with movers and shakers in the industry.
…
continue reading
America is divided, and it always has been. We're going back to the moment when that split turned into war. This is Uncivil: Gimlet Media's new history podcast, hosted by journalists Jack Hitt and Chenjerai Kumanyika. We ransack the official version of the Civil War, and take on the history you grew up with. We bring you untold stories about covert operations, corruption, resistance, mutiny, counterfeiting, antebellum drones, and so much more. And we connect these forgotten struggles to the ...
…
continue reading
Industry expert Mikah Sargent, brings you interviews from tech journalists who make or break the top stories of the week. Get the freshest perspective and in depth insight into the fast-paced world of technology from Tech News Weekly. Records every Thursday at 2:00pm Eastern / 11:00am Pacific / 18:00 UTC.
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
))
Daily Deals
Podcasts Worth a Listen
SPONSORED
T
The Final Flight of Captain Forrester
1 The Final Flight of Captain Forrester | 1. The Mystery of Tiny 05 38:05
38:05 
Play Later 
Play Later 
Lists 
Like 
Liked38:05
Play Later
Play Later
Lists
Like
LikedIn late 1972, U.S. Marine Captain Ron Forrester disappeared on a bombing run into North Vietnam. Back home in Texas, his family could only wait and hope. Audio subscribers to Texas Monthly can get early access to episodes of the series, plus exclusive interviews and audio. Visit texasmonthly.com/audio to join.…
Managing Secrets - Vlad Matsiiako - ASW #327
Manage episode 478428348 series 2086046
Content provided by Security Weekly Productions and Security Weekly. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Security Weekly Productions and Security Weekly or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should be based on secure, efficient mechanisms rather than putting all the burden on users. And it also means that managing secrets shouldn't become an unmanaged risk with new attack surfaces or new points of failure.
Segment Resources:
- https://infisical.com/blog/solving-secret-zero-problem
- https://infisical.com/blog/gitops-secrets-management
Show Notes: https://securityweekly.com/asw-327
657 episodes
ShareManage episode 478428348 series 2086046
Content provided by Security Weekly Productions and Security Weekly. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Security Weekly Productions and Security Weekly or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should be based on secure, efficient mechanisms rather than putting all the burden on users. And it also means that managing secrets shouldn't become an unmanaged risk with new attack surfaces or new points of failure.
Segment Resources:
- https://infisical.com/blog/solving-secret-zero-problem
- https://infisical.com/blog/gitops-secrets-management
Show Notes: https://securityweekly.com/asw-327
657 episodes
All episodes
×
A
Application Security Weekly (Video)
1 Secure Designs, UX Dragons, Vuln Dungeons - Jack Cable - ASW #328 44:08
44:08 Play Later Play Later Lists Like Liked44:08
Play Later Play Later Lists Like LikedIn this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons. But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable join the discussion to provide advice on evaluating secure designs through examples of strong and weak designs we've seen over the years. We highlight the importance of designing systems to serve users and consider what it means to have a secure design with a poor UX. As we talk about the strategy and tactics of secure design, we share why framing this as a challenge in preventing dangerous errors can help devs make practical engineering decisions that improve appsec for everyone. Resources https://owasp.org/Top10/A04 2021-Insecure Design/ https://dl.acm.org/doi/10.5555/1251421.1251435 https://www.threatmodelingmanifesto.org https://www.ietf.org/rfc/rfc9700.html https://www.cisa.gov/resources-tools/resources/secure-by-design Show Notes: https://securityweekly.com/asw-328…
A
Application Security Weekly (Video)
1 Managing Secrets - Vlad Matsiiako - ASW #327 1:03:03
1:03:03 Play Later Play Later Lists Like Liked1:03:03
Play Later Play Later Lists Like LikedSecrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should be based on secure, efficient mechanisms rather than putting all the burden on users. And it also means that managing secrets shouldn't become an unmanaged risk with new attack surfaces or new points of failure. Segment Resources: https://infisical.com/blog/solving-secret-zero-problem https://infisical.com/blog/gitops-secrets-management Show Notes: https://securityweekly.com/asw-327…
A
Application Security Weekly (Video)
1 More WAFs in Blocking Mode and More Security Headaches from LLMs - Sandy Carielli, Janet Worthington - ASW #326 1:14:45
1:14:45 Play Later Play Later Lists Like Liked1:14:45
Play Later Play Later Lists Like LikedThe breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a secure environment and why so many orgs still look to tools. And with LLMs writing so much code, we continue to look for ways LLMs can help appsec in addition to all the ways LLMs keep recreating appsec problems. Resources https://www.forrester.com/blogs/breaches-and-lawsuits-and-fines-oh-my-what-we-learned-the-hard-way-from-2024/ https://www.forrester.com/blogs/wafs-are-now-the-center-of-application-protection-suites/ https://www.forrester.com/blogs/are-you-making-these-devsecops-mistakes-the-four-phases-you-need-to-know-before-your-code-becomes-your-vulnerability/ In the news, crates.io logging mistake shows the errors of missing redactions, LLMs give us slopsquatting as a variation on typosquatting, CaMeL kicks sand on prompt injection attacks, using NTLM flaws as lessons for authentication designs, tradeoffs between containers and WebAssembly, research gaps in the world of Programmable Logic Controllers, and more! Show Notes: https://securityweekly.com/asw-326…
A
Application Security Weekly (Video)
1 In Search of Secure Design - ASW #325 1:07:36
1:07:36 Play Later Play Later Lists Like Liked1:07:36
Play Later Play Later Lists Like LikedWe have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure. Segment resources https://owasp.org/Top10/A04 2021-Insecure Design/ https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/securebydesign https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/ Show Notes: https://securityweekly.com/asw-325…
A
Application Security Weekly (Video)
1 Avoiding Appsec's Worst Practices - ASW #324 1:11:19
1:11:19 Play Later Play Later Lists Like Liked1:11:19
Play Later Play Later Lists Like LikedWe take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Show Notes: https://securityweekly.com/asw-324…
A
Application Security Weekly (Video)
1 Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323 54:08
54:08 Play Later Play Later Lists Like Liked54:08
Play Later Play Later Lists Like LikedLLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans. Segment resources: https://securing.dev/posts/ai-security-reasoning-and-bias/ https://seclists.org/dailydave/2025/q1/0 https://arxiv.org/pdf/2409.16165 https://arxiv.org/pdf/2410.05229 https://nicholas.carlini.com/writing/2025/thoughts-on-future-ai.html Show Notes: https://securityweekly.com/asw-323…
A
Application Security Weekly (Video)
1 Redlining the Smart Contract Top 10 - Shashank - ASW #322 53:01
53:01 Play Later Play Later Lists Like Liked53:01
Play Later Play Later Lists Like LikedThe crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Resources: https://scs.owasp.org https://scs.owasp.org/sctop10/ https://solidityscan.com/web3hackhub https://www.web3isgoinggreat.com Show Notes: https://securityweekly.com/asw-322…
A
Application Security Weekly (Video)
1 Skype Hangs Up, Android Backdoors, Jailbreak Research, Pretend AirTags, Wallbleed - ASW #321 33:17
33:17 Play Later Play Later Lists Like Liked33:17
Play Later Play Later Lists Like LikedSkype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Show Notes: https://securityweekly.com/asw-321
A
Application Security Weekly (Video)
1 CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321 40:34
40:34 Play Later Play Later Lists Like Liked40:34
Play Later Play Later Lists Like LikedJust three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Show Notes: https://securityweekly.com/asw-321…
A
Application Security Weekly (Video)
1 QR Codes Replacing SMS, MS Pulls VSCode Extension, Threat Modeling, Bybit Hack - ASW #320 33:55
33:55 Play Later Play Later Lists Like Liked33:55
Play Later Play Later Lists Like LikedGoogle replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Show Notes: https://securityweekly.com/asw-320
A
Application Security Weekly (Video)
1 Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320 35:08
35:08 Play Later Play Later Lists Like Liked35:08
Play Later Play Later Lists Like LikedCurl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects in the world. Segment Resources: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/ https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/ https://thenewstack.io/curls-daniel-stenberg-on-securing-180000-lines-of-c-code/ Show Notes: https://securityweekly.com/asw-320…
A
Application Security Weekly (Video)
1 Regex DoS, LLM Backdoors, Secure AI Architectures, Rust Survey - ASW #319 36:26
36:26 Play Later Play Later Lists Like Liked36:26
Play Later Play Later Lists Like LikedApplying forgivable vs. unforgivable criteria to reDoS vulns, what backdoors in LLMs mean for trust in building software, considering some secure AI architectures to minimize prompt injection impact, developer reactions to Rust, and more! Show Notes: https://securityweekly.com/asw-319
A
Application Security Weekly (Video)
1 Developer Environments, Developer Experience, and Security - Dan Moore - ASW #319 33:56
33:56 Play Later Play Later Lists Like Liked33:56
Play Later Play Later Lists Like LikedMinimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of this means for security. Show Notes: https://securityweekly.com/asw-319…
A
Application Security Weekly (Video)
1 Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318 44:57
44:57 Play Later Play Later Lists Like Liked44:57
Play Later Play Later Lists Like LikedWe're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly. Segment Resources: Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024 Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open Project overview: https://portswigger.net/research/top-10-web-hacking-techniques Show Notes: https://securityweekly.com/asw-318…
A
Application Security Weekly (Video)
1 Unforgivable Vulns, DeepSeek iOS App Security Flaws, Memory Safety Standards - ASW #317 35:52
35:52 Play Later Play Later Lists Like Liked35:52
Play Later Play Later Lists Like LikedIdentifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more! Show Notes: https://securityweekly.com/asw-317
Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.
Daily Deals
Daily Deals
Similar to Application Security Weekly (Video)
Daily cybersecurity news for practitioners. Vulnerabilities, defenses, threats, network security insight, research and more to make you sound smarter as you get to the office in the morning. New each weekday.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Windows Weekly is about more than Windows. Veteran Microsoft insiders Paul Thurrott and Richard Campbell join Leo for a deep dive into the most valuable company in the world. From consumer to enterprise, AI to Xbox, Windows Weekly is the only Microsoft podcast you'll ever need. Records live every Wednesday at 2:00pm Eastern / 11:00am Pacific / 18:00 UTC.
…
continue reading
Welcome to the Security Weekly Podcast Network, your all-in-one source for the latest in cybersecurity! This feed features a diverse lineup of shows, including Application Security Weekly, Business Security Weekly, Paul's Security Weekly, Enterprise Security Weekly, and Security Weekly News. Whether you're a cybersecurity professional, business leader, or tech enthusiast, we cover all angles of the cybersecurity landscape. Tune in for in-depth panel discussions, expert guest interviews, and ...
…
continue reading
Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.
…
continue reading
Technical interviews about software topics.
…
continue reading
Ever wondered how automation will change the world? Maybe you puzzle over what India could do to ease traffic congestion, or how China's aircraft carriers will transform Indian Ocean geopolitics? All Things Policy, a daily podcast brought to you by the Takshashila Institution, brings you all the answers. Every weekday, our researchers break down complex economic and geopolitical ideas through the lens of current events. For everyone from the busy executive to the curious student, All Things ...
…
continue reading
Tech News Briefing is your guide to what people in tech are talking about. Every weekday, we’ll bring you breaking tech news and scoops from the pros at the Wall Street Journal, insight into new innovations and policy debates, tips from our personal tech team, and exclusive interviews with movers and shakers in the industry.
…
continue reading
America is divided, and it always has been. We're going back to the moment when that split turned into war. This is Uncivil: Gimlet Media's new history podcast, hosted by journalists Jack Hitt and Chenjerai Kumanyika. We ransack the official version of the Civil War, and take on the history you grew up with. We bring you untold stories about covert operations, corruption, resistance, mutiny, counterfeiting, antebellum drones, and so much more. And we connect these forgotten struggles to the ...
…
continue reading
Industry expert Mikah Sargent, brings you interviews from tech journalists who make or break the top stories of the week. Get the freshest perspective and in depth insight into the fast-paced world of technology from Tech News Weekly. Records every Thursday at 2:00pm Eastern / 11:00am Pacific / 18:00 UTC.
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
