Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more!

Show Notes: https://securityweekly.com/asw-313

There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog.

Segment resources:

• https://github.com/ossf/scorecard
• https://www.commonhaus.org/
• https://www.hackergarten.net/

Show Notes: https://securityweekly.com/asw-313

Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more!

Show Notes: https://securityweekly.com/asw-312

All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools to help them bring useful insights to developers.

Segment Resources:

• https://owasp.org/www-project-defectdojo/
• Three-quarters of CISOs surveyed reported being "overwhelmed" by the growing number of tools and their alerts: https://www.darkreading.com/cloud-security/cisos-throwing-cash-tools-detect-breaches
• As many as one-fifth of all cybersecurity alerts turn out to be false positives. Among 800 IT professionals surveyed, just under half of them stated that approximately 40% of the alerts they receive are false positives: https://www.securitymagazine.com/articles/97260-one-fifth-of-cybersecurity-alerts-are-false-positives
• 91% of organizations knowingly released vulnerable applications, 57% of vulnerabilities are left unresolved by developers, 32% of CISOs deploy vulnerable code in the hopes it won’t be discovered, 56% of developers struggle to prioritize vulnerability fixes: https://info.checkmarx.com/future-of-application-security-2024

Show Notes: https://securityweekly.com/asw-312

Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more!

00:00 - Intro & Cyber Resilience Insights 01:20 - The 25-Year-Old Curl Bug Story 04:17 - Fuzzing for Security: A Missed Opportunity? 08:46 - AWS re:Invent Security Highlights 11:54 - NPM Malware Surge 16:33 - Small Packages, Big Risks in NPM 19:55 - Open Source Security Trends 24:27 - Microsoft MFA Vulnerability Explained 28:28 - Hardware Hacking & DMA Exploits 30:55 - Auditing Ruby’s Package Ecosystem 34:02 - Looking Ahead to 2025

Show Notes: https://securityweekly.com/asw-311

Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and setting an example for transparency in security disclosures.

Segment resources

• https://youtu.be/ydg95R2QKwM

00:00 Welcome to Application Security Weekly! 01:49 Meet the Experts 03:28 What Are Non-Human Identities? 06:17 Balancing Security & Usability 08:24 MFA Challenges & Admin Security 12:09 Navigating Breaking Changes 16:05 Security by Design in Action 18:42 Identity Management for Startups 20:18 Secure by Design: Real Impact 24:03 Transparency After a Critical Vulnerability 31:39 Looking Ahead to 2025 32:45 Application Security in Three Words

Show Notes: https://securityweekly.com/asw-311

Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more!

Show Notes: https://securityweekly.com/asw-310

We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage.

Segment resources

• https://prods.ec
• https://owasp.org/www-project-spvs/
• https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/
• https://securitychampions.owasp.org/
• https://deadliestwebattacks.com/appsec/2024/11/14/ai-and-llms-asw-topic-recap
• https://www.scworld.com/podcast-episode/3017-infosec-myths-mistakes-and-misconceptions-adrian-sanabria-asw-279

Show Notes: https://securityweekly.com/asw-310

Fuzzing barcodes and getting projects onboarded with fuzzers, using AI to guide fuzzers, using AI to combat scammers, using CWEs for something, using malicious comments to ban repos, and more!

Show Notes: https://securityweekly.com/asw-309

Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload, and how engaging users about their experience with solutions like OpenTelemetry makes for better software -- a lesson that appsec teams can apply to paved roads and security guardrails.

Segment Resources:

• https://opentelemetry.io
• https://cncf.io
• https://adri-v.medium.com/

Show Notes: https://securityweekly.com/asw-309