“SBOM” should not exist! Long live the SBOM.
This article by Steve Springett, who is at the center of the software bill of materials universe, explains what an SBOM is and why they should exist.
In defense of simple architectures
As security professionals, we love simple because complex is hard to secure. This article is about a 1.7 billion dollar company that runs its web app as a Python monolith on top of Postgres and how this simplified architecture runs a successful application.
Alex Mor -- Application Risk Profiling at Scale
How do you manage appsec when you have thousands of applications in an enterprise? Alex Mor joined the Application Security Podcast to talk about application risk profiling. He defines what it is, then walks through how to scale across an organization.
HOW INFRASTRUCTURE AS CODE SHOULD FEEL
This article is all about feelings...infrastructure feeling. It dives into how your infrastructurous code should feel; it should feel safe, better, etc. Check it out to understand this new way of thinking.
Improving software supply chain security with tamper-proof builds
We all still, to this day, struggle with the software supply chain. This article, showing how to better create tamper-proof builds, dives into SLSA and the principles you can apply to your software supply chain to make it more secure.

3 Cultural Obstacles to Successful DevSecOps Implementation
When our goal is to change security culture we must consider how to influence our developers while still caring for their needs. This article shares helpful insight into implementing successful security culture change within an organization. 

Brenna Leath -- Product Security Leads: A different way of approaching Security Champions
Brenna Leath, head of product security at SAS, visited the Application Security Podcast to share her insight on security champions and how she approaches this role in her organization with product security leads. We hope you enjoy this conversation with...Brenna Leath.

How GO Mitigates Supply Chain Attacks
This post, from the GO blog, dives into how this coding language mitigates supply chain attacks.

GitHub can now auto-block commits containing API keys, auth tokens
It is vital to keep private information, such as API keys, passwords and authentication tokens, secure. GitHub recently released a new update that scans code for this sensitive information before committing the code to a repository.

If you're not using SSH certificates you're doing SSH wrong
If you use SSH without certificates, this story may make you uneasy. The author argues why we shouldn't be using SSH with anything other than certificates in the modern day.

1. An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy
-https://www.usenix.org/publications/l...

We conducted our review of threat modeling tools in three main phases: Tool Discovery, Evaluation Criteria Selection, and Application of Evaluation Criteria.

2. In-depth research and trends analyzed from 50+ different concepts as code
-https://www.jedi.be/blog/2022/02/23/t...

•DevSecOps as code explosion
•Data as code
•Capturing knowledge as code

3. Security Journey Provides Free Application Security Training Environment for OWASP® Members
-https://www.securityjourney.com/post/...

Security Journey’s OWASP dojo will be open and available to all OWASP members starting April 1st. Members can access it in their member portal.

4. GitHub - 99designs/aws-vault: A vault for securely storing and accessing AWS credentials in development environments
-https://github.com/99designs/aws-vault

AWS Vault is a tool to securely store and access AWS credentials in a development environment.

5. Avoiding the top Nginx configuration mistakes (nginx.com)
-https://www.nginx.com/blog/avoiding-t...

This blog takes a deep look at the 10 of the most common errors, 
sometimes even committed by NGINX engineers. The article will explain what are the 10 most common mistakes and how to fix them.

1. Is it safe to use SECRETS_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED?
- https://datasociety.net/wp-content/up...

This first story is a react development issue. A developer was asking if a specific property was safe to use. This shows the importance of naming in understanding the security risks when using specific properties.

2. Adam Shostack -- Fast, cheap, and good threat models
-https://www.securityjourney.com/podca...
Adam is very well known in the world of threat modeling as a thought leader. This is his take on some new approaches he wants everyone in the industry to understand.

3. SHA-256 explained step-by-step visually
- https://sha256algorithm.com/

This is a website that will describe how SHA-256 works. Hashing algorithms are a critical part of how we protect information whether it is at rest or in transit. This is a fascinating way to go through the steps and understand how they work.

4. Over 28,000 Vulnerabilities Disclosed in 2021: Report
- https://sha256algorithm.com/

This article is describing a report published by Risk Based Security highlighting the 28,000 vulnerabilities that were disclosed in 2021. It shows that not much has changed since 2020, but check it out to see all the details.

5. Known exploited vulnerabilities catalog
- https://www.cisa.gov/known-exploited-...

This is the Know Exploited Vulnerabilities Catalog from CISA. There was a pointer in the previous story to the site as a resource to search and stay up to date on different exploitable vulnerabilities and their remediations.

Bounty Everything
This ebook has in-depth explanations of how bug bounties work, how the economy works within the bug bounty, and how the researchers are paid and treated.
Understanding Website SQL Injections
A high-level deep dive into SQL injection, so even those that have no understanding of what an injection attack is can learn how they work.
Mazin Ahmed -- Terraform Security
Terraform is all the rage in the infrastructurous code world. Mazin walks through all things you need to understand about terraform, the security challenges and where to learn more in this episode of the Application Security Podcast.
10 real-world stories of how we've compromised CI/CD pipeline
We all have CI/CD pipelines that we are using in a DevOps world to build our production software; those pipelines have vulnerabilities. Check out these real-world examples to become more educated about the security issues you need to care about.
Cryptocurrencies: Tracing the evolution of criminal finances
This Intelligence Notification provides an overview of the illicit use of cryptocurrencies, including those services that facilitate their illicit use, illustrating relevant modi opzerandi using case examples. 

5% of 666 Python repos had comma typos (including Tensorflow, PyTorch, Sentry, and V8)​
Out of a group of GitHub repositories that had been checked, 5% had a comma problem. Either too few or too many commas somewhere in the library.

Advanced SQL Injection Cheatsheet​
This repository contains an advanced methodology of all types of SQL Injection.​ MySQL, PostgreSQL, Oracle, and MSSQL​

10 Threats ebook
Read about the eBook on 10 Greatest Threats to Your Application’s Security 2021 version.

Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps ​
The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents.

How I Discovered Thousands of Open Databases on AWS​
My journey on finding and reporting databases with sensitive data about Fortune-500 companies, Hospitals, Crypto platforms, Startups during due diligence, and more.

1.Fuzzing for XSS via nested parsers condition-https://swarm.ptsecurity.com/fuzzing-...

In this article web application security researcher, Igor Sak-Sakovskiy reveals a novel technique for finding sanitization issues that could lead to XSS attacks.

2.Anti-Patterns in Cybersecurity Management-https://systemweakness.com/anti-patte...

In this article, this author walks through the most memorable anti-patterns he's seen recurring in cybersecurity management.

3.OWASP Top 10 Peer Review-http://www.securityjourney.com/podcas...

Robert and Chris break down the OWASP Top 10 2021 Peer Review Edition in this episode of the Application Security Podcast. They walk through and give their insights, highlight the things that stood out and ask questions.

4.My first impressions of web3 - https://moxie.org/2022/01/07/web3-fir...

Security researcher and entrepreneur, Moxie Marlinspike recently explored web3. He shares what he's learned about how web3 works from the inside out.

5.How a routine gem update ended up creating $73k worth of subscriptions- https://serpapi.com/blog/how-a-routin...
This is the story of how a company attempted to deploy what looked like an innocent gem update but ended up costing them $73k. In less than an hour, 474 new subscribers had been mistakenly added to their service.

ZAPping the OWASP Top 10

This document gives an overview of the automation and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2021 risks. 

AWS Is the Internet's Biggest Single Point of Failure

In December, several services on the internet ground to a halt because of an outage at some Amazon Web Services cloud servers. The outage affected Netflix, Disney Plus, PUBG, League of Legends, Ring security cameras, as well as Amazon products and delivery infrastructure. The outage only lasted a few hours, but it showed the world just how much the internet depends on Amazon's infrastructure.  

Eran Kinsbruner -- DevSecOps Continuous Training

Eran joins the Application Security Podcast to talk about the role of testing in a secure software pipeline. They talk about the intersection of security and quality, challenges in getting started, and even a brief conversation about how SAST is used to check automotive software. 

Find the root cause of your productivity problem with the "5 Whys" technique

The 5 Whys technique was developed in the 1930s by Sakichi Toyoda, the founder of the automotive manufacturer Toyota Industries. The idea is simple: ask "why" 5 times, until you get to the root cause of your issue. It's not dissimilar to a kid who exasperates their parents by continually creating "why"... but the benefits can be transformative!

Why I'm Using HTTP Basic Auth in 2022

Building an entire login system from scratch can be a significant investment and creates a major barrier to entry.  It's prevented me from building useful tools because they would require a login. 

Exploring Container Security: A Storage Vulnerability Deep Dive - https://security.googleblog.com/2021/...

Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host file system outside the boundaries of the mounted volume. Remember, vulnerabilities can exist deep within the internals of Kubernetes.

Really Stupid “Smart Contract” Bug Let Hackers Steal $31 Million In Digital Coin - https://arstechnica.com/information-t...

An accounting error built into the company's software let an attacker inflate the MONO tokens price and then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol.

Thinking back, Looking forward – A Balanced Approach to Securing our Software Future - https://www.buzzsprout.com/1730684/88...

Keven Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He and Chris discussed software security from the past into the future. They cover how to make security easier for devs, SBOM, software minimalism, and so much more in this episode of the Application Security Podcast.

Security Metrics that Count - https://www.twilio.com/blog/security-...

Metrics can be challenging. Twilio uses security metrics to drive change within their organization, celebrate improvements over time to help better protect their customers, and measure their security program.

Playbook for Threat Modeling Medical Devices - https://www.mitre.org/publications/te...

The "Playbook for Threat Modeling Medical Devices" was developed further to increase knowledge of threat modeling throughout the medical device ecosystem and strengthen the cybersecurity and safety of medical devices.

How to Learn Stuff Quickly: https://www.joshwcomeau.com/blog/how-...
Learning how to learn is a crucial skill of the security professional and developer

Never Update Anything: https://blog.kronis.dev/articles/neve...
"In my eyes, it could be pretty nice to have a framework version that's supported for 10-20 years and is so stable that it can be used with little to no changes for the entire expected lifetime of a system."

Bridges fall down due to insecure design - make sure your web applications don't: https://www.securityjourney.com/post/...
This principle also applies to web applications, which is why the new #4 on the OWASP Top 10 2021 list is Insecure Design. ​

Pin exact dependency versions: https://betterdev.blog/pin-exact-depe...
Use a dependency manager that creates a lock file and commits it to the repository. Even then, pin your dependencies - explicitly specify their exact versions.

Financial services need to prioritize API security to protect their customers: https://www.helpnetsecurity.com/2021/...
Given this growing trend, Knight focused her vulnerability research on the financial services and FinTech companies and was able to access 55 banks through their API's, giving her the ability to change customers' PIN codes and move money in and out of customers accounts.