Application Security Weekly
Listen to the Application Security Weekly podcast for interviews and news on everything appsec — and more!
Hosted by @mutantzombie.bsky.social, @jlk.bsky.social, and Kalyani Pawar.
- Here’s the March recap while I finish writing up what we did in April. #appsec dangerouserrors.com/appsec/2025/...
- At the end of every episode I mention a favorite #synthwave track. Because music makes everything better, even #appsec. And since it’s @bandcamp.com Friday, you can make a musician’s day better by supporting their work and grabbing a track (or two or three). dangerouserrors.com/synthwave-sh...
- It’s @bandcamp.com Friday, which is an excellent Friday for supporting musicians. Buy a track. Buy an album. Enjoy some new music. And if you like #synthwave (and adjacent) tunes, check out this list for a few ideas. dangerouserrors.com/synthwave-sh...
- Find more episodes, recaps, and some random #appsec reading on the blog. dangerouserrors.com
- One of my goals this year is to figure out a cost-benefit analysis of fuzzing vs. LLMs vs. grep. Later on in this episode Keith Hoodlet shared where he's seeing (and not seeing) #appsec potential from LLMs. Articles and episode at www.scworld.com/podcast-epis... youtu.be/zn3LT4BqOJo?...
- Historical context for the "BadSeek" post by Shrivu Shankar (blog.sshh.io/p/how-to-bac...). He tweaked model weights to subtly introduce a backdoor into generated code, regardless of prompt, and noted the difficulty in detecting such manipulation. youtube.com/shorts/nB_KK...
- Memory safe code was having an unsafe design week this week. News articles and notes at www.scworld.com/podcast-epis... www.youtube.com/watch?featur...
- Sure, LLMs are helping devs write code, but is it secure code? How are LLMs helping #appsec teams? Keith Hoodlet returned to talk about those questions and put the capabilities of LLMs into perspective. Show notes at www.scworld.com/podcast-epis... youtu.be/zn3LT4BqOJo?...
- There's no better place to discover the impact of logic flaws than in the cryptocurrency space, where every token is its own self-funding bug bounty and every contract is a gamble in correctness. Show notes: www.scworld.com/podcast-epis... youtu.be/0GlIbGgi1OY?...
- Find episodes, recaps, and some random #appsec thoughts on the blog. deadliestwebattacks.com
- From Skype's embrace of e2ee to the recent Wallbleed research against the GFW, there are tons of reasons why #appsec is not a myopic technical topic. It reminds me of an old joke about oversimplifying models. We shouldn't treat appsec as a spherical CVE in a vacuum. youtu.be/Cbzthj0s44I?...
- CISA has been pushing for more software to be secure by design and secure by default. Jack Cable shares how CISA chose to frame their Secure by Design principles and encourage businesses to improve their software quality. Show notes at www.scworld.com/podcast-epis... youtu.be/fjc2zqEFcAI?...
- I’ll be hosting the Qualys Cyber Risk Series: AppSec Edition tomorrow at 9am PT! Join me and experts in the #AppSec and #APISecurity space as we discuss the latest trends, threats, and techniques to stay ahead. Register now: qualys.brighttalk.com?utm_source=i... #Qualys #CyberRiskSeries
- Your operating system has curl on it. Your toaster probably has curl on it. The moon likely will have curl on it soon. And you can't spell curl without C... @daniel.haxx.se explains how curl keeps its code secure and some of the #appsec friction it has had to deal with. youtu.be/0UavY_kKKic
- *shakes fist* It has been 0 weeks since we did not mention AI and LLMs. But I think we added helpful angles to what a secure architecture can look like for using them and what the implications are for backdoors like BadSeek. Show notes at www.scworld.com/podcast-epis... youtu.be/TIxLvtCT-CE?...
- I love the "cookie sandwich" because it combines parsing, implementation mismatches, and finding new flaws in old (yet pervasive) tech. In our chat about the top 10 web hacking techniques of 2024, James talked about cookies and finding inspiration for research topics. youtu.be/8XEK3NkbKOA?...
- For me, prompt injection is the new XSS. The techniques and payloads are fun, they inspire creative thinking, but they're ultimately a lot of noise to be filtered with an effective framework like the examples we mentioned here. Show notes: www.scworld.com/podcast-epis... youtu.be/TIxLvtCT-CE
- We're almost at 20 years of celebrating web hacking techniques. @jameskettle.com shares his favorites from 2024, the list's importance to the web hacking community, and what inspires the kind of research it highlights. List at portswigger.net/research/top... youtu.be/8XEK3NkbKOA?...
- Scott Norberg's goal for pentesting really resonated with me. "I view it as my job not to find all the instances of three different classes of vulnerabilities; it's to find as many different classes of vulnerabilities as I can." www.youtube.com/clip/Ugkx0N9...
- Kalyani and I reviewed the "unforgivable" criteria in the recent article from @ncsc.gov.uk. We applied it to vulns in the news, with some easy ones like DeepSeek disabling ATS on iOS. But then the categories get messier... Show notes: www.scworld.com/podcast-epis... youtu.be/AVkucIviAnI?...
- Code scanning is an ancient #appsec practice. Grep and regexes still work, but grep can't follow control flows and regexes aren't semantic parsers. Scott Norberg talks about his experience looking for a scanner against .NET code and why he ended up writing his own. www.scworld.com/podcast-epis...
- We had a busy January! And we're getting ready to record once again this Monday. deadliestwebattacks.com/appsec/2025/...