Application Security WeeklySubscribe
Application security, AI/ML, DevSecOps

Microsoft Recall’s Security & Privacy, Hacking Web APIs, Secure Design Pledge – ASW #288

Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more!

Full episode and show notes

Announcements

  • Follow Security Weekly Productions on LinkedIn for exclusive show clips, insights, and updates across our organization! Stay connected with our hosts and fellow community members, and join the conversation that's shaping the future of cybersecurity.

Hosts

Tech Lead at Block
  1. 1. Update on the Recall preview feature for Copilot+ PCs | Windows Experience Blog
  2. 2. Hacking Millions of Modems (and Investigating Who Hacked My Modem)
  3. 3. Taking Down Big Laundry – Slug Security
  4. 4. Risky Biz News: The Linux CNA mess

    How do we want to use CVEs? What makes them useful?

  5. 5. Microsoft overhaul treats security as ‘top priority’ after a series of failures – The Verge

    Resources

  6. 6. Secure by Design Pledge | CISA

    Goals

    • MULTI-FACTOR AUTHENTICATION (MFA)
    • DEFAULT PASSWORDS
    • REDUCING ENTIRE CLASSES OF VULNERABILITY
    • SECURITY PATCHES
    • VULNERABILITY DISCLOSURE POLICY
    • CVES
    • EVIDENCE OF INTRUSIONS
  7. 7. Evolving the Go Standard Library with math/rand/v2 – The Go Programming Language

    Example of secure design considerations

  8. 8. Real World Cryptography Conference 2024 | NCC Group Research Blog

    “Making Signal Messenger Post Quantum / Making Encrypted Messaging Post Quantum” is another example of secure design.

  9. 9. [HISTORY] Announce: Personal Home Page Tools (PHP Tools)

    Announcing the Personal Home Page Tools (PHP Tools) version 1.0. on June 8, 1995.

AVP Application Security at PRA Group
Senior Engineering Leader at AWS
  1. 1. Intel whitepaper: Hardware Features and Behavior Related to Speculative Execution

    Since we first learned of speculative execution bugs several years ago, there have been many attempts to mitigate. Intel's put a paper together with their hardware capabilities in this space

  2. 2. 20% of Rust Crates use Unsafe keyword

    In Rust, Unsafe is a sudo-type of thing - allowing a programmer to do things which they language attempts to prevent - accessing out-of-scope memory.

    I translate this as 20% of Rust programmers are lazy, or don't fully understand the language.

  3. 3. Path traversal in tar extract in intel cve-bin-tool

    In celebration of return of the news, a ../.. just for Mike.

  4. 4. Netflix hits $1M bug bounty payout

    It's the new unicorn.

Related

AI fixes everything, C++ the actual worst, IAM is hard – ASW #308

This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us. We also discuss whether Secure by Design's goals are practical or not. OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet. Also, Wat...