Application Security Weekly

The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a secure environment and why so many orgs still look to tools. And with LLMs writing so much code, we continue to look for ways LLMs can help appsec in addition to all the ways LLMs keep recreating appsec problems.

Resources

• https://www.forrester.com/blogs/breaches-and-lawsuits-and-fines-oh-my-what-we-learned-the-hard-way-from-2024/
• https://www.forrester.com/blogs/wafs-are-now-the-center-of-application-protection-suites/
• https://www.forrester.com/blogs/are-you-making-these-devsecops-mistakes-the-four-phases-you-need-to-know-before-your-code-becomes-your-vulnerability/

In the news, crates.io logging mistake shows the errors of missing redactions, LLMs give us slopsquatting as a variation on typosquatting, CaMeL kicks sand on prompt injection attacks, using NTLM flaws as lessons for authentication designs, tradeoffs between containers and WebAssembly, research gaps in the world of Programmable Logic Controllers, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure.

Segment resources

• https://owasp.org/Top10/A042021-InsecureDesign/
• https://www.cisa.gov/securebydesign/pledge
• https://www.cisa.gov/securebydesign
• https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation
• https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah
• https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/

Visit https://www.securityweekly.com/asw for all the latest episodes!

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs.

Segment resources:

• https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly
• https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies
• https://www.rfc-editor.org/rfc/rfc3514.html
• https://www.rfc-editor.org/rfc/rfc1149.html

Visit https://www.securityweekly.com/asw for all the latest episodes!

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans.

Segment resources:

• https://securing.dev/posts/ai-security-reasoning-and-bias/
• https://seclists.org/dailydave/2025/q1/0
• https://arxiv.org/pdf/2409.16165
• https://arxiv.org/pdf/2410.05229
• https://nicholas.carlini.com/writing/2025/thoughts-on-future-ai.html

Visit https://www.securityweekly.com/asw for all the latest episodes!

The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space.

Segment Resources:

• https://scs.owasp.org
• https://scs.owasp.org/sctop10/
• https://solidityscan.com/web3hackhub
• https://www.web3isgoinggreat.com

Visit https://www.securityweekly.com/asw for all the latest episodes!

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality.

Segment Resources:

• https://www.cisa.gov/securebydesign
• https://www.cisa.gov/securebydesign/pledge
• https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
• https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design
• https://corridor.dev

Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects in the world.

Segment Resources:

• https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
• https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/
• https://thenewstack.io/curls-daniel-stenberg-on-securing-180000-lines-of-c-code/

Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Minimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of this means for security.

Applying forgivable vs. unforgivable criteria to reDoS vulns, what backdoors in LLMs mean for trust in building software, considering some secure AI architectures to minimize prompt injection impact, developer reactions to Rust, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly.

Segment Resources:

• Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024
• Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open
• Project overview: https://portswigger.net/research/top-10-web-hacking-techniques

Visit https://www.securityweekly.com/asw for all the latest episodes!

Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier.

Segment Resources:

-https://github.com/ScottNorberg-NCG/CodeSheriff.NET

Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!