Application Security Weekly

The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space.

Segment Resources:

• https://scs.owasp.org
• https://scs.owasp.org/sctop10/
• https://solidityscan.com/web3hackhub
• https://www.web3isgoinggreat.com

Visit https://www.securityweekly.com/asw for all the latest episodes!

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality.

Segment Resources:

• https://www.cisa.gov/securebydesign
• https://www.cisa.gov/securebydesign/pledge
• https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
• https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design
• https://corridor.dev

Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects in the world.

Segment Resources:

• https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
• https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/
• https://thenewstack.io/curls-daniel-stenberg-on-securing-180000-lines-of-c-code/

Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Minimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of this means for security.

Applying forgivable vs. unforgivable criteria to reDoS vulns, what backdoors in LLMs mean for trust in building software, considering some secure AI architectures to minimize prompt injection impact, developer reactions to Rust, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly.

Segment Resources:

• Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024
• Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open
• Project overview: https://portswigger.net/research/top-10-web-hacking-techniques

Visit https://www.securityweekly.com/asw for all the latest episodes!

Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier.

Segment Resources:

-https://github.com/ScottNorberg-NCG/CodeSheriff.NET

Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers.

Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have been working with ML and sensitive data sets for a long time, and it's good to have more scrutiny on what controls should be present to protect that data.

An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

What’s in store for appsec in 2025? Sure, there'll be some XSS and SQL injection, but what about trends that might influence how appsec teams plan? Cody Scott shares five cybersecurity and privacy predictions and we take a deep dive into three of them. We talk about finding value to appsec from AI, why IoT and OT need both programmatic and technical changes, and what the implications of the next XZ Utils attack might be.

Segment resources:

• https://www.forrester.com/blogs/predictions-2025-cybersecurity-risk-privacy/

Visit https://www.securityweekly.com/asw for all the latest episodes!

There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog.

Segment resources:

• https://github.com/ossf/scorecard
• https://www.commonhaus.org/
• https://www.hackergarten.net/

Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!