Application Security Weekly (Audio)

Everyone is turning to LLMs to generate code, including attackers. Thus, it's no great surprise that there are now examples of malware generated by LLMs. We discuss the implications of more malware with Rob Allen and what it means for orgs that want to protect themselves from ransomware.
Resources
https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows-clear-signs-of-being-ai-generated/
https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/
https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools/
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-368

Supply chain security remains one of the biggest time sinks for appsec teams and developers, even making it onto the latest iteration of the OWASP Top 10 list. Paul Davis joins us to talk about strategies to proactively defend your environment from the different types of attacks that target supply chains and package dependencies. We also discuss how to gain some of the time back by being smarter about how to manage packages and even where the responsibility for managing the security of packages should be.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-367

MongoBleed and a recent OWASP CRS bypass show how parsing problems remain a source of security flaws regardless of programming language. We talk with Kalyani Pawar about how these problems rank against the Top 25 CWEs for 2025 and what it means for relying on LLMs to generate code.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-366

Not all infosec advice is helpful. Bad advice wastes time, makes people less secure, and takes focus away from making software more secure. Bob Lord talks about his efforts to tamp down hacklore -- the security myths and mistakes that crop up in news stories and advice to users. He talks about how these myths come about, why they're harmful, and how they're related to the necessity of building software that's secure by design.
Segment Resources:
https://www.hacklore.org/

https://medium.com/@boblord/lets-stop-hacklore-d5c86a0fdad8

https://www.cisa.gov/securebydesign

https://medium.com/@boblord/recurring-classes-of-software-weaknesses-2007-vs-2025-c2cd56125e1a

https://www.ncsc.gov.uk/report/a-method-to-assess-forgivable-vs-unforgivable-vulnerabilities

https://99percentinvisible.org/episode/nut-behind-wheel/

https://timharford.com/2022/05/cautionary-tales-short-a-screw-loose-at-17000ft/

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-365

Developers are adding LLMs to their code creation toolboxes, using them to assist with writing and reviewing code. Chris Wysopal talks about the security downsides of relying on LLMs and how appsec needs to adapt to dealing with more code at a faster pace.
Resources
https://www.veracode.com/blog/genai-code-security-report/

https://www.veracode.com/blog/ai-code-security-october-update/

https://www.veracode.com/resources/analyst-reports/2025-genai-code-security-report/

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-364