Application Security Weekly (Audio)

Journalists put a lot of effort into collecting information and protecting their sources, but everyone can benefit from having a digital environment that's more secure and more privacy protecting. Runa Sandvik shares her experience working with journalists and targeted groups to craft plans for how they use their devices and manage their information. And she also makes the point that the burden of security should not be just for users -- platforms and software providers should be evaluating secure defaults and secure designs that improve protections for everyone.
Resources
https://techcrunch.com/2025/03/13/apples-lockdown-mode-is-good-for-security-but-its-notifications-are-baffling/
https://www.glitchcat.xyz/p/lessons-learned-from-the-2021-arrest
https://gijn.org/resource/introduction-investigative-journalism-digital-security/
https://cpj.org/
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-371

A major premise of appsec is figuring out effective ways to answer the question, "What security flaws are in this code?" The nature of the question doesn't really change depending on who or what wrote the code. In other words, LLMs writing code really just means there's mode code to secure. So, what about using LLMs to find security flaws? Just how effective and efficient are they?
We talk with Adrian Sanabria and John Kinsella about the latest appsec articles that show a range of results from finding memory corruption bugs in open source software to spending an inordinate amount of manual effort validating persuasive, but ultimately incorrect, security findings from an LLM.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-370

When it comes to agents and MCPs, the interesting security discussion isn't that they need strong authentication and authorization, but what that authn/z story should look like, where does it get implemented, and who implements it. Dan Moore shares the useful parallels in securing APIs that should be brought into the world of MCPs -- especially because so many are still interacting with APIs.
Resources
https://stackoverflow.blog/2026/01/21/is-that-allowed-authentication-and-authorization-in-model-context-protocol/
https://fusionauth.io/articles/identity-basics/authorization-models
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-369

Everyone is turning to LLMs to generate code, including attackers. Thus, it's no great surprise that there are now examples of malware generated by LLMs. We discuss the implications of more malware with Rob Allen and what it means for orgs that want to protect themselves from ransomware.
Resources
https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows-clear-signs-of-being-ai-generated/
https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/
https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools/
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-368

Supply chain security remains one of the biggest time sinks for appsec teams and developers, even making it onto the latest iteration of the OWASP Top 10 list. Paul Davis joins us to talk about strategies to proactively defend your environment from the different types of attacks that target supply chains and package dependencies. We also discuss how to gain some of the time back by being smarter about how to manage packages and even where the responsibility for managing the security of packages should be.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-367