In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference.

With more types of identities, machines, and agents trying to access increasingly critical data and resources, across larger numbers of devices, organizations will be faced with managing this added complexity and identity sprawl. Now more than ever, organizations need to make sure security is not an afterthought, implementing comprehensive solutions for securing, managing, and governing both non-human and human identities across ecosystems at scale.

This segment is sponsored by Okta. Visit https://securityweekly.com/oktarsac to learn more about them!

At Mend.io, we believe that securing AI-powered applications requires more than just scanning for vulnerabilities in AI-generated code—it demands a comprehensive, enterprise-level strategy. While many AppSec vendors offer limited, point-in-time solutions focused solely on AI code, Mend.io takes a broader and more integrated approach.

Our platform is designed to secure not just the code, but the full spectrum of AI components embedded within modern applications. By leveraging existing risk management strategies, processes, and tools, we uncover the unique risks that AI introduces—without forcing organizations to reinvent their workflows. Mend.io’s solution ensures that AI security is embedded into the software development lifecycle, enabling teams to assess and mitigate risks proactively and at scale.

Unlike isolated AI security startups, Mend.io delivers a single, unified platform that secures an organization’s entire codebase—including its AI-driven elements. This approach maximizes efficiency, minimizes disruption, and empowers enterprises to embrace AI innovation with confidence and control.

This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to book a live demo!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-331

Developers are relying on LLMs as coding assistants, so where are the LLM assistants for appsec? The principles behind secure code reviews don't really change based on who write the code, whether human or AI. But more code means more reasons for appsec to scale its practices and figure out how to establish trust in code, packages, and designs. Rey Bango shares his experience with secure code reviews and where developer education fits in among the adoption of LLMs.

As businesses rapidly embrace SaaS and AI-powered applications at an unprecedented rate, many small-to-medium sized businesses (SMBs) struggle to keep up due to complex tech stacks and limited visibility into the skyrocketing app sprawl. These modern challenges demand a smarter, more streamlined approach to identity and access management. Learn how LastPass is reimagining access control through “Secure Access Experiences” - starting with the introduction of SaaS Monitoring capabilities designed to bring clarity to even the most chaotic environments. Secure Access Experiences - https://www.lastpass.com/solutions/secure-access

This segment is sponsored by LastPass. Visit https://securityweekly.com/lastpassrsac to learn more about them!

Cloud Application Detection and Response (CADR) has burst onto the scene as one of the hottest categories in security, with numerous vendors touting a variety of capabilities and making promises on how bringing detection and response to the application-level will be a game changer. In this segment, Gal Elbaz, co-founder and CTO of Oligo Security, will dive into what CADR is, who it helps, and what the future will look like for this game changing technology. Segment Resources - https://www.oligo.security/company/whyoligo

To see Oligo in action, please visit https://securityweekly.com/oligorsac

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-330

We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass against LLMs. Not everything is genAI as we cover some secure design topics from the Airborne attack against Apple's AirPlay to more calls for companies to show how they're embracing secure design principles and practices.

Apiiro CEO & Co-Founder, Idan Plotnik discusses the AI problem in AppSec.

This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them!

Gen AI is being adopted faster than company’s policy and data security can keep up, and as LLM’s become more integrated into company systems and uses leverage more AI enabled applications, they essentially become unintentional data exfiltration points. These tools do not differentiate between what data is sensitive and proprietary and what is not. This interview will examine how the rapid adoption of Gen AI is putting sensitive company data at risk, and the data security considerations and policies organizations should implement before, if, and when their employees may seek to adopt a Gen AI tools to leverage some of their undeniable workplace benefits.

Customer case studies: https://www.seclore.com/resources/customer-case-studies/

Seclore Blog: https://www.seclore.com/blog/

This segment is sponsored by Seclore. Visit https://securityweekly.com/seclorersac to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-329

In this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons.

But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable join the discussion to provide advice on evaluating secure designs through examples of strong and weak designs we've seen over the years. We highlight the importance of designing systems to serve users and consider what it means to have a secure design with a poor UX. As we talk about the strategy and tactics of secure design, we share why framing this as a challenge in preventing dangerous errors can help devs make practical engineering decisions that improve appsec for everyone.

Resources

• https://owasp.org/Top10/A042021-InsecureDesign/
• https://dl.acm.org/doi/10.5555/1251421.1251435
• https://www.threatmodelingmanifesto.org
• https://www.ietf.org/rfc/rfc9700.html
• https://www.cisa.gov/resources-tools/resources/secure-by-design

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-328

Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should be based on secure, efficient mechanisms rather than putting all the burden on users. And it also means that managing secrets shouldn't become an unmanaged risk with new attack surfaces or new points of failure.

Segment Resources:

• https://infisical.com/blog/solving-secret-zero-problem
• https://infisical.com/blog/gitops-secrets-management

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-327

The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a secure environment and why so many orgs still look to tools. And with LLMs writing so much code, we continue to look for ways LLMs can help appsec in addition to all the ways LLMs keep recreating appsec problems.

Resources

• https://www.forrester.com/blogs/breaches-and-lawsuits-and-fines-oh-my-what-we-learned-the-hard-way-from-2024/
• https://www.forrester.com/blogs/wafs-are-now-the-center-of-application-protection-suites/
• https://www.forrester.com/blogs/are-you-making-these-devsecops-mistakes-the-four-phases-you-need-to-know-before-your-code-becomes-your-vulnerability/

In the news, crates.io logging mistake shows the errors of missing redactions, LLMs give us slopsquatting as a variation on typosquatting, CaMeL kicks sand on prompt injection attacks, using NTLM flaws as lessons for authentication designs, tradeoffs between containers and WebAssembly, research gaps in the world of Programmable Logic Controllers, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-326

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure.

Segment resources

• https://owasp.org/Top10/A042021-InsecureDesign/
• https://www.cisa.gov/securebydesign/pledge
• https://www.cisa.gov/securebydesign
• https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation
• https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah
• https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-325

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs.

Segment resources:

• https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly
• https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies
• https://www.rfc-editor.org/rfc/rfc3514.html
• https://www.rfc-editor.org/rfc/rfc1149.html

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-324