Not all infosec advice is helpful. Bad advice wastes time, makes people less secure, and takes focus away from making software more secure. Bob Lord talks about his efforts to tamp down hacklore -- the security myths and mistakes that crop up in news stories and advice to users. He talks about how these myths come about, why they're harmful, and how they're related to the necessity of building software that's secure by design.

Segment Resources:

• https://www.hacklore.org/

• https://medium.com/@boblord/lets-stop-hacklore-d5c86a0fdad8

• https://www.cisa.gov/securebydesign

• https://medium.com/@boblord/recurring-classes-of-software-weaknesses-2007-vs-2025-c2cd56125e1a

• https://www.ncsc.gov.uk/report/a-method-to-assess-forgivable-vs-unforgivable-vulnerabilities

• https://99percentinvisible.org/episode/nut-behind-wheel/

• https://timharford.com/2022/05/cautionary-tales-short-a-screw-loose-at-17000ft/

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-365

Developers are adding LLMs to their code creation toolboxes, using them to assist with writing and reviewing code. Chris Wysopal talks about the security downsides of relying on LLMs and how appsec needs to adapt to dealing with more code at a faster pace.

Resources

• https://www.veracode.com/blog/genai-code-security-report/

• https://www.veracode.com/blog/ai-code-security-october-update/

• https://www.veracode.com/resources/analyst-reports/2025-genai-code-security-report/

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-364

In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications.

Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI.

Segment Resources:

• github.com/coreruleset/coreruleset

• coreruleset.org

The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain.

As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency.

OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025.

Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem.

This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape.

Segment Resources:

• https://owasp.org/www-project-aibom/

• https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/

• https://www.youtube.com/@OWASPAIBOM

• https://www.youtube.com/@RobvanderVeer-ex3gj

• https://owaspai.org/

Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI.

Segment Resources:

• aivss.owasp.org

• https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for

• https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro

This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-363

Using OWASP SAMM to assess and improve compliance with the Cyber Resilience Act (CRA) is an excellent strategy, as SAMM provides a framework for secure development practices such as secure by design principles and handling vulns.

Segment Resources:

• https://owaspsamm.org/
• https://cybersecuritycoalition.be/resource/a-strategic-approach-to-product-security-with-owasp-samm/

As genAI becomes a more popular tool in software engineering, the definition of "secure coding" is changing. This session explores how artificial intelligence is reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves. We'll dive into the dual challenge of securing both human-written and AI-assisted code, discuss how enterprises can validate AI outputs against existing security standards, and highlight practical steps teams can take to build resilience into the entire development pipeline. Join us as we look ahead to the convergence of secure software engineering and AI security — where trust, transparency, and tooling will define the future of code safety.

Segment Resources:

• https://manicode.com/ai/

Understand the history of threat modeling with Adam Shostack. Learn how threat modeling has evolved with the Four Question Framework and can work in your organizations in the wake of the AI revolution.

Whether you're launching a formal Security Champions program or still figuring out where to start, there's one truth every security leader needs to hear: You already have allies in your org -- they're just waiting to be activated. In this session, we'll explore how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These are your early adopters: the developers, engineers, and team leads who already "get it," even if their title doesn't say "security."

We'll unpack:

• Why you need help from people outside the security org to actually be effective
• Where to find your natural allies (hint: it starts with listening, not preaching)
• How to support and energize those allies so they influence the majority
• What behavioral science tells us about spreading change across an organization

Segment Resources:

• Security Champion Success Guide: https://securitychampionsuccessguide.org/
• Related interviews/podcasts: https://www.youtube.com/playlist?list=PLPb14P8f4T1ITv3p3Y3XtKsyEAA8W526h
• How to measure success and impact of culture change and champions: https://www.linkedin.com/pulse/from-soft-skills-hard-data-measuring-success-security-yhmse/
• Global Community of Champions sign up: https://docs.google.com/forms/d/e/1FAIpQLScyXPAMf9M8idpDMwO4p2h5Ng8I0ffofZuY70BbmgCZNPUS5Q/viewform

This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-362

Open source projects benefit from support that takes many shapes. Kat Cosgrove shares her experience across the Kubernetes project and the different ways people can make meaningful contributions to it. One of the underlying themes is that code is written for other people. That means PRs need to be understandable, discussions need to be enlightening, documentation needs to be clear, and collaboration needs to cross all sorts of boundaries.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-361

The MCP standard gave rise to dreams of interconnected agents and nightmares of what those interconnected agents would do with unfettered access to APIs, data, and local systems. Aaron Parecki explains how OAuth's new Client ID Metadata Documents spec provides more security for MCPs and the reasons why the behavior and design of MCPs required a new spec like this.

Segment resources:

• https://aaronparecki.com/2025/11/25/1/mcp-authorization-spec-update
• https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
• https://oauth.net/cross-app-access/
• https://oauth.net/2/oauth-best-practice/

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-360

For OT systems, uptime is paramount. That's a hard rule that makes maintaining, upgrading, and securing them a complex struggle. Tomas "Data" Owens and James Cotter discuss how Tennessee is tackling the organizational and technical challenges that come with hardening OT systems across the state. Those challenges range from old technology (like RS-232 over Wi-Fi!?) to limited budgets. They talk about the different domains where OT appears and provide some examples of how the next generation of builders and breakers can start learning about this space.

Segment Resources:

Free Cyber OT Training (INL): https://ics-training.inl.gov/ Free Cyber Hygiene Training (CISA): https://www.cisa.gov/cyber-hygiene-services

Recommendations for network hardening (CISA): https://www.cisa.gov/shields-up

More OT and ICS resources: https://github.com/biero-el-corridor/OTICSressource_list

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-359

What are your favorite resources for secure code? Co-hosts John Kinsella and Kalyani Pawar talk about the reality of bringing security into a business. We talk about the role of the OWASP Top 10 and the OWASP ASVS in crafting security programs. And balance that with a discussion in what's the best use of everyone's time -- developers and appsec folks alike -- in crafting code that's secure by design rather than just secure from scanner results.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-358

Secure code should be grounded more in concepts like secure by default and secure by design than by "spot the vuln" thinking. Matias Madou shares his experience in secure coding training and the importance of teaching critical thinking. He also discusses why critical thinking is so closely related to threat modeling and how LLMs can be a tool for helping developers get beyond the superficial advice of, "Think like an attacker."

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-357

Just how bad can things get if someone clicks on a link? Rob Allen joins us again to talk about ransomware, why putting too much attention on clicking links misses the larger picture of effective defenses, and what orgs can do to prepare for an influx of holiday-infused ransomware targeting.

Segment resources

• https://www.bleepingcomputer.com/news/security/how-a-ransomware-gang-encrypted-nevada-governments-systems/
• https://www.darkreading.com/endpoint-security/pro-russian-hackers-linux-vms-hide-windows
• https://www.threatlocker.com/blog/how-to-build-a-robust-lights-out-checklist

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-356

Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits, and working with repo owners to improve their security. Their work highlights the challenges in maintaining good security guidance, figuring out secure defaults, and how so many orgs still struggle with triaging external security reports -- something that's becoming even more challenging when orgs are being flooded with low-quality reports from LLMs.

Segment Resources:

• https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/
• https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-355