Mike Shema's Blog

April 4, 2025

ASW Recap for March 2025

March meandered through C code, mused about secure design, marked a new top ten list, made space for machines, and finally descended into a bit of madness. And every single moment was fun!


Keeping Curl Successful and Secure Over the Decades (ep. 320)

Our month kicked off with curl's continuous curator, Daniel Stenberg, explaining the project's approach to appsec. It has had to deal with bad bug bounty reports from LLMs and inflated CVSS scores from CVEs.

It's also had positive experie...

Published on April 04, 2025 00:00

March 18, 2025

Go to the os.Root of a Problem

Photo by Diane Picchiottino on Unsplash

Go is giving devs a better tool against traversal attacks.

We didn't get the chance for a news segment in this week's Application Security Weekly podcast, but I still wanted to highlight an article that stood out to me.

Path traversal is one of my favorite appsec flaws. It's trivial to demonstrate, easy to understand, and its related security principles lead down many… paths.

The simplest payloads rely on classic characters like dot...

Published on March 18, 2025 00:00

March 17, 2025

From AI to XZ Utils: Spelling a New Future for AppSec

AppSec has decades of lists, acronyms, taxonomies, and scanners for flaws like XSS and SQL injection.

And yet barely three months into 2025 those two vuln classes already account for several hundred new CVEs. (WordPress plugins alone seem to be responsible for over 900 XSS vulns. That aspect deserves an entirely separate discussion on software design choices.)

What does a history of never-ending flaws mean for a future where LLMs produce code, attackers produce backdoored LLMs, and supply chai...

Published on March 17, 2025 00:00

March 10, 2025

Crafting CFPs, Delivering Presentations - An ASW Topic Recap

There are a ton of infosec conferences throughout the world, which means there's lots of opportunity to deliver research, ideas, and educational presentations.


OWASP and Security BSides provide community support for small regional events. BSides launched in 2009 and celebrated its 1,000th event almost exactly 15 years later in July 2024. So yeah, lots of opportunities.

All those events need speakers! Many conferences even provide resources for first-time speakers. Giving presentations is a...

Published on March 10, 2025 00:00

March 7, 2025

The ASW February 2025 Recap

February should have been cybersecurity awareness month. It's the shortest month and occasionally off by one.

We filled up every Monday with a fun new conversation.


Episode 316 - Threat Modeling That Helps the Business

Threat modeling has been in appsec's toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shared what she learned from interviewing orgs about what succeeded and what failed in their approaches to threat modeling. Akira ...

Published on March 07, 2025 00:00

February 7, 2025

The ASW January 2025 Recap

Thanks for keeping us company throughout 2024 and joining us for a new year!

We started another solar cycle of appsec with a simple desire: Let's have designs and defaults that minimize flaws, and reduce the damage that an exploit can cause.


Episode 312

Greg Anderson talked about the origins of OWASP's DefectDojo and why orgs still struggle to distinguish flaws they need to fix from those with negligible risk. The conversation turned to familiar challenges like tool quality, vuln priori...

Published on February 07, 2025 00:00

February 3, 2025

So Much Phishing

Most users just want to know how to keep their devices updated with little intervention, how (and why) to use a password manager, and have reassurance about account recovery if they lose their passkey or auth token generator.

Courtesy British Library (11650.h.69.)

But users don't know the important Security Things. Things like all the places where a link can appear, or why RFCs intended links to be clicked but didn't bother to explain which links are safe and which aren't. U...

Published on February 03, 2025 00:00

January 27, 2025

Ideas for a Localized Lighting Model

As I see how search engines are incorporating LLMs, it makes me all the more eager to see their capabilities cross into the physical world.

I'd love to be able to walk into a room and just tap a wall to trigger full-room illumination through an agentic interaction.

And just imagine having a more complex agent, like if I slide my finger vertically, then the movement could be semantically translated into the amount of illumination I'm in the mood for. Plus, in the real world you have axes an...

Published on January 27, 2025 00:00

January 5, 2025

The ASW December 2024 Recap

We ended the year in the chill of December,

Hoping that appsec wouldn���t dim to an ember.

That instead it would burn brightly and begin to enshrine,

That good security comes by default and design.

That the page count of hardening guides will start dwindling,

And that all those top ten lists are used for just kindling.


Episode 309

We once again turned our focus on developers, with Adriana Villela explaining why observability is more than a bunch of printfs and how generating useful logs...

Published on January 05, 2025 00:00

December 6, 2024

The ASW November 2024 Recap

November's ASW turned into Adrian Sanabria Weekly!


Episode 306

The month kicked off with Grant McCracken discussing bug bounties and a modern approach to pentesting. While I would still love to see the costs of fixing flaws, seeing the costs of security flaws quantified through bounties is always eye-opening. Plus, it's always good to see other approaches to security testing that carry a more predictable budget. Now if only those bugs didn't make it to production in the first place…

...
Published on December 06, 2024 00:00