Securing Software's Journey with the OWASP SPVS - Cameron W., Farshad Abasi, Rohan Ravindranath, Ido Geffen - ASW #378
It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI.
They show what goes into making a project relevant and -- most importantly -- successful at defending against the ways supply chains are actually attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out!
Resources
- https://owasp.org/www-project-spvs/
- https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md
- https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS
- https://slsa.dev
Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security
Most enterprise organizations have been working toward Zero Trust for years and still fail to deliver truly secure environments. Rohan Ravindranath shares the insights Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works.
This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them!
Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential
Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what "AI penetration testing" means, why it's different from automated scanning, and why it's becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee's AI penetration tester: a proprietary LLM, built independently of "frontier" LLMs (like Claude, ChatGPT, Cursor, etc.), which he says consistently outperforms them on browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship.
This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac.
Show Notes: https://securityweekly.com/asw-378