🔒 Welcome to this week’s episode of AppSecNow, the DevCentral podcast dedicated to all things application security! 🚨 This week, we unpack critical updates including:
💥 A zero-day SAP CVE with a CVSS score of 10—what it means, how it's being exploited, and what you can do to defend against it.
🛠️ A groundbreaking Parquet tool from F5 Labs that simplifies vulnerability testing for critical supply chain security issues.
Link: https://github.com/F5-Labs/parquet-canary-exploit-rce-poc-CVE-2025-30065
🌍 The EU Cyber Resilience Act—what it means for manufacturers, open-source stewards, and secure-by-design initiatives.
Learn how AppSec professionals leverage cutting-edge tools and protocols to tackle some of the biggest challenges in software security today. Whether you're prepping for RSA or managing zero trust architectures, this episode is packed with actionable insights!
✅ Like, subscribe, and follow to keep up with the latest in application security.
00:00 Introduction
02:20 Parquet Tool
06:30 VulnCon 2025
09:09 EU Cyber Resilience Act
16:45 CVE Program Chaos
20:29 Pay Your Tolls!
27:17 SAP Critical Vulnerability
29:18 Outro
Join Merlyn, Chase, MegaZone, and Aubrey on this week’s AppSec Now podcast as they dive into the latest topics in application security! 🚀 From the recent B-Sides Seattle conference to critical discussions on EV car hacking, cybersecurity quandaries, AI-generated passports bypassing KYC, and Japan’s groundbreaking Active Cyber Defense Bill—you don’t want to miss this one. Plus, learn how AppSecNow is keeping you ahead with insights by F5 Labs and the F5 Security Incident Response Team.
Stay informed, stay secure—like, subscribe, and follow for all things AppSec!
00:00 Introduction
03:10 EV Car Hacking
12:25 AI Generated Passports
21:35 LLMs Do Not Trust Humans
28:31 Japan's Active Cyber Defense Bill
34:19 Outro
Join our AppSec experts—Merlyn, Malcolm, MegaZone, and host Chase Abbott—as they dig into some of the latest stories shaking up the cybersecurity world. This week's AppSec Now explores an active campaign targeting Amazon EC2 instance metadata via SSRF vulnerabilities, and why that's a wider-reaching problem than you might think. We discuss Oracle's controversial handling of their cloud breach and the impact of trust in the disclosure process.
Also in the mix: malicious NPM packages deployed by North Korean hackers, a sneaky Golang malware employing "click-fix" tactics for crypto theft, and a critical Apache Parquet remote code execution bug rated CVSS 10.0—but how worried should we really be?
🔗 Relevant Links Here: https://community.f5.com/kb/security-insights/oracle-hack-north-korean-hackers-critical-flaw-in-apache/340708
00:00 Introduction
04:01 F5 Labs: AWS EC2 SSRF
10:44 Oracle Cloud Breach
16:44 Verizon iOS App Exposure
20:23 BeaverTail Malware via NPM
24:43 Golang Ghost Malware
28:34 Apache Parquet RCE - CVSS 10 !!!
34:12 Outro
Dive into the latest episode of AppSecNow, where we break down the Ingress Nightmare vulnerability impacting NGINX and Kubernetes environments, plus the implications of a critical CVE in Next.js, one of the most widely-used JavaScript frameworks with 9 million weekly downloads.
Join Aubrey, Chase, and Merlyn for expert analysis on the security landscape, from Chromium Zero Day concerns to ransomware gangs getting pwned. Stay informed on the front lines of application security with actionable advice from DevCentral's experts.
Welcome to the 31st episode of AppSec Now! This week, our hosts Aubrey, David Warburton, Chase Abbott, and MegaZone get into some hot topics in the world of application security. Our focus is on the latest F5 Labs Advanced Persistent Bots report, highlighting the ever-evolving landscape of bot attacks and the importance of robust mitigation strategies. We analyze Google's hefty $32 million acquisition of Wiz, exploring what this move means for the tech giant's security posture and its potential impact on the cloud security market.
We also tackle the sensitive topic of personal data with a focus on 23andMe's bankruptcy and the critical steps you should take to safeguard your genetic information. Finally, we explore the emerging trend of "vibe coding" and its implications for both seasoned developers and novices. Join us for these engaging discussions and more, and don't forget to like, subscribe, and leave a comment with your thoughts!
00:00 Introduction
01:08 Google / Wiz Deal
04:57 Electrical Fire Closes Heathrow
12:39 23andMe Bankrupt! Delete data.
19:10 Advanced Persistent Bots Report
32:06 Vibe Coding Roundtable
42:37 Outro
Join us for the thirtieth episode of AppSecNow, a DevCentral podcast dedicated to the latest trends and threats in the application security (AppSec) world. In this episode, host Aubrey King is joined by Malcolm Heath, Chase Abbott, and MegaZone to dive into recent security incidents and developments, including a detailed analysis of the Coinbase phishing scam, the resurgence of user-mode rootkits with OBSCURE#BAT, the BRUTED brute force campaign, and KoSpy, a sophisticated Android spyware campaign linked to North Korean threat actors.
Stay informed with custom-curated content from F5's Security Incident Response Team and relevant data from F5 Labs. Discover how attackers are evolving their methods and learn practical tips to protect your applications from these emerging threats. Whether you’re a security professional or just interested in the latest in cybersecurity, this episode has something for you.
00:00 Introduction
01:52 Coinbase Phishing Scam
12:24 BRUTED Brute Force
18:26 OBSCURE#BAT Malware
21:14 KoSpy Android Spyware
33:15 CISA KEV Updates
34:19 Outro
Welcome to the latest episode of AppSec Now, a DevCentral podcast dedicated to the ever-evolving world of application security. In this episode, Chase takes the reins while Aubrey is away, joined by Malcolm Heath, a principal researcher at F5 Labs, and the illustrious MegaZone, a principal security engineer on the SIRT team.
We dive deep into the recent Apache Camel remote code execution vulnerability, discussing the initial panic and the eventual revelation that it was a medium-severity CVE with narrow impact. We also explore the ongoing debate on government backdoors in end-to-end encryption, with insights on the recent stances of Signal and Apple. Finally, we shed light on the recent DDoS attack on X (formerly Twitter), attributed to Dark Storm, and discuss the complexities of attributing such attacks. Stay informed and up-to-date with the latest trends and threats in the AppSec world!
References: https://community.f5.com/kb/security-insights/appsec-camels-typhoons-and-backdoors/340217
00:00 Introduction
00:59 Apache Camel RCE
10:09 Silk Typhoon
16:11 Government Encryption Backdoors
25:51 X (Twitter) DDoS
30:25 VulnCon Comin' Up!
32:16 Outro
Join Aubrey, MegaZone, and Merlyn in this week's episode of AppSec Now as they dive into the latest in application security. This week, we discuss Microsoft's groundbreaking Majorana One chip, capable of scaling up to a million qubits and its potential impact on quantum computing. We also explore the recent critical vulnerabilities in MongoDB libraries and OpenSSH, analyzing their implications and mitigations. We dig into the layoffs at CISA and the potential cybersecurity impacts. Don't miss out on these crucial insights to stay ahead in the cybersecurity landscape.
TWIS:
https://community.f5.com/kb/security-insights/u-s-government-cuts-majorana-1-chip-cves-for-mongoose-and-openssh/339995
00:00 Introduction
04:28 Majorana1
09:07 CISA Layoffs
16:06 OpenSSH MITM / DoS CVEs
20:28 MongoDB RCE CVEs
25:54 Outro
In this episode of AppSec Monthly, join host MegaZone, along with Malcolm Heath, Merlyn Albery-Speyer and Aubrey King, as they dive into the latest cybersecurity news. We explore the complexities of the TikTok ban, the impact of geopolitical decisions on internet freedom, and the nuances of data sovereignty. Our experts also discuss the implications of recent breaches by Chinese state actors and the importance of using end-to-end encrypted apps to protect your data. Additionally, we shed light on the fascinating history of internet control and how it continues to evolve with emerging technologies. Stay tuned until the end for insights on the upcoming VulnCon 2025 and how you can participate. Don’t forget to subscribe for more AppSec insights!
Welcome to our special year-end episode of AppSec Monthly, a DevCentral podcast! In this exciting edition, we join forces with the experts at F5 Labs to bring you our highly anticipated cybersecurity predictions for the year ahead. Our panel, including David Warburton, Aubrey King, and MegaZone, dives deep into the trends and emerging threats that are set to shape the cybersecurity landscape in 2025. Whether you're an IT professional, a security enthusiast, or just curious about the future of application security, this episode is packed with insights you won't want to miss.
During this episode, we cover a wide range of topics, from the increasing sophistication of cyberattacks to the evolving role of AI in security. We reflect on the accuracy of last year’s predictions and discuss the implications of new technologies and geopolitical shifts on the security environment. With engaging discussions, expert analyses, and a bit of holiday cheer, this episode is the perfect way to stay informed and prepared for the challenges and opportunities of the coming year. So grab your earbuds, get comfortable, and join us for an insightful journey into the future of cybersecurity with AppSec Monthly. Don’t forget to like, subscribe, and leave a review on your favorite platform to stay updated with our latest episodes!
Welcome to the latest episode of AppSec Monthly! In this episode, we delve into IT policies, recent cybersecurity trends, and sophisticated attack detection with industry experts David Warburton, Malcolm Heath, and MegaZone.
Special guests Adeolu and Shuang from F5 Labs share their latest research on Black Friday shopping trends, automation, and bot attacks, providing insights into the types of bots targeting retailers and their impact.
We also look ahead to future trends in automation and predictions for 2024, offering practical advice for retailers on dealing with bot attacks effectively.
In our security news segment, we discuss the implications of quantum computing on RSA decryption, security flaws in popular ML toolkits, and the updated 2025 OWASP LLM Apps Top Ten.
Explore more at f5.com/labs and visit community.f5.com for additional content from F5 SIRT and F5 Labs.
Don't forget to like, subscribe, and leave a review!
Theme song: 'Deserted Dunes Welcome Weary Feet' by King Gizzard And The Lizard Wizard, freely usable as per https://kinggizzardandthelizardwizard.com/bootlegger.
Welcome to another exciting episode of AppSec Monthly, brought to you by DevCentral! This month, we dive deep into various aspects of application security with contributions from Aaron Brailsford, Malcolm Heath, and MegaZone! We discuss the importance of integrating security early in the development process, the critical role of trust in cybersecurity, and the recent buzz around CUPS vulnerabilities. Hear about the latest exploits involving Internet Explorer vulnerabilities. Get ready for an engaging and informative session on all things AppSec. Don't forget to like, subscribe, and stay tuned for more updates!
After a short summer break, the gang's back and talking DDoS with F5 Labs' new DDoS Report. David Warburton lays it all out for us after a healthy dose of news with Aaron Brailsford, Malcolm Heath and, for the first time, MegaZone! Tune in for this action-packed episode 23 for July of 2024!
In May of 2024, Aubrey King, from DevCentral, went to #RSAC. While there, he got a chance to hook up with Steve Wilson and Ken Huang to talk about security authoring - 'how to get going' and 'what's the process like?' - before catching up with Akira Brand, who talks about speaking at RSA and more!
It's an action-packed Episode 22 before we even get to our roundtable, where F5 Labs' David Warburton and Aaron Brailsford catch up with Sam Borer, from the F5 Security Incident Response Team, about all the latest happenings. You'll hear about the Dell breach, Ticketmaster and more!
In Episode 21, we change our name! Welcome AppSec Monthly, goodbye This Month In Security. Also new in April of 2024, DevCentral's Aubrey King catches up with Semgrep's Jonathan Werrett to talk about how the AI phenomenon changes the game for Red and Blue Teamers out there in the security world. Aubrey also catches up with DevCentral OG Peter Silva to talk about 5G security and app isolation for security. Aaron Brailsford herds those cats named David Warburton and Malcolm Heath for our monthly roundtable, as well!
DevCentral's Aubrey King is joined by Dave Warburton, Malcolm Heath and Aaron Brailsford this month for the roundtable and he shares a conversation with Dan Barahona about the APISec University 2024 API Security Market Review they just published and shares the news about APISec Con, coming up on May 22. There's also a teaser of an #AppWorld2024 AI API Security panel conversation between Aubrey, Dan, Corey Ball and Cameron Delano.
In Episode 19 of This Month In Security, Aubrey King catches back up with Tashaffi Samin Yeasar to talk about her daily grind, and with an IoT coder who's using AI at the edge about some of the security implications of Edge AI. Also, Byron McNaught jumps into the monthly roundtable with Aaron Brailsford and David Warburton, where they talk a bit about AI and deepfakes, as well as some of the latest ransomware news out there.
In This Month In Security, Aubrey King gets to talk to DevCentral MVP Daniel Wolf about how he recommends customers build WAF policy from an SBOM. Aaron Brailsford shares the roundtable with Malcolm Heath and Sander Vinberg. Also, we get a sample from This Week In Security.
This Week In Security, our editor is AaronJB, who brings news of a VMware exploit that might be older than Aubrey! Also, countless exploits and some amazing videos from the 37th Chaos Communication Congress.
Read the full article here: https://community.f5.com/t5/technical-articles/time-to-exploit-and-large-scale-breaches-jan-15th-21st-2024-f5/ta-p/327201
This Week In Security is a contribution to DevCentral by the F5 Security Incident Response Team and you can find it in our Technical Articles section every week.
This Week In Security, our editor is Jordan_Zebor, who walks the community through GitHub runner poisoning, a cloud threat called FBot, and an attack on Hadoop!
Read the full article here:
https://community.f5.com/t5/technical-articles/compromised-ci-cd-fbot-and-hadoop-attacks-jan-7th-14th-2023-f5/ta-p/326973