Securing Software's Journey with the OWASP SPVS - Cameron W., Farshad Abasi, Rohan Ravindranath, Ido Geffen - ASW #378

It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI.

They show what goes into making a project relevant and -- most importantly -- successful at defending how supply chains are attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out!

Resources

• https://owasp.org/www-project-spvs/
• https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md
• https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS
• https://slsa.dev

Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security

Most enterprise organizations have been working at Zero Trust for years and fail to deliver truly secure environments. Rohan Ravindranath shares insights that Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works.

This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them!

Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential

Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what "AI penetration testing" means, why it's different from automated scanning, and why it's becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee's AI penetration tester: a proprietary LLM model, built independently of "frontier" LLMs (like Claude, ChatGPT, Cursor, etc.), and consistently outperforming them at browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship.

This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac.

Show Notes: https://securityweekly.com/asw-378