Uniting software development and application security - Will Vandevanter, Jonathan Schneider - ASW #342

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before. Resources https://docs.openrewrite.org https://github.com/openrewrite Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here! Resources https://nvidia.custhelp.com/app/answers/detail/a_id/5687 https://github.com/triton-inference-server/server https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/ https://blog.trailofbits.com/2025/07/28/we-built-the-security-layer-mcp-always-needed/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-342