About

Seth Law (@sethlaw) & Ken Johnson (@cktricky) host an informal discussion of all things application security. Opinions, biases, and recommendations about the security industry, current events, and anything else are fair game. Guests include industry professionals ranging from consultants to managers.

Latest Episode


Episode 266 - Scope of Penetration Testing, Attack Modeling


Episodes

Episode 266 - Scope of Penetration Testing, Attack Modeling
Episode 265 - w/ Scott Norberg - Static Analysis
Episode 264 - w/ Jeremy Long - Software Composition Analysis
Episode 263 - WebApp Fuzzing, Mobile Testing, Secrets Management
Episode 262 - w/ Ariel Shin - Building a Security Program
Episode 261 - Security Economy, Password Resets, Vendor Consolidation
Episode 260 - w/ Darren Meyer of Endor Labs - Dependency Management
Episode 259 - Special Melbourne Australia Edition w/ Paul McCarty & Daniel Ting
Episode 258 - Engaging Developers, ALBeast, Dangerous TLDs
Episode 257 - In-Person vs. Virtual Training, Compliance Violations
Episode 256 - w/ John Poulin - Token Security, Staying Technical as a Manager
Episode 255 - HackerSummerCamp Recap
Episode 254 - Pre-Hacker Summer Camp
Episode 253 - w/ Justin Collins - Managing Security, ProdSec vs. AppSec
Episode 252 - w/ Rami McCarthy - Security Startups, Jobs
Episode 251 - Passive Scanning, Chrome Extensions, CocoaPods, NVD
Episode 250 - Security Startups, Polyfill Takeover
Episode 249 - w/ Tanya Janca - Secure Guardrails
Episode 248 - w/ Rahil Parikh - Building AppSec Programs
Episode 247 - w/ Alejandro Saenz
Episode 246 - w/ Charles Shirer
Episode 245 - w/ Dustin Lehr - Security Champions
Episode 244 - w/ Kyle Kelly - Software Security Supply Chain
Episode 243 - w/ Bryan Schmidt
Episode 242 - LLMs Exploiting Vulns, State of DevSecOps
Episode 241 - Secure Defaults, Using LLMs for Code Review
Episode 240 - Code Smells, XZ Backdoor, Hallucinations
Episode 239 - AppSec Intel, CVEs, Authorization
Episode 238 - AppSec vs. Enterprise Sec, Supply Chain Tool Analysis
Episode 237 - Security 101, Nation State Hackers, Malicious Code
Episode 236 - Memory Safe Languages, LLM Supply Chain Security
Episode 235 - 2023 Top 10 Web Hacking Techniques, LLM Agent Hacking
Episode 234 - Password Analysis, GitHub Copilot
Episode 233 - Scammers, Deep Fakes, Data Exposure
Episode 232 - Security Jobs, Surveillance, Prompt Injection
Episode 231 - FlowMate, State of Software Supply Chain Security
Episode 230 - False Positives vs. Negatives, Scaling Vuln Management
Episode 229 - Software Supply Chain Security, 2024 Predictions
Episode 228 - w/ Chime Security Engineering - Monocle
Episode 227 - Token Leakage, Cybersecurity Isn't Special
Episode 226 - Security Reviews, CVE-2023-46214
Episode 225 - w/ Brian C. Reed
Episode 224 - w/ Jeevan Singh
Episode 223 - w/ Stefan Edwards - OWASP, Privacy
Episode 222 - w/ Leif Dreizler
Episode 221 - Interviews, Breach, AI Tools
Episode 220 - w/ Erik Cabetas (Include Security)
Episode 219 - w/ Jason Haddix - Discovery Tools, Security Research
Episode 218 - w/ Cole Cornford - Security Startups, Developer Training
Episode 217 - w/ Shlomi Shaki - Security Tooling
Episode 216 - Security SDLC, Time Management
Episode 215 - Learning Machine Learning, DEF CON 31 Recap
Episode 214 - Artificial Intelligence and Security with @lojikil
Episode 213 - Brian Joe of Impart Security
Episode 212 - Evan Johnson of RunReveal
Episode 211 - Brian Walter of OpenContext
Episode 210 - Approaching Scans, AppSec Research, Threat Modeling
Episode 209 - James Wickett, Contextual Security Analysis
Episode 208 - Zip TLD, PyPI 2FA, AI Poisoning
Episode 207 - Watering Hole Attacks, Adversarial AI, Cookie Security
Episode 206 - RSA, Artificial Intelligence, Spidering Tools
Episode 205 - Decline of AppSec, Death of Code Review
Episode 204 - Logging, Edge Cases, Client API Exposure
Episode 203 - w/ Shlomi Shaki - Security Tools
Episode 202 - w/ Haseeb Awan - Mobile Security
Episode 201 - Breaches, Package Managers, Audit Logs
Episode 200 - w/ Jerry Gamblin - Startups, CVEs
Episode 199 - OWASP, Phishing, Eurostar
Episode 198 - with Laura Bell Main - Training
Episode 197 - with Sal Olivares - Exposed API Tokens
Episode 196 - API Reviews, Web App Security Features
Episode 195 - 2022 CVEs, CORS, GraphQL
Episode 194 - Frank Wang (dbtlabs) - Organization Security, AI/ML
Episode 193 - Security Metrics, End-User Security
Episode 192 - Blogs, Golang Security, ChatGPT
Episode 191 - DNS Attacks, Organizational Risk, Mastodon
Episode 190 - Immutable Laws of Security
Episode 189 - Security Bypasses, AppMap, Dastardly
Episode 188 - Security Training, Zero Trust, Rating of IoT Security
Episode 187 - Hacking your Health, Fortinet, Secrets in Source
Episode 186 - Security Trainings, Web3 Bounties, MFA
Episode 185 - Daniel Ting - Breaches, Optus, Uber
Episode 184 - Sources, Payloads, Patreon, Ethereum, Starbucks
Episode 183 - Information Warfare w/ LegendaryPatMan
Episode 182 - Twitter, LastPass, Testing Edge Cases
Episode 181 - (Post DEFCON)
Episode 180 - Logging! Attacks!
Episode 179 - Starting in AppSec, Threat Modeling
Episode 178 - Wallet Attacks(!) and Data Privacy
Episode 177 - That Post-LocoMocoSec Glow
Episode 176 - Exposed Secrets, Semgrep Rules, IoT Security Failures
Episode 175 - Web3, JWT Security, Public App Attacks
Episode 174 - Smart Contracts, Code Review Lessons Learned
Episode 173 - Enumeration Attacks!
Episode 172 - Jimmy Mesta - Kubernetes, Startup Adventures
Episode 171 - Ruby Deserialization Walkthrough, Domain Takeovers
Episode 170 - Security Basics, Social Engineering, Plan for Failure
Episode 169 - Finding Security Bugs
Episode 168 - Secure Code Review, Package Confusion, Privacy Acts
Episode 167 - Ken Toler - Cryptocurrency, Spring4Shell
Episode 166 - Web App Firewalls, ProtestWare, CSP Level 3
Episode 165 - PortSwigger 2021 Top 10, Supply Chain Attacks, TLS Certs
Episode 164 - Supply Chain Security, Cyber Attacks, 2FA, AutoWarp
Episode 163 - IT Army, Secrets, Access Control
Episode 162 - Mike McCabe - Cloud Security
Episode 161 - Language Semantics, Blockchain Validations, Pentest Stories
Episode 160 - Mental Health, Open Source Bug Bounties, IDOR
Episode 159 - Neil Matatall (@ndm) - CSP, Infosec Hiring, Languages & Framework Security
Episode 158 - More Supply Chains, 2021 Top Ten, CORS + CSRF
Episode 157 - 2022 Predictions, Schema Libraries, NPM and Open Source Packages
Episode 156 - Stefan Edwards (@lojikil) - Open Source Software, Software Bill of Materials
Episode 155 - Log4Hell, Boring AppSec, Crocs and SOCs
Episode 154 - Conferences, Cloud Security, Software Supply Chain
Episode 153 - Fuzzing, Authentication, Browser Wars (again)
Episode 152 - Breaches, Symbolic Execution, Dynamic vs. Static Assessments
Episode 151 - Secure Code Review, Software Interdependency
Episode 150 - Jerry Gamblin - NVD CVEs, Vulnerability Disclosure, Burp Cert
Episode 149 - Burnout, AppSec News Sources
Episode 148 - Facebook, Phrack, Paved Path
Episode 147 - James Kettle - Security Research, HTTP Request Smuggling
Episode 146 - OWASP Top 10, Bug Bounties with @JHaddix, Request Smuggling
Episode 145 - Return of @cktricky, Burnout, Bumble Vuln, Brute-Forcing
Episode 144 - Stefan Edwards - Fuzzing, Radamsa, Property Testing
Episode 143 - Stefan Edwards - HTTP/2, Black Hat/DEFCON, Kubernetes
Episode 142 - AI Code Generation, Puma Scan, HTTP Request Smuggling
Episode 141 - print(), Cross-Site Scripting (XSS), RiskIQ, Amass Demo
Episode #140 - Naomi Buckwalter - Gatekeeping, Developing AppSec Resources
Episode #CXXXIX - Return of the @lojikil (Stefan Edwards)
Episode #138 - Ransomware
Episode #137 - CSRF, GraphQL, Kubernetes, Docker, NoSQL Injection
Episode #136 - AppSec Nihilism and Breaches
Episode #135 - GoSDL, Language Choice, Kenna, Dependency Confusion
Episode #134 - Legal Protections, Browser Sanitization APIs, Burnout
Episode #133 - Rob Shavell - Privacy
Episode #132 - Supply Chain Attacks, What I Wish I Knew Starting in Security
Episode #131 - Jeevan Singh - Threat Modeling
Episode #130 - Facebook 'Breach', Data Privacy
Episode #129 - Rey Bango - jQuery, Developer Relations, Security Education
Episode #128 - Stefan Edwards/David Coursey - PHP, Backdoors, and AppSec Nihilism
Episode #127 - Regexes, WAFs, Secondary Contexts
Episode #126 - Junior AppSec Positions, Phishing Site Detection, Client-side JavaScript
Episode #125 - Interviews, SQLi, Concurrency, WordPress
Episode #124 - 2020 Top 10 Web Hacking Techniques, Development vs. Security
Episode #123 - Client-Side Controls, Dependency Confusion
Episode #122 - Brian Glas - OWASP Top 10 2021
Episode #121 - Stefan Edwards - Formal Specification, Fuzzing, LangSec
Episode #120 - OWASP Top 10 2021, Researcher Attacks, Parler, Phishing
Episode #119 - Bugtraq, Web Cache Poisoning, and Blind SSRF
Episode #118 - Parler, Twitter, and IDOR
Episode #117 - SolarWinds, Timing Attacks, Threat Dragon
Episode #116 - Lewis Ardern & pwnfunction - Client-Side JavaScript Security
Episode #115 - Clint Gibler - Static Analysis with Semgrep
Episode #114 - Account Enumeration, GitHub Actions
Episode #113 - Jacob Salassi - Modeling Threats, Risk Assessment
Episode #112 - Mark Feferman - Static Analysis Tools
Episode #111 - Bug Bounties, Detection as Code
Episode #110 - Reserved Words, Authentication, Developer Patterns
Episode #109 - Threat Modeling & Social Media apps
Episode #108 - Sean Poris - Bug Bounty Programs and H1-2010
Episode #107 - Markus Schirp - Ruby & Dynamic Languages
Episode #106 - Justin Massey - Logging & Monitoring
Episode #105 - Laura Migus - Diversity & Inclusion
Episode #104 - Leif Dreizler - Authentication & SCIM
Episode #103 - Secrets Management, Oded Hareven, & akeyless.io
Episode #102 - Popular Programming Languages, TikTok, OWASP
Episode #101 - Mike McCabe, Ken Toler & Cloud Security
Episode #100 - Virtual Content, Bots, DDoS, eBay
Episode #99 - Contact Tracing, GnuTLS, Breaches
Episode #98 - Bug Bounty Programs, Work when World is Crazy
Episode #97 - Stefan Edwards and Brian Glas - Threat Modeling
Episode #96 - Fuzzing and Static Analysis Tools
Episode #95 - Jessica Rozhin and Lady Christina Liu - Incident Response, Lockpicking, Building an Infosec Culture
Episode #94 - Bug Bounty, Microservices vs. Monoliths, and CVE Fatigue
Episode #93 - Huntr Dev - Securing Open Source Software
Episode #92 - Working from Home, Skreen, Evolution of AppSec
Episode #91 - Stefan Edwards - More Voatz, Zoom, Code Reviews, Report Writing, Threat Models, and Risk Assessments
Episode #90 - Voatz, HackerOne, Bug Bounties, GraphQL, Shodan Network Trends
Episode #89 - Kat Sweet - Incident Response, DevOps & Developer Training, Breaking into Security
Episode #88 - Kevin Johnson - Secure Ideas, Star Wars, Passing it On
Episode #87 - Abhay Bhargav - Threat Modeling, DevSecOps, Microservices
Episode #86 - Rohan Joshi - QA Security Testing, Security Champions, PayPal Vulnerabilities
Episode #85 - David Lindner - Voting Apps, Bug Bounties, IAST/RASP/WAF
Episode #84 - Tinfoil Hat Tuesday - Backdoors, Application Libraries, Equifax
Episode #83 - Ron Perris - NPM, Developer Training, React
Episode #82 - Kelley Robinson - MFA, SHAKEN, STIR
Episode #81 - Matias Madou - Application Security Training
Episode #80 - Louis Barrett - SIRT and AppSec
Episode #79 - Live from DevSecOpsDays Austin - Next up in AppSec/DevSecOps
Episode #78 - Breaches, Passwords, and Chicken Fingies
Episode #77 - Clint Gibler, DevSecOps, tl;dr sec
Episode #76 - Guy Podjarny, Snyk, AppScan, SCA
Episode #75 - Brian Glas, OWASP Top 10, OWASP SAMM
Episode #74 - Ernest Mueller, DevOps, Security & Cloud Computing
Episode #73 - Kevin Cody, CORS, and Lockpicking
Episode #72 - Consulting Horror Stories
Episode #71 - Evan Johnson, Cloudflare, and LastPass
Episode #70 - Andrew Wilson, OWASP, and Training New AppSec Resources
Episode #69 - Eric Ellett, Development vs. Security
Episode #68 - Jerry Gamblin, DEF CON 27 Recap
Episode #67 - Kubernetes Security with Stefan and Bobby
Episode #66 - Capital One Breach, NPM, and Secure Code Reviews
Episode #65 - Adam Baldwin, 3rd Party Dependencies, and Supply Chain Security
Episode #64 - Hijacked Gems, Zoom RCE, and Marriott/Starwood Breach Fines
Episode #63 - Julian Berton, AppSec Day, Developer Training, and Security Standards
Episode #62 - Abdullah Munawar, Ben Pick, Global AppSec DC, and Running an OWASP Chapter
Episode #61 - Tanya Janca, DevSlop, Diversity, and Inclusion
Episode #60 - Stefan Edwards, Huawei, Android, and Programming Languages
Episode #59 - James Wickett & DevOps
Episode #58 - David Lindner, RASP, Mobile, IoT
Episode #57 - OWASP WIA (Women In AppSec) Committee
Episode #56 - Learn to Code / LocoMocoSec Recap
Episode #55 - Stefan Edwards ruins Infosec - Testing Edition
Episode #54 - Recon-ng and Burp Suite 2 with Tim Tomes
Episode #53 - Building AppSec at GitHub with Greg Ose
Episode #52 - Serialization Vulns, Career Growth, and Hacking your Happiness with Chris Gates
Episode #51 - XXE, Assessment Reporting and Process with Jessica Ryan
Episode #50 - Static Analysis Tools, DevSecOps, Secure Code Training with Eric Heitzman
Episode #49 - Subdomain Takeovers, DNS SSRF, OAuth Best Practices, Top 10 Web Hacking Techniques of 2019
Episode #48 - .dev domains, Kamus with Kubernetes Secrets, Threat Modeling as Code, OWASP Glue Project & Omer Levi Hevroni
Episode #47 - Mapping Application Source, Mobile OWASP Top 10, Mobile App Testing & Kevin Cody
Episode #46 - Fuzzing, Frameworks, Training & Daniel Miessler
Episode #45 - Bug Bounties, Managing AppSec, & Sean Poris
Episode #44 - AppSec Cali, Bug Bounties, & David Coursey
Episode #43 - DerbyCon, pwnhead, & Keith Hoodlet
Episode #42 - Segment Team (Leif Dreizler & David Scrobonia) - SSRF Rebinding, Breach Password Lists
Episode #41 - Hidden File Enumeration + Will Bengtson - AWS/Cloud Security, CloudTrail, Trailblazer
Episode #40 - Secure Code Reviews, Assessment Scopes, More Breach Fatigue
Episode #39 - Jerry Gamblin - Breach Fatigue, AWS re:Invent
Episode #38 - Matt Konda - event-stream, Glue Tool, OWASP, Jemurai
Episode #37 - Stefan Edwards - Holiday Gifts, Getting Started with Security and Languages, Formal Verification
Episode #36 - Mike McCabe - Input Validation vs. XSS, Cloud Security, Building AppSec Programs, Interviews
Episode #35 - Travis McPeak - OWASP Bay Area, RepoKid, AWS Security, and SSRF
Episode #34 - Stefan Edwards - Security Testing, Blockchain & you!
Episode #33 - John Melton - Building AppSec programs, static analysis tools, and contributing to open source
Episode #32 - Eric Johnson - Burp Suite Pro setup tips, Puma Scan, teaching AppSec
Episode #31 - Rob Fuller - Writing effective vulnerability reports, CCDC, volunteerism, NoVA Hackers
Episode #30 - Dave Ferguson - CSRF, AppSec Tooling, Developer Training
Episode #29 - Matt Tesauro - OWASP, DefectDojo, AppSec Pipeline Toolbox
Episode #28 - Astha Singhal - Automating application security, bug bounties
Episode #27 - Jim Manico - Jim Manico RAW, Training, OWASP, Code Security
Episode #26 - Justin Larson - Building an AppSec program from scratch, Ruby vs. JS
Episode #25 - Scott Piper - AWS Security, CloudMapper, CloudTracker
Episode #24 - Jason White - Transitioning from developer to application security
Episode #23 - Ken Toler - Security programs and identifying security champions
Episode #22 - Jimmy Mesta - Kubernetes and container security
Episode #21 - Alex Smolen - cloudtrail-daily & WebAuthn
Episode #20 - Authentication & JWTs
Episode #19 - Submitting CFPs & More
Episode #18 - Chris Gates (Purple Teaming/WeirdAAL)
Episode #17 - EFAIL & CSRF Tokens
Episode #16 - Hipster Languages/Frameworks
Episode #15 - Kevin Cody (Mobile Security Testing)
Episode #14 - Karthik Gaekwad
Episode #13 - Charles Nwatu
Episode #12 - Justin Collins
Episode #11 - David Coursey & Stefan Edwards
Episode #10 - Jimmy Mesta
Episode #9 - Jason Haddix
Episode #8 - Neil Matatall
Episode #7
Episode #6 - Kevin Cody
Episode #5 - Stefan Edwards & David Coursey
Episode #4 - Evan Johnson
Episode #3 - Jerry Gamblin
Episode #2
Episode #1 - Introductions

The Hosts