https://absoluteappsec.com en-us Ken Johnson and Seth Law no Ken Johnson and Seth Law absoluteappsec@gmail.com A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law. https://absoluteappsec.com/img/logo_1600x1600.jpg https://absoluteappsec.com https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_315.mp3 Tue, 03 Mar 2026 11:00:00 -0700 In episode 315 of Absolute AppSec, Ken Johnson and Seth Law discuss the rapidly evolving challenges of securing software in an era of AI-assisted development. The hosts provide updates on their "Harnessing LLMs for Application Security" training, noting that the field is changing so fast that they must constantly update their exercises to include new agents and advanced tools like Claude Code. A primary concern raised is the "naivete" of many new security tools, where prompts are often automatically generated by AI rather than expertly crafted, causing a loss of essential nuance. The hosts also warn against AI companies building security products without specialized expertise, citing a zero-click exploit in the "Comet" AI browser that could exfiltrate sensitive secrets via calendar summaries. As development teams now ship code at "AI speed," the hosts argue that traditional AppSec methods are too slow, necessitating a strategic pivot toward automated design reviews, governance, and observability rather than just chasing individual vulnerabilities. Despite the inherent risks and the ongoing difficulty of managing AI reasoning drift, they remain optimistic that these tools can eventually unlock more efficient, hands-off AppSec workflows if managed with proper guardrails and deterministic oversight. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_314.mp3 Tue, 24 Feb 2026 11:00:00 -0700 In this episode, the hosts discuss the seismic shift in the application security landscape triggered by the rise of Large Language Models (LLMs) and Anthropic’s "Claude Code". They highlight the massive economic repercussions of these AI advancements, noting that billions in market value were wiped from traditional cybersecurity stocks as investors begin to believe frontier models might eventually write perfectly secure code. The hosts critique the industry's historical reliance on "checkbox" compliance tools like SAST, DAST, and SCA, arguing that these "archaic" methods are being replaced by AI-native strategies capable of reasoning through complex logic flaws. While they acknowledge that AI can suffer from "reasoning drift" and still requires deterministic validation to avoid false positives, they emphasize that security professionals must adapt by building custom "skills" and focusing on governance and observability. The discussion concludes that as developers move to "AI speed," the traditional role of the AppSec professional is evolving into a "Jarvis-like" orchestrator who manages automated workflows and infuses institutional knowledge into AI agents to maintain oversight without slowing down production. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_313.mp3 Tue, 17 Feb 2026 11:00:00 -0700 Ken Johnson and Seth Law examine the intensifying pressure on security practitioners as AI-driven development causes an unprecedented acceleration in industry velocity. A primary theme is the emergence of "shadow AI," where developers utilize unauthorized AI coding assistants and personal agents, introducing significant data classification risks and supply chain vulnerabilities. The discussion dives into technical concepts like AI agent "skills"—markdown files providing specialized directions—and the corresponding security risks found in new skill registries, such as malicious tools designed to exfiltrate credentials and crypto assets. The hosts also review 1Password’s SCAM (Security Comprehension Awareness Measure), highlighting broad performance gaps in an AI's ability to detect phishing, with some models failing up to 65% of the time. To manage these unpredictable systems, the hosts advocate for a shift toward high-level validation roles, emphasizing the need for Subject Matter Expertise to combat "reasoning drift" and maintain safety through test-driven development and periodic "checkpoints". Ultimately, they conclude that while AI can simulate expertise, human oversight remains vital to secure the probabilistic nature of modern agentic workflows. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_312.mp3 Tue, 10 Feb 2026 11:00:00 -0700 In episode 312 of Absolute AppSec, the hosts discuss the double-edged sword of "vibe coding", noting that while AI agents often write better functional tests than humans, they frequently struggle with nuanced authorization patterns and inherit "upkeep costs" as foundational models change behavior over time. A central theme of the episode is that the greatest security risk to an organization is not AI itself, but an exhausted security team. The hosts explore how burnout often manifests as "silent withdrawal" and emphasize that managers must proactively draw out these issues within organizations that often treat security as a mere cost center. Additionally, they review new defensive strategies, such as TrapSec, a framework for deploying canary API endpoints to detect malicious scanning. They also highlight the value of security scorecarding—pioneered by companies like Netflix and GitHub—as a maturity activity that provides a holistic, blame-free view of application health by aggregating multiple metrics. The episode concludes with a reminder that technical tools like Semgrep remain essential for efficiency, even as practitioners increasingly leverage the probabilistic creativity of LLMs. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_311.mp3 Tue, 03 Feb 2026 11:00:00 -0700 Ken Johnson and Seth Law examine the profound transformation of the security industry as AI tooling moves from simple generative models to sophisticated agentic architectures. A primary theme is the dramatic surge in development velocity, with some organizations seeing pull request volumes increase by over 800% as developers allow AI agents to operate nearly hands-off. This shift is redefining the role of Application Security practitioners, moving experts from manual tasks like manipulating Burp Suite requests to a validation-centric role where they spot-check complex findings generated by AI in minutes. The hosts characterize older security tools as "primitive" compared to modern AI analysis, which can now identify human-level flaws like complex authorization bypasses. A major technical highlight is the introduction of agent "skills"—markdown files containing instructions that empower coding assistants—and the associated emergence of new supply chain risks. They specifically reference research on malicious skills designed to exfiltrate crypto wallets and SSH credentials, warning that registries for these skills lack adequate security responses. To manage the inherent "reasoning drift" of AI, the hosts argue that test-driven development has become a critical safety requirement. Ultimately, they warn that the industry has already shifted fundamentally, and security professionals must lean into these new technologies immediately to avoid becoming obsolete in a day-to-day evolving landscape. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_310.mp3 Tue, 27 Jan 2026 11:00:00 -0700 In this episode of Absolute AppSec, hosts Ken Johnson and Seth Law interview Mohan Kumar and Naveen K Mahavisnu, the practitioner-founders of Aira Security, to explore the critical challenges of securing autonomous AI agents in 2026. The conversation centers on the industry's shift toward "agentic workflows," where AI is delegated complex tasks that require monitoring not just for access control, but for the underlying "intent" of the agent's actions. The founders explain that agents can experience "reasoning drift," taking dangerous or unintended shortcuts to complete missions, which necessitates advanced guardrails like "trajectory analysis" and human-in-the-loop interventions to ensure safety and data integrity. A significant portion of the episode is dedicated to the security of the Model Context Protocol (MCP), highlighting how these integration servers can be vulnerable to "shadowing attacks" and indirect prompt injections—exemplified by a real-world case where private code was exfiltrated via a public GitHub pull request. To address these gaps, the guests introduce their open-source tool, MCP Checkpoint, which allows developers to baseline their agentic configurations and detect malicious changes in third-party tooling. Throughout the discussion, the group emphasizes that as AI moves into production, security must evolve into a proactive enablement layer that understands the probabilistic and unpredictable nature of LLM reasoning. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_309.mp3 Tue, 20 Jan 2026 11:00:00 -0700 In this episode of Absolute AppSec, Nathan Hunstad, Director of Security at Vanta, discusses the intersection of security policy, governance, and technical defense. Drawing on his unique background in political science and the Minnesota state legislature, Hunstad argues that policy acts as the essential "conductor" for an organization's security tools. A major theme of the conversation is the challenge of compliance for startups, with the group advising founders to prioritize business survival and basic security hygiene—like password managers and IAM—before pursuing intensive certifications like SOC 2. The discussion also explores how AI is accelerating both development velocity and the ability to automate tedious security questionnaires. Furthermore, Hunstad contrasts the security posture of modern, cloud-native startups against legacy enterprises, noting that older organizations often struggle with "dark corners" of un-inventoried, vulnerable legacy tech. The episode concludes with a critique of outdated authentication standards, specifically advocating for the removal of mandatory password rotation in favor of NIST-aligned, phishing-resistant MFA. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_308.mp3 Tue, 13 Jan 2026 11:00:00 -0700 Ken Johnson (cktricky on social media) and Seth Law are happy to announce a special episode of Absolute AppSec with Avi Douglen (sec_tigger on X), long-time OWASP Global Board of Directors member, founder and CEO of Bounce Security and co-author of the Threat Modeling Manifesto. The conversation ranges from Application Privacy related to Application Security, to participating in meetups and conferences, and finally OWASP as an Avi's experience as a board member. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_307.mp3 Tue, 23 Dec 2025 11:00:00 -0700 In episode 307 of Absolute AppSec, hosts Ken and Seth conduct a retrospective on the application security landscape of 2025. They conclude that their previous predictions were largely accurate, particularly regarding the rise of prompt injection, AI-backed attacks, and the industry-wide shift toward per-token billing models. A major theme of the year was the solidification of supply chain security as a critical pillar of AppSec, driven by notable incidents such as Shai Hulud and React for Shell. The hosts also share insights from their four-day training course on utilizing LLMs for secure code review, noting that while AI development is becoming more prevalent, most practitioners are still in the nascent stages of building custom tooling. Much of the discussion focuses on the Model Context Protocol (MCP); while it offers significant value for agentic workflows, the hosts criticize its current lack of robust security controls, specifically highlighting issues with OAuth implementations and short timeouts in existing clients. Finally, they discuss how the industry is moving toward a more nuanced balance between deterministic tools like Semgrep and the probabilistic creativity of LLMs to increase efficiency in security consulting. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_306.mp3 Tue, 02 Dec 2025 11:00:00 -0700 Given the spate of recent npm news stories, we've arranged a topical show with software supply-chain security researcher and npm hacker Paul McCarty (find Paul on bsky https://bsky.app/profile/6mile.githax.com) . Paul is currently a researcher with Safety (https://getsafety.com/) and has a background in security including work at John Deere, Boeing, Regence Blue Cross/Blue Shield, NASA Jet Propulsion Lab, the US Army, and the Queensland Government. He's also spent twenty some odd years helping startups with security practices, and is a maintainer of the Open Source Malware project. In addition, Paul has been long time friend of the show, contributing his insights to the Absolute AppSec community slack in addition to frequently writing up his research at the SourceCode RED blog: https://sourcecodered.com/blog. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_305.mp3 Tue, 25 Nov 2025 11:00:00 -0700 The latest episode of Absolute AppSec is here, with Ken Johnson and Seth Law checking in during the busy Q4 holiday season to share some fascinating insights on the evolving landscape of security and technology. They kick off by reflecting on their intensive, ever-changing "Harnessing LLMs for Application Security" courses, noting how rapidly the underlying tech evolves. The conversation quickly turns to a compelling debate: How will the rise of generative AI impact career paths for newcomers, especially given that LLMs fundamentally rely on the contributions of existing experts? While pathways may change, they agree that core human activities—like networking, contributing to projects, and maintaining a hacker mindset—will remain crucial. The hosts then dive into a fascinating discussion on the darker side of SEO, introducing the concept of Generative AI Engine Optimization (GEO), where marketers exploit AI search results through tricks like keyword-stuffed files to game rankings. They tie this to historical examples of exploitation, harkening back to Google hacking days. Finally, they cover the recent Shai Hulud 2 supply chain attack, which infected hundreds of NPM packages and utilized even more sophisticated obfuscation and delayed execution tactics than its predecessor. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_304.mp3 Tue, 18 Nov 2025 11:00:00 -0700 This episode, the 304th of Absolute AppSec, features hosts Ken Johnson (@cktricky) and Seth Law (@sethlaw) discussing the crush of Q4 expectations, upcoming training opportunities, the recent updates to the OWASP Top Ten, and the impact of AI tools like XBow on application security (AppSec) consulting. The hosts discuss the shift in the OWASP Top Ten from focusing on vulnerabilities to focusing on risks, and the dual role the list now plays for both awareness/training and compliance. Shifting to recent funding of XBow, the overall consensus is that while AI tools dramatically improve process flow, scoping, and the speed of vulnerability identification for consultants, they won't replace the need for human experts for complex, bespoke systems, business logic flaws, or authorization issues. AI is commoditizing lower-level AppSec work. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_303.mp3 Mon, 10 Nov 2025 11:00:00 -0700 Prof. Brian Glas (infosecdad on social media) joins Seth Law (sethlaw) and Ken Johnson (cktricky) for a timely episode of Absolute AppSec. Infosec Guru and one of the OWASP Top Ten project leaders Prof. Glas joins us in the aftermath of the Global AppSec conference and the announcement of the new OWASP Top Ten (2025). This episode focuses on the process for compiling the list as well as gleaning any other insights from Prof. Glas. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_302.mp3 Tue, 04 Nov 2025 11:00:00 -0700 Episode 302 of Absolute AppSec has hosts Ken Johnson and Seth Law speculating on the upcoming Global AppSec DC conference, predicting the announcement of the OWASP Top Ten 2025 edition, with Brian Glass scheduled to discuss it on the podcast. The conversation shifts to a technical discussion of OpenAI's new browser, Atlas, which is built on Chromium and includes AI capabilities. The hosts noted concern over the discovered prompt instructions for Atlas, which direct the ChatGPT agent to use browser history and available APIs to find data from the user's logged-in sites to answer ambiguous queries or fulfill requests. This functionality raises significant security concerns, as the agent's ability to comb the cache and logged-in sites could be exploited, effectively creating a "honeypot for cross-site scripting" with malicious potential like unauthorized money transfers. The hosts discussed the lack of talk submissions on Mobile Context Protocol (MCP) security at the conference, despite its growing relevance in a world of AI agents and tooling. Finally, they highlighted a new tool called SlopGuard, developed to prevent the risk of AI hallucinating non-existent, potentially malicious packages (which occurs 5-21% of the time) and attempting to install them from registries like NPM. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_301.mp3 Tue, 28 Oct 2025 11:00:00 -0700 In this episode, Seth and Ken debate OpenAI's Atlas browser, which embeds AI into web browsing. Ken views it as a major privacy concern, potentially accelerating invasive data collection and surveillance. Seth noted that new browsers historically have critical flaws. They acknowledged that AI is very useful for generic and technical internet searches. They discussed the Co-Fish attack, a phishing vulnerability in Microsoft Copilot Studio that could exfiltrate access tokens via a seemingly valid Microsoft URL. Finally, they noted that big companies like Snyk and Black Duck are moving toward agentic AI capabilities, confirming the industry trend. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_300.mp3 Tue, 14 Oct 2025 11:00:00 -0700 For the 300th (!!!!) episode of the podcast, Seth and Ken reminisce on changes to the industry and overall approach to application security since inception. The hosts discussed the evolution of the industry, noting that once-popular approaches like blindly emulating "hip" Silicon Valley security programs and running unmanaged Security Champions Programs have fallen out of favor, as organizations now better understand that these approaches are not one-size-fits-all and require careful, metrics-driven management. While Bug Bounty Programs remain popular, they noted an increase in submissions from "skiddies" (script kiddies) that challenge program effectiveness and highlight the need for internal support and a proactive stance before rolling out a public program. Positively, they observed that the industry has become more mature, focusing on business value, metrics, and ROI , a move that may have been accelerated by recent economic pressures. Furthermore, security practices have improved, with the decline of common vulnerabilities like XSS and SQL Injection due to safer frameworks and browser controls, allowing AppSec professionals to focus on more complex issues, such as business logic flaws and focused threat analysis, while the once monolithic process of threat modeling has evolved into a more nimble, "point-in-time" assessment readily adopted by developers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_299.mp3 Tue, 07 Oct 2025 11:00:00 -0700 The duo is back after a short hiatus. Today's episode is inspired by recent articles related to startups, funding, and the grind that happens when building a company or being an individual contributor. Specifically, a recent article about AI startup founders putting in long hours to the exclusion of everything else is debated. This is followed by aa discussion on the current security AI startup hype cycle, spurred by thoughts from FranklySpeaking, and how security companies in general are acquired and disappear over time. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_298.mp3 Tue, 16 Sep 2025 11:00:00 -0700 In what is (sadly) becoming a weekly segment, this episode starts with talk of the latest installment of npm package takeovers, dubbed Shai Hulud as discussed in Slack and analyzed by Paul McCarty and team. Strategies discussed for monitoring packages and preventing malware from entering into organization's products. This is followed by an article referencing security via intentional redundancy when designing sensitive application functionality. Finally, analysis of a recent article from Frankly Speaking that lists a series of new commandments for security teams, which are mostly agreed to by both Seth and Ken, with some caveats. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_297.mp3 Tue, 09 Sep 2025 11:00:00 -0700 The Absolute AppSec duo returns with an in-depth episode talking about true and false positives, where context matters and business impact must be taken into account in order to avoid rabbit holes. This discussion spurred by a recent article from signalblur of magonia.io discussing alerts in a security operations center. In short, only considering existence of a flaw (or alert) is not enough by itself. True impact comes by understanding context. Anyone want t-shirts? A discussion of the recent successful phish of an npm package maintainer, resulting in exposure of millions of projects depending on popular npm packages. It happens, folks, protect yourself. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_296.mp3 Tue, 02 Sep 2025 11:00:00 -0700 Ken and Seth kickoff a podcast by reviewing current state of the OWASP Top 10 project, given recent requests and interactions on Absolute AppSec slack from various contributors. This is followed by an in-depth breakdown of the recent NX npm package compromise. This breakdown shows that even though AI is weaponized to exfiltrate data, the main exploit was the result of a command injection flaw. Crocs and Socks coming back to bit all of us. Finally, Ken and Seth provide a list of resources used to monitor the wider security community. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_295.mp3 Tue, 26 Aug 2025 11:00:00 -0700 Seth and Ken return with a new episode summarizing their experience at DEF CON 33 and all things Las Vegas over the past month. This includes panels, talks, workshops, happy hours, and even corporate (boo) events. This is followed by discussion of a few research items that came out of the conference, including James Kettle's HTTP1.1 Must Die talk. Finally, why AI is infecting Application Security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_294.mp3 Tue, 19 Aug 2025 11:00:00 -0700 Just in time for AppSec sweeps week, Anshuman Bhartiya is joining Seth Law (sethlaw on social media) and Ken Johnson (cktricky) on the Absolute AppSec podcast! With over a decade in the security industry, Anshuman Bhartiya brings a wealth of knowledge to the table, in web application penetration testing and product security for major enterprises (EMC, Intuit, Atlassian, Lytx, etc). As the current Tech Lead for Application Security at Lyft and co-host of The Boring AppSec Podcast, Anshuman has a wealth of knowledge on AppSec topics. Read more about Anshuman’s work in the AppSec community at his webpage here: https://www.anshumanbhartiya.com. Join us for a wide-ranging conversation about making it in information security and AppSec. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_293.mp3 Tue, 29 Jul 2025 11:00:00 -0700 Spurred by a recent article from Venture in Security, this episode delves deep into the practical application of security into an organization's SDLC. Covering a range of issues from gaps in contextual understanding to disingenuous vendor claims, Seth and Ken share their experiences dealing with small and large organizations with varying levels of maturity. Some degree of nihilism is warranted, but recent developments using generative AI is cause for optimism in the space. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_292.mp3 Tue, 15 Jul 2025 11:00:00 -0700 Seth and Ken are _back_ to talk through some recent experiences and news across the industry. To start the episode, Seth highlights the edge cases uncovered during manual code review that require context to understand and identify. Inspired by recent a recent post on AI Slop in the curl bug bounty program, the duo addresses the increase of slop across bug bounty reports and why it happens. Finally, a discussion on McDonald's recent authorization flaw that potentially exposed millions of job applicant's data. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_291.mp3 Tue, 08 Jul 2025 11:00:00 -0700 Sean Varga, current regional sales manager with noted ASPM company Cycode joins Ken (@cktricky) and Seth (@sethlaw) to discuss the dawning realization organizations are having that they need AppSec experience and tech help to accompany their swelling numbers of developers. Sean's introduces "the OWASP Top 10 for AppSec Sales" to the community Before joining Cycode, Sean worked as Large Enterprise Sales Manager at Apiiro and Enterprise Account executive at Secure Code Warrior. He's also had stints at Veracode, Quest Software, and RSA across his career. We'll get to know Sean and his journey into AppSec, as well as getting his insights on the direction he sees things going moving forward. Connect with or follow Sean on LinkedIn to see what he's up to in the meantime: https://www.linkedin.com/in/sean-varga/ no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_290.mp3 Tue, 01 Jul 2025 11:00:00 -0700 Ken returns after a week's hiatus to review the latest AppSec news with Seth. Specifically, the idea that authentication fatigue exists for both consumers and developers. The amount of choice to implement security controls can have unintended consequences and introduces risk that may or may not be considered. This is followed by research from SquareX that claims Browser AI Agents are riskier and easier to target than employees. This results in opinions on phishing and protections against consumer/business targeting by attackers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_289.mp3 Tue, 24 Jun 2025 14:30:00 -0700 With @cktricky out on a grand tour across the country (or just unable to record for the day), @sethlaw succumbs to the dark side to give @lojikil a platform to talk about recent developments in the application security world. Specifically, a discussion on vulnerability data and scoring mechanisms, including CVE, CVSS, CWSS, and other acronyms. Wraps up with a longer discussion on the use of AI across multiple disciplines and provenance of AI Slop. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_288.mp3 Tue, 17 Jun 2025 10:00:00 -0700 Seth and Ken return with an in-depth discussion around the future of security due to use of AI. The landscape of security is changing quickly and we do not know where it is headed. As such, it is worth exploring how it has changed security's outlook and what we are seeing across organizations from a consulting and product perspective. A recent article from a16z titled "Next-Gen Pentesting: AI Empowers the Good Guys" is a good summary of the changes happening. A short aside on unintended consequences when introducing new browser features. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_287.mp3 Tue, 10 Jun 2025 10:00:00 -0700 Hayden Smith, Hunted Labs Co-Founder comes on Absolute AppSec to discuss, among other things, the Hunted Labs work discovering and publicizing the EasyJson software supply chain threat. Before co-founding Hunted Labs, Hayden was Senior Director of Field Services at Anchore, assisting US government, intelligence, and Fortune 500 clients. Long a specialist on supply-chain issues, Smith established the DoD's Platform One software factory, designed container-hardening pipelines securing 500+ Iron Bank images, and led Anchore solutions architects. Previously, he also worked at Booz Allen Hamilton where he supported US government and intelligence clients on cybersecurity/DevOps, and led the cybersecurity team testing the US Air Force's GPS OCX. Seth and Ken discuss some of Hayden's path into the security industry as well as Hunted Labs' report on the EasyJson software supply-chain threat. Read up here for more information: https://huntedlabs.com/exclusive-threat-report/ no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_286.mp3 Tue, 20 May 2025 10:00:00 -0700 We are happy to have Kayra Otaner as a special guest on the Absolute AppSec podcast. Kayra (kayraotaner on LinkedIn and X/twitter), the current Director of DevSecOps at Roche, brings over 15 years of cybersecurity leadership experience from New York and Wall Street. He's led DevSecOps and DevOps teams across a variety of organizations, including ADP, Voice, and adMarketplace, and has served as a trusted CTO advisor for Trendyol. His background also includes cybersecurity consulting for the Turkish Navy, where he helped develop a defense solution that was later deployed in NATO's Locked Shields cyber defense war games in Tallinn. Kayra is a frequent speaker at international DevSecOps conferences and serves on the Business and Computer Science Advisory Board at Middlesex County College in New Jersey. During this episode of the podcast Kayra discusses his journey into information security and spurs on his recent thoughts on authenticating open source developers through models similar to TSA PreCheck. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_285.mp3 Tue, 13 May 2025 10:00:00 -0700 News this week has been dominated by dependency issues and attribution towards unwanted nation states and actors. Specifically, easyjson is developed by a Russian firm that is under sanctions. The podcast duo discuss the implications and how to protect apps from sub-dependency threats. This leads to a deep dive into breaches and whether a breach has an effect on the industry, company, or individual. Current regulations and certifications can be lost, but does not always have the effect we would expect. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_284.mp3 Tue, 06 May 2025 10:00:00 -0700 Back after a hiatus for both BSidesSF and RSA, Seth and Ken recap their experience at both conferences. TL;DR - BSidesSF is great for technical security content and community, RSA focuses on sales for mostly large organizations and budgets. Two sides of the security industry coin and depends on preferences for which makes the most sense for career or business growth. This is followed by a short discussion on vibe coding educational security tools. Episode wraps with an article on MFA phishing and how WebAuthN helps prevent accidental exposure. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_283.mp3 Tue, 22 Apr 2025 10:00:00 -0700 Ok, so vulnerable MCP tools are a thing now? Ken demonstrates installing and running an intentionally vulnerable MCP server with a bunch of example issues. Following is a discussion of the recent article and research around hallucinations of 3rd party dependencies/libraries in AI-Generated Python and JavaScript. New attack targets all dependent on how creative the LLM is allowed to be. A short aside on why we talk about AI and LLMs so much. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_282.mp3 Tue, 15 Apr 2025 10:00:00 -0700 It is time to talk about Model Context Protocol (MCP), Google's Agent 2 Agent specification, and get back to the crocs and socks of authentication for Non-Human Identities (NHIs). MCP servers have exploded over the last few weeks and provide a standard mechanism for LLMs to interact with pretty much _anything_. Seth and Ken talk about the risks, exposures, and where things could go from here. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_281.mp3 Tue, 08 Apr 2025 10:00:00 -0700 The duo are back for a discussion on securing machine learning models using Sigstore, based on a recent blog post from Google Security. Followed by some spicy takes on opinions on vibe coding and its effects on application and product security. Finally, short-lived tokens used to exploit RCE against the GitHub CodeQL Action. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_280.mp3 Tue, 25 Mar 2025 10:00:00 -0700 Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peak of an upcoming talk by Seth for BSidesSLC. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_279.mp3 Tue, 18 Mar 2025 10:00:00 -0700 After a week's hiatus, Ken and Seth return and start with a discussion on OWASP conferences and the effectiveness of attendance for vendors. This is followed by an expansive mental health discussion inspired by a recent blog post on Destructive Fatigue from Justin Larson at Redpoint Security. A constant focus on breaking and tearing down applications or anything can have mental health effects. Additionally, focus on the negative aspects increases imposter syndrome that is already prevalent across the industry. This leads to the question, what do you do to maintain sanity and mental health? Jump into Slack or tag @absoluteappsec on social media with your strategies. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_278.mp3 Tue, 04 Mar 2025 10:00:00 -0700 Seth and Ken return without a guest to discuss recent news, breaches, and research. Initial discussions around the purposes of the various security conferences and what is recommended for various professional levels. An article discussing recent customer data exposure by Zapier in git test data. Synthetic test data has been an issue for long time so not a surprising turn of events. Finally, thoughts on the definitions and classification of Unforgivable Vulnerabilities as proposed by the UK's National Cyber Security Centre. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_277.mp3 Tue, 25 Feb 2025 10:00:00 -0700 Kyle Rippee, currently staff product security engineer at Tines, joins Seth and Ken for another episode of Absolute AppSec. Kyle has over a decade of experience both managing and working for Application Security teams, as well as working as a pentester, security consultant, and software engineer. Before Tines, he worked for PlanetArt (where he held the role of Director of Information Security), FloQast, Shutterfly, Atos, among other Product Development and Security Consulting firms. Join us as we discuss Kyle's path into application security as well as finding out more about the interesting things going on at Tines. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_276.mp3 Tue, 18 Feb 2025 10:00:00 -0700 Myles is currently Product Lead for Developer Platform at Snowflake. Previously, he directed project management at GitHub, overseeing projects like GitHub Copilot Workspace for PRs, Codespaces, npm, and Packages. A key contributor to Ecma International and TC39, he has served for stretches as a Delegate, Co-Chair, and VP for the project. His contributions to TC39 coincided with his periods he worked for both Google and Microsoft, respectively. In addition to extensive experience driving security and standards improvement in open source initiatives and key development languages, Myles is an active and accomplished musician. Catch up with Myles and his work here: https://mylesborins.com/about.html. We are excited to have Myles as a guest on the show, so be sure to catch up with this episode and make a note that this episode is occurring one hour earlier than the typical livestream broadcast time. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_275.mp3 Tue, 11 Feb 2025 11:00:00 -0700 Ken and Seth are back for another episode that starts with a summary of the Semgrep and OpenGrep break. This is followed by Google's recent article titled Secure By Design: Google's Blueprint for a High-Assurance Web Framework. Google is focused on protections within the browser, given their products and business, but the controls and overall process are relevant to most application security programs. Finally, a discussion of Orange Tsai's research on Confusion Attacks within Apache that was number one in Portswigger's Top 10 Web Hacking Techniques of 2024. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_274.mp3 Tue, 04 Feb 2025 11:00:00 -0700 Seth and Ken return for another week to review current articles and happenings in the application security world. Specifically, they spend some time reacting to the news that the Semgrep Community version has been forked as Opengrep by a number of vendors. This occurs as a result of Semgrep changing the licenses on their open source rules to prevent use in competitor products. Also a discussion spurred by Rami McCarthy's recent article on how "No" is still appropriate and security shouldn't be a rubber stamp for any organization. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_273.mp3 Tue, 28 Jan 2025 11:00:00 -0700 Josh Larsen, co-founder of CTO of Ghost Security, joins Seth Law and Ken Johnson on January 28th at 12 Noon Eastern time. Before Ghost Security, Josh was a co-founder and CEO of Darkbit and before that of the Blackfin Security Group. Larsen led the GTM strategy for both startups, and Darkbit and Blackfin Security Group were acquired by Aqua Security and Symantec Corporation, respectively. Ghost Security (https://ghostsecurity.com/) was founded so development shops and AppSec teams had a tool to perform autonomous application security using Agentic AI with the goal of helping teams discover, test, and mitigate risks in real time. Josh (joshlarsen on Linked In, @josh_larsen on X/Twitter) has been in the industry for 25 years working as a security program manager and consultant as well as building products that improve the security landscape. Be sure to tune in as Seth and Ken talk through his experiences in the field as well as gleaning his insights about the future of AppSec. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_272.mp3 Tue, 21 Jan 2025 11:00:00 -0700 Ken and Seth start with a demo and discussion on some newer tools that use integrated AI in both the code and workflow spaces. Specifically, use for code review and understanding is improving. This is followed by a wide-ranging discussion of false positives, where they come from, and how they affect application security. Seth gets up in arms about trying to deal with unrealistic expectations around reducing false positives. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_271.mp3 Fri, 17 Jan 2025 11:00:00 -0700 Seth and Ken return once again to talk through the overall effectiveness and purpose of Portswigger's Top 10 Web Hacking Techniques and how it benefits the community. A short discussion on some of the current crop of techniques up for polling. Spurred by recent revelations around Snyk's approach to identifying security issues in npm packages, the duo discusses research techniques and identifying security issues without exploitation or harm. To close out, a discussion on progressing from junior to senior within the security space and challenges in the current market. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_270.mp3 Tue, 07 Jan 2025 11:00:00 -0700 Ken and Seth return for 2025 to review the accuracy of their predictions from 2024 and make a few new ones for this new year. Some hits and misses for last year, but overall the generic predictions for both AI/LLM growth and software supply chain security were accurate. However, they were wrong in their assumptions around LLM creation and training. For 2025, predictions on AI billing models, software supply chain attacks, OWASP Top 10 2025, and more. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_269.mp3 Tue, 17 Dec 2024 11:00:00 -0700 The dynamic duo is back for another holiday special. Not that they reference the holidays, but dig into complaints about security conferences and how to build a conference network. Followed by a discussion inspired by a recent TL;DRSec post from Maya Kaczorowski on "What Sucks about Security" where security leaders were asked that specific question. This leads into the question "What Sucks in AppSec?", so the co-hosts give their responses. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_268.mp3 Tue, 10 Dec 2024 11:00:00 -0700 Seth and Ken are happy to announce that Clint Gibler (@clintgibler), the force behind TL;DRSec (tldrsec.com) and head of Security Research at Semgrep, will be coming on as a guest again on the Absolute AppSec podcast. The conversation starts with background on his experience with TL;DRSec and writing a newsletter. Followed up by an indepth discussion on secure defaults and how Semgrep and other tools help push security in organizations. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_267.mp3 Tue, 19 Nov 2024 11:00:00 -0700 Join us for an episode of Absolute AppSec with Kinnaird McQuade, founder and CTO of NightVision. Kinnaird developed NightVision as a security testing tool that combines codebase analysis with DAST features. Before NightVision, Kinnaird worked as lead security engineer at both Square and Salesforce. Additionally he worked at Synopsys as Cloud Security Consulting Practice Lead. Be sure to tune into the episode as Ken Johnson and Seth Law interview Kinnaird McQuade to gain insights from his experiences and thoughts on improving security for applications and developers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_266.mp3 Thu, 05 Nov 2024 11:00:00 -0700 Seth (@sethlaw) and Ken (@cktricky) return for an in-depth discussion on penetration testing expectations, driven by recent posts and slack activity from Andrew Wilson. Essentially, certain clients expect that a single penetration test finds everything possible, whether or not those expectations are appropriate. The duo expounds on their experience with similar expectations and how its affected their respective careers and organizations. A followup on threat modeling and a new approach being coined as Attack Modeling. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_265.mp3 Thu, 29 Oct 2024 11:00:00 -0700 Scott Norberg joins Ken Johnson and Seth Law for an episode of Absolute AppSec all about SAST. Scott is an ASP.NET Security Consultant, Author, Researcher and Speaker. In addition to running his Opperis Technologies consultancy, Scott has recently begun working as lead application security architect at CDW. Before that he worked as Lead Application Security engineer at Gallagher and was a Senior Consultant with the AppSec team at Coalfire. He has been a web security specialist for nearly two decades, and holds several certifications, including Microsoft Certified Technology Specialist (MCTS), certifications for ASP.NET and SQL Server, and a Certified Information Systems Security Professional (CISSP) and CCSP certification. He also has an MBA from Indiana University. To find out more about Scott check out his website https://scottnorberg.com/ as well as his 2020 book Advanced ASP NET Core Security Vulnerabilities. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_264.mp3 Thu, 17 Oct 2024 11:00:00 -0700 Jeremy Long (@ctxt on social media), Principal Security Engineer at Service Now and project founder and lead for the OWASP Dependency Check project joins Ken Johnson (@cktricky) and Seth Law (@sethlaw). Jeremy spent a decade and a half as a lead application security engineer and principal engineer at Wells Fargo before joining ServiceNow. He has spent years developing processes for automated security analysis of software libraries and techniques for improving real-time application protection (RTAP) systems. Make sure to set time aside for a discussion on Jeremy's insights into improving security systems through dependency analysis and managing industry projects. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_263.mp3 Tue, 08 Oct 2024 11:00:00 -0700 Ken and Seth return for Episode #263 and start with a discussion around web application fuzzing and the deficiencies of vulnerability and exploit-focused dynamic testing, a common thread in Seth's ranting. This is followed by a discussion on mobile testing and attempting to control security through client-side controls, spurred by an article that compares security in the McDonald's Android app to various banking apps. The final topic is around secrets management and use of the dotenv (.env) file for storing secrets. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_262.mp3 Tue, 30 Sep 2024 11:00:00 -0700 Ariel Shin joins Ken Johnson (@cktricky on social media) and Seth Law (@sethlaw) for a special episode of Absolute AppSec. Ariel is currently a Security Engineering Manager at Datadog after a three-year stint at Twilio where she worked as an engineering manager in product security, a product security team lead, and a senior product security engineer. This year at Bsides SF 2024, she presented on her time at Twilio in a retrospective talk entitled “Six Years in Review: Transforming Company Culture to Embrace Risk.” The video from Bsides SF can be found here: https://www.youtube.com/watch?v=cQE1OqCpeI8. Before Twilio, Ariel worked at one medical as an appsec engineer as well as spending time as a Technology and Privacy consultant with Protiviti. She also helps build the professional appsec and prodsec communities as a frequent commenter and presenter at security conferences. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_261.mp3 Tue, 24 Sep 2024 20:00:00 -0700 Ken (@cktricky) and Seth (@sethlaw) are back to review this weeks news and commiserate about industry happenings. First up are their thoughts on the current economic climate and how it has affected the security industry over the last 5 years. This is followed with evolving nature of password reset requirements as frequent changes are not recommended by NIST. The duo digs into possible motives for Checkmarx's recent announcement that they are funding ZAP. Finally, some thoughts on domain takeovers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_260.mp3 Thu, 19 Sep 2024 20:00:00 -0700 Absolute AppSec welcomes Darren Meyer (@DarrenPMeyer on infosec.exchange and X platform) from Endor Labs as a guest on the show to discuss Endor Lab’s newly released 2024 Dependency Management Report. Implementation of reachability analysis as a sine qua non of effective dependency management is one of the top-line takeaways from the newly released report. The discussion dives deeper with Darren during the livestream to talk about useful lessons from the report's findings. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_259.mp3 Tue, 11 Sep 2024 20:00:00 -0700 Seth and Ken take the podcast global this week while traveling to Melbourne, Australia. The duo is joined this episode are joined by Paul McCarty and Daniel Ting, both involved in the local application security community. The discussion starts with a comparison of industries in Australia and the United States, both differences and similarities. This is followed by thoughts on security software supply chain, from a red and blue team perspective. Finally, some thoughts on community changes due to the pandemic and supporting local meetups. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_258.mp3 Tue, 03 Sep 2024 11:00:00 -0700 Seth (@sethlaw) and Ken (@cktricky) are back this week with some hot takes on the recent cancellation of OWASP's San Francisco Developer Days that were running alongside Global AppSec San Francisco. OWASP has struggled to engage the development community over the years and this is no surprise for anyone in AppSec/ProdSec. This is followed by review of the ALBeast (why do all vulnerabilities have to be branded?) and how our past selves were correct in identifying dangerous TLDs as being exploitable. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_257.mp3 Tue, 27 Aug 2024 11:00:00 -0700 Ken (@cktricky) returns alongside Seth (@sethlaw) for the week. This starts with an in-depth discussion on the pros and cons of in-person and virtual trainings. In short, the duo prefers in-person due for the advantages, but understand that financial pressures come into play, so virtual is a good substitute. This is followed by thoughts on the recent lawsuit by thy government against Georgia Tech for failing to meet government cybersecurity compliance requirements, even after attesting to their existence. Third-party risk assessments may not be the most fun part of security, but what happens when an organization doesn't meet their obligations? Seems like both sides are in the "find out" phase of FAFO. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_256.mp3 Web, 21 Aug 2024 11:00:00 -0700 Ken Johnson (@cktricky) abandons the podcast this week to attend a conference and play business, so Seth (@sethlaw) bring in Cloud Security Partners CTO John Poulin (@forced_request) as a co-host. John and Seth start off by discussing the difference in virtual and in-person training. This is followed by two articles. The first is from CrankySec, where the idea that security isn't valued over other technical business aspects. The second article is from Keith Hoodlet (also a podcast guest) detailing why staying technical as a manager is something any of us should strive towards (and how to do it). no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_255.mp3 Tue, 13 Aug 2024 11:00:00 -0700 Seth and Ken are back from Vegas for Episode 0xFF (!!!!) of Absolute AppSec, sponsored by Redpoint Security (redpointsecurity.com). After spending the last week+ withering away in the desert heat while listening to industry insiders, technicians, and hackers talk about their research, the duo have returned dehydrated to share their own experiences from DEF CON 32, Blackhat, BSidesLV, and Diana Initiative. After some discussion, they dive into interesting talks, new tools, hotel searches, and badge controversies. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_254.mp3 Thu, 01 Aug 2024 14:00:00 -0700 Seth and Ken return this week at a slightly unusual time help get you prepped for all things Hacker Summer Camp. As regular visitors to Las Vegas each year for Blackhat, BSidesLV, DEF CON, and other events, the duo has recommendations for making the most of your time in the desert. Specifically, download HackerTracker (https://hackertracker.app), plan out your time, take care of yourself, and have fun. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_253.mp3 Tue, 23 Jul 2024 11:00:00 -0700 We'd only been a dozen episodes old the last time Justin Collins (@presidentbeef) was on Absolute AppSec, so his upcoming return is certainly overdue. Justin is currently head of security at Gusto, an organization he's been helping secure for nearly five years now. Before Gusto, Justin had stints at SurveyMonkey, Twitter, AT&T interactive, among others. He also is the lead developer of the open-source Ruby-on-Rails security tool Brakeman - https://brakemanscanner.org. This show will covers the range of his deep experience regarding topics like Product Security and AppSec in organizations, static analyzers, and advice for helping organizations create successful security programs and mindsets. Tune in as Justin joins Seth Law (@sethlaw) and Ken Johnson (@cktricky) to talk about managing security people and various product and application security topics. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_252.mp3 Tue, 16 Jul 2024 11:00:00 -0700 Product Security and Cloud security guru Rami McCarthy (@ramimacisabird on X) comes on the Absolute AppSec podcast with Ken and Seth (@cktricky and @sethlaw)! To get to know Rami, you should first check out his website here to get acquainted with some of his latest prodigious activities: https://ramimac.me/. He’s recently delivered a talk regarding zero-touch prod at Fwd:CloudSec and finished a stint as a Security Engineer at Figma. For folks interested in questions of security consulting, management, AWS and cloud security as well as many of the other large questions in infosec, Rami is always a great follow. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_251.mp3 Tue, 09 Jul 2024 11:00:00 -0700 Seth and Ken are back with Episode 251, continuing on with their ranting over all things application security. This starts with a discussion of Mozilla's HTTP Observatory that scans sites for security-relevant headers and leads to a discussion of so-called "passive" scanning of internet sets for risk analysis purposes. This is followed by a walkthrough of the recent exploit of Chrome extensions for remote code execution on client browsers. Compromise of the Apple-focused CocoaPods package repository. Finally, a discussion about recent problems and headaches at the National Vulnerability Database (NVD). no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_250.mp3 Tue, 02 Jul 2024 11:00:00 -0700 Seth and Ken are back on the podcast this week without a guest for the first time in a month and start out with an in-depth discussion on startup life based on a recent article from TLDR;Sec. This is followed by thoughts on the recent influx of cash for Portswigger and how it will affect work and the testing space over the next few years. Finally, opinions on the recent polyfill[.io] malware attack and supply chain issues. Join the newsletter at news.absoluteappsec.com for further analysis or pick up some new podcast swag at merch.absoluteappsec.com no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_249.mp3 Tue, 25 Jun 2024 11:00:00 -0700 Tanya Janca (@shehackspurple on X) joins Ken Johnson (@cktricky) and Seth Law (@sethlaw) for a special episode of the Absolute AppSec podcast. Tanya is currently head of education and community at Semgrep, and is a prominent info security commenter and active contributor to improving the industry for everybody through helping spread values of diversity, inclusion and kindness. Tanya has had experience with a range of roles, startup founder, pentester, CISO, AppSec Engineer, and software developer, and she’s worked at major industry landmarks such as Microsoft, Adobe, and Nokia. She is an award-winning public speaker, the founder of We Hack Purple (since acquired by Semgrep), an active blogger and streamer and has delivered hundreds of talks and trainings on 6 continents. Catch up with Tanya’s multiple activities and initiatives at her website https://shehackspurple.ca no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_248.mp3 Tue, 18 Jun 2024 11:00:00 -0700 Rahil Parikh, manager of Security Engineering and Architecture @ Policygenius, joins Seth Law and Ken Johnson for an episode of Absolute AppSec. Rahil is long-time leader in information security who's managed security teams and application security programs at a range of organizations: Policy Genius, Zinnia, the New York Times, Frame.io (now Adobe), Jet.com (Walmart), and Gotham Digital Science (Aon). He's also organized a major technical symposium (AAHVAN 08) and has generally been strengthening the infosec community for beyond a decade. He joins the podcast for the June 18th show, so be sure to tune in to learn more about his path in the industry and his thoughts on application security, cloud security, and leading teams toward success. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_247.mp3 Tue, 11 Jun 2024 11:00:00 -0700 Absolute AppSec welcomes Alejandro Saenz to join Seth Law and Ken Johnson as a guest. Alejandro has been active in application and product security fields for over a decade, most recently working in product security for Twilio. Before that he worked as a senior application security engineer and software engineer at Softrams and as an application security consultant at nVisium. Alejandro has regularly contributed to security projects for both better understanding product security metrics and monitoring assets and managing vulnerabilities. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_246.mp3 Tue, 04 Jun 2024 11:00:00 -0700 Charles Shirer joins Absolute AppSec for a special episode of the show. Charles has decades of experience as a pentester, threat hunter, red teamer, and security consultant. He's CEO of GlobalWave consulting, a security consulting firm that's been serving clients for over a decade. Charles is also a frequent conference speaker, online commentator, and tireless advocate for helping hackers find ways take care of their overall well-being. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_245.mp3 Tue, 28 May 2024 11:00:00 -0700 Dustin Lehr, current director of AppSec at data integration company Fivetran, joins Seth and Ken for a special episode of Absolute AppSec. Dustin has spent years helping improve companies' security cultures industry-wide, through his work co-founding Katilyst Security which focuses on helping companies create security champion programs. Additionally, in that vein, Dustin has created The Security Champion Program Success Guide and heads up the "Let's Talk Software Security" meetup. Before Fivetran, Dustin headed Application Security at Staples. To read some of his thoughts on the benefits of security champions programs as well as advice on setting it up in your organization, you can read his article here hosted on the New Stack: https://securitychampionsuccessguide.org/ no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_244.mp3 Tue, 21 May 2024 11:00:00 -0700 Kyle Kelly joins Seth Law and Ken Johnson as a special guest on the Absolute AppSec podcast. Kyle is an Executive Cybersecurity Consultant at Bancsec, Inc, and Security Researcher at Semgrep, and founder of the wonderful Cramhacks newsletter. As a consultant and researcher, Kyle specializes in supply chain security, a speciality that informs the thoughts he publicizes, but even more so cramhacks reflects his desire to help his readers become contributors to improving the cybersecurity landscape and analysis of software security supply chains. Subscribe to Kyle's newsletter at cramhacks.com. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_243.mp3 Tue, 30 Apr 2024 11:00:00 -0700 Bryan Schmidt, information security lead at Adept AI is joining Ken Johnson (@cktricky on twitter/x) and Seth Law (@Sethlaw) for a special episode of Absolute AppSec. Before Adept.AI, Bryan spent the last half decade working as a security engineering manager at, first, Flatiron Health and, later ChowNow, and he worked as a penetration tester and security consultant for that. We’ll be discussing AI during the show as Adept.ai is recently again designated as one of the AI Fortune50. Be sure to tune in to learn a little about Bryan and his trajectory into security and emerging technologies. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_242.mp3 Tue, 23 Apr 2024 11:00:00 -0700 Seth and Ken return with analysis of recent research that shows LLMs exploiting known CVEs. And no, it's not completely autonomous yet. This is followed by a breakdown of DataDog's State of DevSecOps article, backing up our gut feel of current industry needs and failures. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_241.mp3 Tue, 16 Apr 2024 11:00:00 -0700 **Video may be required**: this episode is focused on demonstrating uses of LLMs against various code. As such, listeners may want to watch the stream to see these uses rather than just listening. Also, Seth and Ken talk briefly at the beginning of the episode about a new tldr;sec project (thanks Clint!) called awesome secure defaults that lists out useful libraries and projects that are secure by default. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_240.mp3 Tue, 09 Apr 2024 11:00:00 -0700 After a week of travel, Seth and Ken return to the podcast with a breakdown of their travel experiences at multiple conferences and teaching their first Practical Secure Code Review course using LLMs to enhance the methodology. This is followed by reinforcement of code review steps including library research, a discussion of the recent XZ backdoor, and an article reviewing LLM hallucinations when recommending libraries. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_239.mp3 Tue, 26 Mar 2024 11:00:00 -0700 When Ken is away, the geeks will play. Seth is joined by podcast regular Stefan Edwards (@lojikil) to catch up on his recent work around threat hunting. This progresses into a discussion on threat intelligence and what is available for applications. A recent blog post on the utility of the CVE system spurs thoughts on the usefulness of published CVEs. Finally, opinions fly on authorization issues and how simple misconfigurations result in the many vulnerabilities or attack chains. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_238.mp3 Tue, 19 Mar 2024 11:00:00 -0700 Ken and Seth are back to talk about the difference and competing priorities of Application and Enterprise Security. In short, recent news contends that Enterprise or Infrastructure security is lacking, whereas Application or Product Security is in a good state. This is followed by a discussion on supply chain security tools due to a recent analysis conducted by DoyenSec comparing false positives and negatives from the leading tools. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_237.mp3 Tue, 12 Mar 2024 11:00:00 -0700 Ken and Seth return for another episode, starting out with pointers on getting into security and finding a niche, all based on a recently released Microsoft project to introduce anyone to security. This is followed by a discussion on Chinese hacking groups and recent breaches among those groups. Finally, a discussion protecting the software supply chain due to recent forking and upload of malicious repositories on GitHub. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_236.mp3 Tue, 05 Mar 2024 11:00:00 -0700 Seth and Ken review the recent Whitehouse report on going back to the basics for software security and vulnerabilities. Specifically, how is the use of memory unsafe languages like C and C++ affecting the overall security of the internet landscape. This include a discussion on formal verification and crocs and socks of software testing. Finally, thoughts are shared on the recent use of Hugging Face and Github to host malicious code/packages and how this is a natural progression for popular package repositories. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_235.mp3 Tue, 20 Feb 2024 11:00:00 -0700 Podcast viewers will be familiar with Portswigger's annual list of Web Hacking Techniques. Ken and Seth take some time to digest the list and recommend reviewing not only the top 10, but also the nominations. A discussion on the use of LLM Agents as a dynamic scanning engine for identifying vulnerabilities. If you aren't already using an LLM to help speed up your AppSec, why not? Finally, a discussion on security statistics and how bad they are. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_234.mp3 Tue, 13 Feb 2024 11:00:00 -0700 Ken and Seth comment on their recent use of the same passwords across multiple organizations. Errr, or wait. That's administrators in some instances, according to recently published analysis from Lares. Will we ever get over passwords or are we doomed to repeat the past? In other news, GitHub Copilot may be (one of) the culprit(s) for the enshitification of code, based on a published paper from GitClear. Or it might just be that organizations and developers should have coding standards. Or maybe it's not that deep. Come join us and chat about it. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_233.mp3 Tue, 06 Feb 2024 11:00:00 -0700 Seth and Ken return to the podcast to talk about fraud scammers based on a recent article from Cory Doctorow and what AppSec can do to protect their apps and themselves. Crocs and Socks. The use of deep fakes to scam corporations to transfer money. Finally, a discussion on sensitive data and why it happens in APIs due to the recent news that Spoutible exposed all sorts of tokens as reported by Troy Hunt. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_232.mp3 Tue, 30 Jan 2024 11:00:00 -0700 Ken and Seth start out with a lengthy discussion about application security jobs, training, and getting into the security space due to an article based on someone's experience moving from IT to pentesting. This is followed by possible needs for the NSA to collect commercially available browsing data. Finally, a quick hit on prompt injection and how things are moving quickly in the AI/LLM space. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_231.mp3 Tue, 23 Jan 2024 11:00:00 -0700 Seth and Ken are back after a weeks hiatus and start by demonstrating FlowMate, a newly released Burp Extension for building context of the parameters used by an application. This is followed by in-depth analysis of Reversing Lab's State of Software Supply Chain Security Report. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_230.mp3 Tue, 09 Jan 2024 11:00:00 -0700 Ken and Seth return to settle the age old question of whether false positives or false negatives are better when dealing with security tools. Tears are shed as stories of wasted efforts ring through on the podcasting airwaves. Maybe. Discussions on AI generated recommendations and how it _can_ be useful, but also turn out poorly. Finally, introductions on large scale vulnerability management at GitHub and how organizations struggle to fix issues identified through multiple streams. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_229.mp3 Tue, 02 Jan 2024 11:00:00 -0700 Seth and Ken kick off a new year talking about recent news, including improvements in security process for software supply chains. This is followed by security predictions for 2024, including LLMs, dynamic scanning, process, and other possibilities in the near future. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_228.mp3 Tue, 19 Dec 2023 11:00:00 -0700 David Trejo (@dtrejo@infosec.exchange) and Paul Kuliniewicz, security engineers at Chime join Seth (@sethlaw on x) and Ken (@cktricky) to discuss the ins and outs of challenges and successes in a widely recognized effective product security program. You can start reading up on the Monocle program here: https://medium.com/life-at-chime/monocle-how-chime-creates-a-proactive-security-engineering-culture-part-1-dedd3846127f And part 2 here: https://medium.com/life-at-chime/mitigating-risky-pull-requests-with-monocle-risk-advisor-part-2-7013e1485bf2. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_227.mp3 Thu, 14 Dec 2023 11:00:00 -0700 Ken and Seth return to discuss current news. First up is a discussion about token leakage based on the recent discovery of AI tokens on Github and Cloud tokens on Hugging Face's repository. The struggles that package maintainers have with hosted data and secrets is an old problem that doesnt' have a good solution. A re-hash of the recent blogpost "Cybersecurity isn't Special" and how this also isn't a new idea. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_226.mp3 Tue, 05 Dec 2023 11:00:00 -0700 Ken and Seth decide whether the idea of security reviews are dead, spurred on by a recent blog post by Frank Wang on doing away with the current perception of reviews. This is followed by a walkthrough of the Splunk XSLT code and vulnerability for the PoC of CVE-2023-46214. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_225.mp3 Tue, 28 Nov 2023 11:00:00 -0700 We are excited to have Brian C Reed, chief mobility office at NowSecure, as a special guest on the Absolute AppSec podcast. Brian has specialized in mobile security, and his company NowSecure works to secure apps, train developers in safe mobile security engineering. As a piece of his work in mobile security, Brian has helped strengthen OWASP MASVS and ADA MASA standards. He also has experience in helping build go-to-market strategies or growth plans for a range of businesses. Be sure to tune in for the discussion and join our slack for further discussion. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_224.mp3 Tue, 14 Nov 2023 11:00:00 -0700 Jeevan Singh (@askjeevansingh) returns to join Ken Johnson (cktricky on Twitter) and Seth Law (sethlaw) as a guest on the podcast! Jeevan is currently with Rippling, was previously the Director of Product Security at Twilio, and before that Segment. He has been a long-time leader in security and development communities, and currently heads up the @owaspvancouver group. Tune in for ways to improve Threat Modeling, DevSecOps, and security programs in general. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_223.mp3 Tue, 07 Nov 2023 11:00:00 -0700 When cktricky is away, the lojis will play. Stefan Edwards co-hosts an episode with Seth in what ends up bypassing the AI hype to discuss the current state of OWASP. In short, things are murky but the organization is useful and the industry should support some version of its efforts. A discussion on privacy and training AI, based on recent articles and books about Clearview AI. Don't miss this Very Special Episode. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_222.mp3 Mon, 23 Oct 2023 11:00:00 -0700 Ken Johnson (cktricky) and Seth Law (@sethlaw) welcome Leif Dreizler back on the show! Leif recently became a Senior Manager of Software Engineering at Semgrep (semgrep.dev) , spent the better part of a decade working in product security and security software engineering at Twilio and Segment (segment.io). He also is a podcast co-host for the 404 Security Not Found podcast. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_221.mp3 Thu, 19 Oct 2023 11:00:00 -0700 Seth and Ken are back to review some recent news and community discussions. Specifically, the duo talks about the use of coding requirements and projects during interviews for application security. Both have had experience on both ends and have opinions. This is followed by reactions to the recent breach and data dumps from 23andMe. Finally, new AI tools are starting to emerge that will help security find and fix vulnerabilities. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_220.mp3 Tue, 10 Oct 2023 11:00:00 -0700 Erik Cabetas, founder and managing partner of Include Security joins Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw). Erik has been running Include Security for the last decade, and before that comes from a path that includes time working with early security teams at MicroSoft and Fortify Software, blue-team stints with financial groups as well as heading security for an eCommerce firm. Join us for a wide-ranging and expertly informed discussion of Application Security in many of its facets. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_219.mp3 Tue, 03 Oct 2023 11:00:00 -0700 Seth and Ken are joined last minute by Jason Haddix (@jhaddix). Conversion about DEF CON talks, use of LLMs in research, and recently released tools. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_218.mp3 Tue, 19 Sep 2023 11:00:00 -0700 Ken (cktricky on Twitter) and Seth (sethlaw) welcome Cole Cornford (https://www.colecornford.com) to Absolute AppSec for a discussion on running a security startup and the future of security training for developers and organizations. Cole is the CEO and Founder of Galah Cyber (https://www.galahcyber.com.au) and an all around AppSec maestro, frequently presenting at conferences and contributing to security working groups, such as AppSec Australia. He is also an active commentator in the Absolute AppSec slack, so be sure to join discussion there in addition to tuning into this special episode. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_217.mp3 Thu, 07 Sep 2023 11:00:00 -0700 Shlomi is back! Shlomi Shaki, GitHub’s head of Asia-Pacific-Japan advanced security sales and all around thoughtful observer of the world of application security is back on the podcast with Ken Johnson and Seth Law. A lively discussion on security vs. engineering and failures of security to meet development/business in the appropriate places. Suggestions for getting out of the way and letting security become a part of the culture instead of forcing it onto individuals. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_216.mp3 Tue, 29 Aug 2023 11:00:00 -0700 Ken and Seth are back with another episode where they try _not_ to cover more on LLMs and AI. Specifically, talk about the basics of implementing security into an SDLC. A long conversation and personal experience from both Ken and Seth on time management and how to get into a flow when working on technical problems. Finally, some answers to questions on the future of AI in AppSec. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_215.mp3 Tue, 22 Aug 2023 11:00:00 -0700 Seth and Ken run through their experiences implementing Machine Learning for different application security activities. A break down the duo's experience at DEF CON 31, interesting talks, and happy hour results. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_214.mp3 Tue, 08 Aug 2023 11:00:00 -0700 A very special pre-DEF CON episode with @lojikil (aka Stefan Edwards). Seth and Stefan dig into various security aspects of artificial intelligence and the recent hype cycle around large language models (LLMs). A discussion of the recently released OWASP Top 10 for LLMs and its target audience. Finally, opinions on the recent news of ZAPs departure from OWASP and security tools in general. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_213.mp3 Tue, 25 Jul 2023 11:00:00 -0700 A special episode with Brian Joe (brianwjoe on LinkedIn), head of product and co-founder of Impart Security (impart.security). Brian has a background with Signal Sciences, Fastly, and Verizon. He posts regularly on infosec, API and application security, among other topics at Security Boulevard. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_212.mp3 Tue, 11 Jul 2023 11:00:00 -0700 With some interesting developments going on at RunReveal, Evan Johnson joins Seth and Ken to discuss monitoring of security logs (hurray! Seth's favorite Crocs and Socks topic) and RunReveal's open beta (as well as other AppSec topics). no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_211.mp3 Tue, 20 Jun 2023 11:00:00 -0700 Ken Johnson (@cktricky) and Seth Law (@sethlaw) host Brian Walter (@bdwalter), co-founder and CEO of OpenContext (opencontext.com), tech industry veteran with leadership stints at device-reputation company iovation (acquired by TransUnion), Xerox, Siemens, Sun Microsystems, Lockheed Martin, among others. Discussion focuses on establishing product requirements for all aspects of an application, including development, security, availability and more. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_210.mp3 Tue, 13 Jun 2023 11:00:00 -0700 From depths comes a rumbling, and it carries the whisper of AppSec on its breath! Seth and Ken dig into approaches to conducting client scans and processing results. A review of recent research into EPP services for domain registrars along with the methodology for conducting code reviews and appsec research. Finally, some resources for threat modeling. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_209.mp3 Tue, 06 Jun 2023 11:00:00 -0700 Join us for a special episode of Absolute AppSec with James Wickett (@wickett on twitter), the co-founder of DryRun Security (dryrun.security), creator of the Lonestar Application Security Conference, and all around infosec industry veteran. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_208.mp3 Tue, 30 May 2023 11:00:00 -0700 Beware! It’s double ides of May! (Proviso being that you add the integers and not the 1/2s). Sponsored by @redpointsec, an application security firm that specializes in code security by and for coders. If you're looking for Web App or mobile Pentesting, developer training, smart contract or secure-code reviews, check them out: https://redpointsecurity.com. First topic: the new .zip top-level domain and its potential problematic security implications. Followed by a discussion of PyPI and 2FA. Finally, a discussion on poisoning of ChatGPT and how it affects application security. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_207.mp3 Tue, 23 May 2023 11:00:00 -0700 Hello! We’re just a podcast, standing in front of you, aching to be the SYN to your ACK. Seth and Ken are back to talk about how the PyPI repo is experiencing an attack from multiple malicious package uploads. Seth brings up the concept of watering hole attacks and how the IDE plugin is a growing attack vector. Solarwinds discussion follows. Learning about attacking AI models, cookie security basics, and lock picking (allegedly) uses. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_206.mp3 Thu, 04 May 2023 11:00:00 -0700 Seth Law and Ken Johnson are back this week. In this show, Seth and Ken discuss what the RSA conference did (and did not) reveal about the current state of #applicationsecurity, #appsec, #crocsandsocks. Also a discussion of the ChatGPT breach as well as AI's role in generating ever more content (in this case with news sites). yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_205.mp3 Tue, 18 Apr 2023 11:00:00 -0700 Finally returning to the podcast after a couple weeks of travel, training, and speaking, Seth and Ken are back for more, including their own takes opinions on the decline of application security and the reported death of manual code reviews. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_204.mp3 Tue, 28 Mar 2023 11:00:00 -0700 The dynamite duopoly that is Ken and Seth are back to take the AppSec news by storm. Starting with Seth's favorite topic of Auditing or Logging, Ken brings up the recent Okta vulnerability report related to plaintext logging of usernames and passwords. This is followed by a review of Troy Hunt's recent post on edge cases when interacting with 3rd-party services, which the duo extrapolates to security edge cases and things they have seen recently. Finally, a discussion on manipulation of client single page applications to expose administrative endpoints from a recent twitter thread on reported and identified bug bounty issues of the same flavor. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_203.mp3 Tue, 21 Mar 2023 11:00:00 -0700 Joining Seth and Ken is Shlomi Shaki, a tech exec with GitHub who directs sales resources related Application Security and Product Security in APJ region. Discussion revolves around adoption of security tools and the struggles of securing software from both a tooling and process perspective. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_202.mp3 Tue, 14 Mar 2023 11:00:00 -0700 Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw) interview Haseeb Awan (@haseeb) founder and CEO of Efani, a mobile service provider focused on security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_201.mp3 Tue, 07 Mar 2023 11:00:00 -0700 A lot has happened since the 200th (!!!) episode of the podcast, so we are bring another episode with a discussion of recent events, sites, and interesting finds. First up is a discussion of recent breaches, including some stories related to consumer rewards programs and weaknesses in that space. This is followed by a discussion on responsibility of package managers (e.g. npm, pip) for disclosure or removal of known vulnerable packages. Finally, Seth's favorite topic of audit logs gets a public shaming site for services that don't follow industry best-practices. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_200.mp3 Tue, 28 Feb 2023 11:00:00 -0700 Jerry Gamblin joins Seth and Ken for the 200th episode of the podcast. The discussions starts with a lengthy analysis of startup culture, security startups, and gotchas to be aware of when employed at or considering a job with a startup. This is followed by in-depth analysis of CVEs and how the process of publicly reporting issues in software has changed over time. A small snippet on interesting tokens/words/comments to search for in git logs and comments that point at security problems. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_199.mp3 Tue, 14 Feb 2023 11:00:00 -0700 After a number of guest appearances, Ken and Seth are flying "duo" to talk through recent news across the industry. Starting with analysis of the recent OWASP Change petition that has surfaced to address needs of OWASP projects and chapters for funding and definition of how the organization supports multiple efforts. Followed by commiseration with Eurostar on their recent self-inflicted lockout of user accounts due to authentication upgrades. Finally, discussion of the recent reddit phishing scam and how the public display of their incident response shows security maturity. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_198.mp3 Tue, 07 Feb 2023 11:00:00 -0700 Laura Bell Main, founder and CEO of safestack.io (@lady_nerd on twitter and check out her website https://laurabellmain.com to acquaint yourself with her work and recent publications), joins Seth and Ken as a special guest. The discussion revolves around security training for developers and how it has changed over the years. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_197.mp3 Tue, 31 Jan 2023 11:00:00 -0700 Sal Olivares, Senior Software Engineer from segment.io, joins Seth and Ken to discuss his experience with and recent blog post related to security token scanning and revocation. Sal was involved with the recently-implemented exposed scanning token service at Segment and talks through his experience, gotchas, and other security topics. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_196.mp3 Tue, 24 Jan 2023 11:00:00 -0700 Seth and Ken dig into a topic that was raised by a member of our Slack community. The initial half of the show reviews both the risks and dynamic or static review items associated with microservices. This is followed by a discussion that starts by asking the question "what are the must-have security features for a web application?" no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_195.mp3 Tue, 17 Jan 2023 11:00:00 -0700 Ken (@cktricky) and Seth (@sethlaw) take a step away from the news to review technical articles and research released in the last couple of weeks. This includes analysis done by Jerry Gamblin on total CVEs released during 2022, a new tool for exploiting weak CORS configurations, an excellent writeup on usage along with an intentionally-vulnerable GraphQL application, and finally some thoughts on prototype pollution style vulnerabilities in other interpreted languages (specifically python). no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_194.mp3 Tue, 10 Jan 2023 11:00:00 -0700 Frank Wang from dbtlabs (@ffwang2 on twitter) joins Seth and Ken for a discussion on current security landscape, artificial intelligence, and machine learning. Follow Frank on twitter or through his blog at https://franklyspeaking.substack.com/. Discussion starts with current breaches and how organizations approach security through their first security hire. This is followed by a discussion on AI related to ChatGPT and how it will affect security in the future. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_193.mp3 Tue, 20 Dec 2022 11:00:00 -0700 @cktricky and @sethlaw host another episode starting with a lengthy discussion on security metrics spurred by a recent post by Leif Drezler (@leifdreizler). Security metrics are highly specific and custom to the organization and target audience, as evidenced by the lively discussion between the hosts. This is followed by a discussion of improvements in end-user security based on recent Apple iOS releases that change encryption and protection mechanisms for various services. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_192.mp3 Tue, 13 Dec 2022 11:00:00 -0700 What do _you_ want for an AppSec Christmas! Another episode featuring Ken and Seth, for sure. The duo starts the conversation talking about useful AppSec and Security Blogs while featuring a recent GoLang Security post from Cole Cornford. Followed by an in-depth discussion on ChatGPT to welcome our new AI overlords. Finally, Seth and Ken both talk about what they wish to see this next year for AppSec-mas. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_191.mp3 Tue, 29 Nov 2022 11:00:00 -0700 Going into the final month of 2022, the dynamic duo graces us with their presence. It begins with discussion of DNS Attacks based on Kaminsky-style attacks spurred by research presented at DeepSec by Timo Longen of Sec Consult. Followed by a conversation straight out of Slack about considerations involving organization and technical risks, specifically how to incorporate technical risk into organizational risk ratings. Finally, everyone is moving to Mastadon, but maybe they shouldn't be. Code is open source and there have been more than one flaw already identified in the service, although AppMap also shows how to use their tool to review Mastadon's source to sink interactions. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_190.mp3 Tue, 08 Nov 2022 11:00:00 -0700 Ken and Seth break down the recently-released Immutable Laws of Security from Microsoft's Security Best Practices recommendations. Points of special interest being "Cybersecurity is a team sport", "Not keeping up is falling behind", and "Ruthless Prioritization is a survival skill". no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_189.mp3 Tue, 01 Nov 2022 11:00:00 -0700 Seth and Ken kickoff another unique discussion by looking at a recent scholarly paper on security bypasses and workarounds by health care workers. Followed by a demo of AppMap, a development tool that shows code traces based on dynamic use. Finally, a discussion of Portswigger's new Dastardly CI/CD tool and where it fits in the security SDLC. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_188.mp3 Tue, 18 Oct 2022 11:00:00 -0700 What's that you say? There is no such thing as "done" with application security? Are our Sisyphean hosts (@cktricky and @sethlaw) therefore doomed to ever push this rock up the mountain, just to discuss ways to push it up again? no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_187.mp3 Tue, 11 Oct 2022 11:00:00 -0700 Back once again, Ken and Seth riff off of recent health discussions to talk about hacking health and maintaining a descent work/life balance. Discussion of recent Fortinet authorization issue and how to both search for and protect against flaws in COTS (commercial-off-the-shelf) products. To close out, a quick discussion on detecting custom secrets in source and using Github regexes to monitor for them. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_186.mp3 Tue, 04 Oct 2022 11:00:00 -0700 Ken is back in the land of the living, so of course he and Seth dig into the current state of information security training, how SCORM is the worst for developer training, and what goes into creating and teaching a course. Discussions on bug bounties in the web3/defi space and the nature of payouts. Finally, a discussion on MFA fatigue and how theoretical attacks have become reality. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_185.mp3 Tue, 27 Sep 2022 11:00:00 -0700 Ken (cktricky) is out sick today, so Seth is joined by Daniel (https://twitter.com/hoodiepony) from Australia to talk about recent breaches. Specifically, the recent breach of Optus in Australia has led to the exposure of about 10 million identity records. Daniel and Seth reference the recent Optus and Uber breaches to discuss weaknesses in identity protection, access control, and data disclosure. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_184.mp3 Thu, 15 Sep 2022 11:00:00 -0700 Ken is back to lead a discussion on identification of interesting sources for the podcast and specifically how XSS just is not as interesting to him and Seth as it was a decade ago. A new project for analyzing and bypassing 403 responses from proxies and WAFs. Opinions on Patreon's recent layoffs and hot takes around security issues. Finally, web3-related topics of the recently-complete Ethereum merge along with Starbucks NFTs. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_183.mp3 Tue, 06 Sep 2022 11:00:00 -0700 Ken is away, so Loji comes to play. Absolute AppSec is hosted this week by Seth and Stefan (@lojikil) to go outside the normal topics of application security to address questions about information warfare, Ukraine, and propaganda with Stefan Edwards (@lojikil) and @LegendaryPatMan. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_182.mp3 Tue, 30 Aug 2022 11:00:00 -0700 A late decision to record an episode this week after thinking it would be scratched due to life ended up with a long discussion on the recent Twitter drama and whistleblower revelations around their security problems. Both Seth and Ken express opinions about disclosures and building out security programs. Further discussion on password managers and LastPass breach. Finally, a bug bounty report shows the importance of testing edge cases and using a bounty program to supplement integration testing. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_181.mp3 Tue, 23 Aug 2022 11:00:00 -0700 Finally returned from the wasteland that is Las Vegas, or at least the fun that is #hackersummercamp and #defcon30, Ken and Seth break down their different experiences and impressions from the conference, including training. A discussion on in-app browsers for mobile applications and how they are bad and should feel bad. Finally, encoding of malicious strings in DNA, of all things. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_180.mp3 Wed, 10 Aug 2022 11:00:00 -0700 It's time for hacker summer camp, so the duo starts out discussing upcoming events and interesting talks. A discussion of LOGGING to warms Seth's heart as it comes to light that logging of sensitive data was the cause of a recently successful web3 wallet-draining attack. Further topics include deserialization of objects in multiple sensitive data disclosures. Discussion on importance of identity provides as well as the difference between application security and product security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_179.mp3 Tue, 02 Aug 2022 11:00:00 -0700 Ken pulls Seth back into an episode to talk through the steps anyone can take to get into Application or Product Security based on some recent articles. True security professionals can come from anywhere. This leads to a discussion on threat assessment and threat modeling across the industry. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_178.mp3 Tue, 26 Jul 2022 11:00:00 -0700 The duo is back and live, with an episode stolen from _some_ headlines. Specifically, a breakdown of various attacks against crypto wallets and how they stem from traditional security risks. Followed up by a discussion of data privacy disclosure, business ethics, and the tradeoffs associated with disclosing data as both a consumer and organization. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_177.mp3 Tue, 05 Jul 2022 11:00:00 -0700 Seth and Ken recap some of their experiences from LocoMocoSec, followed by a discussion on the recent Bugcrowd revelation that an employee attempted to re-submit reports for gain. A review of LaLuka's 60 RCEs in 60 minutes. Finally, thoughts on the recent Chinese data leak. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_176.mp3 Tue, 21 Jun 2022 11:00:00 -0700 Guess what's coming right up!? Another edition of Absolute AppSec with your summer-school hosts, @sethlaw and @cktricky. What are the secrets out there available if one scans the internet? Well, security researchers at @RedHuntLabs have reported on a large-scale study. Giving back by publishing relevant Semgrep Rules and a lack of access control in multiple IoT devices and services. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_175.mp3 Tue, 14 Jun 2022 11:00:00 -0700 Late night edition. Now we are tired. Seth and Ken get back to the podcast and dig into Web3 security a bit. A review of the recent blog post from portswigger on JWT security. Finally discussion on public attacks against applications coming from nation states against US-based systems. Come to LocomocoSec ... and Defcon. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_174.mp3 Tue, 31 May 2022 11:00:00 -0700 If there were a magical world where mensch-y podcasters (@cktricky and @sethlaw) discuss smart contract vulnerabilities, secure code review experiences, and package takeover attacks, wouldn't you like to know about it?! Such a world exists for your pleasure in this episode of Absolute AppSec. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_173.mp3 Tue, 24 May 2022 11:00:00 -0700 Yet ANOTHER episode of Absolute AppSec with Seth and Ken! User enumeration vulnerabilities are the order of the day. Seth digs in on an interesting #talesfromconsulting where security questions, and the different way they appeared for real users and invalid users, revealed valid user accounts on an application. Further enumeration flaws using WAF bypasses in production systems. A story from Ken on a case where an application only checked that password-reset token was valid, but not tied to an account, allowing for unauthorized password reset of _any_ user account. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_172.mp3 Tue, 17 May 2022 11:00:00 -0700 Jimmy Mesta (@jimmesta) of KSOC joins Ken and Seth to talk about Kubernetes Security and startup adventures with KSOC. This leads to a discussion on the OWASP's Top 10 Kubernetes Project and how all old security principles are seen in new technologies. Jimmy breaks down his experience in funding a startup, gaining partners, and ultimately building a team. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_171.mp3 Tue, 10 May 2022 11:00:00 -0700 Ken and Seth are back to talk about potential of package hijacking based on DNS takeovers due to domain expirations. Ken provides a walkthrough of Ruby Deserialization techniques based on recent news articles. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_170.mp3 Tue, 03 May 2022 11:00:00 -0700 Seth and Ken return with a discussion of security basics and failures resulting from lack of security hygiene. As a developer, security engineer, or a CISO, i's important to recognize that breaches will happen, so security planners should "plan for failure." "It's not a matter of if but when." yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_169.mp3 Tue, 26 Apr 2022 11:00:00 -0700 Seth and Ken return to the podcast and spend the episode reviewing the recent keynote from Mark Dowd at OffensiveCon 22 about the process he uses to find bugs in software. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_168.mp3 Tue, 19 Apr 2022 11:00:00 -0700 What's that sound?! Could it be the Absolute AppSec train coming 'round the bend, set to deliver @cktricky and @sethlaw's timely takes on Application Security news?! This episode starts with an in-depth discussion about secure code review techniques based on a recent twitter thread. Further topics include more software supply chain attacks based on package confusion, the proliferation of state privacy acts, handling of bug bounty issues, and a review of the recently-patched GitLab critical security flaw. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_167.mp3 Tue, 05 Apr 2022 11:00:00 -0700 A pair of Kens. A quick discussion on Spring4Shell and how the exploit takes advantage of Java's dynamic configuration options along with a data binding aka mass assignment vulnerabilities. Ken Toler (@relotnek) joins the show to discus the current web3 security landscape and how security can be involved in cryptocurrency projects. "There is a place for you in crypto" - @relotnek no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_166.mp3 Tue, 22 Mar 2022 11:00:00 -0700 As sands through the hourglass, another episode is falls on a Tuesday in late March. It was not _the_ first episode, but it was an episode as Ken and Seth talk about the origins of web application firewalls (WAFs) to go along with an article describing current WAF usage patterns. A heated discussion on recent software supply issues related to ProtestWare (or the changing of open source packages to highlight maintainer-focused causes). Finally, a quick look into Content Security Policy (CSP) Level 3 and upcoming browser support for the protocol. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_165.mp3 Tue, 15 Mar 2022 11:00:00 -0700 Welcome to the latest nihilism and bitch session. In this episode, Seth and Ken review Portswigger's Top 10 list of the "most significant web security research released in the last year". Discussion of weak links in the NPM supply chain and what developers can look at to ascertain the security of packages they depend on. Finally, Russia has begun issuing its own TLS certificates, which always leads to better privacy and security for the general public..../s yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_164.mp3 Tue, 08 Mar 2022 11:00:00 -0700 What now? Another episode? You have to be kidding me. Now I get to write another summary per my job description. At least this episode covers some security topics like as Software Supply Chain Security using socket.dev and protecting yourself with security basics as a package maintainer. And the discussion of recent cyber attacks against Toyota hardware suppliers and AutoWarp vulnerability for Azure was at least interesting. Listen, or don't, I'm just required to write the description. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_163.mp3 Tue, 01 Mar 2022 11:00:00 -0700 And we are live, with our 163 episode of Absolute AppSec. Say hi to Ken and Seth once again as they start out with a discussion on the IT Cyber Army and issues with enlisting to help in cyber attacks. Next up is a series of opinions on the security of environment variables and inclusion of secrets within application architectures and the cloud. Finally, a discussion on authorization and access control based on viewer demand. Yes, it's hard, yes, you should do it. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_162.mp3 Tue, 22 Feb 2022 11:00:00 -0700 After a week's hiatus, the Absolute AppSec-ers return with guest Mike McCabe (@mccabe615) to talk about all things Cloud Security. Discussions on cloud security tools, various differences between AWS and Azure, infrastructure as code (IaC), and predictions on cloudsec merging with appsec in the future. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_161.mp3 Tue, 08 Feb 2022 11:00:00 -0700 A blast from the past as Ken and Seth reminisce about past penetration testing and security stories. A discussion of language semantics and how programming language basics are similar to spoken language basics. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_160.mp3 Tue, 01 Feb 2022 11:00:00 -0700 The duplicitous duo returns with another episode that starts out in left field away from security topics by addressing mental health and how to keep sane when life gets busy, in both good and bad ways. Security does eventually become a topic in a discussion around bug bounties in the news as the European Government announces bug bounties for multiple open source projects. Finally, a discussion on the existence of IDOR _everywhere_ and how to identify it in more complex scenarios. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_159.mp3 Tue, 25 Jan 2022 11:00:00 -0700 Ken and Seth are back to talk with a blast from the past. Neil Matatall (@ndm) of Twitter, Github, and now TikTok fame joins the discussion (again) to talk about CSP. The conversation wanders from there to hiring people in information security and tech jobs. Opinions on language and framework security defaults and why Ruby cannot be beat, errr, or is so good. Finally getting back to CSP and misunderstandings on what it provides to developers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_158.mp3 Tue, 18 Jan 2022 11:00:00 -0700 Yet another episode. Always something to discuss. Ken and Seth talk about a recent article covering *theoretical* software supply chain exploits and how this will be a big thing this year. A review of Portswigger's nominations for Top Ten Web Hacking techniques of 2021. Finally, a discussion on the upcoming Chrome changes to do pre-flight requests for non-routable IP address CSRF requests. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_157.mp3 Tue, 11 Jan 2022 11:00:00 -0700 NEW YEAR, NEW SECURITY MADNESS! The duo is back with their application security predictions for 2022. A discussion on 3rd party library differences, in particular how URL/URI Schema libraries and parsing can lead to security flaws. Finally, a discussion on recent NPM news where a developer pushed package versions that undermine the trust developers and corporations have with open source maintainers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_156.mp3 Tue, 21 Dec 2021 11:00:00 -0700 As we get ready for the holidays, we only want to talk about log4hell and bill of materials. Please let it end, please, oh please. A surprise visit by Stefan Edwards (@lojikil) to address all things Open Source Software and Software Bill of Materials. Why this matters so much and how asset, application, and software inventory management is death by a thousand cuts. Also, happy holidays! no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_155.mp3 Fri, 17 Dec 2021 11:00:00 -0700 Tis the season... for 0 days. Discussions on the ever-present Log4j issue that the whole industry is dealing with. Kernelcon training announcements, dealing with varying expectations of clients and developers on industry terms, further appsec resources, and why crocs and socks matter. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_154.mp3 Tue, 07 Dec 2021 11:00:00 -0700 It's one of those days, must be Q4. View of tech conferences as an outsider. An analysis of data from Google's "Threat Horizons" report and what it tells us about Cloud Security. A few items related security of the software supply chain, including an academic white paper comparing different SCA tools. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_153.mp3 Tue, 30 Nov 2021 11:00:00 -0700 Our last episode before its December!!! Where oh where did 2021 go? Seth and Ken wrap up a conversation on fuzzing strategies for HTTP Requests. A discussion on the difficulty of authentication and why that is. Finally, Google Chrome has taken over the web and how it comes back to the browser wars of the early 2000s. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_152.mp3 Tue, 23 Nov 2021 11:00:00 -0700 Gobble gobble! It is that time of the year again to stuff our faces... WITH APPSEC! A discussion on breach notification related to the recent GoDaddy disclosure. Understanding symbolic execution with trail of bits. The differences of dynamic and static assessments and why both are important. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_151.mp3 Tue, 16 Nov 2021 11:00:00 -0700 Ahem, Seth and Ken return with a live code review of a recently seen authentication routine. A discussion of software interdependence and the issues it creates (such as SSRF). In other words, 151 and not even the rum... sigh. Well somehow these clowns are still allowed on YouTube so stay tuned for another episode I guess or whatever. Or don't, who cares. Worst. Internship. Ever. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_150.mp3 Tue, 26 Oct 2021 11:00:00 -0700 Jerry Gamblin makes a return to the podcast to talk about recent events in Missouri and how _not_ to respond to responsible vulnerability disclosure. A discussion on the increase of CVEs showing up in the National Vulnerability Database, how Kenna was acquired by Cisco, and Portswigger's new Burp Suite Certificate. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_149.mp3 Tue, 19 Oct 2021 11:00:00 -0700 Just two old men bi***ing and moaning about App Sec and the price of a good pair of New Balances. Real discussion on dealing with burnout and imposter syndrome. How to stay engaged and interested when the excitement becomes mundane. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_148.mp3 Tue, 05 Oct 2021 11:00:00 -0700 Strange things are afoot at the Circle K. Facebook outage and BGP routing. A new issue of phrack released on Oct 5 results a discussion on the good ol' days, BBSes, and the commercialization of security. Finally, thoughts on paved paths and how they affect security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_147.mp3 Tue, 21 Sep 2021 11:00:00 -0700 The one and only James Kettle (@albinowax) of Portswigger joins Seth and Ken to talk about his path into security, HTTP request smuggling, and how to perform security research. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_146.mp3 Tue, 14 Sep 2021 11:00:00 -0700 Now with the latest in old people ramblings. Discussion about the OWASP Top 10 Draft list and how the Top 10 should be used as an awareness document. Discussions on bug bounties with surprise guest Jason Haddix (@JHaddix). More fun with HTTP Request Smuggling. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_145.mp3 Thu, 26 Aug 2021 11:00:00 -0700 @cktricky is _back_ with a newfound lease on life (and application security). The duo discusses in-person vs. virtual conferences, DEF CON 29, burnout, vulnerabilities in dating apps. A demonstration of using Burp Suite to fuzz a user enumeration vulnerability and brute-force an account. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_144.mp3 Tue, 17 Aug 2021 11:00:00 -0700 With @cktricky still on hiatus, @sethlaw and @lojikil talk fuzzing, property testing, semantic analysis and demo radamsa. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_143.mp3 Tue, 10 Aug 2021 11:00:00 -0700 With @cktricky out adventuring, @sethlaw is joined by a familiar face (@lojikil) to dive deeply into recent research presented at Black Hat/DEF CON, HTTP/2, and how everything old is new again. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_142.mp3 Tue, 20 Jul 2021 11:00:00 -0700 Dreamin', Beamin', and Streamin' about using artificial intelligence (AI) to generate code (*cough*, *cough*). When and where to use automated source code analysis tools, specifically Puma Scan for .Net/C# code. Also a primer on HTTP Request Smuggling and what you should know about it. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_141.mp3 Tue, 13 Jul 2021 11:00:00 -0700 Just two grumpy old men with some AppSec sprinkled in. Topics this week include new research from portswigger using print to bypass new Chrome XSS iframe restrictions, how XSS is still the best (and worst) issue we deal with, and Microsoft's acquisition of RiskIQ. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_140.mp3 Tue, 29 Jun 2021 11:00:00 -0700 Naomi Buckwalter (@ineedmorecyber) joins Ken and Seth in a discussion about security gatekeeping, how anyone can get into application security, and the relationships between development and security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_139.mp3 Tue, 22 Jun 2021 11:00:00 -0700 Stefan returns and we pick his brain about information security degrees, format strings, and different testing methodologies. Then we spend most of the episode googling the words that come out of his mouth. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_138.mp3 Tue, 15 Jun 2021 11:00:00 -0700 The duo is back to talk about consulting scheduling and ransomware. Somehow this evolved to a discussion on Hipster Vulns and how auditing is the Crocs-n-SOCs of application security. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_137.mp3 Tue, 08 Jun 2021 11:00:00 -0700 Live from their parent's basement and dripping with tin foil - Seth and Ken talk about how CSRF is a thing in GraphQL. Kubernetes gets an intentionally-vulnerable setup, and you should definitely check the security of your docker. Finally, some noise about the NoSQL Injection Cheat Sheet. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_136.mp3 Tue, 01 Jun 2021 11:00:00 -0700 Back off of a week's break, Seth and Ken catch up on breach news. A return of security nihilism is also in order based on recent breaches and exploits. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_135.mp3 Tue, 18 May 2021 11:00:00 -0700 Punchy and Grumpy are back at it starting with a discussion on GoSDL and how it integrates with developer workflows. Followed by a discussion on language choice/experience, Cisco's acquisition of Kenna Security, and more dependency confusion in gem files. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_134.mp3 Tue, 11 May 2021 11:00:00 -0700 Statler and Waldorf meet again to discuss legal protections when conducting security testing, new browser APIs for sanitization of user-supplied content, how XSS is boring, and techniques for dealing with burnout. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_133.mp3 Tue, 04 May 2021 11:00:00 -0700 Rob Shavell from Abine.com joins Seth and Ken to talk about data privacy, social media, and industry concerns with tracking. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_1.mp3 Tue, 09 Jan 2018 21:00:00 -0700 Introductions with Seth and Ken no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_2.mp3 Tue, 16 Jan 2018 21:00:00 -0700 Weekly discussion no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_3.mp3 Tue, 23 Jan 2018 21:00:00 -0700 Featuring Guest Jerry Gamblin no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_4.mp3 Tue, 30 Jan 2018 21:00:00 -0700 Featuring Guest Evan Johnson no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_5.mp3 Tue, 06 Feb 2018 21:00:00 -0700 Featuring Guests Stefan Edwards and David Coursey no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_6.mp3 Tue, 13 Feb 2018 21:00:00 -0700 Featuring Guest Kevin Cody no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_7.mp3 Tue, 20 Feb 2018 21:00:00 -0700 Seth and Ken discuss current events no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_8.mp3 Tue, 27 Feb 2018 21:00:00 -0700 Featuring Guest Neil Matatal no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_9.mp3 Tue, 06 Mar 2018 21:00:00 -0700 Seth and Ken talk with Jason Haddix about bug bounties no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_10.mp3 Tue, 13 Mar 2018 21:00:00 -0700 Jimmy Mesta joins Seth and Ken to talk about Kubernetes and Container security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_11.mp3 Tue, 27 Mar 2018 21:00:00 -0700 David Coursey and Stefan Edwards reprise their discussion with Ken and Seth no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_12.mp3 Tue, 04 Apr 2018 21:00:00 -0700 Ken and Justin Collins join from LocoMocoSec to discuss static analyzers no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_13.mp3 Tue, 10 Apr 2018 21:00:00 -0700 Charles Nwatu joins Ken and Seth no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_14.mp3 Tue, 24 Apr 2018 21:00:00 -0700 Karthik Gaekwad joins Ken and Seth no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_15.mp3 Tue, 01 May 2018 21:00:00 -0700 Kevin Cody joins Ken and Seth to talk about mobile security testing no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_16.mp3 Tue, 08 May 2018 21:00:00 -0700 Ken and Seth talk about hipster languages and frameworks no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_17.mp3 Tue, 15 May 2018 21:00:00 -0700 Ken and Seth talk about current news (Efail) and CSRF Tokens no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_18.mp3 Tue, 29 May 2018 21:00:00 -0700 Ken and Seth are joined by Chris Gates to talk about Purple Teaming and the WeirdAAL tool no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_19.mp3 Tue, 05 Jun 2018 21:00:00 -0700 Ken and Seth talk about current events, submitting CFPs, and more no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_20.mp3 Tue, 19 Jun 2018 21:00:00 -0700 Ken and Seth talk more about authentication, JWTs and everything that is wrong with both of them. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_21.mp3 Tue, 21 Jun 2018 21:00:00 -0700 Ken and Seth are joined by Alex Smolen (@alsmola) to talk about current events, cloudtrail audit, and webauthn. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_22.mp3 Tue, 28 Jun 2018 21:00:00 -0700 Ken and Seth are joined by Jimmy Mesta (@jimmesta) to talk about Kubernetes and container security. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_23.mp3 Tue, 10 Jul 2018 21:00:00 -0700 Ken and Seth are joined by Ken Toler (@relotnek) and talk security champions and security program management. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_24.mp3 Tue, 17 Jul 2018 21:00:00 -0700 Ken and Seth are joined by Jason White (@misfir3) and talk about transitioning from a developer to an application security professional. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_25.mp3 Tue, 24 Jul 2018 21:00:00 -0700 Ken and Seth are joined by Scott Piper (@0xdabbad00) and talk AWS Security, including https://flaws.cloud, cloud mapper, and cloud tracker projects. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_26.mp3 Tue, 31 Jul 2018 21:00:00 -0700 Ken and Seth are joined by Justin Larson (@Phant0mTrav3ler) and talk about building an AppSec program from scratch. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_27.mp3 Tue, 14 Aug 2018 21:00:00 -0700 Ken and Seth are joined by Jim Manico (@manicode) RAW, training, OWASP, code security, and all things AppSec. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_28.mp3 Tue, 21 Aug 2018 21:00:00 -0700 Astha Singhal (@astha_singhal) joins Ken and Seth to talk automating application security and bug bounties. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_29.mp3 Tue, 28 Aug 2018 21:00:00 -0700 Matt Tesauro (@matt_tesauro) talks OWASP, community involvement, Defect Dojo, and the AppSec Pipeline toolbox with Ken and Seth. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_30.mp3 Tue, 04 Sep 2018 21:00:00 -0700 Dave Ferguson (@_sc0rn) talks about the futility of developer training, initial discovery of CSRF in on netflix.com, and application scanning with Ken and Seth. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_31.mp3 Tue, 11 Sep 2018 21:00:00 -0700 Practical advice on submitting and writing effective findings for bug bounties and reports. Rob Fuller (@mubix) talks about his path into security, CCDC, volunteerism, NoVA Hackers and more. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_32.mp3 Tue, 18 Sep 2018 21:00:00 -0700 Setup tips for starting an assessment with Burp Suite Professional. Eric Johnson (@emjohn20) talks with Ken and Seth about Roslyn, building Puma Scan, SANS, and more. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_33.mp3 Tue, 02 Oct 2018 21:00:00 -0700 Seth and Ken go over fully vetting functions during code reviews. John Melton (@_jtmelton) talks with Ken and Seth about static analysis tools, building an appsec program, open source, and more. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_34.mp3 Tue, 30 Oct 2018 21:00:00 -0700 Seth and Ken are joined last minute by Stefan Edwards (@lojikil) to talk about security unit tests, fuzzing, and all things you will need to google later on. Blockchains and secure contracts are introduced and somewhat explained. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_35.mp3 Tue, 06 Nov 2018 21:00:00 -0700 Seth and Ken discuss server side request forgery and then pick Travis McPeak's (@travismcpeak) brain about AWS security, his path into security, QA testing, and Netflix cloud security tools. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_36.mp3 Tue, 13 Nov 2018 21:00:00 -0700 Seth and Ken discuss cross-site scripting and input validation/output encoding findings. Later joined by Mike McCabe's (@mccabe615) talking about cloud security, building an appsec program, interviews (both for and against) and CHRISTMAS. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_37.mp3 Tue, 20 Nov 2018 21:00:00 -0700 Seth and Ken discuss security gifts for appsec peeps. Joined by Stefan Edwards (@lojikil) to talk about his origin story (Seth gets bagged on), formal verification, and a multitude of other topics. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_38.mp3 Tue, 27 Nov 2018 21:00:00 -0700 Seth and Ken discuss node packages and event_stream fallout. Matt Konda (@mkonda) joins to talk about OWASP, the Glue tool, Jemurai and his origin story and other topics. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_39.mp3 Tue, 04 Dec 2018 21:00:00 -0700 Is there such a thing as breach fatigue? When have we had enough? Seth and Ken are joined by Jerry Gamblin of Kenna Security to discuss recent breaches and AWS Re:Invent. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_40.mp3 Tue, 11 Dec 2018 21:00:00 -0700 Seth and Ken talk through secure code reviews and assessment scoping, more on breaches, the Google congressional hearings and more. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_41.mp3 Tue, 18 Dec 2018 21:00:00 -0700 Seth and Ken discuss hidden file and directory enumeration. Joined by Will Bengtson to talk AWS and cloud security, including cloudtrail and trailblazer. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_42.mp3 Tue, 08 Jan 2019 21:00:00 -0700 Seth and Ken discuss SSRF Rebinding defenses with Segment (Leif, David, and Achille). Additional topics include password complexity, password resets, and using Troy Hunt's breach database. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_43.mp3 Tue, 15 Jan 2019 21:00:00 -0700 Seth and Ken are joined by Keith Hoodlet (@andMyHacks) to discuss DerbyCon, pwnhead, and application security in medical devices. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_44.mp3 Tue, 29 Jan 2019 21:00:00 -0700 Seth and Ken are joined once again by David Coursey (@dacoursey) to review topics from AppSec California 2019, including building developer relationships and the OWASP ZAP HUD. Ken and Dave answer questions about the time investment required to support a Bug Bounty program. David discusses his role at Allstate. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_45.mp3 Tue, 05 Feb 2019 21:00:00 -0700 Seth and Ken are joined by Sean Poris (@skp00) of Verizon Media to talk about making the most of a bug bounty program, Sean's path into application security from his budding time as a biologist, and strategies on managing a large application security program. Sean also talks about methods he has used for finding and developing application security engineers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_46.mp3 Tue, 12 Feb 2019 21:00:00 -0700 Seth and Ken talk about the recent release of ClusterFuzz by Google. Joined by Daniel Miessler (@Daniel Miessler) to talk about the SecLists project, how it relates to fuzzing, training developers and his path into security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_47.mp3 Tue, 19 Feb 2019 21:00:00 -0700 Seth and Ken review steps taken during a secure code review to map out an application. Joined by Kevin Cody (@kevcody) to talk mobile application testing, OWASP Mobile Top 10, what devices to use when performing these tests and how python is awesome. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_48.mp3 Tue, 26 Feb 2019 16:00:00 -0700 Seth and Ken discuss recent events with the .dev domain and why developers should care. Omer Levi Hevroni (@omerlh) stops by to talk about the OWASP Glue Project, the Kamus project for managing Kubernetes secrets, and Threat Modeling as code. Also .Net. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_49.mp3 Tue, 05 Mar 2019 16:00:00 -0700 Seth and Ken talk through subdomain takeovers vulnerabilities at large companies and identification of DNS SSRF. Ken walks through a few oauth best practices. A look at the Portswigger list of Top 10 Web Hacking Techniques of 2018. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_50.mp3 Tue, 12 Mar 2019 16:00:00 -0700 Seth and Ken talk about number 8 in the top web hacking techniques of 2018. Discussions on static analysis tools and approach to usidng them. Eric Heitzman joins to talk about his background, DevSecOps, secure code training and more. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_51.mp3 Tue, 19 Mar 2019 16:00:00 -0700 Seth and Ken talk about new techniques for exploiting XXE, number 7 in the top web hacking techniques of 2018. Discussions on assessment process, including reporting, note taking and soft skills with Jessica Ryan. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_52.mp3 Tue, 26 Mar 2019 11:00:00 -0700 Seth and Ken talk about serialization vulnerabilities, number 6 in the top web hacking techniques of 2018. Discussions on continuous integration, hacking jenkins, reading code to find vulns, maintaining your edge, career growth, and hacking your happiness with Chris Gates. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_53.mp3 Tue, 02 Apr 2019 11:00:00 -0700 Seth and Ken talk AppCache vulnerabilities and postMessage exploits from PortSwigger's Top 10 web hacking techniques of 2018. Greg Ose joins them to talk about building application security programs, developer involvement, his background, and product security at Github. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_54.mp3 Tue, 09 Apr 2019 11:00:00 -0700 Seth and Ken are joined by Tim Tomes, aka LaNMaSteR53. We discuss Tim's path into application security, his work on Recon-NG, and his analysis of Burp Suite Professional's version 2. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_55.mp3 Thu, 18 Apr 2019 11:00:00 -0700 Seth is joined once again by Stefan Edwards. First in the series "Lojikil ruins Infosec". Ken is at LocomocoSec in Hawaii, so Seth and Stefan (@lojikil) talk all things testing, including symbolic execution, fuzzing, and why everything is awful. Seth becomes a nihilist. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_56.mp3 Tue, 23 Apr 2019 11:00:00 -0700 Seth and Ken get back together to talk about Loco Moco Sec and recent industry news. Specifically, should all security people be able to code? Is it a strict requirement? Ken gives his take on the talks from LocomocoSec and why we should all be there in 2020. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_57.mp3 Tue, 30 Apr 2019 11:00:00 -0700 Seth and Ken are joined by the OWASP WIA (Women in AppSec, @owaspwia) Committee. We discuss diversity in security and how the committee and OWASP is making the community more inclusive. Topics include first security conferences, how to get involved, and more. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_58.mp3 Tue, 07 May 2019 11:00:00 -0700 Seth and Ken discuss Edge Side Include Injection. Subsequently joined by David Lindner (@golfhackerdave), the current head of AppSec at Contrast Security. David talks all about RASP, mobile and IoT security plus talk a little bit about appsec program building. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_59.mp3 Tue, 14 May 2019 11:00:00 -0700 Seth and Ken discuss Minecraft mod hacking and applying AppSec tools to the practice. Joined by James Wickett (@wickett) to talk about the history of DevOps, why software security people should learn to code, and current trends in the DevOps space. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_60.mp3 Tue, 21 May 2019 11:00:00 -0700 Seth is joined once again by Stefan Edwards to talk about current events and ruin another portion of information security. Topics include Huawei, Android Security, and Programming Languages. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_61.mp3 Tue, 11 Jun 2019 11:00:00 -0700 Based on demand, Seth and Ken are joined by Tanya Janca (@shehackspurple) to talk about all things OWASP, travel, and experinces. Topics include OWASP DevSlop, diversity, and inclusion no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_62.mp3 Tue, 18 Jun 2019 11:00:00 -0700 Seth and Ken welcome Abdullah Munawar and Ben Pick to the show. They discuss their path into application security, current roles, and OWASP involvement. Specifically, Abdullah and Ben talk about running the OWASP NoVA chapter and challenges in organizing the Global AppSec DC conference. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_63.mp3 Tue, 02 Jul 2019 11:00:00 -0700 Julian Berton joins Seth and Ken to talk about Developer Training, Security Standards and AppSec Day, a global Application Security conference in Melbourne, Australia. They also discuss the latest lodash vulnerability and Boeing's outsourcing of developers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_64.mp3 Tue, 09 Jul 2019 11:00:00 -0700 Seth and Ken discuss conference proposals submissions and how to stand out. Also discussions on the latest security news, including the Zoom vulnerability disclosure, European fines for Marriott, and the latest hijacked/backdoored third-party library. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_65.mp3 Tue, 16 Jul 2019 11:00:00 -0700 Seth and Ken are joined by Adam Baldwin (@adam_baldwin) to discuss a topic we've been talking a lot about - 3rd party dependency and supply chain security. Adam gave a talk at this year's LocoMoco Security conference where he discuss fascinating and VERY relevant topics such as "developer burnout as an attack vector" as well as providing stats such as 97% of modern node applications rely on the code of 3rd party libraries. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_66.mp3 Tue, 30 Jul 2019 11:00:00 -0700 Seth and Ken discuss the latest news, including the Capital One Breach, Project Zero's recent iOS vusnerability disclosures, and further malicious NPM package takeovers. Further topics include learning who to trust and security code reviews. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_67.mp3 Mon, 12 Aug 2019 11:00:00 -0700 Seth and Ken are joined by Stefan (@lojikil) and Bobby (@b0bbytabl3s) to talk about Kubernetes Security based on the assessment they conducted at Trail of Bits. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_68.mp3 Mon, 13 Aug 2019 11:00:00 -0700 Jerry Gamblin (@jgamblin) joins Seth and Ken to talk about #hackersummercamp, DEF CON 27, and all things Vegas. Discussion includes NULL license plates, software bill of materials, and more. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_69.mp3 Tue, 27 Aug 2019 11:00:00 -0700 Seth and Ken are joined by Eric Ellett (@EricEllett) to talk about software supply chain security. Development vs. Security and how to develop a good relationship with development instead of an antagonistic one. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_70.mp3 Tue, 03 Sep 2019 11:00:00 -0700 Andrew Wilson (@azwilsong) , a friend and partner at Bishop Fox joins Seth and Ken to discuss OWASP, running a consultancy, organizing CactusCon, and training new AppSec resources. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_71.mp3 Tue, 17 Sep 2019 11:00:00 -0700 Eric Johnson (@ejcx_), one of the first podcast guests to join Seth and Ken revisits to talk about recent industry revelations, including the Lastpass vulnerability from Google's Project Zero. Further discussions on Cloudflare Access and ranging topics including Coke's 80s lawsuit involving trade secrets. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_72.mp3 Tue, 01 Oct 2019 11:00:00 -0700 Seth and Ken kickoff October with a discussion of consulting horror stories, both from personal experiences and listener-provided. Additional discussions around Cloudflare's WARP. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_73.mp3 Wed, 16 Oct 2019 23:00:00 -0700 Kevin Cody (@kevcody) is back with Seth and Ken to talk about his collaboration with Tim Tomes (@LaNMaSteR53) on CORS. Also discussions on lockpicking, travel tips, and a wide range of topics. Remember, CORS is a anti-security control. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_74.mp3 Tue, 22 Oct 2019 23:00:00 -0700 Ernest Mueller (@ernestmueller) joins Seth and Ken to talk about the his path into technology, operations, and security. Additional discussions on the beginnings of DevOps, Security, and Cloud Computing. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_75.mp3 Tue, 19 Nov 2019 11:00:00 -0700 Ken and Seth are back! Joined in this episode by Brian Glas, aka @infosecdad, aka Professor Glas to talk about all things OWASP Top 10 2017, the path to his involvement, and how it almost split AppSec in two. Also a discussion on OWASPSAMM vs. OpenSAMM vs. BSIMM. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_76.mp3 Tue, 26 Nov 2019 11:00:00 -0700 Guy Podjarny (@guypod), founder of Snyk, joins Ken and Seth to talk about Snyk, the origins of AppScan Standard, Software Composition Analysis and his origin story. A discussion of building developer focused security tools and how this can benefit security in the long run. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_77.mp3 Tue, 03 Dec 2019 11:00:00 -0700 Seth and Ken are joined this week by Clint Gibler (@clintgibler) to talk about DevSecOps, what he sees in the industry as effective security, and his newsletter TLDR; Sec (https://bit.ly/tldrsec). Comments on prioritization, asset inventory, and effectively quashing bug classes. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_78.mp3 Tue, 10 Dec 2019 11:00:00 -0700 Seth and Ken host Seth and Santa's Secure Workshop as a pair this week. The discussion revolves around the Hacker 1 "breach", Practical Pentest Lab's storage and sending of plaintext passwords, chicken fingie injection, and toxicity of infosec social media. May or may not be a discussion on squirrels and pigeons in cowboy hats. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_79.mp3 Tue, 17 Dec 2019 11:00:00 -0700 Seth and Ken host the podcast live from DevSecOpsDays Austin, with multiple guests from conference speakers. Discussions on what each guest feels is up next in AppSec and DevSecOps for the forseeable future. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_80.mp3 Tue, 14 Jan 2020 11:00:00 -0700 Louis Barrett of the Segment SIRT team joins Seth and Ken to discuss his path into security, mentors, and SIRT. Discussions on approaching SIRT, creating a SIRT team, and how to integration AppSec into the SIRT. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_81.mp3 Tue, 21 Jan 2020 11:00:00 -0700 Ken and Seth are joined by Matias Madou, CTO of Secure Code Warrior. Discussion of current state of application security training, static analysis tools, and just-in-time-training. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_82.mp3 Tue, 28 Jan 2020 11:00:00 -0700 Kelley Robinson (@kelleyrobinson), Security Advocate at Twilio/Authy joins Seth and Ken to talk about multifactor authentication, her path into security, and advances in voice security (SHAKEN/STIR). no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_83.mp3 Thu, 06 Feb 2020 11:00:00 -0700 Ron Perris (@ronperris), Software Security Engineer from npm, Inc. joins Seth and Ken to talk about module security, developer interactions, and recent node security issues. DOM Clobbering. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_84.mp3 Tue, 11 Feb 2020 11:00:00 -0700 Seth and Ken discuss the latest security news, including CIA Backdoors in the Crypto AG products, FBI release of wanted Chinese nationals related to the Equifax breach, protecting applications against nation state actors, and securing open source libraries. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_85.mp3 Tue, 18 Feb 2020 11:00:00 -0700 David Lindner (@golfhackerdave) joins Seth and Ken discuss the voting applications, including the Iowa debacle and the Voatz application. Ranting on bug bounties and response times for researcher findings. An explanation of IAST, RASP, and WAFs. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_86.mp3 Tue, 25 Feb 2020 11:00:00 -0700 Seth and Ken discuss bug bounties and a recent article on Paypal issues. Joined by Rohan Joshi to discuss building an application security program, QA security testing, and security champions. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_87.mp3 Tue, 03 Mar 2020 11:00:00 -0700 Abhay Bhargav, founder of We45, joins Seth and Ken in a discussion on threat modeling in an agile development methodology, the rise and role of DevSecOps, and security within microservices. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_88.mp3 Tue, 17 Mar 2020 11:00:00 -0700 Kevin Johnson of Secure Idea joins Seth and Ken in a discussion on his path into security, Star Wars (yes, really), and giving back to the community. This includes passing on teaching, sharing knowledge, and mentoring those that ask for it. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_89.mp3 Tue, 24 Mar 2020 11:00:00 -0700 Kat Sweet (@TheSweetKat) continues our discussion from DevSecOps Days Austin. Topics include incident response, staying right while you push left, developer training, and getting into information security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_90.mp3 Tue, 31 Mar 2020 11:00:00 -0700 Seth and Ken provide their take on the Voatz mobile app dismissal from HackerOne. Additional discussion of network trends during social distancing and COVID-19 as reported by Shodan. Finally some thoughts on the new OWASP Firmware Testing Guide and InQL, a GraphQL Burp Suite Pro plugin. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_91.mp3 Tue, 07 Apr 2020 11:00:00 -0700 LOJI IS BACK! Stefan joins Seth and Ken to talk about his work on Trail of Bits assessment of the Voatz mobile application, share thoughts on Zoom, and discuss the assessment process. Discussions on report writing, risk assessments, threat modeling, and other appsec goodness. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_92.mp3 Tue, 14 Apr 2020 11:00:00 -0700 Seth struggles with internet access during a discussion with Ken on working from home, employee surveillance, and Sneek. Additional thoughts on the evolution of application security and penetration testing since the beginning of our careers. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_93.mp3 Tue, 21 Apr 2020 11:00:00 -0700 Seth and Ken are joined by the Huntr Dev team to talk about securing open source software, bug bounties, and writing secure code. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_94.mp3 Tue, 05 May 2020 11:00:00 -0700 Seth and Ken discuss tips for running a bug bounty program, risk of webhooks, Segment's move to and from microservices, and having CVE Fatigue. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_95.mp3 Tue, 12 May 2020 11:00:00 -0700 Jessica Rozhin (@JessicaRozhin) and Lady Christina Liu (@cliuthulu) join Seth and Ken to talk about alternate routes into security, including accounting and joining a circus. Discussions on forensics, incident response, and how lock picking can help build an infosec culture. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_96.mp3 Tue, 19 May 2020 11:00:00 -0700 Seth and Ken discuss fuzzing techniques, recommendations, and experience. Stories of fuzzing in production. How static analysis tools have changed and where they fit. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_97.mp3 Tue, 26 May 2020 11:00:00 -0700 Stefan (@lojikil) and Brian (@infosecdad) are back to talk about threat modeling with Seth and Ken. Discussion covers risk assessment, threat modeling, asset inventory, and software maturity. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_98.mp3 Tue, 02 Jun 2020 11:00:00 -0700 Seth and Ken go full rant mode about bug bounties and trying to work while the world goes insane. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_99.mp3 Tue, 09 Jun 2020 11:00:00 -0700 Seth and Ken are back to security and technology this week. Discussions about contact tracing applications, privacy and freedom vs. security, the GnuTLS CVE, and possible Honda breach. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_100.mp3 Tue, 16 Jun 2020 11:00:00 -0700 Seth and Ken break the 100 episode barrier by talking about virtual conferences. Discussions about bots, distributed denial of service attacks, and Ebay stalking of a newsletter. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_101.mp3 Tue, 23 Jun 2020 11:00:00 -0700 Seth and Ken are joined by Mike McCabe (@mccabe615) and Ken Toler (@relotnek) to break down their talk on Cloud Security. Discussions revolves around cloud security, but touches legacy systems, application inventory, virtual conferences, and more. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_102.mp3 Tue, 30 Jun 2020 11:00:00 -0700 Seth and Ken talk about the popularity of various programming languages, TikTok app issues, and new changes at OWASP. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_103.mp3 Tue, 21 Jul 2020 11:00:00 -0700 Oded Hareven from AKEYLESS joins Seth and Ken to discuss the idea behind AKEYLESS as well as give us a chance to learn a little bit more about Oded. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_104.mp3 Wed, 05 Aug 2020 11:00:00 -0700 Leif Drezler joins Seth and Ken to talk about recent projects, including authentication, SCIM, and how to embed within a development team. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_105.mp3 Tue, 18 Aug 2020 11:00:00 -0700 Seth and Ken chat with Laura Migus who is an expert in the realm of Diversity and Inclusion to learn more about the topic and how to support diversity and inclusion efforts. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_106.mp3 Tue, 25 Aug 2020 11:00:00 -0700 Justin Massey from Data Dog joins us to talk Application Logging. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_107.mp3 Tue, 01 Sep 2020 11:00:00 -0700 Markus Schirp (@_m_b_j_) joins Seth and Ken to talk about Ruby and other dynamic languages. Mutation testing, TDD weaknesses, and meta programming. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_108.mp3 Tue, 15 Sep 2020 11:00:00 -0700 Sean Poris (@skp00) joins Absolute AppSec to talk about The Paranoids virtual bug bounty hacking event H1-2010, staying sane, managing a virtual team, and advice for running a bug bounty program. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_109.mp3 Tue, 22 Sep 2020 11:00:00 -0700 We are back with a Seth and Ken only episode to talk about the evolution of threat modeling, the documentary "The Social Dilemma", mental health, and imposter syndrome. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_110.mp3 Tue, 06 Oct 2020 11:00:00 -0700 Back at it like a phrack addict to talk reserved words, authentication flaws in apps and Grindr, and recognizing insecure patterns during development. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_111.mp3 Tue, 13 Oct 2020 11:00:00 -0700 Seth and Ken dig into strange requests when running bug bounty programs, recent revelations on Apple security research, and detection as code. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_112.mp3 Tue, 20 Oct 2020 11:00:00 -0700 Mark Feferman (@mfeferman) joins Seth and Ken to throw down about automated static analysis tools. Discussion of applictaion security talent (or lack thereof) and 'shifting left'. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_113.mp3 Tue, 27 Oct 2020 11:00:00 -0700 Jacob Salassi (@JacobSalassi) joins us to discuss his developer-driven, standardized, threat modeling process. Also discussions on developer empathy, risk assessment, and other topics. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_114.mp3 Tue, 10 Nov 2020 11:00:00 -0700 Seth and Ken discuss account enumeration vulnerabilities and open source tools that take advantage of them. Discussion about the recent Github Actions vulnerability. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_115.mp3 Tue, 17 Nov 2020 11:00:00 -0700 Clint Gibler (@clintgibler) joins Seth and Ken to talk about Static Analysis with Semgrep. Demonstrations of writing rules within Semgrep and how to use it. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_116.mp3 Tue, 24 Nov 2020 11:00:00 -0700 Lewis Ardern (@LewisArdern) and Pwnfunction (@pwnfunction) join Seth and Ken to talk client-side JavaScript security and their recent Vue JS blog post. https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_117.mp3 Tue, 22 Dec 2020 11:00:00 -0700 The dynamic duo is back for their last podcast of 2020! no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_118.mp3 Tue, 12 Jan 2021 11:00:00 -0700 Seth and Ken return with a discussion about application security in the news, including relevance to the Parler "backups". Also discussions about Twitter and latest political developments and how they affect the security industry. yes https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_119.mp3 Tue, 19 Jan 2021 11:00:00 -0700 Seth and Ken wax nostalgic about the old days due to the shut down of the Bugtraq Mailing List (RIP old friend). Further discussions on web cache poisoning and blind server-side request forgery (SSRF) exploits. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_120.mp3 Tue, 26 Jan 2021 11:00:00 -0700 Seth and Ken discuss the proposed 2021 OWASP Top 10 Risks, North Korean attacks against security researchers, password managers, latest in Parler de-platforming, and phishing possibilities. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_121.mp3 Tue, 02 Feb 2021 11:00:00 -0700 Stefan Edwards (@lojikil) once again joins Seth and Ken to talk all things LangSec (language security). Discussion ranges from manual vs. automated testing to fuzzing to semantic analysis to formal specification. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_122.mp3 Thu, 18 Feb 2021 11:00:00 -0700 Seth and Ken welcome back Professor Brian Glas (@infosecdad) to dispel the recent OWASP Top 10 2021 speculation and rumor. We talk through the origins and purpose of the OWASP Top 10 as well as the 2021 call for data and upcoming release. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_123.mp3 Tue, 23 Feb 2021 11:00:00 -0700 Seth and Ken discuss client-side controls and 3rd-party JavaScript security features. Confused deputy vulnerabilities (dependency confusion) in the news. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_124.mp3 Tue, 02 Mar 2021 11:00:00 -0700 Seth and Ken discuss Portswigger's Top 10 Web Hacking Techniques of 2020, specifically injection attacks through images in PDFs and reverse proxies. Further discussion on creativity in development and how that affects and limits security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_125.mp3 Tue, 09 Mar 2021 11:00:00 -0700 Seth and Ken discuss interviewing techniques for technical resources, SQL injection in the media and Github's recent concurrency vulnerability. Also a discussion on recent WordPress plugin vulnerabilities and why they are always so devastating. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_126.mp3 Tue, 16 Mar 2021 11:00:00 -0700 Seth and Ken are back on another Taco Tuesday to talk through getting into application security and how to support those new to the field. Also a discussion on phishing sites that detect VMs and other tools to bypass detection and observed client-side JavaScript attacks. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_127.mp3 Tue, 23 Mar 2021 11:00:00 -0700 Seth and Ken discuss the role of regular expressions in routing of web application requests. Discussion covers basics of routing, exploitation of secondary contexts, and bypassing of web application firewalls. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_128.mp3 Tue, 30 Mar 2021 11:00:00 -0700 Seth hosts Stefan Edwards (@lojikil) and David Coursey (@dacoursey) discussing PHP's recent backdoor, probable fixes including code commit signing and the move to GitHub. THe discussion covers ease of security, developer tendencies when securing code, and application security nihilism. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_129.mp3 Tue, 06 Apr 2021 11:00:00 -0700 Rey Bango (@reybango) from Veracode joins Seth and Ken to talk about his path into security. Topics include JavaScript, JQuery, building relationships between security and relations, and how to educate the next generation of developers in security. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_130.mp3 Tue, 13 Apr 2021 11:00:00 -0700 Ken and Seth break down the Facebook 'Breach', aka data collection and different views on dealing with that data. The discussion continues with privacy data and how far we should trust any social media application. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_131.mp3 Tue, 20 Apr 2021 11:00:00 -0700 Jeevan Singh from Segment joins Seth and Ken to discuss the recently-released, open source threat modeling training material. no https://absolute-appsec-eps.s3.us-west-1.amazonaws.com/episodes/Absolute_AppSec_Ep_132.mp3 Tue, 27 Apr 2021 11:00:00 -0700 Ken and Seth are the dynamic duo revealing what they wish they knew starting in security and as a penetration tester. Also a discussion about supply chain attacks and a tribute to the late Dan Kaminski. no