
Absolute AppSec

284 episodes - English - Latest episode: 17 days ago - ★★★★★ - 16 ratings

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.


Episodes

Episode 240 - Code Smells, XZ Backdoor, Hallucinations

April 09, 2024 18:00 - 31.8 MB

After a week of travel, Seth and Ken return to the podcast with a breakdown of their travel experiences at multiple conferences and teaching their first Practical Secure Code Review course using LLMs to enhance the methodology. This is followed by reinforcement of code review steps including library research, a discussion of the recent XZ backdoor, and an article reviewing LLM hallucinations when recommending libraries.

Episode 239 - AppSec Intel, CVEs, Authorization

March 26, 2024 18:00 - 40.6 MB

When Ken is away, the geeks will play. Seth is joined by podcast regular Stefan Edwards (@lojikil) to catch up on his recent work around threat hunting. This progresses into a discussion on threat intelligence and what is available for applications. A recent blog post on the utility of the CVE system spurs thoughts on the usefulness of published CVEs. Finally, opinions fly on authorization issues and how simple misconfigurations result in many vulnerabilities or attack chains.

Episode 238 - AppSec vs. Enterprise Sec, Supply Chain Tool Analysis

March 19, 2024 18:00 - 35.3 MB

Ken and Seth are back to talk about the difference and competing priorities of Application and Enterprise Security. In short, recent news contends that Enterprise or Infrastructure security is lacking, whereas Application or Product Security is in a good state. This is followed by a discussion on supply chain security tools due to a recent analysis conducted by DoyenSec comparing false positives and negatives from the leading tools.

Episode 237 - Security 101, Nation State Hackers, Malicious Code

March 12, 2024 18:00 - 30.3 MB

Ken and Seth return for another episode, starting out with pointers on getting into security and finding a niche, all based on a recently released Microsoft project to introduce anyone to security. This is followed by a discussion on Chinese hacking groups and recent breaches among those groups. Finally, a discussion on protecting the software supply chain due to the recent forking and upload of malicious repositories on GitHub.

Episode 236 - Memory Safe Languages, LLM Supply Chain Security

March 05, 2024 18:00 - 35.3 MB

Seth and Ken review the recent Whitehouse report on going back to the basics for software security and vulnerabilities. Specifically, how the use of memory-unsafe languages like C and C++ is affecting the overall security of the internet landscape. This includes a discussion on formal verification and crocs and socks of software testing. Finally, thoughts are shared on the recent use of Hugging Face and Github to host malicious code/packages and how this is a natural progression for popular pa...

Episode 235 - 2023 Top 10 Web Hacking Techniques, LLM Agent Hacking

February 20, 2024 18:00 - 33 MB

Podcast viewers will be familiar with Portswigger's annual list of Web Hacking Techniques. Ken and Seth take some time to digest the list and recommend reviewing not only the top 10, but also the nominations. A discussion on the use of LLM Agents as a dynamic scanning engine for identifying vulnerabilities. If you aren't already using an LLM to help speed up your AppSec, why not? Finally, a discussion on security statistics and how bad they are.

Episode 234 - Password Analysis, GitHub Copilot

February 13, 2024 18:00 - 30.8 MB

Ken and Seth comment on their recent use of the same passwords across multiple organizations. Errr, or wait. That's administrators in some instances, according to recently published analysis from Lares. Will we ever get over passwords or are we doomed to repeat the past? In other news, GitHub Copilot may be (one of) the culprit(s) for the enshitification of code, based on a published paper from GitClear. Or it might just be that organizations and developers should have coding standards. Or ma...

Episode 233 - Scammers, Deep Fakes, Data Exposure

February 06, 2024 18:00 - 34.5 MB

Seth and Ken return to the podcast to talk about fraud scammers based on a recent article from Cory Doctorow and what AppSec can do to protect their apps and themselves. Crocs and Socks. The use of deep fakes to scam corporations to transfer money. Finally, a discussion on sensitive data and why it happens in APIs due to the recent news that Spoutible exposed all sorts of tokens as reported by Troy Hunt.

Episode 232 - Security Jobs, Surveillance, Prompt Injection

January 30, 2024 18:00 - 33.1 MB

Ken and Seth start out with a lengthy discussion about application security jobs, training, and getting into the security space due to an article based on someone's experience moving from IT to pentesting. This is followed by possible needs for the NSA to collect commercially available browsing data. Finally, a quick hit on prompt injection and how things are moving quickly in the AI/LLM space.

Episode 231 - FlowMate, State of Software Supply Chain Security

January 23, 2024 18:00 - 34.1 MB

Seth and Ken are back after a week's hiatus and start by demonstrating FlowMate, a newly released Burp Extension for building context of the parameters used by an application. This is followed by in-depth analysis of Reversing Lab's State of Software Supply Chain Security Report.

Episode 230 - False Positives vs. Negatives, Scaling Vuln Management

January 09, 2024 18:00 - 31 MB

Ken and Seth return to settle the age old question of whether false positives or false negatives are better when dealing with security tools. Tears are shed as stories of wasted efforts ring through on the podcasting airwaves. Maybe. Discussions on AI generated recommendations and how it _can_ be useful, but also turn out poorly. Finally, introductions on large scale vulnerability management at GitHub and how organizations struggle to fix issues identified through multiple streams.

Episode 229 - Software Supply Chain Security, 2024 Predictions

January 02, 2024 18:00 - 33.2 MB

Seth and Ken kick off a new year talking about recent news, including improvements in security process for software supply chains. This is followed by security predictions for 2024, including LLMs, dynamic scanning, process, and other possibilities in the near future.

Episode 228 w/ Chime Security Engineering - Monocle

December 19, 2023 18:00 - 34.6 MB

David Trejo (@[email protected]) and Paul Kuliniewicz, security engineers at Chime join Seth (@sethlaw on x) and Ken (@cktricky) to discuss the ins and outs of challenges and successes in a widely recognized effective product security program. You can start reading up on the Monocle program here: https://medium.com/life-at-chime/monocle-how-chime-creates-a-proactive-security-engineering-culture-part-1-dedd3846127f And part 2 here: https://medium.com/life-at-chime/mitigating-risky-pull-r...

Episode 227 - Token Leakage, Cybersecurity Isn't Special

December 14, 2023 18:00 - 35.1 MB

Ken and Seth return to discuss current news. First up is a discussion about token leakage based on the recent discovery of AI tokens on Github and Cloud tokens on Hugging Face's repository. The struggles that package maintainers have with hosted data and secrets are an old problem that doesn't have a good solution. A re-hash of the recent blogpost "Cybersecurity isn't Special" and how this also isn't a new idea.

Episode 226 - Security Reviews, CVE-2023-46214

December 05, 2023 18:00 - 28.5 MB

Ken and Seth decide whether the idea of security reviews is dead, spurred on by a recent blog post by Frank Wang on doing away with the current perception of reviews. This is followed by a walkthrough of the Splunk XSLT code and vulnerability for the PoC of CVE-2023-46214.

Episode 225 w/ Brian C Reed

November 28, 2023 18:00 - 32.2 MB

We are excited to have Brian C Reed, chief mobility officer at NowSecure, as a special guest on the Absolute AppSec podcast. Brian has specialized in mobile security, and his company NowSecure works to secure apps and train developers in safe mobile security engineering. As a piece of his work in mobile security, Brian has helped strengthen OWASP MASVS and ADA MASA standards. He also has experience in helping build go-to-market strategies or growth plans for a range of businesses. Be sure to tune...

Episode 224 w/ Jeevan Singh

November 14, 2023 18:00 - 32.1 MB

Jeevan Singh (@askjeevansingh) returns to join Ken Johnson (cktricky on Twitter) and Seth Law (sethlaw) as a guest on the podcast! Jeevan is currently with Rippling, was previously the Director of Product Security at Twilio, and before that Segment. He has been a long-time leader in security and development communities, and currently heads up the @owaspvancouver group. Tune in for ways to improve Threat Modeling, DevSecOps, and security programs in general.

Episode 223 w/Stefan Edwards - OWASP, Privacy

November 07, 2023 18:00 - 33.1 MB

When cktricky is away, the lojis will play. Stefan Edwards co-hosts an episode with Seth in what ends up bypassing the AI hype to discuss the current state of OWASP. In short, things are murky but the organization is useful and the industry should support some version of its efforts. A discussion on privacy and training AI, based on recent articles and books about Clearview AI. Don't miss this Very Special Episode.

Episode 222 w/ Leif Dreizler

October 23, 2023 18:00 - 32.7 MB

Ken Johnson (cktricky) and Seth Law (@sethlaw) welcome Leif Dreizler back on the show! Leif recently became a Senior Manager of Software Engineering at Semgrep (semgrep.dev), having spent the better part of a decade working in product security and security software engineering at Twilio and Segment (segment.io). He is also a podcast co-host for the 404 Security Not Found podcast.

Episode 221 - Interviews, Breach, AI Tools

October 19, 2023 18:00 - 32.3 MB

Seth and Ken are back to review some recent news and community discussions. Specifically, the duo talks about the use of coding requirements and projects during interviews for application security. Both have had experience on both ends and have opinions. This is followed by reactions to the recent breach and data dumps from 23andMe. Finally, new AI tools are starting to emerge that will help security find and fix vulnerabilities.

Episode 220 w/ Erik Cabetas (Include Security)

October 10, 2023 18:00 - 36.3 MB

Erik Cabetas, founder and managing partner of Include Security, joins Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw). Erik has been running Include Security for the last decade, and before that comes from a path that includes time working with early security teams at Microsoft and Fortify Software, blue-team stints with financial groups as well as heading security for an eCommerce firm. Join us for a wide-ranging and expertly informed discussion of Application Security in many of i...

Episode 219 w/Jason Haddix - Discovery Tools, Security Research

October 03, 2023 18:00 - 31.4 MB

Seth and Ken are joined last minute by Jason Haddix (@jhaddix). Conversation about DEF CON talks, use of LLMs in research, and recently released tools.

Episode 218 w/ Cole Cornford - Security Startups, Developer Training

September 19, 2023 18:00 - 42 MB

Ken (cktricky on Twitter) and Seth (sethlaw) welcome Cole Cornford (https://www.colecornford.com) to Absolute AppSec for a discussion on running a security startup and the future of security training for developers and organizations. Cole is the CEO and Founder of Galah Cyber (https://www.galahcyber.com.au) and an all around AppSec maestro, frequently presenting at conferences and contributing to security working groups, such as AppSec Australia. He is also an active commentator in the Absolu...

Episode 217 w/ Shlomi Shaki - Security Tooling

September 07, 2023 18:00 - 34.8 MB

Shlomi is back! Shlomi Shaki, GitHub’s head of Asia-Pacific-Japan advanced security sales and all around thoughtful observer of the world of application security is back on the podcast with Ken Johnson and Seth Law. A lively discussion on security vs. engineering and failures of security to meet development/business in the appropriate places. Suggestions for getting out of the way and letting security become a part of the culture instead of forcing it onto individuals.

Episode 216 - Security SDLC, Time Management

August 29, 2023 18:00 - 31.8 MB

Ken and Seth are back with another episode where they try _not_ to cover more on LLMs and AI. Specifically, talk about the basics of implementing security into an SDLC. A long conversation and personal experience from both Ken and Seth on time management and how to get into a flow when working on technical problems. Finally, some answers to questions on the future of AI in AppSec.

Episode 215 - Learning Machine Learning, DEF CON 31 Recap

August 22, 2023 18:00 - 33.2 MB

Seth and Ken run through their experiences implementing Machine Learning for different application security activities. A breakdown of the duo's experience at DEF CON 31, interesting talks, and happy hour results.

Episode 214 - Artificial Intelligence and Security with @lojikil

August 08, 2023 18:00 - 36.3 MB

A very special pre-DEF CON episode with @lojikil (aka Stefan Edwards). Seth and Stefan dig into various security aspects of artificial intelligence and the recent hype cycle around large language models (LLMs). A discussion of the recently released OWASP Top 10 for LLMs and its target audience. Finally, opinions on the recent news of ZAP's departure from OWASP and security tools in general.

Episode 213 - Brian Joe of Impart Security

July 25, 2023 18:00 - 32.7 MB

A special episode with Brian Joe (brianwjoe on LinkedIn), head of product and co-founder of Impart Security (impart.security). Brian has a background with Signal Sciences, Fastly, and Verizon. He posts regularly on infosec, API and application security, among other topics at Security Boulevard.

Episode 212 - Evan Johnson of RunReveal

July 11, 2023 18:00 - 33.6 MB

With some interesting developments going on at RunReveal, Evan Johnson joins Seth and Ken to discuss monitoring of security logs (hurray! Seth's favorite Crocs and Socks topic) and RunReveal's open beta (as well as other AppSec topics).

Episode 211 - Brian Walter of OpenContext

June 20, 2023 18:00 - 32.9 MB

Ken Johnson (@cktricky) and Seth Law (@sethlaw) host Brian Walter (@bdwalter), co-founder and CEO of OpenContext (opencontext.com), a tech industry veteran with leadership stints at device-reputation company iovation (acquired by TransUnion), Xerox, Siemens, Sun Microsystems, Lockheed Martin, among others. Discussion focuses on establishing product requirements for all aspects of an application, including development, security, availability and more.

Episode 210 - Approaching Scans, AppSec Research, Threat Modeling

June 13, 2023 18:00 - 33.7 MB

From depths comes a rumbling, and it carries the whisper of AppSec on its breath! Seth and Ken dig into approaches to conducting client scans and processing results. A review of recent research into EPP services for domain registrars along with the methodology for conducting code reviews and appsec research. Finally, some resources for threat modeling.

Episode 209 - James Wickett, Contextual Security Analysis

June 06, 2023 18:00 - 33.1 MB

Join us for a special episode of Absolute AppSec with James Wickett (@wickett on twitter), the co-founder of DryRun Security (dryrun.security), creator of the Lonestar Application Security Conference, and all around infosec industry veteran.

Episode 208 - Zip TLD, PyPI 2FA, AI Poisoning

May 30, 2023 18:00 - 31.4 MB

Beware! It’s double ides of May! (Proviso being that you add the integers and not the 1/2s). Sponsored by @redpointsec, an application security firm that specializes in code security by and for coders. If you're looking for Web App or mobile Pentesting, developer training, smart contract or secure-code reviews, check them out: https://redpointsecurity.com. First topic: the new .zip top-level domain and its potential problematic security implications. Followed by a discussion of PyPI and 2FA. ...

Episode 207 - Watering Hole Attacks, Adversarial AI, Cookie Security

May 23, 2023 18:00 - 35.3 MB

Hello! We’re just a podcast, standing in front of you, aching to be the SYN to your ACK. Seth and Ken are back to talk about how the PyPI repo is experiencing an attack from multiple malicious package uploads. Seth brings up the concept of watering hole attacks and how the IDE plugin is a growing attack vector. Solarwinds discussion follows. Learning about attacking AI models, cookie security basics, and lock picking (allegedly) uses.

Episode 206 - RSA, Artificial Intelligence, Spidering Tools

May 04, 2023 18:00 - 30.5 MB

Seth Law and Ken Johnson are back this week. In this show, Seth and Ken discuss what the RSA conference did (and did not) reveal about the current state of #applicationsecurity, #appsec, #crocsandsocks. Also a discussion of the ChatGPT breach as well as AI's role in generating ever more content (in this case with news sites).

Episode 205 - Decline of AppSec, Death of Code Review

April 18, 2023 18:00 - 31.2 MB

Finally returning to the podcast after a couple weeks of travel, training, and speaking, Seth and Ken are back for more, including their own takes and opinions on the decline of application security and the reported death of manual code reviews.

Episode 204 - Logging, Edge Cases, Client API Exposure

March 28, 2023 18:00 - 33.2 MB

The dynamite duopoly that is Ken and Seth are back to take the AppSec news by storm. Starting with Seth's favorite topic of Auditing or Logging, Ken brings up the recent Okta vulnerability report related to plaintext logging of usernames and passwords. This is followed by a review of Troy Hunt's recent post on edge cases when interacting with 3rd-party services, which the duo extrapolates to security edge cases and things they have seen recently. Finally, a discussion on manipulation of clien...

Episode 203 w/ Shlomi Shaki - Security Tools

March 21, 2023 18:00 - 34.3 MB

Joining Seth and Ken is Shlomi Shaki, a tech exec with GitHub who directs sales resources related to Application Security and Product Security in the APJ region. Discussion revolves around adoption of security tools and the struggles of securing software from both a tooling and process perspective.

Episode 202 w/ Haseeb Awan - Mobile Security

March 14, 2023 18:00 - 29.9 MB

Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw) interview Haseeb Awan (@haseeb) founder and CEO of Efani, a mobile service provider focused on security.

Episode 201 - Breaches, Package Managers, Audit Logs

March 07, 2023 18:00 - 31.8 MB

A lot has happened since the 200th (!!!) episode of the podcast, so we are bringing another episode with a discussion of recent events, sites, and interesting finds. First up is a discussion of recent breaches, including some stories related to consumer rewards programs and weaknesses in that space. This is followed by a discussion on the responsibility of package managers (e.g. npm, pip) for disclosure or removal of known vulnerable packages. Finally, Seth's favorite topic of audit logs gets a publ...

Episode 200 w/ Jerry Gamblin - Startups, CVEs

February 28, 2023 18:00 - 34.1 MB

Jerry Gamblin joins Seth and Ken for the 200th episode of the podcast. The discussion starts with a lengthy analysis of startup culture, security startups, and gotchas to be aware of when employed at or considering a job with a startup. This is followed by in-depth analysis of CVEs and how the process of publicly reporting issues in software has changed over time. A small snippet on interesting tokens/words/comments to search for in git logs and comments that point at security problems.

Episode 199 - OWASP, Phishing, Eurostar

February 14, 2023 18:00 - 28.5 MB

After a number of guest appearances, Ken and Seth are flying "duo" to talk through recent news across the industry. Starting with analysis of the recent OWASP Change petition that has surfaced to address needs of OWASP projects and chapters for funding and definition of how the organization supports multiple efforts. Followed by commiseration with Eurostar on their recent self-inflicted lockout of user accounts due to authentication upgrades. Finally, discussion of the recent reddit phishing ...

Episode 198 with Laura Bell Main - Training

February 07, 2023 18:00 - 28.4 MB

Laura Bell Main, founder and CEO of safestack.io (@lady_nerd on twitter and check out her website https://laurabellmain.com to acquaint yourself with her work and recent publications), joins Seth and Ken as a special guest. The discussion revolves around security training for developers and how it has changed over the years.

Episode 197 with Sal Olivares - Exposed API Tokens

January 31, 2023 18:00 - 29.5 MB

Sal Olivares, Senior Software Engineer from segment.io, joins Seth and Ken to discuss his experience with and recent blog post related to security token scanning and revocation. Sal was involved with the recently-implemented exposed scanning token service at Segment and talks through his experience, gotchas, and other security topics.

Episode 196 - API Reviews, Web App Security Features

January 24, 2023 18:00 - 33 MB

Seth and Ken dig into a topic that was raised by a member of our Slack community. The initial half of the show reviews both the risks and dynamic or static review items associated with microservices. This is followed by a discussion that starts by asking the question "what are the must-have security features for a web application?"

Episode 195 - 2022 CVEs, CORS, GraphQL

January 17, 2023 18:00 - 31.9 MB

Ken (@cktricky) and Seth (@sethlaw) take a step away from the news to review technical articles and research released in the last couple of weeks. This includes analysis done by Jerry Gamblin on total CVEs released during 2022, a new tool for exploiting weak CORS configurations, an excellent writeup on usage along with an intentionally-vulnerable GraphQL application, and finally some thoughts on prototype pollution style vulnerabilities in other interpreted languages (specifically python).

Episode 194 - Frank Wang (dbtlabs) - Organization Security, AI/ML

January 10, 2023 18:00 - 34.1 MB

Frank Wang from dbtlabs (@ffwang2 on twitter) joins Seth and Ken for a discussion on current security landscape, artificial intelligence, and machine learning. Follow Frank on twitter or through his blog at https://franklyspeaking.substack.com/. Discussion starts with current breaches and how organizations approach security through their first security hire. This is followed by a discussion on AI related to ChatGPT and how it will affect security in the future.

Episode 193 - Security Metrics, End-User Security

December 20, 2022 18:00 - 34.1 MB

@cktricky and @sethlaw host another episode starting with a lengthy discussion on security metrics spurred by a recent post by Leif Dreizler (@leifdreizler). Security metrics are highly specific and custom to the organization and target audience, as evidenced by the lively discussion between the hosts. This is followed by a discussion of improvements in end-user security based on recent Apple iOS releases that change encryption and protection mechanisms for various services.

Episode 192 - Blogs, GoLang Security, ChatGPT

December 13, 2022 18:00 - 37.2 MB

What do _you_ want for an AppSec Christmas! Another episode featuring Ken and Seth, for sure. The duo starts the conversation talking about useful AppSec and Security Blogs while featuring a recent GoLang Security post from Cole Cornford. Followed by an in-depth discussion on ChatGPT to welcome our new AI overlords. Finally, Seth and Ken both talk about what they wish to see this next year for AppSec-mas.

Episode 191 - DNS Attacks, Organizational Risk, Mastodon

November 29, 2022 18:00 - 30 MB

Going into the final month of 2022, the dynamic duo graces us with their presence. It begins with a discussion of DNS Attacks based on Kaminsky-style attacks, spurred by research presented at DeepSec by Timo Longen of Sec Consult. Followed by a conversation straight out of Slack about considerations involving organizational and technical risks, specifically how to incorporate technical risk into organizational risk ratings. Finally, everyone is moving to Mastodon, but maybe they shouldn't be. Code...
