Seth and Ken are back with Episode 251, continuing on with their ranting over all things application security. This starts with a discussion of Mozilla's HTTP Observatory that scans sites for security-relevant headers and leads to a discussion

Episode 250 - Security Startups, Polyfill Takeover

11 days ago

Seth and Ken are back on the podcast this week without a guest for the first time in a month and start out with an in-depth discussion on startup life based on a recent article from TLDR;Sec. This is followed by thoughts on the recent influx of

Episode 249 w/ Tanya Janca - Secure Guardrails

18 days ago

Tanya Janca (@shehackspurple on X) joins Ken Johnson (@cktricky) and Seth Law (@sethlaw) for a special episode of the Absolute AppSec podcast. Tanya is currently head of education and community at Semgrep, and is a prominent info security comme

Episode 248 w/ Rahil Parikh - Building AppSec Programs

25 days ago

Rahil Parikh, manager of Security Engineering and Architecture @ Policygenius, joins Seth Law and Ken Johnson for an episode of Absolute AppSec. Rahil is long-time leader in information security who's managed security teams and application secu

Episode 247 - w/ Alejandro Saenz

Jun 11th, 2024

Absolute AppSec welcomes Alejandro Saenz to join Seth Law and Ken Johnson as a guest. Alejandro has been active in application and product security fields for over a decade, most recently working in product security for Twilio. Before that he w

Episode 246 - w/ Charles Shirer

Jun 4th, 2024

Charles Shirer joins Absolute AppSec for a special episode of the show. Charles has decades of experience as a pentester, threat hunter, red teamer, and security consultant. He's CEO of GlobalWave consulting, a security consulting firm that's b

Episode 245 - w/ Dustin Lehr - Security Champions

May 28th, 2024

Dustin Lehr, current director of AppSec at data integration company Fivetran, joins Seth and Ken for a special episode of Absolute AppSec. Dustin has spent years helping improve companies' security cultures industry-wide, through his work co-fo

Episode 244 - w/ Kyle Kelly - Software Security Supply Chain

May 21st, 2024

Kyle Kelly joins Seth Law and Ken Johnson as a special guest on the Absolute AppSec podcast. Kyle is an Executive Cybersecurity Consultant at Bancsec, Inc, and Security Researcher at Semgrep, and founder of the wonderful Cramhacks newsletter. A

Episode 243 - w/ Bryan Schmidt

Apr 30th, 2024

Bryan Schmidt, information security lead at Adept AI is joining Ken Johnson (@cktricky on twitter/x) and Seth Law (@Sethlaw) for a special episode of Absolute AppSec. Before Adept.AI, Bryan spent the last half decade working as a security engin

Episode 242 - LLMs Exploiting Vulns, State of DevSecOps

Apr 23rd, 2024

Seth and Ken return with analysis of recent research that shows LLMs exploiting known CVEs. And no, it's not completely autonomous yet. This is followed by a breakdown of DataDog's State of DevSecOps article, backing up our gut feel of current

Episode 241 - Secure Defaults, Using LLMs for Code Review

Apr 16th, 2024

**Video may be required**: this episode is focused on demonstrating uses of LLMs against various code. As such, listeners may want to watch the stream to see these uses rather than just listening. Also, Seth and Ken talk briefly at the beginnin

Episode 240 - Code Smells, XZ Backdoor, Hallucinations

Apr 9th, 2024

After a week of travel, Seth and Ken return to the podcast with a breakdown of their travel experiences at multiple conferences and teaching their first Practical Secure Code Review course using LLMs to enhance the methodology. This is followed

Episode 239 - AppSec Intel, CVEs, Authorization

Mar 26th, 2024

When Ken is away, the geeks will play. Seth is joined by podcast regular Stefan Edwards (@lojikil) to catch up on his recent work around threat hunting. This progresses into a discussion on threat intelligence and what is available for applicat

Episode 238 - AppSec vs. Enterprise Sec, Supply Chain Tool Analysis

Mar 19th, 2024

Ken and Seth are back to talk about the difference and competing priorities of Application and Enterprise Security. In short, recent news contends that Enterprise or Infrastructure security is lacking, whereas Application or Product Security is

Episode 237 - Security 101, Nation State Hackers, Malicious Code

Mar 12th, 2024

Ken and Seth return for another episode, starting out with pointers on getting into security and finding a niche, all based on a recently released Microsoft project to introduce anyone to security. This is followed by a discussion on Chinese ha

Episode 236 - Memory Safe Languages, LLM Supply Chain Security

Mar 5th, 2024

Seth and Ken review the recent Whitehouse report on going back to the basics for software security and vulnerabilities. Specifically, how is the use of memory unsafe languages like C and C++ affecting the overall security of the internet landsc

Episode 235 - 2023 Top 10 Web Hacking Techniques, LLM Agent Hacking

Feb 20th, 2024

Podcast viewers will be familiar with Portswigger's annual list of Web Hacking Techniques. Ken and Seth take some time to digest the list and recommend reviewing not only the top 10, but also the nominations. A discussion on the use of LLM Agen

Episode 234 - Password Analysis, GitHub Copilot

Feb 13th, 2024

Ken and Seth comment on their recent use of the same passwords across multiple organizations. Errr, or wait. That's administrators in some instances, according to recently published analysis from Lares. Will we ever get over passwords or are we

Episode 233 - Scammers, Deep Fakes, Data Exposure

Feb 6th, 2024

Seth and Ken return to the podcast to talk about fraud scammers based on a recent article from Cory Doctorow and what AppSec can do to protect their apps and themselves. Crocs and Socks. The use of deep fakes to scam corporations to transfer mo

Episode 232 - Security Jobs, Surveillance, Prompt Injection

Jan 30th, 2024

Ken and Seth start out with a lengthy discussion about application security jobs, training, and getting into the security space due to an article based on someone's experience moving from IT to pentesting. This is followed by possible needs for

Episode 231 - FlowMate, State of Software Supply Chain Security

Jan 23rd, 2024

Seth and Ken are back after a weeks hiatus and start by demonstrating FlowMate, a newly released Burp Extension for building context of the parameters used by an application. This is followed by in-depth analysis of Reversing Lab's State of Sof

Episode 230 - False Positives vs. Negatives, Scaling Vuln Management

Jan 9th, 2024

Ken and Seth return to settle the age old question of whether false positives or false negatives are better when dealing with security tools. Tears are shed as stories of wasted efforts ring through on the podcasting airwaves. Maybe. Discussion

Episode 229 - Software Supply Chain Security, 2024 Predictions

Jan 2nd, 2024

Seth and Ken kick off a new year talking about recent news, including improvements in security process for software supply chains. This is followed by security predictions for 2024, including LLMs, dynamic scanning, process, and other possibili

Episode 228 w/ Chime Security Engineering - Monocle

Dec 19th, 2023

David Trejo (@dtrejo@infosec.exchange) and Paul Kuliniewicz, security engineers at Chime join Seth (@sethlaw on x) and Ken (@cktricky) to discuss the ins and outs of challenges and successes in a widely recognized effective product security pro

Episode 227 - Token Leakage, Cybersecurity Isn't Special

Dec 14th, 2023

Ken and Seth return to discuss current news. First up is a discussion about token leakage based on the recent discovery of AI tokens on Github and Cloud tokens on Hugging Face's repository. The struggles that package maintainers have with hoste