『Absolute AppSec』のカバーアート

Absolute AppSec

Absolute AppSec

著者: Ken Johnson and Seth Law
無料で聴く

このコンテンツについて

 A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
エピソード
  • Episode 302 - OWASP Global AppSec DC predictions, AI Browser Dangers, MCP Security

    Episode 302 - OWASP Global AppSec DC predictions, AI Browser Dangers, MCP Security
    2025/11/04
    Episode 302 of Absolute AppSec has hosts Ken Johnson and Seth Law speculating on the upcoming Global AppSec DC conference, predicting the announcement of the OWASP Top Ten 2025 edition, with Brian Glass scheduled to discuss it on the podcast. The conversation shifts to a technical discussion of OpenAI's new browser, Atlas, which is built on Chromium and includes AI capabilities. The hosts noted concern over the discovered prompt instructions for Atlas, which direct the ChatGPT agent to use browser history and available APIs to find data from the user's logged-in sites to answer ambiguous queries or fulfill requests. This functionality raises significant security concerns, as the agent's ability to comb the cache and logged-in sites could be exploited, effectively creating a "honeypot for cross-site scripting" with malicious potential like unauthorized money transfers. The hosts discussed the lack of talk submissions on Mobile Context Protocol (MCP) security at the conference, despite its growing relevance in a world of AI agents and tooling. Finally, they highlighted a new tool called SlopGuard, developed to prevent the risk of AI hallucinating non-existent, potentially malicious packages (which occurs 5-21% of the time) and attempting to install them from registries like NPM.
    続きを読む 一部表示
    1分未満
  • Episode 301 - AI Browsers, New AI Agent Attacks, Framework Checklists

    Episode 301 - AI Browsers, New AI Agent Attacks, Framework Checklists
    2025/10/28
    In this episode, Seth and Ken debate OpenAI's Atlas browser, which embeds AI into web browsing. Ken views it as a major privacy concern, potentially accelerating invasive data collection and surveillance. Seth noted that new browsers historically have critical flaws. They acknowledged that AI is very useful for generic and technical internet searches. They discussed the Co-Fish attack, a phishing vulnerability in Microsoft Copilot Studio that could exfiltrate access tokens via a seemingly valid Microsoft URL. Finally, they noted that big companies like Snyk and Black Duck are moving toward agentic AI capabilities, confirming the industry trend.
    続きを読む 一部表示
    1分未満
  • Episode 300 - THIS! IS! APPSEC!

    Episode 300 - THIS! IS! APPSEC!
    2025/10/14
    For the 300th (!!!!) episode of the podcast, Seth and Ken reminisce on changes to the industry and overall approach to application security since inception. The hosts discussed the evolution of the industry, noting that once-popular approaches like blindly emulating "hip" Silicon Valley security programs and running unmanaged Security Champions Programs have fallen out of favor, as organizations now better understand that these approaches are not one-size-fits-all and require careful, metrics-driven management. While Bug Bounty Programs remain popular, they noted an increase in submissions from "skiddies" (script kiddies) that challenge program effectiveness and highlight the need for internal support and a proactive stance before rolling out a public program. Positively, they observed that the industry has become more mature, focusing on business value, metrics, and ROI , a move that may have been accelerated by recent economic pressures. Furthermore, security practices have improved, with the decline of common vulnerabilities like XSS and SQL Injection due to safer frameworks and browser controls, allowing AppSec professionals to focus on more complex issues, such as business logic flaws and focused threat analysis, while the once monolithic process of threat modeling has evolved into a more nimble, "point-in-time" assessment readily adopted by developers.
    続きを読む 一部表示
    1分未満
まだレビューはありません