Episodes

  • Episode 298 - Shai Halud, Layered Security, New Commandments of Security Teams
    2025/09/16
    In what is (sadly) becoming a weekly segment, this episode starts with the latest installment of npm package takeovers, dubbed Shai Halud, as discussed in Slack and analyzed by Paul McCarty and team. Strategies are discussed for monitoring packages and preventing malware from entering an organization's products. This is followed by an article on security via intentional redundancy when designing sensitive application functionality. Finally, analysis of a recent article from Frankly Speaking that lists a series of new commandments for security teams, most of which both Seth and Ken agree with, with some caveats.
  • Episode 297 - True/False Positives, Phishing Package Maintainers
    2025/09/09
    The Absolute AppSec duo returns with an in-depth episode on true and false positives, where context matters and business impact must be taken into account in order to avoid rabbit holes. This discussion was spurred by a recent article from signalblur of magonia.io discussing alerts in a security operations center. In short, the existence of a flaw (or alert) is not enough by itself; true impact comes from understanding context. Anyone want t-shirts? Then, a discussion of the recent successful phish of an npm package maintainer, which exposed millions of projects depending on popular npm packages. It happens, folks, protect yourself.
  • Episode 296 - OWASP Top 10, NX Compromise, Security News Sources
    2025/09/02
    Ken and Seth kick off the podcast by reviewing the current state of the OWASP Top 10 project, given recent requests and interactions with various contributors on the Absolute AppSec Slack. This is followed by an in-depth breakdown of the recent NX npm package compromise. The breakdown shows that even though AI was weaponized to exfiltrate data, the initial foothold was a command injection flaw. Crocs and Socks coming back to bite all of us. Finally, Ken and Seth provide a list of resources they use to monitor the wider security community.
  • Episode 295 - DEF CON 33 Recap, Crocs and Socks (and Bots)
    2025/08/26
    Seth and Ken return with a new episode summarizing their experience at DEF CON 33 and all things Las Vegas over the past month, including panels, talks, workshops, happy hours, and even corporate (boo) events. This is followed by discussion of a few research items that came out of the conference, including James Kettle's "HTTP/1.1 Must Die" talk. Finally, why AI is infecting application security.
  • Episode 294 - w/ Anshuman Bhartiya - AppSec in the Age of AI
    2025/08/19
    Just in time for AppSec sweeps week, Anshuman Bhartiya joins Seth Law (sethlaw on social media) and Ken Johnson (cktricky) on the Absolute AppSec podcast! With over a decade in the security industry, Anshuman brings a wealth of knowledge in web application penetration testing and product security for major enterprises (EMC, Intuit, Atlassian, Lytx, etc.). As the current Tech Lead for Application Security at Lyft and co-host of The Boring AppSec Podcast, he has deep experience across AppSec topics. Read more about Anshuman's work in the AppSec community at his webpage: https://www.anshumanbhartiya.com. Join us for a wide-ranging conversation about making it in information security and AppSec.
  • Episode 293 - AppSec's Reality Gap
    2025/07/29
    Spurred by a recent article from Venture in Security, this episode delves into the practical integration of security into an organization's SDLC. Covering a range of issues from gaps in contextual understanding to disingenuous vendor claims, Seth and Ken share their experiences dealing with small and large organizations at varying levels of maturity. Some degree of nihilism is warranted, but recent developments using generative AI are cause for optimism in the space.
  • Episode 292 - Manual Source Code Review, AI Slop in Bug Bounties, AppSec Authorization
    2025/07/15
    Seth and Ken are _back_ to talk through some recent experiences and news across the industry. To start the episode, Seth highlights the edge cases uncovered during manual code review that require context to understand and identify. Inspired by a recent post on AI slop in the curl bug bounty program, the duo addresses the increase of slop across bug bounty reports and why it happens. Finally, a discussion of McDonald's recent authorization flaw that potentially exposed millions of job applicants' data.
  • Episode 291 - w/ Sean Varga - OWASP Top 10 of AppSec Sales
    2025/07/08
    Sean Varga, current regional sales manager with noted ASPM company Cycode, joins Ken (@cktricky) and Seth (@sethlaw) to discuss the dawning realization organizations are having that they need AppSec experience and tech help to accompany their swelling numbers of developers. Sean introduces "the OWASP Top 10 for AppSec Sales" to the community. Before joining Cycode, Sean worked as Large Enterprise Sales Manager at Apiiro and Enterprise Account Executive at Secure Code Warrior. He's also had stints at Veracode, Quest Software, and RSA across his career. We'll get to know Sean and his journey into AppSec, as well as his insights on where he sees things going from here. Connect with or follow Sean on LinkedIn to see what he's up to in the meantime: https://www.linkedin.com/in/sean-varga/