We are happy to have Kayra Otaner as a special guest on the Absolute AppSec podcast. Kayra (kayraotaner on LinkedIn and X/twitter), the current Director of DevSecOps at Roche, brings over 15 years of cybersecurity leadership experience from New York and Wall Street. He's led DevSecOps and DevOps teams across a variety of organizations, including AD…

News this week has been dominated by dependency issues and attribution towards unwanted nation states and actors. Specifically, easyjson is developed by a Russian firm that is under sanctions. The podcast duo discuss the implications and how to protect apps from sub-dependency threats. This leads to a deep dive into breaches and whether a breach ha…

Back after a hiatus for both BSidesSF and RSA, Seth and Ken recap their experience at both conferences. TL;DR - BSidesSF is great for technical security content and community, RSA focuses on sales for mostly large organizations and budgets. Two sides of the security industry coin and depends on preferences for which makes the most sense for career …

Ok, so vulnerable MCP tools are a thing now? Ken demonstrates installing and running an intentionally vulnerable MCP server with a bunch of example issues. Following is a discussion of the recent article and research around hallucinations of 3rd party dependencies/libraries in AI-Generated Python and JavaScript. New attack targets all dependent on …

It is time to talk about Model Context Protocol (MCP), Google's Agent 2 Agent specification, and get back to the crocs and socks of authentication for Non-Human Identities (NHIs). MCP servers have exploded over the last few weeks and provide a standard mechanism for LLMs to interact with pretty much _anything_. Seth and Ken talk about the risks, ex…

The duo are back for a discussion on securing machine learning models using Sigstore, based on a recent blog post from Google Security. Followed by some spicy takes on opinions on vibe coding and its effects on application and product security. Finally, short-lived tokens used to exploit RCE against the GitHub CodeQL Action.…

Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of usi…

After a week's hiatus, Ken and Seth return and start with a discussion on OWASP conferences and the effectiveness of attendance for vendors. This is followed by an expansive mental health discussion inspired by a recent blog post on Destructive Fatigue from Justin Larson at Redpoint Security. A constant focus on breaking and tearing down applicatio…

Seth and Ken return without a guest to discuss recent news, breaches, and research. Initial discussions around the purposes of the various security conferences and what is recommended for various professional levels. An article discussing recent customer data exposure by Zapier in git test data. Synthetic test data has been an issue for long time s…

Kyle Rippee, currently staff product security engineer at Tines, joins Seth and Ken for another episode of Absolute AppSec. Kyle has over a decade of experience both managing and working for Application Security teams, as well as working as a pentester, security consultant, and software engineer. Before Tines, he worked for PlanetArt (where he held…

Myles is currently Product Lead for Developer Platform at Snowflake. Previously, he directed project management at GitHub, overseeing projects like GitHub Copilot Workspace for PRs, Codespaces, npm, and Packages. A key contributor to Ecma International and TC39, he has served for stretches as a Delegate, Co-Chair, and VP for the project. His contri…

Ken and Seth are back for another episode that starts with a summary of the Semgrep and OpenGrep break. This is followed by Google's recent article titled Secure By Design: Google's Blueprint for a High-Assurance Web Framework. Google is focused on protections within the browser, given their products and business, but the controls and overall proce…

Seth and Ken return for another week to review current articles and happenings in the application security world. Specifically, they spend some time reacting to the news that the Semgrep Community version has been forked as Opengrep by a number of vendors. This occurs as a result of Semgrep changing the licenses on their open source rules to preven…

Josh Larsen, co-founder of CTO of Ghost Security, joins Seth Law and Ken Johnson on January 28th at 12 Noon Eastern time. Before Ghost Security, Josh was a co-founder and CEO of Darkbit and before that of the Blackfin Security Group. Larsen led the GTM strategy for both startups, and Darkbit and Blackfin Security Group were acquired by Aqua Securit…

Ken and Seth start with a demo and discussion on some newer tools that use integrated AI in both the code and workflow spaces. Specifically, use for code review and understanding is improving. This is followed by a wide-ranging discussion of false positives, where they come from, and how they affect application security. Seth gets up in arms about …

Seth and Ken return once again to talk through the overall effectiveness and purpose of Portswigger's Top 10 Web Hacking Techniques and how it benefits the community. A short discussion on some of the current crop of techniques up for polling. Spurred by recent revelations around Snyk's approach to identifying security issues in npm packages, the d…

Ken and Seth return for 2025 to review the accuracy of their predictions from 2024 and make a few new ones for this new year. Some hits and misses for last year, but overall the generic predictions for both AI/LLM growth and software supply chain security were accurate. However, they were wrong in their assumptions around LLM creation and training.…

The dynamic duo is back for another holiday special. Not that they reference the holidays, but dig into complaints about security conferences and how to build a conference network. Followed by a discussion inspired by a recent TL;DRSec post from Maya Kaczorowski on "What Sucks about Security" where security leaders were asked that specific question…

Seth and Ken are happy to announce that Clint Gibler (@clintgibler), the force behind TL;DRSec (tldrsec.com) and head of Security Research at Semgrep, will be coming on as a guest again on the Absolute AppSec podcast. The conversation starts with background on his experience with TL;DRSec and writing a newsletter. Followed up by an indepth discussi…

Join us for an episode of Absolute AppSec with Kinnaird McQuade, founder and CTO of NightVision. Kinnaird developed NightVision as a security testing tool that combines codebase analysis with DAST features. Before NightVision, Kinnaird worked as lead security engineer at both Square and Salesforce. Additionally he worked at Synopsys as Cloud Securi…

Seth (@sethlaw) and Ken (@cktricky) return for an in-depth discussion on penetration testing expectations, driven by recent posts and slack activity from Andrew Wilson. Essentially, certain clients expect that a single penetration test finds everything possible, whether or not those expectations are appropriate. The duo expounds on their experience…

Scott Norberg joins Ken Johnson and Seth Law for an episode of Absolute AppSec all about SAST. Scott is an ASP.NET Security Consultant, Author, Researcher and Speaker. In addition to running his Opperis Technologies consultancy, Scott has recently begun working as lead application security architect at CDW. Before that he worked as Lead Application…

Jeremy Long (@ctxt on social media), Principal Security Engineer at Service Now and project founder and lead for the OWASP Dependency Check project joins Ken Johnson (@cktricky) and Seth Law (@sethlaw). Jeremy spent a decade and a half as a lead application security engineer and principal engineer at Wells Fargo before joining ServiceNow. He has sp…

Ken and Seth return for Episode #263 and start with a discussion around web application fuzzing and the deficiencies of vulnerability and exploit-focused dynamic testing, a common thread in Seth's ranting. This is followed by a discussion on mobile testing and attempting to control security through client-side controls, spurred by an article that c…

Ariel Shin joins Ken Johnson (@cktricky on social media) and Seth Law (@sethlaw) for a special episode of Absolute AppSec. Ariel is currently a Security Engineering Manager at Datadog after a three-year stint at Twilio where she worked as an engineering manager in product security, a product security team lead, and a senior product security enginee…

Ken (@cktricky) and Seth (@sethlaw) are back to review this weeks news and commiserate about industry happenings. First up are their thoughts on the current economic climate and how it has affected the security industry over the last 5 years. This is followed with evolving nature of password reset requirements as frequent changes are not recommende…

Absolute AppSec welcomes Darren Meyer (@DarrenPMeyer on infosec.exchange and X platform) from Endor Labs as a guest on the show to discuss Endor Lab’s newly released 2024 Dependency Management Report. Implementation of reachability analysis as a sine qua non of effective dependency management is one of the top-line takeaways from the newly released…

Seth and Ken take the podcast global this week while traveling to Melbourne, Australia. The duo is joined this episode are joined by Paul McCarty and Daniel Ting, both involved in the local application security community. The discussion starts with a comparison of industries in Australia and the United States, both differences and similarities. Thi…

Seth (@sethlaw) and Ken (@cktricky) are back this week with some hot takes on the recent cancellation of OWASP's San Francisco Developer Days that were running alongside Global AppSec San Francisco. OWASP has struggled to engage the development community over the years and this is no surprise for anyone in AppSec/ProdSec. This is followed by review…

Ken (@cktricky) returns alongside Seth (@sethlaw) for the week. This starts with an in-depth discussion on the pros and cons of in-person and virtual trainings. In short, the duo prefers in-person due for the advantages, but understand that financial pressures come into play, so virtual is a good substitute. This is followed by thoughts on the rece…

Ken Johnson (@cktricky) abandons the podcast this week to attend a conference and play business, so Seth (@sethlaw) bring in Cloud Security Partners CTO John Poulin (@forced_request) as a co-host. John and Seth start off by discussing the difference in virtual and in-person training. This is followed by two articles. The first is from CrankySec, wh…

Seth and Ken are back from Vegas for Episode 0xFF (!!!!) of Absolute AppSec, sponsored by Redpoint Security (redpointsecurity.com). After spending the last week+ withering away in the desert heat while listening to industry insiders, technicians, and hackers talk about their research, the duo have returned dehydrated to share their own experiences …

Seth and Ken return this week at a slightly unusual time help get you prepped for all things Hacker Summer Camp. As regular visitors to Las Vegas each year for Blackhat, BSidesLV, DEF CON, and other events, the duo has recommendations for making the most of your time in the desert. Specifically, download HackerTracker (https://hackertracker.app), p…

We'd only been a dozen episodes old the last time Justin Collins (@presidentbeef) was on Absolute AppSec, so his upcoming return is certainly overdue. Justin is currently head of security at Gusto, an organization he's been helping secure for nearly five years now. Before Gusto, Justin had stints at SurveyMonkey, Twitter, AT&T interactive, among ot…

Product Security and Cloud security guru Rami McCarthy (@ramimacisabird on X) comes on the Absolute AppSec podcast with Ken and Seth (@cktricky and @sethlaw)! To get to know Rami, you should first check out his website here to get acquainted with some of his latest prodigious activities: https://ramimac.me/. He’s recently delivered a talk regarding…

Seth and Ken are back with Episode 251, continuing on with their ranting over all things application security. This starts with a discussion of Mozilla's HTTP Observatory that scans sites for security-relevant headers and leads to a discussion of so-called "passive" scanning of internet sets for risk analysis purposes. This is followed by a walkthr…

Seth and Ken are back on the podcast this week without a guest for the first time in a month and start out with an in-depth discussion on startup life based on a recent article from TLDR;Sec. This is followed by thoughts on the recent influx of cash for Portswigger and how it will affect work and the testing space over the next few years. Finally, …

Tanya Janca (@shehackspurple on X) joins Ken Johnson (@cktricky) and Seth Law (@sethlaw) for a special episode of the Absolute AppSec podcast. Tanya is currently head of education and community at Semgrep, and is a prominent info security commenter and active contributor to improving the industry for everybody through helping spread values of diver…

Rahil Parikh, manager of Security Engineering and Architecture @ Policygenius, joins Seth Law and Ken Johnson for an episode of Absolute AppSec. Rahil is long-time leader in information security who's managed security teams and application security programs at a range of organizations: Policy Genius, Zinnia, the New York Times, Frame.io (now Adobe)…

Absolute AppSec welcomes Alejandro Saenz to join Seth Law and Ken Johnson as a guest. Alejandro has been active in application and product security fields for over a decade, most recently working in product security for Twilio. Before that he worked as a senior application security engineer and software engineer at Softrams and as an application se…

Charles Shirer joins Absolute AppSec for a special episode of the show. Charles has decades of experience as a pentester, threat hunter, red teamer, and security consultant. He's CEO of GlobalWave consulting, a security consulting firm that's been serving clients for over a decade. Charles is also a frequent conference speaker, online commentator, …

Dustin Lehr, current director of AppSec at data integration company Fivetran, joins Seth and Ken for a special episode of Absolute AppSec. Dustin has spent years helping improve companies' security cultures industry-wide, through his work co-founding Katilyst Security which focuses on helping companies create security champion programs. Additionall…

Kyle Kelly joins Seth Law and Ken Johnson as a special guest on the Absolute AppSec podcast. Kyle is an Executive Cybersecurity Consultant at Bancsec, Inc, and Security Researcher at Semgrep, and founder of the wonderful Cramhacks newsletter. As a consultant and researcher, Kyle specializes in supply chain security, a speciality that informs the th…

Bryan Schmidt, information security lead at Adept AI is joining Ken Johnson (@cktricky on twitter/x) and Seth Law (@Sethlaw) for a special episode of Absolute AppSec. Before Adept.AI, Bryan spent the last half decade working as a security engineering manager at, first, Flatiron Health and, later ChowNow, and he worked as a penetration tester and se…

Seth and Ken return with analysis of recent research that shows LLMs exploiting known CVEs. And no, it's not completely autonomous yet. This is followed by a breakdown of DataDog's State of DevSecOps article, backing up our gut feel of current industry needs and failures.

**Video may be required**: this episode is focused on demonstrating uses of LLMs against various code. As such, listeners may want to watch the stream to see these uses rather than just listening. Also, Seth and Ken talk briefly at the beginning of the episode about a new tldr;sec project (thanks Clint!) called awesome secure defaults that lists ou…

After a week of travel, Seth and Ken return to the podcast with a breakdown of their travel experiences at multiple conferences and teaching their first Practical Secure Code Review course using LLMs to enhance the methodology. This is followed by reinforcement of code review steps including library research, a discussion of the recent XZ backdoor,…

When Ken is away, the geeks will play. Seth is joined by podcast regular Stefan Edwards (@lojikil) to catch up on his recent work around threat hunting. This progresses into a discussion on threat intelligence and what is available for applications. A recent blog post on the utility of the CVE system spurs thoughts on the usefulness of published CV…

Ken and Seth are back to talk about the difference and competing priorities of Application and Enterprise Security. In short, recent news contends that Enterprise or Infrastructure security is lacking, whereas Application or Product Security is in a good state. This is followed by a discussion on supply chain security tools due to a recent analysis…

Ken and Seth return for another episode, starting out with pointers on getting into security and finding a niche, all based on a recently released Microsoft project to introduce anyone to security. This is followed by a discussion on Chinese hacking groups and recent breaches among those groups. Finally, a discussion protecting the software supply …