Couverture de Absolute AppSec

Absolute AppSec

Absolute AppSec

De : Ken Johnson and Seth Law
Écouter gratuitement

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
Épisodes
  • Episode 327 - w/Coffee, Chaos, and ProdSec - ASPM Consolidation, Vuln Prioritization
    Jul 14 2026
    In episode 327 of Absolute AppSec, co-hosts Ken Johnson and Seth Law present a highly anticipated quarterly crossover episode with Cameron and Kurt from the Coffee, Chaos, and ProdSec podcast. Sponsored by GuardSquare, the group begins with lighthearted banter about their personal footwear choices before tackling heavy architectural debates. The primary focus shifts to Application Security Posture Management (ASPM) consolidation. Cameron strongly advocates for utilizing ASPM as a distinct, single pane of glass dashboard to deduplicate vulnerabilities and streamline executive reporting by product suite. However, the hosts contrast this ideal against the messy reality of organizations dealing with a "Frankenstein" mix of loosely bootstrapped open-source scanning tools and competing vendor plugins. The discussion deepens into prioritization strategies amid a massive, AI-driven surge in vulnerability research that threatens to double annual CVE counts. Cameron and Kurt stress the necessity of shifting away from abstract CVSS scores toward custom, runtime-informed risk appetites and impact analysis—prioritizing the hardening of high-risk corporate assets over low-reachability internal flaws. They also examine the critical line separating standard software bugs from intentionally malicious open-source packages that target developer endpoint systems. Ultimately, the panel laments that AppSec teams are effectively functioning as corporate incident responders because Security Operations Center (SOC) analysts lack product-level insight. The episode concludes with a review of automated agent statistics and a fun look ahead to the future emergence of meta OWASP top-ten risk lists.
    Afficher plus Afficher moins
    Moins d'une minute
  • Episode 326 - AppSec Jobs, Benchmarking LLMs, Open Web Standards
    Jul 7 2026
    In episode 326 of Absolute AppSec, sponsored by mobile application security provider GuardSquare (guardsquare.com), the hosts start with a deep-dive into pre-show discussions about the shifting macroeconomic landscape of AppSec jobs. They analyze an industry-wide trend where corporate hiring is pivoting away from external third-party consultancies and contractors. Instead, maturing organizations are forming internal product security "tiger teams" and hiring dedicated security software engineers across general development lifecycles to handle the exponential volume of code generated by artificial intelligence. Turning to AI-driven engineering, they dissect a research paper tracking security vulnerability mitigations through large language model (LLM) feedback. The paper reveals a distinct degradation in code quality and an explosion of "false positives" or unreachable flaws after the fourth or fifth iteration due to compressed context windows and "context drift." Ken highlights his own grueling experience benchmarking AINative software. He heavily cautions that letting models self-score or automatically review code introduces dangerous biases, reinforcing the absolute baseline requirement for humans to critically audit all LLM outputs. Finally, they examine Open Web Docs' new web security guidelines community group, comparing its browser-centric standard party focus to OWASP's broader, audit-driven charter. They close by promoting an upcoming July podcast collaboration with Coffee, Chaos, and ProdSec.
    Afficher plus Afficher moins
    Moins d'une minute
  • Episode 325 - Simplified Threat Modeling, Defining A Vulnerability
    Jun 30 2026
    In episode 325 of Absolute AppSec, co-hosts Ken Johnson and Seth Law first break down an informal guide to threat modeling, arguing that overly prescriptive frameworks like STRIDE induce a heavy cognitive load on developers. Instead, they advocate for simplified, creative questions to expose architectural gaps, citing a historical GitHub planning flaw where private repository images were left exposed on S3 by relying solely on URL obfuscation. They warn that while rapid development in 2026 pushes toward automated lifecycles, human oversight, critical logging, and constructive friction remain essential. Next, they dissect a research paper exploring the philosophical definition of a vulnerability, framing it as a system disposition arising from a fault that manifests as a failure only when environmental and attacker conditions are jointly met. This definition sparks a debate on whether a flaw must carry immediate risk to qualify as a vulnerability, particularly when evaluating modern AI challenges like system prompt disclosures or exposed deprecated API paths.
    Afficher plus Afficher moins
    Moins d'une minute
adbl_web_anon_alc_button_suppression_t1
Aucun commentaire pour le moment