Episodes

  • Episode 296 - OWASP Top 10, NX Compromise, Security News Sources
    Sep 2 2025
    Ken and Seth kick off the podcast by reviewing the current state of the OWASP Top 10 project, prompted by recent requests and interactions from various contributors on the Absolute AppSec Slack. This is followed by an in-depth breakdown of the recent NX npm package compromise. The breakdown shows that even though AI was weaponized to exfiltrate data, the main exploit was the result of a command injection flaw. Crocs and Socks coming back to bite all of us. Finally, Ken and Seth provide a list of resources they use to monitor the wider security community.
  • Episode 295 - DEF CON 33 Recap, Crocs and Socks (and Bots)
    Aug 26 2025
    Seth and Ken return with a new episode summarizing their experience at DEF CON 33 and all things Las Vegas over the past month. This includes panels, talks, workshops, happy hours, and even corporate (boo) events. This is followed by discussion of a few research items that came out of the conference, including James Kettle's "HTTP/1.1 Must Die" talk. Finally, why AI is infecting application security.
  • Episode 294 - w/ Anshuman Bhartiya - AppSec in the Age of AI
    Aug 19 2025
    Just in time for AppSec sweeps week, Anshuman Bhartiya joins Seth Law (sethlaw on social media) and Ken Johnson (cktricky) on the Absolute AppSec podcast. With over a decade in the security industry, Anshuman brings a wealth of knowledge in web application penetration testing and product security for major enterprises (EMC, Intuit, Atlassian, Lytx, etc.). He is currently the Tech Lead for Application Security at Lyft and co-host of The Boring AppSec Podcast. Read more about Anshuman's work in the AppSec community at his webpage: https://www.anshumanbhartiya.com. Join us for a wide-ranging conversation about making it in information security and AppSec.
  • Episode 293 - AppSec's Reality Gap
    Jul 29 2025
    Spurred by a recent article from Venture in Security, this episode delves into the practical application of security within an organization's SDLC. Covering a range of issues from gaps in contextual understanding to disingenuous vendor claims, Seth and Ken share their experiences dealing with small and large organizations at varying levels of maturity. Some degree of nihilism is warranted, but recent developments using generative AI are cause for optimism in the space.
  • Episode 292 - Manual Source Code Review, AI Slop in Bug Bounties, AppSec Authorization
    Jul 15 2025
    Seth and Ken are _back_ to talk through some recent experiences and news across the industry. To start the episode, Seth highlights the edge cases uncovered during manual code review that require context to understand and identify. Inspired by a recent post on AI slop in the curl bug bounty program, the duo addresses the increase of slop across bug bounty reports and why it happens. Finally, a discussion of McDonald's recent authorization flaw that potentially exposed millions of job applicants' data.
  • Episode 291 - w/ Sean Varga - OWASP Top 10 of AppSec Sales
    Jul 8 2025
    Sean Varga, current regional sales manager with noted ASPM company Cycode, joins Ken (@cktricky) and Seth (@sethlaw) to discuss the dawning realization organizations are having that they need AppSec experience and tech help to accompany their swelling numbers of developers. Sean introduces "the OWASP Top 10 for AppSec Sales" to the community. Before joining Cycode, Sean worked as Large Enterprise Sales Manager at Apiiro and Enterprise Account Executive at Secure Code Warrior. He's also had stints at Veracode, Quest Software, and RSA across his career. We'll get to know Sean and his journey into AppSec, as well as his insights on the direction he sees things going moving forward. Connect with or follow Sean on LinkedIn to see what he's up to in the meantime: https://www.linkedin.com/in/sean-varga/
  • Episode 290 - Authentication Fatigue, Browser AI Agents
    Jul 1 2025
    Ken returns after a week's hiatus to review the latest AppSec news with Seth. Specifically, the idea that authentication fatigue exists for both consumers and developers: the sheer number of choices for implementing security controls can have unintended consequences and introduces risk that may or may not be considered. This is followed by research from SquareX claiming that browser AI agents are riskier and easier to target than employees, which leads into opinions on phishing and on protecting consumers and businesses from targeting by attackers.
  • Episode 289 - Return of @lojikil - Context Matters
    Jun 24 2025
    With @cktricky out on a grand tour across the country (or just unable to record for the day), @sethlaw succumbs to the dark side and gives @lojikil a platform to talk about recent developments in the application security world. Specifically, a discussion of vulnerability data and scoring mechanisms, including CVE, CVSS, CWSS, and other acronyms. The episode wraps up with a longer discussion on the use of AI across multiple disciplines and the provenance of AI slop.