Episodes

  • Episode 300 - THIS! IS! APPSEC!

    Episode 300 - THIS! IS! APPSEC!
    Oct 14 2025
    For the 300th (!!!!) episode of the podcast, Seth and Ken reminisce on changes to the industry and overall approach to application security since inception. The hosts discussed the evolution of the industry, noting that once-popular approaches like blindly emulating "hip" Silicon Valley security programs and running unmanaged Security Champions Programs have fallen out of favor, as organizations now better understand that these approaches are not one-size-fits-all and require careful, metrics-driven management. While Bug Bounty Programs remain popular, they noted an increase in submissions from "skiddies" (script kiddies) that challenge program effectiveness and highlight the need for internal support and a proactive stance before rolling out a public program. Positively, they observed that the industry has become more mature, focusing on business value, metrics, and ROI , a move that may have been accelerated by recent economic pressures. Furthermore, security practices have improved, with the decline of common vulnerabilities like XSS and SQL Injection due to safer frameworks and browser controls, allowing AppSec professionals to focus on more complex issues, such as business logic flaws and focused threat analysis, while the once monolithic process of threat modeling has evolved into a more nimble, "point-in-time" assessment readily adopted by developers.
    Show More Show Less
    Less than 1 minute
  • Episode 299 - Startup Grind, Will Security Companies Disappear

    Episode 299 - Startup Grind, Will Security Companies Disappear
    Oct 7 2025
    The duo is back after a short hiatus. Today's episode is inspired by recent articles related to startups, funding, and the grind that happens when building a company or being an individual contributor. Specifically, a recent article about AI startup founders putting in long hours to the exclusion of everything else is debated. This is followed by aa discussion on the current security AI startup hype cycle, spurred by thoughts from FranklySpeaking, and how security companies in general are acquired and disappear over time.
    Show More Show Less
    Less than 1 minute
  • Episode 298 - Shai Hulud, Layered Security, New Commandments of Security Teams

    Episode 298 - Shai Hulud, Layered Security, New Commandments of Security Teams
    Sep 16 2025
    In what is (sadly) becoming a weekly segment, this episode starts with talk of the latest installment of npm package takeovers, dubbed Shai Hulud as discussed in Slack and analyzed by Paul McCarty and team. Strategies discussed for monitoring packages and preventing malware from entering into organization's products. This is followed by an article referencing security via intentional redundancy when designing sensitive application functionality. Finally, analysis of a recent article from Frankly Speaking that lists a series of new commandments for security teams, which are mostly agreed to by both Seth and Ken, with some caveats.
    Show More Show Less
    Less than 1 minute
  • Episode 297 - True/False Positives, Phishing Package Maintainers

    Episode 297 - True/False Positives, Phishing Package Maintainers
    Sep 9 2025
    The Absolute AppSec duo returns with an in-depth episode talking about true and false positives, where context matters and business impact must be taken into account in order to avoid rabbit holes. This discussion spurred by a recent article from signalblur of magonia.io discussing alerts in a security operations center. In short, only considering existence of a flaw (or alert) is not enough by itself. True impact comes by understanding context. Anyone want t-shirts? A discussion of the recent successful phish of an npm package maintainer, resulting in exposure of millions of projects depending on popular npm packages. It happens, folks, protect yourself.
    Show More Show Less
    Less than 1 minute
  • Episode 296 - OWASP Top 10, NX Compromise, Security News Sources

    Episode 296 - OWASP Top 10, NX Compromise, Security News Sources
    Sep 2 2025
    Ken and Seth kickoff a podcast by reviewing current state of the OWASP Top 10 project, given recent requests and interactions on Absolute AppSec slack from various contributors. This is followed by an in-depth breakdown of the recent NX npm package compromise. This breakdown shows that even though AI is weaponized to exfiltrate data, the main exploit was the result of a command injection flaw. Crocs and Socks coming back to bit all of us. Finally, Ken and Seth provide a list of resources used to monitor the wider security community.
    Show More Show Less
    Less than 1 minute
  • Episode 295 - DEF CON 33 Recap, Crocs and Socks (and Bots)

    Episode 295 - DEF CON 33 Recap, Crocs and Socks (and Bots)
    Aug 26 2025
    Seth and Ken return with a new episode summarizing their experience at DEF CON 33 and all things Las Vegas over the past month. This includes panels, talks, workshops, happy hours, and even corporate (boo) events. This is followed by discussion of a few research items that came out of the conference, including James Kettle's HTTP1.1 Must Die talk. Finally, why AI is infecting Application Security.
    Show More Show Less
    Less than 1 minute
  • Episode 294 - w/ Anshuman Bhartiya - AppSec in the Age of AI

    Episode 294 - w/ Anshuman Bhartiya - AppSec in the Age of AI
    Aug 19 2025
    Just in time for AppSec sweeps week, Anshuman Bhartiya is joining Seth Law (sethlaw on social media) and Ken Johnson (cktricky) on the Absolute AppSec podcast! With over a decade in the security industry, Anshuman Bhartiya brings a wealth of knowledge to the table, in web application penetration testing and product security for major enterprises (EMC, Intuit, Atlassian, Lytx, etc). As the current Tech Lead for Application Security at Lyft and co-host of The Boring AppSec Podcast, Anshuman has a wealth of knowledge on AppSec topics. Read more about Anshuman’s work in the AppSec community at his webpage here: https://www.anshumanbhartiya.com. Join us for a wide-ranging conversation about making it in information security and AppSec.
    Show More Show Less
    Less than 1 minute
  • Episode 293 - AppSec's Reality Gap

    Episode 293 - AppSec's Reality Gap
    Jul 29 2025
    Spurred by a recent article from Venture in Security, this episode delves deep into the practical application of security into an organization's SDLC. Covering a range of issues from gaps in contextual understanding to disingenuous vendor claims, Seth and Ken share their experiences dealing with small and large organizations with varying levels of maturity. Some degree of nihilism is warranted, but recent developments using generative AI is cause for optimism in the space.
    Show More Show Less
    Less than 1 minute