Absolute AppSec

By: Ken Johnson and Seth Law

About this title

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
  • Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout
    May 12 2026
    Ken is away, so Stefan Edwards (lojikil) joins Seth to talk all things AppSec. This episode starts by exploring the acceleration of AI on the offensive side of security, enabling threat actors to automate complex tasks like patch diffing, gadget discovery, and reverse engineering binaries. The conversation highlights a recent milestone where an AI-driven tool, Mythos, successfully identified a vulnerability in curl, signaling a shift from "AI slop" to more relevant bug reports. However, Stefan remains skeptical of LLMs' ability to build secure, large-scale systems, noting their tendency to produce rigid or inconsistent code structures. This imbalance creates a "bad time for defenders," as blue team burnout increases due to the sheer volume of automated agents scanning attack surfaces near-instantaneously. The hosts conclude that while AI provides a "godsend" for testing neglected legacy applications, organizations must return to security basics—such as the principle of least authority and robust disaster recovery—to manage the expanding blast radius of modern breaches. Ultimately, they view AI as a fast, knowledgeable "junior" that requires human expertise to validate and orchestrate effectively.
    Less than 1 minute
  • Episode 319 - Vercel Breach, Security vs. Compliance, Pull Request Flows w/ AI Agents
    Apr 21 2026
    Episode 319 covers a range of industry developments, primarily focusing on the recent Vercel security incident and the evolving landscape of AI-driven compliance. The hosts detail how a Vercel employee's use of a consumer-level Context AI plan led to a workspace compromise via a leaked OAuth token, eventually allowing attackers to access sensitive environment variables. This leads to a critical discussion about the SOC 2 provider Delve, with the hosts addressing allegations regarding "fake" compliance automation and the general limitations of auditing frameworks that do not inherently equate to true security. This episode also explores the future of the Pull Request (PR) flow, debating whether traditional human-led code reviews are "dead" due to the massive volume of code generated by AI agents. While they acknowledge that startups are moving toward autonomous commits, Seth argues that the PR concept is evolving into a system of agentic attestation and guardrails rather than disappearing entirely. The episode concludes with community survey results on this shift and a reminder about the hosts' upcoming training sessions in Singapore.
    Less than 1 minute
  • Episode 318 - Slack Impersonation, Mythos, Vulnerability Research Future
    Apr 14 2026
    Episode 318 examines critical vulnerabilities and the evolving impact of AI on the security industry. The episode details a recent sophisticated impersonation and malware attack targeting open-source Slack communities, including their own, where attackers spoofed Seth's identity to distribute malicious links via Google Sites. The hosts express significant frustration with Slack's lack of built-in impersonation controls, comparing the flaw to the inherent trust issues in the Git protocol. A major portion of the discussion focuses on the "leak" of Anthropic's highly capable Mythos model and its potential to disrupt the market. They analyze how such frontier model announcements contribute to massive stock market volatility for traditional security firms while simultaneously creating an "intense echo chamber" regarding AI's ability to replace human practitioners. Referencing Thomas Ptacek's thesis, they debate whether AI agents will soon supplant human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Ultimately, the hosts advocate for autonomous defense and rigorous evaluation frameworks to manage "reasoning drift" and the exploding velocity of AI-generated code.
    Less than 1 minute