
Absolute AppSec

By: Ken Johnson and Seth Law

About this title

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
  • Episode 319 - Vercel Breach, Security vs. Compliance, Pull Request Flows w/ AI Agents
    Apr 21 2026
    Episode 319 covers a range of industry developments, primarily focusing on the recent Vercel security incident and the evolving landscape of AI-driven compliance. The hosts detail how a Vercel employee's use of a consumer-level Context AI plan led to a workspace compromise via a leaked OAuth token, eventually allowing attackers to access sensitive environment variables. This leads to a critical discussion about the SOC 2 provider Delve, with the hosts addressing allegations regarding "fake" compliance automation and the general limitations of auditing frameworks that do not inherently equate to true security. This episode also explores the future of the Pull Request (PR) flow, debating whether traditional human-led code reviews are "dead" due to the massive volume of code generated by AI agents. While they acknowledge that startups are moving toward autonomous commits, Seth argues that the PR concept is evolving into a system of agentic attestation and guardrails rather than disappearing entirely. The episode concludes with community survey results on this shift and a reminder about the hosts' upcoming training sessions in Singapore.
    Less than 1 minute
  • Episode 318 - Slack Impersonation, Mythos, Vulnerability Research Future
    Apr 14 2026
    Episode 318 examines critical vulnerabilities and the evolving impact of AI on the security industry. The episode details a recent sophisticated impersonation and malware attack targeting open-source Slack communities, including their own, where attackers spoofed Seth's identity to distribute malicious links via Google Sites. The hosts express significant frustration with Slack's lack of built-in impersonation controls, comparing the flaw to the inherent trust issues in the Git protocol. A major portion of the discussion focuses on the "leak" of Anthropic's highly capable Mythos model and its potential to disrupt the market. They analyze how such frontier model announcements contribute to massive stock market volatility for traditional security firms while simultaneously creating an "intense echo chamber" regarding AI's ability to replace human practitioners. Referencing Thomas Ptacek's thesis, they debate whether AI agents will soon supplant human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Ultimately, the hosts advocate for autonomous defense and rigorous evaluation frameworks to manage "reasoning drift" and the exploding velocity of AI-generated code.
    Less than 1 minute
  • Episode 317 - (Post-RSAC/BSidesSF), Supply Chain Security, Future of SDLC
    Mar 31 2026
    Ken Johnson and Seth Law reflect on the 2026 RSA Conference and BSidesSF, noting an industry-wide "awakening" regarding the high costs and engineering complexities of operationalizing AI security tools. A major focus is the recent "supply chain attack hell," specifically the compromise of the Axios HTTP client through dual-account breaches that allowed attackers to bypass legitimate OIDC deploy setups via a misconfigured NPM CLI. The malware used was particularly evasive, deleting itself and replacing its package.json with a clean version post-execution. The hosts also discuss the emergence of the "Agentic Development Lifecycle" (ADLC), where engineering teams are increasingly "committing on time" rather than features, creating a volume of code that traditional security gates cannot manage. They debate Thomas Ptacek’s thesis that AI agents will soon "supplant" human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Economically, they highlight how Anthropic's security announcements contributed to nearly half a trillion dollars in market value loss for traditional security firms, as investors increasingly bet on frontier models to consume established security domains.
    Less than 1 minute
No reviews yet