
Absolute AppSec

By: Ken Johnson and Seth Law

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
Episodes
  • Episode 322 - Megalodon, Staged Package Publishing, AI Powered Honeypots
    May 26 2026
    In episode 322, the co-hosts examine critical vulnerabilities, changing security standards, and adaptive defense mechanisms. They deep dive into the recent "Megalodon" breach, identifying it as a direct poisoned pipeline execution attack. Rather than exposing a flaw inside GitHub itself, researchers at Hudson Rock traced the root cause to credentials stolen from developer desktops via infostealer malware, which allowed attackers to push base64-encoded payloads into GitHub Actions workflow YAML files. To counter these types of automated supply chain threats, the hosts praise NPM's newly released "staged publishing" pipeline, which mandates two-factor authentication from human maintainers before releasing packages pushed by automated CI/CD workflows. Shifting to framework flaws, they highlight a catastrophic, vanilla SQL injection flaw discovered in GoCMS during active exploitation. Finally, the duo reviews the emergence of AI-powered honeypots highlighted by Talos Intelligence. They conclude that turning the tables on attackers by using LLM-driven "hall of mirrors" environments to impersonate real systems represents an innovative, under-explored AppSec strategy designed to drain attacker resources and trigger high token costs.
  • Episode 321 - The Future of AppSec
    May 19 2026
    In episode 321 of Absolute AppSec, the co-hosts dive into a sprawling discussion about the future of Application Security amid the heavy noise of artificial intelligence and automated tools. The hosts start with a debate on whether traditional AppSec fundamentals remain relevant. Drawing analogies to the industrialization of car manufacturing and the transition to autonomous labor, they predict that while line-by-line coding and manual code reviews are fading, human intuition, safety guardrails, and system management will remain indispensable. They voice mutual frustrations with modern university cybersecurity curricula for overemphasizing abstract theories while neglecting hands-on operational tools. Despite the rising trend of vibe-coding and the reality of AI-generated bugs, Seth and Ken argue that core principles, such as networking, authentication, authorization, and auditing (AAA), remain fundamentally unchanged. To illustrate this point, they examine how passkeys operate via asymmetric public-private key pairs under the WebAuthn spec. They conclude that as the software landscape becomes increasingly abstracted, the primary responsibility of a senior security generalist shifts from executing manual tasks to auditing, managing, and validating agentic autonomous workflows.
  • Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout
    May 12 2026
    Ken is away, so Stefan Edwards (lojikil) joins Seth to talk all things AppSec. This episode starts by exploring the acceleration of AI on the offensive side of security, enabling threat actors to automate complex tasks like patch diffing, gadget discovery, and reverse engineering binaries. The conversation highlights a recent milestone where an AI-driven tool, Mythos, successfully identified a vulnerability in curl, signaling a shift from "AI slop" to more relevant bug reports. However, Stefan remains skeptical of LLMs' ability to build secure, large-scale systems, noting their tendency to produce rigid or inconsistent code structures. This imbalance creates a "bad time for defenders," as blue team burnout increases due to the sheer volume of automated agents scanning attack surfaces near-instantaneously. The hosts conclude that while AI provides a "godsend" for testing neglected legacy applications, organizations must return to security basics—such as the principle of least authority and robust disaster recovery—to manage the expanding blast radius of modern breaches. Ultimately, they view AI as a fast, knowledgeable "junior" that requires human expertise to validate and orchestrate effectively.