Absolute AppSec

Hosted by Ken Johnson and Seth Law

Episodes: 323

Latest episode: Jun 2026

Language: EN-US

About the show

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.

Listen to episodes

60 recent
June 16, 2026

Episode 324 - Three Week Trap, Malicious Extensions

In episode 324 of Absolute AppSec, co-hosts Ken Johnson and Seth Law share a mix of security model critiques. Starting with industry dynamics, Ken recaps his recent presentation at OWASP Nova regarding the limits of human-scale AppSec, recounting a dramatic storm during the talk where patio chairs pelted the high-rise glass. The conversation pivots sharply to Anthropic being forced to pull its "Fable" and "Mythos" cybersecurity models offline due to government sanctions and fears surrounding unpreventable universal jailbreaks. Ken and Seth criticize the company's disingenuous "FUD-based" marketing, which falsely suggested that AI could entirely replace security practitioners. Seth reviews his own blog post regarding the "three-week demo trap", detailing critical, ignored requirements for AI products—such as evaluation, statistical reproducibility, and token cost economics—noting that executing enterprise testing via frontier models can easily exceed $5,000 a day. Transitioning back to fundamental baseline defense, the hosts dissect an article on bypassing Visual Studio Code extension blocks. They emphasize that since modern CDNs pull zipped extensions from distinct domains, blocking the main marketplace URL is completely ineffective. Consequently, they advocate for rigorous data classification, layered on-premise model hosting, and stricter boundary controls on developer endpoints to combat fast-evolving supply chain threats.

June 9, 2026

Episode 323 - Secrets Logs, Prompt Injection Risks

In episode 323 of Absolute AppSec, co-hosts Ken Johnson and Seth Law focus heavily on core application security vulnerabilities, legacy operational struggles, and the challenges of generative AI systems. After briefly discussing Seth’s recent trip to BSides Vancouver and confirming upcoming conference training logistics for Black Hat and DEF CON, the duo dives into the persistent problem of secrets and sensitive data leaking into log files. Referencing an article and talk by Alan Reyes, they unpack the compounding nature of logging failures, noting how system-level integrations and production error conditions often dump entire object blocks or environment variables into third-party tools. They caution that while pattern-based scanners exist, they remain too brittle to capture complex edge cases, and utilizing expensive AI agents to screen every real-time log line is economically impractical. Transitioning to AI security, Seth explores a multi-page research paper analyzing prompt injection. The paper establishes that because large language models mathematically process data through tokenization without any physical or architectural separation between instructions and data contexts, prompt injection cannot be completely solved at the model level. Likening prompt injection to automated social engineering, they argue that the onus currently falls entirely on developers to implement deterministic validation, guardrails, and secure application-level harnesses.

May 26, 2026

Episode 322 - Megalodon, Staged Package Publishing, AI Powered Honeypots

In episode 322, the co-hosts examine critical vulnerabilities, changing security standards, and adaptive defense mechanisms. They take a deep dive into the recent "Megalodon" breach, identifying it as a direct poisoned pipeline execution attack. Rather than exposing a flaw inside GitHub itself, researchers at Hudson Rock traced the root cause to credentials stolen from developer desktops via infostealer malware, which allowed attackers to push base64-encoded payloads into GitHub Actions workflow YAML files. To counter these types of automated supply chain threats, the hosts praise NPM's newly released "staged publishing" pipeline, which mandates two-factor authentication from human maintainers before releasing packages pushed by automated CI/CD workflows. Shifting to framework flaws, they highlight a catastrophic, vanilla SQL injection flaw discovered in GoCMS during active exploitation. Finally, the duo reviews the emergence of AI-powered honeypots highlighted by Talos Intelligence. They conclude that turning the tables on attackers by utilizing LLM-driven "hall of mirrors" environments to impersonate real systems represents an innovative, under-explored AppSec strategy designed to drain attacker resources and trigger high token costs.

May 19, 2026

Episode 321 - The Future of AppSec

In episode 321 of Absolute AppSec, the co-hosts dive into a sprawling discussion about the future of Application Security amid the heavy noise of artificial intelligence and automated tools. The hosts start with a debate on whether traditional AppSec fundamentals remain relevant. Drawing analogies to the industrialization of car manufacturing and the transition to autonomous labor, they predict that while line-by-line coding and manual code reviews are fading, human intuition, safety guardrails, and system management will remain indispensable. They voice mutual frustrations with modern university cybersecurity curricula for overemphasizing abstract theories while neglecting hands-on operational tools. Despite the rising trend of vibe-coding and the reality of AI-generated bugs, Seth and Ken argue that core principles, such as networking, authentication, authorization, and auditing (AAA), remain fundamentally unchanged. To illustrate this point, they examine how passkeys operate via asymmetric public-private key pairs under the WebAuthn spec. They conclude that as the software landscape becomes increasingly abstracted, the primary responsibility of a senior security generalist shifts from executing manual tasks to auditing, managing, and validating agentic autonomous workflows.

May 12, 2026

Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout

Ken is away, so Stefan Edwards (lojikil) joins Seth to talk all things AppSec. This episode starts by exploring the acceleration of AI on the offensive side of security, enabling threat actors to automate complex tasks like patch diffing, gadget discovery, and reverse engineering binaries. The conversation highlights a recent milestone where an AI-driven tool, Mythos, successfully identified a vulnerability in curl, signaling a shift from "AI slop" to more relevant bug reports. However, Stefan remains skeptical of LLMs' ability to build secure, large-scale systems, noting their tendency to produce rigid or inconsistent code structures. This imbalance creates a "bad time for defenders," as blue team burnout increases due to the sheer volume of automated agents scanning attack surfaces near-instantaneously. The hosts conclude that while AI provides a "godsend" for testing neglected legacy applications, organizations must return to security basics—such as the principle of least authority and robust disaster recovery—to manage the expanding blast radius of modern breaches. Ultimately, they view AI as a fast, knowledgeable "junior" that requires human expertise to validate and orchestrate effectively.

April 21, 2026

Episode 319 - Vercel Breach, Security vs. Compliance, Pull Request Flows w/ AI Agents

Episode 319 covers a range of industry developments, primarily focusing on the recent Vercel security incident and the evolving landscape of AI-driven compliance. The hosts detail how a Vercel employee's use of a consumer-level Context AI plan led to a workspace compromise via a leaked OAuth token, eventually allowing attackers to access sensitive environment variables. This leads to a critical discussion about the SOC 2 provider Delve, with the hosts addressing allegations regarding "fake" compliance automation and the general limitations of auditing frameworks that do not inherently equate to true security. This episode also explores the future of the Pull Request (PR) flow, debating whether traditional human-led code reviews are "dead" due to the massive volume of code generated by AI agents. While they acknowledge that startups are moving toward autonomous commits, Seth argues that the PR concept is evolving into a system of agentic attestation and guardrails rather than disappearing entirely. The episode concludes with community survey results on this shift and a reminder about the hosts' upcoming training sessions in Singapore.

April 14, 2026

Episode 318 - Slack Impersonation, Mythos, Vulnerability Research Future

Episode 318 examines critical vulnerabilities and the evolving impact of AI on the security industry. The episode details a recent sophisticated impersonation and malware attack targeting open-source Slack communities, including their own, where attackers spoofed Seth's identity to distribute malicious links via Google Sites. The hosts express significant frustration with Slack's lack of built-in impersonation controls, comparing the flaw to the inherent trust issues in the Git protocol. A major portion of the discussion focuses on the "leak" of Anthropic's highly capable Mythos model and its potential to disrupt the market. They analyze how such frontier model announcements contribute to massive stock market volatility for traditional security firms while simultaneously creating an "intense echo chamber" regarding AI's ability to replace human practitioners. Referencing Thomas Ptacek's thesis, they debate whether AI agents will soon supplant human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Ultimately, the hosts advocate for autonomous defense and rigorous evaluation frameworks to manage "reasoning drift" and the exploding velocity of AI-generated code.

March 31, 2026

Episode 317 - (Post-RSAC/BSidesSF), Supply Chain Security, Future of SDLC

Ken Johnson and Seth Law reflect on the 2026 RSA Conference and BSidesSF, noting an industry-wide "awakening" regarding the high costs and engineering complexities of operationalizing AI security tools. A major focus is the recent "supply chain attack hell," specifically the compromise of the Axios HTTP client through dual-account breaches that allowed attackers to bypass legitimate OIDC deploy setups via a misconfigured NPM CLI. The malware used was particularly evasive, deleting itself and replacing its package.json with a clean version post-execution. The hosts also discuss the emergence of the "Agentic Development Lifecycle" (ADLC), where engineering teams are increasingly "committing on time" rather than features, creating a volume of code that traditional security gates cannot manage. They debate Thomas Ptacek’s thesis that AI agents will soon "supplant" human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Economically, they highlight how Anthropic's security announcements contributed to nearly half a trillion dollars in market value loss for traditional security firms, as investors increasingly bet on frontier models to consume established security domains.

March 17, 2026

Episode 316 - w/Coffee, Chaos, and ProdSec - Agentic Development Lifecycle

In episode 316 of Absolute AppSec, hosts Ken Johnson and Seth Law participate in a crossover with Kurt Hendle and Cameron Walters from the Coffee, Chaos, and ProdSec podcast to discuss the radical transformation of security roles in an AI-driven landscape. The guests share origin stories rooted in gaming and "mischievous" curiosity, which evolved into deep careers in security architecture and engineering. The primary discussion centers on the industry's shift toward an "Agentic Development Lifecycle" (ADLC), where the sheer volume of AI-generated code renders traditional manual review gates obsolete. This acceleration risks a "rubber stamp" culture where developers approve fixes in seconds rather than minutes, potentially leading to a mountain of technical debt. Consequently, the role of security is shifting from manual bug finding to high-level governance and "context infusion," requiring practitioners to manage AI agents that automate complex tasks. Economically, the group highlights how frontier model announcements have caused massive market volatility, wiping billions from traditional security stocks. Ultimately, they conclude that while older "primitive" tools are failing, professionals who lean into AI as a "superpower" for governance and oversight will be essential for navigating this new, non-deterministic reality.

March 3, 2026

Episode 315 - Risks of "AI-Native" Security Products, Rapid Software Development

In episode 315 of Absolute AppSec, Ken Johnson and Seth Law discuss the rapidly evolving challenges of securing software in an era of AI-assisted development. The hosts provide updates on their "Harnessing LLMs for Application Security" training, noting that the field is changing so fast that they must constantly update their exercises to include new agents and advanced tools like Claude Code. A primary concern raised is the "naivete" of many new security tools, where prompts are often automatically generated by AI rather than expertly crafted, causing a loss of essential nuance. The hosts also warn against AI companies building security products without specialized expertise, citing a zero-click exploit in the "Comet" AI browser that could exfiltrate sensitive secrets via calendar summaries. As development teams now ship code at "AI speed," the hosts argue that traditional AppSec methods are too slow, necessitating a strategic pivot toward automated design reviews, governance, and observability rather than just chasing individual vulnerabilities. Despite the inherent risks and the ongoing difficulty of managing AI reasoning drift, they remain optimistic that these tools can eventually unlock more efficient, hands-off AppSec workflows if managed with proper guardrails and deterministic oversight.
