Episodes

  • Episode 305 - Career Impact of GenAI, SEO/GEO, More Supply Chain Attacks

    Episode 305 - Career Impact of GenAI, SEO/GEO, More Supply Chain Attacks
    Nov 25 2025
    The latest episode of Absolute AppSec is here, with Ken Johnson and Seth Law checking in during the busy Q4 holiday season to share some fascinating insights on the evolving landscape of security and technology. They kick off by reflecting on their intensive, ever-changing "Harnessing LLMs for Application Security" courses, noting how rapidly the underlying tech evolves. The conversation quickly turns to a compelling debate: How will the rise of generative AI impact career paths for newcomers, especially given that LLMs fundamentally rely on the contributions of existing experts? While pathways may change, they agree that core human activities—like networking, contributing to projects, and maintaining a hacker mindset—will remain crucial. The hosts then dive into a fascinating discussion on the darker side of SEO, introducing the concept of Generative AI Engine Optimization (GEO), where marketers exploit AI search results through tricks like keyword-stuffed files to game rankings. They tie this to historical examples of exploitation, harkening back to Google hacking days. Finally, they cover the recent Shai Hulud 2 supply chain attack, which infected hundreds of NPM packages and utilized even more sophisticated obfuscation and delayed execution tactics than its predecessor.
    Show more Show less
    Less than 1 minute
  • Episode 304 - More OWASP Top 10, AI Dynamic Testing

    Episode 304 - More OWASP Top 10, AI Dynamic Testing
    Nov 18 2025
    This episode, the 304th of Absolute AppSec, features hosts Ken Johnson (@cktricky) and Seth Law (@sethlaw) discussing the crush of Q4 expectations, upcoming training opportunities, the recent updates to the OWASP Top Ten, and the impact of AI tools like XBow on application security (AppSec) consulting. The hosts discuss the shift in the OWASP Top Ten from focusing on vulnerabilities to focusing on risks, and the dual role the list now plays for both awareness/training and compliance. Shifting to recent funding of XBow, the overall consensus is that while AI tools dramatically improve process flow, scoping, and the speed of vulnerability identification for consultants, they won't replace the need for human experts for complex, bespoke systems, business logic flaws, or authorization issues. AI is commoditizing lower-level AppSec work.
    Show more Show less
    Less than 1 minute
  • Episode 303 - w/Prof. Brian Glas - OWASP Top 10 2025

    Episode 303 - w/Prof. Brian Glas - OWASP Top 10 2025
    Nov 10 2025
    Prof. Brian Glas (infosecdad on social media) joins Seth Law (sethlaw) and Ken Johnson (cktricky) for a timely episode of Absolute AppSec. Infosec Guru and one of the OWASP Top Ten project leaders Prof. Glas joins us in the aftermath of the Global AppSec conference and the announcement of the new OWASP Top Ten (2025). This episode focuses on the process for compiling the list as well as gleaning any other insights from Prof. Glas.
    Show more Show less
    Less than 1 minute
  • Episode 302 - OWASP Global AppSec DC predictions, AI Browser Dangers, MCP Security

    Episode 302 - OWASP Global AppSec DC predictions, AI Browser Dangers, MCP Security
    Nov 4 2025
    Episode 302 of Absolute AppSec has hosts Ken Johnson and Seth Law speculating on the upcoming Global AppSec DC conference, predicting the announcement of the OWASP Top Ten 2025 edition, with Brian Glass scheduled to discuss it on the podcast. The conversation shifts to a technical discussion of OpenAI's new browser, Atlas, which is built on Chromium and includes AI capabilities. The hosts noted concern over the discovered prompt instructions for Atlas, which direct the ChatGPT agent to use browser history and available APIs to find data from the user's logged-in sites to answer ambiguous queries or fulfill requests. This functionality raises significant security concerns, as the agent's ability to comb the cache and logged-in sites could be exploited, effectively creating a "honeypot for cross-site scripting" with malicious potential like unauthorized money transfers. The hosts discussed the lack of talk submissions on Mobile Context Protocol (MCP) security at the conference, despite its growing relevance in a world of AI agents and tooling. Finally, they highlighted a new tool called SlopGuard, developed to prevent the risk of AI hallucinating non-existent, potentially malicious packages (which occurs 5-21% of the time) and attempting to install them from registries like NPM.
    Show more Show less
    Less than 1 minute
  • Episode 301 - AI Browsers, New AI Agent Attacks, Framework Checklists

    Episode 301 - AI Browsers, New AI Agent Attacks, Framework Checklists
    Oct 28 2025
    In this episode, Seth and Ken debate OpenAI's Atlas browser, which embeds AI into web browsing. Ken views it as a major privacy concern, potentially accelerating invasive data collection and surveillance. Seth noted that new browsers historically have critical flaws. They acknowledged that AI is very useful for generic and technical internet searches. They discussed the Co-Fish attack, a phishing vulnerability in Microsoft Copilot Studio that could exfiltrate access tokens via a seemingly valid Microsoft URL. Finally, they noted that big companies like Snyk and Black Duck are moving toward agentic AI capabilities, confirming the industry trend.
    Show more Show less
    Less than 1 minute
  • Episode 300 - THIS! IS! APPSEC!

    Episode 300 - THIS! IS! APPSEC!
    Oct 14 2025
    For the 300th (!!!!) episode of the podcast, Seth and Ken reminisce on changes to the industry and overall approach to application security since inception. The hosts discussed the evolution of the industry, noting that once-popular approaches like blindly emulating "hip" Silicon Valley security programs and running unmanaged Security Champions Programs have fallen out of favor, as organizations now better understand that these approaches are not one-size-fits-all and require careful, metrics-driven management. While Bug Bounty Programs remain popular, they noted an increase in submissions from "skiddies" (script kiddies) that challenge program effectiveness and highlight the need for internal support and a proactive stance before rolling out a public program. Positively, they observed that the industry has become more mature, focusing on business value, metrics, and ROI , a move that may have been accelerated by recent economic pressures. Furthermore, security practices have improved, with the decline of common vulnerabilities like XSS and SQL Injection due to safer frameworks and browser controls, allowing AppSec professionals to focus on more complex issues, such as business logic flaws and focused threat analysis, while the once monolithic process of threat modeling has evolved into a more nimble, "point-in-time" assessment readily adopted by developers.
    Show more Show less
    Less than 1 minute
  • Episode 299 - Startup Grind, Will Security Companies Disappear

    Episode 299 - Startup Grind, Will Security Companies Disappear
    Oct 7 2025
    The duo is back after a short hiatus. Today's episode is inspired by recent articles related to startups, funding, and the grind that happens when building a company or being an individual contributor. Specifically, a recent article about AI startup founders putting in long hours to the exclusion of everything else is debated. This is followed by aa discussion on the current security AI startup hype cycle, spurred by thoughts from FranklySpeaking, and how security companies in general are acquired and disappear over time.
    Show more Show less
    Less than 1 minute
  • Episode 298 - Shai Hulud, Layered Security, New Commandments of Security Teams

    Episode 298 - Shai Hulud, Layered Security, New Commandments of Security Teams
    Sep 16 2025
    In what is (sadly) becoming a weekly segment, this episode starts with talk of the latest installment of npm package takeovers, dubbed Shai Hulud as discussed in Slack and analyzed by Paul McCarty and team. Strategies discussed for monitoring packages and preventing malware from entering into organization's products. This is followed by an article referencing security via intentional redundancy when designing sensitive application functionality. Finally, analysis of a recent article from Frankly Speaking that lists a series of new commandments for security teams, which are mostly agreed to by both Seth and Ken, with some caveats.
    Show more Show less
    Less than 1 minute