242 episodes

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.

Absolute AppSec Ken Johnson and Seth Law

    • Technology

    Episode 242 - LLMs Exploiting Vulns, State of DevSecOps

    Seth and Ken return with analysis of recent research that shows LLMs exploiting known CVEs. And no, it's not completely autonomous yet. This is followed by a breakdown of DataDog's State of DevSecOps article, backing up our gut feel of current industry needs and failures.

    Episode 241 - Secure Defaults, Using LLMs for Code Review

    **Video may be required**: this episode is focused on demonstrating uses of LLMs against various code. As such, listeners may want to watch the stream to see these uses rather than just listening. Also, Seth and Ken talk briefly at the beginning of the episode about a new tldr;sec project (thanks Clint!) called awesome secure defaults that lists out useful libraries and projects that are secure by default.

    Episode 240 - Code Smells, XZ Backdoor, Hallucinations

    After a week of travel, Seth and Ken return to the podcast with a breakdown of their travel experiences at multiple conferences and teaching their first Practical Secure Code Review course using LLMs to enhance the methodology. This is followed by reinforcement of code review steps including library research, a discussion of the recent XZ backdoor, and an article reviewing LLM hallucinations when recommending libraries.

    Episode 239 - AppSec Intel, CVEs, Authorization

    When Ken is away, the geeks will play. Seth is joined by podcast regular Stefan Edwards (@lojikil) to catch up on his recent work around threat hunting. This progresses into a discussion on threat intelligence and what is available for applications. A recent blog post on the utility of the CVE system spurs thoughts on the usefulness of published CVEs. Finally, opinions fly on authorization issues and how simple misconfigurations result in many vulnerabilities and attack chains.

    Episode 238 - AppSec vs. Enterprise Sec, Supply Chain Tool Analysis

    Ken and Seth are back to talk about the differences and competing priorities of Application and Enterprise Security. In short, recent news contends that Enterprise or Infrastructure security is lacking, whereas Application or Product Security is in a good state. This is followed by a discussion on supply chain security tools, prompted by a recent analysis conducted by Doyensec comparing false positives and false negatives from the leading tools.

    Episode 237 - Security 101, Nation State Hackers, Malicious Code

    Ken and Seth return for another episode, starting out with pointers on getting into security and finding a niche, all based on a recently released Microsoft project to introduce anyone to security. This is followed by a discussion on Chinese hacking groups and recent breaches attributed to those groups. Finally, a discussion on protecting the software supply chain, prompted by the recent forking and upload of malicious repositories on GitHub.
