The Boring AppSec Podcast

The Boring AppSec Podcast
  • 0.0 (0)
  • TECHNOLOGY
  • UPDATED WEEKLY

In this podcast, we will talk about our experiences having worked at different companies - from startups to big enterprises, from tech companies to security companies, and from building side projects to building startups. We will talk about the good, the bad, and everything in between. So join us for some fun, some real, and some super hot takes about all things Security in the Boring AppSec Podcast.

  1. 4D AGO

    Ep 37: The Future of Security Testing in an AI-Driven World with Jason Haddix

    In this episode, Jason Haddix (CEO of Arcanum Information Security and creator of the Bug Hunter’s Methodology) joins us to examine how AI is changing penetration testing and security research. He explains that while AI agents can automate reconnaissance, code analysis, and parts of vulnerability discovery, meaningful results still depend on human expertise, methodology, and context engineering. The conversation explores how AI is shifting the entry path for new security practitioners, why deep research and critical thinking remain essential skills, and how experienced testers are embedding their knowledge into agent workflows using tools like Claude Code. Jason also discusses practical experimentation with AI assistants such as OpenClaw, including prompt-injection defenses, guardrails, and the operational risks of running autonomous systems. The episode also addresses the growing debate around AI-generated code and AI-driven vulnerability discovery, highlighting the difference between marketing claims and real-world results. It closes with a discussion on why the industry needs better benchmarks and evaluation methods to measure whether AI security tools actually find meaningful vulnerabilities.

    1h 1m

  2. MAR 2

    Ep 36: Discussing AI's Current State of Affairs

    In this episode, we examine what is shifting in AI, AppSec, and product security and what remains fundamentally the same. For years, application security has operated on a familiar model: siloed reviews, tool-driven findings, and periodic assessments that struggle to keep pace with modern development. AI doesn’t eliminate those pressures, it amplifies them. Code is generated faster, systems are more interconnected, and the surface area of change expands weekly.  The conversation explores agent-based workflows through tools like OpenClaw, not as novelty, but as a signal of a broader shift: from manually operating tools to orchestrating fleets of agents. As AI interfaces move from chat windows to terminals to messaging environments, security teams must reconsider where workflows live and how context is preserved across them. For decades, AppSec has struggled to build a reliable understanding of what systems exist and how they connect. Large language models may finally make it possible to construct living maps of components, data flows, and trust boundaries  enabling assessments that talk to each other instead of existing in isolation. The discussion also revisits threat modeling, not as a compliance artifact, but as a foundation for system-wide reasoning. If AI can automate baseline coverage and reduce repetitive toil, security teams may return to their original purpose: high-leverage risk judgment on critical systems. This leads to a broader debate whether AppSec as a distinct function evolves, shrinks, or dissolves into engineering itself and what the enduring “maker–checker” model of risk management demands in an AI-native world. Finally, the episode reflects on the role of large AI labs in security: the gap between ambitious claims and shipped products, and what that means for founders and security leaders navigating change. 00:00–02:15 — Why this is a no-guest episode & what’s changed since last year 02:15–06:30 — AI co-authoring, productivity gains, and writing workflows 06:30–10:20 — OpenClaw architecture, agent risks, and prompt injection realities 10:20–14:00 — The shifting UI of AI: chat → terminal → messaging agents 14:00–18:30 — Agent orchestration vs siloed security tooling 18:30–23:00 — Context graphs and assessments that “talk” to each other 23:00–27:30 — Threat modeling’s evolution and system-wide visibility 27:30–31:00 — Why inventory is still AppSec’s hardest problem 31:00–34:30 — Personal AI stacks: Obsidian, memory layers, and query tools 34:30–37:30 — Open source in the age of AI-generated PR spam 37:30–40:00 — AI labs: what they ship vs what they say 40:00–44:00 — Will AppSec disappear? A serious debate 44:00–48:00 — Maker–checker risk models in an AI-driven org 48:00–51:00 — Where AI replaces toil — and where humans stay critical 51:00–End — 2026 predictions for AI security and product security .

    50 min

  3. FEB 16

    Ep 35: Exploring Security After Determinism with Jens Ernstberger

    In this episode, we sit down with Jens to explore why AI agents fundamentally break traditional security assumptions, from API keys and browser sessions to composability and access control. Drawing parallels to DeFi exploits and smart contract failures, he explains why agent identity, short-lived delegated authorization, and zero trust aren’t optional add-ons, but the foundation for safely running autonomous systems. We also dive into context compression as both a performance and security challenge, the real difference between MCP and skills, and a future where humans may stop reviewing code altogether. As agents become the primary actors on the internet, even writing itself begins to change in an AI-scraped world. If agents are non-deterministic by design, the real question becomes: where do we reintroduce determinism? Tune in for a deep dive! Connect with Jens Ernstberger: Website: https://ernstberger.xyz/ LinkedIn: https://www.linkedin.com/in/jens-ernstberger-phd-96b0ba14a/Connect with Anshuman: LinkedIn: ⁠⁠⁠⁠⁠⁠anshumanbhartiya⁠⁠ X: ⁠⁠⁠⁠⁠⁠https://x.com/anshuman_bh⁠⁠ Website: ⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠ ⁠⁠⁠⁠Instagram: ⁠⁠anshuman.bhartiya⁠ ⁠⁠⁠Connect with Sandesh: LinkedIn: ⁠⁠⁠⁠⁠⁠anandsandesh⁠⁠ X: ⁠⁠⁠⁠⁠⁠https://x.com/JubbaOnJeans

    50 min

  4. FEB 2

    Security at Scale in a Probabilistic World with Ankur Chakraborty

    In this episode, Ankur Chakraborty discusses the evolution of AI security, emphasizing the importance of foundational security principles in the context of generative AI. He explores the challenges of scaling security measures in an era of rapid feature deployment and the necessity of integrating AI tools into security practices. The conversation delves into the balance between human oversight and autonomous systems, the significance of context in security decision-making, and the evaluation of security tools based on their outcomes. The discussion highlights the need for better guardrails and the role of context engineering in enhancing security practices.

    57 min

  5. JAN 28

    The Future of Identity in AI Agents with Ian Livingstone

    In this conversation, Ian Livingstone discusses the changing landscape of AI and security, focusing on the challenges of agent identity and the need for a new approach to application security. He emphasizes the importance of understanding the non-deterministic nature of AI agents and the implications for identity management, permissions, and data security. The discussion also touches on the future of agent identity, the role of insurance in managing risks, and the transformation of security practices in the age of AI. Tune in for a deep dive! Connect with Ian Livingstone: LinkedIn: ⁠https://www.linkedin.com/in/irlivingstone/ Twitter: https://x.com/ianlivingstone Connect with Anshuman: LinkedIn: ⁠⁠⁠⁠⁠anshumanbhartiya⁠ X: ⁠⁠⁠⁠⁠https://x.com/anshuman_bh⁠ Website: ⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠ ⁠⁠⁠⁠Instagram: ⁠anshuman.bhartiya ⁠Connect with Sandesh: LinkedIn: ⁠⁠⁠⁠⁠anandsandesh⁠ X: ⁠⁠⁠⁠⁠https://x.com/JubbaOnJeans⁠

    55 min

  6. JAN 19

    Rethinking Enterprise Security in an AI- and Platform-First World with Kane Narraway

    In this episode, we sit down with Kane Narraway to unpack how enterprise security is changing as AI, platforms, and developer-driven security become the norm. Kane shares his path from digital forensics to leading security at Canva, and why understanding company culture matters just as much as choosing the right tools. We discuss why modern security is becoming platform-first, why much of the security vendor market optimizes for finding problems rather than fixing them, and why Kane believes security teams need more engineers and fewer manual processes.The conversation also digs into AI security, shadow IT (and shadow AI), and the real-world trade-offs between usability and control, especially as low-code and no-code tools become more common inside companies. Tune in for a deep dive! Connect with Kane Narraway: LinkedIn: https://www.linkedin.com/in/kane-n/ Blog: https://kanenarraway.com/ Connect with Anshuman: LinkedIn: ⁠⁠⁠⁠anshumanbhartiya X: ⁠⁠⁠⁠https://x.com/anshuman_bh Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ ⁠⁠⁠⁠Instagram: anshuman.bhartiyaConnect with Sandesh: LinkedIn: ⁠⁠⁠⁠anandsandesh X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

    50 min

  7. 12/15/2025

    The Future of Developer Security with Travis McPeak

    In this episode, we sit down with Travis McPeak, one of the most prominent thinkers in the space of developer security. Travis, who built his career at the intersection of security automation and developer productivity, shares his philosophy on achieving security at scale in the AI era. His career spans security leadership roles at major tech companies, including Symantec, IBM, Netflix, and Databricks. Most recently, he founded and served as CEO of Resourcely, a startup built on the idea of making cloud infrastructure secure by default, before being "acqui-hired" by Cursor, the rapidly growing AI-powered code editor, to lead security and enterprise readiness. Key Takeaways AI for Secure by Default: AI tools provide the best injection point to shift security "all the way left" and move past the reactive "whack-a-mole" approach, because developers are already motivated to use these highly effective tools.Changing AppSec Strategy: AI dramatically changes the nature of AppSec by making previously unscalable strategies, such as threat modeling, applicable. AI can generate architecture diagrams on demand by tracing through code.The Compliance Bottleneck: The dramatic consolidation of cloud security vendors reflects how compliance-minded the security industry remains. Critical infrastructure misconfigurations (like public databases being left open) often go unaddressed because they are not measured by compliance standards.Platform vs. Point Solutions: Travis argues against platforms that are often amalgamations of poorly integrated acquired tools. He suggests buying the single best point solution for a high-leverage problem and using AI capabilities to operationalize and wire it into internal systems, thereby simplifying integrations that platforms traditionally provide.The Skeptical Coder: A fundamental limitation of Large Language Models (LLMs) is their desire to "make you happy," causing them to provide answers even if they are incorrect. Therefore, engineers must use AI output only as a starting point and only consider the code finished when they understand it fully end to end.Prompt Injection Defined: Prompt injection is confirmed as a legitimate vulnerability, essentially a rehash of old issues like cross-site scripting and SQL injection, arising from the improper separation between the LLM instruction and the user instruction. Tune in for a deep dive! Contacting Travis * LinkedIn: https://www.linkedin.com/in/travismcpeak/ * Company Website: https://www.cursor.com Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    52 min

  8. 12/04/2025

    Scaling Product Security In The AI Era with Teja Myneedu

    In this episode, we sit down with Teja Myneedu, Sr. Director, Security and Trust at Navan. He shares his philosophy on achieving security at scale, discussing some challenges and approaches specially in the AI era. Teja's career spans over two decades on the front lines of product security at hyper-growth companies like Splunk. He currently operates at the complex intersection of FinTech and corporate travel, where his responsibilities include securing financial transactions and ensuring the physical duty of care for global travelers. Key Takeaways • Scaling Security Philosophy: Security programs should be built on developer empathy and innovative solutions, scaling with context and automation. • Pragmatic Protection: Focus on incremental, practical improvements (like WAF rules) to secure the enterprise immediately, instead of letting the pursuit of perfection delay necessary defenses; security by obscurity is not always bad. • Flawed Prioritization: Prioritization frameworks are often flawed because they lack organizational and business context, which security tools fail to provide. • AI and Code Fixes: AI is changing the application security field by reducing the cognitive load on engineers and making it easier for security teams to propose vulnerability fixes (PRs). • The Authorization Dilemma: The biggest novel threat introduced by LLMs is the complexity of identity and authorization, as agents require delegate access and dynamically determine business logic. Tune in for a deep dive! Contacting Teja * LinkedIn: https://www.linkedin.com/in/myneedu/ * Company Website: https://www.navan.com Contacting Anshuman * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anshumanbhartiya/ * X: ⁠⁠⁠⁠https://x.com/anshuman_bh * Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/ * ⁠⁠⁠⁠Instagram: ⁠⁠⁠https://www.instagram.com/anshuman.bhartiya Contacting Sandesh * LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/anandsandesh/ * X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans * Website: ⁠⁠⁠⁠https://boringappsec.substack.com/

    52 min
See All (37)

About

In this podcast, we will talk about our experiences having worked at different companies - from startups to big enterprises, from tech companies to security companies, and from building side projects to building startups. We will talk about the good, the bad, and everything in between. So join us for some fun, some real, and some super hot takes about all things Security in the Boring AppSec Podcast.

Information

  • Creator
    The Boring AppSec Podcast
  • Years Active
    2024 - 2026
  • Episodes
    37
  • Rating
    Clean
  • Copyright
    © The Boring AppSec Podcast
  • Show Website
    The Boring AppSec Podcast

You Might Also Like