Absolute AppSec

Ken Johnson and Seth Law
  • 4.9 (18)
  • Technology
  • Updated Weekly

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.

  1. 45m ago

    Episode 324 - Three Week Trap, Malicious Extensions

    In episode 324 of Absolute AppSec, co-hosts Ken Johnson and Seth Law share a mix of security model critiques. Starting with industry dynamics, Ken recaps his recent presentation at OWASP Nova regarding the limits of human-scale AppSec, recounting a dramatic storm during the talk where patio chairs pelted the high-rise glass. The conversation pivots sharply to Anthropic being forced to pull its "Fable" and "Mythos" cybersecurity models offline due to government sanctions and fears surrounding unpreventable universal jailbreaks. Ken and Seth criticize the company's disingenuous "FUD-based" marketing, which falsely suggested that AI could entirely replace security practitioners. Seth reviews his own blog post regarding the "three-week demo trap", detailing critical, ignored requirements for AI products—such as evaluation, statistical reproducibility, and token cost economics—noting that executing enterprise testing via frontier models can easily exceed $5,000 a day. Transitioning back to fundamental baseline defense, the hosts dissect an article on bypassing Visual Studio Code extension blocks. They emphasize that since modern CDNs pull zipped extensions from distinct domains, blocking the main marketplace URL is completely ineffective. Consequently, they advocate for rigorous data classification, layered on-premise model hosting, and stricter boundary controls on developer endpoints to combat fast-evolving supply chain threats.

  2. Jun 9

    Episode 323 - Secrets Logs, Prompt Injection Risks

    In episode 323 of Absolute AppSec, co-hosts Ken Johnson and Seth Law focus heavily on core application security vulnerabilities, legacy operational struggles, and the challenges of generative AI systems. After briefly discussing Seth’s recent trip to BSides Vancouver and confirming upcoming conference training logistics for Black Hat and DEF CON, the duo dives into the persistent problem of secrets and sensitive data leaking into log files. Referencing an article and talk by Alan Reyes, they unpack the compounding nature of logging failures, noting how system-level integrations and production error conditions often dump entire object blocks or environment variables into third-party tools. They caution that while pattern-based scanners exist, they remain too brittle to capture complex edge cases, and utilizing expensive AI agents to screen every real-time log line is economically impractical. Transitioning to AI security, Seth explores a multi-page research paper analyzing prompt injection. The paper establishes that because large language models mathematically process data through tokenization without any physical or architectural separation between instructions and data contexts, prompt injection cannot be completely solved at the model level. Likening prompt injection to automated social engineering, they argue that the onus currently falls entirely on developers to implement deterministic validation, guardrails, and secure application-level harnesses.

  3. May 26

    Episode 322 - Megalodon, Staged Package Publishing, AI Powered Honeypots

    In episode 322, the co-hosts examine critical vulnerabilities, changing security standards, and adaptive defense mechanisms. They deep dive into the recent "Megalodon" breach, identifying it as a direct poisoned pipeline execution attack. Rather than exposing a flaw inside GitHub itself , researchers at Hudson Rock traced the root cause to credentials stolen from developer desktops via infostealer malware, which allowed attackers to push base64-encoded payloads into GitHub Actions workflow YAML files. To counter these types of automated supply chain threats, the hosts praise NPM's newly released "staged publishing" pipeline, which mandates two-factor authentication from human maintainers before releasing packages pushed by automated CI/CD workflows. Shifting to framework flaws, they highlight a catastrophic, vanilla SQL injection flaw discovered in GoCMS during active exploitation. Finally, the duo reviews the emergence of AI-powered honeypots highlighted Talos Intelligence. They conclude that turning the tables on attackers by utilizing LLM-driven "hall of mirrors" environments to impersonate real systems represents an innovative, under-explored AppSec strategy designed to drain attacker resources and trigger high token costs.

  4. May 19

    Episode 321 - The Future of AppSec

    In episode 321 of Absolute AppSec, the co-hosts dive into a sprawling discussion about the future of Application Security amid the heavy noise of artificial intelligence and automated tools. The hosts start with a debate on whether traditional AppSec fundamentals remain relevant. Drawing analogies to the industrialization of car manufacturing and the transition to autonomous labor, they predict that while line-by-line coding and manual code reviews are fading, human intuition, safety guardrails, and system management will remain indispensable. They voice mutual frustrations with modern university cybersecurity curricula for overemphasizing abstract theories while neglecting hands-on operational tools. Despite the rising trend of vibe-coding and the reality of AI-generated bugs, Seth and Ken argue that core principles, such as networking, authentication, authorization, and auditing (AAA), remain fundamentally unchanged. To illustrate this point, they examine how passkeys operate via asymmetric public-private key pairs under the WebAuthn spec. They conclude that as the software landscape becomes increasingly abstracted, the primary responsibility of a senior security generalist shifts from executing manual tasks to auditing, managing, and validating agentic autonomous workflows.

  5. May 12

    Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout

    Ken is away, so Stefan Edwards (lojikil) joins Seth to talk all things AppSec. This episode starts by exploring the acceleration of AI on the offensive side of security, enabling threat actors to automate complex tasks like patch diffing, gadget discovery, and reverse engineering binaries. The conversation highlights a recent milestone where an AI-driven tool, Mythos, successfully identified a vulnerability in curl, signaling a shift from "AI slop" to more relevant bug reports. However, Stefan remains skeptical of LLMs' ability to build secure, large-scale systems, noting their tendency to produce rigid or inconsistent code structures. This imbalance creates a "bad time for defenders," as blue team burnout increases due to the sheer volume of automated agents scanning attack surfaces near-instantaneously. The hosts conclude that while AI provides a "godsend" for testing neglected legacy applications, organizations must return to security basics—such as the principle of least authority and robust disaster recovery—to manage the expanding blast radius of modern breaches. Ultimately, they view AI as a fast, knowledgeable "junior" that requires human expertise to validate and orchestrate effectively.

  6. Apr 21

    Episode 319 - Vercel Breach, Security vs. Compliance, Pull Request Flows w/ AI Agents

    Episode 319 covers a range of industry developments, primarily focusing on the recent Vercel security incident and the evolving landscape of AI-driven compliance. The hosts detail how a Vercel employee's use of a consumer-level Context AI plan led to a workspace compromise via a leaked OAuth token, eventually allowing attackers to access sensitive environment variables. This leads to a critical discussion about the SOC 2 provider Delve, with the hosts addressing allegations regarding "fake" compliance automation and the general limitations of auditing frameworks that do not inherently equate to true security. This episode also explores the future of the Pull Request (PR) flow, debating whether traditional human-led code reviews are "dead" due to the massive volume of code generated by AI agents. While they acknowledge that startups are moving toward autonomous commits, Seth argues that the PR concept is evolving into a system of agentic attestation and guardrails rather than disappearing entirely. The episode concludes with community survey results on this shift and a reminder about the hosts' upcoming training sessions in Singapore.

  7. Apr 14

    Episode 318 - Slack Impersonation, Mythos, Vulnerability Research Future

    Episode 318 examines critical vulnerabilities and the evolving impact of AI on the security industry. The episode details a recent sophisticated impersonation and malware attack targeting open-source Slack communities, including their own, where attackers spoofed Seth's identity to distribute malicious links via Google Sites. The hosts express significant frustration with Slack's lack of built-in impersonation controls, comparing the flaw to the inherent trust issues in the Git protocol. A major portion of the discussion focuses on the "leak" of Anthropic's highly capable Mythos model and its potential to disrupt the market. They analyze how such frontier model announcements contribute to massive stock market volatility for traditional security firms while simultaneously creating an "intense echo chamber" regarding AI's ability to replace human practitioners. Referencing Thomas Ptacek's thesis, they debate whether AI agents will soon supplant human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Ultimately, the hosts advocate for autonomous defense and rigorous evaluation frameworks to manage "reasoning drift" and the exploding velocity of AI-generated code.

  8. Mar 31

    Episode 317 - (Post-RSAC/BSidesSF), Supply Chain Security, Future of SDLC

    Ken Johnson and Seth Law reflect on the 2026 RSA Conference and BSidesSF, noting an industry-wide "awakening" regarding the high costs and engineering complexities of operationalizing AI security tools. A major focus is the recent "supply chain attack hell," specifically the compromise of the Axios HTTP client through dual-account breaches that allowed attackers to bypass legitimate OIDC deploy setups via a misconfigured NPM CLI. The malware used was particularly evasive, deleting itself and replacing its package.json with a clean version post-execution. The hosts also discuss the emergence of the "Agentic Development Lifecycle" (ADLC), where engineering teams are increasingly "committing on time" rather than features, creating a volume of code that traditional security gates cannot manage. They debate Thomas Ptacek’s thesis that AI agents will soon "supplant" human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Economically, they highlight how Anthropic's security announcements contributed to nearly half a trillion dollars in market value loss for traditional security firms, as investors increasingly bet on frontier models to consume established security domains.

See All (324)

Ratings & Reviews

4.9
out of 5
18 Ratings

About

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.

Information

  • Creator
    Ken Johnson and Seth Law
  • Years Active
    2018 - 2026
  • Episodes
    324
  • Rating
    Clean
  • Show Website
    Absolute AppSec

You Might Also Like