Absolute AppSec

Ken Johnson and Seth Law

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.

  1. hace 5 h

    Episode 326 - AppSec Jobs, Benchmarking LLMs, Open Web Standards

    In episode 326 of Absolute AppSec, sponsored by mobile application security provider GuardSquare (guardsquare.com), the hosts start with a deep-dive into pre-show discussions about the shifting macroeconomic landscape of AppSec jobs. They analyze an industry-wide trend where corporate hiring is pivoting away from external third-party consultancies and contractors. Instead, maturing organizations are forming internal product security "tiger teams" and hiring dedicated security software engineers across general development lifecycles to handle the exponential volume of code generated by artificial intelligence. Turning to AI-driven engineering, they dissect a research paper tracking security vulnerability mitigations through large language model (LLM) feedback. The paper reveals a distinct degradation in code quality and an explosion of "false positives" or unreachable flaws after the fourth or fifth iteration due to compressed context windows and "context drift." Ken highlights his own grueling experience benchmarking AINative software. He heavily cautions that letting models self-score or automatically review code introduces dangerous biases, reinforcing the absolute baseline requirement for humans to critically audit all LLM outputs. Finally, they examine Open Web Docs' new web security guidelines community group, comparing its browser-centric standard party focus to OWASP's broader, audit-driven charter. They close by promoting an upcoming July podcast collaboration with Coffee, Chaos, and ProdSec.

  2. 16 jun

    Episode 324 - Three Week Trap, Malicious Extensions

    In episode 324 of Absolute AppSec, co-hosts Ken Johnson and Seth Law share a mix of security model critiques. Starting with industry dynamics, Ken recaps his recent presentation at OWASP Nova regarding the limits of human-scale AppSec, recounting a dramatic storm during the talk where patio chairs pelted the high-rise glass. The conversation pivots sharply to Anthropic being forced to pull its "Fable" and "Mythos" cybersecurity models offline due to government sanctions and fears surrounding unpreventable universal jailbreaks. Ken and Seth criticize the company's disingenuous "FUD-based" marketing, which falsely suggested that AI could entirely replace security practitioners. Seth reviews his own blog post regarding the "three-week demo trap", detailing critical, ignored requirements for AI products—such as evaluation, statistical reproducibility, and token cost economics—noting that executing enterprise testing via frontier models can easily exceed $5,000 a day. Transitioning back to fundamental baseline defense, the hosts dissect an article on bypassing Visual Studio Code extension blocks. They emphasize that since modern CDNs pull zipped extensions from distinct domains, blocking the main marketplace URL is completely ineffective. Consequently, they advocate for rigorous data classification, layered on-premise model hosting, and stricter boundary controls on developer endpoints to combat fast-evolving supply chain threats.

  3. 9 jun

    Episode 323 - Secrets Logs, Prompt Injection Risks

    In episode 323 of Absolute AppSec, co-hosts Ken Johnson and Seth Law focus heavily on core application security vulnerabilities, legacy operational struggles, and the challenges of generative AI systems. After briefly discussing Seth’s recent trip to BSides Vancouver and confirming upcoming conference training logistics for Black Hat and DEF CON, the duo dives into the persistent problem of secrets and sensitive data leaking into log files. Referencing an article and talk by Alan Reyes, they unpack the compounding nature of logging failures, noting how system-level integrations and production error conditions often dump entire object blocks or environment variables into third-party tools. They caution that while pattern-based scanners exist, they remain too brittle to capture complex edge cases, and utilizing expensive AI agents to screen every real-time log line is economically impractical. Transitioning to AI security, Seth explores a multi-page research paper analyzing prompt injection. The paper establishes that because large language models mathematically process data through tokenization without any physical or architectural separation between instructions and data contexts, prompt injection cannot be completely solved at the model level. Likening prompt injection to automated social engineering, they argue that the onus currently falls entirely on developers to implement deterministic validation, guardrails, and secure application-level harnesses.

Calificaciones y reseñas

4.9
de 5
18 calificaciones

Acerca de

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.

También te podría interesar