Player FM - Internet Radio Done Right
44 subscribers
Checked 4h ago
اضافه شده در seven سال پیش
محتوای ارائه شده توسط Ken Johnson and Seth Law, Ken Johnson, and Seth Law. تمام محتوای پادکست شامل قسمتها، گرافیکها و توضیحات پادکست مستقیماً توسط Ken Johnson and Seth Law, Ken Johnson, and Seth Law یا شریک پلتفرم پادکست آنها آپلود و ارائه میشوند. اگر فکر میکنید شخصی بدون اجازه شما از اثر دارای حق نسخهبرداری شما استفاده میکند، میتوانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal
Player FM - برنامه پادکست
با برنامه Player FM !
با برنامه Player FM !
پادکست هایی که ارزش شنیدن دارند
حمایت شده
O
Our Skin: A Personal Discovery Podcast


DaQuane Cherry was once the kid who wore a hoodie to hide skin flare-ups in school. Now he’s an artist and advocate helping others feel seen. He reflects on his psoriasis journey, the power of small joys, and why loving yourself first isn’t a cliché—it’s essential. Plus, a deep dive into the history of La Roche-Posay’s legendary spring. See omnystudio.com/listener for privacy information.…
Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs
Manage episode 473295597 series 2371855
محتوای ارائه شده توسط Ken Johnson and Seth Law, Ken Johnson, and Seth Law. تمام محتوای پادکست شامل قسمتها، گرافیکها و توضیحات پادکست مستقیماً توسط Ken Johnson and Seth Law, Ken Johnson, and Seth Law یا شریک پلتفرم پادکست آنها آپلود و ارائه میشوند. اگر فکر میکنید شخصی بدون اجازه شما از اثر دارای حق نسخهبرداری شما استفاده میکند، میتوانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal
Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peak of an upcoming talk by Seth for BSidesSLC.
…
continue reading
340 قسمت
Manage episode 473295597 series 2371855
محتوای ارائه شده توسط Ken Johnson and Seth Law, Ken Johnson, and Seth Law. تمام محتوای پادکست شامل قسمتها، گرافیکها و توضیحات پادکست مستقیماً توسط Ken Johnson and Seth Law, Ken Johnson, and Seth Law یا شریک پلتفرم پادکست آنها آپلود و ارائه میشوند. اگر فکر میکنید شخصی بدون اجازه شما از اثر دارای حق نسخهبرداری شما استفاده میکند، میتوانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal
Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peak of an upcoming talk by Seth for BSidesSLC.
…
continue reading
340 قسمت
همه قسمت ها
×A
Absolute AppSec

Spurred by a recent article from Venture in Security, this episode delves deep into the practical application of security into an organization's SDLC. Covering a range of issues from gaps in contextual understanding to disingenuous vendor claims, Seth and Ken share their experiences dealing with small and large organizations with varying levels of maturity. Some degree of nihilism is warranted, but recent developments using generative AI is cause for optimism in the space.…
A
Absolute AppSec

Seth and Ken are _back_ to talk through some recent experiences and news across the industry. To start the episode, Seth highlights the edge cases uncovered during manual code review that require context to understand and identify. Inspired by recent a recent post on AI Slop in the curl bug bounty program, the duo addresses the increase of slop across bug bounty reports and why it happens. Finally, a discussion on McDonald's recent authorization flaw that potentially exposed millions of job applicant's data.…
Sean Varga, current regional sales manager with noted ASPM company Cycode joins Ken (@cktricky) and Seth (@sethlaw) to discuss the dawning realization organizations are having that they need AppSec experience and tech help to accompany their swelling numbers of developers. Sean's introduces "the OWASP Top 10 for AppSec Sales" to the community Before joining Cycode, Sean worked as Large Enterprise Sales Manager at Apiiro and Enterprise Account executive at Secure Code Warrior. He's also had stints at Veracode, Quest Software, and RSA across his career. We'll get to know Sean and his journey into AppSec, as well as getting his insights on the direction he sees things going moving forward. Connect with or follow Sean on LinkedIn to see what he's up to in the meantime: https://www.linkedin.com/in/sean-varga/…
Ken returns after a week's hiatus to review the latest AppSec news with Seth. Specifically, the idea that authentication fatigue exists for both consumers and developers. The amount of choice to implement security controls can have unintended consequences and introduces risk that may or may not be considered. This is followed by research from SquareX that claims Browser AI Agents are riskier and easier to target than employees. This results in opinions on phishing and protections against consumer/business targeting by attackers.…
With @cktricky out on a grand tour across the country (or just unable to record for the day), @sethlaw succumbs to the dark side to give @lojikil a platform to talk about recent developments in the application security world. Specifically, a discussion on vulnerability data and scoring mechanisms, including CVE, CVSS, CWSS, and other acronyms. Wraps up with a longer discussion on the use of AI across multiple disciplines and provenance of AI Slop.…
A
Absolute AppSec

Seth and Ken return with an in-depth discussion around the future of security due to use of AI. The landscape of security is changing quickly and we do not know where it is headed. As such, it is worth exploring how it has changed security's outlook and what we are seeing across organizations from a consulting and product perspective. A recent article from a16z titled "Next-Gen Pentesting: AI Empowers the Good Guys" is a good summary of the changes happening. A short aside on unintended consequences when introducing new browser features.…
Hayden Smith, Hunted Labs Co-Founder comes on Absolute AppSec to discuss, among other things, the Hunted Labs work discovering and publicizing the EasyJson software supply chain threat. Before co-founding Hunted Labs, Hayden was Senior Director of Field Services at Anchore, assisting US government, intelligence, and Fortune 500 clients. Long a specialist on supply-chain issues, Smith established the DoD's Platform One software factory, designed container-hardening pipelines securing 500+ Iron Bank images, and led Anchore solutions architects. Previously, he also worked at Booz Allen Hamilton where he supported US government and intelligence clients on cybersecurity/DevOps, and led the cybersecurity team testing the US Air Force's GPS OCX. Seth and Ken discuss some of Hayden's path into the security industry as well as Hunted Labs' report on the EasyJson software supply-chain threat. Read up here for more information: https://huntedlabs.com/exclusive-threat-report/…
We are happy to have Kayra Otaner as a special guest on the Absolute AppSec podcast. Kayra (kayraotaner on LinkedIn and X/twitter), the current Director of DevSecOps at Roche, brings over 15 years of cybersecurity leadership experience from New York and Wall Street. He's led DevSecOps and DevOps teams across a variety of organizations, including ADP, Voice, and adMarketplace, and has served as a trusted CTO advisor for Trendyol. His background also includes cybersecurity consulting for the Turkish Navy, where he helped develop a defense solution that was later deployed in NATO's Locked Shields cyber defense war games in Tallinn. Kayra is a frequent speaker at international DevSecOps conferences and serves on the Business and Computer Science Advisory Board at Middlesex County College in New Jersey. During this episode of the podcast Kayra discusses his journey into information security and spurs on his recent thoughts on authenticating open source developers through models similar to TSA PreCheck.…
News this week has been dominated by dependency issues and attribution towards unwanted nation states and actors. Specifically, easyjson is developed by a Russian firm that is under sanctions. The podcast duo discuss the implications and how to protect apps from sub-dependency threats. This leads to a deep dive into breaches and whether a breach has an effect on the industry, company, or individual. Current regulations and certifications can be lost, but does not always have the effect we would expect.…
Back after a hiatus for both BSidesSF and RSA, Seth and Ken recap their experience at both conferences. TL;DR - BSidesSF is great for technical security content and community, RSA focuses on sales for mostly large organizations and budgets. Two sides of the security industry coin and depends on preferences for which makes the most sense for career or business growth. This is followed by a short discussion on vibe coding educational security tools. Episode wraps with an article on MFA phishing and how WebAuthN helps prevent accidental exposure.…
A
Absolute AppSec

Ok, so vulnerable MCP tools are a thing now? Ken demonstrates installing and running an intentionally vulnerable MCP server with a bunch of example issues. Following is a discussion of the recent article and research around hallucinations of 3rd party dependencies/libraries in AI-Generated Python and JavaScript. New attack targets all dependent on how creative the LLM is allowed to be. A short aside on why we talk about AI and LLMs so much.…
It is time to talk about Model Context Protocol (MCP), Google's Agent 2 Agent specification, and get back to the crocs and socks of authentication for Non-Human Identities (NHIs). MCP servers have exploded over the last few weeks and provide a standard mechanism for LLMs to interact with pretty much _anything_. Seth and Ken talk about the risks, exposures, and where things could go from here.…
The duo are back for a discussion on securing machine learning models using Sigstore, based on a recent blog post from Google Security. Followed by some spicy takes on opinions on vibe coding and its effects on application and product security. Finally, short-lived tokens used to exploit RCE against the GitHub CodeQL Action.…
Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peak of an upcoming talk by Seth for BSidesSLC.…
After a week's hiatus, Ken and Seth return and start with a discussion on OWASP conferences and the effectiveness of attendance for vendors. This is followed by an expansive mental health discussion inspired by a recent blog post on Destructive Fatigue from Justin Larson at Redpoint Security. A constant focus on breaking and tearing down applications or anything can have mental health effects. Additionally, focus on the negative aspects increases imposter syndrome that is already prevalent across the industry. This leads to the question, what do you do to maintain sanity and mental health? Jump into Slack or tag @absoluteappsec on social media with your strategies.…
به Player FM خوش آمدید!
Player FM در سراسر وب را برای یافتن پادکست های با کیفیت اسکن می کند تا همین الان لذت ببرید. این بهترین برنامه ی پادکست است که در اندروید، آیفون و وب کار می کند. ثبت نام کنید تا اشتراک های شما در بین دستگاه های مختلف همگام سازی شود.