A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
Episode 203 w/ Shlomi Shaki - Security Tools
21/3/2023
Joining Seth and Ken is Shlomi Shaki, a tech exec with GitHub who directs sales resources related to Application Security and Product Security in the APJ region. Discussion revolves around adoption of security tools and the struggles of securing software from both a tooling and process perspective.
Episode 201 - Breaches, Package Managers, Audit Logs
7/3/2023
A lot has happened since the 200th (!!!) episode of the podcast, so we are bringing another episode with a discussion of recent events, sites, and interesting finds. First up is a discussion of recent breaches, including some stories related to consumer rewards programs and weaknesses in that space. This is followed by a discussion on the responsibility of package managers (e.g. npm, pip) for disclosure or removal of known vulnerable packages. Finally, Seth's favorite topic of audit logs gets a public shaming site for services that don't follow industry best practices.
Episode 200 w/ Jerry Gamblin - Startups, CVEs
28/2/2023
Jerry Gamblin joins Seth and Ken for the 200th episode of the podcast. The discussion starts with a lengthy analysis of startup culture, security startups, and gotchas to be aware of when employed at or considering a job with a startup. This is followed by an in-depth analysis of CVEs and how the process of publicly reporting issues in software has changed over time. A small snippet on interesting tokens/words/comments to search for in git logs and comments that point at security problems.
Episode 199 - OWASP, Phishing, Eurostar
14/2/2023
After a number of guest appearances, Ken and Seth are flying "duo" to talk through recent news across the industry. Starting with analysis of the recent OWASP Change petition that has surfaced to address the needs of OWASP projects and chapters for funding and to define how the organization supports multiple efforts. Followed by commiseration with Eurostar on their recent self-inflicted lockout of user accounts due to authentication upgrades. Finally, discussion of the recent Reddit phishing scam and how the public display of their incident response shows security maturity.
Episode 198 with Laura Bell Main - Training
7/2/2023
Laura Bell Main, founder and CEO of safestack.io (@lady_nerd on Twitter; check out her website https://laurabellmain.com to acquaint yourself with her work and recent publications), joins Seth and Ken as a special guest. The discussion revolves around security training for developers and how it has changed over the years.
Episode 197 with Sal Olivares - Exposed API Tokens
31/1/2023
Sal Olivares, Senior Software Engineer at segment.io, joins Seth and Ken to discuss his experience with, and recent blog post about, security token scanning and revocation. Sal was involved with the recently implemented exposed-token scanning service at Segment and talks through his experience, gotchas, and other security topics.
Episode 196 - API Reviews, Web App Security Features
24/1/2023
Seth and Ken dig into a topic that was raised by a member of our Slack community. The initial half of the show reviews both the risks and the dynamic or static review items associated with microservices. This is followed by a discussion that starts by asking the question "what are the must-have security features for a web application?"
Episode 195 - 2022 CVEs, CORS, GraphQL
17/1/2023
Ken (@cktricky) and Seth (@sethlaw) take a step away from the news to review technical articles and research released in the last couple of weeks. This includes analysis done by Jerry Gamblin on total CVEs released during 2022, a new tool for exploiting weak CORS configurations, an excellent writeup on usage along with an intentionally vulnerable GraphQL application, and finally some thoughts on prototype-pollution-style vulnerabilities in other interpreted languages (specifically Python).
Episode 194 - Frank Wang (dbtlabs) - Organization Security, AI/ML
10/1/2023
Frank Wang from dbtlabs (@ffwang2 on Twitter) joins Seth and Ken for a discussion on the current security landscape, artificial intelligence, and machine learning. Follow Frank on Twitter or through his blog at https://franklyspeaking.substack.com/. Discussion starts with current breaches and how organizations approach security through their first security hire. This is followed by a discussion on AI related to ChatGPT and how it will affect security in the future.