Absolute AppSec cover art

Absolute AppSec

Absolute AppSec

By: Ken Johnson and Seth Law
Listen for free

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
Episodes
  • Episode 324 - Three Week Trap, Malicious Extensions

    Episode 324 - Three Week Trap, Malicious Extensions
    Jun 16 2026
    In episode 324 of Absolute AppSec, co-hosts Ken Johnson and Seth Law share a mix of security model critiques. Starting with industry dynamics, Ken recaps his recent presentation at OWASP Nova regarding the limits of human-scale AppSec, recounting a dramatic storm during the talk where patio chairs pelted the high-rise glass. The conversation pivots sharply to Anthropic being forced to pull its "Fable" and "Mythos" cybersecurity models offline due to government sanctions and fears surrounding unpreventable universal jailbreaks. Ken and Seth criticize the company's disingenuous "FUD-based" marketing, which falsely suggested that AI could entirely replace security practitioners. Seth reviews his own blog post regarding the "three-week demo trap", detailing critical, ignored requirements for AI products—such as evaluation, statistical reproducibility, and token cost economics—noting that executing enterprise testing via frontier models can easily exceed $5,000 a day. Transitioning back to fundamental baseline defense, the hosts dissect an article on bypassing Visual Studio Code extension blocks. They emphasize that since modern CDNs pull zipped extensions from distinct domains, blocking the main marketplace URL is completely ineffective. Consequently, they advocate for rigorous data classification, layered on-premise model hosting, and stricter boundary controls on developer endpoints to combat fast-evolving supply chain threats.
    Show More Show Less
    Less than 1 minute
  • Episode 323 - Secrets Logs, Prompt Injection Risks

    Episode 323 - Secrets Logs, Prompt Injection Risks
    Jun 9 2026
    In episode 323 of Absolute AppSec, co-hosts Ken Johnson and Seth Law focus heavily on core application security vulnerabilities, legacy operational struggles, and the challenges of generative AI systems. After briefly discussing Seth’s recent trip to BSides Vancouver and confirming upcoming conference training logistics for Black Hat and DEF CON, the duo dives into the persistent problem of secrets and sensitive data leaking into log files. Referencing an article and talk by Alan Reyes, they unpack the compounding nature of logging failures, noting how system-level integrations and production error conditions often dump entire object blocks or environment variables into third-party tools. They caution that while pattern-based scanners exist, they remain too brittle to capture complex edge cases, and utilizing expensive AI agents to screen every real-time log line is economically impractical. Transitioning to AI security, Seth explores a multi-page research paper analyzing prompt injection. The paper establishes that because large language models mathematically process data through tokenization without any physical or architectural separation between instructions and data contexts, prompt injection cannot be completely solved at the model level. Likening prompt injection to automated social engineering, they argue that the onus currently falls entirely on developers to implement deterministic validation, guardrails, and secure application-level harnesses.
    Show More Show Less
    Less than 1 minute
  • Episode 322 - Megalodon, Staged Package Publishing, AI Powered Honeypots

    Episode 322 - Megalodon, Staged Package Publishing, AI Powered Honeypots
    May 26 2026
    In episode 322, the co-hosts examine critical vulnerabilities, changing security standards, and adaptive defense mechanisms. They deep dive into the recent "Megalodon" breach, identifying it as a direct poisoned pipeline execution attack. Rather than exposing a flaw inside GitHub itself , researchers at Hudson Rock traced the root cause to credentials stolen from developer desktops via infostealer malware, which allowed attackers to push base64-encoded payloads into GitHub Actions workflow YAML files. To counter these types of automated supply chain threats, the hosts praise NPM's newly released "staged publishing" pipeline, which mandates two-factor authentication from human maintainers before releasing packages pushed by automated CI/CD workflows. Shifting to framework flaws, they highlight a catastrophic, vanilla SQL injection flaw discovered in GoCMS during active exploitation. Finally, the duo reviews the emergence of AI-powered honeypots highlighted Talos Intelligence. They conclude that turning the tables on attackers by utilizing LLM-driven "hall of mirrors" environments to impersonate real systems represents an innovative, under-explored AppSec strategy designed to drain attacker resources and trigger high token costs.
    Show More Show Less
    Less than 1 minute
adbl_web_anon_alc_button_suppression_t1
No reviews yet