エピソード

  • Episode 284 - BSidesSF/RSA Recap, Vibe Coding, WebAuthN

    Episode 284 - BSidesSF/RSA Recap, Vibe Coding, WebAuthN
    2025/05/06
    Back after a hiatus for both BSidesSF and RSA, Seth and Ken recap their experience at both conferences. TL;DR - BSidesSF is great for technical security content and community, RSA focuses on sales for mostly large organizations and budgets. Two sides of the security industry coin and depends on preferences for which makes the most sense for career or business growth. This is followed by a short discussion on vibe coding educational security tools. Episode wraps with an article on MFA phishing and how WebAuthN helps prevent accidental exposure.
    続きを読む 一部表示
    1分未満
  • Episode 283 - Intentionally-Vulnerable MCP Server, Hallucinating Software Packages

    Episode 283 - Intentionally-Vulnerable MCP Server, Hallucinating Software Packages
    2025/04/22
    Ok, so vulnerable MCP tools are a thing now? Ken demonstrates installing and running an intentionally vulnerable MCP server with a bunch of example issues. Following is a discussion of the recent article and research around hallucinations of 3rd party dependencies/libraries in AI-Generated Python and JavaScript. New attack targets all dependent on how creative the LLM is allowed to be. A short aside on why we talk about AI and LLMs so much.
    続きを読む 一部表示
    1分未満
  • Episode 282 - Model Context Protocol, A2A, NHI Authentication

    Episode 282 - Model Context Protocol, A2A, NHI Authentication
    2025/04/15
    It is time to talk about Model Context Protocol (MCP), Google's Agent 2 Agent specification, and get back to the crocs and socks of authentication for Non-Human Identities (NHIs). MCP servers have exploded over the last few weeks and provide a standard mechanism for LLMs to interact with pretty much _anything_. Seth and Ken talk about the risks, exposures, and where things could go from here.
    続きを読む 一部表示
    1分未満
  • Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse

    Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse
    2025/04/08
    The duo are back for a discussion on securing machine learning models using Sigstore, based on a recent blog post from Google Security. Followed by some spicy takes on opinions on vibe coding and its effects on application and product security. Finally, short-lived tokens used to exploit RCE against the GitHub CodeQL Action.
    続きを読む 一部表示
    1分未満
  • Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs

    Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs
    2025/03/25
    Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peak of an upcoming talk by Seth for BSidesSLC.
    続きを読む 一部表示
    1分未満
  • Episode 279 - Conferences, Destructive Fatigue, Imposter Syndrome

    Episode 279 - Conferences, Destructive Fatigue, Imposter Syndrome
    2025/03/18
    After a week's hiatus, Ken and Seth return and start with a discussion on OWASP conferences and the effectiveness of attendance for vendors. This is followed by an expansive mental health discussion inspired by a recent blog post on Destructive Fatigue from Justin Larson at Redpoint Security. A constant focus on breaking and tearing down applications or anything can have mental health effects. Additionally, focus on the negative aspects increases imposter syndrome that is already prevalent across the industry. This leads to the question, what do you do to maintain sanity and mental health? Jump into Slack or tag @absoluteappsec on social media with your strategies.
    続きを読む 一部表示
    1分未満
  • Episode 278 - Security Conferences, Testing Data in Git, Unforgivable Vulnerabilities

    Episode 278 - Security Conferences, Testing Data in Git, Unforgivable Vulnerabilities
    2025/03/04
    Seth and Ken return without a guest to discuss recent news, breaches, and research. Initial discussions around the purposes of the various security conferences and what is recommended for various professional levels. An article discussing recent customer data exposure by Zapier in git test data. Synthetic test data has been an issue for long time so not a surprising turn of events. Finally, thoughts on the definitions and classification of Unforgivable Vulnerabilities as proposed by the UK's National Cyber Security Centre.
    続きを読む 一部表示
    1分未満
  • Episode 277 - w/ Kyle Rippee - AppSec Support, Security Red Flags, Getting Into AppSec

    Episode 277 - w/ Kyle Rippee - AppSec Support, Security Red Flags, Getting Into AppSec
    2025/02/25
    Kyle Rippee, currently staff product security engineer at Tines, joins Seth and Ken for another episode of Absolute AppSec. Kyle has over a decade of experience both managing and working for Application Security teams, as well as working as a pentester, security consultant, and software engineer. Before Tines, he worked for PlanetArt (where he held the role of Director of Information Security), FloQast, Shutterfly, Atos, among other Product Development and Security Consulting firms. Join us as we discuss Kyle's path into application security as well as finding out more about the interesting things going on at Tines.
    続きを読む 一部表示
    1分未満