Absolute AppSec cover art

Absolute AppSec

Absolute AppSec

By: Ken Johnson and Seth Law
Listen for free

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
Episodes
  • Episode 321 - The Future of AppSec

    Episode 321 - The Future of AppSec
    May 19 2026
    In episode 321 of Absolute AppSec, the co-hosts dive into a sprawling discussion about the future of Application Security amid the heavy noise of artificial intelligence and automated tools. The hosts start with a debate on whether traditional AppSec fundamentals remain relevant. Drawing analogies to the industrialization of car manufacturing and the transition to autonomous labor, they predict that while line-by-line coding and manual code reviews are fading, human intuition, safety guardrails, and system management will remain indispensable. They voice mutual frustrations with modern university cybersecurity curricula for overemphasizing abstract theories while neglecting hands-on operational tools. Despite the rising trend of vibe-coding and the reality of AI-generated bugs, Seth and Ken argue that core principles, such as networking, authentication, authorization, and auditing (AAA), remain fundamentally unchanged. To illustrate this point, they examine how passkeys operate via asymmetric public-private key pairs under the WebAuthn spec. They conclude that as the software landscape becomes increasingly abstracted, the primary responsibility of a senior security generalist shifts from executing manual tasks to auditing, managing, and validating agentic autonomous workflows.
    Show More Show Less
    Less than 1 minute
  • Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout

    Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout
    May 12 2026
    Ken is away, so Stefan Edwards (lojikil) joins Seth to talk all things AppSec. This episode starts by exploring the acceleration of AI on the offensive side of security, enabling threat actors to automate complex tasks like patch diffing, gadget discovery, and reverse engineering binaries. The conversation highlights a recent milestone where an AI-driven tool, Mythos, successfully identified a vulnerability in curl, signaling a shift from "AI slop" to more relevant bug reports. However, Stefan remains skeptical of LLMs' ability to build secure, large-scale systems, noting their tendency to produce rigid or inconsistent code structures. This imbalance creates a "bad time for defenders," as blue team burnout increases due to the sheer volume of automated agents scanning attack surfaces near-instantaneously. The hosts conclude that while AI provides a "godsend" for testing neglected legacy applications, organizations must return to security basics—such as the principle of least authority and robust disaster recovery—to manage the expanding blast radius of modern breaches. Ultimately, they view AI as a fast, knowledgeable "junior" that requires human expertise to validate and orchestrate effectively.
    Show More Show Less
    Less than 1 minute
  • Episode 319 - Vercel Breach, Security vs. Compliance, Pull Request Flows w/ AI Agents

    Episode 319 - Vercel Breach, Security vs. Compliance, Pull Request Flows w/ AI Agents
    Apr 21 2026
    Episode 319 covers a range of industry developments, primarily focusing on the recent Vercel security incident and the evolving landscape of AI-driven compliance. The hosts detail how a Vercel employee's use of a consumer-level Context AI plan led to a workspace compromise via a leaked OAuth token, eventually allowing attackers to access sensitive environment variables. This leads to a critical discussion about the SOC 2 provider Delve, with the hosts addressing allegations regarding "fake" compliance automation and the general limitations of auditing frameworks that do not inherently equate to true security. This episode also explores the future of the Pull Request (PR) flow, debating whether traditional human-led code reviews are "dead" due to the massive volume of code generated by AI agents. While they acknowledge that startups are moving toward autonomous commits, Seth argues that the PR concept is evolving into a system of agentic attestation and guardrails rather than disappearing entirely. The episode concludes with community survey results on this shift and a reminder about the hosts' upcoming training sessions in Singapore.
    Show More Show Less
    Less than 1 minute
adbl_web_anon_alc_button_suppression_c
No reviews yet