エピソード

  • Episode 276 - w/ Myles Borins - NPM

    Episode 276 - w/ Myles Borins - NPM
    2025/02/18
    Myles is currently Product Lead for Developer Platform at Snowflake. Previously, he directed project management at GitHub, overseeing projects like GitHub Copilot Workspace for PRs, Codespaces, npm, and Packages. A key contributor to Ecma International and TC39, he has served for stretches as a Delegate, Co-Chair, and VP for the project. His contributions to TC39 coincided with his periods he worked for both Google and Microsoft, respectively. In addition to extensive experience driving security and standards improvement in open source initiatives and key development languages, Myles is an active and accomplished musician. Catch up with Myles and his work here: https://mylesborins.com/about.html. We are excited to have Myles as a guest on the show, so be sure to catch up with this episode and make a note that this episode is occurring one hour earlier than the typical livestream broadcast time.
    続きを読む 一部表示
    1分未満
  • Episode 275 - OpenGrep Summary, Secure By Design, Confusion Attacks

    Episode 275 - OpenGrep Summary, Secure By Design, Confusion Attacks
    2025/02/11
    Ken and Seth are back for another episode that starts with a summary of the Semgrep and OpenGrep break. This is followed by Google's recent article titled Secure By Design: Google's Blueprint for a High-Assurance Web Framework. Google is focused on protections within the browser, given their products and business, but the controls and overall process are relevant to most application security programs. Finally, a discussion of Orange Tsai's research on Confusion Attacks within Apache that was number one in Portswigger's Top 10 Web Hacking Techniques of 2024.
    続きを読む 一部表示
    1分未満
  • Episode 274 - Semgrep/OpenGrep, Saying "No" in Security

    Episode 274 - Semgrep/OpenGrep, Saying "No" in Security
    2025/02/04
    Seth and Ken return for another week to review current articles and happenings in the application security world. Specifically, they spend some time reacting to the news that the Semgrep Community version has been forked as Opengrep by a number of vendors. This occurs as a result of Semgrep changing the licenses on their open source rules to prevent use in competitor products. Also a discussion spurred by Rami McCarthy's recent article on how "No" is still appropriate and security shouldn't be a rubber stamp for any organization.
    続きを読む 一部表示
    1分未満
  • Episode 273 - Josh Larsen - Ghost Security

    Episode 273 - Josh Larsen - Ghost Security
    2025/01/28
    Josh Larsen, co-founder of CTO of Ghost Security, joins Seth Law and Ken Johnson on January 28th at 12 Noon Eastern time. Before Ghost Security, Josh was a co-founder and CEO of Darkbit and before that of the Blackfin Security Group. Larsen led the GTM strategy for both startups, and Darkbit and Blackfin Security Group were acquired by Aqua Security and Symantec Corporation, respectively. Ghost Security (https://ghostsecurity.com/) was founded so development shops and AppSec teams had a tool to perform autonomous application security using Agentic AI with the goal of helping teams discover, test, and mitigate risks in real time. Josh (joshlarsen on Linked In, @josh_larsen on X/Twitter) has been in the industry for 25 years working as a security program manager and consultant as well as building products that improve the security landscape. Be sure to tune in as Seth and Ken talk through his experiences in the field as well as gleaning his insights about the future of AppSec.
    続きを読む 一部表示
    1分未満
  • Episode 272 - New AI Tools, True Cost of False Positives

    Episode 272 - New AI Tools, True Cost of False Positives
    2025/01/21
    Ken and Seth start with a demo and discussion on some newer tools that use integrated AI in both the code and workflow spaces. Specifically, use for code review and understanding is improving. This is followed by a wide-ranging discussion of false positives, where they come from, and how they affect application security. Seth gets up in arms about trying to deal with unrealistic expectations around reducing false positives.
    続きを読む 一部表示
    1分未満
  • Episode 271 - Top 10 2024 Web Hacking Techniques, Research Techniques, AppSec Careers

    Episode 271 - Top 10 2024 Web Hacking Techniques, Research Techniques, AppSec Careers
    2025/01/17
    Seth and Ken return once again to talk through the overall effectiveness and purpose of Portswigger's Top 10 Web Hacking Techniques and how it benefits the community. A short discussion on some of the current crop of techniques up for polling. Spurred by recent revelations around Snyk's approach to identifying security issues in npm packages, the duo discusses research techniques and identifying security issues without exploitation or harm. To close out, a discussion on progressing from junior to senior within the security space and challenges in the current market.
    続きを読む 一部表示
    1分未満
  • Episode 270 - 2025 AppSec Predictions

    Episode 270 - 2025 AppSec Predictions
    2025/01/07
    Ken and Seth return for 2025 to review the accuracy of their predictions from 2024 and make a few new ones for this new year. Some hits and misses for last year, but overall the generic predictions for both AI/LLM growth and software supply chain security were accurate. However, they were wrong in their assumptions around LLM creation and training. For 2025, predictions on AI billing models, software supply chain attacks, OWASP Top 10 2025, and more.
    続きを読む 一部表示
    1分未満
  • Episode 269 - Security Conferences, What Sucks in (App)Sec

    Episode 269 - Security Conferences, What Sucks in (App)Sec
    2024/12/17
    The dynamic duo is back for another holiday special. Not that they reference the holidays, but dig into complaints about security conferences and how to build a conference network. Followed by a discussion inspired by a recent TL;DRSec post from Maya Kaczorowski on "What Sucks about Security" where security leaders were asked that specific question. This leads into the question "What Sucks in AppSec?", so the co-hosts give their responses.
    続きを読む 一部表示
    1分未満