Podcasts by Absolute AppSec
A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.
All episodes
Episode 22: Jimmy Mesta from 2023-12-12T19:02:31.041731
Ken and Seth are joined by Jimmy Mesta (@jimmesta) to talk about Kubernetes and container security.
Episode 21: Alex Smolen from 2023-12-12T19:02:31.036548
Ken and Seth are joined by Alex Smolen (@alsmola) to talk about current events, cloudtrail audit, and webauthn.
Episode 12: Justin Collins from 2023-12-12T19:02:30.993408
Ken and Justin Collins join from LocoMocoSec to discuss static analyzers.
Episode 226 - Security Reviews, CVE-2023-46214 from 2023-12-05T11:00
Ken and Seth decide whether the idea of security reviews is dead, spurred on by a recent blog post by Frank Wang on doing away with the current perception of reviews. This is followed by a walkthr...
Episode 225 w/ Brian C Reed from 2023-11-28T11:00
We are excited to have Brian C Reed, chief mobility officer at NowSecure, as a special guest on the Absolute AppSec podcast. Brian has specialized in mobile security, and his company NowSecure works...
Episode 224 w/ Jeevan Singh from 2023-11-14T11:00
Jeevan Singh (@askjeevansingh) returns to join Ken Johnson (cktricky on Twitter) and Seth Law (sethlaw) as a guest on the podcast! Jeevan is currently with Rippling, was previously the Director of ...
Episode 223 w/Stefan Edwards - OWASP, Privacy from 2023-11-07T11:00
When cktricky is away, the lojis will play. Stefan Edwards co-hosts an episode with Seth in what ends up bypassing the AI hype to discuss the current state of OWASP. In short, things are murky but ...
Episode 222 w/ Leif Dreizler from 2023-10-23T11:00
Ken Johnson (cktricky) and Seth Law (@sethlaw) welcome Leif Dreizler back on the show! Leif recently became a Senior Manager of Software Engineering at Semgrep (semgrep.dev), spent the better part...
Episode 221 - Interviews, Breach, AI Tools from 2023-10-19T11:00
Seth and Ken are back to review some recent news and community discussions. Specifically, the duo talks about the use of coding requirements and projects during interviews for application security....
Episode 220 w/ Erik Cabetas (Include Security) from 2023-10-10T11:00
Erik Cabetas, founder and managing partner of Include Security joins Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw). Erik has been running Include Security for the last decade, and befo...
Episode 219 w/Jason Haddix - Discovery Tools, Security Research from 2023-10-03T11:00
Seth and Ken are joined last minute by Jason Haddix (@jhaddix). Conversation about DEF CON talks, use of LLMs in research, and recently released tools.
Episode 218 w/ Cole Cornford - Security Startups, Developer Training from 2023-09-19T11:00
Ken (cktricky on Twitter) and Seth (sethlaw) welcome Cole Cornford (https://www.colecornford.com) to Absolute AppSec for a discussion on running a security startup and the future of security traini...
Episode 217 w/ Shlomi Shaki - Security Tooling from 2023-09-07T11:00
Shlomi is back! Shlomi Shaki, GitHub’s head of Asia-Pacific-Japan advanced security sales and all around thoughtful observer of the world of application security is back on the podcast with Ken Joh...
Episode 216 - Security SDLC, Time Management from 2023-08-29T11:00
Ken and Seth are back with another episode where they try _not_ to cover more on LLMs and AI. Specifically, they talk about the basics of implementing security into an SDLC. A long conversation and pers...
Episode 215 - Learning Machine Learning, DEF CON 31 Recap from 2023-08-22T11:00
Seth and Ken run through their experiences implementing Machine Learning for different application security activities. A breakdown of the duo's experience at DEF CON 31, interesting talks, and happy...
Episode 214 - Artificial Intelligence and Security with @lojikil from 2023-08-08T11:00
A very special pre-DEF CON episode with @lojikil (aka Stefan Edwards). Seth and Stefan dig into various security aspects of artificial intelligence and the recent hype cycle around large language m...
Episode 213 - Brian Joe of Impart Security from 2023-07-25T11:00
A special episode with Brian Joe (brianwjoe on LinkedIn), head of product and co-founder of Impart Security (impart.security). Brian has a background with Signal Sciences, Fastly, and Verizon. He p...
Episode 212 - Evan Johnson of RunReveal from 2023-07-11T11:00
With some interesting developments going on at RunReveal, Evan Johnson joins Seth and Ken to discuss monitoring of security logs (hurray! Seth's favorite Crocs and Socks topic) and RunReveal's open...
Episode 211 - Brian Walter of OpenContext from 2023-06-20T11:00
Ken Johnson (@cktricky) and Seth Law (@sethlaw) host Brian Walter (@bdwalter), co-founder and CEO of OpenContext (opencontext.com), tech industry veteran with leadership stints at device-reputation...
Episode 210 - Approaching Scans, AppSec Research, Threat Modeling from 2023-06-13T11:00
From depths comes a rumbling, and it carries the whisper of AppSec on its breath! Seth and Ken dig into approaches to conducting client scans and processing results. A review of recent research int...
Episode 209 - James Wickett, Contextual Security Analysis from 2023-06-06T11:00
Join us for a special episode of Absolute AppSec with James Wickett (@wickett on twitter), the co-founder of DryRun Security (dryrun.security), creator of the Lonestar Application Security Conferen...
Episode 208 - Zip TLD, PyPI 2FA, AI Poisoning from 2023-05-30T11:00
Beware! It’s double ides of May! (Proviso being that you add the integers and not the 1/2s). Sponsored by @redpointsec, an application security firm that specializes in code security by and for cod...
Episode 207 - Watering Hole Attacks, Adversarial AI, Cookie Security from 2023-05-23T11:00
Hello! We’re just a podcast, standing in front of you, aching to be the SYN to your ACK. Seth and Ken are back to talk about how the PyPI repo is experiencing an attack from multiple malicious pack...
Episode 206 - RSA, Artificial Intelligence, Spidering Tools from 2023-05-04T11:00
Seth Law and Ken Johnson are back this week. In this show, Seth and Ken discuss what the RSA conference did (and did not) reveal about the current state of #applicationsecurity, #appsec, #crocsands...
Episode 205 - Decline of AppSec, Death of Code Review from 2023-04-18T11:00
Finally returning to the podcast after a couple weeks of travel, training, and speaking, Seth and Ken are back for more, including their own takes and opinions on the decline of application security an...
Episode 204 - Logging, Edge Cases, Client API Exposure from 2023-03-28T11:00
The dynamite duopoly that is Ken and Seth are back to take the AppSec news by storm. Starting with Seth's favorite topic of Auditing or Logging, Ken brings up the recent Okta vulnerability report r...
Episode 203 w/ Shlomi Shaki - Security Tools from 2023-03-21T11:00
Joining Seth and Ken is Shlomi Shaki, a tech exec with GitHub who directs sales resources related to Application Security and Product Security in the APJ region. Discussion revolves around adoption of sec...
Episode 202 w/ Haseeb Awan - Mobile Security from 2023-03-14T11:00
Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw) interview Haseeb Awan (@haseeb) founder and CEO of Efani, a mobile service provider focused on security.
Episode 201 - Breaches, Package Managers, Audit Logs from 2023-03-07T11:00
A lot has happened since the 200th (!!!) episode of the podcast, so we bring another episode with a discussion of recent events, sites, and interesting finds. First up is a discussion of recent...
Episode 200 w/ Jerry Gamblin - Startups, CVEs from 2023-02-28T11:00
Jerry Gamblin joins Seth and Ken for the 200th episode of the podcast. The discussion starts with a lengthy analysis of startup culture, security startups, and gotchas to be aware of when employed...
Episode 199 - OWASP, Phishing, Eurostar from 2023-02-14T11:00
After a number of guest appearances, Ken and Seth are flying "duo" to talk through recent news across the industry. Starting with analysis of the recent OWASP Change petition that has surfaced to a...
Episode 198 with Laura Bell Main - Training from 2023-02-07T11:00
Laura Bell Main, founder and CEO of safestack.io (@lady_nerd on twitter and check out her website https://laurabellmain.com to acquaint yourself with her work and recent publications), joins Seth a...
Episode 197 with Sal Olivares - Exposed API Tokens from 2023-01-31T11:00
Sal Olivares, Senior Software Engineer from segment.io, joins Seth and Ken to discuss his experience with and recent blog post related to security token scanning and revocation. Sal was involved wi...
Episode 196 - API Reviews, Web App Security Features from 2023-01-24T11:00
Seth and Ken dig into a topic that was raised by a member of our Slack community. The initial half of the show reviews both the risks and dynamic or static review items associated with microservice...
Episode 195 - 2022 CVEs, CORS, GraphQL from 2023-01-17T11:00
Ken (@cktricky) and Seth (@sethlaw) take a step away from the news to review technical articles and research released in the last couple of weeks. This includes analysis done by Jerry Gamblin on to...
Episode 194 - Frank Wang (dbtlabs) - Organization Security, AI/ML from 2023-01-10T11:00
Frank Wang from dbtlabs (@ffwang2 on twitter) joins Seth and Ken for a discussion on current security landscape, artificial intelligence, and machine learning. Follow Frank on twitter or through hi...
Episode 193 - Security Metrics, End-User Security from 2022-12-20T11:00
@cktricky and @sethlaw host another episode starting with a lengthy discussion on security metrics spurred by a recent post by Leif Dreizler (@leifdreizler). Security metrics are highly specific and...
Episode 192 - Blogs, GoLang Security, ChatGPT from 2022-12-13T11:00
What do _you_ want for an AppSec Christmas! Another episode featuring Ken and Seth, for sure. The duo starts the conversation talking about useful AppSec and Security Blogs while featuring a recent...
Episode 191 - DNS Attacks, Organizational Risk, Mastodon from 2022-11-29T11:00
Going into the final month of 2022, the dynamic duo graces us with their presence. It begins with discussion of DNS Attacks based on Kaminsky-style attacks spurred by research presented at DeepSec ...
Episode 190 - Immutable Laws of Security from 2022-11-08T11:00
Ken and Seth break down the recently-released Immutable Laws of Security from Microsoft's Security Best Practices recommendations. Points of special interest being "Cybersecurity is a team sport", ...
Episode 189 - Security Bypasses, AppMap, Dastardly from 2022-11-01T11:00
Seth and Ken kickoff another unique discussion by looking at a recent scholarly paper on security bypasses and workarounds by health care workers. Followed by a demo of AppMap, a development tool t...
Episode 188 - Security Training, Zero Trust, Rating of IoT Security from 2022-10-18T11:00
What's that you say? There is no such thing as "done" with application security? Are our Sisyphean hosts (@cktricky and @sethlaw) therefore doomed to ever push this rock up the mountain, just to di...
Episode 187 - Hacking your Health, Fortinet, Secrets in Source from 2022-10-11T11:00
Back once again, Ken and Seth riff off of recent health discussions to talk about hacking health and maintaining a decent work/life balance. Discussion of recent Fortinet authorization issue and h...
Episode 186 - Security Trainings, Web3 Bounties, MFA from 2022-10-04T11:00
Ken is back in the land of the living, so of course he and Seth dig into the current state of information security training, how SCORM is the worst for developer training, and what goes into creati...
Episode 185 - Daniel Ting (hoodiepony) - Breaches, Optus, Uber from 2022-09-27T11:00
Ken (cktricky) is out sick today, so Seth is joined by Daniel (https://twitter.com/hoodiepony) from Australia to talk about recent breaches. Specifically, the recent breach of Optus in Australia h...
Episode 184 - Sources, Payloads, Patreon, Ethereum, Starbucks from 2022-09-15T11:00
Ken is back to lead a discussion on identification of interesting sources for the podcast and specifically how XSS just is not as interesting to him and Seth as it was a decade ago. A new project f...
Episode 183 - Information Warfare w/LegendaryPatMan from 2022-09-06T11:00
Ken is away, so Loji comes to play. Absolute AppSec is hosted this week by Seth and Stefan (@lojikil) to go outside the normal topics of application security to address questions about information ...
Episode 182 - Twitter, LastPass, Testing Edge Cases from 2022-08-30T11:00
A late decision to record an episode this week after thinking it would be scratched due to life ended up with a long discussion on the recent Twitter drama and whistleblower revelations around thei...
Episode 181 - (Post DEFCON) from 2022-08-23T11:00
Finally returned from the wasteland that is Las Vegas, or at least the fun that is #hackersummercamp and #defcon30, Ken and Seth break down their different experiences and impressions from the conf...
Episode 180 - Logging! Attacks! from 2022-08-10T11:00
It's time for hacker summer camp, so the duo starts out discussing upcoming events and interesting talks. A discussion of LOGGING to warm Seth's heart as it comes to light that logging of sensitiv...
Episode 179 - Starting in AppSec, Threat Modeling from 2022-08-02T11:00
Ken pulls Seth back into an episode to talk through the steps anyone can take to get into Application or Product Security based on some recent articles. True security professionals can come from an...
Episode 178 - Wallet Attacks(!) and Data Privacy from 2022-07-26T11:00
The duo is back and live, with an episode stolen from _some_ headlines. Specifically, a breakdown of various attacks against crypto wallets and how they stem from traditional security risks. Follow...
Episode 177 - That Post-LocoMocoSec Glow from 2022-07-05T11:00
Seth and Ken recap some of their experiences from LocoMocoSec, followed by a discussion on the recent Bugcrowd revelation that an employee attempted to re-submit reports for gain. A review of LaLu...
Episode 176 - Exposed Secrets, Semgrep Rules, IoT Security Failures from 2022-06-21T11:00
Guess what's coming right up!? Another edition of Absolute AppSec with your summer-school hosts, @sethlaw and @cktricky. What are the secrets out there available if one scans the internet? Well, se...
Episode 175 - Web3, JWT Security, Public App Attacks from 2022-06-14T11:00
Late night edition. Now we are tired. Seth and Ken get back to the podcast and dig into Web3 security a bit. A review of the recent blog post from portswigger on JWT security. Finally discussion on...
Episode 174 - Smart Contracts, Code Review Lessons Learned from 2022-05-31T11:00
If there were a magical world where mensch-y podcasters (@cktricky and @sethlaw) discuss smart contract vulnerabilities, secure code review experiences, and package takeover attacks, wouldn't you l...
Episode 173 - Enumeration Attacks! from 2022-05-24T11:00
Yet ANOTHER episode of Absolute AppSec with Seth and Ken! User enumeration vulnerabilities are the order of the day. Seth digs in on an interesting #talesfromconsulting where security questions, a...
Episode 172 - Jimmy Mesta - Kubernetes, Startup Adventures from 2022-05-17T11:00
Jimmy Mesta (@jimmesta) of KSOC joins Ken and Seth to talk about Kubernetes Security and startup adventures with KSOC. This leads to a discussion on the OWASP's Top 10 Kubernetes Project and how al...
Episode 171 - Ruby Deserialization Walkthrough, Domain Takeovers from 2022-05-10T11:00
Ken and Seth are back to talk about potential of package hijacking based on DNS takeovers due to domain expirations. Ken provides a walkthrough of Ruby Deserialization techniques based on recent ne...
Episode 170 - Security Basics, Social Engineering, Plan for Failure from 2022-05-03T11:00
Seth and Ken return with a discussion of security basics and failures resulting from lack of security hygiene. As a developer, security engineer, or a CISO, it's important to recognize that breaches...
Episode 169 - Finding Security Bugs from 2022-04-26T11:00
Seth and Ken return to the podcast and spend the episode reviewing the recent keynote from Mark Dowd at OffensiveCon 22 about the process he uses to find bugs in software.
Episode 168 - Secure Code Review, Package Confusion, Privacy Acts from 2022-04-19T11:00
What's that sound?! Could it be the Absolute AppSec train coming 'round the bend, set to deliver @cktricky and @sethlaw's timely takes on Application Security news?! This episode starts with an in-...
Episode 167 - Ken Toler - Cryptocurrency, Spring4Shell from 2022-04-05T11:00
A pair of Kens. A quick discussion on Spring4Shell and how the exploit takes advantage of Java's dynamic configuration options along with data binding, aka mass assignment, vulnerabilities. Ken Tol...
Episode 166 - Web App Firewalls, ProtestWare, CSP Level 3 from 2022-03-22T11:00
As sands through the hourglass, another episode falls on a Tuesday in late March. It was not _the_ first episode, but it was an episode as Ken and Seth talk about the origins of web application ...
Episode 165 - Portswigger 2021 Top 10, Supply Chain Attacks, TLS Certs from 2022-03-15T11:00
Welcome to the latest nihilism and bitch session. In this episode, Seth and Ken review Portswigger's Top 10 list of the "most significant web security research released in the last year". Discussio...
Episode 164 - Supply Chain Security, Cyber Attacks, 2FA, AutoWarp from 2022-03-08T11:00
What now? Another episode? You have to be kidding me. Now I get to write another summary per my job description. At least this episode covers some security topics such as Software Supply Chain Secu...
Episode 68: Jerry Gamblin, DEF CON 27 Recap from 2022-03-07T00:21:26.751579
Jerry Gamblin (@jgamblin) joins Seth and Ken to talk about #hackersummercamp, DEF CON 27, and all things Vegas. Discussion includes NULL license plates, software bill of materials, and more.
Episode 163 - IT Army, Secrets, Access Control from 2022-03-01T11:00
And we are live, with our 163rd episode of Absolute AppSec. Say hi to Ken and Seth once again as they start out with a discussion on the IT Cyber Army and issues with enlisting to help in cyber attac...
Episode 162 - Mike McCabe (@mccabe615) - Cloud Security from 2022-02-22T11:00
After a week's hiatus, the Absolute AppSec-ers return with guest Mike McCabe (@mccabe615) to talk about all things Cloud Security. Discussions on cloud security tools, various differences between A...
Episode 161 - Language Semantics, Blockchain Validations, Pentest Stories from 2022-02-08T11:00
A blast from the past as Ken and Seth reminisce about past penetration testing and security stories. A discussion of language semantics and how programming language basics are similar to spoken lan...
Episode 160 - Mental Health, Open Source Bug Bounties, IDOR from 2022-02-01T11:00
The duplicitous duo returns with another episode that starts out in left field away from security topics by addressing mental health and how to keep sane when life gets busy, in both good and bad w...
Episode 159 - Neil Matatall - CSP, Infosec Hiring, Languages + Framework Security from 2022-01-25T11:00
Ken and Seth are back to talk with a blast from the past. Neil Matatall (@ndm) of Twitter, Github, and now TikTok fame joins the discussion (again) to talk about CSP. The conversation wanders from ...
Episode 158 - More Supply Chains, 2021 Top Ten, CORS + CSRF from 2022-01-18T11:00
Yet another episode. Always something to discuss. Ken and Seth talk about a recent article covering *theoretical* software supply chain exploits and how this will be a big thing this year. A review...
Episode 157 - 2022 Predictions, Schema Libraries, NPM and Open Source Packages from 2022-01-11T11:00
NEW YEAR, NEW SECURITY MADNESS! The duo is back with their application security predictions for 2022. A discussion on 3rd party library differences, in particular how URL/URI Schema libraries and p...
Episode 156 - Stefan Edwards (@lojikil) - Open Source Software, Software Bill of Materials from 2021-12-21T11:00
As we get ready for the holidays, we only want to talk about log4hell and bill of materials. Please let it end, please, oh please. A surprise visit by Stefan Edwards (@lojikil) to address all thing...
Episode 155 - Log4Hell, Boring AppSec, Crocs and SOCs from 2021-12-17T11:00
Tis the season... for 0 days. Discussions on the ever-present Log4j issue that the whole industry is dealing with. Kernelcon training announcements, dealing with varying expectations of clients and...
Episode 154 - Conferences, Cloud Security, Software Supply Chain from 2021-12-07T11:00
It's one of those days, must be Q4. View of tech conferences as an outsider. An analysis of data from Google's "Threat Horizons" report and what it tells us about Cloud Security. A few items relate...
Episode 153 - Fuzzing, Authentication, Browser Wars (again) from 2021-11-30T11:00
Our last episode before it's December!!! Where oh where did 2021 go? Seth and Ken wrap up a conversation on fuzzing strategies for HTTP Requests. A discussion on the difficulty of authentication and...
Episode 152 - Breaches, Symbolic Execution, Dynamic vs. Static Assessments from 2021-11-23T11:00
Gobble gobble! It is that time of the year again to stuff our faces... WITH APPSEC! A discussion on breach notification related to the recent GoDaddy disclosure. Understanding symbolic execution wi...
Episode 151 - Secure Code Review, Software Interdependency from 2021-11-16T11:00
Ahem, Seth and Ken return with a live code review of a recently seen authentication routine. A discussion of software interdependence and the issues it creates (such as SSRF). In other words, 151 a...
Episode 150 - Jerry Gamblin - NVD CVEs, Vulnerability Disclosure, Burp Cert from 2021-10-26T11:00
Jerry Gamblin makes a return to the podcast to talk about recent events in Missouri and how _not_ to respond to responsible vulnerability disclosure. A discussion on the increase of CVEs showing up...
Episode 149 - Burnout, AppSec News Sources from 2021-10-19T11:00
Just two old men bi***ing and moaning about App Sec and the price of a good pair of New Balances. Real discussion on dealing with burnout and imposter syndrome. How to stay engaged and interested w...
Episode 148 - Facebook, Phrack, Paved Path from 2021-10-05T11:00
Strange things are afoot at the Circle K. Facebook outage and BGP routing. A new issue of phrack released on Oct 5 results in a discussion on the good ol' days, BBSes, and the commercialization of sec...
Episode 147 - James Kettle (@albinowax), Security Research from 2021-09-21T11:00
The one and only James Kettle (@albinowax) of Portswigger joins Seth and Ken to talk about his path into security, HTTP request smuggling, and how to perform security research.
Episode 146 - OWASP Top 10, Bug Bounties with @JHaddix, Request Smuggling from 2021-09-14T11:00
Now with the latest in old people ramblings. Discussion about the OWASP Top 10 Draft list and how the Top 10 should be used as an awareness document. Discussions on bug bounties with surprise guest...
Episode 145 - Return of @cktricky, Burnout, Bumble Vuln, Brute-Forcing from 2021-08-26T11:00
@cktricky is _back_ with a newfound lease on life (and application security). The duo discusses in-person vs. virtual conferences, DEF CON 29, burnout, vulnerabilities in dating apps. A demonstrati...
Episode 144 - Fuzzing, Radamsa, Property Testing from 2021-08-17T11:00
With @cktricky still on hiatus, @sethlaw and @lojikil talk fuzzing, property testing, semantic analysis and demo radamsa.
Episode 143 - HTTP/2, Black Hat/DEFCON, Kubernetes from 2021-08-10T11:00
With @cktricky out adventuring, @sethlaw is joined by a familiar face (@lojikil) to dive deeply into recent research presented at Black Hat/DEF CON, HTTP/2, and how everything old is new again.
Episode 142 - AI Code Generation, Puma Scan, HTTP Request Smuggling from 2021-07-20T11:00
Dreamin', Beamin', and Streamin' about using artificial intelligence (AI) to generate code (*cough*, *cough*). When and where to use automated source code analysis tools, specifically Puma Scan for...
Episode 141 - print(), Cross-Site Scripting (XSS), RiskIQ, Amass Demo from 2021-07-13T11:00
Just two grumpy old men with some AppSec sprinkled in. Topics this week include new research from portswigger using print to bypass new Chrome XSS iframe restrictions, how XSS is still the best (an...
Episode 140 - Naomi Buckwalter - Gatekeeping, Developing AppSec Resources from 2021-06-29T11:00
Naomi Buckwalter (@ineedmorecyber) joins Ken and Seth in a discussion about security gatekeeping, how anyone can get into application security, and the relationships between development and security.
Episode CXXXIX - Return of the @lojikil (Stefan Edwards) from 2021-06-22T11:00
Stefan returns and we pick his brain about information security degrees, format strings, and different testing methodologies. Then we spend most of the episode googling the words that come out of h...
Episode 138: Ransomware from 2021-06-15T11:00
The duo is back to talk about consulting scheduling and ransomware. Somehow this evolved to a discussion on Hipster Vulns and how auditing is the Crocs-n-SOCs of application security.
Episode 137: CSRF, GraphQL, Kubernetes, Docker, NoSQL Injection from 2021-06-08T11:00
Live from their parents' basement and dripping with tin foil - Seth and Ken talk about how CSRF is a thing in GraphQL. Kubernetes gets an intentionally-vulnerable setup, and you should definitely c...
Episode 136: AppSec Nihilism and Breaches from 2021-06-01T11:00
Back off of a week's break, Seth and Ken catch up on breach news. A return of security nihilism is also in order based on recent breaches and exploits.
Episode 135: GoSDL, Language Choice, Kenna, Dependency Confusion from 2021-05-18T11:00
Punchy and Grumpy are back at it starting with a discussion on GoSDL and how it integrates with developer workflows. Followed by a discussion on language choice/experience, Cisco's acquisition of K...
Episode 134: Legal Protections, Browser Sanitization APIs, Burnout from 2021-05-11T11:00
Statler and Waldorf meet again to discuss legal protections when conducting security testing, new browser APIs for sanitization of user-supplied content, how XSS is boring, and techniques for deali...
Episode 133: Rob Shavell - Privacy from 2021-05-04T11:00
Rob Shavell from Abine.com joins Seth and Ken to talk about data privacy, social media, and industry concerns with tracking.
Episode 132: Supply Chain Attacks, What I Wish I Knew Starting in Security from 2021-04-27T11:00
Ken and Seth are the dynamic duo revealing what they wish they knew starting in security and as a penetration tester. Also a discussion about supply chain attacks and a tribute to the late Dan Kami...
Episode 131: Jeevan Singh - Threat Modeling from 2021-04-20T11:00
Jeevan Singh from Segment joins Seth and Ken to discuss the recently-released, open source threat modeling training material.
Episode 130: Facebook 'Breach', Data Privacy from 2021-04-13T11:00
Ken and Seth break down the Facebook 'Breach', aka data collection and different views on dealing with that data. The discussion continues with privacy data and how far we should trust any social m...
Episode 129: Rey Bango - JQuery, Developer Relations, Security Education from 2021-04-06T11:00
Rey Bango (@reybango) from Veracode joins Seth and Ken to talk about his path into security. Topics include JavaScript, JQuery, building relationships between security and relations, and how to edu...
Episode 128: Stefan Edwards/David Coursey - PHP, Backdoors, and AppSec Nihilism from 2021-03-30T11:00
Seth hosts Stefan Edwards (@lojikil) and David Coursey (@dacoursey) discussing PHP's recent backdoor, probable fixes including code commit signing and the move to GitHub. The discussion covers ease...
Episode 127: Regexes, WAFs, Secondary Contexts from 2021-03-23T11:00
Seth and Ken discuss the role of regular expressions in routing of web application requests. Discussion covers basics of routing, exploitation of secondary contexts, and bypassing of web applicatio...
ListenEpisode 126: Junior AppSec Positions, Phishing Site Detection, Client-side JavaScript from 2021-03-16T11:00
Seth and Ken are back on another Taco Tuesday to talk through getting into application security and how to support those new to the field. Also a discussion on phishing sites that detect VMs and ot...
ListenEpisode 125: Interviews, SQLi, Concurrency, Wordpress from 2021-03-09T11:00
Seth and Ken discuss interviewing techniques for technical resources, SQL injection in the media and Github's recent concurrency vulnerability. Also a discussion on recent WordPress plugin vulnerab...
ListenEpisode 124: 2020 Top 10 Web Hacking Techniques, Development vs. Security from 2021-03-02T11:00
Seth and Ken discuss Portswigger's Top 10 Web Hacking Techniques of 2020, specifically injection attacks through images in PDFs and reverse proxies. Further discussion on creativity in development ...
ListenEpisode 123: Client-Side Controls, Dependency Confusion from 2021-02-23T11:00
Seth and Ken discuss client-side controls and 3rd-party JavaScript security features. Confused deputy vulnerabilities (dependency confusion) in the news.
Episode 122: Brian Glas (@infosecdad) - OWASP Top 10 2021 from 2021-02-18T11:00
Seth and Ken welcome back Professor Brian Glas (@infosecdad) to dispel the recent OWASP Top 10 2021 speculation and rumor. We talk through the origins and purpose of the OWASP Top 10 as well as the...
Episode 121: Stefan Edwards (@lojikil) - Formal Specification, Fuzzing, LangSec from 2021-02-02T11:00
Stefan Edwards (@lojikil) once again joins Seth and Ken to talk all things LangSec (language security). Discussion ranges from manual vs. automated testing to fuzzing to semantic analysis to formal...
Episode 48: .dev domains, Kubernetes Secrets, Threat Modeling as Code, OWASP Glue Project and Omer Levi Hevroni from 2021-01-31T22:10:42.023393
Seth and Ken discuss recent events with the .dev domain and why developers should care. Omer Levi Hevroni (@omerlh) stops by to talk about the OWASP Glue Project, the Kamus project for managing Kub...
Episode 49: Subdomain Takeovers, DNS SSRF, OAuth Best Practices, Top 10 Web Hacking Techniques of 2019 from 2021-01-31T22:10:42.023393
Seth and Ken talk through subdomain takeover vulnerabilities at large companies and identification of DNS SSRF. Ken walks through a few OAuth best practices. A look at the Portswigger list of Top ...
Episode 50: Static Analysis Tools, DevSecOps, Secure Code Training with Eric Heitzman from 2021-01-31T22:10:42.023393
Seth and Ken talk about number 8 in the top web hacking techniques of 2018. Discussions on static analysis tools and approach to using them. Eric Heitzman joins to talk about his background, DevSe...
Episode 120: OWASP Top 10 2021, Researcher Attacks, Parler, Phishing from 2021-01-26T11:00
Seth and Ken discuss the proposed 2021 OWASP Top 10 Risks, North Korean attacks against security researchers, password managers, latest in Parler de-platforming, and phishing possibilities.
Episode 119: Bugtraq, Web Cache Poisoning, and Blind SSRF from 2021-01-19T11:00
Seth and Ken wax nostalgic about the old days due to the shutdown of the Bugtraq Mailing List (RIP old friend). Further discussions on web cache poisoning and blind server-side request forgery (SS...
Episode 118: Parler, Twitter, and IDOR from 2021-01-12T11:00
Seth and Ken return with a discussion about application security in the news, including relevance to the Parler "backups". Also discussions about Twitter and latest political developments and how t...
Episode 117: Solarwinds, Timing Attacks, Threat Dragon from 2020-12-22T11:00
The dynamic duo is back for their last podcast of 2020!
Episode 116: Lewis Ardern and Pwnfunction - Client-Side JavaScript Security from 2020-11-24T11:00
Lewis Ardern (@LewisArdern) and Pwnfunction (@pwnfunction) join Seth and Ken to talk client-side JavaScript security and their recent Vue JS blog post. https://portswigger.net/research/evading-defe...
Episode 115: Clint Gibler - Static Analysis with Semgrep from 2020-11-17T11:00
Clint Gibler (@clintgibler) joins Seth and Ken to talk about Static Analysis with Semgrep. Demonstrations of writing rules within Semgrep and how to use it.
Episode 114: Account Enumeration, Github Actions from 2020-11-10T11:00
Seth and Ken discuss account enumeration vulnerabilities and open source tools that take advantage of them. Discussion about the recent Github Actions vulnerability.
Episode 113: Jacob Salassi - Modeling Threats, Risk Assessment from 2020-10-27T11:00
Jacob Salassi (@JacobSalassi) joins us to discuss his developer-driven, standardized threat modeling process. Also discussions on developer empathy, risk assessment, and other topics.
Episode 112: Mark Feferman - Static Analysis Tools from 2020-10-20T11:00
Mark Feferman (@mfeferman) joins Seth and Ken to throw down about automated static analysis tools. Discussion of application security talent (or lack thereof) and 'shifting left'.
Episode 111: Bug Bounties, Detection as Code from 2020-10-13T11:00
Seth and Ken dig into strange requests when running bug bounty programs, recent revelations on Apple security research, and detection as code.
Episode 110: Reserved Words, Authentication, Developer Patterns from 2020-10-06T11:00
Back at it like a phrack addict to talk reserved words, authentication flaws in apps and Grindr, and recognizing insecure patterns during development.
Episode 109: Threat Modeling, Social Media, Imposter Syndrome from 2020-09-22T11:00
We are back with a Seth and Ken only episode to talk about the evolution of threat modeling, the documentary "The Social Dilemma", mental health, and imposter syndrome.
Episode 108: Sean Poris - Bug Bounties and H1-2010 from 2020-09-15T11:00
Sean Poris (@skp00) joins Absolute AppSec to talk about The Paranoids virtual bug bounty hacking event H1-2010, staying sane, managing a virtual team, and advice for running a bug bounty program.
Episode 107: Markus Schirp - Ruby and Dynamic Languages from 2020-09-01T11:00
Markus Schirp (@_m_b_j_) joins Seth and Ken to talk about Ruby and other dynamic languages. Mutation testing, TDD weaknesses, and metaprogramming.
Episode 106: Justin Massey - Logging and Monitoring from 2020-08-25T11:00
Justin Massey from Datadog joins us to talk application logging.
Episode 105: Laura Migus - Diversity and Inclusion from 2020-08-18T11:00
Seth and Ken chat with Laura Migus, who is an expert in the realm of Diversity and Inclusion, to learn more about the topic and how to support diversity and inclusion efforts.
Episode 104: Leif Dreizler - Authentication and SCIM from 2020-08-05T11:00
Leif Dreizler joins Seth and Ken to talk about recent projects, including authentication, SCIM, and how to embed within a development team.
Episode 103: Secrets Management, Oded Hareven, and akeyless.io from 2020-07-21T11:00
Oded Hareven from AKEYLESS joins Seth and Ken to discuss the idea behind AKEYLESS as well as give us a chance to learn a little bit more about Oded.
Episode 102: Popular Programming Languages, TikTok, OWASP from 2020-06-30T11:00
Seth and Ken talk about the popularity of various programming languages, TikTok app issues, and new changes at OWASP.
Episode 101: Mike McCabe, Ken Toler, Cloud Security from 2020-06-23T11:00
Seth and Ken are joined by Mike McCabe (@mccabe615) and Ken Toler (@relotnek) to break down their talk on Cloud Security. Discussion revolves around cloud security, but touches legacy systems, app...
Episode 100: Virtual Conferences, Bots, DDoS, Ebay from 2020-06-16T11:00
Seth and Ken break the 100 episode barrier by talking about virtual conferences. Discussions about bots, distributed denial of service attacks, and Ebay stalking of a newsletter.
Episode 99: Contact Tracing, GnuTLS, Breaches from 2020-06-09T11:00
Seth and Ken are back to security and technology this week. Discussions about contact tracing applications, privacy and freedom vs. security, the GnuTLS CVE, and possible Honda breach.
Episode 98: Bug Bounty Programs, Work when World is Crazy from 2020-06-02T11:00
Seth and Ken go full rant mode about bug bounties and trying to work while the world goes insane.
Episode 97: Stefan Edwards and Brian Glas - Threat Modeling from 2020-05-26T11:00
Stefan (@lojikil) and Brian (@infosecdad) are back to talk about threat modeling with Seth and Ken. Discussion covers risk assessment, threat modeling, asset inventory, and software maturity.
Episode 96: Fuzzing and Static Analysis Tools from 2020-05-19T11:00
Seth and Ken discuss fuzzing techniques, recommendations, and experience. Stories of fuzzing in production. How static analysis tools have changed and where they fit.
Episode 95: Jessica Rozhin (@JessicaRozhin) and Lady Christina Liu (@cliuthulu) - Incident Response, Lockpicking, Building an Infosec Culture from 2020-05-12T11:00
Jessica Rozhin (@JessicaRozhin) and Lady Christina Liu (@cliuthulu) join Seth and Ken to talk about alternate routes into security, including accounting and joining a circus. Discussions on forensi...
Episode 94: Bug Bounty, Microservices vs. Monoliths, and CVE Fatigue from 2020-05-05T11:00
Seth and Ken discuss tips for running a bug bounty program, risk of webhooks, Segment's move to and from microservices, and having CVE fatigue.
Episode 93: Huntr Dev - Securing Open Source Software from 2020-04-21T11:00
Seth and Ken are joined by the Huntr Dev team to talk about securing open source software, bug bounties, and writing secure code.
Episode 92: Working from Home, Skreen, Evolution of AppSec from 2020-04-14T11:00
Seth struggles with internet access during a discussion with Ken on working from home, employee surveillance, and Sneek. Additional thoughts on the evolution of application security and penetration...
Episode 91: Stefan Edwards - More Voatz, Zoom, Code Reviews, Report Writing, Threat Models, and Risk Assessments from 2020-04-07T11:00
LOJI IS BACK! Stefan joins Seth and Ken to talk about his work on the Trail of Bits assessment of the Voatz mobile application, share thoughts on Zoom, and discuss the assessment process. Discussions o...
Episode 90: Voatz, HackerOne, Bug Bounties, GraphQL, Shodan Network Trends from 2020-03-31T11:00
Seth and Ken provide their take on the Voatz mobile app dismissal from HackerOne. Additional discussion of network trends during social distancing and COVID-19 as reported by Shodan. Finally some t...
Episode 89: Kat Sweet - Incident Response, DevOps and Developer Training, Breaking into Security from 2020-03-24T11:00
Kat Sweet (@TheSweetKat) continues our discussion from DevSecOps Days Austin. Topics include incident response, staying right while you push left, developer training, and getting into information s...
Episode 88: Kevin Johnson - Secure Ideas, Star Wars, Passing it On from 2020-03-17T11:00
Kevin Johnson of Secure Ideas joins Seth and Ken in a discussion on his path into security, Star Wars (yes, really), and giving back to the community. This includes passing on teaching, sharing know...
Episode 87: Abhay Bhargav - Threat Modeling, DevSecOps, Microservices from 2020-03-03T11:00
Abhay Bhargav, founder of We45, joins Seth and Ken in a discussion on threat modeling in an agile development methodology, the rise and role of DevSecOps, and security within microservices.
Episode 86: Rohan Joshi - QA Security Testing, Security Champions, Paypal Vulnerabilities from 2020-02-25T11:00
Seth and Ken discuss bug bounties and a recent article on Paypal issues. Joined by Rohan Joshi to discuss building an application security program, QA security testing, and security champions.
Episode 85: David Lindner - Voting Apps, Bug Bounties, IAST/RASP/WAF from 2020-02-18T11:00
David Lindner (@golfhackerdave) joins Seth and Ken to discuss the voting applications, including the Iowa debacle and the Voatz application. Ranting on bug bounties and response times for researcher f...
Episode 84: Tinfoil Hat Tuesday - Backdoors, Application Libraries, Equifax from 2020-02-11T11:00
Seth and Ken discuss the latest security news, including CIA backdoors in the Crypto AG products, FBI release of wanted Chinese nationals related to the Equifax breach, protecting applications agai...
Episode 83: Ron Perris - NPM, Developer Training, React from 2020-02-06T11:00
Ron Perris (@ronperris), Software Security Engineer from npm, Inc., joins Seth and Ken to talk about module security, developer interactions, and recent Node security issues. DOM Clobbering.
Episode 82: Kelley Robinson - MFA, SHAKEN, STIR from 2020-01-28T11:00
Kelley Robinson (@kelleyrobinson), Security Advocate at Twilio/Authy, joins Seth and Ken to talk about multifactor authentication, her path into security, and advances in voice security (SHAKEN/STIR).
Episode 81: Matias Madou - Application Security Training from 2020-01-21T11:00
Ken and Seth are joined by Matias Madou, CTO of Secure Code Warrior. Discussion of the current state of application security training, static analysis tools, and just-in-time training.
Episode 80: Louis Barrett - SIRT and AppSec from 2020-01-14T11:00
Louis Barrett of the Segment SIRT team joins Seth and Ken to discuss his path into security, mentors, and SIRT. Discussions on approaching SIRT, creating a SIRT team, and how to integrate AppSec ...
Episode 79: Live from DevSecOpsDays Austin - Next up in AppSec/DevSecops from 2019-12-17T11:00
Seth and Ken host the podcast live from DevSecOpsDays Austin, with multiple guests from conference speakers. Discussions on what each guest feels is up next in AppSec and DevSecOps for the forseeab...
Episode 78: Breaches, Passwords, and Chicken Fingies from 2019-12-10T11:00
Seth and Ken host Seth and Santa's Secure Workshop as a pair this week. The discussion revolves around the Hacker 1 "breach", Practical Pentest Lab's storage and sending of plaintext passwords, chi...
Episode 77: Clint Gibler, DevSecOps, TLDR; Sec from 2019-12-03T11:00
Seth and Ken are joined this week by Clint Gibler (@clintgibler) to talk about DevSecOps, what he sees in the industry as effective security, and his newsletter TLDR; Sec (https://bit.ly/tldrsec). ...
Episode 76: Guy Podjarny, Snyk, AppScan, SCA from 2019-11-26T11:00
Guy Podjarny (@guypod), founder of Snyk, joins Ken and Seth to talk about Snyk, the origins of AppScan Standard, Software Composition Analysis and his origin story. A discussion of building develop...
Episode 75: Brian Glas, OWASP Top 10, OWASP SAMM from 2019-11-19T11:00
Ken and Seth are back! Joined in this episode by Brian Glas, aka @infosecdad, aka Professor Glas, to talk about all things OWASP Top 10 2017, the path to his involvement, and how it almost split App...
Episode 74: Ernest Mueller, DevOps, Security and Cloud Computing from 2019-10-22T23:00
Ernest Mueller (@ernestmueller) joins Seth and Ken to talk about his path into technology, operations, and security. Additional discussions on the beginnings of DevOps, Security, and Cloud Comp...
Episode 73: Kevin Cody, CORS, and Lockpicking from 2019-10-16T23:00
Kevin Cody (@kevcody) is back with Seth and Ken to talk about his collaboration with Tim Tomes (@LaNMaSteR53) on CORS. Also discussions on lockpicking, travel tips, and a wide range of topics. Reme...
Episode 72: Consulting Horror Stories from 2019-10-01T11:00
Seth and Ken kick off October with a discussion of consulting horror stories, both from personal experiences and listener-provided. Additional discussions around Cloudflare's WARP.
Episode 71: Evan Johnson, Cloudflare and Lastpass from 2019-09-17T11:00
Evan Johnson (@ejcx_), one of the first podcast guests to join Seth and Ken, revisits to talk about recent industry revelations, including the Lastpass vulnerability from Google's Project Zero. Furt...
Episode 70: Andrew Wilson, OWASP and Training New AppSec Resources from 2019-09-03T11:00
Andrew Wilson (@azwilsong), a friend and partner at Bishop Fox, joins Seth and Ken to discuss OWASP, running a consultancy, organizing CactusCon, and training new AppSec resources.
Episode 69: Eric Ellett, Development vs. Security from 2019-08-27T11:00
Seth and Ken are joined by Eric Ellett (@EricEllett) to talk about software supply chain security. Development vs. Security and how to develop a good relationship with development instead of an ant...
Episode 67: Kubernetes Security with Stefan and Bobby from 2019-08-12T11:00
Seth and Ken are joined by Stefan (@lojikil) and Bobby (@b0bbytabl3s) to talk about Kubernetes Security based on the assessment they conducted at Trail of Bits.
Episode 66: Capital One Breach, NPM, and Secure Code Reviews from 2019-07-30T11:00
Seth and Ken discuss the latest news, including the Capital One breach, Project Zero's recent iOS vulnerability disclosures, and further malicious NPM package takeovers. Further topics include lear...
Episode 65: Adam Baldwin, 3rd Party Dependencies, and Supply Chain Security from 2019-07-16T11:00
Seth and Ken are joined by Adam Baldwin (@adam_baldwin) to discuss a topic we've been talking a lot about: 3rd party dependency and supply chain security. Adam gave a talk at this year's LocoMoco ...
Episode 64: Hijacked Gems, Zoom RCE, and Marriott Fines from 2019-07-09T11:00
Seth and Ken discuss conference proposal submissions and how to stand out. Also discussions on the latest security news, including the Zoom vulnerability disclosure, European fines for Marriott, a...
Episode 63: Julian Berton, AppSec Day, Developer Training, and Security Standards from 2019-07-02T11:00
Julian Berton joins Seth and Ken to talk about Developer Training, Security Standards and AppSec Day, a global Application Security conference in Melbourne, Australia. They also discuss the latest ...
Episode 62: Abdullah Munawar, Ben Pick, Global AppSec DC, and Running an OWASP Chapter from 2019-06-18T11:00
Seth and Ken welcome Abdullah Munawar and Ben Pick to the show. They discuss their path into application security, current roles, and OWASP involvement. Specifically, Abdullah and Ben talk about ru...
Episode 61: Tanya Janca, DevSlop, Diversity, and Inclusion from 2019-06-11T11:00
Based on demand, Seth and Ken are joined by Tanya Janca (@shehackspurple) to talk about all things OWASP, travel, and experiences. Topics include OWASP DevSlop, diversity, and inclusion.
Episode 60: Stefan Edwards, Huawei, Android Security, and Programming Languages from 2019-05-21T11:00
Seth is joined once again by Stefan Edwards to talk about current events and ruin another portion of information security. Topics include Huawei, Android Security, and Programming Languages.
Episode 59: James Wickett on DevOps from 2019-05-14T11:00
Seth and Ken discuss Minecraft mod hacking and applying AppSec tools to the practice. Joined by James Wickett (@wickett) to talk about the history of DevOps, why software security people should lea...
Episode 58: David Lindner on RASP, Mobile, IoT from 2019-05-07T11:00
Seth and Ken discuss Edge Side Include Injection. Subsequently joined by David Lindner (@golfhackerdave), the current head of AppSec at Contrast Security. David talks all about RASP, mobile and IoT...
Episode 57: OWASP WIA (Women in AppSec) Committee from 2019-04-30T11:00
Seth and Ken are joined by the OWASP WIA (Women in AppSec, @owaspwia) Committee. We discuss diversity in security and how the committee and OWASP are making the community more inclusive. Topics incl...
Episode 56: Learn to Code / Loco Moco Sec Recap from 2019-04-23T11:00
Seth and Ken get back together to talk about Loco Moco Sec and recent industry news. Specifically, should all security people be able to code? Is it a strict requirement? Ken gives his take on the ...
Episode 55: Stefan Edwards ruins Infosec - Testing Edition from 2019-04-18T11:00
Seth is joined once again by Stefan Edwards. First in the series "Lojikil ruins Infosec". Ken is at LocomocoSec in Hawaii, so Seth and Stefan (@lojikil) talk all things testing, including symbolic ...
Episode 54: Recon-NG and Burp Suite v2 with Tim Tomes from 2019-04-09T11:00
Seth and Ken are joined by Tim Tomes, aka LaNMaSteR53. We discuss Tim's path into application security, his work on Recon-NG, and his analysis of Burp Suite Professional's version 2.
Episode 53: Building AppSec at Github with Greg Ose from 2019-04-02T11:00
Seth and Ken talk AppCache vulnerabilities and postMessage exploits from PortSwigger's Top 10 web hacking techniques of 2018. Greg Ose joins them to talk about building application security program...
Episode 52: Serialization Vulns, Managing Careers, and Hacking your Happiness with Chris Gates from 2019-03-26T11:00
Seth and Ken talk about serialization vulnerabilities, number 6 in the top web hacking techniques of 2018. Discussions on continuous integration, hacking Jenkins, reading code to find vulns, mainta...
Episode 51: XXE review and techniques, Assessment Reporting and Process with Jessica Ryan from 2019-03-19T16:00
Seth and Ken talk about new techniques for exploiting XXE, number 7 in the top web hacking techniques of 2018. Discussions on assessment process, including reporting, note taking and soft skills wi...
Episode 47: Mapping Application Source Code, Mobile OWASP Top 10, Mobile Application Testing, and Kevin Cody from 2019-02-19T21:00
Seth and Ken review steps taken during a secure code review to map out an application. Joined by Kevin Cody (@kevcody) to talk mobile application testing, OWASP Mobile Top 10, what devices to use w...
Episode 46: Fuzzing, Frameworks, Training and Daniel Miessler from 2019-02-12T21:00
Seth and Ken talk about the recent release of ClusterFuzz by Google. Joined by Daniel Miessler (@DanielMiessler) to talk about the SecLists project, how it relates to fuzzing, training developers ...
Episode 45: Making the most of Bug Bounties, managing an AppSec program, and Sean Poris from 2019-02-05T21:00
Seth and Ken are joined by Sean Poris (@skp00) of Verizon Media to talk about making the most of a bug bounty program, Sean's path into application security from his budding time as a biologist, an...
Episode 44: AppSec California, running a Bug Bounty program, and David Coursey from 2019-01-29T21:00
Seth and Ken are joined once again by David Coursey (@dacoursey) to review topics from AppSec California 2019, including building developer relationships and the OWASP ZAP HUD. Ken and Dave answer ...
Episode 43: DerbyCon, pwnhead, and Keith Hoodlet from 2019-01-15T21:00
Seth and Ken are joined by Keith Hoodlet (@andMyHacks) to discuss DerbyCon, pwnhead, and application security in medical devices.
Episode 42: SSRF Rebinding and Segment Team (Leif Dreizler and David Scrobonia) from 2019-01-08T21:00
Seth and Ken discuss SSRF rebinding defenses with Segment (Leif, David, and Achille). Additional topics include password complexity, password resets, and using Troy Hunt's breach database.
Episode 41: Hidden File/Dir Enumeration and Will Bengtson from 2018-12-18T21:00
Seth and Ken discuss hidden file and directory enumeration. Joined by Will Bengtson to talk AWS and cloud security, including CloudTrail and Trailblazer.
Episode 40: Code Reviews from 2018-12-11T21:00
Seth and Ken talk through secure code reviews and assessment scoping, more on breaches, the Google congressional hearings and more.
Episode 39: Jerry Gamblin from 2018-12-04T21:00
Is there such a thing as breach fatigue? When have we had enough? Seth and Ken are joined by Jerry Gamblin of Kenna Security to discuss recent breaches and AWS re:Invent.
Episode 38: Matt Konda from 2018-11-27T21:00
Seth and Ken discuss node packages and the event-stream fallout. Matt Konda (@mkonda) joins to talk about OWASP, the Glue tool, Jemurai, his origin story and other topics.
Episode 37: Stefan Edwards from 2018-11-20T21:00
Seth and Ken discuss security gifts for appsec peeps. Joined by Stefan Edwards (@lojikil) to talk about his origin story (Seth gets bagged on), formal verification, and a multitude of other topics.
Episode 36: Mike McCabe from 2018-11-13T21:00
Seth and Ken discuss cross-site scripting and input validation/output encoding findings. Later joined by Mike McCabe (@mccabe615) to talk about cloud security, building an appsec program, intervi...
Episode 35: Travis McPeak from 2018-11-06T21:00
Seth and Ken discuss server side request forgery and then pick Travis McPeak's (@travismcpeak) brain about AWS security, his path into security, QA testing, and Netflix cloud security tools.
Episode 34: Stefan Edwards from 2018-10-30T21:00
Seth and Ken are joined last minute by Stefan Edwards (@lojikil) to talk about security unit tests, fuzzing, and all things you will need to google later on. Blockchains and secure contracts are in...
Episode 33: John Melton from 2018-10-02T21:00
Seth and Ken go over fully vetting functions during code reviews. John Melton (@_jtmelton) talks with Ken and Seth about static analysis tools, building an appsec program, open source, and more.
Episode 32: Eric Johnson from 2018-09-18T21:00
Setup tips for starting an assessment with Burp Suite Professional. Eric Johnson (@emjohn20) talks with Ken and Seth about Roslyn, building Puma Scan, SANS, and more.
Episode 31: Rob Fuller from 2018-09-11T21:00
Practical advice on submitting and writing effective findings for bug bounties and reports. Rob Fuller (@mubix) talks about his path into security, CCDC, volunteerism, NoVA Hackers and more.
Episode 30: Dave Ferguson from 2018-09-04T21:00
Dave Ferguson (@_sc0rn) talks about the futility of developer training, initial discovery of CSRF on netflix.com, and application scanning with Ken and Seth.
Episode 29: Matt Tesauro from 2018-08-28T21:00
Matt Tesauro (@matt_tesauro) talks OWASP, community involvement, Defect Dojo, and the AppSec Pipeline toolbox with Ken and Seth.
Episode 28: Astha Singhal from 2018-08-21T21:00
Astha Singhal (@astha_singhal) joins Ken and Seth to talk automating application security and bug bounties.
Episode 27: Jim Manico from 2018-08-14T21:00
Ken and Seth are joined by Jim Manico (@manicode) to talk RAW, training, OWASP, code security, and all things AppSec.
Episode 26: Justin Larson from 2018-07-31T21:00
Ken and Seth are joined by Justin Larson (@Phant0mTrav3ler) and talk about building an AppSec program from scratch.
Episode 25: Scott Piper from 2018-07-24T21:00
Ken and Seth are joined by Scott Piper (@0xdabbad00) and talk AWS Security, including https://flaws.cloud, cloud mapper, and cloud tracker projects.
Episode 24: Jason White from 2018-07-17T21:00
Ken and Seth are joined by Jason White (@misfir3) and talk about transitioning from a developer to an application security professional.
Episode 23: Ken Toler from 2018-07-10T21:00
Ken and Seth are joined by Ken Toler (@relotnek) and talk security champions and security program management.
Episode 20: Authentication and JWTs from 2018-06-19T21:00
Ken and Seth talk more about authentication, JWTs and everything that is wrong with both of them.
Episode 19: CFPs and More from 2018-06-05T21:00
Ken and Seth talk about current events, submitting CFPs, and more.
Episode 18: Chris Gates from 2018-05-29T21:00
Ken and Seth are joined by Chris Gates to talk about Purple Teaming and the WeirdAAL tool.
Episode 17: Efail and CSRF from 2018-05-15T21:00
Ken and Seth talk about current news (Efail) and CSRF tokens.
Episode 16: Hipster Languages from 2018-05-08T21:00
Ken and Seth talk about hipster languages and frameworks.
Episode 15: Kevin Cody from 2018-05-01T21:00
Kevin Cody joins Ken and Seth to talk about mobile security testing.
Episode 11: David Coursey and Stefan Edwards from 2018-03-27T21:00
David Coursey and Stefan Edwards reprise their discussion with Ken and Seth.
Episode 10: Jimmy Mesta from 2018-03-13T21:00
Jimmy Mesta joins Seth and Ken to talk about Kubernetes and container security.
Episode 9: Jason Haddix from 2018-03-06T21:00
Seth and Ken talk with Jason Haddix about bug bounties.
Episode 5: Stefan Edwards and Dave Coursey from 2018-02-06T21:00
Featuring guests Stefan Edwards and David Coursey.