Podcasts by Absolute AppSec

Absolute AppSec

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.

Podcast on the topic: Technology

All episodes

Episode 22: Jimmy Mesta from 2023-12-12T19:02:31.041731

Ken and Seth are joined by Jimmy Mesta (@jimmesta) to talk about Kubernetes and container security.

Episode 21: Alex Smolen from 2023-12-12T19:02:31.036548

Ken and Seth are joined by Alex Smolen (@alsmola) to talk about current events, cloudtrail audit, and webauthn.

Episode 12: Justin Collins from 2023-12-12T19:02:30.993408

Ken and Justin Collins join from LocoMocoSec to discuss static analyzers.

Episode 226 - Security Reviews, CVE-2023-46214 from 2023-12-05T11:00

Ken and Seth decide whether the idea of security reviews is dead, spurred on by a recent blog post by Frank Wang on doing away with the current perception of reviews. This is followed by a walkthr...

Episode 225 w/ Brian C Reed from 2023-11-28T11:00

We are excited to have Brian C Reed, chief mobility officer at NowSecure, as a special guest on the Absolute AppSec podcast. Brian has specialized in mobile security, and his company NowSecure works...

Episode 224 w/ Jeevan Singh from 2023-11-14T11:00

Jeevan Singh (@askjeevansingh) returns to join Ken Johnson (cktricky on Twitter) and Seth Law (sethlaw) as a guest on the podcast! Jeevan is currently with Rippling, was previously the Director of ...

Episode 223 w/Stefan Edwards - OWASP, Privacy from 2023-11-07T11:00

When cktricky is away, the lojis will play. Stefan Edwards co-hosts an episode with Seth in what ends up bypassing the AI hype to discuss the current state of OWASP. In short, things are murky but ...

Episode 222 w/ Leif Dreizler from 2023-10-23T11:00

Ken Johnson (cktricky) and Seth Law (@sethlaw) welcome Leif Dreizler back on the show! Leif recently became a Senior Manager of Software Engineering at Semgrep (semgrep.dev), spent the better part...

Episode 221 - Interviews, Breach, AI Tools from 2023-10-19T11:00

Seth and Ken are back to review some recent news and community discussions. Specifically, the duo talks about the use of coding requirements and projects during interviews for application security....

Episode 220 w/ Erik Cabetas (Include Security) from 2023-10-10T11:00

Erik Cabetas, founder and managing partner of Include Security joins Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw). Erik has been running Include Security for the last decade, and befo...

Episode 219 w/Jason Haddix - Discovery Tools, Security Research from 2023-10-03T11:00

Seth and Ken are joined last minute by Jason Haddix (@jhaddix). Conversation about DEF CON talks, use of LLMs in research, and recently released tools.

Episode 218 w/ Cole Cornford - Security Startups, Developer Training from 2023-09-19T11:00

Ken (cktricky on Twitter) and Seth (sethlaw) welcome Cole Cornford (https://www.colecornford.com) to Absolute AppSec for a discussion on running a security startup and the future of security traini...

Episode 217 w/ Shlomi Shaki - Security Tooling from 2023-09-07T11:00

Shlomi is back! Shlomi Shaki, GitHub’s head of Asia-Pacific-Japan advanced security sales and all around thoughtful observer of the world of application security is back on the podcast with Ken Joh...

Episode 216 - Security SDLC, Time Management from 2023-08-29T11:00

Ken and Seth are back with another episode where they try _not_ to cover more on LLMs and AI. Specifically, they talk about the basics of implementing security into an SDLC. A long conversation and pers...

Episode 215 - Learning Machine Learning, DEF CON 31 Recap from 2023-08-22T11:00

Seth and Ken run through their experiences implementing Machine Learning for different application security activities. A breakdown of the duo's experience at DEF CON 31, interesting talks, and happy...

Episode 214 - Artificial Intelligence and Security with @lojikil from 2023-08-08T11:00

A very special pre-DEF CON episode with @lojikil (aka Stefan Edwards). Seth and Stefan dig into various security aspects of artificial intelligence and the recent hype cycle around large language m...

Episode 213 - Brian Joe of Impart Security from 2023-07-25T11:00

A special episode with Brian Joe (brianwjoe on LinkedIn), head of product and co-founder of Impart Security (impart.security). Brian has a background with Signal Sciences, Fastly, and Verizon. He p...

Episode 212 - Evan Johnson of RunReveal from 2023-07-11T11:00

With some interesting developments going on at RunReveal, Evan Johnson joins Seth and Ken to discuss monitoring of security logs (hurray! Seth's favorite Crocs and Socks topic) and RunReveal's open...

Episode 211 - Brian Walter of OpenContext from 2023-06-20T11:00

Ken Johnson (@cktricky) and Seth Law (@sethlaw) host Brian Walter (@bdwalter), co-founder and CEO of OpenContext (opencontext.com), tech industry veteran with leadership stints at device-reputation...

Episode 210 - Approaching Scans, AppSec Research, Threat Modeling from 2023-06-13T11:00

From depths comes a rumbling, and it carries the whisper of AppSec on its breath! Seth and Ken dig into approaches to conducting client scans and processing results. A review of recent research int...

Episode 209 - James Wickett, Contextual Security Analysis from 2023-06-06T11:00

Join us for a special episode of Absolute AppSec with James Wickett (@wickett on twitter), the co-founder of DryRun Security (dryrun.security), creator of the Lonestar Application Security Conferen...

Episode 208 - Zip TLD, PyPI 2FA, AI Poisoning from 2023-05-30T11:00

Beware! It’s double ides of May! (Proviso being that you add the integers and not the 1/2s). Sponsored by @redpointsec, an application security firm that specializes in code security by and for cod...

Episode 207 - Watering Hole Attacks, Adversarial AI, Cookie Security from 2023-05-23T11:00

Hello! We’re just a podcast, standing in front of you, aching to be the SYN to your ACK. Seth and Ken are back to talk about how the PyPI repo is experiencing an attack from multiple malicious pack...

Episode 206 - RSA, Artificial Intelligence, Spidering Tools from 2023-05-04T11:00

Seth Law and Ken Johnson are back this week. In this show, Seth and Ken discuss what the RSA conference did (and did not) reveal about the current state of #applicationsecurity, #appsec, #crocsands...

Episode 205 - Decline of AppSec, Death of Code Review from 2023-04-18T11:00

Finally returning to the podcast after a couple weeks of travel, training, and speaking, Seth and Ken are back for more, including their own takes and opinions on the decline of application security an...

Episode 204 - Logging, Edge Cases, Client API Exposure from 2023-03-28T11:00

The dynamite duopoly that is Ken and Seth are back to take the AppSec news by storm. Starting with Seth's favorite topic of Auditing or Logging, Ken brings up the recent Okta vulnerability report r...

Episode 203 w/ Shlomi Shaki - Security Tools from 2023-03-21T11:00

Joining Seth and Ken is Shlomi Shaki, a tech exec with GitHub who directs sales resources related to Application Security and Product Security in the APJ region. Discussion revolves around adoption of sec...

Episode 202 w/ Haseeb Awan - Mobile Security from 2023-03-14T11:00

Ken Johnson (@cktricky on twitter) and Seth Law (@sethlaw) interview Haseeb Awan (@haseeb) founder and CEO of Efani, a mobile service provider focused on security.

Episode 201 - Breaches, Package Managers, Audit Logs from 2023-03-07T11:00

A lot has happened since the 200th (!!!) episode of the podcast, so we bring another episode with a discussion of recent events, sites, and interesting finds. First up is a discussion of recent...

Episode 200 w/ Jerry Gamblin - Startups, CVEs from 2023-02-28T11:00

Jerry Gamblin joins Seth and Ken for the 200th episode of the podcast. The discussion starts with a lengthy analysis of startup culture, security startups, and gotchas to be aware of when employed...

Episode 199 - OWASP, Phishing, Eurostar from 2023-02-14T11:00

After a number of guest appearances, Ken and Seth are flying "duo" to talk through recent news across the industry. Starting with analysis of the recent OWASP Change petition that has surfaced to a...

Episode 198 with Laura Bell Main - Training from 2023-02-07T11:00

Laura Bell Main, founder and CEO of safestack.io (@lady_nerd on twitter and check out her website https://laurabellmain.com to acquaint yourself with her work and recent publications), joins Seth a...

Episode 197 with Sal Olivares - Exposed API Tokens from 2023-01-31T11:00

Sal Olivares, Senior Software Engineer from segment.io, joins Seth and Ken to discuss his experience with and recent blog post related to security token scanning and revocation. Sal was involved wi...

Episode 196 - API Reviews, Web App Security Features from 2023-01-24T11:00

Seth and Ken dig into a topic that was raised by a member of our Slack community. The initial half of the show reviews both the risks and dynamic or static review items associated with microservice...

Episode 195 - 2022 CVEs, CORS, GraphQL from 2023-01-17T11:00

Ken (@cktricky) and Seth (@sethlaw) take a step away from the news to review technical articles and research released in the last couple of weeks. This includes analysis done by Jerry Gamblin on to...

Episode 194 - Frank Wang (dbtlabs) - Organization Security, AI/ML from 2023-01-10T11:00

Frank Wang from dbtlabs (@ffwang2 on twitter) joins Seth and Ken for a discussion on current security landscape, artificial intelligence, and machine learning. Follow Frank on twitter or through hi...

Episode 193 - Security Metrics, End-User Security from 2022-12-20T11:00

@cktricky and @sethlaw host another episode starting with a lengthy discussion on security metrics spurred by a recent post by Leif Dreizler (@leifdreizler). Security metrics are highly specific and...

Episode 192 - Blogs, GoLang Security, ChatGPT from 2022-12-13T11:00

What do _you_ want for an AppSec Christmas? Another episode featuring Ken and Seth, for sure. The duo starts the conversation talking about useful AppSec and Security Blogs while featuring a recent...

Episode 191 - DNS Attacks, Organizational Risk, Mastodon from 2022-11-29T11:00

Going into the final month of 2022, the dynamic duo graces us with their presence. It begins with discussion of DNS Attacks based on Kaminsky-style attacks spurred by research presented at DeepSec ...

Episode 190 - Immutable Laws of Security from 2022-11-08T11:00

Ken and Seth break down the recently-released Immutable Laws of Security from Microsoft's Security Best Practices recommendations. Points of special interest being "Cybersecurity is a team sport", ...

Episode 189 - Security Bypasses, AppMap, Dastardly from 2022-11-01T11:00

Seth and Ken kick off another unique discussion by looking at a recent scholarly paper on security bypasses and workarounds by health care workers. Followed by a demo of AppMap, a development tool t...

Episode 188 - Security Training, Zero Trust, Rating of IoT Security from 2022-10-18T11:00

What's that you say? There is no such thing as "done" with application security? Are our Sisyphean hosts (@cktricky and @sethlaw) therefore doomed to ever push this rock up the mountain, just to di...

Episode 187 - Hacking your Health, Fortinet, Secrets in Source from 2022-10-11T11:00

Back once again, Ken and Seth riff off of recent health discussions to talk about hacking health and maintaining a decent work/life balance. Discussion of recent Fortinet authorization issue and h...

Episode 186 - Security Trainings, Web3 Bounties, MFA from 2022-10-04T11:00

Ken is back in the land of the living, so of course he and Seth dig into the current state of information security training, how SCORM is the worst for developer training, and what goes into creati...

Episode 185 - Daniel Ting (hoodiepony) - Breaches, Optus, Uber from 2022-09-27T11:00

Ken (cktricky) is out sick today, so Seth is joined by Daniel (https://twitter.com/hoodiepony) from Australia to talk about recent breaches. Specifically, the recent breach of Optus in Australia h...

Episode 184 - Sources, Payloads, Patreon, Ethereum, Starbucks from 2022-09-15T11:00

Ken is back to lead a discussion on identification of interesting sources for the podcast and specifically how XSS just is not as interesting to him and Seth as it was a decade ago. A new project f...

Episode 183 - Information Warfare w/LegendaryPatMan from 2022-09-06T11:00

Ken is away, so Loji comes to play. Absolute AppSec is hosted this week by Seth and Stefan (@lojikil) to go outside the normal topics of application security to address questions about information ...

Episode 182 - Twitter, LastPass, Testing Edge Cases from 2022-08-30T11:00

A late decision to record an episode this week after thinking it would be scratched due to life ended up with a long discussion on the recent Twitter drama and whistleblower revelations around thei...

Episode 181 - (Post DEFCON) from 2022-08-23T11:00

Finally returned from the wasteland that is Las Vegas, or at least the fun that is #hackersummercamp and #defcon30, Ken and Seth break down their different experiences and impressions from the conf...

Episode 180 - Logging! Attacks! from 2022-08-10T11:00

It's time for hacker summer camp, so the duo starts out discussing upcoming events and interesting talks. A discussion of LOGGING that warms Seth's heart as it comes to light that logging of sensitiv...

Episode 179 - Starting in AppSec, Threat Modeling from 2022-08-02T11:00

Ken pulls Seth back into an episode to talk through the steps anyone can take to get into Application or Product Security based on some recent articles. True security professionals can come from an...

Episode 178 - Wallet Attacks(!) and Data Privacy from 2022-07-26T11:00

The duo is back and live, with an episode stolen from _some_ headlines. Specifically, a breakdown of various attacks against crypto wallets and how they stem from traditional security risks. Follow...

Episode 177 - That Post-LocoMocoSec Glow from 2022-07-05T11:00

Seth and Ken recap some of their experiences from LocoMocoSec, followed by a discussion on the recent Bugcrowd revelation that an employee attempted to re-submit reports for gain. A review of LaLu...

Episode 176 - Exposed Secrets, Semgrep Rules, IoT Security Failures from 2022-06-21T11:00

Guess what's coming right up!? Another edition of Absolute AppSec with your summer-school hosts, @sethlaw and @cktricky. What are the secrets out there available if one scans the internet? Well, se...

Episode 175 - Web3, JWT Security, Public App Attacks from 2022-06-14T11:00

Late night edition. Now we are tired. Seth and Ken get back to the podcast and dig into Web3 security a bit. A review of the recent blog post from portswigger on JWT security. Finally discussion on...

Episode 174 - Smart Contracts, Code Review Lessons Learned from 2022-05-31T11:00

If there were a magical world where mensch-y podcasters (@cktricky and @sethlaw) discuss smart contract vulnerabilities, secure code review experiences, and package takeover attacks, wouldn't you l...

Episode 173 - Enumeration Attacks! from 2022-05-24T11:00

Yet ANOTHER episode of Absolute AppSec with Seth and Ken! User enumeration vulnerabilities are the order of the day. Seth digs in on an interesting #talesfromconsulting where security questions, a...

Episode 172 - Jimmy Mesta - Kubernetes, Startup Adventures from 2022-05-17T11:00

Jimmy Mesta (@jimmesta) of KSOC joins Ken and Seth to talk about Kubernetes Security and startup adventures with KSOC. This leads to a discussion on the OWASP Top 10 Kubernetes Project and how al...

Episode 171 - Ruby Deserialization Walkthrough, Domain Takeovers from 2022-05-10T11:00

Ken and Seth are back to talk about potential of package hijacking based on DNS takeovers due to domain expirations. Ken provides a walkthrough of Ruby Deserialization techniques based on recent ne...

Episode 170 - Security Basics, Social Engineering, Plan for Failure from 2022-05-03T11:00

Seth and Ken return with a discussion of security basics and failures resulting from lack of security hygiene. As a developer, security engineer, or a CISO, it's important to recognize that breaches...

Episode 169 - Finding Security Bugs from 2022-04-26T11:00

Seth and Ken return to the podcast and spend the episode reviewing the recent keynote from Mark Dowd at OffensiveCon 22 about the process he uses to find bugs in software.

Episode 168 - Secure Code Review, Package Confusion, Privacy Acts from 2022-04-19T11:00

What's that sound?! Could it be the Absolute AppSec train coming 'round the bend, set to deliver @cktricky and @sethlaw's timely takes on Application Security news?! This episode starts with an in-...

Episode 167 - Ken Toler - Cryptocurrency, Spring4Shell from 2022-04-05T11:00

A pair of Kens. A quick discussion on Spring4Shell and how the exploit takes advantage of Java's dynamic configuration options along with a data binding (aka mass assignment) vulnerability. Ken Tol...

Episode 166 - Web App Firewalls, ProtestWare, CSP Level 3 from 2022-03-22T11:00

As sands through the hourglass, another episode falls on a Tuesday in late March. It was not _the_ first episode, but it was an episode as Ken and Seth talk about the origins of web application ...

Episode 165 - Portswigger 2021 Top 10, Supply Chain Attacks, TLS Certs from 2022-03-15T11:00

Welcome to the latest nihilism and bitch session. In this episode, Seth and Ken review Portswigger's Top 10 list of the "most significant web security research released in the last year". Discussio...

Episode 164 - Supply Chain Security, Cyber Attacks, 2FA, AutoWarp from 2022-03-08T11:00

What now? Another episode? You have to be kidding me. Now I get to write another summary per my job description. At least this episode covers some security topics such as Software Supply Chain Secu...

Episode 68: Jerry Gamblin, DEF CON 27 Recap from 2022-03-07T00:21:26.751579

Jerry Gamblin (@jgamblin) joins Seth and Ken to talk about #hackersummercamp, DEF CON 27, and all things Vegas. Discussion includes NULL license plates, software bill of materials, and more.

Episode 163 - IT Army, Secrets, Access Control from 2022-03-01T11:00

And we are live, with our 163rd episode of Absolute AppSec. Say hi to Ken and Seth once again as they start out with a discussion on the IT Cyber Army and issues with enlisting to help in cyber attac...

Episode 162 - Mike McCabe (@mccabe615) - Cloud Security from 2022-02-22T11:00

After a week's hiatus, the Absolute AppSec-ers return with guest Mike McCabe (@mccabe615) to talk about all things Cloud Security. Discussions on cloud security tools, various differences between A...

Episode 161 - Language Semantics, Blockchain Validations, Pentest Stories from 2022-02-08T11:00

A blast from the past as Ken and Seth reminisce about past penetration testing and security stories. A discussion of language semantics and how programming language basics are similar to spoken lan...

Episode 160 - Mental Health, Open Source Bug Bounties, IDOR from 2022-02-01T11:00

The duplicitous duo returns with another episode that starts out in left field away from security topics by addressing mental health and how to keep sane when life gets busy, in both good and bad w...

Episode 159 - Neil Matatall - CSP, Infosec Hiring, Languages + Framework Security from 2022-01-25T11:00

Ken and Seth are back to talk with a blast from the past. Neil Matatall (@ndm) of Twitter, Github, and now TikTok fame joins the discussion (again) to talk about CSP. The conversation wanders from ...

Episode 158 - More Supply Chains, 2021 Top Ten, CORS + CSRF from 2022-01-18T11:00

Yet another episode. Always something to discuss. Ken and Seth talk about a recent article covering *theoretical* software supply chain exploits and how this will be a big thing this year. A review...

Episode 157 - 2022 Predictions, Schema Libraries, NPM and Open Source Packages from 2022-01-11T11:00

NEW YEAR, NEW SECURITY MADNESS! The duo is back with their application security predictions for 2022. A discussion on 3rd party library differences, in particular how URL/URI Schema libraries and p...

Episode 156 - Stefan Edwards (@lojikil) - Open Source Software, Software Bill of Materials from 2021-12-21T11:00

As we get ready for the holidays, we only want to talk about log4hell and bill of materials. Please let it end, please, oh please. A surprise visit by Stefan Edwards (@lojikil) to address all thing...

Episode 155 - Log4Hell, Boring AppSec, Crocs and SOCs from 2021-12-17T11:00

Tis the season... for 0 days. Discussions on the ever-present Log4j issue that the whole industry is dealing with. Kernelcon training announcements, dealing with varying expectations of clients and...

Episode 154 - Conferences, Cloud Security, Software Supply Chain from 2021-12-07T11:00

It's one of those days, must be Q4. View of tech conferences as an outsider. An analysis of data from Google's "Threat Horizons" report and what it tells us about Cloud Security. A few items relate...

Episode 153 - Fuzzing, Authentication, Browser Wars (again) from 2021-11-30T11:00

Our last episode before it's December!!! Where oh where did 2021 go? Seth and Ken wrap up a conversation on fuzzing strategies for HTTP Requests. A discussion on the difficulty of authentication and...

Episode 152 - Breaches, Symbolic Execution, Dynamic vs. Static Assessments from 2021-11-23T11:00

Gobble gobble! It is that time of the year again to stuff our faces... WITH APPSEC! A discussion on breach notification related to the recent GoDaddy disclosure. Understanding symbolic execution wi...

Episode 151 - Secure Code Review, Software Interdependency from 2021-11-16T11:00

Ahem, Seth and Ken return with a live code review of a recently seen authentication routine. A discussion of software interdependence and the issues it creates (such as SSRF). In other words, 151 a...

Episode 150 - Jerry Gamblin - NVD CVEs, Vulnerability Disclosure, Burp Cert from 2021-10-26T11:00

Jerry Gamblin makes a return to the podcast to talk about recent events in Missouri and how _not_ to respond to responsible vulnerability disclosure. A discussion on the increase of CVEs showing up...

Episode 149 - Burnout, AppSec News Sources from 2021-10-19T11:00

Just two old men bi***ing and moaning about App Sec and the price of a good pair of New Balances. Real discussion on dealing with burnout and imposter syndrome. How to stay engaged and interested w...

Episode 148 - Facebook, Phrack, Paved Path from 2021-10-05T11:00

Strange things are afoot at the Circle K. Facebook outage and BGP routing. A new issue of Phrack released on Oct 5 results in a discussion on the good ol' days, BBSes, and the commercialization of sec...

Episode 147 - James Kettle (@albinowax), Security Research from 2021-09-21T11:00

The one and only James Kettle (@albinowax) of Portswigger joins Seth and Ken to talk about his path into security, HTTP request smuggling, and how to perform security research.

Episode 146 - OWASP Top 10, Bug Bounties with @JHaddix, Request Smuggling from 2021-09-14T11:00

Now with the latest in old people ramblings. Discussion about the OWASP Top 10 Draft list and how the Top 10 should be used as an awareness document. Discussions on bug bounties with surprise guest...

Episode 145 - Return of @cktricky, Burnout, Bumble Vuln, Brute-Forcing from 2021-08-26T11:00

@cktricky is _back_ with a newfound lease on life (and application security). The duo discusses in-person vs. virtual conferences, DEF CON 29, burnout, vulnerabilities in dating apps. A demonstrati...

Episode 144 - Fuzzing, Radamsa, Property Testing from 2021-08-17T11:00

With @cktricky still on hiatus, @sethlaw and @lojikil talk fuzzing, property testing, semantic analysis and demo radamsa.

Episode 143 - HTTP/2, Black Hat/DEFCON, Kubernetes from 2021-08-10T11:00

With @cktricky out adventuring, @sethlaw is joined by a familiar face (@lojikil) to dive deeply into recent research presented at Black Hat/DEF CON, HTTP/2, and how everything old is new again.

Episode 142 - AI Code Generation, Puma Scan, HTTP Request Smuggling from 2021-07-20T11:00

Dreamin', Beamin', and Streamin' about using artificial intelligence (AI) to generate code (*cough*, *cough*). When and where to use automated source code analysis tools, specifically Puma Scan for...

Episode 141 - print(), Cross-Site Scripting (XSS), RiskIQ, Amass Demo from 2021-07-13T11:00

Just two grumpy old men with some AppSec sprinkled in. Topics this week include new research from portswigger using print to bypass new Chrome XSS iframe restrictions, how XSS is still the best (an...

Episode 140 - Naomi Buckwalter - Gatekeeping, Developing AppSec Resources from 2021-06-29T11:00

Naomi Buckwalter (@ineedmorecyber) joins Ken and Seth in a discussion about security gatekeeping, how anyone can get into application security, and the relationships between development and security.

Episode CXXXIX - Return of the @lojikil (Stefan Edwards) from 2021-06-22T11:00

Stefan returns and we pick his brain about information security degrees, format strings, and different testing methodologies. Then we spend most of the episode googling the words that come out of h...

Episode 138: Ransomware from 2021-06-15T11:00

The duo is back to talk about consulting scheduling and ransomware. Somehow this evolved to a discussion on Hipster Vulns and how auditing is the Crocs-n-SOCs of application security.

Episode 137: CSRF, GraphQL, Kubernetes, Docker, NoSQL Injection from 2021-06-08T11:00

Live from their parents' basement and dripping with tin foil - Seth and Ken talk about how CSRF is a thing in GraphQL. Kubernetes gets an intentionally-vulnerable setup, and you should definitely c...

Episode 136: AppSec Nihilism and Breaches from 2021-06-01T11:00

Back off of a week's break, Seth and Ken catch up on breach news. A return of security nihilism is also in order based on recent breaches and exploits.

Episode 135: GoSDL, Language Choice, Kenna, Dependency Confusion from 2021-05-18T11:00

Punchy and Grumpy are back at it starting with a discussion on GoSDL and how it integrates with developer workflows. Followed by a discussion on language choice/experience, Cisco's acquisition of K...

Episode 134: Legal Protections, Browser Sanitization APIs, Burnout from 2021-05-11T11:00

Statler and Waldorf meet again to discuss legal protections when conducting security testing, new browser APIs for sanitization of user-supplied content, how XSS is boring, and techniques for deali...

Episode 133: Rob Shavell - Privacy from 2021-05-04T11:00

Rob Shavell from Abine.com joins Seth and Ken to talk about data privacy, social media, and industry concerns with tracking.

Episode 132: Supply Chain Attacks, What I Wish I Knew Starting in Security from 2021-04-27T11:00

Ken and Seth are the dynamic duo revealing what they wish they knew starting in security and as a penetration tester. Also a discussion about supply chain attacks and a tribute to the late Dan Kami...

Episode 131: Jeevan Singh - Threat Modeling from 2021-04-20T11:00

Jeevan Singh from Segment joins Seth and Ken to discuss the recently-released, open source threat modeling training material.

Episode 130: Facebook 'Breach', Data Privacy from 2021-04-13T11:00

Ken and Seth break down the Facebook 'Breach', aka data collection and different views on dealing with that data. The discussion continues with privacy data and how far we should trust any social m...

Episode 129: Rey Bango - JQuery, Developer Relations, Security Education from 2021-04-06T11:00

Rey Bango (@reybango) from Veracode joins Seth and Ken to talk about his path into security. Topics include JavaScript, JQuery, building relationships between security and relations, and how to edu...

Episode 128: Stefan Edwards/David Coursey - PHP, Backdoors, and AppSec Nihilism from 2021-03-30T11:00

Seth hosts Stefan Edwards (@lojikil) and David Coursey (@dacoursey) discussing PHP's recent backdoor, probable fixes including code commit signing and the move to GitHub. The discussion covers ease...

Episode 127: Regexes, WAFs, Secondary Contexts from 2021-03-23T11:00

Seth and Ken discuss the role of regular expressions in routing of web application requests. Discussion covers basics of routing, exploitation of secondary contexts, and bypassing of web applicatio...

Episode 126: Junior AppSec Positions, Phishing Site Detection, Client-side JavaScript from 2021-03-16T11:00

Seth and Ken are back on another Taco Tuesday to talk through getting into application security and how to support those new to the field. Also a discussion on phishing sites that detect VMs and ot...

Episode 125: Interviews, SQLi, Concurrency, Wordpress from 2021-03-09T11:00

Seth and Ken discuss interviewing techniques for technical resources, SQL injection in the media and Github's recent concurrency vulnerability. Also a discussion on recent WordPress plugin vulnerab...

Episode 124: 2020 Top 10 Web Hacking Techniques, Development vs. Security from 2021-03-02T11:00

Seth and Ken discuss Portswigger's Top 10 Web Hacking Techniques of 2020, specifically injection attacks through images in PDFs and reverse proxies. Further discussion on creativity in development ...

Episode 123: Client-Side Controls, Dependency Confusion from 2021-02-23T11:00

Seth and Ken discuss client-side controls and 3rd-party JavaScript security features. Confused deputy vulnerabilities (dependency confusion) in the news.

Episode 122: Brian Glas (@infosecdad) - OWASP Top 10 2021 from 2021-02-18T11:00

Seth and Ken welcome back Professor Brian Glas (@infosecdad) to dispel the recent OWASP Top 10 2021 speculation and rumor. We talk through the origins and purpose of the OWASP Top 10 as well as the...

Episode 121: Stefan Edwards (@lojikil) - Formal Specification, Fuzzing, LangSec from 2021-02-02T11:00

Stefan Edwards (@lojikil) once again joins Seth and Ken to talk all things LangSec (language security). Discussion ranges from manual vs. automated testing to fuzzing to semantic analysis to formal...

Episode 48: .dev domains, Kubernetes Secrets, Threat Modeling as Code, OWASP Glue Project and Omer Levi Hevroni from 2021-01-31T22:10:42.023393

Seth and Ken discuss recent events with the .dev domain and why developers should care. Omer Levi Hevroni (@omerlh) stops by to talk about the OWASP Glue Project, the Kamus project for managing Kub...

Episode 49: Subdomain Takeovers, DNS SSRF, Oauth Best Practices, Top 10 Web Hacking Techniques of 2019 from 2021-01-31T22:10:42.023393

Seth and Ken talk through subdomain takeover vulnerabilities at large companies and identification of DNS SSRF. Ken walks through a few OAuth best practices. A look at the Portswigger list of Top ...

Episode 50: Static Analysis Tools, DevSecOps, Secure Code Training with Eric Heitzman from 2021-01-31T22:10:42.023393

Seth and Ken talk about number 8 in the top web hacking techniques of 2018. Discussions on static analysis tools and approach to using them. Eric Heitzman joins to talk about his background, DevSe...

Episode 120: OWASP Top 10 2021, Researcher Attacks, Parler, Phishing from 2021-01-26T11:00

Seth and Ken discuss the proposed 2021 OWASP Top 10 Risks, North Korean attacks against security researchers, password managers, latest in Parler de-platforming, and phishing possibilities.

Episode 119: Bugtraq, Web Cache Poisoning, and Blind SSRF from 2021-01-19T11:00

Seth and Ken wax nostalgic about the old days due to the shut down of the Bugtraq Mailing List (RIP old friend). Further discussions on web cache poisoning and blind server-side request forgery (SS...

Episode 118: Parler, Twitter, and IDOR from 2021-01-12T11:00

Seth and Ken return with a discussion about application security in the news, including relevance to the Parler "backups". Also discussions about Twitter and latest political developments and how t...

Episode 117: Solarwinds, Timing Attacks, Threat Dragon from 2020-12-22T11:00

The dynamic duo is back for their last podcast of 2020!

Episode 116: Lewis Ardern and Pwnfunction - Client-Side JavaScript Security from 2020-11-24T11:00

Lewis Ardern (@LewisArdern) and Pwnfunction (@pwnfunction) join Seth and Ken to talk client-side JavaScript security and their recent Vue JS blog post. https://portswigger.net/research/evading-defe...

Episode 115: Clint Gibler - Static Analysis with Semgrep from 2020-11-17T11:00

Clint Gibler (@clintgibler) joins Seth and Ken to talk about Static Analysis with Semgrep. Demonstrations of writing rules within Semgrep and how to use it.

Episode 114: Account Enumeration, Github Actions from 2020-11-10T11:00

Seth and Ken discuss account enumeration vulnerabilities and open source tools that take advantage of them. Discussion about the recent Github Actions vulnerability.

Episode 113: Jacob Salassi - Modeling Threats, Risk Assessment from 2020-10-27T11:00

Jacob Salassi (@JacobSalassi) joins us to discuss his developer-driven, standardized, threat modeling process. Also discussions on developer empathy, risk assessment, and other topics.

Episode 112: Mark Feferman - Static Analysis Tools from 2020-10-20T11:00

Mark Feferman (@mfeferman) joins Seth and Ken to throw down about automated static analysis tools. Discussion of application security talent (or lack thereof) and 'shifting left'.

Episode 111: Bug Bounties, Detection as Code from 2020-10-13T11:00

Seth and Ken dig into strange requests when running bug bounty programs, recent revelations on Apple security research, and detection as code.

Episode 110: Reserved Words, Authentication, Developer Patterns from 2020-10-06T11:00

Back at it like a phrack addict to talk reserved words, authentication flaws in apps and Grindr, and recognizing insecure patterns during development.

Episode 109: Threat Modeling, Social Media, Imposter Syndrome from 2020-09-22T11:00

We are back with a Seth and Ken only episode to talk about the evolution of threat modeling, the documentary "The Social Dilemma", mental health, and imposter syndrome.

Episode 108: Sean Poris - Bug Bounties and H1-2010 from 2020-09-15T11:00

Sean Poris (@skp00) joins Absolute AppSec to talk about The Paranoids virtual bug bounty hacking event H1-2010, staying sane, managing a virtual team, and advice for running a bug bounty program.

Episode 107: Markus Schirp - Ruby and Dynamic Languages from 2020-09-01T11:00

Markus Schirp (@_m_b_j_) joins Seth and Ken to talk about Ruby and other dynamic languages. Mutation testing, TDD weaknesses, and meta programming.

Episode 106: Justin Massey - Logging and Monitoring from 2020-08-25T11:00

Justin Massey from Datadog joins us to talk Application Logging.

Episode 105: Laura Migus - Diversity and Inclusion from 2020-08-18T11:00

Seth and Ken chat with Laura Migus who is an expert in the realm of Diversity and Inclusion to learn more about the topic and how to support diversity and inclusion efforts.

Episode 104: Leif Dreizler - Authentication and SCIM from 2020-08-05T11:00

Leif Dreizler joins Seth and Ken to talk about recent projects, including authentication, SCIM, and how to embed within a development team.

Episode 103: Secrets Management, Oded Hareven, and akeyless.io from 2020-07-21T11:00

Oded Hareven from AKEYLESS joins Seth and Ken to discuss the idea behind AKEYLESS as well as give us a chance to learn a little bit more about Oded.

Episode 102: Popular Programming Languages, TikTok, OWASP from 2020-06-30T11:00

Seth and Ken talk about the popularity of various programming languages, TikTok app issues, and new changes at OWASP.

Episode 101: Mike McCabe, Ken Toler, Cloud Security from 2020-06-23T11:00

Seth and Ken are joined by Mike McCabe (@mccabe615) and Ken Toler (@relotnek) to break down their talk on Cloud Security. Discussion revolves around cloud security, but touches legacy systems, app...

Episode 100: Virtual Conferences, Bots, DDoS, Ebay from 2020-06-16T11:00

Seth and Ken break the 100 episode barrier by talking about virtual conferences. Discussions about bots, distributed denial of service attacks, and Ebay stalking of a newsletter.

Episode 99: Contact Tracing, GnuTLS, Breaches from 2020-06-09T11:00

Seth and Ken are back to security and technology this week. Discussions about contact tracing applications, privacy and freedom vs. security, the GnuTLS CVE, and possible Honda breach.

Episode 98: Bug Bounty Programs, Work when World is Crazy from 2020-06-02T11:00

Seth and Ken go full rant mode about bug bounties and trying to work while the world goes insane.

Episode 97: Stefan Edwards and Brian Glas - Threat Modeling from 2020-05-26T11:00

Stefan (@lojikil) and Brian (@infosecdad) are back to talk about threat modeling with Seth and Ken. Discussion covers risk assessment, threat modeling, asset inventory, and software maturity.

Episode 96: Fuzzing and Static Analysis Tools from 2020-05-19T11:00

Seth and Ken discuss fuzzing techniques, recommendations, and experience. Stories of fuzzing in production. How static analysis tools have changed and where they fit.

Episode 95: Jessica Rozhin (@JessicaRozhin) and Lady Christina Liu (cliuthulu) - Incident Response, Lockpicking, Building an Infosec Culture from 2020-05-12T11:00

Jessica Rozhin (@JessicaRozhin) and Lady Christina Liu (@cliuthulu) join Seth and Ken to talk about alternate routes into security, including accounting and joining a circus. Discussions on forensi...

Episode 94: Bug Bounty, Microservices vs. Monoliths, and CVE Fatigue from 2020-05-05T11:00

Seth and Ken discuss tips for running a bug bounty program, risk of webhooks, Segment's move to and from microservices, and having CVE Fatigue.

Episode 93: Huntr Dev - Securing Open Source Software from 2020-04-21T11:00

Seth and Ken are joined by the Huntr Dev team to talk about securing open source software, bug bounties, and writing secure code.

Episode 92: Working from Home, Skreen, Evolution of AppSec from 2020-04-14T11:00

Seth struggles with internet access during a discussion with Ken on working from home, employee surveillance, and Sneek. Additional thoughts on the evolution of application security and penetration...

Episode 91: Stefan Edwards - More Voatz, Zoom, Code Reviews, Report Writing, Threat Models, and Risk Assessments from 2020-04-07T11:00

LOJI IS BACK! Stefan joins Seth and Ken to talk about his work on Trail of Bits' assessment of the Voatz mobile application, share thoughts on Zoom, and discuss the assessment process. Discussions o...

Episode 90: Voatz, HackerOne, Bug Bounties, GraphQL, Shodan Network Trends from 2020-03-31T11:00

Seth and Ken provide their take on the Voatz mobile app dismissal from HackerOne. Additional discussion of network trends during social distancing and COVID-19 as reported by Shodan. Finally some t...

Episode 89: Kat Sweet - Incident Response, DevOps and Developer Training, Breaking into Security from 2020-03-24T11:00

Kat Sweet (@TheSweetKat) continues our discussion from DevSecOps Days Austin. Topics include incident response, staying right while you push left, developer training, and getting into information s...

Episode 88: Kevin Johnson - Secure Ideas, Star Wars, Passing it On from 2020-03-17T11:00

Kevin Johnson of Secure Ideas joins Seth and Ken in a discussion on his path into security, Star Wars (yes, really), and giving back to the community. This includes passing on teaching, sharing know...

Episode 87: Abhay Bhargav - Threat Modeling, DevSecOps, Microservices from 2020-03-03T11:00

Abhay Bhargav, founder of We45, joins Seth and Ken in a discussion on threat modeling in an agile development methodology, the rise and role of DevSecOps, and security within microservices.

Episode 86: Rohan Joshi - QA Security Testing, Security Champions, Paypal Vulnerabilities from 2020-02-25T11:00

Seth and Ken discuss bug bounties and a recent article on Paypal issues. Joined by Rohan Joshi to discuss building an application security program, QA security testing, and security champions.

Episode 85: David Lindner - Voting Apps, Bug Bounties, IAST/RASP/WAF from 2020-02-18T11:00

David Lindner (@golfhackerdave) joins Seth and Ken to discuss voting applications, including the Iowa debacle and the Voatz application. Ranting on bug bounties and response times for researcher f...

Episode 84: Tinfoil Hat Tuesday - Backdoors, Application Libraries, Equifax from 2020-02-11T11:00

Seth and Ken discuss the latest security news, including CIA Backdoors in the Crypto AG products, FBI release of wanted Chinese nationals related to the Equifax breach, protecting applications agai...

Episode 83: Ron Perris - NPM, Developer Training, React from 2020-02-06T11:00

Ron Perris (@ronperris), Software Security Engineer from npm, Inc. joins Seth and Ken to talk about module security, developer interactions, and recent node security issues. DOM Clobbering.

Episode 82: Kelley Robinson - MFA, SHAKEN, STIR from 2020-01-28T11:00

Kelley Robinson (@kelleyrobinson), Security Advocate at Twilio/Authy joins Seth and Ken to talk about multifactor authentication, her path into security, and advances in voice security (SHAKEN/STIR).

Episode 81: Matias Madou - Application Security Training from 2020-01-21T11:00

Ken and Seth are joined by Matias Madou, CTO of Secure Code Warrior. Discussion of current state of application security training, static analysis tools, and just-in-time-training.

Episode 80: Louis Barratt - SIRT and AppSec from 2020-01-14T11:00

Louis Barrett of the Segment SIRT team joins Seth and Ken to discuss his path into security, mentors, and SIRT. Discussions on approaching SIRT, creating a SIRT team, and how to integrate AppSec ...

Episode 79: Live from DevSecOpsDays Austin - Next up in AppSec/DevSecops from 2019-12-17T11:00

Seth and Ken host the podcast live from DevSecOpsDays Austin, with multiple guests from conference speakers. Discussions on what each guest feels is up next in AppSec and DevSecOps for the foreseeab...

Episode 78: Breaches, Passwords, and Chicken Fingies from 2019-12-10T11:00

Seth and Ken host Seth and Santa's Secure Workshop as a pair this week. The discussion revolves around the Hacker 1 "breach", Practical Pentest Lab's storage and sending of plaintext passwords, chi...

Episode 77: Clint Gibler, DevSecOps, TLDR; Sec from 2019-12-03T11:00

Seth and Ken are joined this week by Clint Gibler (@clintgibler) to talk about DevSecOps, what he sees in the industry as effective security, and his newsletter TLDR; Sec (https://bit.ly/tldrsec). ...

Episode 76: Guy Podjarny, Snyk, AppScan, SCA from 2019-11-26T11:00

Guy Podjarny (@guypod), founder of Snyk, joins Ken and Seth to talk about Snyk, the origins of AppScan Standard, Software Composition Analysis and his origin story. A discussion of building develop...

Episode 75: Brian Glas, OWASP Top 10, OWASPSAMM from 2019-11-19T11:00

Ken and Seth are back! Joined in this episode by Brian Glas, aka @infosecdad, aka Professor Glas to talk about all things OWASP Top 10 2017, the path to his involvement, and how it almost split App...

Episode 74: Ernest Mueller, DevOps, Security and Cloud Computing from 2019-10-22T23:00

Ernest Mueller (@ernestmueller) joins Seth and Ken to talk about his path into technology, operations, and security. Additional discussions on the beginnings of DevOps, Security, and Cloud Comp...

Episode 73: Kevin Cody, CORS, and Lockpicking from 2019-10-16T23:00

Kevin Cody (@kevcody) is back with Seth and Ken to talk about his collaboration with Tim Tomes (@LaNMaSteR53) on CORS. Also discussions on lockpicking, travel tips, and a wide range of topics. Reme...

Episode 72: Consulting Horror Stories from 2019-10-01T11:00

Seth and Ken kick off October with a discussion of consulting horror stories, both from personal experiences and listener-provided. Additional discussions around Cloudflare's WARP.

Episode 71: Evan Johnson, Cloudflare and Lastpass from 2019-09-17T11:00

Evan Johnson (@ejcx_), one of the first podcast guests to join Seth and Ken, revisits to talk about recent industry revelations, including the Lastpass vulnerability from Google's Project Zero. Furt...

Episode 70: Andrew Wilson, OWASP and Training New AppSec Resources from 2019-09-03T11:00

Andrew Wilson (@azwilsong), a friend and partner at Bishop Fox, joins Seth and Ken to discuss OWASP, running a consultancy, organizing CactusCon, and training new AppSec resources.

Episode 69: Eric Ellett, Development vs. Security from 2019-08-27T11:00

Seth and Ken are joined by Eric Ellett (@EricEllett) to talk about software supply chain security. Development vs. Security and how to develop a good relationship with development instead of an ant...

Episode 67: Kubernetes Security with Stefan and Bobby from 2019-08-12T11:00

Seth and Ken are joined by Stefan (@lojikil) and Bobby (@b0bbytabl3s) to talk about Kubernetes Security based on the assessment they conducted at Trail of Bits.

Episode 66: Capital One Breach, NPM, and Secure Code Reviews from 2019-07-30T11:00

Seth and Ken discuss the latest news, including the Capital One Breach, Project Zero's recent iOS vulnerability disclosures, and further malicious NPM package takeovers. Further topics include lear...

Episode 65: Adam Baldwin, 3rd Party Dependencies, and Supply Chain Security from 2019-07-16T11:00

Seth and Ken are joined by Adam Baldwin (@adam_baldwin) to discuss a topic we've been talking a lot about - 3rd party dependency and supply chain security. Adam gave a talk at this year's LocoMoco ...

Episode 64: Hijacked Gems, Zoom RCE, and Marriott Fines from 2019-07-09T11:00

Seth and Ken discuss conference proposal submissions and how to stand out. Also discussions on the latest security news, including the Zoom vulnerability disclosure, European fines for Marriott, a...

Episode 63: Julian Berton, AppSec Day, Developer Training, and Security Standards from 2019-07-02T11:00

Julian Berton joins Seth and Ken to talk about Developer Training, Security Standards and AppSec Day, a global Application Security conference in Melbourne, Australia. They also discuss the latest ...

Episode 62: Abdullah Munawar, Ben Pick, Global AppSec DC, and Running an OWASP Chapter from 2019-06-18T11:00

Seth and Ken welcome Abdullah Munawar and Ben Pick to the show. They discuss their path into application security, current roles, and OWASP involvement. Specifically, Abdullah and Ben talk about ru...

Episode 61: Tanya Janca, DevSlop, Diversity, and Inclusion from 2019-06-11T11:00

Based on demand, Seth and Ken are joined by Tanya Janca (@shehackspurple) to talk about all things OWASP, travel, and experiences. Topics include OWASP DevSlop, diversity, and inclusion.

Episode 60: Stefan Edwards, Huawei, Android Security, and Programming Languages from 2019-05-21T11:00

Seth is joined once again by Stefan Edwards to talk about current events and ruin another portion of information security. Topics include Huawei, Android Security, and Programming Languages.

Episode 59: James Wickett on DevOps from 2019-05-14T11:00

Seth and Ken discuss Minecraft mod hacking and applying AppSec tools to the practice. Joined by James Wickett (@wickett) to talk about the history of DevOps, why software security people should lea...

Episode 58: David Lindner on RASP, Mobile, IoT from 2019-05-07T11:00

Seth and Ken discuss Edge Side Include Injection. Subsequently joined by David Lindner (@golfhackerdave), the current head of AppSec at Contrast Security. David talks all about RASP, mobile and IoT...

Episode 57: OWASP WIA (Women in AppSec) Committee from 2019-04-30T11:00

Seth and Ken are joined by the OWASP WIA (Women in AppSec, @owaspwia) Committee. We discuss diversity in security and how the committee and OWASP are making the community more inclusive. Topics incl...

Episode 56: Learn to Code / Loco Moco Sec Recap from 2019-04-23T11:00

Seth and Ken get back together to talk about Loco Moco Sec and recent industry news. Specifically, should all security people be able to code? Is it a strict requirement? Ken gives his take on the ...

Episode 55: Stefan Edwards ruins Infosec - Testing Edition from 2019-04-18T11:00

Seth is joined once again by Stefan Edwards. First in the series "Lojikil ruins Infosec". Ken is at LocomocoSec in Hawaii, so Seth and Stefan (@lojikil) talk all things testing, including symbolic ...

Episode 54: Recon-NG and Burp Suite v2 with Tim Tomes from 2019-04-09T11:00

Seth and Ken are joined by Tim Tomes, aka LaNMaSteR53. We discuss Tim's path into application security, his work on Recon-NG, and his analysis of Burp Suite Professional's version 2.

Episode 53: Building AppSec at Github with Greg Ose from 2019-04-02T11:00

Seth and Ken talk AppCache vulnerabilities and postMessage exploits from PortSwigger's Top 10 web hacking techniques of 2018. Greg Ose joins them to talk about building application security program...

Episode 52: Serialization Vulns, Managing Careers, and Hacking your Happiness with Chris Gates from 2019-03-26T11:00

Seth and Ken talk about serialization vulnerabilities, number 6 in the top web hacking techniques of 2018. Discussions on continuous integration, hacking Jenkins, reading code to find vulns, mainta...

Episode 51: XXE review and techniques, Assessment Reporting and Process with Jessica Ryan from 2019-03-19T16:00

Seth and Ken talk about new techniques for exploiting XXE, number 7 in the top web hacking techniques of 2018. Discussions on assessment process, including reporting, note taking and soft skills wi...

Episode 47: Mapping Application Source Code, Mobile OWASP Top 10, Mobile Application Testing, and Kevin Cody from 2019-02-19T21:00

Seth and Ken review steps taken during a secure code review to map out an application. Joined by Kevin Cody (@kevcody) to talk mobile application testing, OWASP Mobile Top 10, what devices to use w...

Episode 46: Fuzzing, Frameworks, Training and Daniel Miessler from 2019-02-12T21:00

Seth and Ken talk about the recent release of ClusterFuzz by Google. Joined by Daniel Miessler (@DanielMiessler) to talk about the SecLists project, how it relates to fuzzing, training developers ...

Episode 45: Making the most of Bug Bounties, managing an AppSec program, and Sean Poris from 2019-02-05T21:00

Seth and Ken are joined by Sean Poris (@skp00) of Verizon Media to talk about making the most of a bug bounty program, Sean's path into application security from his budding time as a biologist, an...

Episode 44: AppSec California, running a Bug Bounty program, and David Coursey from 2019-01-29T21:00

Seth and Ken are joined once again by David Coursey (@dacoursey) to review topics from AppSec California 2019, including building developer relationships and the OWASP ZAP HUD. Ken and Dave answer ...

Episode 43: DerbyCon, pwnhead, and Keith Hoodlet from 2019-01-15T21:00

Seth and Ken are joined by Keith Hoodlet (@andMyHacks) to discuss DerbyCon, pwnhead, and application security in medical devices.

Episode 42: SSRF Rebinding and Segment Team (Leif Dreizler and David Scrobonia) from 2019-01-08T21:00

Seth and Ken discuss SSRF Rebinding defenses with Segment (Leif, David, and Achille). Additional topics include password complexity, password resets, and using Troy Hunt's breach database.

Episode 41: Hidden File/Dir Enumeration and Will Bengtson from 2018-12-18T21:00

Seth and Ken discuss hidden file and directory enumeration. Joined by Will Bengtson to talk AWS and cloud security, including cloudtrail and trailblazer.

Episode 40: Code Reviews from 2018-12-11T21:00

Seth and Ken talk through secure code reviews and assessment scoping, more on breaches, the Google congressional hearings and more.

Episode 39: Jerry Gamblin from 2018-12-04T21:00

Is there such a thing as breach fatigue? When have we had enough? Seth and Ken are joined by Jerry Gamblin of Kenna Security to discuss recent breaches and AWS Re:Invent.

Episode 38: Matt Konda from 2018-11-27T21:00

Seth and Ken discuss node packages and event_stream fallout. Matt Konda (@mkonda) joins to talk about OWASP, the Glue tool, Jemurai and his origin story and other topics.

Episode 37: Stefan Edwards from 2018-11-20T21:00

Seth and Ken discuss security gifts for appsec peeps. Joined by Stefan Edwards (@lojikil) to talk about his origin story (Seth gets bagged on), formal verification, and a multitude of other topics.

Episode 36: Mike McCabe from 2018-11-13T21:00

Seth and Ken discuss cross-site scripting and input validation/output encoding findings. Later joined by Mike McCabe (@mccabe615) to talk about cloud security, building an appsec program, intervi...

Episode 35: Travis McPeak from 2018-11-06T21:00

Seth and Ken discuss server side request forgery and then pick Travis McPeak's (@travismcpeak) brain about AWS security, his path into security, QA testing, and Netflix cloud security tools.

Episode 34: Stefan Edwards from 2018-10-30T21:00

Seth and Ken are joined last minute by Stefan Edwards (@lojikil) to talk about security unit tests, fuzzing, and all things you will need to google later on. Blockchains and secure contracts are in...

Episode 33: John Melton from 2018-10-02T21:00

Seth and Ken go over fully vetting functions during code reviews. John Melton (@_jtmelton) talks with Ken and Seth about static analysis tools, building an appsec program, open source, and more.

Episode 32: Eric Johnson from 2018-09-18T21:00

Setup tips for starting an assessment with Burp Suite Professional. Eric Johnson (@emjohn20) talks with Ken and Seth about Roslyn, building Puma Scan, SANS, and more.

Episode 31: Rob Fuller from 2018-09-11T21:00

Practical advice on submitting and writing effective findings for bug bounties and reports. Rob Fuller (@mubix) talks about his path into security, CCDC, volunteerism, NoVA Hackers and more.

Episode 30: Dave Ferguson from 2018-09-04T21:00

Dave Ferguson (@_sc0rn) talks about the futility of developer training, initial discovery of CSRF on netflix.com, and application scanning with Ken and Seth.

Episode 29: Matt Tesauro from 2018-08-28T21:00

Matt Tesauro (@matt_tesauro) talks OWASP, community involvement, Defect Dojo, and the AppSec Pipeline toolbox with Ken and Seth.

Episode 28: Astha Singhal from 2018-08-21T21:00

Astha Singhal (@astha_singhal) joins Ken and Seth to talk automating application security and bug bounties.

Episode 27: Jim Manico from 2018-08-14T21:00

Ken and Seth are joined by Jim Manico (@manicode) to talk RAW, training, OWASP, code security, and all things AppSec.

Episode 26: Justin Larson from 2018-07-31T21:00

Ken and Seth are joined by Justin Larson (@Phant0mTrav3ler) and talk about building an AppSec program from scratch.

Episode 25: Scott Piper from 2018-07-24T21:00

Ken and Seth are joined by Scott Piper (@0xdabbad00) and talk AWS Security, including https://flaws.cloud, cloud mapper, and cloud tracker projects.

Episode 24: Jason White from 2018-07-17T21:00

Ken and Seth are joined by Jason White (@misfir3) and talk about transitioning from a developer to an application security professional.

Episode 23: Ken Toler from 2018-07-10T21:00

Ken and Seth are joined by Ken Toler (@relotnek) and talk security champions and security program management.

Episode 20: Authentication and JWTs from 2018-06-19T21:00

Ken and Seth talk more about authentication, JWTs and everything that is wrong with both of them.

Episode 19: CFPs and More from 2018-06-05T21:00

Ken and Seth talk about current events, submitting CFPs, and more.

Episode 18: Chris Gates from 2018-05-29T21:00

Ken and Seth are joined by Chris Gates to talk about Purple Teaming and the WeirdAAL tool.

Episode 17: Efail and CSRF from 2018-05-15T21:00

Ken and Seth talk about current news (Efail) and CSRF Tokens.

Episode 16: Hipster Languages from 2018-05-08T21:00

Ken and Seth talk about hipster languages and frameworks.

Episode 15: Kevin Cody from 2018-05-01T21:00

Kevin Cody joins Ken and Seth to talk about mobile security testing.

Episode 14: Karthik Gaekwad from 2018-04-24T21:00

Karthik Gaekwad joins Ken and Seth.

Episode 13: Charles Nwatu from 2018-04-10T21:00

Charles Nwatu joins Ken and Seth.

Episode 11: David Coursey and Stefan Edwards from 2018-03-27T21:00

David Coursey and Stefan Edwards reprise their discussion with Ken and Seth.

Episode 10: Jimmy Mesta from 2018-03-13T21:00

Jimmy Mesta joins Seth and Ken to talk about Kubernetes and Container security.

Episode 9: Jason Haddix from 2018-03-06T21:00

Seth and Ken talk with Jason Haddix about bug bounties.

Episode 8: Neil Matatall from 2018-02-27T21:00

Featuring Guest Neil Matatall

Episode 7: Current Events from 2018-02-20T21:00

Seth and Ken discuss current events.

Episode 6: Kevin Cody from 2018-02-13T21:00

Featuring Guest Kevin Cody

Episode 5: Stefan Edwards and Dave Coursey from 2018-02-06T21:00

Featuring Guests Stefan Edwards and David Coursey

Episode 4: Evan Johnson from 2018-01-30T21:00

Featuring Guest Evan Johnson

Episode 3: Jerry Gamblin from 2018-01-23T21:00

Featuring Guest Jerry Gamblin

Episode 2: Current Events from 2018-01-16T21:00

Weekly discussion.

Episode 1: Introductions from 2018-01-09T21:00

Introductions with Seth and Ken.