エピソード

  • Episode 282 - Model Context Protocol, A2A, NHI Authentication

    Episode 282 - Model Context Protocol, A2A, NHI Authentication
    2025/04/15
    It is time to talk about Model Context Protocol (MCP), Google's Agent 2 Agent specification, and get back to the crocs and socks of authentication for Non-Human Identities (NHIs). MCP servers have exploded over the last few weeks and provide a standard mechanism for LLMs to interact with pretty much _anything_. Seth and Ken talk about the risks, exposures, and where things could go from here.
    続きを読む 一部表示
    1分未満
  • Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse

    Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse
    2025/04/08
    The duo are back for a discussion on securing machine learning models using Sigstore, based on a recent blog post from Google Security. Followed by some spicy takes on opinions on vibe coding and its effects on application and product security. Finally, short-lived tokens used to exploit RCE against the GitHub CodeQL Action.
    続きを読む 一部表示
    1分未満
  • Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs

    Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs
    2025/03/25
    Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peak of an upcoming talk by Seth for BSidesSLC.
    続きを読む 一部表示
    1分未満
  • Episode 279 - Conferences, Destructive Fatigue, Imposter Syndrome

    Episode 279 - Conferences, Destructive Fatigue, Imposter Syndrome
    2025/03/18
    After a week's hiatus, Ken and Seth return and start with a discussion on OWASP conferences and the effectiveness of attendance for vendors. This is followed by an expansive mental health discussion inspired by a recent blog post on Destructive Fatigue from Justin Larson at Redpoint Security. A constant focus on breaking and tearing down applications or anything can have mental health effects. Additionally, focus on the negative aspects increases imposter syndrome that is already prevalent across the industry. This leads to the question, what do you do to maintain sanity and mental health? Jump into Slack or tag @absoluteappsec on social media with your strategies.
    続きを読む 一部表示
    1分未満
  • Episode 278 - Security Conferences, Testing Data in Git, Unforgivable Vulnerabilities

    Episode 278 - Security Conferences, Testing Data in Git, Unforgivable Vulnerabilities
    2025/03/04
    Seth and Ken return without a guest to discuss recent news, breaches, and research. Initial discussions around the purposes of the various security conferences and what is recommended for various professional levels. An article discussing recent customer data exposure by Zapier in git test data. Synthetic test data has been an issue for long time so not a surprising turn of events. Finally, thoughts on the definitions and classification of Unforgivable Vulnerabilities as proposed by the UK's National Cyber Security Centre.
    続きを読む 一部表示
    1分未満
  • Episode 277 - w/ Kyle Rippee - AppSec Support, Security Red Flags, Getting Into AppSec

    Episode 277 - w/ Kyle Rippee - AppSec Support, Security Red Flags, Getting Into AppSec
    2025/02/25
    Kyle Rippee, currently staff product security engineer at Tines, joins Seth and Ken for another episode of Absolute AppSec. Kyle has over a decade of experience both managing and working for Application Security teams, as well as working as a pentester, security consultant, and software engineer. Before Tines, he worked for PlanetArt (where he held the role of Director of Information Security), FloQast, Shutterfly, Atos, among other Product Development and Security Consulting firms. Join us as we discuss Kyle's path into application security as well as finding out more about the interesting things going on at Tines.
    続きを読む 一部表示
    1分未満
  • Episode 276 - w/ Myles Borins - NPM

    Episode 276 - w/ Myles Borins - NPM
    2025/02/18
    Myles is currently Product Lead for Developer Platform at Snowflake. Previously, he directed project management at GitHub, overseeing projects like GitHub Copilot Workspace for PRs, Codespaces, npm, and Packages. A key contributor to Ecma International and TC39, he has served for stretches as a Delegate, Co-Chair, and VP for the project. His contributions to TC39 coincided with his periods he worked for both Google and Microsoft, respectively. In addition to extensive experience driving security and standards improvement in open source initiatives and key development languages, Myles is an active and accomplished musician. Catch up with Myles and his work here: https://mylesborins.com/about.html. We are excited to have Myles as a guest on the show, so be sure to catch up with this episode and make a note that this episode is occurring one hour earlier than the typical livestream broadcast time.
    続きを読む 一部表示
    1分未満
  • Episode 275 - OpenGrep Summary, Secure By Design, Confusion Attacks

    Episode 275 - OpenGrep Summary, Secure By Design, Confusion Attacks
    2025/02/11
    Ken and Seth are back for another episode that starts with a summary of the Semgrep and OpenGrep break. This is followed by Google's recent article titled Secure By Design: Google's Blueprint for a High-Assurance Web Framework. Google is focused on protections within the browser, given their products and business, but the controls and overall process are relevant to most application security programs. Finally, a discussion of Orange Tsai's research on Confusion Attacks within Apache that was number one in Portswigger's Top 10 Web Hacking Techniques of 2024.
    続きを読む 一部表示
    1分未満