Episodes

  • Episode 276 - w/ Myles Borins - NPM

    Episode 276 - w/ Myles Borins - NPM
    Feb 18 2025
    Myles is currently Product Lead for Developer Platform at Snowflake. Previously, he directed project management at GitHub, overseeing projects like GitHub Copilot Workspace for PRs, Codespaces, npm, and Packages. A key contributor to Ecma International and TC39, he has served for stretches as a Delegate, Co-Chair, and VP for the project. His contributions to TC39 coincided with his periods he worked for both Google and Microsoft, respectively. In addition to extensive experience driving security and standards improvement in open source initiatives and key development languages, Myles is an active and accomplished musician. Catch up with Myles and his work here: https://mylesborins.com/about.html. We are excited to have Myles as a guest on the show, so be sure to catch up with this episode and make a note that this episode is occurring one hour earlier than the typical livestream broadcast time.
    Show more Show less
    Less than 1 minute
  • Episode 275 - OpenGrep Summary, Secure By Design, Confusion Attacks

    Episode 275 - OpenGrep Summary, Secure By Design, Confusion Attacks
    Feb 11 2025
    Ken and Seth are back for another episode that starts with a summary of the Semgrep and OpenGrep break. This is followed by Google's recent article titled Secure By Design: Google's Blueprint for a High-Assurance Web Framework. Google is focused on protections within the browser, given their products and business, but the controls and overall process are relevant to most application security programs. Finally, a discussion of Orange Tsai's research on Confusion Attacks within Apache that was number one in Portswigger's Top 10 Web Hacking Techniques of 2024.
    Show more Show less
    Less than 1 minute
  • Episode 274 - Semgrep/OpenGrep, Saying "No" in Security

    Episode 274 - Semgrep/OpenGrep, Saying "No" in Security
    Feb 4 2025
    Seth and Ken return for another week to review current articles and happenings in the application security world. Specifically, they spend some time reacting to the news that the Semgrep Community version has been forked as Opengrep by a number of vendors. This occurs as a result of Semgrep changing the licenses on their open source rules to prevent use in competitor products. Also a discussion spurred by Rami McCarthy's recent article on how "No" is still appropriate and security shouldn't be a rubber stamp for any organization.
    Show more Show less
    Less than 1 minute
  • Episode 273 - Josh Larsen - Ghost Security

    Episode 273 - Josh Larsen - Ghost Security
    Jan 28 2025
    Josh Larsen, co-founder of CTO of Ghost Security, joins Seth Law and Ken Johnson on January 28th at 12 Noon Eastern time. Before Ghost Security, Josh was a co-founder and CEO of Darkbit and before that of the Blackfin Security Group. Larsen led the GTM strategy for both startups, and Darkbit and Blackfin Security Group were acquired by Aqua Security and Symantec Corporation, respectively. Ghost Security (https://ghostsecurity.com/) was founded so development shops and AppSec teams had a tool to perform autonomous application security using Agentic AI with the goal of helping teams discover, test, and mitigate risks in real time. Josh (joshlarsen on Linked In, @josh_larsen on X/Twitter) has been in the industry for 25 years working as a security program manager and consultant as well as building products that improve the security landscape. Be sure to tune in as Seth and Ken talk through his experiences in the field as well as gleaning his insights about the future of AppSec.
    Show more Show less
    Less than 1 minute
  • Episode 272 - New AI Tools, True Cost of False Positives

    Episode 272 - New AI Tools, True Cost of False Positives
    Jan 21 2025
    Ken and Seth start with a demo and discussion on some newer tools that use integrated AI in both the code and workflow spaces. Specifically, use for code review and understanding is improving. This is followed by a wide-ranging discussion of false positives, where they come from, and how they affect application security. Seth gets up in arms about trying to deal with unrealistic expectations around reducing false positives.
    Show more Show less
    Less than 1 minute
  • Episode 271 - Top 10 2024 Web Hacking Techniques, Research Techniques, AppSec Careers

    Episode 271 - Top 10 2024 Web Hacking Techniques, Research Techniques, AppSec Careers
    Jan 17 2025
    Seth and Ken return once again to talk through the overall effectiveness and purpose of Portswigger's Top 10 Web Hacking Techniques and how it benefits the community. A short discussion on some of the current crop of techniques up for polling. Spurred by recent revelations around Snyk's approach to identifying security issues in npm packages, the duo discusses research techniques and identifying security issues without exploitation or harm. To close out, a discussion on progressing from junior to senior within the security space and challenges in the current market.
    Show more Show less
    Less than 1 minute
  • Episode 270 - 2025 AppSec Predictions

    Episode 270 - 2025 AppSec Predictions
    Jan 7 2025
    Ken and Seth return for 2025 to review the accuracy of their predictions from 2024 and make a few new ones for this new year. Some hits and misses for last year, but overall the generic predictions for both AI/LLM growth and software supply chain security were accurate. However, they were wrong in their assumptions around LLM creation and training. For 2025, predictions on AI billing models, software supply chain attacks, OWASP Top 10 2025, and more.
    Show more Show less
    Less than 1 minute
  • Episode 269 - Security Conferences, What Sucks in (App)Sec

    Episode 269 - Security Conferences, What Sucks in (App)Sec
    Dec 17 2024
    The dynamic duo is back for another holiday special. Not that they reference the holidays, but dig into complaints about security conferences and how to build a conference network. Followed by a discussion inspired by a recent TL;DRSec post from Maya Kaczorowski on "What Sucks about Security" where security leaders were asked that specific question. This leads into the question "What Sucks in AppSec?", so the co-hosts give their responses.
    Show more Show less
    Less than 1 minute