Ken Johnson and Seth Law

Absolute AppSec

A weekly podcast of all things application security related. Hosted by Ken Johnson and Seth Law.

Author

Ken Johnson and Seth Law

Category

Technology

Podcast website

absoluteappsec.com

Latest episode

Jul 7, 2026

Where to listen?

Podcasts in the app Replaio Radio Coming soon

Podcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts

Get it on Google Play Install for free Android 5M+ downloads · 4.8 rating iOS soon

Episodes

Episode 326 - AppSec Jobs, Benchmarking LLMs, Open Web Standards 07.07.2026

In episode 326 of Absolute AppSec, sponsored by mobile application security provider GuardSquare (guardsquare.com), the hosts start with a deep-dive into pre-show discussions about the shifting macroeconomic landscape of AppSec jobs. They analyze an industry-wide trend where corporate hiring is pivoting away from external third-party consultancies and contractors. Instead, maturing organizations a...

Episode 325 - Simplified Threat Modeling, Defining A Vulnerability 30.06.2026

In episode 325 of Absolute AppSec, co-hosts Ken Johnson and Seth Law first break down an informal guide to threat modeling, arguing that overly prescriptive frameworks like STRIDE induce a heavy cognitive load on developers. Instead, they advocate for simplified, creative questions to expose architectural gaps, citing a historical GitHub planning flaw where private repository images were left expo...

Episode 324 - Three Week Trap, Malicious Extensions 16.06.2026

In episode 324 of Absolute AppSec, co-hosts Ken Johnson and Seth Law share a mix of security model critiques. Starting with industry dynamics, Ken recaps his recent presentation at OWASP Nova regarding the limits of human-scale AppSec, recounting a dramatic storm during the talk where patio chairs pelted the high-rise glass. The conversation pivots sharply to Anthropic being forced to pull its "Fa...

Episode 323 - Secrets Logs, Prompt Injection Risks 09.06.2026

In episode 323 of Absolute AppSec, co-hosts Ken Johnson and Seth Law focus heavily on core application security vulnerabilities, legacy operational struggles, and the challenges of generative AI systems. After briefly discussing Seth’s recent trip to BSides Vancouver and confirming upcoming conference training logistics for Black Hat and DEF CON, the duo dives into the persistent problem of secret...

Episode 322 - Megalodon, Staged Package Publishing, AI Powered Honeypots 26.05.2026

In episode 322, the co-hosts examine critical vulnerabilities, changing security standards, and adaptive defense mechanisms. They deep dive into the recent "Megalodon" breach, identifying it as a direct poisoned pipeline execution attack. Rather than exposing a flaw inside GitHub itself , researchers at Hudson Rock traced the root cause to credentials stolen from developer desktops via infostealer...

Episode 321 - The Future of AppSec 19.05.2026

In episode 321 of Absolute AppSec, the co-hosts dive into a sprawling discussion about the future of Application Security amid the heavy noise of artificial intelligence and automated tools. The hosts start with a debate on whether traditional AppSec fundamentals remain relevant. Drawing analogies to the industrialization of car manufacturing and the transition to autonomous labor, they predict th...

Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout 12.05.2026

Ken is away, so Stefan Edwards (lojikil) joins Seth to talk all things AppSec. This episode starts by exploring the acceleration of AI on the offensive side of security, enabling threat actors to automate complex tasks like patch diffing, gadget discovery, and reverse engineering binaries. The conversation highlights a recent milestone where an AI-driven tool, Mythos, successfully identified a vul...

Episode 319 - Vercel Breach, Security vs. Compliance, Pull Request Flows w/ AI Agents 21.04.2026

Episode 319 covers a range of industry developments, primarily focusing on the recent Vercel security incident and the evolving landscape of AI-driven compliance. The hosts detail how a Vercel employee's use of a consumer-level Context AI plan led to a workspace compromise via a leaked OAuth token, eventually allowing attackers to access sensitive environment variables. This leads to a critical di...

Episode 318 - Slack Impersonation, Mythos, Vulnerability Research Future 14.04.2026

Episode 318 examines critical vulnerabilities and the evolving impact of AI on the security industry. The episode details a recent sophisticated impersonation and malware attack targeting open-source Slack communities, including their own, where attackers spoofed Seth's identity to distribute malicious links via Google Sites. The hosts express significant frustration with Slack's lack of built-in...

Episode 317 - (Post-RSAC/BSidesSF), Supply Chain Security, Future of SDLC 31.03.2026

Ken Johnson and Seth Law reflect on the 2026 RSA Conference and BSidesSF, noting an industry-wide "awakening" regarding the high costs and engineering complexities of operationalizing AI security tools. A major focus is the recent "supply chain attack hell," specifically the compromise of the Axios HTTP client through dual-account breaches that allowed attackers to bypass legitimate OIDC deploy se...

Episode 316 - w/Coffee, Chaos, and ProdSec - Agentic Development Lifecycle 17.03.2026

In episode 316 of Absolute AppSec, hosts Ken Johnson and Seth Law participate in a crossover with Kurt Hendle and Cameron Walters from the Coffee, Chaos, and ProdSec podcast to discuss the radical transformation of security roles in an AI-driven landscape. The guests share origin stories rooted in gaming and "mischievous" curiosity, which evolved into deep careers in security architecture and engi...

Episode 315 - Risks of "AI-Native" Security Products, Rapid Software Development 03.03.2026

In episode 315 of Absolute AppSec, Ken Johnson and Seth Law discuss the rapidly evolving challenges of securing software in an era of AI-assisted development. The hosts provide updates on their "Harnessing LLMs for Application Security" training, noting that the field is changing so fast that they must constantly update their exercises to include new agents and advanced tools like Claude Code. A p...

Episode 314 - LLM AppSec Disruption, Limitations of AI in Security, AppSec Oversight 24.02.2026

In this episode, the hosts discuss the seismic shift in the application security landscape triggered by the rise of Large Language Models (LLMs) and Anthropic’s "Claude Code". They highlight the massive economic repercussions of these AI advancements, noting that billions in market value were wiped from traditional cybersecurity stocks as investors begin to believe frontier models might eventually...

Episode 313 - AppSec Role Evolution, AI Skills & Risks, Phishing AI Agents 17.02.2026

Ken Johnson and Seth Law examine the intensifying pressure on security practitioners as AI-driven development causes an unprecedented acceleration in industry velocity. A primary theme is the emergence of "shadow AI," where developers utilize unauthorized AI coding assistants and personal agents, introducing significant data classification risks and supply chain vulnerabilities. The discussion div...

Episode 312 - Vibe Coding Risks, Burnout, AppSec Scorecards 10.02.2026

In episode 312 of Absolute AppSec, the hosts discuss the double-edged sword of "vibe coding", noting that while AI agents often write better functional tests than humans, they frequently struggle with nuanced authorization patterns and inherit "upkeep costs" as foundational models change behavior over time. A central theme of the episode is that the greatest security risk to an organization is not...

Episode 311 - Transformation of AppSec, AI Skills, Development Velocity 03.02.2026

Ken Johnson and Seth Law examine the profound transformation of the security industry as AI tooling moves from simple generative models to sophisticated agentic architectures. A primary theme is the dramatic surge in development velocity, with some organizations seeing pull request volumes increase by over 800% as developers allow AI agents to operate nearly hands-off. This shift is redefining the...

Episode 310 - w/ Mohan Kumar and Naveen K Mahavisnu - AI Agent Security 27.01.2026

In this episode of Absolute AppSec, hosts Ken Johnson and Seth Law interview Mohan Kumar and Naveen K Mahavisnu, the practitioner-founders of Aira Security, to explore the critical challenges of securing autonomous AI agents in 2026. The conversation centers on the industry's shift toward "agentic workflows," where AI is delegated complex tasks that require monitoring not just for access control,...

Episode 309 - w/ Nathan Hunstad - Compliance, Security Governance 20.01.2026

In this episode of Absolute AppSec, Nathan Hunstad, Director of Security at Vanta, discusses the intersection of security policy, governance, and technical defense. Drawing on his unique background in political science and the Minnesota state legislature, Hunstad argues that policy acts as the essential "conductor" for an organization's security tools. A major theme of the conversation is the chal...

Episode 308 - w/Avi Douglen - Privacy, AppSec Conferences, OWASP 13.01.2026

Ken Johnson (cktricky on social media) and Seth Law are happy to announce a special episode of Absolute AppSec with Avi Douglen (sec_tigger on X), long-time OWASP Global Board of Directors member, founder and CEO of Bounce Security and co-author of the Threat Modeling Manifesto. The conversation ranges from Application Privacy related to Application Security, to participating in meetups and confer...

Episode 307 - 2025 Retrospective, Supply Chain, MCP and APIs 23.12.2025

In episode 307 of Absolute AppSec, hosts Ken and Seth conduct a retrospective on the application security landscape of 2025. They conclude that their previous predictions were largely accurate, particularly regarding the rise of prompt injection, AI-backed attacks, and the industry-wide shift toward per-token billing models. A major theme of the year was the solidification of supply chain security...

Episode 306 - w/ Paul McCarty - Open Source Malware 02.12.2025

Given the spate of recent npm news stories, we've arranged a topical show with software supply-chain security researcher and npm hacker Paul McCarty (find Paul on bsky https://bsky.app/profile/6mile.githax.com) . Paul is currently a researcher with Safety (https://getsafety.com/) and has a background in security including work at John Deere, Boeing, Regence Blue Cross/Blue Shield, NASA Jet Propuls...

Episode 305 - Career Impact of GenAI, SEO/GEO, More Supply Chain Attacks 25.11.2025

The latest episode of Absolute AppSec is here, with Ken Johnson and Seth Law checking in during the busy Q4 holiday season to share some fascinating insights on the evolving landscape of security and technology. They kick off by reflecting on their intensive, ever-changing "Harnessing LLMs for Application Security" courses, noting how rapidly the underlying tech evolves. The conversation quickly t...

Episode 304 - More OWASP Top 10, AI Dynamic Testing 18.11.2025

This episode, the 304th of Absolute AppSec, features hosts Ken Johnson (@cktricky) and Seth Law (@sethlaw) discussing the crush of Q4 expectations, upcoming training opportunities, the recent updates to the OWASP Top Ten, and the impact of AI tools like XBow on application security (AppSec) consulting. The hosts discuss the shift in the OWASP Top Ten from focusing on vulnerabilities to focusing on...

Episode 303 - w/Prof. Brian Glas - OWASP Top 10 2025 10.11.2025

Prof. Brian Glas (infosecdad on social media) joins Seth Law (sethlaw) and Ken Johnson (cktricky) for a timely episode of Absolute AppSec. Infosec Guru and one of the OWASP Top Ten project leaders Prof. Glas joins us in the aftermath of the Global AppSec conference and the announcement of the new OWASP Top Ten (2025). This episode focuses on the process for compiling the list as well as gleaning a...

Episode 302 - OWASP Global AppSec DC predictions, AI Browser Dangers, MCP Security 04.11.2025

Episode 302 of Absolute AppSec has hosts Ken Johnson and Seth Law speculating on the upcoming Global AppSec DC conference, predicting the announcement of the OWASP Top Ten 2025 edition, with Brian Glass scheduled to discuss it on the podcast. The conversation shifts to a technical discussion of OpenAI's new browser, Atlas, which is built on Chromium and includes AI capabilities. The hosts noted co...

Listen to the Absolute AppSec podcast in Replaio

Radio and podcasts in one app - free, with no sign-up. Install today and do not miss the launch

Get it on Google Play

Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.