Episodios

  • Episode 286 - Kayra Otaner - Authenticating Open Source Developers

    Episode 286 - Kayra Otaner - Authenticating Open Source Developers
    May 20 2025
    We are happy to have Kayra Otaner as a special guest on the Absolute AppSec podcast. Kayra (kayraotaner on LinkedIn and X/twitter), the current Director of DevSecOps at Roche, brings over 15 years of cybersecurity leadership experience from New York and Wall Street. He's led DevSecOps and DevOps teams across a variety of organizations, including ADP, Voice, and adMarketplace, and has served as a trusted CTO advisor for Trendyol. His background also includes cybersecurity consulting for the Turkish Navy, where he helped develop a defense solution that was later deployed in NATO's Locked Shields cyber defense war games in Tallinn. Kayra is a frequent speaker at international DevSecOps conferences and serves on the Business and Computer Science Advisory Board at Middlesex County College in New Jersey. During this episode of the podcast Kayra discusses his journey into information security and spurs on his recent thoughts on authenticating open source developers through models similar to TSA PreCheck.
    Más Menos
    Menos de 1 minuto
  • Episode 285 - easyjson, Software Dependencies, Breaches

    Episode 285 - easyjson, Software Dependencies, Breaches
    May 13 2025
    News this week has been dominated by dependency issues and attribution towards unwanted nation states and actors. Specifically, easyjson is developed by a Russian firm that is under sanctions. The podcast duo discuss the implications and how to protect apps from sub-dependency threats. This leads to a deep dive into breaches and whether a breach has an effect on the industry, company, or individual. Current regulations and certifications can be lost, but does not always have the effect we would expect.
    Más Menos
    Menos de 1 minuto
  • Episode 284 - BSidesSF/RSA Recap, Vibe Coding, WebAuthN

    Episode 284 - BSidesSF/RSA Recap, Vibe Coding, WebAuthN
    May 6 2025
    Back after a hiatus for both BSidesSF and RSA, Seth and Ken recap their experience at both conferences. TL;DR - BSidesSF is great for technical security content and community, RSA focuses on sales for mostly large organizations and budgets. Two sides of the security industry coin and depends on preferences for which makes the most sense for career or business growth. This is followed by a short discussion on vibe coding educational security tools. Episode wraps with an article on MFA phishing and how WebAuthN helps prevent accidental exposure.
    Más Menos
    Menos de 1 minuto
  • Episode 283 - Intentionally-Vulnerable MCP Server, Hallucinating Software Packages

    Episode 283 - Intentionally-Vulnerable MCP Server, Hallucinating Software Packages
    Apr 22 2025
    Ok, so vulnerable MCP tools are a thing now? Ken demonstrates installing and running an intentionally vulnerable MCP server with a bunch of example issues. Following is a discussion of the recent article and research around hallucinations of 3rd party dependencies/libraries in AI-Generated Python and JavaScript. New attack targets all dependent on how creative the LLM is allowed to be. A short aside on why we talk about AI and LLMs so much.
    Más Menos
    Menos de 1 minuto
  • Episode 282 - Model Context Protocol, A2A, NHI Authentication

    Episode 282 - Model Context Protocol, A2A, NHI Authentication
    Apr 15 2025
    It is time to talk about Model Context Protocol (MCP), Google's Agent 2 Agent specification, and get back to the crocs and socks of authentication for Non-Human Identities (NHIs). MCP servers have exploded over the last few weeks and provide a standard mechanism for LLMs to interact with pretty much _anything_. Seth and Ken talk about the risks, exposures, and where things could go from here.
    Más Menos
    Menos de 1 minuto
  • Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse

    Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse
    Apr 8 2025
    The duo are back for a discussion on securing machine learning models using Sigstore, based on a recent blog post from Google Security. Followed by some spicy takes on opinions on vibe coding and its effects on application and product security. Finally, short-lived tokens used to exploit RCE against the GitHub CodeQL Action.
    Más Menos
    Menos de 1 minuto
  • Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs

    Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs
    Mar 25 2025
    Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peak of an upcoming talk by Seth for BSidesSLC.
    Más Menos
    Menos de 1 minuto
  • Episode 279 - Conferences, Destructive Fatigue, Imposter Syndrome

    Episode 279 - Conferences, Destructive Fatigue, Imposter Syndrome
    Mar 18 2025
    After a week's hiatus, Ken and Seth return and start with a discussion on OWASP conferences and the effectiveness of attendance for vendors. This is followed by an expansive mental health discussion inspired by a recent blog post on Destructive Fatigue from Justin Larson at Redpoint Security. A constant focus on breaking and tearing down applications or anything can have mental health effects. Additionally, focus on the negative aspects increases imposter syndrome that is already prevalent across the industry. This leads to the question, what do you do to maintain sanity and mental health? Jump into Slack or tag @absoluteappsec on social media with your strategies.
    Más Menos
    Menos de 1 minuto
adbl_web_global_use_to_activate_T1_webcro805_stickypopup