Application Security Weekly (Audio)


Mike Shema 400 Episodes Jun 30, 2026

A podcast covering application security, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, it helps listeners find and fix software flaws effectively.

Episodes

Reducing Attack Surface & Evaluating Efficiency in Agents - Itamar Apelblat, David Goldschlag - ASW #389 (Jun 30, 2026, 01:12:39)
SquidBleed reveals another vuln that's been lurking for decades, but its real lesson is in managing an attack surface. Regardless of which programming language you use, removing code is one of the best security steps you can take, followed by changing default configs to turn off uncommon features and ancient protocols. The Linux kernel's removal of strncpy is another example of managing attack
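The strncpy point above, as an added example in C that is not code from the podcast or from the Linux kernel: strncpy neither guarantees a NUL terminator nor reports truncation, so a bounded copy that looks safe can leave an unterminated buffer for every later strlen, printf or strcat to run off the end of. The replacement, bounded_copy, is a strscpy-style routine written for this illustration (the name and its return convention are assumptions, modelled on but not identical to the kernel's strscpy): it always terminates, never pads, and returns -1 on truncation so the caller can act on it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies src into dst with strncpy and reports whether the result is
 * NUL-terminated: returns 1 if a terminator is present within dst_size
 * bytes, 0 if not. When strlen(src) >= dst_size, strncpy writes no NUL
 * at all; when src is shorter, it zero-pads the rest of the buffer. */
int strncpy_terminated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* strscpy-style bounded copy (assumed helper for this example, not the
 * kernel's code). Always writes a terminator when dst_size > 0, copies no
 * more than dst_size - 1 bytes, does not pad, and returns the number of
 * bytes copied excluding the terminator, or -1 if src did not fit. */
long bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t i;

    if (dst_size == 0)
        return -1;                      /* nowhere to put even the NUL */

    for (i = 0; i < dst_size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';                      /* unconditional terminator */

    return src[i] == '\0' ? (long)i : -1;
}

int main(void)
{
    char buf[8];                        /* constructed sample: 8-byte buffer */
    const char *inputs[] = { "short", "exactly8", "definitely too long" };
    size_t k;

    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int ok = strncpy_terminated(buf, sizeof buf, inputs[k]);
        long n = bounded_copy(buf, sizeof buf, inputs[k]);
        printf("%-20s strncpy terminated=%d  bounded_copy=%ld (\"%s\")\n",
               inputs[k], ok, n, buf);
    }
    return 0;
}
```

Run it and the middle input is the instructive one: "exactly8" fills the buffer with no room for a terminator, strncpy leaves it unterminated, and bounded_copy truncates to "exactly" and returns -1 so the caller knows.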
How AI Is Reshaping Identity Security at the Infrastructure Layer - Amit Masand, Neha Duggal, Ev Kontsevoy - ASW #388 (Jun 23, 2026, 01:10:01)
Appsec has seen machine identities evolve from daemons and processes to services, microservices, and cloud accounts. And now we have agents. Ev Kontsevoy talks about what it means to have engineers and agents interacting in an environment, and why a focus on actions can be more effective than roles. One of the biggest challenges in securing agents along with all of the other identities that organizations
Why Does It Matter Who or What Created the Code? - Matias Madou - ASW #387 (Jun 16, 2026, 01:06:40)
Agents and LLMs are creating and reviewing code. They're a new tool to help developers write software and they're a new abstraction layer for expressing what code should do. But if we're focused on determining whether code is secure, where do we focus our attention on ensuring a secure outcome? Matias Madou talks about the challenges of finding metrics to help answer these questions. We walk throu
Scanner Results Are a Starting Point. Here's What Comes Next. - Federico Kirschbaum - ASW #386 (Jun 9, 2026, 01:16:23)
Most appsec teams are working through more findings than they can validate. SAST surfaces thousands of potential issues. DAST generates alert volume that outpaces triage capacity. Somewhere in that output are the vulnerabilities that matter, the ones that are actually exploitable in production. This conversation explores why automated testing often stops short of the hardest part of the job
BadHost, Dead CTFs, Exploding NPMs, and the Verizon DBIR - ASW #385 (Jun 2, 2026, 45:22)
We dedicate an episode to catching up on appsec news with Kalyani Pawar. We see parsing problems that led to the BadHost vuln, which exposed lots of LLMs, MCPs, and agents to potential compromise. We wonder where to look for security education and practice as the camaraderie of the CTF community becomes infiltrated by LLMs. We talk about the tradeoffs in trust between using public packages vs. hav
AppSec Conversations on Agents, LLMs, and OWASP from RSAC - Merritt Maxim, Scott Clinton, Janet Worthington - ASW #384 (May 26, 2026, 59:40)
We showcase recordings from this year's RSAC. At RSAC Conference 2026, Scott Clinton, Co-Chair and co-founder of the OWASP GenAI Security Project, shares insights from the project's latest research, including new landscape guides and evolving approaches to securing generative and agentic AI systems. The conversation explores critical gaps in GenAI data security, the rise of AI-assisted development
The State of AI & AppSec - Keith Hoodlet - ASW #383 (May 19, 2026, 01:02:56)
This year has been a dichotomy of established secure design fundamentals and the burgeoning chaos of LLM-driven vuln discovery. Keith Hoodlet returns to share his latest observations on what the recent news about Mythos, models, and harnesses means for appsec. He walks through the problems of misalignment, the potential development doom that looms behind a volume of vulns, and what modern code creatio
Why Basic Security Practices Still Work - Rob Allen - ASW #382 (May 12, 2026, 01:11:53)
If you have to ditch your entire appsec strategy because you expect 2026 to bring more vulns more quickly, then you probably didn't have a good strategy in the first place. Rob Allen shares how the mentality of "assume breach" doesn't have to be a defeatist attitude and can instead be a way to change a catastrophic breach into a more contained one. We also talk about proactive security and what an
Keeping Up With the OWASP GenAI Project - Scott Clinton - ASW #381 (May 5, 2026, 01:09:11)
Speed is the most common theme among developers and appsec teams working with LLMs and agents: keeping up with patterns for deploying agents, dealing with more code arriving faster, and understanding how the latest models affect code quality and security. The OWASP GenAI Project is helping organizations keep up with the speed of those changes and engaging the appsec community for sharing effective ways to ke
Top 10 Web Hacking Techniques of 2025 and a Hint for 2026 - James Kettle - ASW #380 (Apr 28, 2026, 44:55)
PortSwigger's list of web hacking techniques is a long-running celebration of curiosity and research from the web hacking community. James Kettle shares his thoughts on the entries from 2025 and how he expects LLMs and agents to influence what the list will look like for next year. He also shares some insights on using LLMs for his own black-box research, giving us a peek into the work he'll be sha
The Human Aspect of Red Teams - Brian Fox, Tom Tovar, T. Gwyddon 'Data' Owen - ASW #379 (Apr 21, 2026, 01:13:24)
Red team exercises set goals to see if a particular outcome can be accomplished through a simulated attack, but the ultimate outcome should be educating the org about how to improve tools and processes that make attacks more difficult to succeed. Gwyddon "Data" Owen shares his experience building a red team, creating an exercise, and leveraging the results to improve security. And while the adopti
Securing Software's Journey with the OWASP SPVS - Ido Geffen, Rohan Ravindranath, Cameron W., Farshad Abasi - ASW #378 (Apr 14, 2026, 01:09:50)
It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI
