Join us for an episode of Absolute AppSec with Kinnaird McQuade, founder and CTO of NightVision. Kinnaird developed NightVision as a security testing tool that combines codebase analysis with DAST features. Before NightVision, Kinnaird worked as lead security engineer at both Square and Salesforce. Additionally he worked at Synopsys as Cloud Security Consulting Practice Lead. Be sure to tune into the episode as Ken Johnson and Seth Law interview Kinnaird McQuade to gain insights from his...

Seth (@sethlaw) and Ken (@cktricky) return for an in-depth discussion on penetration testing expectations, driven by recent posts and slack activity from Andrew Wilson. Essentially, certain clients expect that a single penetration test finds everything possible, whether or not those expectations are appropriate. The duo expounds on their experience with similar expectations and how its affected their respective careers and organizations. A followup on threat modeling and a new approach being...

Scott Norberg joins Ken Johnson and Seth Law for an episode of Absolute AppSec all about SAST. Scott is an ASP.NET Security Consultant, Author, Researcher and Speaker. In addition to running his Opperis Technologies consultancy, Scott has recently begun working as lead application security architect at CDW. Before that he worked as Lead Application Security engineer at Gallagher and was a Senior Consultant with the AppSec team at Coalfire. He has been a web security specialist for nearly two...

Jeremy Long (@ctxt on social media), Principal Security Engineer at Service Now and project founder and lead for the OWASP Dependency Check project joins Ken Johnson (@cktricky) and Seth Law (@sethlaw). Jeremy spent a decade and a half as a lead application security engineer and principal engineer at Wells Fargo before joining ServiceNow. He has spent years developing processes for automated security analysis of software libraries and techniques for improving real-time application protection...

Ken and Seth return for Episode #263 and start with a discussion around web application fuzzing and the deficiencies of vulnerability and exploit-focused dynamic testing, a common thread in Seth's ranting. This is followed by a discussion on mobile testing and attempting to control security through client-side controls, spurred by an article that compares security in the McDonald's Android app to various banking apps. The final topic is around secrets management and use of the dotenv (.env)...

Ariel Shin joins Ken Johnson (@cktricky on social media) and Seth Law (@sethlaw) for a special episode of Absolute AppSec. Ariel is currently a Security Engineering Manager at Datadog after a three-year stint at Twilio where she worked as an engineering manager in product security, a product security team lead, and a senior product security engineer. This year at Bsides SF 2024, she presented on her time at Twilio in a retrospective talk entitled “Six Years in Review: Transforming Company...

Ken (@cktricky) and Seth (@sethlaw) are back to review this weeks news and commiserate about industry happenings. First up are their thoughts on the current economic climate and how it has affected the security industry over the last 5 years. This is followed with evolving nature of password reset requirements as frequent changes are not recommended by NIST. The duo digs into possible motives for Checkmarx's recent announcement that they are funding ZAP. Finally, some thoughts on domain...

Absolute AppSec welcomes Darren Meyer (@DarrenPMeyer on infosec.exchange and X platform) from Endor Labs as a guest on the show to discuss Endor Lab’s newly released 2024 Dependency Management Report. Implementation of reachability analysis as a sine qua non of effective dependency management is one of the top-line takeaways from the newly released report. The discussion dives deeper with Darren during the livestream to talk about useful lessons from the report's findings.

Seth and Ken take the podcast global this week while traveling to Melbourne, Australia. The duo is joined this episode are joined by Paul McCarty and Daniel Ting, both involved in the local application security community. The discussion starts with a comparison of industries in Australia and the United States, both differences and similarities. This is followed by thoughts on security software supply chain, from a red and blue team perspective. Finally, some thoughts on community changes due...

Seth (@sethlaw) and Ken (@cktricky) are back this week with some hot takes on the recent cancellation of OWASP's San Francisco Developer Days that were running alongside Global AppSec San Francisco. OWASP has struggled to engage the development community over the years and this is no surprise for anyone in AppSec/ProdSec. This is followed by review of the ALBeast (why do all vulnerabilities have to be branded?) and how our past selves were correct in identifying dangerous TLDs as being...

Ken (@cktricky) returns alongside Seth (@sethlaw) for the week. This starts with an in-depth discussion on the pros and cons of in-person and virtual trainings. In short, the duo prefers in-person due for the advantages, but understand that financial pressures come into play, so virtual is a good substitute. This is followed by thoughts on the recent lawsuit by thy government against Georgia Tech for failing to meet government cybersecurity compliance requirements, even after attesting to...

Ken Johnson (@cktricky) abandons the podcast this week to attend a conference and play business, so Seth (@sethlaw) bring in Cloud Security Partners CTO John Poulin (@forced_request) as a co-host. John and Seth start off by discussing the difference in virtual and in-person training. This is followed by two articles. The first is from CrankySec, where the idea that security isn't valued over other technical business aspects. The second article is from Keith Hoodlet (also a podcast guest)...

Seth and Ken are back from Vegas for Episode 0xFF (!!!!) of Absolute AppSec, sponsored by Redpoint Security (redpointsecurity.com). After spending the last week+ withering away in the desert heat while listening to industry insiders, technicians, and hackers talk about their research, the duo have returned dehydrated to share their own experiences from DEF CON 32, Blackhat, BSidesLV, and Diana Initiative. After some discussion, they dive into interesting talks, new tools, hotel searches, and...

Seth and Ken return this week at a slightly unusual time help get you prepped for all things Hacker Summer Camp. As regular visitors to Las Vegas each year for Blackhat, BSidesLV, DEF CON, and other events, the duo has recommendations for making the most of your time in the desert. Specifically, download HackerTracker (https://hackertracker.app), plan out your time, take care of yourself, and have fun.

We'd only been a dozen episodes old the last time Justin Collins (@presidentbeef) was on Absolute AppSec, so his upcoming return is certainly overdue. Justin is currently head of security at Gusto, an organization he's been helping secure for nearly five years now. Before Gusto, Justin had stints at SurveyMonkey, Twitter, AT&T interactive, among others. He also is the lead developer of the open-source Ruby-on-Rails security tool Brakeman - https://brakemanscanner.org. This show will...

Product Security and Cloud security guru Rami McCarthy (@ramimacisabird on X) comes on the Absolute AppSec podcast with Ken and Seth (@cktricky and @sethlaw)! To get to know Rami, you should first check out his website here to get acquainted with some of his latest prodigious activities: https://ramimac.me/. He’s recently delivered a talk regarding zero-touch prod at Fwd:CloudSec and finished a stint as a Security Engineer at Figma. For folks interested in questions of security consulting,...

Seth and Ken are back with Episode 251, continuing on with their ranting over all things application security. This starts with a discussion of Mozilla's HTTP Observatory that scans sites for security-relevant headers and leads to a discussion of so-called "passive" scanning of internet sets for risk analysis purposes. This is followed by a walkthrough of the recent exploit of Chrome extensions for remote code execution on client browsers. Compromise of the Apple-focused CocoaPods package...

Seth and Ken are back on the podcast this week without a guest for the first time in a month and start out with an in-depth discussion on startup life based on a recent article from TLDR;Sec. This is followed by thoughts on the recent influx of cash for Portswigger and how it will affect work and the testing space over the next few years. Finally, opinions on the recent polyfill[.io] malware attack and supply chain issues. Join the newsletter at news.absoluteappsec.com for further analysis or...

Tanya Janca (@shehackspurple on X) joins Ken Johnson (@cktricky) and Seth Law (@sethlaw) for a special episode of the Absolute AppSec podcast. Tanya is currently head of education and community at Semgrep, and is a prominent info security commenter and active contributor to improving the industry for everybody through helping spread values of diversity, inclusion and kindness. Tanya has had experience with a range of roles, startup founder, pentester, CISO, AppSec Engineer, and software...

Rahil Parikh, manager of Security Engineering and Architecture @ Policygenius, joins Seth Law and Ken Johnson for an episode of Absolute AppSec. Rahil is long-time leader in information security who's managed security teams and application security programs at a range of organizations: Policy Genius, Zinnia, the New York Times, Frame.io (now Adobe), Jet.com (Walmart), and Gotham Digital Science (Aon). He's also organized a major technical symposium (AAHVAN 08) and has generally been...

Absolute AppSec welcomes Alejandro Saenz to join Seth Law and Ken Johnson as a guest. Alejandro has been active in application and product security fields for over a decade, most recently working in product security for Twilio. Before that he worked as a senior application security engineer and software engineer at Softrams and as an application security consultant at nVisium. Alejandro has regularly contributed to security projects for both better understanding product security metrics and...

Charles Shirer joins Absolute AppSec for a special episode of the show. Charles has decades of experience as a pentester, threat hunter, red teamer, and security consultant. He's CEO of GlobalWave consulting, a security consulting firm that's been serving clients for over a decade. Charles is also a frequent conference speaker, online commentator, and tireless advocate for helping hackers find ways take care of their overall well-being.

Dustin Lehr, current director of AppSec at data integration company Fivetran, joins Seth and Ken for a special episode of Absolute AppSec. Dustin has spent years helping improve companies' security cultures industry-wide, through his work co-founding Katilyst Security which focuses on helping companies create security champion programs. Additionally, in that vein, Dustin has created The Security Champion Program Success Guide and heads up the "Let's Talk Software Security" meetup. Before...

Kyle Kelly joins Seth Law and Ken Johnson as a special guest on the Absolute AppSec podcast. Kyle is an Executive Cybersecurity Consultant at Bancsec, Inc, and Security Researcher at Semgrep, and founder of the wonderful Cramhacks newsletter. As a consultant and researcher, Kyle specializes in supply chain security, a speciality that informs the thoughts he publicizes, but even more so cramhacks reflects his desire to help his readers become contributors to improving the cybersecurity...