Episodes

  • Episode 283 - Intentionally-Vulnerable MCP Server, Hallucinating Software Packages

    Episode 283 - Intentionally-Vulnerable MCP Server, Hallucinating Software Packages
    Apr 22 2025
    Ok, so vulnerable MCP tools are a thing now? Ken demonstrates installing and running an intentionally vulnerable MCP server with a bunch of example issues. Following is a discussion of the recent article and research around hallucinations of 3rd party dependencies/libraries in AI-Generated Python and JavaScript. New attack targets all dependent on how creative the LLM is allowed to be. A short aside on why we talk about AI and LLMs so much.
    Show more Show less
    Less than 1 minute
  • Episode 282 - Model Context Protocol, A2A, NHI Authentication

    Episode 282 - Model Context Protocol, A2A, NHI Authentication
    Apr 15 2025
    It is time to talk about Model Context Protocol (MCP), Google's Agent 2 Agent specification, and get back to the crocs and socks of authentication for Non-Human Identities (NHIs). MCP servers have exploded over the last few weeks and provide a standard mechanism for LLMs to interact with pretty much _anything_. Seth and Ken talk about the risks, exposures, and where things could go from here.
    Show more Show less
    Less than 1 minute
  • Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse

    Episode 281 - Signing Models, Vibe Coding, GitHub Action Abuse
    Apr 8 2025
    The duo are back for a discussion on securing machine learning models using Sigstore, based on a recent blog post from Google Security. Followed by some spicy takes on opinions on vibe coding and its effects on application and product security. Finally, short-lived tokens used to exploit RCE against the GitHub CodeQL Action.
    Show more Show less
    Less than 1 minute
  • Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs

    Episode 280 - Middleware Vulnerabilities, Identifying Enumeration with LLMs
    Mar 25 2025
    Seth and Ken are back with an episode dedicated to a review of the recent Next.js middleware vulnerability and how that impacts application security both specifically and in general. Over-dependence on third party software accompanied by agile development can lead to devastating results when security flaws are identified. A followup and demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peak of an upcoming talk by Seth for BSidesSLC.
    Show more Show less
    Less than 1 minute
  • Episode 279 - Conferences, Destructive Fatigue, Imposter Syndrome

    Episode 279 - Conferences, Destructive Fatigue, Imposter Syndrome
    Mar 18 2025
    After a week's hiatus, Ken and Seth return and start with a discussion on OWASP conferences and the effectiveness of attendance for vendors. This is followed by an expansive mental health discussion inspired by a recent blog post on Destructive Fatigue from Justin Larson at Redpoint Security. A constant focus on breaking and tearing down applications or anything can have mental health effects. Additionally, focus on the negative aspects increases imposter syndrome that is already prevalent across the industry. This leads to the question, what do you do to maintain sanity and mental health? Jump into Slack or tag @absoluteappsec on social media with your strategies.
    Show more Show less
    Less than 1 minute
  • Episode 278 - Security Conferences, Testing Data in Git, Unforgivable Vulnerabilities

    Episode 278 - Security Conferences, Testing Data in Git, Unforgivable Vulnerabilities
    Mar 4 2025
    Seth and Ken return without a guest to discuss recent news, breaches, and research. Initial discussions around the purposes of the various security conferences and what is recommended for various professional levels. An article discussing recent customer data exposure by Zapier in git test data. Synthetic test data has been an issue for long time so not a surprising turn of events. Finally, thoughts on the definitions and classification of Unforgivable Vulnerabilities as proposed by the UK's National Cyber Security Centre.
    Show more Show less
    Less than 1 minute
  • Episode 277 - w/ Kyle Rippee - AppSec Support, Security Red Flags, Getting Into AppSec

    Episode 277 - w/ Kyle Rippee - AppSec Support, Security Red Flags, Getting Into AppSec
    Feb 25 2025
    Kyle Rippee, currently staff product security engineer at Tines, joins Seth and Ken for another episode of Absolute AppSec. Kyle has over a decade of experience both managing and working for Application Security teams, as well as working as a pentester, security consultant, and software engineer. Before Tines, he worked for PlanetArt (where he held the role of Director of Information Security), FloQast, Shutterfly, Atos, among other Product Development and Security Consulting firms. Join us as we discuss Kyle's path into application security as well as finding out more about the interesting things going on at Tines.
    Show more Show less
    Less than 1 minute
  • Episode 276 - w/ Myles Borins - NPM

    Episode 276 - w/ Myles Borins - NPM
    Feb 18 2025
    Myles is currently Product Lead for Developer Platform at Snowflake. Previously, he directed project management at GitHub, overseeing projects like GitHub Copilot Workspace for PRs, Codespaces, npm, and Packages. A key contributor to Ecma International and TC39, he has served for stretches as a Delegate, Co-Chair, and VP for the project. His contributions to TC39 coincided with his periods he worked for both Google and Microsoft, respectively. In addition to extensive experience driving security and standards improvement in open source initiatives and key development languages, Myles is an active and accomplished musician. Catch up with Myles and his work here: https://mylesborins.com/about.html. We are excited to have Myles as a guest on the show, so be sure to catch up with this episode and make a note that this episode is occurring one hour earlier than the typical livestream broadcast time.
    Show more Show less
    Less than 1 minute
adbl_web_global_use_to_activate_webcro768_stickypopup