Episodes

  • Episode 262 - w/ Ariel Shin - Building a Security Program
    Sep 30 2024
    Ariel Shin joins Ken Johnson (@cktricky on social media) and Seth Law (@sethlaw) for a special episode of Absolute AppSec. Ariel is currently a Security Engineering Manager at Datadog after a three-year stint at Twilio, where she worked as an engineering manager in product security, a product security team lead, and a senior product security engineer. This year at BSides SF 2024, she presented a retrospective talk on her time at Twilio entitled “Six Years in Review: Transforming Company Culture to Embrace Risk.” The video from BSides SF can be found here: https://www.youtube.com/watch?v=cQE1OqCpeI8. Before Twilio, Ariel worked at One Medical as an appsec engineer and spent time as a Technology and Privacy consultant with Protiviti. She also helps build the professional appsec and prodsec communities as a frequent commenter and presenter at security conferences.
  • Episode 261 - Security Economy, Password Resets, Vendor Consolidation
    Sep 25 2024
    Ken (@cktricky) and Seth (@sethlaw) are back to review this week's news and commiserate about industry happenings. First up are their thoughts on the current economic climate and how it has affected the security industry over the last 5 years. This is followed by the evolving nature of password reset requirements, as frequent forced changes are not recommended by NIST. The duo digs into possible motives for Checkmarx's recent announcement that they are funding ZAP. Finally, some thoughts on domain takeovers.
  • Episode 260 w/ Darren Meyer of Endor Labs - Dependency Management
    Sep 20 2024
    Absolute AppSec welcomes Darren Meyer (@DarrenPMeyer on infosec.exchange and X) from Endor Labs as a guest on the show to discuss Endor Labs' newly released 2024 Dependency Management Report. Implementation of reachability analysis as a sine qua non of effective dependency management is one of the top-line takeaways from the report. The discussion dives deeper with Darren during the livestream into useful lessons from the report's findings.
  • Episode 259 - Special Melbourne Australia Edition w/Paul McCarty and Daniel Ting
    Sep 12 2024
    Seth and Ken take the podcast global this week while traveling to Melbourne, Australia. The duo is joined this episode by Paul McCarty and Daniel Ting, both involved in the local application security community. The discussion starts with a comparison of the industries in Australia and the United States, both differences and similarities. This is followed by thoughts on software supply chain security from a red and blue team perspective. Finally, some thoughts on community changes due to the pandemic and on supporting local meetups.
  • Episode 258 - Engaging Developers, ALBeast, Dangerous TLDs
    Sep 3 2024
    Seth (@sethlaw) and Ken (@cktricky) are back this week with some hot takes on the recent cancellation of OWASP's San Francisco Developer Days, which were running alongside Global AppSec San Francisco. OWASP has struggled to engage the development community over the years, and this is no surprise for anyone in AppSec/ProdSec. This is followed by a review of ALBeast (why do all vulnerabilities have to be branded?) and how our past selves were correct in identifying dangerous TLDs as exploitable.
  • Episode 257 - In-Person vs. Virtual Training, Compliance Violations
    Aug 27 2024
    Ken (@cktricky) returns alongside Seth (@sethlaw) for the week. This starts with an in-depth discussion on the pros and cons of in-person and virtual trainings. In short, the duo prefers in-person for its advantages, but understands that financial pressures come into play, so virtual is a good substitute. This is followed by thoughts on the recent lawsuit by the government against Georgia Tech for failing to meet government cybersecurity compliance requirements, even after attesting to their existence. Third-party risk assessments may not be the most fun part of security, but what happens when an organization doesn't meet its obligations? Seems like both sides are in the "find out" phase of FAFO.
  • Episode 256 w/ John Poulin - Token Security, Staying Technical as a Manager
    Aug 21 2024
    Ken Johnson (@cktricky) abandons the podcast this week to attend a conference and play business, so Seth (@sethlaw) brings in Cloud Security Partners CTO John Poulin (@forced_request) as a co-host. John and Seth start off by discussing the differences between virtual and in-person training. This is followed by two articles. The first is from CrankySec, which discusses the idea that security isn't valued over other technical business aspects. The second article is from Keith Hoodlet (also a podcast guest) detailing why staying technical as a manager is something any of us should strive towards (and how to do it).
  • Episode 255 (0xFF) - HackerSummerCamp Recap
    Aug 13 2024
    Seth and Ken are back from Vegas for Episode 0xFF (!!!!) of Absolute AppSec, sponsored by Redpoint Security (redpointsecurity.com). After spending the last week-plus withering away in the desert heat while listening to industry insiders, technicians, and hackers talk about their research, the duo have returned dehydrated to share their own experiences from DEF CON 32, Black Hat, BSidesLV, and Diana Initiative. After some discussion, they dive into interesting talks, new tools, hotel searches, and badge controversies.