
Posts by Application Security Weekly

AppSec News Roundup on Claude Code Leak, Axios NPM Compromise, Secure Design – Idan Plotnik, Raj Mallempati – ASW #377
Security problems aren’t changing very much even though security teams are. We catch up on the implications of the Claude Code source leak, the very human lessons from the axios NPM compromise, and what secure design looks like when it involves agents, humans, or both. AppSec has always celebrated i...

This week: Security problems aren’t changing very much even though security teams are. Catching up on implications of the Claude Code source leak, the very human lessons from the axios NPM compromise, and secure design that involves agents, humans, or both.

www.scworld.com/podcast-epis...

6 hours ago
ASW Recap for March 2026
Recap of Application Security Weekly episodes from March 2026

March meandered through C code, mused about secure design, marked a new top ten list, made space for machines, and finally descended into a bit of madness.

And every single bit of it was fun!

dangerouserrors.com/posts/2026-0...

6 hours ago
ASW Recap for March 2025
Recap of the Application Security Weekly podcast episodes from March 2025

Here’s the March recap while I finish writing up what we did in April. #appsec

dangerouserrors.com/appsec/2025/...

11 months ago
Synthwave Shoutouts
Synthwave, retrowave, and other shoutouts from the ASW podcast

At the end of every episode I mention a favorite #synthwave track. Because music makes everything better, even #appsec.

And since it’s @bandcamp.com Friday, you can make a musician’s day better by supporting their work and grabbing a track (or two or three).

dangerouserrors.com/synthwave-sh...

11 months ago
Synthwave Shoutouts
Synthwave, retrowave, and other shoutouts from the ASW podcast

It’s @bandcamp.com Friday, which is an excellent Friday for supporting musicians.

Buy a track. Buy an album. Enjoy some new music.

And if you like #synthwave (and adjacent) tunes, check out this list for a few ideas.

dangerouserrors.com/synthwave-sh...

11 months ago
Application Security Weekly
Random encounters for infosec, music, horror, movies, ttrpgs, and more

Find more episodes, recaps, and some random #appsec reading on the blog.

dangerouserrors.com

11 months ago
Title card for AppSec presentation on “Secure Designs, UX Dragons, Vuln Dungeons”

Getting ready to sneak in as many D&D references as possible into an #appsec discussion

11 months ago
More WAFs in Blocking Mode and More Security Headaches from LLMs – Sandy Carielli, Janet Worthington – ASW #326
The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. W...

@jwo3.bsky.social and I were guests on @aswpodcast.bsky.social this week, talking about WAF, protecting LLMs, breach trends, and software supply chain. Thanks, @mutantzombie.bsky.social for having us!
www.scworld.com/podcast-segm...

11 months ago

We were somewhere around Barstow, on the edge of AppSec, when the vibe coding began to take hold.

1 year ago
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
YouTube video by Security Weekly - A CRA Resource

One of my goals this year is to figure out a cost-benefit analysis of fuzzing vs. LLMs vs. grep.

Later on in this episode Keith Hoodlet shared where he's seeing (and not seeing) #appsec potential from LLMs.

Articles and episode at www.scworld.com/podcast-epis...

youtu.be/zn3LT4BqOJo?...

1 year ago
The mimic from AD&D 1st edition.

It reminded me of Ken Thompson's talk in 1984 about trusting compilers (dl.acm.org/doi/10.1145/...).

Which also reminded me of classic D&D monsters like the mimic.

Four decades later we still have both -- random objects that we're sure are monsters and code that we're not sure we can trust.

1 year ago
Ken Thompson’s Secret Hack — Trust No Compiler!
YouTube video by Security Weekly - A CRA Resource

Historical context for the "BadSeek" post by Shrivu Shankar (blog.sshh.io/p/how-to-bac...).

He tweaked model weights to subtly introduce a backdoor into generated code, regardless of prompt, and noted the difficulty in detecting such manipulation.

youtube.com/shorts/nB_KK...

1 year ago

Keith Hoodlet and Kalyani Pawar shared their ideas on better designs and better defaults. We also pondered just how much more secure the world might be if there was no more XML...

1 year ago

We covered #appsec articles about:
- Next.js middleware and where to place security controls
- ruby-saml authentication bypass and how many different parsers a library should have
- an NTLM hash leak and when a UX feature becomes a security liability

1 year ago
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
YouTube video by Security Weekly - A CRA Resource

Memory safe code was having an unsafe design week this week.

News articles and notes at www.scworld.com/podcast-epis...

www.youtube.com/watch?featur...

1 year ago

I always enjoy talking with Keith. Regardless of how much of a future we'll have with appsec toasters, he'll always be a human I turn to for insights in this area.

1 year ago

We also discussed the importance of reading beyond the headlines of research papers in order to avoid hype and better understand what's improving -- and what's not -- in terms of code generation and security capabilities.

1 year ago

LLMs have some promise as assistants, like crafting a fuzzing corpus. There are areas where LLMs could quite directly prove their value in bug bounty hunting. But there are also areas where we've been underwhelmed (so far!) by the generic LLM responses to threat modeling and security reviews.

1 year ago
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323
YouTube video by Security Weekly - A CRA Resource

Sure, LLMs are helping devs write code, but is it secure code? How are LLMs helping #appsec teams?

Keith Hoodlet returned to talk about those questions and put the capabilities of LLMs into perspective.

Show notes at www.scworld.com/podcast-epis...

youtu.be/zn3LT4BqOJo?...

1 year ago

More importantly, he talked about the logic problems behind oracle manipulation and flash loan attacks.

Crypto is rife with rug pulls, scams, and questionable tokens. It's also a great learning space for classes of attacks that aren't memory safety flaws or the dusty XSS and SQLi of the web.

1 year ago

I appreciate this particular Top 10 list because it's not repetitive of all the others and it has entries that are very domain-specific to crypto. Shashank provided lots of technical background and real examples across familiar #appsec flaws like integer overflows and reentrancy problems.

1 year ago

Shashank went into the details of the 2025 edition of the Smart Contract Top 10, how it has changed over the past two years, and how security improvements in Solidity might change it again (for the better!) in another two years.

1 year ago
Redlining the Smart Contract Top 10 - Shashank - ASW #322
YouTube video by Security Weekly - A CRA Resource

There's no better place to discover the impact of logic flaws than in the cryptocurrency space, where every token is its own self-funding bug bounty and every contract is a gamble in correctness.

Show notes: www.scworld.com/podcast-epis...

youtu.be/0GlIbGgi1OY?...

1 year ago
Application Security Weekly
Random encounters for infosec, music, horror, movies, ttrpgs, and more

Find episodes, recaps, and some random #appsec thoughts on the blog.

deadliestwebattacks.com

1 year ago

Jackie McGuire added insightful context to that discussion. But we also talked about technical research, nuances between ML models and LLMs, and (once again) why I think prompt injections and jailbreaks are the modern XSS.

Articles and show notes at www.scworld.com/podcast-epis...

1 year ago
Skype Hangs Up, Android Backdoors, Jailbreak Research, Pretend AirTags, Wallbleed - ASW #321
YouTube video by Security Weekly - A CRA Resource

From Skype's embrace of e2ee to the recent Wallbleed research against the GFW, there are tons of reasons why #appsec is not a myopic technical topic.

It reminds me of an old joke about oversimplifying models. We shouldn't treat appsec as a spherical CVE in a vacuum.

youtu.be/Cbzthj0s44I?...

1 year ago

We talked with Jack about the important qualifiers that "easy" fixes have to be "easy to implement and deploy". Not everyone has Google's budget for #appsec.

1 year ago

It's not like vuln classes and countermeasures are unknown. Phrack 54 covered SQL injection vulns in 1998. All the major databases supported prepared statements by 2004. Yet in 2025 we already have a few hundred CVEs for SQL injection (and XSS and a few other familiar classes).

1 year ago
CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321
YouTube video by Security Weekly - A CRA Resource

CISA has been pushing for more software to be secure by design and secure by default. Jack Cable shares how CISA chose to frame their Secure by Design principles and encourage businesses to improve their software quality.

Show notes at www.scworld.com/podcast-epis...

youtu.be/fjc2zqEFcAI?...

1 year ago

I’ll be hosting the Qualys Cyber Risk Series: AppSec Edition tomorrow at 9am PT! Join me and experts in the #AppSec and #APISecurity space as we discuss the latest trends, threats, and techniques to stay ahead.

Register now: qualys.brighttalk.com?utm_source=i...

#Qualys #CyberRiskSeries

1 year ago