Application Security Weekly (Audio)

The future of secure software is going through a mix of skills expected of humans and skills files created for LLMs. We might even posit that appsec as a discipline will fade (and that might not even be a bad thing!). Keith Hoodlet describes the skills he was looking for in building teams of security researchers and why there's still an emphasis on the ability to learn about and understand how software is built.
But figuring out what skills will get you hired and what skills are valuable to invest in still feels daunting to new grads and others entering the security industry. We discuss where the role of appsec seems to be heading and a few of the security and software fundamentals that can help you follow that direction.
Segment resources
https://bsidessf2026.sched.com/event/2E1h4/we-pwn-the-night-growing-leading-an-31337-security-research-team?iframe=yes&w=100%&sidebar=yes&bg=no
https://drive.google.com/file/d/1_zLH8vuHU1XOjEyk85WecQwSByDwxAmQ/view?pli=1
https://securing.dev/posts/if-i-were-eighteen-again/
https://research.nvidia.com/labs/lpr/slm-agents/
Then, we rebroadcast two interviews from RSAC 2026.
The Identity Crisis of Agentic AI
Identity security is being stretched between legacy infrastructure that was never built to be secure and rapidly emerging AI agents and non-human identities that organizations are quickly adopting. As AI accelerates, identity risk grows alongside it, making agentic security fundamentally an identity challenge—because the more access AI has, the greater both its power and potential risk. In this session, Ron Rasin explores how past gaps in areas like Active Directory and machine identities created today's blind spots, and why identity must now act as the control plane for AI-driven enterprises, with real-time enforcement before access is granted. He also highlights new innovations and partnerships enabling embedded identity controls across human, non-human, and AI identities, emphasizing that at machine speed, reactive security is no longer enough.
To learn more about Silverfort and their AI Agent product, visit https://securityweekly.com/silverfortrsac.
Privileged by Design: AI Agents and the New Identity Risk to Production Systems
At RSAC this year, the AI conversation is getting more practical. Less "look what agents can do" and more "who's actually in control when an autonomous system can take real actions across business apps and infrastructure."
The Moltbook breach and the growing attention on OpenClaw-style agent vulnerabilities put real weight behind that question because they show how quickly agent ecosystems can scale past oversight.
Today we're talking with Shashwath, CEO of P0 Security, about why identity and authorization are the quiet enablers of modern AI, where teams are losing control as non-human identities explode and what security leaders can do to keep innovation moving without turning access sprawl into enterprise risk.
To learn more about P0 Security, visit: https://securityweekly.com/p0rsac.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-376

So much of appsec's efforts can be consumed by vuln management and a race to patch security flaws. But that's more a symptom of the ease of scanning and the volume of CVEs. Erik Nost walks through the principles behind proactive security, why the concept sounds familiar to secure by design, and why organizations still struggle with creating effective practices for visibility.
Resources
https://www.forrester.com/blogs/proactive-security-platforms-will-cumulate-visibility-prioritization-and-remediation/
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-375

What happens when secure coding guidance goes stale? What happens LLMs write code from scratch? Mark Curphy walks us through his experience updating documentation for writing secure code in Go and recreating one of his own startups.
One of the themes of this conversation is how important documentation is, whether it's intended for humans or for prompts to LLMs. Importantly, LLMs don't innovate on their own -- they rely on the data they're trained on. And that means there should be good authoritative sources for what secure code looks like. It also means that instructions to LLMs need to be clear and precise enough to produce something useful. Watch what happens when Mark prompts his agents to run a live demo for us!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-374

Medical devices are a special segment of the IoT world where availability and patient safety are paramount. Tamil Mathi explains why many devices need to fail open -- the opposite of what traditional appsec approaches might initially think -- and what makes threat modeling these devices interesting and unique. He also covers how to get started in this space, from where to learn hardware hacking basics to reviewing firmware and moving up the stack to the application layer.
Segment Resources:
https://www.defconbiohackingvillage.org
https://medium.com/@tamilmathimaddytamilthurai/securing-the-future-of-iot-with-trusted-execution-environments-tees-a-secure-scalable-and-1376f94e755c
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-373

As more developers turn to LLMs to generate code, more appsec teams are turning to LLMs to conduct security code reviews. One of the biggest themes in all the discussion around LLMs, agents, and code is speed -- more code created faster. James Wickett shares why speed continues to pose a challenge to appsec teams and why that's often because teams haven't invested enough in foundational appsec principles.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-372