Application Security Weekly (Audio)

Red team exercises set goals to see if a particular outcome can be accomplished through a simulated attack, but the ultimate outcome should be educating the org about how to improve tools and processes that make attacks more difficult to succeed. Gwyddon "Data" Owen shares his experience building a red team, creating an exercise, and leveraging the results to improve security. And while the adoption of LLMs will accelerate a red team's activities, there are still plenty of foundational security controls that orgs can establish that would require a red team to be more than just fast, but fast and very careful.
Coding Agents Are Getting More Cautious, But Not Safer
A new study finds that while frontier AI coding models are hallucinating less than they did a year ago, they still preserve a significant amount of avoidable software risk when left ungrounded. Sonatype's research shows that connecting these models to real-time software intelligence dramatically improves remediation quality and reduces critical and high-severity vulnerability exposure by 60–70%. The takeaway is clear: safer AI-assisted development will depend not just on better models, but on grounding them in accurate, current dependency and vulnerability data.
This segment is sponsored by Sonatype. Read the study: https://securityweekly.com/sonatypersac
How We Achieve Agentic Outcomes in CyberSecurity: The "Do-It-For-Me" Mobile Defense
If you look at deepfakes, synthetic identity, social engineering, and new malware variants coming to market, it seems like attackers have a first-mover advantage in using AI. The volume and variety of threats are growing faster than the current cyber stack can address. Against this backdrop, organizations are moving away from "do-it-yourself" delivery models (more tools, more alerts, more headcount) to "do-it-for-me" agentic AI delivery models (using platforms that unify data, execute policy, and automate outcomes). The emphasis outside of cyber is on empowering the expert human-in-the-loop — so teams spend less time in the noise and more time delivering business outcomes. This segment explores how cybersecurity leaders can make the most of the AI Age, leveraging it for good while staying relevant amid the explosive AI adoption curve.
This segment is sponsored by Appdome. Visit https://securityweekly.com/appdomersac to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-379

It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI.
They show what goes into making a project relevant and -- most importantly -- successful at defending how supply chains are attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out!
Resources
https://owasp.org/www-project-spvs/
https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md
https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS
https://slsa.dev
Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security
Most enterprise organizations have been working at Zero Trust for years and fail to deliver truly secure environments. Rohan Ravindranath shares insights that Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works.
This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them!
Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential
Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what "AI penetration testing" means, why it's different from automated scanning, and why it's becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee's AI penetration tester: a proprietary LLM model, built independently of "frontier" LLMs (like Claude, ChatGPT, Cursor, etc.), and consistently outperforming them at browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship.
This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-378

Security problems aren't changing very much even though security teams are. We catch up on the implications of the Claude Code source leak, the very human lessons from the axios NPM compromise, and what secure design looks like when it involves agents, humans, or both.
AppSec has always celebrated interesting and impactful vulns. And LLMs are now a favored tool for finding flaws. We shouldn't forget the success and effectiveness of fuzzers like OSS-Fuzz, which has improved security for over 1,000 projects and found over 50,000 bugs. But we can't ignore the ease of prompting an agent to go find -- and exploit -- a vuln when the UX and overhead of doing so is hardly more than writing some markdown.
The SDLC Blind Spot: Why Breaches Start with Identity, Not Code
Developers have access to source code, CI/CD pipelines, and cloud infrastructure — and attackers know it. Target lost 860GB of source code through a single compromised credential. Recruitment fraud campaigns have pivoted from a compromised developer to cloud admin in under 10 minutes. As agents join human developers, contractors, and service accounts in the SDLC, the attack surface is expanding faster than static security tools can track. Security teams need real-time visibility beyond code and into who has access and what they're actually doing.
This segment is sponsored by Apiiro. To lean more, visit https://securityweekly.com/apiirorsac.
How AI-Driven Development is Reshaping the Application Risk Landscape
Agent coding assistants are accelerating software development, generating more code and more change than security teams were built to handle. In this interview, Idan Plotnik discusses how AI-driven development is reshaping the application risk landscape and why traditional vulnerability management models can't keep up.
Make sure to schedule a free SDLC Risk Assessment with BlueFlag Security - 30 minutes to deploy. 48 hours to results. Please visit https://securityweekly.com/blueflagrsac.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-377

The future of secure software is going through a mix of skills expected of humans and skills files created for LLMs. We might even posit that appsec as a discipline will fade (and that might not even be a bad thing!). Keith Hoodlet describes the skills he was looking for in building teams of security researchers and why there's still an emphasis on the ability to learn about and understand how software is built.
But figuring out what skills will get you hired and what skills are valuable to invest in still feels daunting to new grads and others entering the security industry. We discuss where the role of appsec seems to be heading and a few of the security and software fundamentals that can help you follow that direction.
Segment resources
https://bsidessf2026.sched.com/event/2E1h4/we-pwn-the-night-growing-leading-an-31337-security-research-team?iframe=yes&w=100%&sidebar=yes&bg=no
https://drive.google.com/file/d/1_zLH8vuHU1XOjEyk85WecQwSByDwxAmQ/view?pli=1
https://securing.dev/posts/if-i-were-eighteen-again/
https://research.nvidia.com/labs/lpr/slm-agents/
Then, we rebroadcast two interviews from RSAC 2026.
The Identity Crisis of Agentic AI
Identity security is being stretched between legacy infrastructure that was never built to be secure and rapidly emerging AI agents and non-human identities that organizations are quickly adopting. As AI accelerates, identity risk grows alongside it, making agentic security fundamentally an identity challenge—because the more access AI has, the greater both its power and potential risk. In this session, Ron Rasin explores how past gaps in areas like Active Directory and machine identities created today's blind spots, and why identity must now act as the control plane for AI-driven enterprises, with real-time enforcement before access is granted. He also highlights new innovations and partnerships enabling embedded identity controls across human, non-human, and AI identities, emphasizing that at machine speed, reactive security is no longer enough.
To learn more about Silverfort and their AI Agent product, visit https://securityweekly.com/silverfortrsac.
Privileged by Design: AI Agents and the New Identity Risk to Production Systems
At RSAC this year, the AI conversation is getting more practical. Less "look what agents can do" and more "who's actually in control when an autonomous system can take real actions across business apps and infrastructure."
The Moltbook breach and the growing attention on OpenClaw-style agent vulnerabilities put real weight behind that question because they show how quickly agent ecosystems can scale past oversight.
Today we're talking with Shashwath, CEO of P0 Security, about why identity and authorization are the quiet enablers of modern AI, where teams are losing control as non-human identities explode and what security leaders can do to keep innovation moving without turning access sprawl into enterprise risk.
To learn more about P0 Security, visit: https://securityweekly.com/p0rsac.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-376

So much of appsec's efforts can be consumed by vuln management and a race to patch security flaws. But that's more a symptom of the ease of scanning and the volume of CVEs. Erik Nost walks through the principles behind proactive security, why the concept sounds familiar to secure by design, and why organizations still struggle with creating effective practices for visibility.
Resources
https://www.forrester.com/blogs/proactive-security-platforms-will-cumulate-visibility-prioritization-and-remediation/
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-375