
This tax season, give your org an appsec tax refund.

Skip that list of phishing terms.

Remove that password strength calculator.

Hide that hardening guide.

And instead,

Make passkeys palatable,

Deliver smart defaults,

Defeat classes of vulns with a good design.

Like Standard AppSec News, But With AI (ep. 377)

We started off with a roundup of appsec news. Source code leak, but with AI. Supply chain compromise, but with AI. Better CMS design, but with AI.

The AI angle is inescapable, but that doesn't mean appsec fundamentals have changed. As always, John Kinsella highlights the interesting bits and adds advice for teams figuring out how to use LLMs in their workflows.

The axios supply chain compromise was this year's XZ Utils -- a reminder that security still needs to work on making it easier to deploy known solutions and that many of those solutions should be expected as the default state for modern software development.

I try to curate the articles we cover each week along a common theme for discussion.

The theme this week was my (unattainable?) wish to see appsec use vuln discovery as a motivation for building secure software that avoids classes of vulns. For example, if some code has a SQL query built with string concatenation, why not enforce a coding style and policy that requires only parameterized queries? It seems like we still wait for grep, a fuzzer, or an agent to find such patterns instead of avoiding them in the first place.
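One way to turn that wish into a merge-blocking check is sketched below as an added example, not code from the podcast or any project it covers. It assumes Python code that talks to the database through DB-API style `execute`/`executemany` methods; the function names and the sample input are hypothetical and constructed for illustration.

```python
import ast

# Hypothetical policy: the SQL text passed to execute()/executemany() must be
# a plain string literal; values travel separately in the parameters argument.
QUERY_METHODS = {"execute", "executemany"}


def _is_literal_sql(node):
    """True only for a constant string (adjacent literals are folded into one)."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _describe(node):
    """Name the construct that built the query, for the review message."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return "non-literal query"


def find_dynamic_sql(source):
    """Return (line, reason) for each execute() call whose query is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in QUERY_METHODS and node.args
                and not _is_literal_sql(node.args[0])):
            findings.append((node.lineno, _describe(node.args[0])))
    return sorted(findings)


# Constructed sample input: one compliant call and three that break the policy.
SAMPLE = '''
cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute(f"DELETE FROM sessions WHERE token = '{token}'")
cur.execute("UPDATE users SET role = '%s'" % role)
'''

if __name__ == "__main__":
    for line, reason in find_dynamic_sql(SAMPLE):
        print(f"line {line}: query built with {reason}")
```

Because the rule is "literal or nothing", it also rejects a query passed in through a variable, which pushes query text into reviewable constants instead of relying on pattern matching after the fact.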

Securing Software's Journey with the OWASP SPVS (ep. 378)

It’s one thing to write secure code; it’s another to release it into the wild. It's yet another thing entirely to run someone else’s code on your systems.

Farshad Abasi and Cameron Walters created the OWASP SPVS (Secure Pipeline Verification Standard) to organize the steps and processes needed to establish a secure ecosystem for building, releasing, and maintaining software. They explain how it complements other guidance like ASVS, which focuses on the lifecycle of a specific app, and SLSA, which offers similar levels of controls for creating and consuming software artifacts.

They also explain why they went with a full project instead of creating yet one more top 10 list (thank you), why this 1.5 version bump gained over 130 new controls because of AI (whaaat!?), and how to implement effective controls without being overwhelmed by the number of them.

They're also looking for more feedback and more contributors. Check out the project and see how you can help!

The Human Aspect of Red Teams (ep. 379)

Red team exercises set goals to see if a particular outcome can be accomplished through a simulated attack, but the ultimate outcome should be educating the org about how to improve the tools and processes that make it more difficult for attacks to succeed.

Gwyddon "Data" Owen shares his experience building a red team, creating an exercise, and leveraging the results to improve security. And while the adoption of LLMs will accelerate a red team's activities, there are still plenty of foundational security controls that orgs can establish that would require a red team to be not just fast, but fast and very, very careful.

Top 10 Web Hacking Techniques of 2025 and a Hint for 2026 (ep. 380)

PortSwigger's list of web hacking techniques is a long-running celebration of curiosity and research from the web hacking community. James Kettle shares his thoughts on the entries from 2025 and how he expects LLMs and agents to influence what the list will look like for next year. He also shares some insights on using LLMs for his own blackbox research, giving us a peek into the work he'll be sharing at Black Hat USA this summer.

Subscribe to catch these episodes and more! Then go check out the previous recap.