Episode #304
Lingering thoughts on the OWASP Top 10, and the impact of AI tools on AppSec consulting.
This week on the 304th episode of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) have even more thoughts on the OWASP Top 10 and last week’s discussion with Brian Glas. They also discuss the impact of AI tools like XBOW on application security consulting. The overall consensus is that while AI tools dramatically improve process flow, scoping, and the speed of vulnerability identification for consultants, they won’t replace the need for human experts. To watch this episode, head over to youtube.com/AbsoluteAppSec, or wherever you get your podcasts. Also, be sure to check training.absoluteappsec.com for more info on where Seth and Ken are teaching next, both in-person and online.
“If I’m basing my internal training on my internal OWASP Top 10 I built, then it’s going to be based on real things we’re seeing. And then you have really quality examples that will actually make developers interested in hearing what you’re saying, not just some generalized, ‘Hey, SQL injection occurs, and we should all care about that [exclusively] and blah, blah, blah…’”
The OWASP Top 10 is lingering on everyone’s minds, particularly the shift from identifying specific technical vulnerabilities to broader risk categories. While this change has improved its utility for awareness and comprehensive security training across areas like Authorization, Authentication, and the CIA (Confidentiality, Integrity, and Availability), it concerns experts like Seth that the list loses focus on the singular, high-impact vulnerabilities developers need to fix. The increase in CWE mapping is positive, but Ken points out a key limitation: the list is skewed by the voluminous data reported by automated tools (SAST, DAST, etc.), meaning it may inadvertently prioritize issues that those tools can easily find, potentially overlooking emerging or complex categories.
For application security to improve meaningfully, the hosts stress that every organization must develop its own internal Top Ten risk registry. This bespoke list should include program-level risks (like a weak security culture or a broken security-review pipeline) and the most frequently exploited or high-cost vulnerabilities observed within the organization’s real bug reports. Creating training based on these genuine, internal examples is far more effective than generic training, as it is immediately relevant and contextualized to the developers’ actual code, offering maximum value for efforts to secure software.
“If anything, [AI will] make it easier for manual testers to spend time on things that matter as opposed to […] low-hanging fruit. That’s what’s happening in this transition […]: what used to be novel and required a manual pen tester to find has now become rote.”
The emergence of AI-powered pentesting tools, such as XBOW, is dramatically reshaping the market. These tools are proving capable of delivering compliance-level web application penetration tests, generating high-quality, validated findings with lower false-positive rates than older, traditional scanners. However, this automation commoditizes the low-hanging fruit of security testing. Ken noted that this has led to skepticism among experts regarding the high valuations of companies like XBOW, given that older tools already checked the basic compliance box for a lower price.
The hosts agree that the core business of AppSec consulting must evolve. AI tools used in training, or open-source projects like Keygraph’s Shannon, help analysts optimize their time by quickly automating context collection, crawling, and identifying simple flaws. This efficiency creates a dual path for consultancies: either reducing the cost and time of standard assessments, or maintaining the current rate while using the time savings to dive deeper into complex, bespoke areas such as business logic, novel architectural implementations, and authorization flows—issues AI agents still struggle with. Ultimately, human experts will retain their value by translating the complexity of AI-generated findings, providing the necessary business context, and addressing the most advanced, non-routine security challenges.
This episode is sponsored by DryRun Security, who have developed a security sidekick that doesn’t send AppSec teams and developers down blind alleys. Their latest blog post, written by James Wickett and titled “Beyond Reachability: The Exploitability Advantage in AppSec,” covers how DryRun has implemented “verification and exploitability subagents [that] throw out 90 to 95 percent of potential findings” to raise the signal-to-noise ratio of its output. Visit their blog to read more.
I just saw some snow outside my window, and it made me reach for a beanie. But, alas, it wasn’t an Absolute AppSec branded one. Then I discovered I could wrap my ears in gauze and wear my Absolute AppSec dad hat to cover all my bases in a pinch. You, dear reader, have another option. The Absolute AppSec merch store right now has a beanie for winter that looks super cool!
If you have thoughts on this year’s Top 10 or predictions for how AI will change the security industry, join the discussion on our Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover, as well as pick the brains of a number of industry experts.
Stay Secure,
Seth & Ken
https://www.youtube.com/watch?v=DEYR7pZXJyk - Episode #230 – False Positives vs. Negatives, Scaling Vuln Management – Seth and Ken, with input from the Slack audience, hold an interesting debate on whether a false negative or a false positive is worse when it comes to scanners or other vulnerability reports.
https://www.youtube.com/watch?v=8abGdG3G6MQ - Episode #30 - Dave Ferguson - As Seth and Ken recommend sending developers and security teams to trainings inspired by the new Top Ten, consider delving into some of the lessons covered in this episode with secure-code training guru Dave Ferguson, now Director of Product at ReversingLabs.
https://www.youtube.com/watch?v=X79M7sqfEAg - Episode #242 - LLMs Exploiting Vulns, State of DevSecOps - XBOW and the open-source Shannon reminded us of some of the earliest attempts at using LLMs as hacker agents. Revisit this episode to hear Seth and Ken’s analysis of the capabilities, and what they anticipate LLMs will speed up for AppSec and attack-surface discovery processes.
Absolute AppSec Happenings
https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/ - Shared by Anthony in the Absolute AppSec Slack, this is a good rundown from Datadog on the Shai-Hulud 2.0 npm supply-chain worm.
https://redpointsecurity.com/thoughts-on-the-new-owasp-top-ten/ – “Thoughts on the New OWASP Top Ten” by Seth Law. At the Redpoint Security blog, Seth shares some of his thoughts on the new Top Ten, including references to network security writings of the 1970s.
https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/ - “Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)” by Jake Knott (@inkmoro) at watchTowr is a pretty fun dive into what lurks in the JSONFormatter and CodeBeautify data sets. Wear padding in case you’re tempted to bang your head against anything while you read through what was exposed.
Upcoming Events
Where in the world are Seth and Ken?
December 8-11, 2025 - Next-Gen Secure Code Review: Black Hat Edition - Seth and Ken are bringing a four-day exclusive course to Black Hat Europe in London, UK. This is a great opportunity to get a truly in-depth understanding of secure code review and how it can be empowered through LLM tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.
April 7-8, 2026 - Harnessing LLMs for Application Security - IN PERSON at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!
