This week on Absolute AppSec’s 321st episode, Ken (@cktricky) is back on the mic with Seth (@sethlaw) to discuss the future of Application Security amid the heavy noise of artificial intelligence and automated tools. The role of engineers has fundamentally changed—manual code reviews and routine vulnerability scans are increasingly viewed as outdated practices and replaced by agentic workflows. However, Seth and Ken know that 100% human-free automation is a myth. While automation excels at replacing line-by-line manual labor, it completely lacks the creativity, intuition, and contextual wisdom required to solve complex architectural problems. Consequently, the future of AppSec will revolve around engineering orchestration to manage and evaluate these autonomous systems to ensure they remain within safe parameters and don’t introduce critical flaws. To find this episode, go to https://www.youtube.com/@AbsoluteAppSec/streams, or find us wherever you get your podcasts. 

This rapid technological abstraction exposes a severe gap in traditional cybersecurity education, which Seth and Ken describe as overly theoretical and out of touch with real-world needs. Seth has noticed a systematic trend where foundational development is being oversimplified, leaving junior engineers unprepared to read technical documentation or deeply analyze complex codebases. To combat this, seek out hyper-practical training to hack specific career cheat codes. Junior practitioners should combine baseline security fundamentals with the practical skill of tuning LLMs and managing long-term context retention. Blindly trusting automated models to write application code without this human backstop leads to what they call an architecture apocalypse, as standard AI tools struggle to parse complex microservice interactions or anticipate structural edge cases. 

As Seth and Ken are always saying, fundamentals remain critical. We call it the Crocs and Socks principles of security; for example, the CIA triad of authentication, authorization, and auditing protocols. This does not change regardless of how advanced the tooling becomes. Recently, an AI incorrectly generated a React logout button component without understanding browser rendering specifications. The resulting code triggered an unintended precursor call that instantly logged users out every single time they accessed their dashboard, a critical functional failure that went unnoticed by the automated tool.

Seth and Ken also explore the real-world trade-offs of modern standards like passkeys and WebAuthn. While passkeys offer an elegant, phish-resistant upgrade over legacy passwords by utilizing public-private cryptographic key pairs similar to standard SSH keys, implementing them correctly requires a deep understanding of core cryptographic principles and performance trade-offs, since asymmetric encryption is computationally heavier than simple hashing. Ken reflects on his time securing massive, abstracted cloud environments at GitHub (such as building Codespaces, which essentially required executing isolated remote code execution as an intentional service) he sees that modern environments are far too complex for security teams to offload their thinking blindly to a magic box. 

Sprouts are coming up, so now’s the time to display your solidarity along with your support for the Podcast. Check out the selection of green tees in our merch store. (There are other colors as well). Tee-shirts are great gifts for yourself or your friends:

Whether you are an AI optimist or an AI pessimist, there’s a place for you in our Slack. Sit down, relax, and stay a while.

Stay Secure,

Seth & Ken Stefan

https://www.youtube.com/watch?v=VreqmGPAK7I – Episode #189 - Security Bypasses, AppMap, Dastardly - Seth and Ken discuss the way users work around security constraints when it gets in the way of usability, in the case in the health care industry where screen lockouts can undermine speed of care in serious situations.

https://www.youtube.com/live/jALpBoAKiB8 – Episode #236 - Memory Safe Languages, LLM Supply Chain Security - An early instance of LLM supply-chain risks is discussed in this episode with Hugging Face models repository being used for watering-hole attacks.

https://www.youtube.com/watch?v=hjnSfZLyKM0 – Episode #257 - In-Person vs. Virtual Training, Compliance Violations - The podcast duo discuss the experience of delivering trainings in-person vs virtually (shoutout to everyone who came to DEFCON Singapore for Harnessing LLMs). Also, the compliance violations leading to the government bringing a lawsuit against Georgia Tech brings up similar discussion points regarding what compliance is versus what security is.

The Futility of Lava Lamps: What Random Really Means – The article critiques Cloudflare’s famous "lava lamp wall" as cryptographic marketing and security theater. Modern network security relies on authenticated encryption rather than one-time pads. Consequently, cryptographically secure pseudorandom number generators (CSPRNGs)—such as ChaCha20 or AES-256-CTR—can securely generate infinite random bytes using a single 256-bit initial seed. 

My domain got abused on GitHub Pages – The article details how a developer’s domain was hijacked by scammers who created fake subdomains on GitHub Pages. The exploit relies on wildcard DNS records configured to point directly to GitHub’s servers. Because GitHub automatically resolves subdomains matching any custom domain's CNAME files—even within private repositories—attackers can effortlessly claim subdomains.

The CTF scene is dead - The article argues that advanced "frontier" AI models, such as Claude 4.5 and GPT-5.5, have fundamentally broken the open, online Capture The Flag competition format. Because medium and hard cybersecurity challenges can now be solved by automated AI agents, scoreboards measure AI orchestration rather than human ingenuity. This shift disrupts the learning feedback loop for beginners, forcing them to rely on AI tools rather than cultivating real problem-solving skills.

Where in the world are Seth and Ken?

August 1-4, 2026 - AI-Enhanced Secure Code Review: Black Hat Edition - BlackHat USA, Las Vegas - Seth and Ken are bringing a four-day exclusive course to Black Hat. This is an update on the exclusive version of the course offered at Black Hat Europe. Early bird pricing is ongoing, so it’s a great opportunity to get a truly in-depth understanding of Secure-Code Review and how it can be empowered through LLM-tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.

August 10-11, 2026 - Agentic AppSec: Harnessing LLMs - DEF CON Training, Las Vegas - Comprehensive course designed for developers and cybersecurity professionals seeking to harness the power of Agentic AI and Large Language Models (LLMs) to enhance software security and development practices.