This week on episode 326 of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) start with a deep dive into the shifting landscape of AppSec jobs. Then they dissect a research paper tracking security vulnerability mitigations through LLM feedback, which reveals a degradation in code quality and an explosion of false positives. Finally, Seth and Ken examine Open Web Docs’ new web security guidelines community group. To find this episode, head over to youtube.com/@AbsoluteAppSec/streams, or search Absolute AppSec wherever you get your podcasts.

The AppSec industry is finally growing up. One of the biggest things hitting the radar right now is the massive wave of AppSec folks and independent contractors hitting the pavement looking for work. It used to be that companies would just hand off their security testing to outside consultancies or hire a contractor to knock out their quarterly or annual checkups. But Ken and Seth point out that the game is changing; instead of outsourcing everything, bigger companies are starting to spin up their own internal "tiger teams" and bringing product security directly in-house. Even though tech layoffs and macroeconomics have made the job market incredibly competitive, the guys emphasize that companies are still actively hiring. The takeaway for anyone in the field is that as these internal teams get more sophisticated, you’ve got to keep leveling up your skills so your tech stack knowledge doesn't get left out in the cold. Psst, one way you can stay sharp is by joining our training in Vegas this year. More info below.

“I find it so funny because in the beginning, I couldn’t get anybody […] to trust a system that did code review or anything security-related with AI. Now it’s the complete opposite. […] Now I’m begging people to be humans again. Use their brains and do things…”

Ken

When the conversation shifts to AI, the guys get into the messy reality of everyday coding with these tools, highlighting a funny paradox where chatting back and forth with an AI assistant can make your code work better at first, but the actual security falls off a cliff after about the fourth or fifth prompt due to context drift. Because LLMs act like overly eager interns, if you keep asking them to tweak a block of code, they will literally start making stuff up just to give you an answer—resulting in a bunch of nitpicky noise or flat-out security bugs. This ties directly into the dangerous trend of companies backing away from manual code reviews and relying way too much on AI to check its own homework. Ken shares his recent experiences benchmarking automated tools, noting that AI will confidently tell you a script is perfectly secure or completely broken, but a human review continuously reveals that the model misread how the code executes and flagged false positives because it can't validate reachability. Seth doesn't mince words here, arguing that letting go of human review just to keep up with shipping speeds is flat-out negligent; while autonomous tools and scanners like CodeQL are awesome for speeding things up, you still absolutely need a human in the loop to separate the real threats from the noise.

“There’s lots of new categories of types of vulnerabilities that LLMs have gifted us that I don’t think W3 would have anything to do with […] I don’t think [OWASP is] going to care about data model poisoning, for instance…”

Ken

The guys wrap things up by looking at the evolving landscape of security guidelines, focusing on Open Web Docs' new community group for web security documentation. This sparks an interesting debate on whether Open Web Docs and the Mozilla Developer Network (MDN) are positioned to become the next OWASP. Seth points out that while a lot of what they are putting out looks like traditional OWASP cheat sheets, these browser-centric organizations hold a ton of unique weight with front-end developers because they are the ones actually building the browser standards. Ken notes that there's a big difference between platform standards—like browser defenses—and application-level flaws like IDOR or new AI data poisoning risks that OWASP handles. They both agree that a little friction between different standards organizations isn't a bad thing at all; in fact, it's pretty healthy for the community. It's a great reality check for the industry, especially since grassroots recognition of OWASP among everyday developers is surprisingly low, with most only hearing about it when an auditor uses the Top Ten as a regulatory checklist.

Think about your mobile app’s source code. Once it hits the app store, it’s out in the wild. And without the right protection, decompiling is easy for malicious actors looking to steal your IP or tamper with your software.

That’s where Guardsquare comes in. Guardsquare provides the highest level of mobile app security for Android and iOS applications and SDKs. Their advanced tools integrate seamlessly into your CI/CD pipeline. We're talking polymorphic multi-layered code hardening techniques and automated runtime application self-protection, paired with mobile application security testing and real-time threat monitoring, to deliver the highest level of mobile app security without compromise.

Don't leave your hard work exposed. Secure your mobile applications today. Go to guardsquare.com to learn more.

We’re all about going back to basics and keeping it simple. Don’t you wish you had a plain white tee that reminded you of these principles? Our Crocs and Socks tee-shirts are great gifts for yourself or your friends:

Basics are back. CrocsSocks4EVER.

If you are new to the AppSec space, come converse with experts and newbies alike in our Slack; just send us a note to join the channel. Sit down, relax, and stay a while.

Stay Secure,

Seth & Ken

https://www.youtube.com/watch?v=gqpdEpVm4oM – Episode #232 - Security Jobs, Surveillance, Prompt Injection - A lengthy discussion about application security jobs, training, and getting into the security space due to an article based on someone's experience moving from IT to pentesting. 

https://youtube.com/watch?v=CmKe1a9GuB4&t=17s – Episode #313 - AppSec Role Evolution, AI Skills & Risks, Phishing AI Agents - The hosts advocate for a shift toward high-level validation roles, emphasizing the need for Subject Matter Expertise to combat "reasoning drift" and maintain safety through test-driven development and periodic "checkpoints". While AI can simulate expertise, human oversight remains vital to secure the probabilistic nature of modern agentic workflows.

https://youtu.be/watch?v=65EI4vz6fP0&t=1s – Episode #305 - Career Impact of AI, SEO/GEO, More Supply Chain Attacks - How will the rise of generative AI impact career paths for newcomers, especially given that LLMs fundamentally rely on the contributions of existing experts? While pathways may change, they agree that core human activities—like networking, contributing to projects, and maintaining a hacker mindset—will remain crucial. 

Absolute AppSec Happenings

Expertise in Cybersecurity: Challenging Industry Mental Models – In this LinkedIn post, Andrew Wilson discusses how traditional cybersecurity frameworks rely on weak mental models because the industry poorly understands real-world hacker behavior. Applying Gary Klein’s Recognition-Primed Decision model and interviewing industry experts, his PhD research reveals how experts rely heavily on tacit knowledge, experience, and pattern recognition rather than rigid rules.

The Smart TV in Your Living Room Is a Node in the AIScraping Economy – This article exposes how data-collection companies like Bright Data use embedded SDKs in free smart TV and mobile apps to turn home networks into residential proxy nodes. Because AI scraping bots face heavy blocking from datacenters, they route data-harvesting traffic through these residential IP addresses. Smart TVs are ideal targets due to their continuous power, high-speed Wi-Fi, and weak consumer privacy oversight.

Securing agentic identity - This article addresses the security risks of granting non-deterministic AI agents access to sensitive corporate credentials. Because traditional identity providers lack hardware-bound token protection, leaked credentials risk massive data exposure. The author proposes a stateless broker system that encrypts the real authentication token into a placeholder JWT. Combined with mTLS and instance-backed client certificates, this protocol safely restricts token execution strictly to the intended agent environment.

Upcoming Events

Where in the world are Seth and Ken?

August 1-4, 2026 - AI-Enhanced Secure Code Review: Black Hat Edition - BlackHat USA, Las Vegas - Seth and Ken are bringing a four-day exclusive course to Black Hat. This is an update on the exclusive version of the course offered at Black Hat Europe. Early bird pricing is ongoing, so it’s a great opportunity to get a truly in-depth understanding of Secure-Code Review and how it can be empowered through LLM-tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.

August 10-11, 2026 - Agentic AppSec: Harnessing LLMs - DEF CON Training, Las Vegas - Comprehensive course designed for developers and cybersecurity professionals seeking to harness the power of Agentic AI and Large Language Models (LLMs) to enhance software security and development practices.

Keep Reading