Developing the Skills Needed for Modern Software Development – Keith Hoodlet, Ron Rasin, Shashwat Sehgal – ASW #376
The future of secure software is going through a mix of skills expected of humans and skills files created for LLMs. We might even posit that appsec as a discipline will fade (and that might not even be a bad thing!). Keith Hoodlet describes the skills he was looking for in building teams of security researchers and why there's still an emphasis on the ability to learn about and understand how software is built.
But figuring out what skills will get you hired and what skills are valuable to invest in still feels daunting to new grads and others entering the security industry. We discuss where the role of appsec seems to be heading and a few of the security and software fundamentals that can help you follow that direction.
Segment resources
- https://bsidessf2026.sched.com/event/2E1h4/we-pwn-the-night-growing-leading-an-31337-security-research-team?iframe=yes&w=100%&sidebar=yes&bg=no
- https://drive.google.com/file/d/1_zLH8vuHU1XOjEyk85WecQwSByDwxAmQ/view?pli=1
- https://securing.dev/posts/if-i-were-eighteen-again/
- https://research.nvidia.com/labs/lpr/slm-agents/
Then, we rebroadcast two interviews from RSAC 2026.
The Identity Crisis of Agentic AI
Identity security is being stretched between legacy infrastructure that was never built to be secure and rapidly emerging AI agents and non-human identities that organizations are quickly adopting. As AI accelerates, identity risk grows alongside it, making agentic security fundamentally an identity challenge—because the more access AI has, the greater both its power and potential risk. In this session, Ron Rasin explores how past gaps in areas like Active Directory and machine identities created today’s blind spots, and why identity must now act as the control plane for AI-driven enterprises, with real-time enforcement before access is granted. He also highlights new innovations and partnerships enabling embedded identity controls across human, non-human, and AI identities, emphasizing that at machine speed, reactive security is no longer enough.
To learn more about Silverfort and their AI Agent product, visit https://securityweekly.com/silverfortrsac.
Privileged by Design: AI Agents and the New Identity Risk to Production Systems
At RSAC this year, the AI conversation is getting more practical. Less “look what agents can do” and more “who’s actually in control when an autonomous system can take real actions across business apps and infrastructure.”
The Moltbook breach and the growing attention on OpenClaw-style agent vulnerabilities put real weight behind that question because they show how quickly agent ecosystems can scale past oversight.
Today we’re talking with Shashwat, CEO of P0 Security, about why identity and authorization are the quiet enablers of modern AI, where teams are losing control as non-human identities explode, and what security leaders can do to keep innovation moving without turning access sprawl into enterprise risk.
To learn more about P0 Security, visit: https://securityweekly.com/p0rsac.
Keith Hoodlet is the Application Security Manager at Thermo Fisher Scientific. He is the Co-Founder of the InfoSec Mentors Project.
As Chief Strategy Officer, Ron leads Silverfort’s strategic alliances with technology partners, as well as our growth operations and business strategy. He brings more than 15 years of hands-on product management experience and cyber security expertise. Prior to joining Silverfort, Ron was the Director of Product Management at Claroty, and held product management roles at Wix and NCR. Before that, Ron served as a Team Leader in the IDF's elite 8200 cyber unit. Ron holds a B.A. in Economics from Tel Aviv University.
Shashwat Sehgal is the Co-Founder and CEO of P0 Security. He’s spent most of his career building security and observability products for developers, DevOps, and security teams.
Shashwat is passionate about solving the problem of cloud access security and helping security engineers control ‘who has access to sensitive resources in their clouds.’
He enjoys playing tennis, spending time with his family, teaching his son how to play chess, and geeking out on all things security.
Mike Shema
- A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)
I will always be fascinated by flaws that survive decades of development and security testing.
This example gives another reminder of the simple lesson that if you find one bug, you should search your codebase for similar variants of that bug. In this case, a client-side fix for the same insecure code pattern was applied back in 2005. Yet the server-side code remained unfixed and unobserved(?) for decades after that.
Sure, it's an archaic protocol by now, but the article points out why and where it may still be found in real systems in the real world.
- No Prompt Injection Required
The LiteLLM compromise has the transitive excitement that anything LLM-related gets extra attention these days. Even if the attack, its consequences, and its countermeasures are reminiscent of supply chain security from the last year, the last decade, and the decade before that.
This article nicely walks through what happened and the "huh" factor that led to the malware's discovery. It also wraps up with good reminders about basic security practices to apply to package management.
- Agents of Chaos
This research leans more into a superset of appsec, with testing on safety and alignment in addition to more familiar items like DoS, identity spoofing, and tool calls.
This report is very well written and organized. I particularly appreciate the use of emojis to distinguish the various actors, i.e. robot for agents and human for humans.
- Don’t trust, verify | daniel.haxx.se
This is a great example of how to reason through a threat model without having to use the jargon of threat modeling or even focus on explicit security controls.
The end of the article has 21 tactical steps that the project has taken to maintain quality and security. I love the specificity of these items (far more than a generic top ten list) and most of them translate to any large project that needs to be maintained over time. Even if your project isn't in C, there are likely still functions you want to avoid and there are surely styles that you want to encourage for readability. The emphasis on documentation and testing (including fuzzing!) would benefit any project, whether open or closed source.
- HTTP/1.1 Must Die: Conquering the 0.CL Challenge | Blog – PortSwigger
This popped up about two weeks ago. It's a very different type of article from the usual agents and vulns that we see. It's a nice, technical walkthrough of a request smuggling attack.
Would you like to see more focused, technical content like this? Let us know!
- Introducing the OpenSSF Ambassador Program
Here's an opportunity to collaborate with people, influence the security of open source projects, and help build more educational resources for developers.
- How NOT to Get Your Conference Submission Binned – Spherical Cow Consulting
Writing remains a critical skill. As we start the CFP countdowns for all the summer conferences, here's a reference for how to avoid relying on LLMs as your voice and instead craft concise, appealing pitches for your presentation ideas.