Securing Software’s Journey with the OWASP SPVS – Cameron W., Farshad Abasi, Rohan Ravindranath, Ido Geffen – ASW #378
It's one thing to write secure code, it's another to release it into the wild. That code needs to be designed, built, tested, released, and maintained. Farshad Abasi and Cameron Walters explain how the OWASP Secure Pipeline Verification Standard picks up from where ASVS left off, how it complements other supply chain security efforts like SLSA, and why they updated it with explicit coverage for AI.
They show what goes into making a project relevant and -- most importantly -- successful at defending how supply chains are attacked. They're also looking for more feedback and participation! If you build software packages, consume software packages, or have an interest in helping organizations stay secure, check it out!
Resources
- https://owasp.org/www-project-spvs/
- https://github.com/OWASP/www-project-spvs/blob/main/1.5/ReleaseNotesOWASPSPVS1.5-AI-Pipeline-Security.md
- https://youtu.be/-WoqGDdivGw?si=kK5-csbnTw8Y4g2J -- The Story Behind OWASP SPVS
- https://slsa.dev
Zero Trust That Actually Ships: Moving From Strategy Decks to Real Security
Most enterprise organizations have been working at Zero Trust for years and fail to deliver truly secure environments. Rohan Ravindranath shares insights that Zappsec has gained from guiding the global teams that are succeeding at protecting their orgs. Discover the common pitfalls so you can deploy a solution that works.
This segment is sponsored by Zappsec. Visit https://securityweekly.com/zappsecrsac to learn more about them!
Cloning Attacker Tradecraft: Why AI Pentesting is Becoming Essential
Enterprises ship code continuously, but most security validation still happens in snapshots. Novee CEO and co-founder Ido Geffen explains what “AI penetration testing” means, why it’s different from automated scanning, and why it’s becoming essential as attackers adopt AI to move faster. He breaks down what separates best-in-class AI pentesting: operator-like reasoning across real environments, validated exploitability, and the ability to uncover business logic flaws and multi-step attack chains. Ido covers the technology behind Novee’s AI penetration tester: a proprietary LLM model, built independently of “frontier” LLMs (like Claude, ChatGPT, Cursor, etc.), and consistently outperforming them at browser exploitation tests. Finally, he shares what buyers should demand in a live evaluation and how continuous retesting closes the loop after fixes ship.
This segment is sponsored by Novee Security. See what your attackers already know at https://securityweekly.com/noveersac.
Cameron W. is a Director of Application Security and Security Engineering who started as a software engineer and has spent his career building and scaling enterprise AppSec and Product Security programs across globally distributed engineering organizations. He is a co-creator of the OWASP Secure Pipeline Verification Standard and brings that same implementation-first mindset to everything he builds. His approach is simple: security should work the way engineering actually works. He builds guardrails instead of gates, automates what most teams still do manually, and co-hosts Coffee, Chaos & ProdSec, where he brings the same practitioner-first lens to conversations about modern product security.
Farshad Abasi is the Founder and CEO of Forward Security and Eureka DevSecOps, bringing over 29 years of industry experience to the forefront of cybersecurity innovation. His professional journey includes key technical roles at Intel and Motorola, evolving into senior security positions as the Principal Security Architect for HSBC Global, and Head of IT Security for the Canadian division. Farshad’s commitment to the field extends to his role as an instructor at BCIT, where he imparts his wealth of knowledge to the next generation of cybersecurity experts. His diverse experience, which spans startups to large enterprises, informs his approach to delivering adaptive and reliable solutions.
Engaged actively in the cybersecurity community through roles in BSides Vancouver/MARS, OWASP Vancouver/AppSec PNW, and as a CISSP designate, Farshad’s vision and leadership continue to drive the industry forward. Under his guidance, Forward Security and Eureka are setting new standards in application and cloud security.
Rohan Ravindranath is a cloud and security modernization strategist known for turning Zero Trust from concept into production reality. As Founder & CEO of Zappsec Technologies, he leads global infrastructure transformation programs that converge network modernization, cloud landing zones, microsegmentation, and AI-ready architecture into a unified execution model.
Rohan has directed large-scale initiatives spanning 1,000’s of international sites, embedding identity-driven controls and workload-level segmentation directly into modernization programs.
He is passionate about bridging the gap between security theory and operational deployment, helping enterprises enforce policy, reduce attack surface, and accelerate innovation simultaneously.
Ido Geffen is the CEO and co-founder of Novee, the leader in AI-powered penetration testing. He brings over 20 years of experience across offensive and defensive cybersecurity, including nation-scale operations, vulnerability exploitation, and defense.
Through his work on national defense, he and fellow Novee co-founders Gon Chalamish and Omer Ninburg saw enterprises facing an impossible challenge: deploying code continuously while testing security only quarterly, even as attackers operate 24/7 with AI-powered tools. They founded Novee in May 2025 to clone their combined expertise into an agent that runs continuously, finding zero-days, business logic flaws, and complex attack chains that traditional tools miss.
