Why Basic Security Practices Still Work – Rob Allen – ASW #382
If you have to ditch your entire appsec strategy because you expect 2026 to bring more vulns more quickly, then you probably didn't have a good strategy in the first place. Rob Allen shares how the mentality of "assume breach" doesn't have to be a defeatist attitude and can instead be a way to change a catastrophic breach into a more contained one. We also talk about proactive security and what an "avoid breach" attitude could look like, including how to apply the macro lessons of default deny and network isolation to writing secure code.
Resources
- https://www.threatlocker.com/blog/the-claude-mythos-preview-proves-now-is-the-time-for-zero-trust?utmsource=cyberriskalliance&utmmedium=sponsor&utmcampaign=claudemythosaswq226&utmcontent=claudemythosasw-&utm_term=podcast
- https://www.threatlocker.com/capabilities/zero-trust-network-access?utmsource=cyberriskalliance&utmmedium=sponsor&utmcampaign=ztnaq226&utmcontent=ztna-&utm_term=podcast
- https://www.threatlocker.com/capabilities/zero-trust-cloud-access?utmsource=cyberriskalliance&utmmedium=sponsor&utmcampaign=ztcaq226&utmcontent=ztca-&utm_term=podcast
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Rob Allen, Chief Product Officer of ThreatLocker, is an IT professional with three decades of experience helping small and medium enterprises embrace and utilize technology. He has spent the majority of this time working for an Irish-based MSP, which has given him invaluable insights into the challenges faced by businesses today. Rob’s background is technical – first as a system administrator, then as a technician and an engineer. His broad technical knowledge, as well as an innate understanding of customers’ needs, made him a trusted advisor for hundreds of businesses across a wide variety of industries. Rob has been at the coalface, assisting clients in remediating the effects of cyber and ransomware attacks and helping them recover from them.
If you’re building or securing applications today, generative AI just changed your threat model.
AI-generated code, prompt injection, data leakage, and agentic workflows are introducing risks your current AppSec tools were never designed to handle. And with DevOps moving faster than ever, the gap between shipping and securing is only getting wider.
So how do you actually secure what you’re building?
Join us May 27 for the OWASP Generative AI Virtual Cybersecurity Summit. Hear from the experts behind the OWASP GenAI Security Project on the top risks in LLMs and agentic AI, and how to secure AI systems across the entire SDLC.
Get practical guidance, real-world strategies, and the tools you need to stay ahead of AI-driven threats.
Security Weekly listeners can register for free at https://securityweekly.com/genai using the promo code: CSS26-SW
Mike Shema
- Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks – the Web developer blog
This is a welcome breakdown of what Mythos did -- and did not -- find in Mozilla's codebase. Once again, it points to the importance of test harnesses. Mozilla benefited greatly from their long history of fuzzing. While the model clearly demonstrated success, that success stemmed from more than just a simple prompt like, "Find all the bugs."
- V4bel/dirtyfrag · GitHub
There's also a nice summary from Wiz.
- Finding Zero-Days with Any Model
My two takeaways from this are that LLM-based vuln finding remains heavily dependent on the tool harness given to the agent(s), and that the commercial models remain very, very expensive ways to find vulns.
- CVE-2026-0073 Android adbd TLS client-authentication bypass
This vuln boils down to the surprising outcome of misusing an API. It's the kind of vuln that makes me ask, "At what point do you rewrite an API because users make too many mistakes with it?"
In other words, what's your philosophy of good API design and does OpenSSL (or an OpenSSL-like interface) match your criteria for a good design?
- 2033170 – DigiCert: Misissued code signing certificates
As John noted on the show, here's a similar template for writing up a "Correction of Error" to identify root causes, lessons learned, and working with others to avoid repeating failures and improve processes.
- OWASP Foundation Unveils Its Strategic Plan for a World Without Insecure Software
Check out the full five-point plan.
- FYI: Can I run AI locally?
We've gone from tracking features to tracking hardware specs.