We dedicate an episode to catching up on appsec news with Kalyani Pawar. We see parsing problems that led to the BadHost vuln, which exposed lots of LLMs, MCPs, and agents to potential compromise. We wonder where to look for security education and practice as the camaraderie of the CTF community becomes infiltrated by LLMs. We talk about the tradeoffs in trust between using public packages vs. having agents write replacements from scratch. And we examine some of the appsec details that the Verizon DBIR reveals about how orgs are being attacked -- and how orgs might use that information to protect themselves.
Mike Shema
- BadHost
- AI Has Taken Over Open Source – Socket
- The CTF scene is dead – kabir.au
- Nx Console VS Code Extension Compromised – StepSecurity
- State of SDLC Security 2026: How Risk Scales | Wiz Blog
- Improving C# Memory Safety – .NET Blog
Rust is positively influencing other languages. It's also helpful to improve common terminology and adopt patterns across languages.
- 2026 Data Breach Investigations Report (DBIR) | Verizon
- Southern District of New York | Google Employee Charged With Insider Trading | United States Department of Justice
A data point for the price of confidential information or the price at which an insider may potentially become a malicious insider.
