Absolute AppSec

Episode 325 - Simplified Threat Modeling, Defining A Vulnerability


Listen Later

In episode 325 of Absolute AppSec, co-hosts Ken Johnson and Seth Law first break down an informal guide to threat modeling, arguing that overly prescriptive frameworks like STRIDE induce a heavy cognitive load on developers. Instead, they advocate for simplified, creative questions to expose architectural gaps, citing a historical GitHub planning flaw where private repository images were left exposed on S3 by relying solely on URL obfuscation. They warn that while rapid development in 2026 pushes toward automated lifecycles, human oversight, critical logging, and constructive friction remain essential. Next, they dissect a research paper exploring the philosophical definition of a vulnerability, framing it as a system disposition arising from a fault that manifests as a failure only when environmental and attacker conditions are jointly met. This definition sparks a debate on whether a flaw must carry immediate risk to qualify as a vulnerability, particularly when evaluating modern AI challenges like system prompt disclosures or exposed deprecated API paths.
...more
View all episodesView all episodes
Download on the App Store

Absolute AppSecBy Ken Johnson and Seth Law

  • 4.9
  • 4.9
  • 4.9
  • 4.9
  • 4.9

4.9

17 ratings


More shows like Absolute AppSec

View all
Stuff You Should Know by iHeartPodcasts

Stuff You Should Know

78,636 Listeners

Planet Money by NPR

Planet Money

30,666 Listeners

Risky Business by Risky Business Media

Risky Business

375 Listeners

Darknet Diaries by Jack Rhysider

Darknet Diaries

8,051 Listeners

Application Security Weekly (Audio) by Mike Shema

Application Security Weekly (Audio)

13 Listeners