- What: Discussion on the effectiveness of basic security practices
- Impact: Industry experts share insights on application security and ransomware prevention
Application security, Ransomware, AI benefits/risks

Why Basic Security Practices Still Work – Rob Allen – ASW #382

May 12, 2026

If you have to ditch your entire appsec strategy because you expect 2026 to bring more vulns more quickly, then you probably didn't have a good strategy in the first place. Rob Allen shares how the mentality of "assume breach" doesn't have to be a defeatist attitude and can instead be a way to change a catastrophic breach into a more contained one. We also talk about proactive security and what an "avoid breach" attitude could look like, including how to apply the macro lessons of default deny and network isolation to writing secure code.

Resources

- https://www.threatlocker.com/blog/the-claude-mythos-preview-proves-now-is-the-time-for-zero-trust?utm source=cyber risk alliance&utm medium=sponsor&utm campaign=claude mythos asw q2 26&utm content=claude mythos asw-&utm_term=podcast
- https://www.threatlocker.com/capabilities/zero-trust-network-access?utm source=cyber risk alliance&utm medium=sponsor&utm campaign=ztna q2 26&utm content=ztna-&utm_term=podcast
- https://www.threatlocker.com/capabilities/zero-trust-cloud-access?utm source=cyber risk alliance&utm medium=sponsor&utm campaign=ztca q2 26&utm content=ztca-&utm_term=podcast

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!

Guest

Rob Allen, Chief Product Officer at ThreatLocker

Rob Allen is an IT professional with almost two decades of experience assisting small and medium enterprises embrace and utilize technology. He has spent the majority of this time working for an Irish-based MSP, which has given him invaluable insights into the challenges faced by MSPs and their customers today. Rob's background is technical – first as a system administrator, then as a technician and an engineer. His broad technical knowledge, as well as an innate understanding of customers' needs, made him a trusted advisor for hundreds of businesses across a wide variety of industries. Rob has been at the coalface, assisting clients in remediating the effects of, and helping them recover from, cyber and ransomware attacks. Rob joined the ThreatLocker team in 2021, excited at the prospect of building new relationships and helping deliver ThreatLocker® enterprise-level security products to customers throughout the EMEA region.

Hosts

- Mike Shema, https://dangerouserrors.com
- John Kinsella, @jlk_

Announcements

If you're building or securing applications today, generative AI just changed your threat model.
AI-generated code, prompt injection, data leakage, and agentic workflows are introducing risks your current AppSec tools were never designed to handle. And with DevOps moving faster than ever, the gap between shipping and securing is only getting wider. So how do you actually secure what you're building? Join us May 27 for the OWASP Generative AI Virtual Cybersecurity Summit. Hear from the experts behind the OWASP GenAI Security Project on the top risks in LLMs and agentic AI, and how to secure AI systems across the entire SDLC. Get practical guidance, real-world strategies, and the tools you need to stay ahead of AI-driven threats. Security Weekly listeners can register for free at https://securityweekly.com/genai using the promo code: CSS26-SW

List of Articles

Mike Shema

- Behind the Scenes: Hardening Firefox with Claude Mythos Preview – Mozilla Hacks – the Web developer blog
  This is a welcome breakdown of what Mythos did -- and did not -- find in Mozilla's codebase. Once again, it points to the importance of test harnesses. Mozilla benefited greatly from their long history of fuzzing. While the model clearly demonstrated success, that success stemmed from more than just a simple prompt like, "Find all the bugs."

- V4bel/dirtyfrag · GitHub
  There's also a nice summary from Wiz.

- Finding Zero-Days with Any Model
  My two takeaways from this are that LLM-based vuln finding remains heavily dependent on the tool harness given to the agent(s) and that the commercial models remain very, very expensive ways to find vulns.

- CVE-2026-0073 Android adbd TLS client-authentication bypass
  This vuln boils down to the surprising outcome of misusing an API. It's the kind of vuln that makes me ask, "At what point do you rewrite an API because users make too many mistakes with it?" In other words, what's your philosophy of good API design, and does OpenSSL (or an OpenSSL-like interface) match your criteria for a good design?

- 2033170 – DigiCert: Misissued code signing certificates
  As John noted on the show, here's a similar template for writing up a "Correction of Error" to identify root causes, lessons learned, and working with others to avoid repeating failures and improve processes.

- OWASP Foundation Unveils Its Strategic Plan for a World Without Insecure Software
  Check out the full five-point plan.

- FYI: Can I run AI locally?
  We've gone from tracking features to tracking hardware specs.