
Most AppSec teams are working through more findings than they can validate. SAST surfaces thousands of potential issues. DAST generates alert volume that outpaces triage capacity. Somewhere in that output are the vulnerabilities that matter, the ones that are actually exploitable in production. This conversation explores why automated testing often stops short of the hardest part of the job: proving what is real. We dig into how business logic flaws and authorization vulnerabilities get missed by tools that scan without reasoning, what exploit validation looks like at runtime, and how security engineers are shifting toward findings that developers will actually act on.

The segment is sponsored by XBOW. Visit https://securityweekly.com/xbow to see how autonomous AI pentesting delivers expert-quality findings in hours with real exploit validation your team can actually act on.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-386

00:00:00 From PHP's Birthday to the Evolution of Vulnerability Research
00:04:19 Setting the Threshold: Pen Testing for Vulnerability Prioritization
00:06:36 The Role of LLMs and Harnesses in Security Economics
00:12:59 Addressing Root Causes: Secure Design Over Quick Patches
00:19:34 Balancing Human Creativity with LLM's Systematic Approach
00:25:44 How Harnesses Enable Dynamic and Focused LLM Pentesting
00:32:51 The XM Bug: LLMs Accelerating Exploit Development
00:38:41 Defining AppSec and Kicking Off the Week's Security News
00:40:59 Hackers Exploit Meta AI for Instagram Account Takeovers
00:48:07 Enhancing AI-Generated Code Security with Type-Level Safety
00:55:05 Uncovering HTTP/2 Protocol Flaws with LLM-Assisted Analysis
00:59:57 The Starry State of Skill Distribution and Supply Chain Risks
01:06:44 J Quick's Prompt Injection and PHP Composer Supply Chain Security
01:15:38 Final Thoughts and Farewell from Application Security Weekly