Security Weekly Podcast Network (Audio): Creating Better Security Guidance and Code with LLMs - Mark Curphey - ASW #374
Mar 17, 2026
Mark Curphey, security engineer and entrepreneur who helped found OWASP and SourceClear, talks about using LLMs and agents to update secure coding guidance and build tooling. He demos an agentic SCA prototype, discusses where authoritative security knowledge should live, and explains why clear prompts and human oversight matter when LLMs write or fix code.
AI Snips
Six Minute SCA Parlor Trick
- Mark demonstrated an agentic coding parlor trick that built an SCA tool in ~6 minutes using a prompt and agents.
- He extended it in another ~4 minutes to add ecosystems and depth.dev checks, showing rapid feature expansion.
Authoritative Specs Make Agents Reliable
- When language specs and package managers are well-documented, agents can accurately implement and audit behaviors.
- Mark points to NPM and package manager specs as sources agents can learn to handle edge cases reliably.
Verify Authoritative Sources Before Using Them
- Avoid blindly trusting domain authority; validate sources before using them as LLM ground truth.
- Mark tells his agents to ignore OWASP until its guidance has been verified, and he builds curated RAG data instead.
