

Coffee, Chaos and ProdSec
Cameron Walters and Kurt Hendle
Coffee, Chaos & ProdSec is where cybersecurity meets caffeine-fueled chaos.
Hosts Kurt (security architect and chaos tamer) and Cameron (ProdSec wrangler and DevSecOps junkie) dive into hacking, AppSec, supply chain failures, AI surprises, and the everyday madness of defending modern systems.
With humor, sharp insight, real breach breakdowns, bad password confessions, and a few questionable impressions, they explore the messy reality of security and how teams survive it.
New episodes every Wednesday at 5 AM Eastern.
Episodes
Mentioned books

Apr 22, 2026 • 58min
Ep 34 - SPVS 1.5 Is Live: AI Pipeline Security Controls ft. Farshad Abasi
Coffee, Chaos and ProdSec, Ep 34. AI is already in your pipeline. Your agents are making decisions. And most teams have no controls governing any of it. This week Cameron, Kurt, and returning guest Farshad Abasi crack open SPVS 1.5, the OWASP Secure Pipeline Verification Standard community feedback release that ships 132 AI and agentic pipeline security controls across 31 subcategories. From NHI governance for AI agents to AIBOM requirements, deterministic tool authorization, prompt injection classification, and adversarial testing as a hard release gate, this episode covers what the standard actually says and why building it made the gap impossible to ignore. If you work in Application Security, DevSecOps, or Product Security and you have ever approved an AI tool for your pipeline without a governance framework to back it up, this one is going to hit. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Apr 15, 2026 • 1h 7min
Ep 33 - Six OWASP AI Top 10s, Sixty Risks, Two Practitioners, One Consolidated List
Coffee, Chaos and ProdSec, Ep 33. OWASP published six AI security Top 10s in roughly two years. Six. That is not a framework strategy, that is a distress signal. This week Kurt and Cameron tear through all of them. LLM security, agentic applications, MCP, agentic skills, machine learning security, and the honorary sixth because AI agents have an identity problem and NHIs deserve a seat at the table. Sixty risks, one episode, zero padding. Then both hosts reveal the independent AI Top 10 lists they each built before recording and compare them live. There is overlap, there is disagreement, and there is a real conversation about whether all six frameworks can collapse into one model before the compliance world does it for us. If you work in Cybersecurity, Application Security, Product Security, DevSecOps, or Security Architecture and you have ever cited an OWASP framework in a deck without operationalizing a single control from it, this one lands differently. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Apr 8, 2026 • 1h 2min
Ep 32 - Password Resets, Dev Laptop Secrets, and the NHI Mess Nobody Wants to Own
Coffee, Chaos and ProdSec, Ep 32. Your org is still forcing 90-day password resets. NIST said stop years ago. Nobody wants to be the one who changes it. This week Cameron and Kurt get into three trust assumptions enterprise security programs are still running on in 2026 that nobody actually validated. Mandatory rotation that creates predictable mutations instead of stronger passwords, developer laptops loaded with production credentials that agentic coding tools now inherit without anyone scoping that access, and non-human identities that most teams can't inventory, let alone govern, when something goes wrong. From the compliance inertia keeping dead controls alive, to the blast radius sitting on every developer machine in your environment, to whether NHI taxonomy is a useful governance framework or just a cleaner slide deck, this one covers the full mess with zero comfort and zero vendor sympathy. If you work in Product Security, Application Security, DevSecOps, or Cybersecurity and you have ever enforced a control you stopped believing in because nobody wanted to own killing it, this episode will hit close to home. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Apr 1, 2026 • 1h 9min
Ep 31 - OSS Malware, TeamPCP, and the Supply Chain Is Not a Solved Problem ft. Jenn Gile
Coffee, Chaos and ProdSec, Ep 31. Open source malware is not a harder version of CVE management. It is a completely different problem, and most orgs are running the wrong playbook. This week Cameron and Kurt are joined by Jenn Gile, co-founder of OpenSourceMalware.com and advisor at Endor Labs, and she comes prepared to take everyone to school. They dig into how attacks like TeamPCP actually work, why your scanner is not built to catch them, and what detection looks like across the full pipeline. From install-time execution to account takeovers to the dependencies nobody vetted, the attack surface is bigger than most teams have mapped. Then they get into what a real defense program looks like, and why owning a tool is not the same as owning the problem. Spoiler: the supply chain is not a solved problem, and this episode makes that very clear. If you work in Application Security, Product Security, DevSecOps, or Software Supply Chain Security, this one is going to hurt a little. In the best way. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Mar 25, 2026 • 1h 2min
Ep 30 - ProdSec Buys the Tools, Vendors Cash the Checks, Coffee Fuels the Rage
Coffee, Chaos and ProdSec, Ep 30. Your security stack has too many tools. Your vendors swear everything works. And somehow nothing actually does. This week Cameron and Kurt get into the vendor fatigue problem that most ProdSec and Application Security teams are living with but nobody wants to say out loud. Overlapping tools, compounding pricing, AI add-ons bolted on at renewal, and alert noise so bad that engineers have quietly stopped reading findings entirely. From the build vs. buy math nobody does honestly, to the red flags that predict vendor failure before it gets expensive, to whether AI tooling has finally shifted the DIY case enough to make it worth the risk, this episode covers the full stack of frustration with real talk and zero vendor sympathy. If you work in Product Security, DevSecOps, or Cybersecurity and you have ever renewed a contract because nobody had time to fight it, this one will feel uncomfortably familiar. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Mar 18, 2026 • 1h 6min
Ep 29 - AI, AppSec, and the Security Industry Reckoning ft. Absolute AppSec
Coffee, Chaos and ProdSec, Ep 29. The AppSec industry is having a moment, and not the good kind. So this week, Cameron and Kurt bring in Seth Law and Ken Johnson from the Absolute AppSec podcast to ask the questions most security teams are still avoiding. Is AppSec dead or just getting a new job title nobody's written yet? Is your AI policy a real security control or just legal cover? And who actually owns AI security in your organization right now? From compliance frameworks mandating tools that no longer reflect best practice, to MCP servers becoming critical infrastructure nobody's tracking, to AI agents running on human credentials with blast radius nobody's mapped, this episode gets into the mess that happens when adoption moves faster than governance. Four practitioners. No vendor slides. No clean answers. Just honest takes on what AI is actually doing to Application Security, Product Security, DevSecOps, and the people trying to hold it all together. If you work in Cybersecurity, AppSec, or Software Supply Chain Security and you've ever nodded along to a risk assessment while quietly knowing something was wrong, this one's for you. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Mar 11, 2026 • 1h
Ep 28 - What Are We Working On, What Can Go Wrong: A Threat Modeling Wake Up Call
Coffee, Chaos and ProdSec, Ep 28. Threat modeling has been around for 30 years. It shows up in every security framework. And most teams are still doing it wrong, too late, or not at all. So this week, Cameron and Kurt get into it. What threat modeling actually is, why the CI/CD pipeline is almost never in scope, and why a finding with no owner is not a mitigation. They cover the framework landscape from STRIDE to MAESTRO, the SolarWinds proof point that killed the "our app passed every check" argument, and what JPMorgan Chase and Booking.com are doing in production right now with AI-assisted threat modeling. There is also a real conversation about AI as a new attack surface that existing frameworks were not built to handle, and where the ownership gap between security and ML engineering is quietly compounding risk. If you work in Application Security, Product Security, DevSecOps, or Software Supply Chain Security, this one is going to hit close to home. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Mar 4, 2026 • 1h 14min
Ep 27 - Claude Code Security, The $152 Vuln, and the AppSec Reckoning Nobody Is Ready For
Coffee, Chaos and ProdSec, Ep 27. Anthropic dropped Claude Code Security and wiped $10 billion off cybersecurity stocks in a single afternoon. Some of that panic was justified. Most of it wasn't. This week Kurt, Cameron, and special guest Blake Beus, a software engineer turned AppSec dark sith lord, dig into what actually changed and what the industry is getting completely wrong about it. They break down the DARPA AIxCC result that nobody talks about enough, where AI systems found real vulnerabilities in production code for $152 a finding. They get honest about the 20-year AppSec loop that is finally breaking, which careers are quietly at risk, and what the team of 2028 actually looks like. Then they get into the compliance gap that is going to catch organizations off guard, and call out the security vendors who are already in trouble and just don't know it yet. Blake brings the hot takes. Cameron brings the concern. Kurt holds the architecture together. It gets spicy. If you work in Application Security, Product Security, DevSecOps, AI Security, or Software Supply Chain Security, this one is going to hit close to home. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Feb 25, 2026 • 1h 2min
Ep 26 - The CISO Hot Seat - Trust, Survival, and What Nobody Says Out Loud
Coffee, Chaos and ProdSec, Ep 26. We put a CISO in the hot seat and told him no corporate answers allowed. This week Kurt and Cameron sit down with Billy Spears, a seasoned cybersecurity leader who has served in CISO, CIO, and CTO roles across public companies and national security environments. Billy came ready to be honest about what the role actually looks like when the dashboards are up at midnight and nobody else is in the room. The conversation gets into whether the CISO role is impossible or just undefined, why technical roots still matter when you are briefing the board, and how compliance focus quietly replaces real risk management when nobody is paying attention. Billy breaks down what trust actually means in cybersecurity leadership and why chasing perfection is a trap that burns out teams and stalls programs. Kurt and Cameron push back, dig in, and land on something practitioners rarely hear out loud. Stop building for the threat you can predict. Start building durability for the one you cannot. If you work in Application Security, Product Security, DevSecOps, or cybersecurity leadership and you want an unfiltered look at what it takes to lead security programs without losing your mind, this one is for you. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

Feb 18, 2026 • 1h 8min
Ep 25 - Stop Saying No, Start Proving Value, and Stop Letting AI Wreck Your Roadmap
Caroline Wong is a security leader and author who helps translate security into business impact. She and the panel tackle why roadmaps crumble when AI reshapes priorities. They debate when leaders need technical depth. They discuss avoiding the Department of No, making risk registers actionable, and proving value through business-focused communication.


