Dune and Gloom Under the AppSec Tree: From Shai-Hulud to React2Shell

OWASP Top 10 Turns 20: Still Valid, Still Controversial

The OWASP Top 10 has been the web application security yardstick for over two decades now, from its first edition in 2003 to the latest 2025 update, with its changes of format and scope often stirring industry controversy.   In this episode of AppSec Serialized, Dan Murphy and Ryan Bergquist discuss the past, present, and future of the OWASP Top 10, and do a reality check on its practical usefulness today.

Dune and Gloom Under the AppSec Tree: From Shai-Hulud to React2Shell

Supply-chain vulnerabilities are getting more frequent and dangerous, with the Shai-Hulud npm worm and React2Shell RCE vulnerability being just two of the recent ones.   In this episode of AppSec Serialized, Dan Murphy and Ryan Bergquist analyze those recent threats (plus a bonus Django vulnerability) and talk about the implications of security risk shifting towards dependencies.

20,000 Apps Under the Sea: Deep Dive into Vibe Coding Security

Vibe coding is allowing even non-developers to produce fully functional web applications by using LLMs to generate code – but how secure are they?   In this episode of AppSec Serialized, special guest Bogdan Calin joins hosts Dan Murphy and Ryan Bergquist to talk about his research, which involved vibe-coding over 20,000 applications and analyzing them to learn what vulnerabilities and hardcoded secrets are most frequent.

Conducting the AppSec Symphony: From Noise to ASPM Harmony

Application security posture management (ASPM) has become a crucial pillar of AppSec programs by aggregating, correlating, and prioritizing vulnerability reports arriving from various testing tools.   In this episode of AppSec Serialized, Cenk Kalpakoğlu, founder of Kondukto, joins hosts Dan and Ryan to discuss the evolution of ASPM, how Invicti and Kondukto approach integrations, and how security can be embedded early in CI/CD pipelines. The conversation covers industry trends, automation, and lessons from Kondukto’s startup journey to its acquisition by Invicti.

Prompt and Circumstance: LLM Vulnerability
Scanning

Large language models are transforming software development by making it easier to write and connect code, but they also introduce serious security risks. Vulnerabilities like LLM command injection, SSRF, and insecure outputs mirror traditional web flaws while creating new attack vectors unique to AI-driven apps.   In this episode, Dan Murphy and Ryan Bergquist discuss how LLM-powered applications can be manipulated into leaking data, executing malicious commands, or wasting costly tokens. They also explain how Invicti’s scanning technology detects and validates these risks, helping organizations protect against the growing challenges of LLM security.