
Coffee, Chaos and ProdSec

Podcast by Cameron Walters and Kurt Hendle

English

Technology and science


Coffee, Chaos & ProdSec is where cybersecurity meets caffeine-fueled chaos. Hosts Kurt (security architect and chaos tamer) and Cameron (ProdSec wrangler and DevSecOps junkie) dive into hacking, AppSec, supply chain failures, AI surprises, and the everyday madness of defending modern systems. With humor, sharp insight, real breach breakdowns, bad password confessions, and a few questionable impressions, they explore the messy reality of security and how teams survive it. New episodes every Wednesday at 5 AM Eastern.

All episodes

39 episodes


Ep 38 - Governance Without Enforcement Is Theater and Shadow AI Knows It

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 38

Your org told everyone to use AI. The budget ran out. Someone found a better free tool. Boom, shadow AI just happened. This week Cameron [https://www.linkedin.com/in/cameronww7] and Kurt [https://www.linkedin.com/in/kurthendle] record on four hours of sleep fresh off two days in Austin talking AI and identity with practitioners, and somehow that makes this episode better. They get into where shadow AI actually lives across the corporate surface and the SDLC, what you can detect today with EDR, SIEM, SASE, and a GitHub search bar, and where current detection completely falls apart. From AISPM getting called out as a category that overpromises, to live threat modeling on how a developer could run a local model cluster at home and stay invisible to every control your team has, to why governance without enforcement is just theater with better fonts, this one is honest about what security teams can and cannot see right now. If you work in AppSec, DevSecOps, or Security Architecture and have ever written an AI acceptable use policy without knowing what AI your org actually uses, this one is for you.

☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

20 May 2026 - 1 h 1 min

Ep 37 - Scattered Spider Called Your Help Desk and Your TPRM Annual Review Missed It

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 37

Your vendor filled out the questionnaire. They have a SOC 2. And they just got you popped. This week Cameron [https://www.linkedin.com/in/cameronww7] and Kurt [https://www.linkedin.com/in/kurthendle] get into the third-party risk management conversation that the industry keeps avoiding. Not the checkbox version, the one where Scattered Spider is social engineering your managed service provider's help desk and you're finding out about it from a news alert. They cover why SOC 2 is a report and not a certification, why vendor management and TPRM are two completely different functions that most companies let collapse into one spreadsheet, why open source dependencies are third-party risk that nobody owns, and what continuous monitoring actually looks like when you stop pretending an annual audit is a security control. Plus the Delve incident, goblins in AI training data, and Kurt reading the scope statement while Cameron does the actual research. If you work in Product Security, Application Security, DevSecOps, or GRC and you have ever accepted a SOC 2 Type 1 as proof that someone takes security seriously, this one is for you.

☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

13 May 2026 - 56 min

Ep 36 - Stop Blaming Mythos - The Defender Playbook Was Already Overdue

🎙️ Coffee, Chaos and ProdSec, Ep 36

Your risk model is lying to you. Not maliciously. Just quietly, using assumptions that stopped being accurate before Mythos ever made the news. This week Cameron and Kurt get into the part nobody wants to say out loud: the AI threat acceleration has been building for over a year and most Application Security and Product Security programs are still running the old playbook. Pipelines shipping code faster than anyone's reviewing it, agents deployed like they're Slack bots, CVE feeds that can't keep pace with what AI is finding, and security teams absorbing a workload that was never designed for this environment. From VulnOps as a permanent function to the 10 questions that tell you whether your program can actually execute, to burnout as a real operational risk and not an HR checkbox, this one is built for the practitioner who needs actions, not another threat briefing. If you're in DevSecOps, Cybersecurity, or Security Architecture and your Monday morning plan is still "check the queue," this episode is the intervention.

☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

6 May 2026 - 1 h 1 min

Ep 35 - Mythos, the AI Exploit Printer, and Whether Security Is Actually Cooked ft. Caroline Wong

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 35

Anthropic dropped Mythos. 250 CISOs argued in a live document over a weekend. A crisis paper shipped Monday morning. And everyone's board started calling. This week Cameron [https://www.linkedin.com/in/cameronww7], Kurt [https://www.linkedin.com/in/kurthendle], and Caroline Wong get into what Mythos actually did differently from every model before it, whether Project Glasswing is coordinated disclosure or the most expensive press release in security history, and why the tsunami of vulnerabilities coming out of it is going to expose every program that's been doing vulnerability management wrong for a decade. They also get into the third identity class nobody is governing yet, whether risk prioritization even makes sense when AI can chain your deprioritized findings into a critical, and what the curl project quietly proved about where AI security capability actually is right now. If you work in Cybersecurity, Application Security, Product Security, or DevSecOps and the Mythos noise has made it hard to figure out what's real, this one cuts through it.

☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

29 April 2026 - 59 min

Ep 34 - SPVS 1.5 Is Live: AI Pipeline Security Controls ft. Farshad Abasi

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 34

AI is already in your pipeline. Your agents are making decisions. And most teams have no controls governing any of it. This week Cameron [https://www.linkedin.com/in/cameronww7], Kurt [https://www.linkedin.com/in/kurthendle], and returning guest Farshad Abasi crack open SPVS 1.5, the OWASP Secure Pipeline Verification Standard community feedback release that ships 132 AI and agentic pipeline security controls across 31 subcategories. From NHI governance for AI agents to AIBOM requirements, deterministic tool authorization, prompt injection classification, and adversarial testing as a hard release gate, this episode covers what the standard actually says and why building it made the gap impossible to ignore. If you work in Application Security, DevSecOps, or Product Security and you have ever approved an AI tool for your pipeline without a governance framework to back it up, this one is going to hit.

☕ New episodes every Wednesday. Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec] -> strong coffee, stronger opinions.

22 April 2026 - 57 min