Coffee, Chaos and ProdSec
Author: Cameron Walters and Kurt Hendle
© Cameron Walters and Kurt Hendle
Description
Coffee, Chaos & ProdSec is where cybersecurity meets caffeine-fueled chaos.
Hosts Kurt (security architect and chaos tamer) and Cameron (ProdSec wrangler and DevSecOps junkie) dive into hacking, AppSec, supply chain failures, AI surprises, and the everyday madness of defending modern systems.
With humor, sharp insight, real breach breakdowns, bad password confessions, and a few questionable impressions, they explore the messy reality of security and how teams survive it.
New episodes every Wednesday at 5 AM Eastern.
32 Episodes
🎙️ Coffee, Chaos and ProdSec, Ep 31: Open source malware is not a harder version of CVE management. It is a completely different problem, and most orgs are running the wrong playbook. This week Cameron and Kurt are joined by Jenn Gile, co-founder of OpenSourceMalware.com and advisor at Endor Labs, and she comes prepared to take everyone to school. They dig into how attacks like TeamPCP actually work, why your scanner is not built to catch them, and what detection looks like across the full pipeline. From install-time execution to account takeovers to the dependencies nobody vetted, the attack surface is bigger than most teams have mapped. Then they get into what a real defense program looks like, and why owning a tool is not the same as owning the problem. Spoiler: the supply chain is not a solved problem, and this episode makes that very clear. If you work in Application Security, Product Security, DevSecOps, or Software Supply Chain Security, this one is going to hurt a little. In the best way. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 30: Your security stack has too many tools. Your vendors swear everything works. And somehow nothing actually does. This week Cameron and Kurt get into the vendor fatigue problem that most ProdSec and Application Security teams are living with but nobody wants to say out loud. Overlapping tools, compounding pricing, AI add-ons bolted on at renewal, and alert noise so bad that engineers have quietly stopped reading findings entirely. From the build vs. buy math nobody does honestly, to the red flags that predict vendor failure before it gets expensive, to whether AI tooling has finally shifted the DIY case enough to make it worth the risk, this episode covers the full stack of frustration with real talk and zero vendor sympathy. If you work in Product Security, DevSecOps, or Cybersecurity and you have ever renewed a contract because nobody had time to fight it, this one will feel uncomfortably familiar. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 29: The AppSec industry is having a moment, and not the good kind. So this week, Cameron and Kurt bring in Seth Law and Ken Johnson from the Absolute AppSec podcast to ask the questions most security teams are still avoiding. Is AppSec dead or just getting a new job title nobody's written yet? Is your AI policy a real security control or just legal cover? And who actually owns AI security in your organization right now? From compliance frameworks mandating tools that no longer reflect best practice, to MCP servers becoming critical infrastructure nobody's tracking, to AI agents running on human credentials with a blast radius nobody's mapped, this episode gets into the mess that happens when adoption moves faster than governance. Four practitioners. No vendor slides. No clean answers. Just honest takes on what AI is actually doing to Application Security, Product Security, DevSecOps, and the people trying to hold it all together. If you work in Cybersecurity, AppSec, or Software Supply Chain Security and you've ever nodded along to a risk assessment while quietly knowing something was wrong, this one's for you. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 28: Threat modeling has been around for 30 years. It shows up in every security framework. And most teams are still doing it wrong, too late, or not at all. So this week, Cameron and Kurt get into it: what threat modeling actually is, why the CI/CD pipeline is almost never in scope, and why a finding with no owner is not a mitigation. They cover the framework landscape from STRIDE to MAESTRO, the SolarWinds proof point that killed the "our app passed every check" argument, and what JPMorgan Chase and Booking.com are doing in production right now with AI-assisted threat modeling. There is also a real conversation about AI as a new attack surface that existing frameworks were not built to handle, and where the ownership gap between security and ML engineering is quietly compounding risk. If you work in Application Security, Product Security, DevSecOps, or Software Supply Chain Security, this one is going to hit close to home. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 27: Anthropic dropped Claude Code Security and wiped $10 billion off cybersecurity stocks in a single afternoon. Some of that panic was justified. Most of it wasn't. This week Kurt, Cameron, and special guest Blake Beus, a software engineer turned AppSec dark Sith lord, dig into what actually changed and what the industry is getting completely wrong about it. They break down the DARPA AIxCC result that nobody talks about enough, where AI systems found real vulnerabilities in production code for $152 a finding. They get honest about the 20-year AppSec loop that is finally breaking, which careers are quietly at risk, and what the team of 2028 actually looks like. Then they get into the compliance gap that is going to catch organizations off guard, and call out the security vendors who are already in trouble and just don't know it yet. Blake brings the hot takes. Cameron brings the concern. Kurt holds the architecture together. It gets spicy. If you work in Application Security, Product Security, DevSecOps, AI Security, or Software Supply Chain Security, this one is going to hit close to home. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 26: We put a CISO in the hot seat and told him no corporate answers allowed. This week Kurt and Cameron sit down with Billy Spears, a seasoned cybersecurity leader who has served in CISO, CIO, and CTO roles across public companies and national security environments. Billy came ready to be honest about what the role actually looks like when the dashboards are up at midnight and nobody else is in the room. The conversation gets into whether the CISO role is impossible or just undefined, why technical roots still matter when you are briefing the board, and how compliance focus quietly replaces real risk management when nobody is paying attention. Billy breaks down what trust actually means in cybersecurity leadership and why chasing perfection is a trap that burns out teams and stalls programs. Kurt and Cameron push back, dig in, and land on something practitioners rarely hear out loud: stop building for the threat you can predict, and start building durability for the one you cannot. If you work in Application Security, Product Security, DevSecOps, or cybersecurity leadership and you want an unfiltered look at what it takes to lead security programs without losing your mind, this one is for you. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 25: Your roadmap looked great in January. It is February and AI just rewrote half of it for you. This week, Kurt and Cameron bring Chelise and Caroline Wong to the table for a four-person roundtable on cybersecurity leadership and the messy reality of running a security program. They dig into why security teams keep getting called the Department of No, how AI is forcing roadmap pivots faster than teams can keep up, and what it actually takes to prove Application Security and Product Security value when your best day means nothing happened. The crew gets honest about compliance frustrations, risk registers that become black holes, and why "we need an AI strategy" is the new way your roadmap dies overnight. Caroline shares hard-earned insight on becoming a strategic business leader instead of just a technical one. Chelise brings the project management reality check nobody asked for but everyone needed. If you work in DevSecOps, cybersecurity leadership, or you are tired of watching your plans implode by Q2, grab your coffee and settle in. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 24: AI security is already happening in production, and most teams are governing systems after they're live, not during design. So this week, Kurt and Cameron sit down with special guest Tarak, a Co-Founder, Cloud Platform Builder, and Cyber AI Agents Architect, to break down what happens when AI agents ship faster than security policies can keep up. From shadow AI sprawling across consumer tools even when enterprise copilots exist, to provenance gaps that break incident response before it starts, to automation that hides real breaches in a sea of low-confidence alerts, this episode tackles the failure modes most teams are already seeing but haven't named yet. Your hosts dig into why retrofitting security onto AI systems collapses fast, how build pipelines change when AI shapes code before any control runs, and where human-in-the-loop boundaries actually matter versus where they just slow things down. It's an honest look at where AI genuinely helps Application Security teams and where it creates entirely new chaos, with real stories and zero vendor pitches. If you work in Product Security, DevSecOps, Application Security, or Software Supply Chain Security, or you just want to hear three security practitioners question reality while AI rewrites the rulebook, this episode is your jam. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 23: AI security keeps getting talked about, but incident response, supply chain risk, and people are still treated like someone else's problem. So this week, Kurt and Cameron grab their mugs and spend the episode walking through what actually happens when AI systems misbehave, agents start acting outside expectations, and traditional security playbooks stop lining up with reality. From AI-specific incident response that doesn't fit existing SOC workflows, to Software Supply Chain Security risks hiding in models, vendors, and embedded SaaS features, this episode gets into where things really break once AI is in production. They also dig into why AI training across teams matters more than most controls, how shadow AI keeps showing up in unexpected places, and why compliance pressure around AI is no longer theoretical as regulations and accountability get real. If you work in Cybersecurity, Application Security, Product Security, DevSecOps, or you're trying to prepare your org for AI incidents, audits, and uncomfortable questions, this episode will sound very familiar. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 22: AI is already inside your environment, whether you planned for it or not. So this week, Kurt and Cameron grab their mugs and talk through the AI security foundations that tend to break first, long before anyone calls it an incident. From gaining visibility into shadow AI and hidden agents, to setting up governance that does not drive usage underground, to building inventories that actually keep up with how fast AI changes, this episode digs into where things fall apart in real organizations. They also get into securing AI usage itself, from agents running with the wrong identities, to data leaking quietly through prompts and responses, to why traditional DLP and SDLC assumptions no longer hold. Along the way, they connect the dots between Cybersecurity, Application Security, Product Security, DevSecOps, Software Supply Chain Security, and AI, with honest takes, real-world examples, and a few moments of disbelief at how familiar these failures already feel. If you are responsible for AI risk, or you are about to be, this episode will sound uncomfortably close to home. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 21: Security teams love tools and checklists, but most failures start with people, pressure, and messy handoffs. So this week, Kurt and Cameron grab their mugs and break down what certifications do not teach, how human risk shows up in real incidents, and why security only works when it becomes a team sport. From rushed approvals and blurry ownership, to vulnerability management that turns into prioritization fights, to governance that looks solid until change hits, this episode follows the work where it actually breaks. Your hosts dig into why execution beats perfection, how context matters more than compliance, and where AI speeds up both delivery and abuse while teams are still trying to keep up. It is practical, a little chaotic, and full of moments that feel like "yeah, that tracks." If you work in Cybersecurity, Application Security, Product Security, DevSecOps, Software Supply Chain Security, or you are trying to scale security without losing your mind, this episode is for you. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 20: APIs are the backbone of modern apps, and attackers know it. This week, Kurt and Cameron break down the API security mess with stories from the trenches, practical fixes, and a few "how is this still happening" moments that'll make you check your own endpoints. From unauthenticated APIs sitting wide open to broken authorization bugs that let you change one ID and steal the whole database, the hosts walk through the Hall of Shame with examples that sting. They tackle the nightmare of zombie and shadow APIs nobody remembers deploying, explain why API inventory is nearly impossible to maintain, and explore how bots have evolved into AI agents that can scan, exploit, and exfiltrate faster than any human. Your hosts dig into why security through obscurity still exists in 2026, how to actually test APIs before attackers do, and what happens when AI shopping agents and MCP servers become the new attack surface. It's a tour through Application Security, DevSecOps, and Cybersecurity realities with humor and zero fluff. If you're building or defending APIs, this episode is required listening. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 19: Cloud security keeps getting more complicated, but identity keeps getting ignored. So this week, Kurt and Cameron grab their coffee and dig into why identity failures are quietly powering most modern cloud incidents. From service accounts that never die, to Kubernetes clusters held together with cluster-admin access and hope, to APIs nobody remembers exposing, this episode walks through the real reasons cloud security keeps falling apart at scale. They talk through why teams still treat workload identities like humans, how Kubernetes creates a false sense of safety, why API sprawl and logging pipelines leak more data than people realize, and where AI actually helps versus where it just adds noise and false confidence. There's no vendor pitch here. Just honest conversations about tradeoffs, broken assumptions, and the gap between cloud security best practices and what actually survives in production. If you work in Cybersecurity, Application Security, Product Security, DevSecOps, Software Supply Chain Security, or you're trying to make sense of cloud chaos without the buzzwords, this one's for you. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 18: 2026 is getting closer, and security is already acting weird. So this week, Kurt and Cameron grab their mugs and talk through what they see coming next for Product Security and the teams trying to keep up. From AI agents showing up in the SOC, AppSec, DevSecOps, and GRC, to supply chain risks getting deeper and harder to see, this episode walks through the trends that are starting to take shape right now. The kind that change how work actually gets done, not just how tools are marketed. They unpack how AI is speeding up code, reviews, and attacks at the same time, why remediation speed is becoming the real bottleneck, and how identity, cloud, and infrastructure are turning into the main battlegrounds. There are strong opinions, a few laughs, and plenty of moments where the future feels exciting and a little uncomfortable. If you work in Cybersecurity, Application Security, Product Security, DevSecOps, or Software Supply Chain Security, this episode is a look at 2026 through the lens of people who live this stuff every day. All powered by coffee and curiosity. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 17: Breaking into cybersecurity without a degree feels impossible, yet people do it every single day. So this week, Cameron and Kurt grab their mugs and get real about how career changers actually break into Product Security, Application Security, DevSecOps, and Cloud Security when their background looks nothing like tech. Your hosts dive into the honest truth behind this path: the rejection, the gatekeeping, and the internal drive it takes to push through. They explore how personal brand becomes your signal in a noisy market, how a strong pivot story makes people want to invest in you, why networking still matters more than any certification, and which technical skills help you stand out early. They even dig into how AI has become a learning accelerator for anyone who knows how to use it with intention. If you are trying to make the jump into security or you want to help someone who is, this episode gives you a roadmap instead of a motivational slogan. New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 16: Last week we mapped the problem; now we break the system. Kurt and Cameron return with part two of our vulnerability deep dive, tackling CVSS chaos, broken tooling, exploding CVE volume, and how AI is about to overwhelm traditional prioritization models. From exposure validation turning 15,000 findings into 300 actionable items, to ASPM finally giving Product Security teams real visibility, to PCI-DSS forcing companies to patch issues that don't matter, this episode explores where vulnerability management is heading and what "good" will need to look like next. If you care about Cybersecurity, DevSecOps, Software Supply Chain Security, or how AI will reshape the VM landscape, this one is your next caffeine boost. New episodes every Wednesday. Coffee, Chaos & ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 15: Vulnerabilities are piling up faster than teams can read the reports, and vulnerability management is buckling under the weight. So this week, Kurt and Cameron grab their mugs and dig into why modern VM feels impossible, why severity scores mislead everyone, and how reachability and exploitability matter far more than giant spreadsheets of "critical" issues. From CVSS confusion, to EPSS and CISA KEV reshaping prioritization, to AI accelerating discovery and noise, this episode unpacks how we got here and why most organizations are fixing the wrong things. If you work in Cybersecurity, Application Security, Product Security, DevSecOps, or you simply enjoy hearing two leaders question the entire VM ecosystem, this one is for you. New episodes every Wednesday. Coffee, Chaos & ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos and ProdSec, Ep 14: DevSecOps gets thrown around in cybersecurity more than any other term, but almost no one agrees on what it actually means. So this week, Kurt and Cameron pour fresh mugs and unpack the real practices behind modern Application Security, Product Security, DevSecOps, and Software Supply Chain Security without the marketing fluff. From threat modeling and architecture reviews, to CI/CD guardrails, identity patterns, SBOMs, pipeline automation, and why DAST still refuses to fit anywhere, this episode digs into how security can integrate into the entire software lifecycle without slowing teams down. Cameron and Kurt break down why DevSecOps is more culture than tooling, how design flaws start long before code, what AI is about to break next, and why "shift everywhere" beats "shift left" every time. If you work in cybersecurity or just enjoy hearing two security leaders question reality over caffeine, this one is your new weekly ritual. New episodes every Wednesday. Coffee, Chaos & ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos & ProdSec, Ep 13: This week, Cameron and Kurt tackle the questions everyone claims to understand but absolutely argues about in every cloud meeting. What is the cloud really? Why is identity suddenly the perimeter? And how did Kubernetes quietly become everyone's new production environment? We break down the real concerns behind cloud sprawl, misconfigurations, and identity chaos, plus why CSPM, CWPP, CASB, DSPM, and a dozen other acronyms all matter more than people want to admit. We get into: why cloud security shifted to identity first, the real risk of skipping CSPM, protecting Kubernetes without tears, API chaos and data exposure, and the tech stack modern teams actually need. New episodes every Wednesday. Coffee, Chaos & ProdSec -> strong coffee, stronger opinions.
🎙️ Coffee, Chaos & ProdSec, Ep 12: The OWASP Top 10:2025 RC1 is here, and it is already causing chaos. So this week, Kurt and Cameron grab their mugs and break down every category with real-world stories, honest takes, and a few spicy opinions on why some vulnerabilities just will not go away. From Broken Access Control dominating the charts again, to Misconfigurations that keep haunting cloud teams, to classic Injection failures refusing to stay in the past, this episode digs into the patterns behind the list and what they reveal about the state of modern security. Your hosts explore how design flaws emerge long before code is written, why authentication failures keep showing up in new forms, and how logging gaps continue to blind even mature orgs. It is a guided tour through the list with humor, insight, and the occasional "I cannot believe this still happens" moment. If you work in AppSec, Product Security, DevSecOps, or you simply enjoy hearing two security leaders question reality over a cup of coffee, this episode is your new weekly ritual. New episodes every Wednesday. Tune in, patch your brain, and embrace the beautiful mess of the OWASP Top 10:2025 RC1.