Securing Software's Journey with the OWASP SPVS - Ido Geffen, Rohan Ravindranath, Cameron W., Farshad Abasi - ASW #378
This episode of Application Security Weekly dives deep into the OWASP Secure Pipeline Verification Standard (SPVS), a new framework co-created by Farshad Abasi and Cameron Walters to address the growing security risks in CI/CD pipelines. The conversation explores why SPVS was needed beyond existing standards like the OWASP Top 10, emphasizing its broad scope—from code inception to deployment—and its focus on modern threats like AI-driven development and supply chain attacks. The guests highlight how SPVS introduces maturity levels, community-driven feedback, and AI-specific controls to tackle agentic engineering, AI bombs, and unpredictable AI behavior. They also discuss real-world applicability, using the Axios/NPM breach as a case study, and stress the importance of 'upgrade with intent' over passive package cooldowns. Later segments feature Rohan Ravindranath on Zero Trust as Code, advocating for embedding security policies into infrastructure pipelines with automated drift detection, and Ido Geffen of Novi Security, who presents an AI-powered penetration testing platform that goes beyond vulnerability scanning by offering exploitability validation, full transparency, and custom remediation guidance—especially for business logic flaws and AI components.
SPVS is not just another Top 10—it’s a maturity-based, community-driven standard covering the entire software delivery lifecycle, from planning to operation.
AI-specific controls in SPVS address unique risks like agentic engineering, AI bombs, and unpredictable behavior, which traditional scripts can’t capture.
Security must be embedded early (shift-left) and codified as 'Zero Trust as Code' to avoid the 'gate at the end' problem and ensure consistent enforcement.
AI-powered pen testing should go beyond scanning: true exploitability validation, full transparency, and business logic-aware remediation are critical differentiators.
The 'upgrade with intent' principle replaces passive package cooldowns with proactive, risk-informed updates to reduce supply chain exposure.
Introducing the OWASP SPVS: Why a New Standard?
“We thought something like ASVS for pipelines would be a great idea.”
Scope and Structure: From Code Inception to Operation
The guests clarify that SPVS extends beyond CI/CD to include the entire SDLC—from planning and policy to operating and monitoring. They emphasize the importance of policy in the 'plan' stage and how controls are grouped by SDLC phases to improve usability and reduce overwhelm.
AI and the Future of Pipeline Security
“AI is neither a service nor a human. It can do unpredictable things kind of like a human, but it is not a human. So it warrants its own type of identity and its own type of security controls.”
Learning from Real Breaches: The Axios/NPM Case
“I found a couple different gaps. So do expect that there'll be a quick follow-up. That's what I'm actively working on right now...”
Zero Trust as Code: From Strategy to Reality
“The foundational idea of zero-trust-as-code is really simple, which is that your security policies shouldn't be treated any differently than your infrastructure code.”
“We are not stopping there right away. I mean, yeah, it is exploitable, but now what can you do with that? So give it the right level of utilization...”
Guests
Cameron Walters (person)
Farshad Abasi (person)
OWASP (organization)
SPVS (other)
Rohan Ravindranath (person)
Ido Geffen (person)
Novi Security (organization)
ZAPSEC (organization)
RSAC 2026 (other)
SBOM (other)
