AI-Powered AppSec, OWASP Origins, and Anthropic’s “Mythos” Model: Jeff Williams on What Changes Next

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that’s built for performance and scale. You can find them at Meter.com/cst

Jim hosts Jeff Williams (Contrast Security co-founder/CTO and former OWASP global chair) for a wide-ranging discussion that begins with Anthropic’s new “Mythos” model, described as powerful for finding zero-day vulnerabilities, and expands into how AppSec must evolve. Williams explains Contrast’s runtime instrumentation approach, recounts OWASP’s early days, the creation of WebGoat and the OWASP Top 10, and notes that many common vulnerabilities persist despite years of maturity models. They debate open source versus commercial security scrutiny, the likely high cost and scalability limits of advanced AI vulnerability discovery, and why finding more bugs matters only if remediation improves too. Williams argues for AI-powered “software factories” with feedback loops, assurance evidence, and runtime monitoring, and flags the EU Product Liability Directive treating software as a product with no-fault liability for security defects, including those from embedded open source.

00:00 AppSec Stuck in Ruts
00:42 Show Intro and Sponsor
01:40 What Contrast Security Does
02:35 OWASP Origins and WebGoat
04:33 Why the Top 10 Persists
06:28 Mythos Model Overview
08:05 Open Source Scrutiny Myth
11:31 Cost and Adoption Barriers
15:04 Finding vs Fixing Bugs
15:55 AI Code Quality Reality
17:46 AI Powered Software Factory
23:11 Building with AI in Practice
25:18 AppSec Metrics and New Approaches
26:42 Staying Optimistic as a CISO
28:00 EU Product Liability Shift
32:13 Bug Bounties in an AI World
34:06 Wrap Up and Outro