Episode #224 w/ Jeevan Singh

On democratizing vulnerability management, executive positions, and non-linear career growth--all the way back from 2023.

This week on Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) are out of the office, so we’re blasting into the past with episode #224 featuring Jeevan Singh. Singh, currently a Principal Security Engineer at Rippling, brings a wealth of experience from his time as a director of Product Security at Twilio and Segment. This conversation from 2023 centers on his rare and courageous decision to move from a high-status director role back to an individual contributor position. Even years later, his advice on scaling security programs through cultural change rather than just technical enforcement is incredibly relevant for modern security leaders navigating hyper-growth environments. To listen to this episode, go to our YouTube channel or find us wherever you get your podcasts.

Jeevan is a prominent figure in the AppSec community, known for his work in democratizing vulnerability management and his leadership within OWASP, where he runs the Vancouver chapter. Singh built his reputation at Segment, where he developed a pragmatic approach to threat modeling for developers, before moving into a directorial role following Segment’s acquisition by Twilio. Throughout his career, he has focused on the intersection of technical excellence and organizational culture, advocating for personal growth over merely climbing the corporate ladder.

“It’s very confusing for the engineering teams to know which [vulnerabilities were the] priority [post acquisition]. Like if you have a critical on the product security team, and you have a blocker on the vulnerability management team, which one takes precedence? So we went in better, trying to understand the problem, find solutions to the problem, and then implement the solution.”

Jeevan

A significant portion of the discussion focuses on Singh’s time at Twilio, an ecosystem that grew rather chaotically from 1,000 to 10,000 employees through numerous acquisitions. He explains that the biggest hurdle wasn’t just technical; it was the lack of standardization across siloed teams. To solve this, he implemented what he calls a “democratized vulnerability management” program. This shifted the burden of risk from security engineers, who were tired of “chasing” developers, to the actual risk owners—VP and SVP-level executives. By assigning high-priority tickets to senior leaders, Singh ensured that the security issues received the same visibility as product features.

Seth and Ken are both familiar with this struggle. Security often fails because it doesn’t speak the language of business owners who control the roadmap. Ken shares that GitHub utilized a similar fundamentals program to hold service owners accountable before executive boards. The experts agree that the most effective security programs are those that integrate seamlessly into existing engineering workflows rather than attempting to reinvent them.

“I want to move up in my personal growth ladder instead of the [corporate] ladder in itself.”

Jeevan

This episode dove into the intricacies of being a director at a remote-first, hyper-growth company, including Zoom fatigue and the erosion of technical skills. As a director, Singh spent upwards of 25 hours a week in meetings, often losing the muscle required for deep technical work. This shift in work balance left him feeling hypocritical, as he was advising his team to maintain a balance he could not achieve himself. Seth and Ken, both of whom have held executive roles, strongly related to this experience. During Ken’s transition from a more managerial position at GitHub into a more active product development role, he found that the human side of management, navigating politics and personnel issues, was far more complex and exhausting than any coding challenge. Focusing on coding complexities can be a form of relief from thornier human-focused management problems. In that vein, Ken, Seth, and Jeevan collectively argue that the industry should normalize career step backs, recognizing that they are more often than not a step forward in terms of personal happiness and professional impact.

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers developer appsec and secure-code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.

Sprouts are coming up, so now’s the time to display your solidarity along with your support for the Podcast. Check out the selection of green tees in our merch store (there are other colors as well). T-shirts are great gifts for yourself or your friends:

Spring green tees are available now!

If you’ve got thoughts on how Jeevan’s ideas or AppSec itself have transformed from 2023 to now, feel free to drop them in our Slack. We’ll be back to our regularly scheduled episodes next week, going live on Tuesday at 12 Noon Eastern, as always.

Stay Secure,

Seth & Ken

https://www.youtube.com/watch?v=O69_XP8sJys – Episode #131 - Jeevan Singh - Threat Modeling - Jeevan has a wealth of security experience and consequently wonderful insights on a lot of topics. This episode, in which Jeevan provides a lot of good advice for making threat modeling work for your organization, is one of our most watched/listened to. It’s true that sharks and lasers show up in the discussion, which may account for some of its popularity, but honestly, the show really will help you if you’re building security into your organization.

https://www.youtube.com/watch?v=RdMcMG4wCPo – Episode #51 - Jessica Ryan (@Jhyp3) - Jessica Ryan came on the podcast while she was working as a security consultant at TrustedSec. Today, she’s a staff security engineer at GoFundMe. Her path into application security and her work as a hacker provide some good insight into finding one’s place in the industry, and there is some good advice on methodology and process for conducting effective web application security assessments, including taking notes.

https://www.youtube.com/watch?v=VhkM3dCAdW8 – Episode #24 - Jason White (@misfir3) – This early episode with Jason covers his career transition from the developer side of organizations to security. Currently in ProdSec at GitHub, Jason also has advice on finding your place in the industry, along with practical insights such as “Don’t move twice in one year.”

Absolute AppSec Happenings

Exactly Why and How AI Will Replace Knowledge Work – Daniel Miessler argues that AI will replace knowledge workers because corporate environments are currently inefficient, defined by chaos, unclear visions, and inconsistent human performance. While many believe human creativity and expertise are irreplaceable, Miessler contends that expertise is simply a combination of knowledge, understanding, and intelligence—all areas where AI already excels or is rapidly improving through the permanent "ratchet" of digital knowledge capture.

Dangerous by Default: What OpenClaw CVE Record Tells Us About Agentic AI – A look at the recent OpenClaw critical vulnerabilities. These agentic systems created a lethal trifecta by combining access to private data, untrusted inputs, and external communication. This turned them into high-privilege backdoors, risking data exfiltration and complete system compromise.

Every significant B2B company is becoming a security company — Ross Haleliuk argues that every significant B2B platform, from HR and finance to cloud infrastructure, eventually becomes a security company. As businesses become tech-enabled, responsibility for protecting data shifts to the platforms where work occurs. This trend drives major acquisitions and forces cybersecurity startups to rethink their competitive moat.

Upcoming Events

Where in the world are Seth and Ken?

April 7-8, 2026 - Harnessing LLMs for Application Security - In person at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!

April 26-27, 2026 - Harnessing LLMs for Application Security - In-person training at DEF CON Singapore. Be sure to register now if you’re looking to enhance your day-to-day AppSec processes with the power of LLM agents.

August 1-4, 2026 - AI-Enhanced Secure Code Review: Black Hat Edition - Seth and Ken are bringing a four-day exclusive course to Black Hat. This is an update on the exclusive version of the course offered at Black Hat Europe. Early bird pricing is ongoing, so it’s a great opportunity to get a truly in-depth understanding of secure code review and how it can be empowered through LLM tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.