Episode #247 with Alejandro Saenz

ProdSec Metrics, Asset Monitoring, Vulnerability Management

This week on Absolute AppSec, Seth (@sethlaw) and Ken (@kenjohnson) are out of the office, so instead, let’s go back to June 2024, when our hosts interviewed Alejandro Saenz for the 247th episode. To watch this episode and binge our other old content, head to http://www.youtube.com/@AbsoluteAppSec or find us wherever you get your podcasts.

Alejandro, currently working in product security for Twilio, has been active in the application and product security fields for over a decade—and is a longtime friend and former colleague of Ken and Seth. After completing a CS degree in college, he landed a junior software engineer position at General Dynamics, where he worked on classified government projects related to geospatial intelligence. His time there exposed him to enterprise software development, agile methodologies, and large-scale system design. When Alejandro was convinced by a close childhood friend to apply for a security consulting role, he transitioned into application security, quickly developing new skills in security testing, code review, and vulnerability assessments.

“I didn’t really know what I was doing in terms of leadership, but I knew that if I was kind to [my team], it would be better for us to work together. I also ensured that I was in the trenches with them, developing my own skills.”

Alejandro

The conversation covers Alejandro’s early struggles with imposter syndrome in security consulting, particularly the pressure of writing detailed security reports for clients. He candidly shares how working at a consulting firm improved his technical writing skills and gave him a deeper understanding of secure software development. After gaining substantial experience in security, Alejandro briefly stepped away from consulting and returned to software engineering at Softrams, where he led a small development team. However, his security expertise quickly caught the attention of company leadership, and he was soon asked to conduct an internal security assessment. His findings led to the formation of a dedicated security team, and Alejandro found himself back in an application security role. One of the biggest takeaways he impressed upon listeners was the importance of working well with others. From entry-level roles to leadership positions, and whether in security consulting, internal security, or software engineering, the ability to communicate effectively with developers, product managers, and executives is crucial. By treating others with respect, being patient when delivering security findings, and dedicating yourself to fostering a collaborative approach rather than an adversarial one, you can get far in the security world.

“If you need to do something or have something to say, just put it on paper. It will then help us out in the future and help you with your features […] If we need[ed] help from another engineering team, having that documentation in place to say, hey, [here’s where] we need your help doing this… that starts collaboration.”

Alejandro

Eventually, Alejandro joined Twilio’s security team, where he still is today. This was an opportunity Alejandro earned based on recommendations by former colleagues. He initially applied for a security engineering role but was redirected into application security after a strong performance in the interview process. The transition turned out to be a great fit, allowing him to leverage both his software development and security expertise in a more integrated way. Twilio was a new challenge for Alejandro. Having previously worked in smaller teams or consulting environments, he was now faced with embedding security practices into a fast-moving, large-scale engineering organization. One thing he has learned there is the importance of documentation. Documentation and comprehensive writing are crucial, allowing you to connect your ideas with the right people. Vulnerability documentation, in particular, often refers to deprecated code or inaccessible APIs, which can lead to gaps in communication and camaraderie between different teams. When people have questions, documentation helps show a deeper understanding of both the problem and the solution, saving time and resources in the long run.

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.

Despite experiencing intermittent sun and snow, we’ve decided that it’s maybe time to just will spring into existence. So, if you’d like to support the show and snag yourself a Crocs’n’Socks t-shirt, the moment is ripe. Visit the merch store to pick your size.

And, as always, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack.

Stay Secure,

Seth & Ken

https://www.youtube.com/watch?v=bOR21l96zz4 - Episode #67 - This 2019 episode took place in a Vegas conference room, where Stefan Edwards and Bobby Tonic tell Seth and Ken about a recent large-scale project to run a Threat Model and Security Assessment of Kubernetes. Interesting insights on how a team takes on such an elephant-eating task, and one can’t help but think, similar to Alejandro’s thoughts above, about what makes teams successful.

https://youtu.be/WGBkmlc2Y6A - Episode #228 - The Chime Security team joins Ken and Seth to discuss Chime’s influential and effective Monocle product security program and some of the factors that influenced the shape it took. Bottom-up and top-down approaches to getting buy-in are discussed, as is an interesting example of how Chime tried to empower teams to get the information they needed at the right moment. David Trejo from Chime presents a tabletop exercise in which the security group responds to a discovered RCE in the organization, and asks what you want to have in place so you don’t need to scramble across all your security tooling in that moment.

https://www.youtube.com/watch?v=kXMwlQLKdH4 - Episode #95 - Jessica Rozhin and Lady Christina Liu - Discussions on forensics, incident response, and how lock picking can help build an infosec culture. This is a fun discussion as well about the interesting paths people take into Application Security careers.

Absolute AppSec Happenings

https://spectrum.ieee.org/10x-engineer- “In Praise of ‘Normal’ Engineers: A software engineer argues against the myth of the ‘10x engineer’” by Charity Majors, CTO at Honeycomb.io. This is a provocative discussion about how organizations should think in terms of teams (“The best engineering organizations are the ones where normal engineers can do great work.”) and not in terms of superstar devs.

https://medium.com/@attias.dor/the-burn-notice-part-2-5-ai-agents-when-everything-becomes-an-attack-surface-bbcece386f02 - “The Burn Notice, Part 2/5 | AI Agents: When Everything Becomes an Attack Surface” by Dor Attias. This article lays out an interesting attack chain that uses an HR AI assistant to develop an SSRF attack. It’s an interesting walkthrough of how AI agents can expose you to new risks, because, as the takeaway conclusion points out, “[AI agents’] inherent non-determinism, combined with their ability to invoke powerful tools and access an organization’s most critical assets, introduces entirely new attack surfaces — distinct from traditional cyber threats.”

https://www.dryrun.security/blog/dryrun-security-vs-traditional-sast-vendors-in-ruby-on-rails - Interesting and promising results here, and we should give Ken and the Dry Run team kudos for what they’re already able to do in the way of delivering true positives in vulnerability scanning.

Upcoming Events

Where in the world are Seth and Ken?

March 14, 2025 - Snowfroc - If you are in Denver, stop by and say hi to Ken as he mans a Dry Run booth at the Snowfroc conference.

March 27-28, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1. If you have specific dates you would like to see, please reach out (via email or Slack).

April 10-11, 2025 - BSides SLC - A new bit of research is being offered here at BSides SLC by Seth and Redpoint Security principal consultant Justin Larson. If you’re in Salt Lake, come see “Faces in the Fog: Identifying Users through Unconventional Means”.

April 26-27, 2025 - BSides San Francisco 2025 - State of (Absolute) AppSec - Ken and Seth will be hosting a panel on the current state of the application security industry with help from a few friends. Expect spicy takes, opinions, and wild predictions. If you have questions you would like to cover, submit them via this form.