Episode #248 with Rahil Parikh

Building AppSec Programs

For Episode 248 of Absolute AppSec, Seth and Ken are joined by Rahil Parikh. Rahil currently works at Zinnia, but got his start programming in Pascal. He holds a master’s degree in Information Security and began his career at Gotham Digital Science, where he gained extensive experience in offensive testing and penetration testing. He then took a Senior Security Engineer position at jet.com, working on the company’s application security program, and later moved to the New York Times and eventually to Policy Genius, where he expanded his expertise in security engineering and architecture.

“As you grow more into the role of information security, you quickly start realizing that security is only part of the job, whereas a lot of it is managing the relationship, building the trust, and making sure people do come to you when it is the right time for them to come to you.”

Rahil Parikh

Rahil emphasized the critical role of building relationships and trust within an organization. By identifying key stakeholders and establishing regular check-ins, InfoSec can be seen as a supportive partner rather than a blocker. His playful analogy to Costco’s focus on customer satisfaction was particularly insightful, a reminder that security programs should help, not hinder, organizational objectives.

The discussion then turned to the latest trends and tools in API security, highlighting the move towards dynamic and behavioral analysis over traditional pattern matching. This shift makes it easier to spot significant changes in how an API is used and the risks that come with them, so security measures become more robust. Modern tools are evolving beyond the traditional web application firewall: rather than only blocking suspicious requests, they also perform API discovery, highlighting endpoints that may be handling sensitive data without proper safeguards. Rahil also stressed the importance of contextual and behavioral analysis, that is, looking at the larger picture rather than at isolated patterns. By understanding user behavior over time, security tools can raise more accurate and meaningful alerts, reducing noise and improving response times.
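To make the two ideas above concrete (API discovery that flags endpoints returning sensitive data, and behavioral analysis that compares a client against its peers instead of matching a fixed pattern), here is a small added example. It is not code from the episode or from any product Rahil discussed; it assumes a hypothetical JSON access-log format with `client`, `method`, `path`, `auth` and `fields` keys, a hand-picked list of sensitive field names, and constructed sample lines, and the thresholds are illustrative.

```python
"""Added example: API discovery and peer-baseline behavioral analysis over access logs."""
import json
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample log lines (one JSON object per request). Not real traffic.
# The last eight lines simulate one client enumerating user records far faster than its peers.
SAMPLE_LOG_LINES = [
    '{"client": "10.0.0.5", "method": "GET", "path": "/api/users/101", "status": 200, "auth": true, "fields": ["id", "email", "ssn"]}',
    '{"client": "10.0.0.5", "method": "GET", "path": "/api/users/102", "status": 200, "auth": true, "fields": ["id", "email"]}',
    '{"client": "10.0.0.6", "method": "GET", "path": "/api/users/103", "status": 200, "auth": true, "fields": ["id", "email"]}',
    '{"client": "10.0.0.7", "method": "GET", "path": "/api/export/42", "status": 200, "auth": false, "fields": ["name", "card_number"]}',
    '{"client": "10.0.0.8", "method": "POST", "path": "/api/login", "status": 200, "auth": false, "fields": ["token"]}',
    'this line is malformed and should be skipped by the parser',
] + [
    '{"client": "10.0.0.9", "method": "GET", "path": "/api/users/%d", "status": 200, "auth": true, "fields": ["id", "email"]}' % n
    for n in range(200, 208)
]

# Hypothetical list of response field names treated as sensitive (assumption, tune per organization).
SENSITIVE_FIELDS = {"ssn", "card_number", "password", "dob"}

# Collapse numeric path segments so /api/users/101 and /api/users/102 are one endpoint.
ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def parse_logs(lines):
    """Parse JSON log lines, skipping malformed ones, and attach a normalized endpoint name."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not stop the whole analysis
        rec["endpoint"] = rec["method"] + " " + ID_SEGMENT.sub("/{id}", rec["path"])
        records.append(rec)
    return records


def discover_endpoints(records):
    """API discovery: build an inventory of endpoints with request counts,
    unauthenticated hits and any sensitive fields seen in their responses."""
    inventory = {}
    for rec in records:
        entry = inventory.setdefault(
            rec["endpoint"], {"requests": 0, "unauthenticated": 0, "sensitive_fields": set()}
        )
        entry["requests"] += 1
        if not rec.get("auth", False):
            entry["unauthenticated"] += 1
        entry["sensitive_fields"].update(SENSITIVE_FIELDS.intersection(rec.get("fields", [])))
    return inventory


def risky_endpoints(inventory):
    """Endpoints that both return sensitive fields and were reached without authentication."""
    return sorted(ep for ep, e in inventory.items() if e["sensitive_fields"] and e["unauthenticated"] > 0)


def behavioral_outliers(records, factor=3.0, min_requests=5):
    """Behavioral analysis: per endpoint, compare each client's request count with the
    median of its peers; flag clients well above that baseline. No request pattern is matched."""
    per_endpoint = defaultdict(Counter)
    for rec in records:
        per_endpoint[rec["endpoint"]][rec["client"]] += 1
    outliers = []
    for endpoint, counts in per_endpoint.items():
        if len(counts) < 2:
            continue  # no peers to compare against
        for client, n in counts.items():
            peers = [c for other, c in counts.items() if other != client]
            baseline = statistics.median(peers)
            if n >= min_requests and n > factor * baseline:
                outliers.append((endpoint, client, n, baseline))
    return sorted(outliers)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOG_LINES)
    inv = discover_endpoints(recs)
    print("Endpoints returning sensitive data without auth:", risky_endpoints(inv))
    print("Clients far above their peers on an endpoint:", behavioral_outliers(recs))
```

On the sample data the discovery pass flags only the export endpoint (the users endpoint also returns `ssn`, but every hit was authenticated), and the behavioral pass flags the client that fetched eight user records while its peers fetched one or two; no signature for "enumeration" was needed, which is the point of the shift the episode describes.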

“As long as people trust you, you’re going to be successful. What I’ve found over many years is [that] much of the work that you do is actually not done by you, but people do it for you.”

Rahil Parikh

Rahil also offered practical advice to those looking to enter the field:

  1. Certification and Community Involvement - Reputable certifications demonstrate your commitment to and interest in the field.

  2. Fundamental Knowledge - Understand the basic security concepts and be able to answer questions like: “What is the HTTP protocol?”, “Explain cross-site scripting to a non-technical user”, and “How would you introduce the concept of authorization to a 15-year-old?”

  3. Methodology and Practical Experience - Those who can explain not just what they did, but how and why they did it, will thrive.

Don’t miss out on the ongoing discussions in our Slack channel! Connect with like-minded professionals, share your thoughts, and stay updated on the latest in AppSec. Tune in to Episode 248 to hear Rahil’s full story and gain deeper insights into the evolving world of application security.

Stay secure, 

Seth & Ken

The following episodes from the archives cover similar topics.

https://youtu.be/68T-If1d-Mc - Episode #33 with John Melton - Building AppSec programs, static analysis tools, and contributing to open source.

https://youtu.be/4_BxM-tCjf0 - Episode #36 with Mike McCabe - A discussion with Mike McCabe, from the early days of cloud security, on building application security programs.

https://youtube.com/live/THvjSVgaehE - Episode #216 - Seth and Ken dig into the security SDLC and the concept of pushing left.

Absolute AppSec Happenings 

This week the following articles came up in Absolute AppSec Slack.

https://link.springer.com/article/10.1007/s10676-024-09775-5 - A scholarly article arguing that ChatGPT’s hallucinations are, by definition, bullshit.

https://github.com/mathjax/MathJax/issues/3129 - A vulnerability shared in Slack that appears to be CSS injection through the font-family parameter of the MathJax package’s unicode extension.

https://arxiv.org/abs/2406.01637 - A follow-up to earlier research on using LLMs to exploit 1-day CVEs. This time the team uses a team of LLM agents to exploit zero-day vulnerabilities.