Episode #250

Security Startups, Polyfill Takeover

This week, Seth and Ken celebrate their 250th episode of Absolute Appsec, reflecting on the many fascinating conversations they’ve had with industry leaders since starting this podcast. This week, though, the two find themselves alone, and they help catch us up on recent happenings and conversations in the world of application security. Full Episode Video at: https://www.youtube.com/live/DRcjrvomyRs

Seth and Ken first delved into the complexities of venture capital funding for security tooling, based on a recent article from tl;dr sec. While VCs often want to invest in companies that are solving broader market problems, the high-risk nature of the security tooling market leads to slower and more onerous procurement processes, risk-averse buyers who prefer to build internally, and a lack of available funding to get small ventures over the initial hurdles. This affects both product development and business growth. Specifically, Seth and Ken discussed the news of PortSwigger receiving $112 million in funding, which raises anxieties about shifts in product focus and about memory management issues in Burp Suite. With this funding, PortSwigger may be able to speed up development and expand its research efforts to better serve more sophisticated enterprise needs, but the money also brings pressure to deliver financial returns and to deviate from a user-centric approach in favor of investor demands.

“The open-source community needs better mechanisms to monitor and respond to supply chain attacks.”

Ken Johnson

A significant portion of this episode was dedicated to discussing the recent Polyfill security incident, which has been causing confusion within the developer community. In February, the domain polyfill [io] changed ownership to a Chinese company and has since been serving malicious content, potentially affecting hundreds of thousands of websites that relied on this CDN. It wasn’t until June 2024 that the issue was widely detected and reported. The incident has led to a resurgence of conversations about the inherent risks of relying on third-party services for critical components of web applications, especially without Subresource Integrity (SRI), which lets a page pin the exact hash of the script it expects so that a browser refuses to run anything else served from that URL. This incident has highlighted the importance of developer/maintainer transparency about changes in ownership and control, allowing the community to stay informed and take the necessary precautions.

“Polyfill dot io's domain issue highlights the risks associated with third-party libraries and domains.”

Seth Law

If you would like to continue the conversation or have additional thoughts, join us in Slack. On top of that, new Absolute AppSec swag is available at merch.absoluteappsec.com. Initial shipments have gone out, so support the podcast today and look good doing it.

Stay Secure,

Seth & Ken

Episode #250 was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of applications, including web, mobile, AI and web3 apps. Redpoint also offers training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

https://youtube.com/live/TJyl4CESnMk - Episode #218 with Cole Cornford - Security Startups, Developer Training

https://youtube.com/live/EoaWnNwSS8o - Episode #200 with Jerry Gamblin - Startups, CVEs

https://youtube.com/live/NsMx36Qe4aQ - Episode #244 with Kyle Kelly - Software Security Supply Chain

Absolute AppSec Happenings

https://pluralistic.net/2024/06/28/dealer-management-software/#antonin-scalia-stole-your-car - Cory Doctorow goes into security flaws and issues with companies that are “too big to fail”.

https://x.com/RSnake/status/1805597911314473159 - RSnake (Robert Hansen) highlights industry issues when CISOs buy security startup products in order to inflate startup value and increase their ownership value.

https://www.linkedin.com/pulse/what-i-learned-making-sca-tool-2024-christopher-langton-pp3ac - Adventures in rolling your own SCA Tool, which may or may not be a necessity depending on the targeted language, dependencies, environment, etc.