- This Week on Absolute AppSec
- Posts
- Episode #250
Episode #250
Security Startups, Polyfill Takeover
This week, Seth and Ken celebrate their 250th episode of Absolute Appsec, reflecting on the many fascinating conversations they’ve had with industry leaders since starting this podcast. This week, though, the two find themselves alone, and they help catch us up on recent happenings and conversations in the world of application security. Full Episode Video at: https://www.youtube.com/live/DRcjrvomyRs
Seth and Ken first delved into the complexities of venture capital funding for security tooling based on a recent article from tldr;sec. While VCs often want to invest in companies that are solving broader market problems, the high-risk nature of the security tooling domain leads to slower and more onerous procurement processes, risk-averse buyers preferring to do things internally, and a lack of available funding to get small ventures over the initial hurdles. This can have impacts on both product development and business growth. Specifically, Seth and Ken discussed the news of PortSwigger receiving $112 million in funding. This raises anxieties about shifts in product focus and memory management issues in Burp Suite. The future of Burp Suite in the enterprise space with this funding might enable PortSwigger to speed up development and expand their research efforts to better cater to more sophisticated needs but also comes alongside the pressure to deliver financial returns and deviation from their user-centric approach to instead cater to investor demands.
“The open-source community needs better mechanisms to monitor and respond to supply chain attacks.”
A significant portion of this episode was dedicated to discussing the recent Polyfill security incident, which has been causing confusion within the developer community. In February, the domain polypill [io] changed ownership to a Chinese company and has since been serving malicious content, potentially affecting hundreds of thousands of websites that relied on this CDN. It wasn’t until June 2024 that the issue was widely detected and reported. The incident has led to a resurgence of conversations about the inherent risks of relying on third-party services for critical components of web applications, especially without the implementation of SRI. This incident has highlighted the importance of developer/maintainer transparency about changes in ownership and control, allowing the community to stay informed and take the necessary precautions.
“Polyfill dot io's domain issue highlights the risks associated with third-party libraries and domains.”
if you would like to continue the conversation or have additional thoughts, join us in Slack. On top of that, new Absolute AppSec swag is available at merch.absoluteappsec.com. Initial shipments have gone out, so support the podcast today and look good doing it.
Stay Secure,
Seth & Ken
Episode #250 was sponsored by Redpoint Security. Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of applications, including web, mobile, AI and web3 apps. Redpoint also offers training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.
https://youtube.com/live/TJyl4CESnMk - Episode #218 with Cole Cornford - Security Startups, Developer Training
https://youtube.com/live/EoaWnNwSS8o - Episode #200 with Jerry Gamblin - Startups, CVEs
https://youtube.com/live/NsMx36Qe4aQ - Episode #244 with Kyle Kelly - Software Security Supply Chain
Absolute AppSec Happenings
https://pluralistic.net/2024/06/28/dealer-management-software/#antonin-scalia-stole-your-car - Cory Doctorow goes into security flaws and issues with companies that are “too big to fail”.
https://x.com/RSnake/status/1805597911314473159 - RSnake (Robert Hansen) highlights industry issues when CISOs buy security startup products in order to inflate startup value and increase their ownership value.
https://www.linkedin.com/pulse/what-i-learned-making-sca-tool-2024-christopher-langton-pp3ac - Adventures in rolling your own SCA Tool, which may or may not be a necessity depending on the targeted language, dependencies, environment, etc.