Episode #256 with John Poulin

Token Security, Staying Technical as a Manager

This week on Episode #255 of Absolute AppSec, Ken (@cktricky) is out of the office, so Seth (@sethlaw) is instead joined by guest co-host John Poulin (@forced_request), CTO of Cloud Security Partners, to dissect some current hot topics in application security. The episode starts with a discussion of virtual vs. in-person training events. Whichever format you prefer, consider getting some sweet Practical Secure Code Review training at training.absoluteappsec.com. For the full episode with video, go to: https://youtube.com/live/6HYLwjDB77g

Seth and John jump into the thought-provoking article from CrankySec, which discusses the evolving role of tokens in security and questions the symbolic versus practical function of work in this field. It argues that many security measures are symbolic tokens that check compliance boxes rather than actually improving security practices. This transformation is attributed to the nature of tokens themselves: abstract representations that might not hold real value. CrankySec draws a comparison between the high salaries of software engineers at tech giants like Meta and the relatively lower pay of IT security professionals. While engineers at high-profile companies are handsomely rewarded, the actual impact of their work, often focused on optimizing ad placements, might not be as valuable as the critical security work done by others who are paid far less. This discrepancy raises an important question: is the security work we’re doing truly valued, or is it becoming a token effort, more about appearances than substance? CrankySec’s call to action reflects frustration with an industry that seems more concerned with image than with actual results.

“If all of our developers understood security fundamentals, knew how to write secure code, maybe we wouldn’t need to focus as much on building AppSec engineers. […] We need folks early in their career to start understanding this stuff, and we have to adapt and learn how to train them, and learn how to gauge those metrics.”

John Poulin

Seth and John share their own reactions to CrankySec’s argument. While Seth acknowledges that there is a grain of truth to the idea that security work has become symbolic, especially in organizations that prioritize compliance over true security, he questions how pervasive this trend really is. It is frustrating that engineers at companies like Meta are well compensated for optimizing ad placements when that is less impactful than the critical security tasks performed by lower-paid roles, but it doesn’t necessarily diminish the importance of the work those engineers do in keeping massive platforms like Meta running smoothly and securely. John understands the frustrations expressed, particularly when it comes to comparing salaries, but argues that the reality is more nuanced. He points out that developers have been writing code for far longer than we have been securing it, which naturally leads to development outpacing security. However, he emphasizes the growing trend of integrating security into the development process as developers become more security-conscious and use tools like GitHub Actions to run security checks on every change, something that CrankySec’s article might overlook.
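As an illustration of the kind of integrated check John is describing, here is a minimal GitHub Actions workflow that runs CodeQL static analysis on every push and pull request. This is an added example, not code from the episode, from CrankySec, or from any project discussed; the repository language (javascript) and the default branch name (main) are assumptions to adjust for your own repository.

```yaml
# .github/workflows/codeql.yml
# Added example: run CodeQL on every push to the default branch and on every pull request.
name: CodeQL

on:
  push:
    branches: [main]          # assumption: the default branch is "main"
  pull_request:
    branches: [main]

# Least privilege for the workflow token: it only needs to read the repository
# and upload analysis results (SARIF) to code scanning.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumption: set to the language(s) actually in the repository

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
```

On a repository with code scanning enabled, the findings land on the pull request itself, which is what makes the feedback useful: the developer sees it while still thinking about the change rather than weeks later in a pentest report. The `permissions` block is worth keeping even in a tiny workflow, since it stops the job's token from being able to push code or alter repository settings if a step or a third-party action is ever compromised.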

“I know that I get [frustrated], especially when I’m looking at stuff that’s come out recently [that] I’m not keeping up, or I’m not producing at the level of someone else, but […] trying to build the business side of things does take away from the technical side. […] There’s a balance that you will have to create [for] what will actually move you forward and keep you technical enough.”

Seth Law

This leads Seth and John to an article from Keith Hoodlet, “Avoiding the Middle Management Trap,” which outlines how, during stints of leadership that demand attention more than continuous skill development, we can easily lose our muscle for hands-on-keyboard tasks. Staying technical not only provides career security by keeping options open but also enhances leadership effectiveness by building trust with technical teams and allowing for better project estimates. Keith outlines his four-stage process for staying technically sharp: studying, doing, teaching, and sacrificing. He also advises on avoiding burnout by establishing disciplined learning habits and setting aside focused time for technical growth. John and Seth heavily relate to this struggle against stagnation in their own technical abilities, connecting that maintenance to effective time management, motivation, and office culture. Keeping up takes a lot of dedication, and it is easy to let it fall through the cracks. From there, the conversation turns to imposter syndrome, a familiar feeling within this industry. Seth and John encourage managers to identify their priorities and set aside time to devote full attention to developing and learning technical skills.

One of the main takeaways from this week’s episode is the need for effective managers (including Seth and John) to stay technical. Keith does a good job describing ways to do this, but really it comes down to dedication, habits, and sacrifice. Just know that it’s worth it in the end. To chat with either Seth or John about these topics, join us on Slack. While you are at it, check out the new unicorn-themed swag available at merch.absoluteappsec.com.

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security. By Coders," which is bolstered by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

Stay Secure,

Seth & Ken

https://youtu.be/-yXMLsqmMpw - Episode #45 - Sean Poris talks about being an AppSec Manager.

https://youtube.com/live/QkxOztMfkoE - Episode #254 - Justin Collins gives his rundown on managing security.

https://youtube.com/live/IPCdTWXT5uQ - Episode #205 - Seth and Ken debate the death of code review and decline of AppSec.

Absolute AppSec Happenings

https://phrack.org/issues/71/1.html - A new issue of Phrack was released during DEF CON. This e-zine was influential early in Seth’s security journey and the latest issue does not disappoint. Check out the articles on Postgres SQL injection that features code review as well as the overview of cryptocurrency and stock financial markets.

https://crankysec.com/blog/dead/ - Another CrankySec post, but this time it’s about the death of infosec, so along the same vein as the discussed article. Thought provoking, but could also have been written by rfp in 2003 (for the gray hairs out there).

https://blog.cloudsecuritypartners.com/preventing-overreliance-proper-ways-to-use-llms/ - John’s company, Cloud Security Partners, gives some practical advice for using LLMs. While LLM-related articles are coming out with more frequency, we are seeing a trend where the advice is more applicable.