Episode #267 with Clint Gibler
Curating a Newsletter, Secure Defaults
This week on Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) welcome Clint Gibler (@clintgibler), head of Security Research at Semgrep and the force behind TL;DRSec (tldrsec.com), back to the podcast to discuss his newsletter’s role in the security community and take a detour into a discussion on secure defaults. You can catch this episode at https://www.youtube.com/watch?v=FIJBmGr5YtA or find Absolute AppSec wherever you get your podcasts.
During Clint’s time at Semgrep, the company has grown from a 20-person team to over 150 employees, and its product has matured from a single code-scanning tool into a comprehensive suite, including SaaS, SCA, secret scanning, and AI-powered features. Meanwhile, Clint’s TL;DRSec newsletter has grown exponentially, becoming a go-to resource for security professionals on all things AppSec, cloud security, and more.
“The newsletter journey has not just been reading [about] security, which is why I started it and is my favorite part, but there’s also a lot of the business aspect that I’ve had to learn about, like marketing, deliverability, sales, entrepreneurship. That’s been interesting as well.”
Clint highlighted the significant time and effort required to maintain TL;DRSec, which, outside of writing, includes staying active on social media platforms, monitoring other blogs, and sifting through messages from readers. He candidly discussed the late nights and personal sacrifices that go into ensuring the newsletter meets the standards he holds for it. His decision to adopt a sponsorship model has been instrumental in sustaining the project; the model emerged organically as companies recognized the value of advertising in a resource trusted by thousands of readers. Clint’s approach to sponsorship is deliberate: keeping the newsletter free comes first, and monetization is balanced against the authenticity of the sponsors he accepts. Beyond its utility, TL;DRSec has fostered a unique community whose members exchange valuable resources with one another. Despite the personal sacrifices, Clint describes this process as a “labor of love” that is deeply rewarding personally and has a positive impact on the community. Even with the challenges of overcoming burnout and maintaining motivation in the face of demanding workloads, Clint says that the overwhelmingly positive community support has been a constant source of encouragement.
“I think one of my predictions and hopes for the future is that gradually we, as a security community, do make this easier. I think it has gotten easier in terms of modern web frameworks, for example, [helping us] do a lot of things out of the box securely. […] [Today, even] if a developer never thinks about security, but they use a modern version of a modern framework, they’re going to be like 2-5x more ahead than they would have been like 10 years ago, even if they were more competent at security.”
Clint, whose job is to be a reliable source of news in the security world, has an especially informed perspective on what the next phase of security development might look like. One of the most transformative developments discussed was the increasing role of artificial intelligence in security. AI-powered tools are enhancing threat detection and analysis, enabling organizations to identify vulnerabilities more efficiently. In the next year, Clint sees AI’s potential to increasingly streamline developer workflows, making secure development more accessible and less time-consuming. Another important trend discussed was the growing emphasis on developer-centric security solutions. Clint pointed out that modern security tools need to integrate seamlessly into developers’ existing workflows, reducing friction while fostering collaboration between security and development teams. This shift represents a broader movement toward aligning security measures with productivity goals rather than positioning them as barriers. Clint also noted that the increasing reliance on open-source software has brought software supply chain security to the forefront of industry concerns. Many complexities are involved in managing these dependencies, securing third-party components, and mitigating risks in an interconnected development environment. Clint and our hosts emphasized the importance of adopting proactive measures and scalable strategies to address these challenges effectively.
This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.
If you haven’t yet, show your support of Absolute AppSec by visiting the merch store and picking up our coziest pieces to stay secure against the cold. As always, join Seth and Ken in Slack.
Stay Secure,
Seth & Ken
https://youtu.be/yjsE_DSnK5w - Episode #115 - Clint’s 2nd visit to the podcast where he walks through Semgrep and demonstrates writing rules, as discussed during this week’s episode.
https://youtu.be/pfNRgbGxtOc - Episode #77 - Clint’s initial episode with Ken and Seth from December 3, 2019. Beginnings of TL;DRSec and a good discussion on quashing bug classes. We have all come a long way in 5 years.
https://youtube.com/live/NsMx36Qe4aQ - Episode #244 - Kyle Kelly joins Seth Law and Ken Johnson to discuss the Cramhacks newsletter. As a consultant and researcher, Kyle specializes in supply chain security, a specialty that informs the views he publishes; even more, Cramhacks reflects his desire to help his readers become contributors to improving the cybersecurity landscape and the analysis of software supply chain security. https://www.cramhacks.com/
Absolute AppSec Happenings
https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html - I want to highlight this again, since it still needs discussion. Ranking the top vulnerabilities based on CWE doesn’t seem very effective. Come at me in Slack if you disagree.
https://danielmiessler.com/ - Highlighting some of the newsletters that we discussed with Clint. Daniel Miessler’s Unsupervised Learning is a great AI/LLM resource, on top of his well thought out positions (not all of which we agree with).
https://nastystereo.com/security/rails-_json-juggling-attack.html - Paraphrasing ndm from Slack, “Does anyone even use rails anymore”. An in-band signaling attack targeting JSON parsing in Rails. Always another way to attack popular frameworks.
Upcoming Events
Seth and Ken can be found across the globe and virtually.
February 14-15, 2025 - CactusCon, Mesa, AZ - Some of us may be there, some may not. Time will tell.
January 23-24, 2025 (tentative) - Harnessing LLMs for Application Security - Virtual Training - Next opportunity for the new course that focuses on strategies for using more than just the chat interface of an LLM to secure software.
TBD, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1, if you have specific dates you would like to see, please reach out (via email or Slack).
June 28-29, 2025 - DEF CON Trainings, Seattle, WA - Seth and Ken will present one of the courses. Watch this space for additional details once it is fully posted.