Episode #267 with Kinnaird McQuade
Building a Security Product
This week on Absolute AppSec’s 267th episode, Seth (@sethlaw) and Ken (@cktricky) sat down with Kinnaird McQuade to discuss the current happenings in AppSec and the intricacies of building a security product aimed at both applications and developers. You can catch the episode at https://www.youtube.com/watch?v=8U3Coq5lZ1I, or wherever you get your podcasts.
Kinnaird McQuade is the founder and CTO of NightVision. Like so many, he started as a computer science major, inspired by giants like Steve Jobs, until his transfer to Marymount University surrounded him with peers working in government cybersecurity roles. His curiosity deepened after reading The Hacker Playbook, which introduced him to hands-on offensive security techniques. The thrill of early exploits, like finding SQL injection and turning on connected webcams, hooked him and set the stage for his eventual pivot into professional security roles. Prior to NightVision, Kinnaird worked as a lead security engineer at both Salesforce and Square. At Salesforce, he built Cloudsplaining, an open-source tool that identified excessive AWS IAM permissions and assigned risk levels to the resulting misconfigurations. There, he started advocating for automation that catches vulnerabilities preemptively, wanting to reduce the reliance on after-the-fact manual fixes. During his time at Square, which he joined during the Log4j crisis, he used his side project, originally called “Doge Machine,” to scan infrastructure significantly faster than existing tools, cutting scan time from eight hours to 30 seconds. When he realized the tool’s potential to address broader security problems, he launched NightVision.
“If you ever want to start your own company, just go talk to a ton of customers and [ask] open-ended questions to learn about project development, and people will give you all sorts of free answers and pain points. They’ll say, I just wish somebody would solve this. You can learn so much from that.”
Application security has persistent challenges that have plagued the industry for years. Many practitioners are frustrated with legacy dynamic application security testing (DAST) tools for being slow, difficult to use, and poorly equipped to handle modern web technologies such as single-page applications (SPAs) and APIs. These tools often produce high rates of false positives, frustrating security teams and wasting valuable time. A related problem is the disconnect between security teams and developers. Traditional workflows, where security findings are delivered as lengthy PDF reports or flippantly thrown over the wall, fail to engage developers effectively. That approach creates friction, slows down resolution times, and ultimately undermines the goal of embedding security into the development lifecycle. Another critical issue explored was the low signal-to-noise ratio in security testing: tools that generate excessive false positives erode trust and efficiency, making it harder for teams to focus on real vulnerabilities. After listening to others in the industry vent about these problems, Kinnaird set out to solve them with the NightVision platform.
“It was about speed, ease of use, how effective it was against APIs, and […] how to make it actionable. [Before,] people would say, okay, I have a DAST tool, now I flip it into a PDF report or something, then I throw it over the wall like a grenade to the developers and say, ‘I found something. I don’t know where to fix it though, you figure that out.’ […] I wanted to fix all of that.”
NightVision grew out of these frustrations and addresses them with an integrated approach. One of its standout features is speed. Kinnaird explained how traditional tools like AppScan and Burp Suite often required extensive setup and could take hours, or even days, to complete scans; some older setups even required reserving scanning capacity on a shared calendar. In contrast, NightVision uses cloud-based orchestration and parallelization to finish scans in seconds. Another major piece is API testing. As APIs proliferate, often outnumbering traditional web application endpoints by a wide margin, NightVision first analyzes the code to learn API structures and expected inputs, then generates syntactically aware payloads for its DAST scans, so that tests are both faster and more targeted than blind fuzzing. Combining static and dynamic analysis also lets NightVision trace a dynamically confirmed vulnerability back to the source code responsible for it, helping developers fix issues at their roots rather than at the URL where they were observed. The platform aims to remove the traditional silos between security teams and developers by delivering findings directly through tools like GitHub, where pull request comments provide immediate feedback with detailed, actionable explanations of each vulnerability. It also works to keep noise down, careful not to overwhelm and distract users with false positives, and uses machine learning to refine its results over time, improving accuracy and adding context to findings. Kinnaird notes that NightVision’s focus extends beyond just finding vulnerabilities: it is about making those findings meaningful and actionable.
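As an added illustration of the idea above, and not NightVision’s own code, the script below shows what “syntactically aware” payload generation means in practice compared with blind fuzzing. It reads a constructed OpenAPI 3 fragment (the paths, fields and operationIds are made up for the example), builds a valid baseline request for each operation, and then swaps in exactly one type-appropriate payload per probe, so the request still passes the framework’s schema validation and reaches the handler. Each probe carries the operationId, which is the hook a tool needs to report a finding against the code that owns the endpoint rather than against a bare URL.

```python
"""Schema-aware probe generation for API DAST.

Added illustration, not NightVision's code. The OpenAPI 3 fragment below is
constructed for the example; the paths, fields and operationIds are made up.
"""
import copy
import json
from dataclasses import dataclass
from typing import Any, Optional

SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {
                "operationId": "getUser",
                "parameters": [
                    {"name": "id", "in": "path", "schema": {"type": "integer"}}
                ],
            }
        },
        "/orders": {
            "post": {
                "operationId": "createOrder",
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "type": "object",
                                "required": ["sku", "qty"],
                                "properties": {
                                    "sku": {"type": "string"},
                                    "qty": {"type": "integer"},
                                    "note": {"type": "string"},
                                },
                            }
                        }
                    }
                },
            }
        },
    }
}

# Payloads keyed by declared type. A string field gets injection strings; an
# integer field gets boundary values. Sending "' OR '1'='1" into qty would be
# rejected by JSON schema validation before any SQL ran, so a type-blind
# fuzzer ends up testing the validator instead of the handler.
PAYLOADS = {
    "string": ["' OR '1'='1", "<script>alert(1)</script>", "{{7*7}}", "../../etc/passwd"],
    "integer": [-1, 0, 2**31, 2**63],
}


@dataclass
class Probe:
    operation_id: str            # ties a finding back to the handler that owns it
    method: str
    url: str
    field: str                   # the single parameter being mutated
    payload: Any
    content_type: Optional[str] = None
    body: Optional[dict] = None  # JSON body as a dict; render() serializes it


def baseline(schema: dict) -> Any:
    """Minimal valid value for a schema fragment, so the request parses."""
    t = schema.get("type")
    if t == "object":
        return {k: baseline(v) for k, v in schema["properties"].items()}
    if t == "integer":
        return 1
    if t == "string":
        return "a"
    raise ValueError(f"unsupported schema type: {t}")


def generate_probes(spec: dict) -> list:
    """One probe per (parameter, payload): the valid baseline with exactly
    one field swapped for a type-appropriate payload."""
    probes = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            op_id = op["operationId"]
            for p in op.get("parameters", []):
                if p["in"] != "path":
                    continue  # query/header params omitted to keep the example short
                for payload in PAYLOADS[p["schema"]["type"]]:
                    url = path.replace("{%s}" % p["name"], str(payload))
                    probes.append(Probe(op_id, method.upper(), url, p["name"], payload))
            schema = (op.get("requestBody", {}).get("content", {})
                      .get("application/json", {}).get("schema"))
            if schema:
                base = baseline(schema)
                for field, fschema in schema["properties"].items():
                    for payload in PAYLOADS[fschema["type"]]:
                        body = copy.deepcopy(base)
                        body[field] = payload
                        probes.append(Probe(op_id, method.upper(), path, field, payload,
                                            "application/json", body))
    return probes


def render(probe: Probe, host: str = "api.example.test") -> str:
    """Raw HTTP/1.1 request text for a probe (for logging or replay)."""
    lines = [f"{probe.method} {probe.url} HTTP/1.1", f"Host: {host}"]
    body = ""
    if probe.body is not None:
        body = json.dumps(probe.body)
        lines += [f"Content-Type: {probe.content_type}", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    for pr in generate_probes(SPEC):
        print(f"[{pr.operation_id}] {pr.field} <- {pr.payload!r}")
        print(render(pr))
```

The two design choices worth noting are mutating one field at a time, so that a 500 or a time delay can be attributed to a specific parameter, and keeping the rest of the body exactly as the schema requires, so the probe exercises the application’s logic rather than its input validation. Response analysis, authentication and query/header parameters are left out here; a real scanner would also pull the schema from the codebase or a live spec instead of an inline dictionary.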
These innovations reflect a broader vision for application security, one that prioritizes speed and integration and that aims not merely to replace outdated tools but to keep pace with development in an era of increasingly complex infrastructure.
This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.
If you haven’t yet, show your support of Absolute AppSec by visiting the merch store and picking up our coziest pieces to stay secure against the cold. As always, join Seth and Ken in Slack.
Stay Secure,
Seth & Ken
https://youtu.be/VreqmGPAK7I - Episode #189 - Seth and Ken kick off another unique discussion by looking at a recent scholarly paper on security bypasses and workarounds by health care workers. Followed by a demo of AppMap, a development tool that shows code traces based on dynamic use. Finally, a discussion of PortSwigger's new Dastardly CI/CD tool and where it fits in the security SDLC.
https://youtube.com/live/Ggig1p21XuM - Episode #235 - 2023 Top 10 Web Hacking Techniques, LLM Agent Hacking - Ken and Seth take some time to digest the 2023 Web Hacking Techniques and recommend reviewing not only the top 10, but also the nominations. A discussion on the use of LLM Agents as a dynamic scanning engine for identifying vulnerabilities.
https://youtu.be/bmf5lIls7BM - Episode #152 - Breaches, Symbolic Execution, Dynamic vs. Static Assessments - A discussion on breach notification related to the GoDaddy disclosure. Understanding symbolic execution with Trail of Bits. The differences between dynamic and static assessments and why both are important.
Absolute AppSec Happenings
https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html - 2024 CWE Top 25 Most Dangerous Software Weaknesses according to MITRE. I am sure this will be discussed in the future on the podcast as we have feelings on the term “most dangerous” in reference to XSS.
https://github.com/Invicti-Security/brainstorm - New LLM-backed tool from Invicti Security that uses ffuf and an LLM to generate possible endpoints for scanning. Not much testing yet, but promising for discovery during dynamic assessments. Now someone go tie this to Burp (or maybe we will).
https://www.wiz.io/blog/wiz-to-acquire-dazz-transforming-risk-remediation-from-cloud-to-code - Acquisitions, acquisitions, acquisitions. This time Wiz moving more into the ASPM space. We must be in that portion of the business cycle. Any bets on who is next?
Upcoming Events
Seth and Ken can be found across the globe and virtually.
February 14-15, 2025 - CactusCon, Mesa, AZ - The duo has submitted talks, but there is no news yet on whether they have been accepted. Both are planning on a trip to the desert for this one, though.
TBD, 2025 - Harnessing LLMs for Application Security/Generative AI for Software Security - Virtual Training - A newly developed course that focuses on strategies for using more than just the chat interface of an LLM to secure software.
TBD, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1; if you have specific dates you would like to see, please reach out (via email or Slack).