Episode #269
Security Conferences, What Sucks in (App)Sec
This week on Absolute AppSec, Ken (@cktricky) and Seth (@sethlaw) are back to complain, inspired by a recent TL;DRSec post from Maya Kaczorowski on “What Sucks about Security,” which led our hosts to ask “what sucks in AppSec?” You can find this episode at https://www.youtube.com/watch?v=hQOm1sKhY2I, or you can find Absolute AppSec wherever you get your podcasts.
AppSec is being transformed by agent-based AI models, which let tools reach out to external resources such as web searches or code repositories to improve their decisions and accuracy. Ken and Seth highlighted how this paradigm shifts traditional LLM capabilities, enabling “agentic” behaviors where AI tools proactively seek additional data or tools to complete a task. While they acknowledged the excitement around these advances, the hosts also cautioned against over-reliance on AI. They stressed that while LLMs can handle certain repetitive tasks, more complex or organization-specific issues still require human judgement and expertise. This balance of automation and oversight is increasingly critical as companies integrate AI into their workflows. They referenced their recent online training on using LLMs to detect insecure direct object references (IDORs) as an example of the technology’s potential, demonstrating how to integrate LLMs into structured workflows. The class gave attendees both technical depth and a practical lens through which to evaluate AI’s role in application security. If you missed the virtual Harnessing LLMs for Application Security course, you’re in luck: another session has been scheduled for January 23-24. The course highlights practical uses of large language models in application security, teaching participants how to extract actionable insights effectively. To sign up for this virtual class, go to https://training.absoluteappsec.com/.
“The reason why they have these events is because it is a business [itself]. Someone is paying to put on this event to gather more business. […] It’s going to always be a factor in running those conferences.”
This week, Seth and Ken discuss a contentious open letter to the cybersecurity community that criticized the commercialization of industry conferences, alleging that vendor-driven marketing often overshadows genuine collaboration and technical value. While the letter raised some valid concerns, Ken and Seth were critical of its tone and perceived hypocrisy. Upon further digging, Ken discovered that the critique itself was a marketing effort promoting a new, self-described “collaborative” conference. There is a frustrating irony in using a critique of commercialization to drive attendance at another marketing-heavy event, especially since it ignores the hard work and diverse formats of existing conferences, which range from highly technical gatherings like DEF CON to CISO-centric forums. The industry does have a tendency to prioritize lead generation over meaningful engagement. To address these structural issues, Seth and Ken urge community members to contribute positively by organizing, volunteering, or presenting rather than critiquing from the sidelines.
“The budget thing affects everything, from your tooling to your people, to your culture, everything.”
This episode nodded to Maya Kaczorowski’s research into the pain points faced by security leaders, titled “What Sucks in Security.” Maya interviewed CISOs and other industry leaders to uncover recurring frustrations in security, such as tool overload, ineffective communication, and budgetary limitations. This led Ken and Seth into a discussion of the persistent challenges in the application security field, drawing on their experiences and interactions with clients and peers. Here are some key pain points:
Tool Fragmentation and Overload: Organizations often juggle multiple security tools, each with limited functionality or specificity. Despite efforts by vendors to consolidate capabilities, the result is often a jack-of-all-trades approach that fails to excel in any particular area. This is frustrating for security teams, who still require significant manual effort to address organization-specific vulnerabilities.
Division Between Security and Development Teams: Seth highlighted the enduring disconnect between security engineers and developers, noting misaligned goals and a lack of executive support as root causes. This gap often leads to stalled progress in implementing robust application security programs, particularly when key champions within organizations leave and programs regress.
Economic and Resource Constraints: Ken discussed the broader economic pressures affecting the industry, including tightened budgets, reduced hiring, and limited travel opportunities. These constraints exacerbate existing challenges, from under-resourced security teams to insufficient investments in tools and training.
This episode is sponsored by DryRun Security. DryRun Security delivers near-instant security code reviews and feels as if you’ve just hired a team of the best AppSec code reviewers. It gathers security context in just seconds after a developer makes a change. From that gathered context, the company’s proprietary code review process interrogates each code change based on behaviors, not just static patterns. Try it free for yourself at https://dryrun.security.
Wow! You still aren’t rocking some Absolute AppSec swag? Visit the merch store and pick up something that will keep those noggins warm. Or just join Seth and Ken in Slack.
Stay Secure,
Seth & Ken
https://youtube.com/live/OMyqgehMDhU - Episode #248 w/ Rahil Parikh - Building AppSec Programs - Rahil talks about his background and leading security teams to success.
https://youtube.com/live/X79M7sqfEAg - Episode #242 - LLMs Exploiting Vulns, State of DevSecOps - After talking about the use of LLMs to exploit vulnerabilities, Seth and Ken dig into the current state of DevSecOps and their gut feelings on needs and failures in that space.
https://youtube.com/live/gHexk2F-ycE - Episode #229 - Software Supply Chain Security, 2024 Predictions - Given the ending of 2024, it’s about time to review the predictions that we made for the year. How about you? Were you correct? Did AI take over your daily life? Or did it go as planned?
Absolute AppSec Happenings
https://x.com/Xbow/status/1869053482642362846 - File this one under “AI is coming for your jobs” - XBow used their AI/LLM technology to become one of the top bug bounty researchers (with associated payouts) during the research period. Listeners in Slack have a lot of questions about the methodology, experience, etc., of the participants. I expect to see more of these sorts of gains over the next year.
https://sourcecodered.com/npm-packages-deploy-malware/ - More good research into the npm package ecosystem from 6mile and SourceCode Red on Slack. Watering hole attacks continue in popular ecosystems. No one should be shocked, but this sort of analysis is crucial to keeping the community safe.
https://alsmola.medium.com/access-approvals-considered-harmful-f24fa2fe2f87 - An article we didn’t get to during the podcast but deserves some scrutiny. Alex Smolen (yes, he’s been on the podcast) digs into ways that access approvals fail and why it happens. We always love a good explanation series into breakdowns between authentication and authorization controls. “Instead of relying on access approvals, systems should focus on creating pathways with context-appropriate least privilege access.” Somehow I think we still have a long way to go before this happens.
Upcoming Events
Seth and Ken can be found across the globe and virtually.
February 14-15, 2025 - CactusCon, Mesa, AZ - Ken is speaking, Seth may or may not make an appearance for drinks, discussions, and some crocs&socks.
January 23-24, 2025 - Harnessing LLMs for Application Security - Virtual Training - Next opportunity for the new course that focuses on strategies for using more than just the chat interface of an LLM to secure software.
February ??, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1, if you have specific dates you would like to see, please reach out (via email or Slack).
June 28-29, 2025 - DEF CON Trainings, Seattle, WA - Seth and Ken will present one of the courses. Watch this space for additional details once it is fully posted.