- This Week on Absolute AppSec
- Posts
- Episode #27 w/ Jim Manico
Episode #27 w/ Jim Manico
The One True Secure Framework, Secure Code Best Practices
Seth Law
June 06, 2025
If you’ve been waiting for your opportunity to dive into code like Seth and Ken do, the LLM-enhanced course on Practical Secure-Code Review is coming in less than two week’s time.
This week on Absolute AppSec, we’re throwing it back to Episode 27 featuring Jim Manico (@manicode). Originally recorded in 2018, this episode is a treasure trove of insights into the evolving nature of secure-coding practices. Let’s revisit the highlights and reflect on the past 7 years. To find this episode and our almost 300 others, go to https://www.youtube.com/@AbsoluteAppSec, or find Seth Law (@sethlaw) and Ken Johnson (@cktricky) wherever you get your podcasts.
“When you’re on stage [teaching], it’s half performance, half knowledge. So I study, try to be as academic as possible, and have good examples of how to do this stuff, but I try to be entertaining on stage. […] I try to make it so people are not gonna fall asleep or regret that they had this experience. I want them to walk away being lifted up and excited and enthusiastic to do security again. […] We want to inspire people to dig into this massively complicated topic, and it’s not easy to do.”
In this episode, Jim Manico shares his journey into application security, a path that began in the late 90s with a decade of Java programming. A pivotal moment came when he met Stephen Northcutt, who recognized the need for security rooted in the developer’s perspective. Manico’s intensive experience at SANS, often working 100-hour weeks, provided him with a deep immersion in AppSec. Jim went on to work for various notable organizations in the AppSec space, including Aspect Security, where he contributed to software development under NDA, and later WhiteHat Security, following an acquisition of his static analysis startup. At WhiteHat, Jim embraced an evangelist role, promoting secure development practices and delivering trainings worldwide. His current work is as CEO/Founder of Manicode Security, where he has a modular approach to developer training. Jim emphasizes that effective training isn’t just about technical accuracy but also about being engaging and inspiring. A trainer must not only transfer knowledge but also be able to energize and motivate developers to care about writing secure code. He sees this as both a personal mission and an industry obligation, particularly back when the pool of qualified AppSec educators was remarkably small. Since the time of recording back in 2018, secure coding training has become more widespread and formalized, with platforms like SecureFlag, Kontra, and newer OWASP-supported labs making interactive training more accessible. However, Jim’s emphasis on personalized and energetic instruction remains unique in a landscape increasingly dominated by automated LMS platforms. His approach is valuable as developers face more nuanced threats involving complex supply chains, deserialization flaws, and AI-related vulnerabilities.
“I’m trying my best to teach people XSS the right way. It’s tough, you have to escape. You have to use frameworks correctly. You have to sanitize HTML. You have to get CSP in place. You have to use safe sinks in JavaScript, avoid inner HTML, DOM purify untrusted markup deep in the DOM, and server-side sanitizers, and get it right everywhere. That’s the problem. Get it right everywhere.”
This episode also includes a discussion about persistent vulnerabilities like Cross-Site Scripting. Jim provocatively argued that the continued existence of XSS is a damning reflection of industry incentives—there’s more money in finding it than fixing it. While SQL injection has largely been curbed thanks to secure-by-default frameworks and ORM libraries, XSS remains widespread due to its complexity and the inconsistent security guarantees across modern JavaScript frameworks. The conversation also highlights the divide between elite engineering teams who claim to have moved beyond XSS as a threat and the broader developer community, where XSS remains a daily concern. In 2018, XSS was still a top concern, especially in legacy apps and poorly configured modern frameworks. Today, while XSS is still present in the wild, awareness and adoption of defenses like Content Security Policy (CSP), DOMPurify, and auto-escaping templating engines have improved. Frameworks like React have continued to sandbox most rendering tasks, and newer ones like Svelte and SolidJS incorporate even more secure-by-default behaviors. Still, as Jim suggested, risky use of features and gaps in CSP enforcement show that XSS hasn’t disappeared; it’s just taken new forms, particularly in SPAs and DOM-heavy frontends.
This episode is sponsored by DryRun Security. Authorization flaws are some of the trickiest security gaps—permissions get messy, logic gets overlooked, and suddenly, users have access they shouldn't. DryRun Security helps you catch these risks early with Natural Language Code Policy (NLCP). Their latest white paper dives deep into real-world authorization failures and discusses how DryRun Security finds them before they get shipped to production. Grab your copy now at dryrun.security/auth-flaws.
Beat the summertime blues with a nice Absolute AppSec T-shirt. Visit our merch store to pick your size.
Summertime bringing blue skies, and…Ts
And, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack. A fair number of the shows’ topics begin as discussion points with the Slack audience, so you can join there to offer ideas for what you’d like the podcast to cover as well as pick the brains of a number of industry experts.
Stay Secure,
Seth & Ken
https://www.youtube.com/watch?v=omTGDXnAjgc - Episode #81 - Matias Madou - Co-Founder & CTO of Secure Code Warrior comes on the episode to discuss application security training.
https://www.youtube.com/watch?v=QtlW6tfMSKU - Episode #63 - Julian Berton (@JulianBerton) - Principal security engineer and AppSec team lead at SEEK when the episode took place, Julian has a lot of interesting ideas about how to make security work in an organization, the natural inclination of some developers to incorporate it into the work, as training team members.
https://www.youtube.com/watch?v=ufjbF5f2yPY - Episode #59 - James Wickett - the show brought on James Wickett in his capacity as a DevSecOps guru and on the cusp of an interesting talk at Locomocosec titled “"The seven habits of a highly effective DevSecOp.” The talk’s provocation that organizations should expect security to know how to code created a bit of a stir on twitter back when those things used to happen. Watch for the off-hand remarks Ken and James have regarding SAST and DAST to see if you can predict the future (maybe check out this week’s sponsor for more insight).
Absolute AppSec Happenings
https://www.cyberark.com/resources/threat-research-blog/poison-everywhere-no-output-from-your-mcp-server-is-safe - “Poison everywhere: No output from your MCP server is safe” - Simcha Kosma, Security Researcher at Cyberark illustrates a range of attacks on MCP servers built off of Invariant Labs Tool-Poisoning attack highlighted last month. Cyberark has built the exploit out further with Advanced Tool-Poisoning (“Advanced Tool Poisoning Attacks (ATPA) is a novel attack class we introduce and exploit the LLM’s interpretation of tool outputs, particularly dynamic content like error messages or follow-up prompts generated during execution.”). Short takeaway is it looks like there are quite of few gaps in the security of MCP servers usage, and users should proceed forward with that knowledge.
https://www.dbreunig.com/2025/06/03/comparing-system-prompts-across-claude-versions.html - “Claude's System Prompt Changes Reveal Anthropic's Priorities,” from Drew Breunig. Digging into system prompt changes, and seeing that UX can drive how AI models evolve.
https://fly.io/blog/youre-all-nuts/ - “My AI Skeptic Friends Are All Nuts,” in which which Thomas Ptacek scorchingly asks everybody to be reasonable about what AI is and does for the development of code. Where he acknowledges who has a legitimate bone to pick (art types, for example), and who maybe doesn’t have as much of a right to be upset (the wider software developer industry). The article has found some legs in provoking responses in more than a few watering holes where tech-y thinkers congregate.
Upcoming Events
Where in the world are Seth and Ken?
June 16-17, 2025 - Practical Secure Code Review - AI Enhanced - Given the recent demand, the duo returns with a virtual training with all the AI updates that continually evolve.
August 11-12, 2025 - Harnessing LLMs for Application Security - Back to DEF CON, but this time with an updated course. Integrating LLMs into AppSec from static to dynamic analysis. Tips, tricks and more.