Episode #277 with Kyle Rippee

AppSec Support, Security Red Flags, Getting into AppSec

On episode 277 of Absolute AppSec, Seth Law (@sethlaw) and Ken Johnson (@cktricky) welcome Kyle Rippee, current staff product security engineer at Tines working on solving complex security challenges with minimal technical debt. They dove into Kyle’s path into application security as well as finding out more about the interesting things going on at Tines. The episode covers the modern application security ecosystem, security program development, and the evolving role of automation in security processes. To watch this episode, head to https://www.youtube.com/@AbsoluteAppSec, or find us wherever you listen to your podcasts.

Kyle’s journey into security began as a hobby, initially as an interest in computers and hardware, leading to his professional start with Department of Defense (DoD) and Department of Justice (DoJ) contracting work in Northern Virginia. Over time, he transitioned into roles focused on penetration testing and application security, with experience at companies such as BAE Systems and GuidePoint Security, where he played a key role in defining penetration testing policies, and Atos, where he contributed to securing the 2018 Winter Olympics. He later held leadership roles at Shutterfly, FloQuast, and PlanetArt, where he was responsible for building and maturing application security programs. His recent move to Tines has provided the opportunity to focus on proactive security measures without the burden of excessive technical debt. After a long career, Kyle advises individuals looking to enter the cybersecurity field to pursue ideas that genuinely interest them, because he views passion as a key driver for long-term success. He also emphasizes that continuous learning is essential, whether through certifications, community involvement, or hands-on projects.

“It really boils down to, in my experience, like once you get in there, once you start understanding the architecture or talking to some individuals and seeing how people take to security recommendations and things of that nature, it really starts telling you what you need to know.”

Kyle

As far as advice for companies that want to improve their security maturity, Kyle focuses on organizational culture, stating that technical expertise alone is not enough to ensure the success of a security program. Leadership support can help integrate security into the development lifecycle rather than treating it as an afterthought, and companies that prioritize security as an integral part of their process, rather than as a compliance requirement, tend to have stronger security practices and a more effective overall approach. As for building an application security program, Kyle recommends as a first step conducting an initial assessment and reviewing source code to understand how the application functions and to identify potential vulnerabilities in areas such as authentication and sensitive data handling. After establishing a foundational understanding of the application, Kyle says security leaders should engage directly with engineering teams to build strong relationships. Frequent and direct communication with engineers and product teams is key to integrating security into development in a way that is natural and effective.

“Maintaining credentials and proper flows that you want to be tested and keeping those up to date, especially if you have a frequent development cycle or active developers that are contributing code and making changes at a rapid pace— it can be quite challenging for a security team to keep up with that from an automated perspective.”

Kyle

Kyle also highlights the importance of selecting the right tools for automation, such as Static Application Security Testing (SAST) and Software Composition Analysis (SCA), while warning against over-reliance on tools that produce excessive false positives. Maintaining and configuring DAST or SCA tools requires significant effort, and the findings they produce are often limited to surface-level vulnerabilities rather than more complex security flaws, such as login vulnerabilities. Because of these shortcomings, bug bounty programs and manual security testing tend to provide greater value than traditional DAST solutions. Traditional signature-based detection methods, such as those used in legacy security tools, are becoming increasingly ineffective due to evolving attack techniques. He references research comparing modern malware and ransomware to biological mutations, suggesting that security tools need to move beyond static signatures and adopt more adaptive, behavior-based detection models.

This episode is sponsored by DryRun Security. Authorization flaws are some of the trickiest security gaps—permissions get messy, logic gets overlooked, and suddenly, users have access they shouldn't. DryRun Security helps you catch these risks early with Natural Language Code Policy (NLCP). Their latest white paper dives deep into real-world authorization failures and discusses how DryRun Security finds them before they get shipped to production. Grab your copy now at dryrun.security/auth-flaws.

March and the lions roaring will soon be upon us. Are you ready for themthar winds what blow?! Well, what if I told you, you can support the podcast and stand against the tempest? Visit the merch store to pick your desired color.

And, as always, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack.

Stay Secure,

Seth & Ken

https://youtu.be/XJIxFYT21sw - Episode #50 - This episode with Eric Heitzman covers a good deal of similar territory to the one we had this week with Kyle Rippee. Static Analysis and making security work for developers and your organization are discussed with some good insight into the risks and pitfalls of getting things wrong.

https://youtu.be/JGVhJhP5yMQ - Episode #140 - Naomi Buckwalter - Naomi is currently at Contrast Security and provides some insights into what the information security industry needs to focus on in hiring processes, so that the industry gets the support it needs heading into the future.

https://youtu.be/EsdKjjymg6k - Episode #139 or CXXXIX - Apropos of the discussion with Kyle concerning credentials for new folks looking for positions in the industry, we bring you this episode from the lojigemfile. Lojikil, Stefan Edwards, talks through the value of information security degrees with Seth and Ken, among other topics.

Absolute AppSec Happenings

https://sockpuppet.org/blog/2025/02/09/fixing-illinois-foia/ - This post from sockpuppet, titled “I Went to SQL Injection Court”, is a fun read. It’s got discussion about whether courts should view a database schema as sensitive information for a hacker who’s made a FOIA request, and it has a legislative call-to-action for all you Illinois folks.

https://blog.trailofbits.com/2025/02/21/the-1.5b-bybit-hack-the-era-of-operational-security-failures-has-arrived/ - Trail of Bits has a nice write-up on the Bybit hack whose staggering amount of funds involved (1.5 Billion) has garnered headlines. The article is chock-full of advice for reducing blast radii of attacks, as well as immediate actions organizations holding cryptocurrencies should take to bolster their defenses.

https://www.galahcyber.com.au/api-security/patching-dependency-management/ - Friend of the podcast, Cole Cornford, has a fantastic blogpost on the hopes AI tooling is raising for addressing the perennial problems of dependency management. He provides some advice on what to look for in a solution for a couple of the things development shops are looking for:

  • “[C]ontextualise what matters and otherwise hide irrelevant bugs.”

  • “We want to distinguish between safe and unsafe patches and [help] guid[ing] us when breaking changes are introduced.”

If these sound like things that could help you and your teams going forward, read the whole thing here.

Upcoming Events

Where in the world are Seth and Ken?

March 6-7, 2025 - Apres-Cyber Slopes Summit - Seth will be presenting his Modern vs. 0ld 5k00l talk, where all the old vulnerabilities are new again.

March 27-28, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1; if you have specific dates you would like to see, please reach out (via email or Slack).

April 26-27, 2025 - BSides San Francisco 2025 - State of (Absolute) AppSec - Ken and Seth will be hosting a panel on the current state of the application security industry with help from a few friends. Expect spicy takes, opinions, and wild predictions. If you have questions you would like to cover, submit them via this form.

April 28, 2025 - Exclusive Dialogues on AI and Security panel - Hosted by DryRun Security, Cannage Capital, and Hinge Health, and billed as ‘select group of AI practitioners and security leaders [in] an exclusive, closed-door discussion at the intersection of AI and software security.’ Reserve a spot for the topical discussion with Ken, Seth, and special guests Daniel Messier, Jason Haddix, and more.

June 28-29, 2025 - DEF CON Trainings, Seattle, WA - Seth and Ken will present one of the courses. Watch this space for additional details once it is fully posted.