Episode #278
Security Conferences, Testing Data in Git, Unforgivable Vulnerabilities

This week on Absolute AppSec, episode #278, Seth (@sethlaw) and Ken (@cktricky) return without a guest to talk recommendations for security conferences, an article on a recent customer data exposure by Zapier in git test data, and thoughts on the classification of ‘Unforgivable Vulnerabilities’ as proposed by the UK’s National Cyber Security Centre. To watch this episode, head over to https://www.youtube.com/@AbsoluteAppSec or find us wherever you get your podcasts.
Seth and Ken announced their return to BSidesSF and RSA, as well as their participation in an upcoming invite-only AI security summit during RSA. Regarding major industry conferences, there are differences in their relative value: while RSA is perceived as more business-focused, it still offers networking opportunities and valuable talks. This is in contrast to Black Hat, which has a mix of technical and business content but is geared toward commercialization. BSides conferences offer a more affordable and intimate setting for technical discussions; in the case of BSidesSF, Absolute AppSec hopes to see you there!
“I get [that] when you step into an organization as an application security person, or as a security person, and you’re taking over a team, you’ve got to get your hands around what they’re doing moving forward. But these sorts of gotchas are working to kill you, right? […] These are what’s going to place blame on the current CISO, even though they probably weren’t the ones that made those decisions to actually restrict that data, you know, just knowing the organizations that I’ve stepped into, where I have seen this. […] It’s usually a maturity thing. And it’s usually from a long time ago.”
A major topic of this episode is the recent security breach at Zapier, which resulted from a lack of basic security hygiene, such as failing to enforce multi-factor authentication (MFA) on engineers’ GitHub accounts. This oversight allowed an attacker to gain unauthorized access to repositories, where they discovered that real customer data had been mistakenly committed to the codebase. The hosts critique Zapier’s security practices, calling the lack of MFA enforcement, pull request approvals, and other fundamental security measures outright irresponsible. They also discuss the broader issue of developers using production data in testing environments, a practice that persists despite corporate policies prohibiting it.
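The test-data problem described above is one that a repository check can catch before a commit lands. The following is an added example, not Zapier’s tooling and not code from the episode: a small Python pre-commit/CI check that scans test fixtures for values that look like real customer data, namely e-mail addresses outside the reserved example/test domains and card-number-shaped digit runs that pass the Luhn checksum. The sample fixture, the file layout and the digit-length thresholds are constructed for illustration.

```python
"""Flag likely real customer data in test fixtures (added example, hypothetical tooling)."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Domains reserved for documentation and testing (RFC 2606 / RFC 6761);
# values using them are assumed to be synthetic and are not flagged.
SAFE_DOMAINS = {"example.com", "example.org", "example.net"}
SAFE_TLDS = {"example", "test", "invalid", "localhost"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# Runs of 13-19 digits, optionally separated by spaces or dashes (card-number shaped).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample fixture; none of these rows are real people or accounts.
SAMPLE_FIXTURE = """\
# users.csv (constructed sample, not real data)
id,email,card
1,alice@example.com,1234 5678 9012 3456
2,bob@acme-widgets.example,1111 2222 3333 4445
3,carol@northwind-corp.com,5498 1234 5678 9013
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_safe_domain(domain: str) -> bool:
    """True for reserved documentation/test domains and their subdomains."""
    domain = domain.lower().rstrip(".")
    if domain in SAFE_DOMAINS or domain.endswith(tuple("." + d for d in SAFE_DOMAINS)):
        return True
    return domain.rsplit(".", 1)[-1] in SAFE_TLDS


def find_suspect_values(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, value) for each value that looks like real data."""
    findings: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            if not is_safe_domain(m.group(1)):
                findings.append((lineno, "email", m.group(0)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Luhn filters out most random digit runs (IDs, timestamps), not all of them.
            if luhn_valid(digits):
                findings.append((lineno, "card", m.group(0)))
    return findings


def scan_files(paths: list[str]) -> dict[str, list[tuple[int, str, str]]]:
    """Scan each file; return only the paths that produced findings."""
    report: dict[str, list[tuple[int, str, str]]] = {}
    for p in paths:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        hits = find_suspect_values(text)
        if hits:
            report[p] = hits
    return report


if __name__ == "__main__":
    # Usage: python check_fixtures.py tests/fixtures/*.csv  (exit 1 blocks the commit)
    files = sys.argv[1:]
    report = scan_files(files) if files else {"<sample>": find_suspect_values(SAMPLE_FIXTURE)}
    for path, hits in report.items():
        for lineno, kind, value in hits:
            print(f"{path}:{lineno}: suspected real {kind}: {value}")
    sys.exit(1 if any(report.values()) else 0)
```

Run with no arguments it scans the embedded sample and flags only the third row, where the e-mail is on an ordinary domain and the card number passes Luhn. Wired into a pre-commit hook or a CI job over the fixture directories, a non-zero exit blocks the change; the domain allowlist and the digit-length thresholds are the knobs to tune for a given repository, and known test card numbers from payment providers would normally be allowlisted as well.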
“I’m having a hard time wrapping my brain around the efficiency. Some of the best vulnerabilities that really did need to be mitigated would have been labeled as forgivable.”
In the latter part of this episode, Seth and Ken discuss a new vulnerability classification system introduced by the National Cyber Security Centre (NCSC) in the UK. The criteria used to determine whether a vulnerability is forgivable or unforgivable highlight the ease of mitigation as a central factor. While security policies such as these evolve year after year, many foundational vulnerabilities remain a persistent issue. The NCSC’s approach seems similar to past efforts to eliminate insecure coding practices, such as Microsoft’s push to ban the use of unsafe C functions in Windows XP, which led to a measurable reduction in vulnerabilities in later versions of Windows. There are questions about the practical implications of this classification system and how it will be enforced. Ken expresses skepticism about its effectiveness, noting that while it provides a structured way to think about vulnerabilities, it does not fundamentally change the way security teams operate. Classifying vulnerabilities based on whether or not they are “reasonable” to have may not always align with real-world security risks. Will these classifications actually drive better security outcomes or merely introduce another compliance requirement?
This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.
March in Utah has been crazy, swinging from snow, to rain, to sun all in 2-3 hours! Well, what if I told you, you can support the podcast and stand against the tempest? Visit the merch store to pick your desired color.
And, as always, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack.
Stay Secure,
Seth & Ken
https://youtu.be/wSEZSP3WT6w - Episode #154 - Episode with the duo’s view of tech conferences as an outsider. An analysis of data from Google's "Threat Horizons" report and what it tells us about Cloud Security. A few items related to security of the software supply chain, including an academic white paper comparing different SCA tools.
https://youtu.be/klByndbwB0s - Episode #114 - Account Enumeration, Github Actions - Seth and Ken discuss account enumeration vulnerabilities and open source tools that take advantage of them. Discussion about the recent Github Actions vulnerability.
https://youtu.be/8YtO-0kuM8M - Episode #128 - Stefan Edwards/David Coursey - PHP, Backdoors, and AppSec Nihilism - Seth hosts Stefan Edwards (@lojikil) and David Coursey (@dacoursey) discussing PHP's recent backdoor, probable fixes including code commit signing and the move to GitHub. The discussion covers ease of security, developer tendencies when securing code, and application security nihilism.
Absolute AppSec Happenings
https://redpointsecurity.com/identify-and-overcome-destructive-fatigue/ - Justin Larson, Principal Consultant at Redpoint Security (thanks for sponsoring!) talks about destructive fatigue, which “stems from the mental toll of constantly tearing things down without opportunities to build.” Mental health gets ignored when it comes to breaking systems and causes nihilistic tendencies; just see the amount of negativity across multiple episodes. Jump into Slack to discuss your own experience further.
https://github.com/faizann24/rogue - Yet another AI/LLM-backed tool, but interesting use case. Rogue is an open source project that is an “advanced AI security testing agent that leverages Large Language Models to intelligently discover and validate web application vulnerabilities.” Some of these sorts of projects will fall by the wayside in the next 18 months, but still good to see the attempts to use LLMs to streamline discovery of security issues in our space.
https://baseline.openssf.org/ - Brought to our attention through tldrsec.com (thanks, Clint!), OpenSSF is doing great work pushing left and making security accessible to everyone. Good to have a baseline for assessing and implementing security in open source projects. This OpenSSF project is “designed to act as a minimum definition of requirements for a project relative to its maturity level.”
Upcoming Events
Where in the world are Seth and Ken?
March 6-7, 2025 - Apres-Cyber Slopes Summit - Seth will be presenting his Modern vs. 0ld 5k00l talk, where all the old vulnerabilities are new again.
March 27-28, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1; if you have specific dates you would like to see, please reach out (via email or Slack).
April 26-27, 2025 - BSides San Francisco 2025 - State of (Absolute) AppSec - Ken and Seth will be hosting a panel on the current state of the application security industry with help from a few friends. Expect spicy takes, opinions, and wild predictions. If you have questions you would like to cover, submit them via this form.