Episode #279
Conferences, Addressing Destructive Fatigue, Imposter Syndrome

This week on Absolute AppSec, Ken Johnson (@cktricky) and Seth Law (@SethLaw) return after a short absence for the 279th episode of Absolute AppSec. On Tuesday, they had a discussion on mental health inspired by a recent blog post on Destructive Fatigue from Justin Larson at Redpoint Security. Constant focus on breaking and tearing down applications can have effects on our attitudes and outlooks. Additionally, imposter syndrome is prevalent throughout the industry. So, what can we do to secure our sanity and mental health? To view this episode, go to https://www.youtube.com/@AbsoluteAppSec, or find us wherever you get your podcasts.
To start the show, Seth asks Ken about his experience at SnowFROC, a one-day OWASP-associated security conference in Denver. Despite being a relatively small conference, it was incredibly well organized with high-quality technical content, making it a valuable experience both as an attendee and a vendor. Seth and Ken have found that regionally run events, like SnowFROC or BSides, provide valuable experiences that are different from OWASP Global AppSec conferences. From the perspective of vendors, they have found themselves surprised at the lackluster effectiveness of certain conferences over others, dependent on the organization, demographics, and quality of conversation. In the future, they want to be highly selective about which conferences they attend. Ken mentions that in the last year, he spent nearly six months traveling for conferences, which took a toll on him, prompting him to reconsider how many events to prioritize going forward.
On “Destructive Fatigue”
“If you’re a home inspector, you see this shoddy craftsmanship in every house that you come across. […] And it’s the same for us, right? When I go to an application, I just assume the software is probably not all that secure. How could I not [get tired] after all these years of seeing how many flaws exist in pretty mature software?”
Seth introduced the concept of “destructive fatigue,” drawn from a blog post by his team member Justin Larson at Redpoint Security. Destructive fatigue occurs when security professionals spend most of their time breaking things—finding vulnerabilities and flaws through penetration testing, code review, and vulnerability assessments—without balancing their work with constructive activities. While these tasks are intellectually stimulating, over time they can lead to a sense of cynicism and nihilism toward application security. This constant exposure to security flaws makes it easy to lose faith in the ability of organizations to build secure software. They discuss the importance of managing stress, engaging in creative projects, and taking breaks from the high-pressure world of security assessments. Ken, who has spent the past few years building DryRun Security, relates to this struggle and acknowledges that shifting from breaking things to building something new has been a refreshing change. The feeling of working only on breaking things led him to seek a role where he could also create solutions. This shift helped alleviate the burnout that came from always being in a critical mindset.
“Sometimes, honestly, you just got to say, I f*cking believe in myself. [When you become critical of yourself] about, you know, am I this, that, or the other? Maybe not, but it doesn’t mean you don’t have value. Maybe you see things with a unique perspective or bring something to the table that somebody else didn’t, or you can pursue things more than others. You’ve got some value, you’ve got some skill, you’ve just got to figure out what it is and then really believe in yourself.”
Destructive fatigue goes hand in hand with imposter syndrome. Seth explains that security professionals tend to tie their self-worth to the number of vulnerabilities they can find. It feels exhilarating to uncover numerous security issues in an old, vulnerable system but disheartening to analyze a well-secured application and come up empty-handed. Seth and Ken emphasize the importance of separating personal value from vulnerability discovery. They argue that the true value of security professionals is not just in how many flaws they find but in their overall expertise, experience, and ability to understand security at a deep level. They stress that security work is not about feeding one’s ego but about contributing meaning to the field. Another contributing factor to imposter syndrome is social media pressure, particularly on platforms like LinkedIn. Seth candidly admits that when he sees posts about new research, conference talks, and technical achievements, he sometimes feels like he is not doing enough. This comparison trap makes it difficult to maintain perspective, as social media tends to showcase highlights rather than the day-to-day struggles professionals face. To overcome negative self-talk, Ken has learned over time to focus on past successes whenever he finds himself doubting his abilities. He advises others struggling with imposter syndrome to take a moment before challenging situations to mentally review their accomplishments and strengths rather than dwelling on what they don’t know. It is important to be kind to yourself and seek community support, because you’d be surprised to learn that everyone in the industry experiences this, even those who appear highly successful.
This episode was sponsored by DryRun Security. DryRun Security detects serious security bugs that other tools consistently miss. DryRun Security’s combination of automated intelligence, policy-driven scanning, and a developer-friendly interface makes it ideal for DevSecOps teams that can’t afford to let SSRF, IDOR, BOLA, or insecure tokens slip through. And take a look at dryrun.security for recent blog posts to see DryRun’s head-to-head comparisons with leading SAST tools, which make the DryRun advantage clear.
Sometimes swag can brighten a day, and we’d hope that the lojikil unicorn may be just the ticket to sunshine. If that sounds like just the right prescription for you to address your destructive fatigue & you’d like to support the show, visit the merch store to pick your size.
And, as always, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack.
Stay Secure,
Seth & Ken
https://www.youtube.com/watch?v=4Pw_BJciR5o - Episode #52 – Chris Gates (@carnal0wnage) – In this episode with Chris Gates, the three hackers dive deep on avoiding burnout and hacking your happiness. There’s a lot of evergreen advice here for everybody working in application security and the entire information security industry.
https://www.youtube.com/watch?v=vVpuO_K0mWE - Episode #187 – Hacking your Health, Fortinet, Secrets in Source – In this episode, Seth and Ken talk through how work-life imbalances can have marked effects on both physical and mental health, and, based on some discussions within the Slack at the time, Ken provides his advice alongside his personal journey toward putting in place a better health regimen.
https://www.youtube.com/watch?v=RqsoNMjKTaw - Episode #62 – Abdullah Munawar (@amanofwar) & Ben Pick (@picksecurity) – Following along the line of Seth and Ken’s security conferences discussion, the second half of this past episode with Appian’s Abdullah Munawar and NetSPI’s Ben Pick offers a nice on-the-ground view of what it takes to organize a security conference, as well as security communities in general.
Absolute AppSec Happenings
https://cendyne.dev/posts/2025-03-19-vibe-coding-vs-reality.html - “‘Vibe Coding’ vs Reality” by Cendyne. This article discussing the vibe-coding era we’re entering was shared by Anthony in the Absolute AppSec Slack. It pairs with the viral lesson learned this week about broadcasting that your SaaS was built by AI agents without many security engineers or appsec checks in the process.
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup - “New GitHub Action supply chain attack: reviewdog/action-setup” by recent Absolute AppSec guest Rami McCarthy (@ramimacisabird). This article, also from the Absolute AppSec Slack (thanks Greg Ford!), provides more information on the software supply-chain attack on the popular GitHub Action tj-actions/changed-files. It offers good advice on finding out whether your organization is affected and on ways to better protect yourselves, including, “[a]s recommended by GitHub, pin(ning) all GitHub Actions to specific commit hashes instead of version tags to mitigate against future supply chain attacks.”
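To make the pinning advice above concrete, here is an added example (not code from the article, from Wiz, or from GitHub) that scans a workflow file for `uses:` references and flags any third-party action that is referenced by a tag or branch instead of a full 40-character commit SHA. The workflow text is constructed for the example, and the SHA in it is a made-up placeholder, not a real commit; the function names `classify_uses` and `find_unpinned` are this example’s own.

```python
import re

# Constructed sample workflow for the example; not from any real repository.
# The 40-hex value on the setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: run tests
        run: npm test
      - uses: some-org/some-action@main
"""

# Matches a step's `uses:` key (with or without the leading list dash).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)")
# A full commit SHA: exactly 40 hex characters. Short SHAs are NOT accepted,
# because they are not collision-resistant enough to serve as a pin.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_uses(ref):
    """Classify a `uses:` value as 'sha', 'mutable', 'local' or 'docker'.

    'mutable' covers tags, branches and missing refs: all of them can be
    moved to point at different code after you reviewed it.
    """
    if ref.startswith("./"):
        return "local"          # action checked in alongside the workflow
    if ref.startswith("docker://"):
        return "docker"         # image refs need digest pinning, handled elsewhere
    if "@" not in ref:
        return "mutable"        # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return (line_number, ref) for each third-party action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify_uses(ref) == "mutable":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Two caveats worth keeping in mind when you run something like this over your own repositories: the trailing `# v4.0.2` comment on a pinned line is only a human-readable hint and is never verified, so keep it accurate when you bump the SHA; and a SHA pin freezes which code runs but does not review it, so the pinned commit still deserves the same scrutiny as any other dependency.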
https://www.dryrun.security/blog/dryrun-security-vs-semgrep-sonarqube-codeql-and-snyk---c-security-analysis-showdown - This is part two from last week. The DryRun team has extended their comparison showdown to a new framework. The team is sponsoring this week, so we’re happy to point everyone to the results they’ve been producing.
Upcoming Events
Where in the world are Seth and Ken?
March 27-28, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1; if you have specific dates you would like to see, please reach out (via email or Slack).
April 10-11, 2025 - BSides SLC - A new bit of research is being presented at BSides SLC by Seth and Redpoint Security principal consultant Justin Larson. If you’re in Salt Lake, come see “Faces in the Fog: Identifying Users through Unconventional Means.”
April 26-27, 2025 - BSides San Francisco 2025 - State of (Absolute) AppSec - Ken and Seth will be hosting a panel on the current state of the application security industry with help from a few friends. Expect spicy takes, opinions, and wild predictions. If you have questions you would like to cover, submit them via this form.