Episode #285
EasyJSON, Software Dependencies, Breaches

There’s a new opportunity for Seth and Ken’s LLM-enhanced course on Practical Secure-Code Review
This week on Absolute AppSec’s 285th episode, Seth (@sethlaw) and Ken (@cktricky) are back in the office to finally discuss the risks and complexities of using third-party dependencies like EasyJSON, a Golang JSON parsing library maintained by Russian developers, which has been in the news due to geopolitical sanctions and a suspicious uptick in renewed maintainer activity. Our duo discusses the implications and how to protect apps from threats in software dependencies. This leads to a deeper discussion about breaches and whether a breach truly has an effect on the industry, company, or individual. Current regulations and certifications can be lost, but don’t always have the effect we would expect. To view this episode, go to https://www.youtube.com/@AbsoluteAppSec, or listen wherever you get your podcasts.
“One of the issues that they’ve seen with the EasyJSON library is that it was fairly dormant, like for two plus years. There was no activity, and it seemed to be fairly stable, and within the last few months, all of the sudden, it’s become more active, especially on the Russian developer side of things. Now there’s no known vulnerabilities with easyJSON, this is a purely attribution and purely… fear of future attacks, specifically (as was the case with the previous XZ utils attack), the ability to take over all of these dependencies and you have access to everything. […] Most companies have Kubernetes installed and are running it in critical workloads, and there’s not an easy [way] to turn off a package like this.”
The core of the episode focuses on the controversy surrounding the Go package EasyJSON, a popular dependency used for JSON parsing in Golang applications and widely embedded in systems like Kubernetes. The issue, as Ken explains, stems not from a specific vulnerability but from geopolitical attribution: EasyJSON is maintained by Russian developers, raising concerns for companies subject to U.S. sanctions or those required to produce software bills of materials (SBOMs). Companies are now having to publicly attest to using a package developed in a sanctioned country, which could pose both reputational and legal risks.
Seth expands on the implications of this dependency by comparing it to prior incidents like the XZ Utils backdoor, highlighting how a dormant package that suddenly becomes active, especially one maintained from a geopolitical adversary, raises legitimate concerns. While no known vulnerabilities have been discovered in EasyJSON, the potential for future exploitation puts security teams in a bind: they must decide whether to proactively remove a critical dependency or continue using it with enhanced monitoring.
“It’s not zero risk, it’s risk management[…] businesses make business decisions. [They say,] why would we slow down by multi-year potential slips, when I can just say we’ll try to manage? Yes, we know it’s a risk. But if we’re calculating about it, if we manage that risk, we’ll accept that.”
The discussion then moves into a nuanced conversation about risk management in modern software development. Both hosts stress that there is no such thing as zero risk, only risk tradeoffs. For example, rebuilding open-source functionality internally to avoid dependencies may cost a business valuable time-to-market, allowing competitors to outpace them. The challenge is not whether to use open source, but how to responsibly manage the associated risks.

Ken notes that most organizations, especially startups and small businesses, lack mature processes for threat modeling and dependency management. Seth agrees, citing his consulting experience with clients who often struggle even to patch known CVEs, let alone preemptively address attribution risks. He points out that simply knowing about the issue is half the battle, but without proper infrastructure, like dependency pinning, signed packages, or private artifact repositories, organizations are limited in how they can respond. The hosts emphasize the importance of monitoring over reactionary removal, especially for widely used packages like EasyJSON. They call for better tooling and ecosystem support for attribution and risk visibility, such as SBOM enforcement and alerting systems. Ken notes that even advisory tooling like Snyk, despite his reservations about the product, plays a useful role in giving developers real-time feedback on emerging risks in their libraries.
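As an added illustration (not code from the episode or from the EasyJSON project), here is a small Go program that pulls the pinned modules out of a go.mod and flags any entry on a watch list, which is the inventory-plus-monitoring step the hosts describe as the alternative to ripping a dependency out. The go.mod content and module paths are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Dep is one pinned module from a go.mod require section.
type Dep struct{ Path, Version string }

// parseGoMod extracts require entries (single-line and block form) from go.mod text.
func parseGoMod(src string) []Dep {
	var deps []Dep
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		// A require line is "<module path> <version> [// comment]".
		if f := strings.Fields(line); len(f) >= 2 && !strings.HasPrefix(f[0], "//") {
			deps = append(deps, Dep{f[0], f[1]})
		}
	}
	return deps
}

// flagWatched returns "path@version: reason" for each dependency on the watch list.
func flagWatched(deps []Dep, watch map[string]string) []string {
	var out []string
	for _, d := range deps {
		if reason, ok := watch[d.Path]; ok {
			out = append(out, d.Path+"@"+d.Version+": "+reason)
		}
	}
	return out
}

// Constructed sample go.mod; the module paths are assumed placeholders, not real pins.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgithub.com/example/easyjson v1.7.8\n\tgolang.org/x/text v0.14.0 // indirect\n)\nrequire github.com/example/other v0.3.1\n"

func main() {
	watch := map[string]string{"github.com/example/easyjson": "attribution review; monitor new releases"}
	fmt.Println(flagWatched(parseGoMod(sampleGoMod), watch))
}
```

The pinned version that comes out of the parser is what an SBOM entry or an alert rule would key on, so a new release of a watched module shows up as a diff rather than a surprise.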
This episode is sponsored by DryRun Security. Authorization flaws are some of the trickiest security gaps—permissions get messy, logic gets overlooked, and suddenly, users have access they shouldn't. DryRun Security helps you catch these risks early with Natural Language Code Policy (NLCP). Their latest white paper dives deep into real-world authorization failures and discusses how DryRun Security finds them before they get shipped to production. Grab your copy now at dryrun.security/auth-flaws.
Springtime is here, and pink is in. If you’d like to represent Absolute AppSec as it gets warmer and warmer, visit our merch store to pick your size.

And, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack. A fair number of the show’s topics begin as discussion points with the Slack audience, so you can join there to offer ideas for what you’d like the podcast to cover as well as pick the brains of a number of industry experts.
Stay Secure,
Seth & Ken
https://www.youtube.com/watch?v=QVESg0nWmQw - Episode #240 - Code Smells, XZ Backdoor, Hallucinations - Revisit Seth and Ken’s discussion of XZ Utils backdoor to get more thoughts on dependency risks.
https://www.youtube.com/watch?v=EQ9cZFyJ_xA - Episode #65 - Adam Baldwin, of Node Security/NPM fame, discusses a topic relevant to this week’s episode, citing "developer burnout as an attack vector" and providing stats such as 97% of modern Node applications relying on code from third-party libraries.
https://www.youtube.com/watch?v=3AcL_37gnhY - Episode 170 - Security Basics, Social Engineering, Plan for Failure - LAPSUS$ breach is discussed in this episode, which highlighted that the weakest link in the security chain is people, so it’s worth fortifying human practices if you can and creating defense-in-depth for when humans fail in human ways.
Absolute AppSec Happenings
https://www.anthropic.com/news/detecting-and-countering-malicious-uses-of-claude-march-2025 - “Detecting and Countering Malicious Uses of Claude: March 2025” from Anthropic - This article covering “several case studies on how actors have misused [Anthropic] models” was one we didn’t get to, given our deep dive on the topic of dependencies and breaches. Worth looking at the way that attackers have leveled up with AI while defenders are doing the same.
https://cyberscoop.com/deepseek-ban-congress-cassidy-rosen-contractors/ - “Senators move to quash the use of Chinese AI system by federal contractors,” from Cyberscoop. Bipartisan co-sponsoring senators Jacky Rosen and Bill Cassidy are trying to address the risks of using DeepSeek when working with sensitive government systems. Given the number of capabilities granted when installing open-source LLMs, this reaction is not overly surprising.
At infosec.exchange, Harry Sintonen provides an interesting overview of cases where AI-slop bug-bounty reports have nonetheless been accepted. Read the thread for the details. AI slop is increasing across all platforms with user-generated content. This will continue to be a problem and will overload some previously safe processes.
Upcoming Events
Where in the world are Seth and Ken?
May 21, 2025 - Lean AppSec Live - Seth will join Endor Labs (along with podcast guest Jeevan Singh) to talk through Modern Security Code Reviews, touching on AI updates in the Absolute AppSec secure code review framework.
June 16-17, 2025 - Practical Secure Code Review - AI Enhanced - Given the recent demand, the duo returns with a virtual training with all the AI updates that continually evolve.
August 11-12, 2025 - Harnessing LLMs for Application Security - Back to DEF CON, but this time with an updated course. Integrating LLMs into AppSec from static to dynamic analysis. Tips, tricks and more.