Episode #286 w/ Kayra Otaner
Authenticating Open Source Developers
This week on episode 286 of Absolute AppSec, hosts Ken Johnson (@cktricky) and Seth Law (@sethlaw) welcome Kayra Otaner, Director of Application Security at Roche, for an in-depth discussion about the evolving landscape of application security and the need for a more rigorous approach to open-source software trust. To find this episode, go to our YouTube channel or find us wherever you get your podcasts.
Kayra has over two decades of experience in IT and security, beginning as a Linux systems administrator in the 1990s. He transitioned into cybersecurity in 2005 during the emergence of PCI DSS standards. He has a long history of working with sensitive data environments and government models, which ultimately shaped his emphasis on zero-trust principles within modern DevSecOps programs. His career has spanned roles at ADP, where he built out DevSecOps teams and frameworks, and now at Roche, one of the world’s largest pharmaceutical and medical device companies, where he leads the Application Security program. His diverse background includes founding his own security consultancy and working on cybersecurity for both private and government entities. Kayra is also a regular speaker at industry events such as RSA, where he most recently presented on Application Security Posture Management (ASPM).
“Why are we not identifying the individuals who are sometimes knowingly, sometimes unknowingly, putting the backdoors into our infrastructure?” - Kayra
At Roche, Kayra oversees a global AppSec initiative, balancing software security concerns across a company with operations in over 130 countries. He shares that his recent RSA talk, titled “ASPM: The Hidden Layer Eight”, highlighted what he believes is a blind spot in the traditional OSI model: the source code itself. The application layer is officially the seventh and top layer of the OSI stack, but it describes only the network-facing protocol interactions, not the code that implements them. Kayra argues that the source code running applications, often produced by unverified open-source contributors, should be treated as a de facto “layer eight” given the volume and severity of attacks originating there. This frames the core discussion of the episode: the need for more rigorous vetting of open-source software and its contributors. Using the analogy of TSA PreCheck, Kayra proposes a voluntary, opt-in system in which open-source developers could undergo background verification or offer traceable identities in exchange for trusted-contributor status. This, he argues, would not only reduce risk but also offer a path forward for responsible open-source governance, especially in an era of state-sponsored supply chain threats.
“We have so many ways of verifying individuals voluntarily just to give them an elevated status. But in the source code, in the middle of software supply chain problems that we are fighting, […] we are not even thinking about identifying individual developers. […] You know, the json issue you mention, there are so many [related problems] that have been happening, I don’t know, [in the last] five years. If we were to be able to identify individual developers, we could get this under control much quicker.”
This proposal can be compared to recent discussions about the EasyJSON library, which had ties to potentially untrustworthy contributors, demonstrating the practical relevance of Kayra’s ideas. He links this to the philosophy of Zero Trust, emphasizing that just as we no longer blindly trust internal networks, we shouldn’t trust code simply because it’s inside our environment, especially when the authorship is unclear. Throughout the episode, Seth and Ken contribute their perspectives as practitioners who came into AppSec through systems, development, and helpdesk backgrounds. They underscore how understanding the full OSI model, and the gaps it leaves, is crucial to building effective defenses. The conversation ties in historical cybersecurity models, evolving attacker techniques, and modern challenges in maintaining visibility and control in large codebases and distributed supply chains. Application security must evolve beyond just scanning and patching. It requires a foundational shift in how we treat the code we rely on, especially from third parties.
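The practical shape of a "trusted contributor" policy is a gate that refuses to accept a commit unless it carries a good signature from a key already bound to a vetted identity. The Python below is an added example (not code from the podcast, from Roche, or from any project mentioned above) showing that gate run over the output of `git log --format='%H%x09%G?%x09%GF%x09%an'`, where `%G?` is git's signature status code (G good, B bad, U good but unknown validity, X/Y expired, R revoked, E cannot check, N unsigned) and `%GF` is the fingerprint of the signing key. The allowlist, the fingerprints and the log lines are all constructed for the example.

```python
"""Enforce a 'verified contributor' policy over git signature status output.

Added example, not the podcast's or Roche's code. It consumes lines produced by
    git log --format='%H%x09%G?%x09%GF%x09%an' <range>
(tab-separated: commit hash, signature status, signing key fingerprint, author)
and accepts a commit only if the signature is good AND the key is on an
allowlist that a vetting programme would maintain. Sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Meaning of git's %G? status codes (from git's pretty-format documentation).
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing?)",
    "N": "unsigned",
}

# Constructed allowlist: fingerprint -> vetted identity it was bound to.
TRUSTED_FP = "ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234"  # hypothetical
TRUSTED_FINGERPRINTS: Dict[str, str] = {TRUSTED_FP: "alice (vetted maintainer)"}

# Constructed sample of the git log output described above.
SAMPLE_LOG = "\n".join([
    "\t".join(["1" * 40, "G", TRUSTED_FP, "Alice"]),   # signed by vetted key
    "\t".join(["2" * 40, "N", "", "Bob"]),             # unsigned
    "\t".join(["3" * 40, "G", "9" * 40, "Mallory"]),   # valid sig, unknown key
    "\t".join(["4" * 40, "B", TRUSTED_FP, "Alice"]),   # tampered: bad signature
])


@dataclass(frozen=True)
class Finding:
    commit: str
    author: str
    status: str
    fingerprint: str
    accepted: bool
    reason: str


def evaluate_commit(commit: str, status: str, fingerprint: str, author: str,
                    trusted: Dict[str, str]) -> Finding:
    """Accept only a good signature ('G') from an allowlisted key.

    Status is checked first so that a bad or revoked signature is rejected
    even when the fingerprint belongs to a trusted key.
    """
    if status != "G":
        return Finding(commit, author, status, fingerprint, False,
                       STATUS_TEXT.get(status, "unknown status %r" % status))
    if fingerprint not in trusted:
        return Finding(commit, author, status, fingerprint, False,
                       "good signature but key %s is not on the allowlist"
                       % fingerprint)
    return Finding(commit, author, status, fingerprint, True,
                   "signed by " + trusted[fingerprint])


def evaluate_log(log_text: str, trusted: Dict[str, str]) -> List[Finding]:
    """Parse tab-separated log lines and evaluate every commit."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError("unexpected log line: %r" % line)
        commit, status, fingerprint, author = parts
        findings.append(evaluate_commit(commit, status, fingerprint, author, trusted))
    return findings


def history_is_trusted(log_text: str, trusted: Dict[str, str]) -> bool:
    """True only if every commit in the range passes the policy."""
    return all(f.accepted for f in evaluate_log(log_text, trusted))


if __name__ == "__main__":
    for f in evaluate_log(SAMPLE_LOG, TRUSTED_FINGERPRINTS):
        verdict = "ACCEPT" if f.accepted else "REJECT"
        print("%s %s %-8s %s" % (verdict, f.commit[:12], f.author, f.reason))
    print("history trusted:", history_is_trusted(SAMPLE_LOG, TRUSTED_FINGERPRINTS))
```

The caveat that matters for Kayra's proposal is in the allowlist: a signature only proves that whoever made the commit held a particular private key. It says nothing about who that person is unless the key was bound to a verified identity out of band, which is exactly the step a PreCheck-style vetting programme would supply. Without that binding, a "good" signature from an unknown key (Mallory's commit above) is no more trustworthy than an unsigned one.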
This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.
Looking for a handy mnemonic to remember the importance of security basics during eras of rapid innovation? Well, if you visit the Absolute AppSec merch store, you may find just the memory jog you’re looking for. The Crocs ’n’ Socks tee reminds everyone that it’s cool to take on the Dad criteria in your day-to-day security role.
And, as always, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack.
Stay Secure,
Seth & Ken
https://www.youtube.com/watch?v=8YtO-0kuM8M - Episode # 128 - Stefan Edwards/David Coursey - PHP, Backdoors, and AppSec Nihilism - There is some interesting discussion on signed commits as a solution that could help secure Software Supply-Chains in the aftermath of a backdoor discovery.
https://www.youtube.com/watch?v=THvjSVgaehE - Episode #216 - Security SDLC, Time Management, How AI can help in security day-to-day. A wide-ranging discussion throughout the episode. Stick around for the segment on how Seth and Ken try to get into flow, and note how the question of whether AI tools help or hinder the DevSec pipeline relates to some of the concerns that bubbled up in this week’s episode.
https://www.youtube.com/watch?v=NHdRsItU9Fk - Episode #64 – Hijacked Gems, Zoom RCE, and Marriott/Starwood Breach Fines - This 2019 episode, relatively early in the podcast history, covers a Ruby Gem backdoor. “This supply-chain risk is just getting insane”, says Ken. Harbingers of evolving problems.
Absolute AppSec Happenings
https://outsidetheasylum.blog/humans-are-insecure-password-generators/ - Humans are Insecure Password Generators And They're Currently Being Cracked by Isaac King at Outside the Asylum - If you were looking for another reason to use a password manager that randomly generates passwords for you, Isaac King is providing them: “The fact is, when a human thinks of a password to use for themselves, this is a fundamentally insecure process. We have no cryptographic guarantees about the human brain like we do about a carefully-designed computer algorithm, and mounting evidence shows that humans are in fact quite predictable.”
https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/ - How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation by Sean Heelan - Sean’s write-up shows how vulnerability research can now, with newer models, benefit from LLM help in exploring code for bugs: “If you’re an expert-level vulnerability researcher or exploit developer the machines aren’t about to replace you. In fact, it is quite the opposite: they are now at a stage where they can make you significantly more efficient and effective.”
https://www.geoedge.com/malvertisings-new-threat-exploiting-trusted-google-domains/ - Malvertising’s New Threat: Exploiting Trusted Google Domains by Moriya Pedael - A new variation on a style of attack similar to the infamous Magecart card-number harvesting exploits. “Unlike traditional malvertising campaigns that rely on suspicious ads or redirects, this attack weaponizes the legitimacy of high-quality sites and clean ad placements.”
Upcoming Events
Where in the world are Seth and Ken?
June 16-17, 2025 - Practical Secure Code Review - AI Enhanced - Given the recent demand, the duo returns with a virtual training that includes the latest AI updates as the tooling continues to evolve.
August 11-12, 2025 - Harnessing LLMs for Application Security - Back to DEF CON, but this time with an updated course. Integrating LLMs into AppSec from static to dynamic analysis. Tips, tricks and more.