Episode #300 - THIS!! IS!! APPSEC!!
Reminiscing on the past almost 8 years of Absolute AppSec, and the evolution of the AppSec industry.
This week on Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) are celebrating their 300th episode of the podcast! When they started in 2018, Ken was still 6 years out from co-founding Dry Run Security, and Seth’s company, Redpoint Security, was in its early days. The connection to the wider application security community that Absolute AppSec has fostered is invaluable—they have connected with people they otherwise would not have met by putting themselves out there and discussing security. They’ve been able to travel, help others further their careers, and platform groundbreaking research. Seth has even found one of Redpoint’s team members through the podcast. To every listener and contributor: thank you, thank you, thank you! Find this episode at https://www.youtube.com/@AbsoluteAppSec, or wherever you get your podcasts.
“Feels like things are changing, but the more things change, the more they stay the same. […] Over and over and over, the topics that we’ve discussed [have come back to] the Crocs and Socks of security.”
Seth and Ken have covered a lot of topics from the podcast’s founding to now. At the 300-episode mark, it is a good time to take stock, looking at how AppSec has evolved in the past 7 years. In 2018, many organizations were attempting to emulate “hip” security programs, such as the Netflix-style approach, characterized by developer empathy and security at scale through prebuilt paths. Eventually, through private conference conversations, the industry realized that the reality of these programs was not always discussed publicly. There are many different types of cultures and considerations, and the one-size-fits-all approach was incorrect. The current focus seems to be shifting back to the fundamentals and the nuts and bolts of managing a program, which Seth attributes partly to the inclusion of AI in day-to-day security operations.
Another popular idea during this period was the concept of “shifting left” to introduce security earlier in the SDLC. This “shift left” involved creating paved paths, à la the Netflix model. Ken believes this is ultimately a largely unattainable myth: while it works at scale with a large enough team, applying it to a startup is not a good idea, as it fails to account for resourcing, management, compliance, and the specific application environment. In a similar vein, for several years there were lots of security-conference talks on building security champions programs, which receive much less focus now. Seth recalls that such programs, as promoted at conferences, often lacked the proper knowledge and stipulations needed for effective management. While the concept hasn’t entirely failed, it fell out of favor because many tried it without proper knowledge.
“Bug bounty is still a huge market… It’s not a one-size-fits-all solution. And not having the proper infrastructure internal to an organization to actually deal with bug bounty […] makes for a really bad experience.”
Bug bounty programs were another huge topic that everyone wanted to implement around the 2018-2019 timeframe. Ken observes that while bug bounty is still a massive market that reduces security issues, it's not a one-size-fits-all solution. Lacking the proper internal infrastructure to handle the reports leads to bad experiences for both researchers and developers. It was ineffective for startups with only a few engineers due to the effort, time, and cost required to validate and triage the bug reports a bounty program can generate. Ken feels the industry now better understands what running such a program requires.
Seth explains that bug bounty is a proactive effort and should only be considered when the organization is not "treading water" or constantly being reactionary (e.g., managing tool alerts, developer pings, security reviews, etc.). He believes the program is most helpful when used privately, with the best researchers, to test features before general availability. Seth also shares concerns from other security professionals about the influx of lower-quality submissions (from "skiddies," or script kiddies) and the exit of quality researchers, which is hurting programs.
“[Security is] becoming more of a business process. We’re becoming more integrated into the overall development life cycle.”
AppSec has evolved positively with greater industry savvy and a greater focus on business value. There’s a concerted effort to unify tooling and streamline operations, leading to better metrics and ROI. Threat modeling has become more agile, shifting from monolithic frameworks to nimble, point-in-time developer assessments. Training is now understood to be effective when it is for the right purpose, with the right people, and if the content is relevant to the specific environment.
There has also been a decline in the prevalence of traditional, easy-to-exploit flaws like XSS and SQL injection due to framework improvements and browser controls, allowing practitioners to focus on more complex business logic and edge-case security. The flip side is that the flaws being introduced today are generally more complex, often involving edge cases, business logic, or gaps in layered security best practices. This complexity requires more focused threat and vulnerability analysis.
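To make that shift concrete, here is an added example (not code from the episode, and not from Redpoint Security or DryRun Security) that puts the two eras side by side. The invoice table, the users alice and bob, and the three handler names are all constructed for illustration. The legacy handler builds SQL by string formatting, the kind of flaw frameworks now prevent by default; the parameterized handler is immune to injection but still hands one user another user's record, because ownership is business logic that no framework can infer; the third handler adds that check explicitly. Comparing the row counts shows why the remaining work has moved to authorization and logic review rather than input syntax.

```python
import sqlite3

# Constructed sample data (not from the episode): two users, one invoice each.
INVOICES = [("inv-1", "alice", 120), ("inv-2", "bob", 999)]


def make_db():
    """Build an in-memory SQLite database holding the constructed invoice rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id TEXT PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    conn.commit()
    return conn


def get_invoice_legacy(conn, invoice_id):
    """The 2018-era bug: SQL assembled by string formatting, so input is parsed as SQL."""
    query = f"SELECT id, owner, amount FROM invoices WHERE id = '{invoice_id}'"
    return conn.execute(query).fetchall()


def get_invoice_parameterized(conn, invoice_id):
    """What a modern framework or ORM does by default: the input is bound as a value."""
    query = "SELECT id, owner, amount FROM invoices WHERE id = ?"
    return conn.execute(query, (invoice_id,)).fetchall()


def get_invoice_authorized(conn, invoice_id, requesting_user):
    """Parameterized *and* scoped to the caller.

    The ownership rule is business logic the framework cannot know about, so it
    has to be written, and reviewed, explicitly.
    """
    query = "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?"
    return conn.execute(query, (invoice_id, requesting_user)).fetchall()


def compare_handlers(invoice_id, requesting_user):
    """Run one request through all three handlers and report rows returned by each.

    Returns a dict of handler name -> row count so the injection flaw and the
    authorization flaw are visible side by side on the same input.
    """
    conn = make_db()
    try:
        return {
            "legacy": len(get_invoice_legacy(conn, invoice_id)),
            "parameterized": len(get_invoice_parameterized(conn, invoice_id)),
            "authorized": len(get_invoice_authorized(conn, invoice_id, requesting_user)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Classic tautology input: only the string-built query is affected.
    print(compare_handlers("inv-1' OR '1'='1", "alice"))
    # Plain ID of another user's invoice: the parameterized handler is
    # injection-safe but still returns bob's row to alice; only the explicit
    # ownership check stops it.
    print(compare_handlers("inv-2", "alice"))
```

The second call is the interesting one for a code reviewer: every scanner that flags string-built SQL will pass the parameterized handler, yet it still leaks bob's invoice to alice. That gap is exactly the "more complex, business logic" class of flaw the episode describes, and it is found by reading the handler against the access rule, not by pattern matching.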
This episode is sponsored by DryRun Security. Authorization flaws are some of the trickiest security gaps—permissions get messy, logic gets overlooked, and suddenly, users have access they shouldn't. DryRun Security helps you catch these risks early with Natural Language Code Policy (NLCP). Their most recent blog post covers their new Code Insights MCP, a Concierge for creating Secure Code.
Are you looking to bulk up your clothing collection for fall weather? Well, the Absolute AppSec merch store might just have what you’re looking for. Pick out a hoodie or beanie to keep your core temperatures nice and toasty.
And, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover as well as pick the brains of a number of industry experts.
Stay Secure,
Seth & Ken
https://www.youtube.com/watch?v=beGo7l0u5cY - Ep. #37 with Stefan Edwards - A discussion on programming language theory, philosophy, and legal implications in the industry. Nothing like doing a live interview with someone at a highway rest stop.
https://www.youtube.com/watch?v=b5IVhnboDIY - Ep. #147 with James Kettle - A good look at all things security research with the Portswigger head of research, mentioned during this week’s episode as one of the most-viewed episodes in the history of the podcast.
https://www.youtube.com/watch?v=4lFgAMLSSjw - Absolute AppSec after Dark - There’s nothing like digging into code bases live! These episodes are some of Seth and Ken’s favorites.
Absolute AppSec Happenings
https://blog.includesecurity.com/2025/10/production-security-not-that-kind/ - “Production Security, Not That Kind” analyzes the Allen & Heath SQ-6 audio mixer, finding that its mobile apps use easily bypassed client-side authentication. Additionally, the mixer’s crucial MIDI control service is exposed with no network authentication, allowing an attacker to remotely disrupt live sound with simple commands.
https://ventureinsecurity.net/p/learned-helplessness-is-hurting-the - Ross Haleliuk from Venture in Security argues that the cybersecurity industry suffers from “learned helplessness,” a mindset where professionals stop trying to improve security because they believe failure is inevitable. What is the mental impact of the phrases, “It’s not if, it’s when” or “Attackers only need to be right once”? Do these narratives discourage investment, creativity, and optimism?
https://www.magonia.io/blog/maximizing-the-value-of-threat-indicators-and-reimagining-their-role-in-modern-detection/ - This article re-examines the role of IOCs in modern cybersecurity, arguing they are undervalued due to the focus on behavioral detection. An IOC’s value lies in its context and enrichment, not just its type. The post advocates for using high-quality, contextualized IOCs—such as fuzzy hashes and unique domain patterns—to force attackers to adapt, thereby creating more detection opportunities.
Upcoming Events
Where in the world are Seth and Ken?
October 21-24, 2025 - SAINTCON 25 - Seth is helping run the AppSec Community at Saintcon in Provo, UT this week. Come solve vulnerabilities in code and get some of that sweet, sweet, swag.
November 20-21, 2025 - Harnessing LLMs for Application Security - VIRTUAL TRAINING - For developers and cybersecurity professionals seeking to harness the power of Generative AI and Large Language Models (LLMs) to enhance software security and development practices.
December 8-11, 2025 - Next-Gen Secure Code Review: Black Hat Edition - Seth and Ken are bringing a four-day exclusive course to Black Hat Europe in London, UK. This is a great opportunity to get a truly in-depth understanding of secure code review and how it can be empowered through LLM tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.
