Episode #308 w/ Avi Douglen

Privacy, AppSec Conferences, OWASP

This week on Absolute AppSec, we are featuring episode #308, where Seth (@sethlaw) and Ken (@cktricky) welcome Avi Douglen (@sec_tigger), a long-time OWASP Global Board of Directors member and co-author of the Threat Modeling Manifesto. The conversation stretches from Application Privacy, into participating in community meetups, and Avi’s experience as an OWASP board member. Avi Douglen is the founder and CEO of Bounce Security and recently completed a three-term tenure on the OWASP Global Board of Directors. As a coauthor of the Threat Modeling Manifesto and a leader in the OWASP Israel community, Douglen brings decades of practical experience in architecture, development, and high-level security governance to the conversation. To find this episode, go to https://www.youtube.com/@AbsoluteAppSec/streams, or find us wherever you get your podcasts.

“Humans are messy. And privacy is not a technical thing. It is technical, but it’s also very human-oriented.”

Avi

A central discussion during this episode is the transition from traditional security to a more integrated approach toward application privacy. Douglen highlights his work on the Application Privacy Verification Standard (APVS), a project intended to serve as a sister standard to the well-known Application Security Verification Standard (ASVS). This new standard aims to provide developers, architects, and product managers with actionable, non-legal requirements for building privacy-respecting systems. Douglen explains that while security often focuses on binary confidentiality—whether someone is allowed to see data—privacy is far more subjective and contextual. He introduces a concept he calls the “cringe factor” to describe the visceral feeling users have when an application uses their data in ways that feel inappropriate, even if those actions are technically legal.

When it comes to implementing these concepts in real-world organizations, Seth notes that most companies currently view privacy only through the narrow lens of compliance, such as GDPR, and rarely consider it as a core design principle. Ken adds that he has observed developers trying to address privacy issues through technical controls such as logging filters, while lacking a deep understanding of how data flows across their entire ecosystem. Shifting the industry mindset from “collect everything now and figure it out later” to “data minimization” is a significant but necessary hurdle.

“One of the things I’m most proud of is increasing volunteerism. […] That’s what OWASP is. It’s a huge community, but [the Global Board] is run by a staff of seven people on a shoestring budget. It’s based on volunteers worldwide, and we have tens of thousands of people participating in the community.”

Avi

The conversation also delves into Douglen’s time at OWASP, where he faced the unique challenges of steering the global, decentralized organization through the COVID-19 pandemic. While there were points of pride—including increasing volunteerism and professionalizing the board’s election and qualification processes—there were also frustrations regarding the bureaucratic necessity of rewriting bylaws, which consumed significant time without directly advancing the community’s technical goals. There is a delicate balance between corporate sponsorship and community integrity within OWASP. Ken and Seth discuss how companies are incentivized to influence OWASP standards, such as the Top 10, to favor their specific products or market niches. While acknowledging that corporate contributions are essential for funding, Douglen emphasizes that the organization’s transparency is its greatest defense against bad actors who might try to manipulate standards for commercial gain.

The strength of organizations like OWASP relies entirely on the initiative of its members, which is why both our hosts and Douglen encourage listeners to break out of their professional bubbles through community engagement. Volunteering at conferences or local chapters is one of the most effective ways for introverted security professionals to build networking skills and industry visibility. Career breakthroughs often come from the connections made while collaborating on open-source projects or at local meetups, rather than from certifications alone.

This episode is sponsored by DryRun Security. The recent news from the DryRun folks is that they’ve brought Justin Collins, the developer of Brakeman and recent Gusto head of Security, into the fold. His introductory blog post is up this month. Check it out here: https://www.dryrun.security/blog/why-i-joined-dryrun-security

We’re looking at a brutally cold weekend, but our merch store has got you covered. Pick a size and color for yourself or friends below:

The nicest swag is still available in the Absolute AppSec store!

If you have thoughts or predictions for how to protect your apps and work with third-party packages, join the discussion on our Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover, as well as pick the brains of a number of industry experts.

Stay Secure,

Seth & Ken

https://www.youtube.com/watch?v=YfDY6wunIEY - Episode #303 - w/ Prof. Brian Glas - OWASP Top 10 2025 - For more on OWASP projects in action, this episode focuses on the process for compiling the list.

https://www.youtube.com/watch?v=hQOm1sKhY2I - Episode #269 - Security Conferences, What Sucks in AppSec - We talked about the importance of engaging in the security community, so here are some complaints about security conferences and how to build a conference network.

Absolute AppSec Happenings

https://www.theguardian.com/us-news/ng-interactive/2026/jan/18/tech-ai-bubble-burst-reverse-centaur – Cory Doctorow argues that the AI boom is a speculative bubble fueled by monopolists seeking growth. Instead of empowering what he calls “centaurs,” or humans assisted by machines, tech firms create “reverse centaurs”—workers serving as meat appendages to algorithms. AI won’t replace jobs, but it will be used to devalue labor and evade accountability.

https://medium.com/@danielhammon1/blind-boolean-based-prompt-injection-62a3bfc38101 – Daniel Hammon introduces Blind Boolean-Based Prompt Injection (BBPI), a technique to leak system prompts from LLMs with restricted, static outputs. By forcing the model to return specific categories (e.g., “Primary” vs. “Secondary”) based on true/false statements, attackers can brute-force confidential information, bypassing traditional output-based security constraints.

https://ventureinsecurity.net/p/if-you-ask-these-two-questions-youre – Ross Haleliuk argues that two common security questions—“Do we need so many point solutions?” and “Are we getting more secure?”—miss the point. He asserts that choice drives innovation and that while maturity is increasing, the attack surface expands faster, making specialized startups and strategic planning more essential than ever.

Upcoming Events

Where in the world are Seth and Ken?

March 21-22, 2026 - BSidesSF - Watch this space for the details regarding a panel with Seth and Ken taking place in San Francisco in March.

April 7-8, 2026 - Harnessing LLMs for Application Security - IN PERSON at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!

April 21-24, 2026 - Next Gen Appsec & Secure Code Review: Black Hat Edition - In person training at Black Hat Asia. After a successful inaugural version of the 4-day BlackHat exclusive course at BlackHat Europe, Seth and Ken are leading the training again in Singapore. Find more information and register at the link above.

April 26-27, 2026 - Harnessing LLMs for Application Security - In person training at DEF CON Singapore. The early bird price is valid until February 8, 2026, so be sure to register now if you’re looking to enhance your day-to-day AppSec processes with the power of LLM agents.