Episode #312
A cost/benefit analysis of vibe coding and the subsequent security burnout, and the potential democratizing of responsibility through AppSec scorecards.
This week on episode 312 of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) are back and discussing the double-edged sword of vibe coding. While AI agents often write better functional tests than humans, they frequently struggle with nuanced authorization patterns and inherit debt as foundational models change behavior over time. The greatest security risk to an organization is not AI itself, but an exhausted security team. Seth and Ken have a lot to say about burnout, how it often manifests as a silent withdrawal, and emphasize that managers must proactively draw out these issues within organizations that often treat security as a mere cost center. Additionally, they review new defensive strategies, such as TrappSec, a framework for deploying canary API endpoints to detect malicious scanning. To find this episode, head over to https://www.youtube.com/@AbsoluteAppSec/streams, or find us wherever you get your podcasts.
“There is a cost associated with vibe coding, or AI-generated code. You just don’t see it until a little further down. Then it’s like, oh crap, I need to correct an instrument […] and then something new ships in two or three weeks and that changes everything again. There is an upkeep cost, and it’s very frequent upkeep.”
The discussion of vibe coding centers on upcoming training sessions, including Harnessing LLMs for Application Security at KernelCon and DEF CON Singapore. These courses are designed to teach professionals how to use LLMs for complex security tasks like source code analysis and automated threat modeling. This leads into a conversation about vibe coding—the growing trend of non-developers using AI agents to generate entire applications simply by describing them. To Seth and Ken, this trend is both fascinating and scary. Seth notes that while AI agents can be diligent about writing unit tests, a task human developers often skip, they also introduce unique vulnerabilities. Ken shares a firsthand experience where an AI model failed to respect authorization settings he had explicitly defined, essentially creating strange authorization patterns because the model did not fully understand the context of the existing codebase. They agree that while AI democratizes app creation, it sweeps many sharp edges under the rug, potentially leading to a new wave of “shadow IT” similar to the early days of cloud adoption.
The conversation shifts to the most pressing risk in AppSec today: exhausted security teams. Referencing a recent post by security leader Caleb Sima, Seth and Ken discuss how the rapid pace of change in AI is overwhelming teams already struggling to keep the lights on. The biggest risks are rarely technical; they are human. Seth points out that security teams are often viewed as cost centers rather than revenue generators, which can lead to a lack of executive sponsorship and eventual burnout.
“If you don’t measure [where things are going wrong], you’re never going to [mature] because you’re always going to get hand wavy. People don’t want to give bad news, and so you’ve got to find a way to uncover where things are going wrong without attributing blame […] and give people the opportunity to improve themselves without too many consequences.”
They end the episode by discussing the value of security scorecarding as a high-maturity activity designed to provide data-driven analysis of an organization’s security health without the interference of internal politics. The hope is that aggregating various metrics into a visible grade will help companies foster a proactive security culture, rather than a seasonal compliance task. Effective scorecards aim to uncover systemic weaknesses without attributing blame, allowing teams to focus on fixing high-impact issues. There are a few models that act as benchmarks for successful scorecarding. Chime’s Monocle uses repository badges that display grades from A to D; GitHub uses fundamental scorecards to track specific requirements like secret scanning and durable ownership; and Netflix has long utilized a wall of shame/pride where the security status of every service was public to everyone in the company.
This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers developer appsec and secure-code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.
Groundhogs can’t convince us that we’re not on the cusp of t-shirt weather; I mean just look at our merch store. Pick a size and color for yourself or friends below:
If you’re experiencing burnout and need a place to spark some inspiration, come hang out on our Slack. We’ve all been there, and the lively discussion will breathe some life back into your days.
Stay Secure,
Seth & Ken
https://www.youtube.com/live/WGBkmlc2Y6A - Episode #228 w/ Chime Security Engineering - Monocle - Referenced in this week’s episode by Ken, the podcast had David Trejo (@[email protected]) and Paul Kuliniewicz, security engineers at Chime, join to discuss the challenges and successes of implementing an effective product security program.
https://www.youtube.com/live/_mLdHgI-P8U - Episode #252 w/ Rami McCarthy - Rami McCarthy’s episode presents a lot of great advice on how to build a security team for long-term success. The scorecarding article discussed during this week’s episode is just one of Rami’s many insights. (His site ramimac.me is a good resource generally if you’re looking for more)
https://www.youtube.com/watch?v=ItT-_l-5KiQ - Absolute AppSec’s Midwinter’s Con (co-sponsored with LojiKil) - Aaron Rinehart / Security Chaos Engineering: Improving Security by Experimenting with Failure - Rolling back to 2020 for this insightful talk by Aaron Rinehart on Chaos Engineering. As Seth and Ken point out this week, security builds resilience not through blame, but by embracing the value of testing over time. (Also, bear in mind, it’s been a hot moment since we had an Absolute AppSec conference, so watch out for some interesting things coming down the pike).
Absolute AppSec Happenings
https://currentaffairs.org/ai-is-destroying-the-university-and-learning-itself – By way of a recent Slack discussion introduced by Brian Glas, this article argues that AI is cannibalizing higher ed by replacing intellectual struggle with automated convenience. Universities cut faculty to fund corporate AI partnerships, students use AI to bypass learning, and professors use it to automate grading.
https://redpointsecurity.com/identify-and-overcome-destructive-fatique – Are you burnt out? Redpoint Security’s own Justin Larsen was, too. He talks about the importance of prioritizing mental health and reconnecting with your passion in this blog post.
https://shumer.dev/something-big-is-happening — Matt Shumer warns that AI has reached a tipping point comparable to the early days of COVID. Recent models now possess judgment and taste, enabling them to handle complex professional work independently, which will soon disrupt knowledge-based industries. He has some suggestions of what you should do today to set yourself up for AI’s tomorrow.
Upcoming Events
Where in the world are Seth and Ken?
March 21-22, 2026 - BSidesSF - Watch this space for the details regarding a panel with Seth and Ken taking place in San Francisco in March.
April 7-8, 2026 - Harnessing LLMs for Application Security - IN PERSON at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!
April 21-24, 2026 - Next Gen Appsec & Secure Code Review: Black Hat Edition - In-person training at Black Hat Asia. After a successful inaugural version of the 4-day BlackHat exclusive course at BlackHat Europe, Seth and Ken are leading the training again in Singapore. Find more information and register at the link above.
April 26-27, 2026 - Harnessing LLMs for Application Security - In-person training at DEF CON Singapore. Be sure to register now if you’re looking to enhance your day-to-day AppSec processes with the power of LLM agents.
