- This Week on Absolute AppSec
- Posts
- Episode #317 - Post-RSAC/BSidesSF, Supply Chain Security, Future of SDLC
Episode #317 - Post-RSAC/BSidesSF, Supply Chain Security, Future of SDLC
On RSAC and BSidesSF, AI snake-oil salesmen, and the myth of the One True Secure Framework.
Seth Law
April 10, 2026
This week on Absolute AppSec Episode 317, Seth (@sethlaw) and Ken (@cktricky) are back to debrief after RSAC and BSidesSF, covering everything from logistics to cultural conversation points. BSides San Francisco has grown significantly in the past few years, now rivaling BSides Las Vegas in terms of organizational quality and the caliber of research presented. Both Seth and Ken agree that there was an improvement in security personnel, creating a more respectful atmosphere that fostered people’s desire to linger in the hallways, which is essential to the community. While both conferences’ content was highly polished, it is challenging to balance cutting-edge, novel research with the needs of beginners. The high volume of speaking applications allows committees to curate advanced tracks that could inadvertently sideline newcomers to the field. Seth and Ken have a lot more to say, specifically on the attitudes towards AI at both of these spaces. To hear them directly from our host’s mouths, go to https://www.youtube.com/@AbsoluteAppSec , or find us wherever you get your podcasts.
“[New AI projects] is where [funding] goes. It’s not for better engineering. It almost feels like you take that money and you’re forced into that path, right? We’ve got to be the name that goes up on everybody’s lips the second that they start talking about generative AI.”
Next, Seth and Ken address the overwhelming presence of AI on the RSAC expo floor, with Seth describing it as being saturated with AI-enhanced marketing. Despite this heavy investment in branding, there is a significant gap between marketing claims and technical reality. When pressed on specifics on things like Retrieval-Augment Generation or actual implementation, many vendor representatives struggled to provide any substantial answers. Despite unprecedented times in the industry, amid recent layoffs and economic uncertainty, Ken says there is nervous excitement in the room rather than pessimism. He sees AI’s presence on the sales floor as representing an awakening among legacy deterministic tools vendors who now recognize that an AI native approach is inevitable to avoid obsolescence, even if their current enterprise requirements make a total pivot difficult.
“I don’t believe that there’s going to be one true secure framework that we’re all going to use. If anything, we’re going to splinter, and then people are going to utilize the skills that they have and the fact that they can quickly prototype things to get off of third-party dependencies.”
This transitions into a discussion on the security of the AI supply chain and the practicalities of building AI-driven solutions. With the recent leak of Anthropic’s “Mythos,” which reportedly resulted from a failure of basic security hygiene on internal wikis, our hosts can’t help but find it ironic that an organization promoting advanced code security failed to uphold its own principles on its own properties. Ken is skeptical of the constant cycle of model upgrades, arguing that significantly more expensive models like those in the pipeline may not offer the same value as highly tuned, smaller language models. He shared a recent experience where a potential customer spent a fortune trying to build a custom AI solution only to realize that the engineering discipline and evaluation rigor required are far greater than most organizations anticipate.
Despite this revolutionary tooling, there has been a wave of high-profile supply chain attacks that serve as a reminder to stay vigilant. Specifically, the compromise of the Axios HTTP package. This incident is a springboard to discuss the enshitification of security and the growing popular fallacy of the “One True Secure Framework.” Both Seth and Ken agree that no single AI tool or framework will ever secure it all because the human element, architectural flaws, and the constant evolution of dependencies create a landscape too complex for a silver bullet solution. .
This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers developer appsec and secure-code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.
Sprouts are coming up, so now’s the time to display your solidarity along with your support for the Podcast. Check out the selection of green tees in our merch store. (There are other colors as well). Tee-shirts are great gifts for yourself or your friends:
Spring green tees are available now!
If you attended RSAC or BSidesSF, feel free to drop your thoughts in our Slack. We’ll be out doing an in-person training at Kernel Con next week, but we’ll be back before you know it.
Stay Secure,
Seth & Ken
https://www.youtube.com/live/moF-GnRNmkc – Episode Ep #284 - After 2024 BSides SF and RSA, Seth and Ken recap their experience at both conferences. Some additional thoughts where AI is starting to take hold.
https://www.youtube.com/live/mzS79dUiYno– Episode #206 - RSA in 2023, Seth and Ken are back to discuss what the RSA conference did, and did not, reveal about the current state of application security. Also touches on the introduction (!!) of ChatGPT, a recent breach, and AI’s role in generating more content.
https://www.youtube.com/live/IPCdTWXT5uQ – Episode #205 - Decline of AppSec, Death of Code Review - With all the noise around death of cybersecurity around AI, this episode revisits some thoughts on wild takes.
Absolute AppSec Happenings
Social Engineering Attack Targets Open Source Developers via Slack Impersonation – If you are a part of our Slack channel, you already know why this article is relevant. Why is Seth privately slacking members for a project he “isn’t ready to take to the group” at 6 in the morning? Luckily, nothing gets past our listeners. More on this experience in our next episode. Stay tuned!
Organizational Politics and the Security Program – Phil Venables argues that organizational politics is a neutral tool for using influence to achieve security goals. Success requires navigating power structures, building alliances, and embedding security into existing business processes.
Upcoming Events
Where in the world are Seth and Ken?
April 26-27, 2026 - Harnessing LLMs for Application Security - In-person training at DEF CON Singapore. Be sure to register now if you’re looking to enhance your day-to-day AppSec processes with the power of LLM agents.
August 1-4, 2026 - AI-Enhanced Secure Code Review: Black Hat Edition - Seth and Ken are bringing a four-day exclusive course to Black Hat. This is an update on the exclusive version of the course offered at Black Hat Europe. Early bird pricing is ongoing, so it’s a great opportunity to get a truly in-depth understanding of Secure-Code Review and how it can be empowered through LLM-tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.