This week on Absolute AppSec, the 325th episode is all about threat modeling. Co-hosts Seth Law (@sethlaw) and Ken Johnson (@cktricky) argue that overly prescriptive frameworks like STRIDE only add to the load on developers, and instead make the case for simplified, creative questions that expose architectural gaps. While rapid technological development in 2026 pushes toward automated lifecycles, human oversight, critical logging, and constructive friction remain essential. Next, they dissect a research paper exploring the philosophical definition of a vulnerability, framing it as a system disposition arising from a fault that manifests as a failure only when environmental and attacker conditions are jointly met. To find this episode, head over to https://www.youtube.com/@AbsoluteAppSec/streams, or just search Absolute AppSec wherever you get your podcasts.

“The cognitive load that we induce on developers from a security perspective is directly related to how quickly they fix the vulnerabilities […] or make changes to their architecture. We need to simplify down our actual threat models that we propose and make it digestible.”

Seth

Our discussion on threat models is inspired by a great piece from the Sotok Blog: An informal guide to threat models. If you’ve been around the block, you know that threat modeling can get buried under a ton of bureaucratic fluff. Frameworks like STRIDE are great, but once you make the threat model too complex, you lose the people who actually need to use it. A comment from the Slack channel summarized it best: threat models should be written for the audience, not to satisfy a framework. We advocate for stripping away the academic jargon and sticking to basic, intuitive questions. What are we protecting? Who wants to mess with it? How could they break it? What are we doing to stop it? This discussion makes Ken think of his days at GitHub. His team was pushed to change how private repository images were stored on S3, but Ken didn’t look at a single line of code, instead spending 10 minutes looking at a basic data flow diagram. He immediately realized that while steps one through six were super secure, step seven let you bypass them entirely and go straight to the asset. It was incredibly obvious once it was laid out, but automated tools would have completely missed the logic flaw. That’s the kind of creative friction you only get when humans sit down and think critically.

This naturally led to a discussion on how teams handle things inside their actual development pipelines. Ken shared that over at Dry Run, they require engineers to show their work by attaching their planning models directly to pull requests. Because they build high-performance systems using Golang, a lot of their code has to be bespoke rather than relying on standard libraries. When you’re writing code that is fast and optimized, maintaining clear coding standards and transparent design plans is your only real safety net. This points to another massive gap in AppSec: everyone focuses on listing what can go wrong, but almost nobody plans for when things actually blow up. Both Seth and Ken have lived through enough security incidents to know that good logging hygiene is everything.

“…even if it’s not exploitable, there is still a risk in that […] a risk that someone makes it exploitable. So even though it’s a teeny tiny amount of risk today, that can be monumental risk tomorrow based off of conditions that materially change.”

Ken

Seth and Ken wrap up the episode with a philosophical brain melter—what actually defines a vulnerability? We looked at a recent exploration on the ‘Vulnerability Identity Crisis’ that attempted to break it down into a formal formula. To them, a vulnerability is a system flaw that manifests as a security failure only when an attacker and the right environmental conditions show up at the exact same time. Think of it like a sheet of glass. It has an inherent disposition to shatter, and while it isn’t shattered right now, under the right conditions—say, a rock thrown at it—it will break. In our world, some practitioners argue that if a flaw is buried deep in dead or unreachable code, the risk is zero, so it’s not a real vulnerability. Seth strongly disagrees with that outlook, saying a vulnerability is the flaw itself—the chink in the armor. Even if the exploitation risk is practically nil today, software changes at lightning speed. A developer making a quick modification tomorrow could suddenly expose that deep function to user input, and your “zero-risk” bug instantly becomes a critical exploit. As experts, your job is to call out those structural weaknesses early so teams aren’t blindsided when the environment changes around them.

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers developer appsec and secure-code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.

We’re all about going back to basics and keeping it simple. Don’t you wish you had a plain white tee that reminded you of these principles? Our Crocs and Socks tee-shirts are great gifts for yourself or your friends:

Basics are back. CrocsSocks4EVER.

If you are looking to get deep and philosophical, there’s a place for you in our Slack; just send us a note to join the channel. Sit down, relax, and stay a while.

Stay Secure,

Seth & Ken

https://youtube.com/live/r2-G_BTVd3o – Episode #308 - w/Avi Douglen - Privacy, AppSec Conferences, OWASP - Avi Douglen, co-author of the Threat Modeling Manifesto, joins Seth & Ken to talk about OWASP, threat modeling, and his experiences in the industry.

https://youtube.com/live/WDlElw15xHY – Episode #266 - Scope of Penetration Testing, Attack Modeling - Penetration testing expectations and how they affect the life of an application security engineer. A follow-up on threat modeling and a new approach being coined as Attack Modeling.

https://youtu.be/l9HcKeLXVjw – Episode #179 - Starting in AppSec, Threat Modeling - Steps anyone can take to get into Application or Product Security based on some recent articles. True security professionals can come from anywhere. This leads to a discussion on threat assessment and threat modeling across the industry.

Absolute AppSec Happenings

Apple ‘Hide My Email’ Vulnerability Reveals People’s Real Email Addresses – A vulnerability in Apple's "Hide My Email" feature allows nearly anyone to uncover a user's real email address, completely undermining the tool's privacy function. A security researcher reported the issue to Apple over a year ago, but the company has failed to fix it. 404 Media successfully verified the flaw through its own testing but withheld exact technical details since the exploit remains active and unpatched.

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation – The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. This high-severity remote code execution (RCE) flaw impacts on-premises Microsoft SharePoint Servers. It stems from the unsafe deserialization of untrusted data, allowing authenticated attackers with low-level "Site Member" permissions to execute malicious code remotely. Microsoft released patches in May 2026, and organizations are urged to apply them immediately.

Do excellent Vulnerability Reports - In this blog post, curl creator Daniel Stenberg provides a guide for submitting high-quality vulnerability reports to open-source projects. He emphasizes that excellent reports feature a clear, human-written summary paragraph, a fully contained script or code reproducer, and an optional code patch. Stenberg urges security researchers to understand the software’s documentation first and remain available to collaborate with overworked maintainers during the validation and advisory process.

Upcoming Events

Where in the world are Seth and Ken?

August 1-4, 2026 - AI-Enhanced Secure Code Review: Black Hat Edition - Black Hat USA, Las Vegas - Seth and Ken are bringing a four-day exclusive course to Black Hat. This is an update of the exclusive version of the course offered at Black Hat Europe. Early bird pricing is ongoing, so it’s a great opportunity to get a truly in-depth understanding of secure code review and how it can be empowered through LLM tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.

August 10-11, 2026 - Agentic AppSec: Harnessing LLMs - DEF CON Training, Las Vegas - Comprehensive course designed for developers and cybersecurity professionals seeking to harness the power of Agentic AI and Large Language Models (LLMs) to enhance software security and development practices. Psst! Hop into our Slack channel to find a discount code for $250 off. Sale ends July 5th.
