
March meandered through C code, mused about secure design, marked a new top ten list, made space for machines, and finally descended into a bit of madness. And every single moment was fun!

Modern AppSec That Keeps Pace with AI Development (ep. 372)

As more developers turn to LLMs to generate code, more appsec teams are turning to LLMs to conduct security code reviews. One of the biggest themes in all the discussion around LLMs, agents, and code is speed — more code created faster. And with that volume comes more vulns.

James Wickett shares why speed continues to pose a challenge to appsec teams and why that’s often because teams haven’t invested enough in foundational appsec principles.

One of the traps in appsec is getting caught up in the volume of security bugs and conflating an acceleration of finding and fixing those vulns with a security strategy. Proactive security that eradicates vuln classes (or makes them very hard to introduce) is always going to be more effective than eternally chasing individual bugs.

Making Medical Devices Secure (ep. 373)

Medical devices are a special segment of the IoT world where availability and patient safety are paramount. Tamil Mathi explains why many devices need to fail open — the opposite of what traditional appsec approaches might initially think — and what makes threat modeling these devices interesting and unique. He also covers how to get started in this space, from where to learn hardware hacking basics to reviewing firmware and moving up the stack to the application layer.

This is one of those episodes that highlights the breadth of industries that appsec covers and why context about the intention of features and the needs of users is so important to threat modeling. Having to design a device where availability is paramount and critical to patient safety requires different tradeoffs than reducing the latency and protecting payment credentials for an online purchase.

Creating Better Security Guidance and Code with LLMs (ep. 374)

What happens when secure coding guidance goes stale? What happens when LLMs write code from scratch? Mark Curphey walks us through his experience updating documentation for writing secure code in Go and recreating one of his own startups.

One of the themes of this conversation is how important documentation is, whether it's intended for humans or for prompts to LLMs. Importantly, LLMs don't innovate on their own -- they rely on the data they're trained on. And that means there should be good authoritative sources for what secure code looks like. It also means that instructions to LLMs need to be clear and precise enough to produce something useful.

This was also fun because Mark did a live demo where he prompted an agent to recreate one of his startups – going from a $20 million investment to less than $50 in tokens!

Why Proactive Security Is Far Better Than Patching (ep. 375)

So much (too much!) of appsec’s effort is consumed by vuln management and a race to patch security flaws. I see that as a symptom of the ease of scanning and the volume of CVEs. It’s something that’s easy to measure, both in finding and fixing, but easy to measure turns into an easy distraction. Erik Nost walks through the principles behind proactive security, why the concept sounds familiar to anyone who knows secure by design, and why organizations still struggle with creating effective practices for visibility.

I don’t think it’s a waste of time to find flaws in code, but I wish the appsec conversations were more heavily weighted towards identifying root causes and sharing software patterns for preventing those flaws in the first place. Which is basically saying we need better ways to emphasize and evaluate secure designs.

Developing the Skills Needed for Modern Software Development (ep. 376)

The future of secure software runs through a mix of skills expected of humans and skills files created for LLMs. We might even posit that appsec as a discipline will fade (and that might not even be a bad thing!). Keith Hoodlet describes the skills he was looking for in building teams of security researchers and why there's still an emphasis on the ability to learn about and understand how software is built.

But figuring out what skills will get you hired and what skills are valuable to invest in still feels daunting to new grads and others entering the security industry. We discuss where the role of appsec seems to be heading and a few of the security and software fundamentals that can help you follow that direction.

Subscribe to catch these episodes and more!