Into the Rabbit Hole: Grumpy Experts Shed Light on the Repeating AppSec Challenges
In this long-form episode of **Dan on Dev**, I’m joined by **Rafal Los**, veteran security strategist and host of *Down the Security Rabbit Hole*. We go deep into the persistent challenges of application security—why they still exist, what we’ve learned (or failed to learn) over the decades, and what real maturity looks like for dev and security teams in 2025.
Whether you're a security leader, AppSec engineer, or developer trying to understand the tension between feature delivery and secure coding—this conversation is packed with insight, sarcasm, and truth bombs from two battle-tested voices in the industry.
🔍 **What you'll learn in this episode:**
- Why the same AppSec issues keep resurfacing—even decades later
- How metrics like time-to-fix and defect recurrence help (or don’t)
- The danger of building tech without business context
- Why many security efforts fail due to poor measurement and collaboration
- Balancing old code debt with future development priorities
- How developers, not just tools, must be enabled and incentivized
- The legacy of 2600, OWASP, and our collective history in security
---
⏱️ **Chapters:**
1. 00:00 – Introduction & welcome
2. 02:04 – Rafal’s AppSec background: from 286s to ExtraHop
3. 05:00 – Early frustrations: AppSec at GE and “magic numbers”
4. 07:25 – Are we winning? Problem growth vs. solution pace
5. 10:30 – Cloud, frameworks, and expanding problem space
6. 13:02 – Fixing isn't just technical: org dynamics and dev behavior
7. 16:25 – Metrics that matter: magic numbers revisited
8. 19:45 – Why devs hate AppSec: legacy issues and bad engagement
9. 22:12 – Risk without business context = meaningless security
10. 25:01 – Real maturity = knowing when to stop spending
11. 28:30 – Law of diminishing returns in AppSec investment
12. 31:00 – The reality of legacy tech debt and microservices
13. 34:50 – Security vs. business pressure: the CTO’s lesson
14. 38:00 – Incentivizing safe code vs. just preaching it
15. 41:10 – Recurring defects and their hidden costs
16. 44:30 – Metrics wrap-up & philosophical closing
---
🌐 **Explore more**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev