The ASW May 2024 Recap
May was hectic! It was light on news segments since our second segments were mostly occupied with short interviews from RSA Conference 2024.
But that means you might be interested in our April Fools episode where we covered some stories from the RSA Conference 20 years ago in 2004. Although this year was almost all AI, the other security topics didn’t sound much different from those two decades ago. Give it a listen in [episode 279].
In the first interview segment, Caleb Sima demystified some of the hype around AI and pointed out how a lot of its security needs match its mundane predecessors. We didn’t get into defining all the different types of AIs, but we did identify the need for more focus on identity and authenticity in a world where LLMs craft user-like content.
Then Keith Hoodlet stopped by to talk about his first-place finish in the DoD’s inaugural AI Bias bug bounty program. He showed how manipulating prompts leads to unintentional and undesired outcomes. Keith also explained how he needed to start fresh in terms of techniques, since there are no deep resources on how to conduct these kinds of tests.
Be sure to check these out for my “walks into a bar” intros ;)
The AI conversations continued with Sandy Dunn, who shared how the OWASP Top 10 for LLMs came about and how it continues to evolve. We talked about why this Top 10 has a mix of items specific to LLMs and items that are indistinguishable from securing any other type of software. It reinforced a lot of the ideas that we had talked about with Caleb the week before.
The next week we covered secure coding techniques for Node.js. Liran Tal shared concepts from his new book and discussed how he approaches secure coding classes in general. He comes from a development background, which is always a plus when bringing appsec concepts into code.
Episode 235 (from the vault)
For the final week, we pulled an episode from April 2023 with Ben Sadeghipour. His background in building communities around bug bounties, not to mention bagging some significant bounties himself, remains just as relevant today. After all, there’s still plenty of insecure software out there and a ton of web sites waiting for review.
Subscribe to ASW to find these episodes and more! Also check out the April 2024 recap.