The ASW July 2024 Recap
July might be summer break, but we shouldn’t let our appsec calculus skills degrade. Each week’s intro presented a different appsec word problem, starting with
A CVE departs a station at 10am.
It has an unreachable destination.
At what time does an appsec team say it needs to be fixed?
Make sure to show your work.
Shout out to Sandy Carielli and Janet Worthington for not only returning to the show, but bringing a wonderfully titled topic to discuss, “Ludicrous Speed — Because Light Speed Is Too Slow To Secure Your Apps”. They covered pre-release and post-release code concerns, such as secure design, DevOps maturity levels, business logic, and bots. Their research comes from talking with a range of practitioners across several industries, which grounds their insights and ideas in reality.
Stuart McClure walked through the implications of trusting AI and LLMs to find flaws and fix code. The fixing part is compelling – as long as the fix preserves the app's intended behavior. He explained how LLMs combined with agents and RAG (retrieval-augmented generation) have the potential to assist developers in writing secure code.
We talked even more AI with Allie Mellen, who pointed out where elements of LLMs might help with reporting and summarizing knowledge, and where they fall short of basic security practices. LLMs won't magically create an asset inventory, nor will they have context about your environment or your approach to risk. She also noted where AI has been present for years already – we just call it machine learning when it's applied to things like fraud detection and behavioral analysis.
Then we checked our appsec formulas against a CISO's perspective with Paul Davis. He talked about driving behavioral change at the org level – a different and more challenging prospect than changing the behavior of individuals. But he also focused on the security problems that individuals on dev teams and appsec teams alike face, whether it's figuring out where to fit in AI or how to get beyond chasing CVEs one by one.
Subscribe to ASW to find these episodes and more! Also check out the June 2024 recap.