Boring AppSec

Boring AppSec explores the foundational aspects of application security (AppSec), focusing on integrating emerging technologies, such as large language models (LLMs) and generative AI, into security practices. It provides frameworks for risk management, highlights the evolution of security tools, and underscores the importance of balancing user experience with security measures.

Risk Management in AppSec; Integrating LLMs and AI in Security; Evolving Security Tools and Practices; Balancing User Experience with Security; Automation in Security; Cloud Security versus Application Security; Security Prioritization Frameworks; Enhancing Security Teams' Impact

The hottest Substack posts of Boring AppSec

And their main takeaways
84 implied HN points 05 Sep 23
  1. The post discusses a framework for securely using LLMs like ChatGPT and GitHub Copilot in companies.
  2. It highlights key risks and security controls for ChatGPT, focusing on data leakage and over-reliance on AI-generated output.
  3. For GitHub Copilot, it addresses risks like sensitive data leakage and license violations, along with suggested security controls.
15 implied HN points 05 Feb 23
  1. Security teams can leverage their skills to become force multipliers for the organization in areas like tool/platform adoption, incident management, and program management.
  2. Skills picked up by security professionals, such as evangelizing, communicating, prioritizing, and managing stakeholders, can be valuable in various other teams and projects across the organization.
  3. Improving customer trust through branding is a key aspect of a security program, and security professionals can help in public relations, content creation, and event participation to enhance the company's image.
3 HN points 13 Oct 23
  1. Pentesters should care about security implications of integrating LLMs in applications.
  2. Identifying LLM usage in applications can involve looking for client-side SDKs, server-side APIs, and popular adoption signs.
  3. Assessing LLM-integrated applications requires manual testing, tooling like Garak and LLM Fuzzer, and aiding developers in defending against vulnerabilities.
2 HN points 30 May 23
  1. Degrading user experience to enhance security can harm both aspects.
  2. Considering unintended consequences of design choices is crucial for all engineering disciplines, including security.
  3. Tradeoffs between usability and security can lead to negative impacts on password strength, user behavior, and session management.
1 HN point 13 Aug 23
  1. Using third-party LLM providers can offer advantages like minimal setup complexity and experimentation with low upfront costs.
  2. Challenges with third-party LLMs include concerns about data security, biases in responses, and potential cost overruns.
  3. To manage risks when integrating LLMs, consider implementing an LLM gateway for traffic routing, regular auditing and testing, and a monitoring layer for usage.