Boring AppSec

Boring AppSec explores the foundational aspects of application security (AppSec), focusing on integrating emerging technologies, such as large language models (LLMs) and generative AI, into security practices. It provides frameworks for risk management, highlights the evolution of security tools, and underscores the importance of balancing user experience with security measures.

Risk Management in AppSec Integrating LLMs and AI in Security Evolving Security Tools and Practices Balancing User Experience with Security Automation in Security Cloud Security versus Application Security Security Prioritization Frameworks Enhancing Security Teams' Impact

The hottest Substack posts of Boring AppSec

And their main takeaways

Edition 21: A framework to securely use LLMs in companies - Part 1: Overview of Risks

136 HN points • 18 Jul 23

🕹 Technology AI Security Enterprise

LLMs bring risks that vary based on deployment and use cases.
It's important to prioritize and manage high-risk LLM scenarios.
Understanding how LLMs are used in your organization is crucial for mitigating risks.

Edition 23: A framework to securely use LLMs in companies - Part 3: Securing ChatGPT and GitHub Copilot

84 implied HN points • 05 Sep 23

🕹 Technology Security Artificial Intelligence Productivity Tools Data Privacy Software Engineering

The post discusses a framework for securely using LLMs like ChatGPT and GitHub Copilot in companies.
It highlights key risks and security controls for ChatGPT, focusing on data leakage and over-reliance on AI-generated output.
For GitHub Copilot, it addresses risks like sensitive data leakage and license violations, along with suggested security controls.

Edition 18: The diminishing returns of DAST

76 implied HN points • 08 Mar 23

🕹 Technology Security Software Development CI/CD

DAST tools were valuable in the past for their ability to discover OWASP top 10 defects
Now, the way software is built has changed, making DAST less effective in CI/CD pipelines
There are still some ways to integrate DAST tools effectively, like repurposing them for low-hanging fruit and using them alongside Pentesters

Edition 16: Using security teams as a force multiplier

15 implied HN points • 05 Feb 23

Security teams can leverage their skills to become force multipliers for the organization in areas like tool/platform adoption, incident management, and program management.
Skills picked up by security professionals, such as evangelizing, communicating, prioritizing, and managing stakeholders, can be valuable in various other teams and projects across the organization.
Improving customer trust through branding is a key aspect of a security program, and security professionals can help in public relations, content creation, and event participation to enhance the company's image.

[Guest post] Edition 24: Pentesting LLM apps 101

3 HN points • 13 Oct 23

🕹 Technology Security Development Testing Tools Integration

Pentesters should care about security implications of integrating LLMs in applications.
Identifying LLM usage in applications can involve looking for client-side SDKs, server-side APIs, and popular adoption signs.
Assessing LLM-integrated applications requires manual testing, tooling like Garak and LLM Fuzzer, and aiding developers in defending against vulnerabilities.

Get a weekly roundup of the best Substack posts, by hacker news affinity:

Edition 25: Gen AI can supercharge your AppSec program

1 HN point • 18 Dec 23

🕹 Technology Security AI Tools Automation Machine Learning

Gen AI can automate manual AppSec tasks and provide a 10x improvement over current methods.
A framework can be used to categorize AppSec tools based on input processing and output generation.
Use cases for leveraging Gen AI in AppSec include threat modeling, delivering security standards to developers, and vendor risk management.

Edition 20: Degrading UX to improve security hurts both UX and security

2 HN points • 30 May 23

🕹 Technology UX Design Information Security User Experience Cybersecurity Internet Security

Degrading user experience to enhance security can harm both aspects.
Considering unintended consequences of design choices is crucial for all engineering disciplines, including security.
Tradeoffs between usability and security can lead to negative impacts on password strength, user behavior, and session management.

Edition 22: A framework to securely use LLMs in companies - Part 2: Managing risk

1 HN point • 13 Aug 23

🕹 Technology AI Cybersecurity Risk management Data Privacy Cloud Computing

Using third-party LLM providers can offer advantages like minimal setup complexity and experimentation with low upfront costs.
Challenges with third-party LLMs include concerns about data security, biases in responses, and potential cost overruns.
To manage risks when integrating LLMs, consider implementing an LLM gateway for traffic routing, regular auditing and testing, and a monitoring layer for usage.

Edition 19: Security's eternal prioritisation problem

1 HN point • 08 May 23

🕹 Technology Security Prioritization Frameworks Decision-making Risk management

Security teams need to prioritize effectively due to limited time and resources.
Utilizing frameworks like the Eisenhower Matrix can help in prioritizing security tasks.
Every quadrant of the matrix requires different management techniques for effective security prioritization.

Edition 17: Is CloudSec the new AppSec?

1 HN point • 19 Feb 23

🕹 Technology Cybersecurity Infrastructure Talent Automation Frameworks

Thinking of CloudSec as the new AppSec may not be a useful framework.
CloudSec and AppSec have few overlapping components and scale differently as a company grows.
Automation in CloudSec is often faster and more predictable compared to AppSec due to the differences in infrastructure and applications.