AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall – Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang – ASW #363
In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications.
Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI.
Segment Resources:
github.com/coreruleset/coreruleset
coreruleset.org
The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain.
As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency.
OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard, achieving OWASP Flagship project status in March 2025.
Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem.
This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape.
Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of DistributedApps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI.
Segment Resources:
aivss.owasp.org
https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for
https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro
This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference!
Felipe Zipitria is a seasoned computer security expert with an MSc from Universidad de la República in Uruguay and over 20 years of technical experience. His career has evolved from SRE, DevOps, and SysAdmin roles into specialized security domains, with the past five years dedicated to Application Security and Cloud SecOps. Throughout his career, he has provided security consulting services for more than a decade, establishing himself as a trusted advisor in the field.
Beyond his professional practice, Felipe is deeply committed to education and open-source community leadership. He teaches Computer Security Fundamentals to undergraduate students and Web Application Security to graduate students at Uruguay’s public university. Since 2013, he has served as Uruguay Co-Chapter Leader for OWASP, and has been a core contributor to OWASP CRS as a developer and co-leader since 2021. He is also part of the OWASP Coraza leadership team, driving innovation in Web Application Firewall development. His dedication to nurturing the next generation of security professionals is evident through his four consecutive years as a Google Summer of Code mentor, where he guides students into open-source and OWASP initiatives.
Steve guides teams in both the strategy and execution of secure software development. He integrates security throughout the entire development lifecycle, leading efforts in threat modeling, secure architecture and design, static, dynamic, and component analysis, offensive research, and defensive programming.
Steve’s passionate about helping organizations identify and reduce risk from the software supply chain. He is an open source advocate, leads the OWASP Dependency-Track project and the OWASP Software Component Verification Standard (SCVS), and chairs the OWASP CycloneDX Core Working Group and Ecma International TC54.
Steve serves as Vice Chair on the Board of Directors of the OWASP Foundation where he helps drive the continued growth of the foundation and the pursuit of its mission to make secure software a reality through open collaboration, education, and innovation.
I’m a seasoned technologist and servant leader with extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, and Sales. My impactful presence as an industry thought leader is underscored by my contributions as a speaker and panelist at leading industry events including RSA, CactusCon, Harvard, QA Forum, ADDO, Palo Alto Ignite, ISACA, OWASP, Open Source Congress, IAPP, InfoSec World, and Machines Can See (Dubai). My engagement with key security bodies like OWASP, IEEE, CFF, PBC, and IAPP significantly shapes security policies and promotes better cybersecurity practices.
I serve in leadership roles across multiple OWASP initiatives including AI Exchange, AIBOM (AI Bill of Materials), Serverless Top Ten Project, CRA, GenAI Lead Author as well as IEEE Next Gen Cyber Security. As a distinguished board advisor across many security and AI companies, Angel Investor and limited partner in several venture capital firms specializing in cybersecurity, I provide strategic direction to startups and established organizations navigating the complex intersection of security and AI. I’m also an active member of InfraGard in the NY Metro Chapter.
I leverage my credentials—including CISSP, C-CISO, GCISO, AWS, and Kubernetes—to bridge technical excellence with business strategy. I have a proven record of building communities around topics relevant to Cyber Security and AI, believing deeply in making security accessible and actionable for all.
Ken Huang is a prolific author and renowned expert in AI and Web3, with numerous published books spanning business and technical guides as well as cutting-edge research. He is a Research Fellow and Co-Chair of the AI Safety Working Groups at the Cloud Security Alliance, Co-Chair of the OWASP AIVSS project, and Co-Chair of the AI STR Working Group at the World Digital Technology Academy. He is also an Adjunct Professor at the University of San Francisco, where he teaches a graduate course on Generative AI for Data Security.
Huang serves as CEO and Chief AI Officer (CAIO) of DistributedApps.ai, a firm specializing in generative AI-related training and consulting. His technical leadership is further reflected in his role as a core contributor to OWASP’s Top 10 Risks for LLM Applications and his participation in the NIST Generative AI Public Working Group.
Key Books:
– Securing AI Agents: Foundations, Frameworks, and Real-World Deployment – Springer, October 2025
– Agentic AI: Theories and Practices – Springer, July 2025
– LLM Design Patterns – Packt, May 2025
– Beyond AI: ChatGPT, Web3, and the Business Landscape of Tomorrow – Springer, 2023
– Generative AI Security: Theories and Practices – Springer, 2024
– Practical Guide for AI Engineers (Volumes 1 and 2) – DistributedApps.ai, 2024
– The Handbook for Chief AI Officers: Leading the AI Revolution in Business – DistributedApps.ai, 2024
– Web3: Blockchain, the New Economy, and the Self-Sovereign Internet – Cambridge University Press, 2024
– Web3 Applications Security and New Security Landscape: Theories and Practices – Springer, 2024
– Blockchain and Web3: Building the Cryptocurrency, Privacy, and Security Foundations of the Metaverse – Wiley, 2023
A globally sought-after speaker, Ken has presented at events hosted by RSA, OWASP, ISC2, Davos WEF, ACM, IEEE, Consensus, the CSA AI Summit, the Depository Trust & Clearing Corporation, and the World Bank.









