Creating Better Security Guidance and Code with LLMs – Mark Curphey – ASW #374
What happens when secure coding guidance goes stale? What happens when LLMs write code from scratch? Mark Curphey walks us through his experience updating documentation for writing secure code in Go and recreating one of his own startups.
One of the themes of this conversation is how important documentation is, whether it's intended for humans or for prompts to LLMs. Importantly, LLMs don't innovate on their own -- they rely on the data they're trained on. And that means there should be good authoritative sources for what secure code looks like. It also means that instructions to LLMs need to be clear and precise enough to produce something useful. Watch what happens when Mark prompts his agents to run a live demo for us!
Mark Curphey is the co-founder and Chief Marketing Officer at Crash Override, a venture-backed security startup founded in 2022 with John Viega. Prior to Crash Override he was the co-founder and CPO/CTO of Open Raven, a data classification company; founder and CEO of SourceClear (acquired by Veracode in 2018), the first pure-play security software composition analysis company; and led the MSDN subscription team at Microsoft.
In 2002 he founded the Open Web Application Security Project, the de facto online community dedicated to improving software security. He has a Master's degree in Information Security from Royal Holloway and Bedford New College, University of London.
He is currently advisor to the Software Security Project, a new appsec community that will be launched later in 2024.
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Mike Shema
- Cloud Threat Horizons Report H1 2026
- NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages
- Pre-Authentication SQL Injection in FortiClient EMS 7.4.4 – CVE-2026-21643
It's hard to go through a Fortinet installation without tripping over some flaws. It seems like these days it's a commercial version of OWASP's DVWA.
But I didn't grab this article to talk about yet another SQL injection or yet another flaw.
This has an interesting angle on refactoring that introduces -- and fixes -- vulns throughout a project's lifetime. I'm obviously a fan of refactoring early and refactoring often. I like refining the abstractions within a software project in order to make it more readable, remove code, and hopefully make it simpler to understand.
That's why this line from the article caught my eye, "...format-string interpolation was introduced in the 7.4.4 refactoring and patched one release later in 7.4.5."
It's important to be cognizant that refactoring isn't without cost, both in time and security. Ideally, mature coding practices and security tooling will limit how long a flaw lives within a codebase.
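The kind of regression the quoted line describes, shown as an added example that is not code from the episode, from FortiClient, or from the advisory: a parameterized lookup refactored into string interpolation, side by side with the bound-parameter form. The table, column names and rows are constructed for the demonstration, and Python's built-in sqlite3 stands in for whatever database the real product uses; the legitimate value `O'Brien` is enough to show that the interpolated query no longer means what the author intended.

```python
import sqlite3

# Constructed in-memory sample data; not from the episode or the advisory.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO endpoints VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "O'Brien"), ("ws-03", "carol")],
    )
    return conn

def hosts_for_owner_interpolated(conn: sqlite3.Connection, owner: str) -> list:
    # The "refactored" form: the caller's value is spliced into the SQL text.
    # Any quote character in the value changes the statement itself, which is
    # the defect; a syntax error on ordinary data is the first visible symptom.
    sql = f"SELECT hostname FROM endpoints WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]

def hosts_for_owner_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    # The fixed form: the value travels as a bound parameter, never as SQL text,
    # so the statement's structure is fixed at authoring time.
    sql = "SELECT hostname FROM endpoints WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]

def compare(owner: str) -> dict:
    """Run both forms on a fresh database and report what each returns."""
    conn = make_db()
    result = {"parameterized": hosts_for_owner_parameterized(conn, owner)}
    try:
        result["interpolated"] = hosts_for_owner_interpolated(conn, owner)
    except sqlite3.OperationalError as exc:
        # The statement was rewritten by the data; the parser rejected it.
        result["interpolated"] = f"error: {exc}"
    return result

if __name__ == "__main__":
    for owner in ("alice", "O'Brien"):
        print(owner, compare(owner))
```

A unit test that feeds a quote-bearing value through every query helper is a cheap regression check that catches this class of refactor before release.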
- Under the hood: Security architecture of GitHub Agentic Workflows
- HISTORY: Twenty Years of Cloud Security Research | Wiz Blog