The State of AI & AppSec – Keith Hoodlet – ASW #383
This year has been a dichotomy of established secure design fundamentals and burgeoning chaos of LLM-driven vuln discovery. Keith Hoodlet returns to share his latest observations on what the recent news about Mythos, models, and harnesses means for appsec. He walks through the problems of misalignment, the potential development doom that looms behind a volume of vulns, and what modern code creation looks like. Along the way we touch on the economics of tokens and the principles behind secure software.
Keith gave a preview of his upcoming presentation (May 22nd) on these topics. Check out https://securing.dev/about/ for the slides and more of his writing on appsec.
Keith Hoodlet is the Application Security Manager at Thermo Fisher Scientific. He is the Co-Founder of the InfoSec Mentors Project.
If you’re building or securing applications today, generative AI just changed your threat model.
AI-generated code, prompt injection, data leakage, and agentic workflows are introducing risks your current AppSec tools were never designed to handle. And with DevOps moving faster than ever, the gap between shipping and securing is only getting wider.
So how do you actually secure what you’re building?
Join us May 27 for the OWASP Generative AI Virtual Cybersecurity Summit. Hear from the experts behind the OWASP GenAI Security Project on the top risks in LLMs and agentic AI, and how to secure AI systems across the entire SDLC.
Get practical guidance, real-world strategies, and the tools you need to stay ahead of AI-driven threats.
Security Weekly listeners can register for free at https://securityweekly.com/genai using the promo code: CSS26-SW
Mike Shema
- Mythos finds a curl vulnerability | daniel.haxx.se
- NGINX Rift: Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability | depthfirst
- Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark
- TOOL: OpenAnt
I'm going to start including more links to open source tools related to LLMs and appsec. We'll complement these with future deep dives and discussions with the creators. If there's a tool you'd like us to highlight, let us know!
From the project's description, "OpenAnt from Knostic is the leading open source LLM-based vulnerability discovery product, helping defenders proactively find verified security flaws while minimizing both false positives and false negatives. Stage 1 detects. Stage 2 attacks. What survives is real."
One drawback of open source tools like this is how many are tied to commercial models. However, the growing observation among researchers is that the model choice is typically less important than how multiple agents are orchestrated and focused on specific tasks.
OpenAnt is currently very Claude-specific, but as this issue notes, it doesn't have to be.








