We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass against LLMs. Not everything is genAI, though: we also cover some secure design topics, from the Airborne attack against Apple's AirPlay to more calls for companies to show how they're embracing secure design principles and practices.
Apiiro CEO & Co-Founder, Idan Plotnik discusses the AI problem in AppSec.
This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them!
Gen AI is being adopted faster than companies' policies and data security can keep up, and as LLMs become more integrated into company systems and users leverage more AI-enabled applications, they essentially become unintentional data exfiltration points. These tools do not differentiate between data that is sensitive and proprietary and data that is not. This interview will examine how the rapid adoption of Gen AI is putting sensitive company data at risk, and the data security considerations and policies organizations should implement before, if, and when their employees may seek to adopt Gen AI tools to leverage some of their undeniable workplace benefits.
Customer case studies: https://www.seclore.com/resources/customer-case-studies/
Seclore Blog: https://www.seclore.com/blog/
This segment is sponsored by Seclore. Visit https://securityweekly.com/seclorersac to learn more about them!
Idan Plotnik is a serial entrepreneur and product strategist, with more than 20 years of experience in cybersecurity. He is the Co-Founder & CEO at Apiiro, the ASPM platform that empowers companies like Morgan Stanley, Blackrock, Rakuten, SoFi, and Shell to automatically discover their software architecture and identify risky changes so they can prevent application risk without slowing innovation.
Previously, Idan was GM of Software Engineering at Microsoft following the acquisition of Aorato where he served as the Founder & CEO.
Vishal Gupta is an entrepreneur and business development executive with a special focus on the financial service industry. He has expertise in information rights management, information usage control, data loss prevention and enterprise software sales.
As CEO of Seclore, Vishal drives direction and stakeholder management for the company at large. He previously co-founded Herald Logic (acquired in 2007) and he regularly contributes to security industry thought leadership.
Vishal has lived and worked in Mumbai, Singapore and London, giving him critical awareness of diverse cultures, business processes and ethnic eccentricities. In addition to his interest in information security systems and processes, Vishal is an avid fan and participant of swimming and squash.
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Mike Shema
- Airborne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security
Also covered in Wired.
- How MCP servers can steal your conversation history – The Trail of Bits Blog
- Jumping the line: How MCP servers can attack you before you ever use them
- Insecure credential storage plagues MCP – The Trail of Bits Blog
Related to credentials and MCP security in general, it's also worth reading "Let's fix OAuth in MCP" from Aaron Parecki.
- Deceiving users with ANSI terminal codes in MCP – The Trail of Bits Blog
- Everything Wrong with MCP – by Shrivu Shankar
- Novel Universal Bypass for All Major LLMs
- Advancing Secure by Design Through Security Research | Lawfare
See also this effort from the OpenSSF, "Announcing the Release of 'The Memory Safety Continuum'"
- Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative | Microsoft Security Blog
- An Open Letter to Third-Party Suppliers