Producing Secure Code by Leveraging AI – Stuart McClure – ASW #291
Full Audio
View Show IndexSegments
1. Producing Secure Code by Leveraging AI – Stuart McClure – ASW #291
How can LLMs be valuable to developers as an assistant in finding and fixing insecure code? There are a lot of implications in trusting AI or LLMs to not only find vulns, but in producing code that fixes an underlying problem without changing an app's intended behavior. Stuart McClure explains how combining LLMs with agents and RAGs helps make AI-influenced tools more effective and useful in the context that developers need -- writing secure code.
Guest
Stuart has over 30 years of experience in all aspects of cybersecurity including engineering, product development, marketing, sales, customer success, and executive leadership including Global CTO for McAfee/Intel, starting Cylance and Foundstone as Founder/CEO/President/CTO and birthing the cybersecurity practices for both Kaiser Permanente and Ernst & Young. Stuart is the founding author of the #1 cyber security hacking book, Hacking Exposed, which empowers defenders to understand the hacker tools, techniques, and procedures to prevent cyber-attacks. Stuart earned his B.A. in Psychology and Philosophy with an emphasis in Computer Science from CU Boulder.
Hosts
2. A 2024 Appsec Report, Preparing for the AIxCC, Secure Design and Post-Quantum Crypto – ASW #291
Cloudflare's 2024 appsec report, reasoning about the Cyber Reasoning Systems for the upcoming AIxCC semifinals at DEF CON, lessons in secure design from post-quantum cryptography, and more!
Announcements
Maximize your investment at BlackHat 2024 with a 1:1 on-site interview. Drive thought leadership and boost brand awareness with CyberRisk Alliance's expert editorial team from Security Weekly and SC Media. Act now, limited interview slots available - secure yours today at https://securityweekly.com/blackhat2024
Hosts
- 1. Application Security report: 2024 update
- 2. AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 1
- 3. WebAssembly components: the next wave of cloud native computing
- 4. Quantum is unimportant to post-quantum | Trail of Bits Blog
Forget about quantum computers -- which is easy, since they haven't yet arrived. A cryptographer talks about how post-quantum algorithms are designed to be resistant to implementation error and developer confusion.
This is the kind of article that makes me wonder what the appsec equivalent would be. What has appsec done to improve a design reference for developers? Does something as simple as prepared statements count, even if SQL injection CVEs still get reported in 2024? ReactJS could be an example, but that's also old and just one framework. Cloud architectures seem to have been improving design patterns, is that where appsec should be looking for inspiration?
- 5. New Articles of Incorporation and Bylaws for the OWASP Foundation!
- 1. Demonstrating power analysis attacks with an Arduino
When we've looked at power analysis attacks in the past, the setup to reproduce this at home would cost a significant chunk of money. In this example, someone has created a GitHub project that walks through setting up the hardware and software to study power analysis attacks on RSA encrypted data with an Arduino.
- 2. Pythonmonkey
As they say themselves, "A Mozilla SpiderMonkey JavaScript engine embedded into the Python VM, using the Python engine to provide the JS host environment."
- 3. Another OpenSSH vuln found
As I talk about "finger holds" when attacker find one vulnerability, and then escalates that to a bigger attack, we humans do similar things with research. After Qualys found the RegreSSHion vulnerability several weeks ago, researcher Solar Designer decided to look further and found what is now CVE-2024-6409. While a similar race condition to regreSSHion, this vulnerability is on the lower side of the ssh privilege separation, but still has potential for exploitation.
- 4. Header parsing bug in exim could result in delivering malicious attachments
While browsing through the vuln reports of the week, this one caught my eye. Nothing particularly exciting - another vuln in mail server software (which Censys claims powers 74% of public mail servers), but as it's open source, the patch is available to see how the team fixed the vuln.
Vulnerability patch is at https://github.com/Exim/exim/commit/6ce5c70cff8989418e05d01fd2a57703007a6357