How companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how different enterprises are benefitting.

Segment Resources:

• https://www.island.io/resources
• https://www.island.io/press

This segment is sponsored by Island. Visit https://www.securityweekly.com/islandrsac to learn more about them!

The cybersecurity landscape continues to transform, with a growing focus on mitigating supply chain vulnerabilities, enforcing data governance, and incorporating AI into security measures. This transformation promises to steer DevSecOps teams toward software development processes with efficiency and security at the forefront. Josh Lemos, Chief Information Security Officer at GitLab will discuss the role of AI in securing software and data supply chains and helping developers work more efficiently while creating more secure code.

This segment is sponsored by GitLab. Visit https://securityweekly.com/gitlabrsac to learn more about them!

Show Notes: https://securityweekly.com/asw-285

Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many ways -- after all, LLMs are still software. But the list captures some new concepts that anyone looking to use LLMs or generative AIs should be aware of.

• https://llmtop10.com/
• https://github.com/OWASP/www-project-top-10-for-large-language-model-applications/wiki/Educational-Resources
• https://owasp.org/www-project-ai-security-and-privacy-guide/
• https://gandalf.lakera.ai/
• https://quarkiq.com/blog

Show Notes: https://securityweekly.com/asw-285

We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss how organizations should approach the very different concepts of AI security and AI safety.

Segment Resources:

• https://securing.dev/posts/hacking-ai-bias/
• https://www.defense.gov/News/Releases/Release/Article/3659519/cdao-launches-first-dod-ai-bias-bounty-focused-on-unknown-risks-in-llms/

Show Notes: https://securityweekly.com/asw-284

A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explains why it's important to understand the different types of AI and the practical tasks necessary to secure how it's used.

Segment resources:

• https://calebsima.com/2023/08/16/demystifing-llms-and-threats/
• https://www.youtube.com/watch?v=qgDtOu17E&t=1s

Show Notes: https://securityweekly.com/asw-284

Misusing random numbers, protecting platforms for code repos and package repos, vulns that teach us about designs and defaults, and more!

Show Notes: https://securityweekly.com/asw-283

Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now they're bracing for the coming of genAI and how that will just further highlight the current struggles they're having with data security and data privacy.

Segment Resources: Complete Survey Results: The Growing Complexity of Securing the Software Supply Chain https://research.esg-global.com/reportaction/515201781/Toc 

Show Notes: https://securityweekly.com/asw-283

CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more!

Show Notes: https://securityweekly.com/asw-282

How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve.

Segment resources:

• https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship
• https://www.zaproxy.org
• https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-efforts

Show Notes: https://securityweekly.com/asw-282

A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more!

Show Notes: https://securityweekly.com/asw-281

There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career.

Segment resources:

• https://kickstartseceng.com

Show Notes: https://securityweekly.com/asw-281

OWASP leaks resumes, defining different types of prompt injection, a secure design example in device-bound sessions, turning an ASVS requirement into practice, Ivanti has its 2000s-era Microsoft moment, HTTP/2 CONTINUATION flood, and more!

Show Notes: https://securityweekly.com/asw-280