Maybe it’s just the talks I’ve attended and articles I read. Maybe it’s just my rabbit hole that I went into. Or maybe… we’re all collectively realising the same thing. I hit a wall. At the end of 2024, I went all-in on automation. I built MVPs, tested capabilities, and made it my mission to influence others to do the…
Leave a CommentCategory: AppSec
In the early days of web development, PHP developers often relied on functions like mysql_escape_string() to sanitize user inputs. However, this approach was fraught with pitfalls. Misuse, incorrect character encoding handling, and a lack of awareness led to numerous vulnerabilities. To address these issues, mysql_real_escape_string() was introduced, which considered the current character set of the database connection, offering a more…
Leave a CommentJason Chan’s article “Security for High Velocity Engineering” hit me hard. It captures a reality many of us in Product Security face: engineering teams move fast, and unless your security program evolves beyond one-off engagements and reactive fixes, you’ll constantly be playing catch-up. The Fragile Model: When 1:1 Investment Walks Out the Door When I started out as an AppSec…
Leave a Comment
At DEFCON32, my colleague Andra Lezza and I presented a talk on building and securing LLM applications – particularly chatbots – drawing from our work at Sage. One of the highlights of our talk was a practical proof of concept: a smart home setup using Home-Assistant.io, which we showcased to demonstrate safety implications and security considerations of AI-integrated applications. In…
2 Comments
In a world where security needs to move as fast as software delivery, how we structure our AppSec (Application Security) teams is more critical than ever. The right team topology can make the difference between a well-secured application and a bottlenecked security process. Before looking in detail into these structures, let’s break down some essential team types that shape how…
Leave a CommentOver the past few years, the concept of “shift-left” has dominated software security. The idea seems intuitive – catch vulnerabilities as early as possible in the development process, allowing teams to remediate issues long before they ever reach production. But after a recent discussions, I started thinking more critically about what shift-left actually delivers and, more importantly, where it might…
Leave a Comment
The Misconception IP allowlisting involves configuring your origin server to accept connections only from specific IP addresses – in this case, Cloudflare’s IP ranges. The logic seems sound: by allowing only trusted IPs, you reduce the risk of unauthorized access. Unfortunately, this method overlooks several attack cases that can be exploited. My Observation Over the years, I’ve noticed numerous security…
Leave a Comment
I had a great time last week at OWASP Frankfurt’s 63rd meetup all about #GenerativeAI and #Security! We dived into deep fake detection and ways to bypass it – truly eye-opening.We also explored the impact of AI generated code on software security with a GitHub Copilot case study. Plus, plenty of pizza and some fantastic home-brewed beer by Check24. If…
Leave a Comment
During my time in Toronto, it was not just about security of LLMs but also a lot about reunion and meeting fantastic people, one story I definitely wanted to share with you: Four years ago, in my previous role at EXXETA in Stuttgart I was mentoring Fabian, an enthusiastic working student. Since then, it’s almost as if fate keeps bringing…
Leave a Comment
Just wrapped up my second session on Software Quality Engineering co-lecturing with Prof. Dr. Katja Wengler at DHBW Center for Advanced Studies in Heilbronn, Germany, and I’m once again struck by the incredible dynamism of these lectures. The level of engagement always astounds me. 👉 Day 1 was all about DevSecOps and Secure-SDLC, where we dived into secure coding practices,…
Leave a Comment