
Category: AppSec

Hacking your not-so-smart doorbell – Home Assistant and Gemini AI

At DEFCON32, my colleague Andra Lezza and I presented a talk on building and securing LLM applications – particularly chatbots – drawing from our work at Sage. One of the highlights of our talk was a practical proof of concept: a smart home setup using Home-Assistant.io, which we showcased to demonstrate safety implications and security considerations of AI-integrated applications. In…


AppSec Team Topologies Explained: Structure in Matrix Organisations

In a world where security needs to move as fast as software delivery, how we structure our AppSec (Application Security) teams is more critical than ever. The right team topology can make the difference between a well-secured application and a bottlenecked security process. Before looking in detail into these structures, let's break down some essential team types that shape how…


Relying solely on IP Allowlisting with Cloudflare is WRONG

The Misconception: IP allowlisting involves configuring your origin server to accept connections only from specific IP addresses – in this case, Cloudflare's IP ranges. The logic seems sound: by allowing only trusted IPs, you reduce the risk of unauthorized access. Unfortunately, this method overlooks several attack cases that can be exploited. My Observation: Over the years, I've noticed numerous security…


OWASP Frankfurt Chapter Meetup #63 – Recap

I had a great time last week at OWASP Frankfurt’s 63rd meetup all about #GenerativeAI and #Security! We dived into deep fake detection and ways to bypass it – truly eye-opening. We also explored the impact of AI generated code on software security with a GitHub Copilot case study. Plus, plenty of pizza and some fantastic home-brewed beer by Check24. If…


Recap of SecTor Security conference

During my time in Toronto, it was not just about security of LLMs but also a lot about reunion and meeting fantastic people, one story I definitely wanted to share with you: Four years ago, in my previous role at EXXETA in Stuttgart I was mentoring Fabian, an enthusiastic working student. Since then, it’s almost as if fate keeps bringing…


Secure Coding Workshop at DHBW CAS University

Just wrapped up my second session on Software Quality Engineering co-lecturing with Prof. Dr. Katja Wengler at DHBW Center for Advanced Studies in Heilbronn, Germany, and I’m once again struck by the incredible dynamism of these lectures. The level of engagement always astounds me. 👉 Day 1 was all about DevSecOps and Secure-SDLC, where we dived into secure coding practices,…


The Dark Side of Large Language Models: Uncovering and Overcoming of Code Vulnerabilities

I had a great time speaking at ThreatCon.io Hacking Conference in beautiful Kathmandu, Nepal. During my talk we discussed the new world of LLM auto-suggested code and therefore its influence on secure coding. One of the key findings I demoed is that while tools like GitHub Copilot can speed things up, they sneak in various vulnerabilities. But we also discussed…


The Ticking Time Bomb: When Features Turn into Unexpected Vulnerabilities

These vulnerabilities have a common characteristic: they are inherent features of programming languages or libraries. However, it took a considerable amount of time for them to be recognized as attack vectors and actual vulnerabilities. The existence of these vulnerabilities, previously unknown until their public disclosure, resulted in a substantial and previously unidentified attack surface for malicious actors. This discovery had…


Unleashing the Power of GitHub Copilot: A Critical Review of Its Impact on Secure Coding

Today I developed a Python tool to automate some processes in our vulnerability management. For this task I decided to use GitHub Copilot. Mostly by using code comments (#, //) Copilot wrote the code for me, so I did not have to care much about syntax or function names, which I keep forgetting when I am not coding in Python…


Privacy Engineering: The Missing Piece in Application Security and AI

In today’s digital age, data has become a valuable asset for organizations, and it is collected, processed, and stored at an unprecedented rate. This data contains sensitive personal information that should be kept private, and if not handled with care, can cause severe consequences for individuals and organizations. As a result, privacy engineering has emerged as a crucial discipline that…
