Like every other aspect of American life, Trump has really screwed up #swsec. Republicans can't govern.
https://arstechnica.com/security/2025/06/cybersecurity-take-a-big-hit-in-new-trump-executive-order/
Yes @elias_sorensen, as I have said since 2001, #swsec is best done by software people. The notion that securing "applications" is strictly a layer seven problem reflects a deep misunderstanding that network people overemphasize.
"We have jobs because you can't code...and neither can your AI."
A talk I watched about CI/CD security highlights an unfortunate collective tunnel vision with the way organizations are working in the #swsec field. Many practitioners call it Application Security (AppSec). A problem with this term is that it implies that we're securing "applications", like web applications or mobile apps. However, software is everywhere, and this focus seems to make us ignore the bigger picture. @cigitalgem has been talking about this problem for ages and it's still happening.
For reference, here is the old chart by Dan Geer from a couple decades ago (source: https://all.net/Metricon/measuringsecurity.tutorial.pdf)
I think this part about software security is particularly interesting in the days of vibes, AI coding assistants and devs claiming they are 32x more productive (LOL). This surely means they are checking in at least 32 times as many vulnerabilities. To top it off, none of the vibe coders understand their code, so good luck fixing it! I guess fixing it is just another prompt and turtles all the way down. Ofc building security in becomes a long lost dream at this point
Doing some informal research for a talk about software security. Inspired by Dan Geer's old work, I did some exploratory data analysis. I plotted an estimate of lines of code (in millions) in the Linux kernel against the square root of vulnerabilities reported. Lines include the core as well as drivers etc. I think this graph supports the old observation that the number of vulnerabilities reported the following year correlates with the square of MLoC at a given year.
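The lag-and-square-root check described in the post, as an added example (not the author's analysis or data): it pairs each year's code size with the next year's vulnerability count, fits sqrt(vulns) against MLoC by least squares, and compares the correlation with the untransformed counts. The series are constructed, hypothetical values, not real Linux kernel figures.

```python
"""Test the rule of thumb: vulnerabilities reported next year ~ (MLoC this year)^2."""
import math

# Constructed sample series (hypothetical; NOT real Linux kernel numbers):
# estimated millions of lines of code per year, and vulnerabilities reported per year.
MLOC_BY_YEAR = {2015: 5.0, 2016: 10.0, 2017: 15.0, 2018: 20.0, 2019: 25.0, 2020: 30.0}
VULNS_BY_YEAR = {2016: 10, 2017: 35, 2018: 83, 2019: 140, 2020: 228, 2021: 320}


def lagged_pairs(mloc, vulns, lag=1):
    """Pair code size in year y with vulnerabilities reported in year y + lag."""
    return [(mloc[y], vulns[y + lag]) for y in sorted(mloc) if y + lag in vulns]


def pearson_r(xs, ys):
    """Pearson correlation coefficient, computed by hand (no numpy needed)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def fit_sqrt_model(mloc, vulns, lag=1):
    """Least-squares fit of sqrt(vulns[y+lag]) = intercept + slope * mloc[y].

    If vulnerabilities really grow with the square of code size, the square-root
    transform makes the relation linear, so r_sqrt should be closer to 1 than the
    correlation of the raw counts (r_raw) is.
    Returns (slope, intercept, r_sqrt, r_raw).
    """
    pairs = lagged_pairs(mloc, vulns, lag)
    xs = [x for x, _ in pairs]
    raw = [v for _, v in pairs]
    ys = [math.sqrt(v) for v in raw]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    intercept = my - slope * mx
    return slope, intercept, pearson_r(xs, ys), pearson_r(xs, raw)


def predict_next_year_vulns(slope, intercept, mloc_now):
    """Undo the square root: predicted count for next year from this year's MLoC."""
    return (intercept + slope * mloc_now) ** 2


if __name__ == "__main__":
    slope, intercept, r_sqrt, r_raw = fit_sqrt_model(MLOC_BY_YEAR, VULNS_BY_YEAR)
    print(f"slope={slope:.3f} intercept={intercept:.3f} r_sqrt={r_sqrt:.4f} r_raw={r_raw:.4f}")
    print(f"predicted vulns after a 35 MLoC year: {predict_next_year_vulns(slope, intercept, 35):.0f}")
```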
For the record and for history... you cannot secure #AI by red teaming with known attacks. Just as with #swsec, you must build security in, starting with design.
Penetrate and patch is a braindead paradigm. Let's do some real #MLsec please.
https://www.scworld.com/news/nist-releases-new-ai-attack-taxonomy-with-expanded-genai-section
This notion that early-career coders can be replaced by AI is wrong. Nobody is thinking about maintaining software or the architectural disaster to come when inscrutable code that mostly works is all over the codebase. And it's real..."early-career coders have been hit especially hard because much of what they do can now be done by AI."
I recommend hiring junior humans over AI. Still. Just tool them up.
https://www.wsj.com/lifestyle/careers/tech-jobs-hiring-artifical-intelligence-35cd66b0
How not to do #swsec by the US administration. Super dumb. #infosec #appsec #security
https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/
I am pleased as punch that Meta's AI was trained on a large number of my copyrighted works, including Building Secure Software in three different languages. (Just for the record...that is sarcasm.)
#MLsec #swsec #appsec
https://www.theatlantic.com/technology/archive/2025/03/libgen-meta-openai/682093/
Making automated Threat Modeling better with applied ML. A recorded webinar that I participated in yesterday.
#MLsec #ML #security #swsec #appsec #threatmodeling
https://www.youtube.com/playlist?list=PLpo8W6wt_WV-haEOL-nWyz5TKhJOJ5Gao
@adamshostack @cigitalgem I have defined the term in my work (and many #swsec books). We use it that way.
Welcome to 1998! Please see David Wagner about your very broken code. Static analysis tools will automatically find these bugs starting about 1998 for...27 years! That is, in 2025 we will have had code checkers around for just about 30 years.
We also know how to use better programming languages than C and C++.
Way to go government!
https://www.infosecurity-magazine.com/news/cisa-fbi-buffer-overflow/
My first big DARPA grant was about testing for buffer overflows automatically. It led directly to the static analysis tools that everyone uses today (which we also pioneered for DARPA). That was 1995.
How many decades can you hold your breath? #swsec #appsec
https://www.theregister.com/2025/02/13/fbi_cisa_unforgivable_buffer_overflow/?td=rt-3a