Application Security Weekly (Audio)

By: Security Weekly Productions

About all things AppSec, DevOps, and DevSecOps. Hosted by Mike Shema and John Kinsella, the podcast focuses on helping its audience find and fix software flaws effectively.

© 2024 CyberRisk Alliance

Episodes
  • Inside the OWASP GenAI Security Project - Steve Wilson - ASW #352
    Oct 14 2025

    Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. Whether apps are created by genAI or directly use genAI, the future of securing software is going to be busy.

    Resources

    • https://genai.owasp.org
    • https://genai.owasp.org/llm-top-10/
    • LLM security book on Amazon at https://a.co/d/6LZoXxQ

    This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more!

    Visit https://www.securityweekly.com/asw for all the latest episodes!

    Show Notes: https://securityweekly.com/asw-352

    1 hr 8 min
  • Finding Large Bounties with Large Language Models - Nico Waisman - ASW #351
    Oct 7 2025

    Software has forever had flaws and humans have forever been finding and fixing them. With LLMs generating code, appsec has also been trying to determine how well LLMs can find flaws. Nico Waisman talks about XBOW's LLM-based pentesting, how it climbed a bug bounty leaderboard, how it uses feedback loops for better pentests, and how they handle (and even welcome!) hallucinations.

    In the news, using LLMs to find flaws, directory traversal in an MCP, another resource for learning cloud and AI security, spreadsheets and appsec, and more!

    Visit https://www.securityweekly.com/asw for all the latest episodes!

    Show Notes: https://securityweekly.com/asw-351

    54 min
  • Changing the Vuln Conversation from Volume to Remediation - Francesco Cipollone - ASW #350
    Sep 30 2025

    Dealing with vulns tends to be a discussion about prioritization. After all, there are tons of CVEs and dependencies with known vulns. It's important to figure out how to present developers with useful vuln info that doesn't overwhelm them. Francesco Cipollone shares how to redirect that discussion to focus on remediation and how to incorporate LLMs into this process without losing your focus or losing your budget.

    In the news, supply chain security in Ruby and Rust, protecting package repositories, refining CodeQL queries for security, refactoring and Rust, an OWASP survey, and more!

    Visit https://www.securityweekly.com/asw for all the latest episodes!

    Show Notes: https://securityweekly.com/asw-350

    1 hr 15 min