A Talk about DevOps, Security, and AI

James Wickett Co-founder & CEO @ DryRun Security LinkedIn Learning
Author Austin, TX @wickett

Disclaimer This original talk title was about Security with a
capital "S". Security the ideal. Not security people. Security people are great.

The cloud was to Ops as AI will be to
Security

First, Agile Agile needed ops It took ops a decade
(and a computing revolution)

Devs and Security didn't exactly get along

DevOps is the inevitable result of needing to do efficient
operations in a [distributed computing and cloud] environment — Tom Limoncelli

Agile, IaC, Virtualization, and Cloud were all necessary pre- existing
conditions

We didn't choose the devops life, the devops life chose
us

Reality in 2009 in Ops Lots of event and time
series data Outnumbered 10 to 1 by devs Complex Needs: network, cooling, compute, ... Limited dev experience

The First DevOpsDays

John Willis would drop into your conference and teach you
IaC

Ops != Security

Current Reality in Security Lots of data (documents,reports,output) Chronic under-staffing
(100/10/1) Complex Needs: scanning, audits, training, ... CI/CD, IaC, 10+ Languages

The rise of the xSPM is a symptom of security's
data problem

Clearly something is wrong. [...] We’re protecting the wrong things,
and we’re hurting productivity in the process. — Steven Bellovin

The First DevSecOps Event

Take these SAST results to Mount JIRA

Dear Shift Left, We Never Knew You

Penalties of the Shift Left Added new gates (and complexity)
Backlog bloat Devs decoding output Pipeline cluttering

What makes AppSec particularly difﬁcult Noise to signal ratio Expert
analysis needed Loads of documents Specificity and detail

How we imagine AppSec training

How it actually goes

How it ends up

AppSec Context Who wrote the code? What does the app
do? What are app areas that are important? Are there any critical functions? Did the developer pass secure code training? Is the code brittle in certain areas?

Contextual Security Analysis Contextual Security Analysis uses all available context
gathered as developers are writing code to make contextually aware assertions.

Security Context You Already Have Commit or PR Author Codepaths
& Functions Dependencies Sectool findings Past problem areas

Factors of Contextual Security Analysis Surface - how the surface
of the application changes Language - the language and framework the app is written in Intent - evaluates the person making the change, both in their patterns and their purpose Detection - the output from sectools to detect vulnerabilities Environment - the purpose of the app or service in the organization

Stuff AI Does Well Transforming Summarization Information extraction Generation

Security

Last year we created a functional attack with ChatGPT Created
a working XSS payload Found the user's active session Made a lambda receiver to exfil tokens Emailed myself the active session token source: https://speakerdeck.com/wickett/context-over- control-delivering-security-value-to-the-team

GPT-4 vs. SAST https://www.youtube.com/watch?v=ATN2bJizTFE&t=6s

https://github.com/latiotech/LAST

LAST Prompt You are an application security expert, skilled in
explaining complex programming vulnerabilities with simplicity. You will receive the full code for an application. Your task is to review the code for security vulnerabilities and suggest improvements. Don't overly focus on one file, and instead provide the top security concerns based on what you think the entire application is doing. https://github.com/latiotech/LAST/blob/main/src/latio/ core.py

CO-STAR Prompting Context Output Specificity & Style Task & Tone
Assumption & Audience Requirements & Response https://www.linkedin.com/pulse/prompt-engineering- deep-dive-mastering-co-star-framework-mittal-xlqhe/

https://chat.openai.com/g/g-HTsfg2w2z-secgpt

https://github.com/mrwadams/stride-gpt

https://github.com/danielmiessler/fabric

# IDENTITY and PURPOSE You are an expert at summarizing
pull requests to a given coding project. https://raw.githubusercontent.com/danielmiessler/ fabric/main/patterns/summarize_pull-requests/ system.md

# STEPS 1. Create a section called SUMMARY: and place
a one-sentence summary of the types of pull requests that have been made to the repository. 2. Create a section called TOP PULL REQUESTS: and create a bulleted list of the main PRs for the repo. https://raw.githubusercontent.com/danielmiessler/ fabric/main/patterns/summarize_pull-requests/ system.md

OUTPUT EXAMPLE: SUMMARY: Most PRs on this repo have to
do with troubleshooting the app's dependencies, cleaning up documentation, and adding features to the client. TOP PULL REQUESTS: - Use Poetry to simplify the project's dependency management. - Add a section that explains how to use the app's secondary API. - A request to add AI Agent endpoints that use CrewAI. - Etc. END EXAMPLE

What we've been up to at DryRun Security

Security

AI Sec Research (with some controversy) LLM's can autonomously hack
websites https:// arxiv.org/pdf/2402.06664 LLM Agents can Autonomously Exploit One-day Vulnerabilities https://arxiv.org/pdf/2404.08144 The controversy https://struct.github.io/ autoagents1_day.html

AI Sec Research (more promising) https://arxiv.org/pdf/2312.00024

Security's Data Documents Policies Procedures and Controls Architecture decisions Tool
output Threat models Industry Standards

Security's Data Events Changes to all the previous categories Code
changes Infra changes Industry news

Security

And you probably thought I was going to talk about
xz-utils

Get the Free Contextual Security Analysis Guide dryrun.security/csa

Stay in Touch [email protected] linkedin.com/in/wickett @wickett

Bonus because you stayed to the end! https://chat.openai.com/g/g-OatLRsfo1-the-devops-painter

A Talk about DevOps, Security, and AI

A Talk about DevOps, Security, and AI

More Decks by James Wickett

Other Decks in Technology

Featured

Transcript