Mend.io’s Post

How To Responsibly Adapt To Artificial Intelligence In AppSec

Unlock the secrets of securing your code while harnessing #AI's potential. Listen to our in-depth analysis of #GenAI's security landscape: https://hubs.ly/Q02m1pdc0 #CheckmarxSecurity #ApplicationSecurity #DevSecOps #ArtificialIntelligence

OWASP introduces ML BOM (Bill of Materials) in its latest CycloneDX 1. 5 standard to cover models and datasets. A welcome transparency extension that can help mitigate supply-chain risks and tampered or poisoned models and datasets. This is really important as we are seeing poison-less model backdoor attacks that are hard to detect and the model source becomes a critical part of the supply chain. It will, no doubt, accelerate knowledge sharing and vulnerability tracking similar to CVEs. Our #llmtop10 entries are being updated to incorporate ML BOMs and it would be interesting to see tooling adoption from #MLSecOps vendors such as Protect AI and Giskard. CycloneDX 1.5 adds more BOM extensions such as SaaS and device firmware. A bold and welcome step from OWASP. https://lnkd.in/dd-JfTSR #aisecurity #ml #ai #owasp #security #supplychain #largelanguagmodels #llm #generativeai

🚀 Ready to tackle AI-driven security challenges head-on? AI adoption in coding introduces challenges for Product Security teams, disrupting established workflows and inundating them with insecure code. Product Security teams already face resource constraints and complex environments, exacerbated by the surge in AI-driven development. Checkmarx unveils the next wave of AI Security features, redefining the future of Product Security! • Auto Remediation for SAST: streamline resolution process and time for developers • Checkmarx GPT: analyze the generated code for malicious packages, hallucinations and now inclusive of the ability to perform SAST scans as part of the process. • GitHub Copilot Integration: Our VS Code Plugin for Checkmarx now supports real-time IDE scanning for all types of code, including Copilot generated code, which allows developers to get a super fast SAST scan of the code, as it’s being created. • Prompt Security: Understand what is being passed to a LLMs and providing ways to sanitize and block unwanted data from being shared Don't miss out on the revolution. #AI #AppSec #SecurityInnovation

Deploy your Large Language Model the smart way 😎 , not the hard way 😤 . Our latest set of blog posts discuss the different considerations that both business and security teams must address to ensure they create a safe, secure ecosystem across the enterprise. The first of the posts is available now 👉 and tackles the Top 5 Technical Considerations for a Secure LLM Deployment: 🌟 Data Security and Privacy 🌟 Model Inference Monitoring 🌟 Scalability and Performance 🌟 Version Control and Updating 🌟 APIs and Integration Security Our next blog discusses the top five human-centric considerations for a secure LLM deployment. Be sure to look for it! 👀 #generativeai #CISO #artificialintelligence

GitHub’s Copilot has been making headlines nonstop. Recent research has revealed security risk associated with the widespread use of Copilot and CodeWhisperer, as valid hard-coded secrets were extracted by researchers, highlighting a novel security vulnerability in these platforms. Although copilots have gained popularity recently for expediting the development process, this study discovered that 35.8% of the 435 code snippets that were discovered in publicly accessible repositories had security flaws. Even though this defect rate is within the human-generated code range of 10%, it is still important to make sure that thorough code security checks are carried out as part of the delivery process in order to identify vulnerabilities prior to deployment. Longer term impacts include the inability of developers to comprehend, modify, and debug the code snippets produced by Copilot, which may lessen the difficulty of development teams maintaining consistent code.  https://lnkd.in/g3aFv4V6 #CoPilot #AI #Security

AI is software, which means you need to pay attention to the security of the supply chain. Kusari CTO and GUAC maintainer Michael Lieberman shares some considerations for securing your open source AI supply chain in Help Net Security. https://lnkd.in/d-cWJ7-K #OpenSource #GenerativeAI #SoftwareSupplyChainSecurity

I highly recommend this article to my dev network. #securesoftwareprogramming Why? The author provides great insight on software programming bugs that are often found by devs that leverage generative AI models to help write their code. Here’s my tin foil hat on this- It is my impression that as the need for prompt engineers increase so will the need for bug hunters/ security researchers that specialize in genAi or pre-trained model bugs. Note: I’m not sponsoring Jfrog, but I have been a user of Jfrog Saas and on-prem solutions in the past. Great product. The article was found on Jfrog. Article linked below ⬇️ TL;DR The goal of this post is to raise awareness and emphasize that auto-generated code cannot be blindly trusted, and still requires a security review to avoid introducing software vulnerabilities.

🔐 New Blog Post: Sensitive Information Detection in MLOps The integration of AI in software development brings a sharp focus on the need for strong security within MLOps practices. Our newest blog post delves into the importance of detecting sensitive information as AI technologies become more prevalent. We explore the real challenges developers and data scientists face in protecting their work and the serious risks that can arise from overlooking these security needs. #sast #appsec #mlops #security Read More: https://lnkd.in/da4gZ6Wt

🔐 Security isn't a switch that can be toggled; it's a consistent posture that needs to be maintained regardless of whether the audience is internal or external. In my experience out in the field, I've seen firsthand that the security of MLOps processes is often undervalued, especially when it comes to internal practices. Time and again, there's a tendency within organizations to downplay code leaks or data exposures with a dismissive "it's just internal." But this perspective overlooks a critical truth: a leak's origin doesn't limit its impact. The reality is that even minor internal leaks can cascade into major external threats. The mere format of leaked information can unwittingly narrate an organization's operational playbook, offering insights into logical vulnerabilities that could be exploited. Through our MLOps cycles, it's become clear that every piece of code, every dataset, and every model carries with it the weight of potential exposure. And so, the argument that internal leaks are less of a threat is not just flawed—it's dangerous. In our latest blog post, we examine the nuanced scenarios of security breaches I've observed and the layered impacts they can have. #MLOps #Cybersecurity #DataLeaks #AI #MachineLearning #InformationSecurity