Poetry4Shellz – Avoiding Limerick Based Exploitation and Safely Using AI in Your Apps

LLM-based AI has introduced huge shifts in the technology landscape in a very short amount of time, and one consequence has been immense pressure on organizations of all types to adopt and/or develop any and all things AI. This pressure has resulted in widespread usage of fledgling technologies, often with surprising capabilities, that are not well understood in terms of their security implications or their interactions with other data and APIs. You yourself might be under that very pressure now!

This talk will provide a case study of a real-world LLM-based app that is vulnerable to a variety of attack vectors. These illustrate the challenges to account for when integrating today's LLM technologies into web application stacks, as well as how to protect against them. We will walk through a full attack pathway that culminates in the combination of the LLM with SaaS APIs in order to gain full control.

Things then get weird as we explore the ways in which attack payloads can be obfuscated for delivery and how we will need to adjust some of our traditional security approaches in response.

No deep AI or LLM knowledge is required for the talk; an overview of LLMs and the general attacks against them will be provided. Basic knowledge of limericks is advised.


Speaker

Rich Smith

Rich Smith is CSO at Crash Override, an NYC-based security startup founded in 2022. Prior to Crash Override, Rich was CTO at Superlunar Labs, Head of Duo Labs (Cisco), Director of Security at Etsy, CEO & co-founder of Icelandic security leader Syndis, and held leadership roles on security teams at Gemini, Immunity, Kyrus, Morgan Stanley, and HP Labs, among others.

Rich has worked professionally in the security space since the late 90’s and is co-author of Agile Application Security: Enabling Security in a Continuous Delivery Pipeline published by O'Reilly.

Date

Wednesday Apr 10 / 02:45PM BST (50 minutes)

Location

Mountbatten (6th Fl.)

From the same track

Session Ethical AI

Trends in InfoSec: Data Minimisation, Autoclassification, and Ethical AI

Wednesday Apr 10 / 11:45AM BST

Laws are changing around the world to require frequent disposal of high-risk information, to reduce the impact of (inevitable) breaches. As such, ‘records management’ is now a cyber discipline, but one that has not previously been well enabled by technology.

Rachael Greaves

CEO & Co-Founder @Castlepoint Systems, Australia's Most Outstanding Woman in IT Security, RegTech Female Entrepreneur of the Year, Women in Fintech Powerlist, Top 100 Innovator, CISM, CISA, CDPSE, & CIP

Session zero trust

A Zero Trust Future for Applications: Practical Implementation and Pitfalls

Wednesday Apr 10 / 10:35AM BST

If you are building applications which are critical for your organization's revenue, then you would be looking at a zero trust future for most of the applications.

Ashish Rajan

CISO @Kaizenteq Ltd, Host of "Cloud Security Podcast", and SANS Trainer for Cloud Security, 13+ Years Experience in the CyberSecurity Industry

Session

Beyond the Breach: Proactive Defense in the Age of Advanced Threats

Wednesday Apr 10 / 01:35PM BST

Details coming soon.

Michael Brunton-Spall

Deputy Director Cyber Policy and Solutions @Cabinet Office

Session

From Anti-Patterns to Best Practices: A Practical Guide to DevSecOps Automation and Security

Wednesday Apr 10 / 03:55PM BST

In the modern DevSecOps landscape, teams often struggle to achieve more with fewer resources, leading to the development of counterproductive habits. These habits can significantly hinder the ability to establish effective security programs.

Spyros Gasteratos

Founder @Ocurity, Principal Security Engineer, Maintainer of opencre.org & github.com/ocurity/Dracon, 15+ Years Experience in Security