You are viewing content from a past/completed conference.
Poetry4Shellz – Avoiding Limerick Based Exploitation and Safely Using AI in Your Apps
LLM-based AI has introduced huge shifts in the technology landscape in a very short amount of time, and one consequence has been immense pressure on organizations of all types to adopt and/or develop any and all things AI. This pressure has resulted in widespread usage of fledgling technologies, often with surprising capabilities, that are not well understood in terms of their security implications or interactions with other data and APIs. You yourself might be under that very pressure now!
This talk will provide a case study of a real-world LLM-based app that is vulnerable to a variety of attack vectors, illustrating the challenges to account for when integrating today's LLM technologies into web application stacks, as well as how to protect against those attacks. We will walk through a full attack pathway that culminates in the combination of the LLM with SaaS APIs in order to gain full control.
Things then get weird as we explore the ways in which attack payloads can be obfuscated for delivery and how we will need to adjust some of our traditional security approaches in response.
No deep AI or LLM knowledge is required for the talk; an overview of LLMs and the general attacks against them will be provided. Basic knowledge of limericks is advised.
Speaker
Rich Smith
Rich Smith is CSO at Crash Override, an NYC-based security startup founded in 2022. Prior to Crash Override, Rich was CTO at Superlunar Labs, Head of Duo Labs (Cisco), Dir of Security at Etsy, CEO & co-founder of Icelandic security leader Syndis, and held leadership roles on security teams at Gemini, Immunity, Kyrus, Morgan Stanley, and HP Labs, among others.
Rich has worked professionally in the security space since the late '90s and is co-author of Agile Application Security: Enabling Security in a Continuous Delivery Pipeline, published by O'Reilly.
From the same track
Session
Ethical AI
Trends in InfoSec: Data Minimisation, Autoclassification, and Ethical AI
Wednesday Apr 10 / 11:45AM BST
Laws are changing around the world to require frequent disposal of high-risk information, to reduce the impact of (inevitable) breaches. As such, ‘records management’ is now a cyber discipline, but one that has not previously been well enabled by technology.
Rachael Greaves
CEO & Co-Founder @Castlepoint Systems, Australia's Most Outstanding Woman in IT Security, RegTech Female Entrepreneur of the Year, Women in Fintech Powerlist, Top 100 Innovator, CISM, CISA, CDPSE, & CIP
Session
zero trust
A Zero Trust Future for Applications: Practical Implementation and Pitfalls
Wednesday Apr 10 / 10:35AM BST
If you are building applications that are critical for your organization's revenue, then you would be looking at a zero trust future for most of the applications.
Ashish Rajan
CISO @Kaizenteq Ltd, Host of "Cloud Security Podcast", and SANS Trainer for Cloud Security, 13+ Years Experience in the CyberSecurity Industry
Session
Beyond the Breach: Proactive Defense in the Age of Advanced Threats
Wednesday Apr 10 / 01:35PM BST
This talk will cover some of the most advanced attacks that are in the public domain, mostly attributed in public by commercial organizations. This talk will give a whirlwind tour of some of the high end of threat activity to set out the context of a changing cybersecurity landscape.
Michael Brunton-Spall
Deputy Director Cyber Policy and Solutions @Cabinet Office
Session
From Anti-Patterns to Best Practices: A Practical Guide to DevSecOps Automation and Security
Wednesday Apr 10 / 03:55PM BST
In the modern DevSecOps landscape, teams often struggle to achieve more with fewer resources, leading to the development of counterproductive habits. These habits can significantly hinder the ability to establish effective security programs.
Spyros Gasteratos
Founder @smithy.security