Several members of the @doyensec team are heading to @TumpiConIT for our Norbert Szetei's presentation on his awesome ksmbd security research. If you're around, make sure to talk to Luca Carettoni & the team!
#doyensec #appsec #TumpiCon

https://tumpicon.org/

Join Tanya Janca on November 5 for a 1-day, hands-on training session at OWASP Global AppSec USA 2025 and learn how to design and harden APIs the right way.

Secure your training spot now: https://owasp.glueup.com/event/131624/register/

We're hiring an experienced Application Security Architect for our #AppSec team! This is a position in Oporto (). We are living a hybrid working model w/ a healthy mix of remote work and on-premise collaboration w/ dev teams located in our three IT Hubs ()! https://jobs.kuehne-nagel.com/global/en/job/1072/Application-Security-Architect

I asked Venice AI why it doesn't write secure code, and it was pretty damn honest.

#genai #appsec

The security of code generated by AI depends on the context in which it is used and the implementation details. Here’s a direct breakdown of relevant factors:

1. AI models, including myself, do not "write secure code" by default because security requires domain-specific knowledge, threat modeling, and adherence to best practices that may not be explicitly included in a prompt. For example, if you ask for a script without specifying input validation, it may lack protections against injection attacks, buffer overflows, or insecure dependencies.
2. Code security is inherently tied to execution environments. Venice.ai does not execute or sandbox code; it only provides text-based responses. This means any code examples shared are theoretical and should never be used in production without rigorous auditing.
3. Security flaws often arise from oversight, such as hardcoded credentials, misconfigured permissions, or failure to sanitize inputs. These issues are not unique to AI-generated code but are common in human-written code as well.
4. Venice.ai prioritizes privacy (user data is not stored on servers) but does not guarantee security outcomes for code examples. Users are responsible for validating and testing any code they implement.
5. If you’re referring to the Venice Token (VVV) or its infrastructure, security would depend on the blockchain protocols, smart contract audits, and wallet practices—not the AI’s outputs.

In short, code security is a collaborative responsibility. Always treat generated code as a starting point, not a finished product, and apply security testing frameworks or consult experts for critical applications.

Save big by purchasing Early Bird Tickets for OWASP Global AppSec USA 2025!

This event is built for everyone in the cyber security community and will provide networking opportunities among hundreds of professionals from across the country.

Early Bird Discounts: https://owasp.glueup.com/event/131624/register/

Hurry up! June 24th is the last day to submit for the Global #AppSec USA Call for Presentations! Seize the chance to showcase your expertise at this outstanding event. Don't wait, submit now to shine: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops #OWASP #SBOMM #cybersecurity

#JWT: 'Attacking JWT using X509 Certificates': how an attacker could sign the JWT token with their own private key and modify the header value to specify their public key for signature verification:
#AppSec
#APIsecurity

https://trustedsec.com/blog/attacking-jwt-using-x509-certificates

We have just released a new Security Advisory for NASA's CFITSIO library . Click the link for details on the Heap Overflow, Type Confusion, Out-of-Bound Writes & other vulnerabilities discovered by our Adrian Denkiewicz !

https://www.doyensec.com/resources/Doyensec_Advisory_CFITSIO_Q22025.pdf

Hurry! Less than 10 days left until the Global #AppSec USA Call for Papers closes! Seize the chance to showcase your expertise at this incredible event. Submit your proposals TODAY: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops #OWASP

Only 10 days remaining until the deadline for our Global #AppSec USA CfP! Don't miss this opportunity to share your expertise at this amazing event. Submit your proposals NOW: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops #OWASP

Are you letting the AI do the threat modeling for you?

Don't let the machines take over the world! Threat model using "Elevation of MLSec" on copi.owasp.org instead. Our survival depends on it!

At copi.owasp.org you can now play Elevation of MLSec to threat model your AI models.

Read more about the latest release of OWASP Cornucopia 2.3: https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1

Created by Elias Brattli Sørensen and designed by Jorun Kristin Bremseth at Kantega.

Are your AI doing the threat modeling for you? Threat model using "Elevation of MLSec" on copi.owasp.org instead. Our survival depends on it! At copi.owasp.org you can play Elevation of MLSec to secure your AI models. Read more: dev.to/owasp/threat... #genai #openai #ai #threatmodeling #appsec

Our Call for Presentations is ENDING SOON! Be part of the action at #OWASP Global #AppSec USA in Washington, DC this November. Showcase your expertise and apply to speak at this fantastic event. Submit your proposals TODAY: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops

SQL Injection despite using prepared statements?

Turns out that SQL syntax can be ambiguous! Learn how this has led to vulnerabilities in several popular PostgreSQL client libraries:

https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=blog-double-dash-double-trouble-250610-1&utm_term=---all&s_category=Organic&s_source=Social%20Media&s_origin=social

Are you reviewing your NPM dependancies for malicious code? #devsecops #appsec #npm
https://www.scworld.com/news/complex-npm-attack-uses-7-plus-layers-of-obfuscation-to-spread-pulsar-rat

My May Appsec roundup is live, and since I'm traveling I'm just doing the short version post ... you can see all the best #appsec at https://shostack.org/blog/appsec-roundup-may-2025/

Exciting news! Be part of the action at #OWASP Global #AppSec USA in Washington, DC this November. Showcase your expertise and apply to speak at this fantastic event. Seize the opportunity to shine - submit your proposals here: https://sessionize.com/owasp-global-appsec-USA-2025-cfp2/ #infosec #AI #devsecops

EARLY BIRD TICKETS ON SALE NOW!

Get ready for the ultimate cybersecurity experience at the OWASP Global AppSec US Conference, happening November 3–7, 2025 in Washington, D.C.

Training Dates: Nov 3–5, 2025
Conference Dates: Nov 6–7, 2025

https://owasp.glueup.com/event/131624/register/

Hey there Start-Up's! Don't miss out on the chance to exhibit at #OWASP 2025 Global AppSec US DC at a discounted rate! Limited spots available. Secure your place before it's gone! Check out http://dc.globalappsec.org/ for more info. #appsec #cybersecurity

I just saw this paper by Dinis Cruz on #ThreatModeling with #LLMs. I've been thinking along these lines for a while, but he's written it down completely and cogently. I agree with a lot of what I have read so far (Haven't finished it yet)

Edit: @WiseWoman called my attention to the fact that Dinis lists "ChatGPT Deep Research" as a co-author(?). Sigh. No wonder this text passed the sniff test. It's so full of chatbot output he gave the chatbot co-author credit.

Ah well. Some of it is right. But now the inconsistencies make sense.