Boring AppSec
Edition 29: Security slows down Change Management and we have a chance to fix it
One of the advantages of building a company is that you get to talk to many people.
May 27
•
Sandesh Mysore Anand
January 2025
Edition 28: ADR v/s Shift-left should be looked at as a "Stock" v/s "Flow" problem
And like most "Stock" v "Flow" discussions, you need a bit of both.
Jan 27
•
Sandesh Mysore Anand
The times, they are A-changin
In the coming months, this newsletter will reflect the changes in my career: from being an AppSec operator to being a co-founder of an AppSec company.
Jan 19
•
Sandesh Mysore Anand
November 2024
Edition 27: Secure by Design is important, but requires a different kind of industry effort to achieve it
CISA's Secure by Design has good intentions, but has an identity crisis. At this point, it may not move the needle on software security.
Nov 10, 2024
•
Sandesh Mysore Anand
July 2024
Edition 26: Scaling Security Design Reviews and why the time is now
"Developer enablement" is all the rage in AppSec and rightly so. The best time to do it is just before they start building.
Jul 29, 2024
•
Sandesh Mysore Anand
March 2024
[New Pod Announcement] Episode 1: - Asset Inventory
In the first episode of this brand new Podcast, Anshuman and I talk about software inventories. Why we need them, how to build them, and what to avoid.
Mar 4, 2024
•
Sandesh Mysore Anand
and
Anshuman Bhartiya
44:56
December 2023
Edition 25: Gen AI can supercharge your AppSec program
This post tries to answer the question every AppSec team is probably asking: Can we use Gen AI to improve our program?
Dec 18, 2023
•
Sandesh Mysore Anand
October 2023
[Guest post] Edition 24: Pentesting LLM apps 101
As adoption grows, we are seeing many applications integrated with LLMs (such as Open AI). This post helps Pentesters get started in testing LLM apps.
Oct 13, 2023
•
Ved Prabhu
September 2023
Edition 23: A framework to securely use LLMs in companies - Part 3: Securing ChatGPT and GitHub Copilot
Part 3 of a multi-part series on using LLMs securely within your organization. This post helps you secure two of the most popular LLM-based tools used…
Sep 5, 2023
•
Sandesh Mysore Anand
and
Ashwath Kumar
August 2023
Edition 22: A framework to securely use LLMs in companies - Part 2: Managing risk
In this edition, we will focus on managing risk for applications leveraging 3rd party LLMs
Aug 13, 2023
•
Sandesh Mysore Anand
July 2023
Edition 21: A framework to securely use LLMs in companies - Part 1: Overview of Risks
Part 1 of a multi-part series on using LLMs securely within your organisation. This post provides a framework to categorize risks based on different use…
Jul 18, 2023
•
Sandesh Mysore Anand
May 2023
Edition 20: Degrading UX to improve security hurts both UX and security
Accounting for unintended consequences of your design choice is important for all engineering disciplines. Security teams should apply that lens too.
May 30, 2023
•
Sandesh Mysore Anand