Boring AppSec
Edition 21: A framework to securely use LLMs in companies - Part 1: Overview of Risks
Part 1 of a multi-part series on using LLMs securely within your organisation. This post provides a framework to categorize risks based on different use…
Jul 18, 2023 • Sandesh Mysore Anand
Edition 6: Top 4 AppSec metrics and why they are so hard to measure
You can't improve what you cannot measure, but measuring incorrectly can drive incentives in the wrong direction. Here's a hypothesis on "good" AppSec…
Sep 5, 2021 • Sandesh Mysore Anand
[Guest post] Edition 24: Pentesting LLM apps 101
As adoption grows, we are seeing many applications integrated with LLMs (such as Open AI). This post helps Pentesters get started in testing LLM apps.
Oct 13, 2023 • Ved Prabhu
Edition 14: To WAF or not to WAF
The effectiveness of WAFs is a hotly debated subject in AppSec circles. This edition tries to bring structure to that discussion.
Jan 2, 2022 • Sandesh Mysore Anand
Edition 18: The diminishing returns of DAST
If your software development relies on continuous integration and deployment (CI/CD), this edition argues that DAST as an assessment methodology should…
Mar 8, 2023 • Sandesh Mysore Anand
Edition 23: A framework to securely use LLMs in companies - Part 3: Securing ChatGPT and GitHub Copilot
Part 3 of a multi-part series on using LLMs securely within your organization. This post helps you secure two of the most popular LLM-based tools used…
Sep 5, 2023 • Sandesh Mysore Anand and Ashwath Kumar
Edition 22: A framework to securely use LLMs in companies - Part 2: Managing risk
In this edition, we will focus on managing risk for applications leveraging 3rd party LLMs
Aug 13, 2023 • Sandesh Mysore Anand
Edition 25: Gen AI can supercharge your AppSec program
This post tries to answer the question every AppSec team is probably asking: Can we use Gen AI to improve our program?
Dec 18, 2023 • Sandesh Mysore Anand
Edition 26: Scaling Security Design Reviews and why the time is now
"Developer enablement" is all the rage in AppSec and rightly so. The best time to do it is just before they start building.
Jul 29, 2024 • Sandesh Mysore Anand
Edition 17: Is CloudSec the new AppSec?
This edition argues that while there is increasing overlap between the two, it's not a useful framework to apply
Feb 19, 2023 • Sandesh Mysore Anand
Edition 15: Is your champions program running out of steam?
Security champions programs usually start well, but taper off quickly. This edition provides a framework to help avoid that.
Jan 29, 2023 • Sandesh Mysore Anand
Edition 9: A build v/s buy framework for AppSec
Incorrect buy v/s build decisions can have serious downstream impact on security posture and team morale. This edition builds a framework that can help…
Sep 26, 2021 • Sandesh Mysore Anand