As a technology professional, if someone is not aligned with what’s going on in the Generative AI space, there’s a lot they are missing out on, and they might later regret having missed the bus, even if it is arguably a much-hyped bus! I decided to focus on Cybersecurity in 2024, and I made a series of time investments, engaging in key foundational aspects, one of them being threat modeling. Because, as a Software Testing professional, I strongly believe that ‘Prevention is better than cure’, I cannot look the other way and not do the same thing in the security space! That’s why threat modeling. That’s why it’s important to talk about it, and to make software development teams (which include testers and quality professionals) aware of ‘secure by design’. Those who are in the vulnerability management space would appreciate how much heartburn, energy, time, effort, and money they could save IF organisations and enterprises took that small care upfront, which would reap big benefits later in the software development and maintenance life cycle. And that’s why I sat down with Adam Shostack on my podcast to talk about Cybersecurity, Threat Modeling, and Generative AI.
When voting was called for the OWASP Top 10 for LLMs version 2.0, to pick the Top 10 vulnerabilities that practitioners should focus on, I was quite excited because, frankly, for me it was not about picking the Top 10 specifically, but about the whole gamut of vulnerabilities that were identified for voting. And when Adam and I talked, my focus was on how to avoid these vulnerabilities in the LLM space, specifically in the secure-by-design area, focusing on threat modeling related topics for LLMs.
Adam discussed these topics patiently and frankly with me, and we had a pretty interesting discussion, which is now available on YouTube. From a Software Quality perspective, these are some great inputs for someone who is looking to raise their bar on software security, because we always look for opportunities to incorporate best practices for our organisations, products, and esteemed clients.
We talked about several key topics – code generation by LLMs and its security implications, threat modeling for LLMs, threat modeling diagrams, LLM metrics, secure by design, the role of testing and quality folks in the threat modeling process, enterprises’ lacking security posture, educating the software development team on security, Adam’s book ‘Threatbooks’, and the STRIDE framework and whether it should be modified. If you are someone who cares about software security, you should listen to the podcast, and your follow-up actions in your own environment would be quite beneficial, even if they are a small step forward, in the Cybersecurity, Threat Modeling, and Generative AI space.
I am trying to focus on LLM security for the rest of 2024 as there is a lot to unpack. As I wrote in my last blog, there is a steep learning curve as well as a very dynamic LLM development space, which are challenging but can be managed with the right kind of mentoring, coaching, and consulting. On that note, if your organisation is looking for help, I would be glad to help from a quality perspective. Feel free to get in touch with me.
Let’s build a secure, quality world!