Ep. 27 - From Toil to Intelligence: The Future of AppSec with AI Agents with Brad Geesaman

In episode 27, we talk to Brad Geesaman, Principal Security Engineer @ Ghost Security.

With over 22 years in the industry, Brad co-founded the cloud-native security firm Darkbit, which was later acquired by Aqua Security, and is one of the world's first Google Cloud Certified Fellows. From hardening Kubernetes clusters to his groundbreaking work on 'Pipeline Precognition'—predicting attack paths before they ever exist—and now building AI agents to automate security testing, Brad has been on a constant quest to move security from a reactive chore to a proactive, intelligent function.

In this episode, we discuss the evolving landscape of application security (AppSec) and the role of large language models (LLMs) in automating security processes. We explore the challenges of AppSec automation, the importance of context in security testing, and strategies for achieving deterministic outcomes with LLMs. Brad emphasizes the need for cohesive workflows that integrate security into the development lifecycle and the potential of contextual application security testing (CAST) to enhance vulnerability detection. The discussion also touches on the balance between performance and context gathering, the future of fine-tuning models, and the importance of collaboration between security and development teams.

Key Takeaways

  • Reducing AppSec Toil: The primary focus of using AI in AppSec is to reduce repetitive tasks (toil) and surface meaningful risks. With AppSec engineers often outnumbered 100 to 1 by developers, AI can help manage the immense volume of work by automating the process of gathering context and assessing risk for findings from SCA, SAST, and secrets scanning.

  • Making LLMs More Deterministic: To achieve consistent and high-quality results from non-deterministic LLMs, the key is to use them "as sparingly as possible". Instead of having an LLM manage an entire workflow, break the problem into smaller pieces, use traditional code for deterministic steps, and reserve the LLM for specific tasks like classification or validation where its strengths are best utilized.

  • The Importance of Evals: Continuous and rigorous evaluations ("evals") are crucial to maintaining quality and consistency in an LLM-powered system. By running a representative dataset against the system every time a change is made—even a small prompt modification—teams can measure the impact and ensure the system's output remains within desired quality boundaries.

  • Context is Key (CAST): Ghost Security is pioneering Contextual Application Security Testing (CAST), an approach that flips traditional scanning on its head. Instead of finding a pattern and then searching for context, CAST first builds a deep understanding of the application by mapping out call paths, endpoints, authentication, and data handling, and then uses that rich context to ask targeted security questions and run specialized agents.

  • Prototyping with Frontier vs. Local Models: The typical workflow for prototyping is to first use a powerful frontier model to quickly prove a concept's value. Once validated, the focus shifts to exploring if the same task can be accomplished with smaller, local models to address cost, privacy, and data governance concerns.

  • The Future Skill for AppSec Engineers: Beyond familiarity with LLMs, the most important skill for the next generation of AppSec engineers is the ability to think in terms of scalable, interoperable systems. The future lies in creating systems that can share context and work together—not just within the AppSec team, but across the entire security organization and with development teams—to build a more cohesive and effective security posture.
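
To make the "use LLMs sparingly" and "evals" takeaways concrete, here is an added sketch (not code from the episode or from Ghost Security) of a triage step where plain code decides what it can, one classifier call handles the rest, and an eval gate reruns a labelled dataset on every change. The findings, the two stand-in classifier functions (which take the place of a real model call) and the thresholds are all constructed assumptions.

```python
from typing import Callable, Optional

# Constructed labelled dataset: (finding, expected verdict). Not real scan output.
DATASET = [
    ({"tool": "secrets", "path": "src/config.py", "snippet": "API_KEY = 'placeholder'"}, "risk"),
    ({"tool": "secrets", "path": "tests/fixtures/keys.py", "snippet": "API_KEY = 'placeholder'"}, "noise"),
    ({"tool": "sast", "path": "src/api/users.py", "snippet": "cursor.execute(q % user_id)"}, "risk"),
    ({"tool": "sast", "path": "src/api/health.py", "snippet": "cursor.execute('SELECT 1')"}, "noise"),
    ({"tool": "sca", "path": "vendor/unused/lib.py", "snippet": "import oldlib"}, "noise"),
    ({"tool": "sca", "path": "src/api/upload.py", "snippet": "import oldlib"}, "risk"),
]
THRESHOLDS = {"precision": 0.9, "recall": 0.9}  # assumed quality boundaries

def prefilter(finding: dict) -> Optional[str]:
    """Deterministic step: test fixtures and vendored code need no model call."""
    if finding["path"].startswith(("tests/", "vendor/")):
        return "noise"
    return None  # undecided, hand to the classifier

def classify_v1(finding: dict) -> str:
    """Stand-in for the model call under the current prompt (hypothetical)."""
    return "noise" if "'SELECT 1'" in finding["snippet"] else "risk"

def classify_v2(finding: dict) -> str:
    """Stand-in for the same call after a 'small' prompt edit that over-flags."""
    return "risk"

def triage(finding: dict, classify: Callable[[dict], str]) -> str:
    # The classifier is only reached when the deterministic code cannot decide.
    return prefilter(finding) or classify(finding)

def run_eval(classify: Callable[[dict], str]) -> dict:
    tp = fp = fn = 0
    for finding, expected in DATASET:
        got = triage(finding, classify)
        tp += got == "risk" and expected == "risk"
        fp += got == "risk" and expected == "noise"
        fn += got == "noise" and expected == "risk"
    return {"precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}

def gate(metrics: dict) -> bool:
    """True only if every metric stays within the quality boundaries."""
    return all(metrics[name] >= floor for name, floor in THRESHOLDS.items())

if __name__ == "__main__":
    for name, fn in (("prompt v1", classify_v1), ("prompt v2", classify_v2)):
        metrics = run_eval(fn)
        print(name, metrics, "PASS" if gate(metrics) else "FAIL")
```

Wired into CI, the gate blocks the prompt change that trades precision for nothing, which is the regression a reviewer would not spot by reading the prompt diff alone.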

We hope you tune in and, if you like the episode, please do subscribe!
