Prompt engineering: learning to write robust and secure prompts — In my last few posts, we talked about the potential bugs and vulnerabilities that arise from poorly constructed prompts. Today, let’s explore some strategies to minimize the risk of prompt injection and to write clear and effective prompts. Engineering better prompts: giving clear and specific instructions Some of the LLM vulnerabilities we talked about in this post —…

Exploring security issues in code generation LLM tools — I recently had a conversation with a friend about using GPT for software development. He is a startup founder who is very hands-on with details of his product, and uses GPT to learn new technologies and quickly implement features using languages he is not familiar with. I am also using…

And ways hackers can attack GPT-based applications — I recently had the opportunity to attend Google IO, during which many new products were announced. One aspect that stood out about many of these products was the focus on AI, particularly generative AI. Generative AI is fascinating and I am excited to see what we can do by integrating…

Is AI replacing technical writers and developer advocates? — I recently stumbled on a Twitter discussion debating whether the role of developer relations (DevRel) / developer advocates would become obsolete due to generative AI, such as GPT. DevRels are the people who create and maintain a community around a product. Their responsibilities include writing documentation and blog posts, producing…

Using ChatGPT to build a simple hacking recon tool — In Chapter 5 of Bug Bounty Bootcamp, I talked about how you can write a simple bash script to automate recon tasks before hacking and bug bounty hunting. Then just a year later, ChatGPT came around. I am still a huge proponent of learning to script so that you can…

AppSec engineer’s book club #001 — discussing Loren Kohnfelder’s book — Many of my followers have been asking me for book recommendations. After all, who doesn’t love a new tech book? Books are my favorite way to absorb new information, especially when learning something new. I’ve wanted to start a security engineer’s book club to share book recommendations, notes, and summaries…

And what subdomain takeovers mean for your SameSite cookies — I published an article a while ago about how Chrome is making SameSite the default behavior for cookies to prevent Cross-Site Request Forgery (CSRF) attacks. After that, jub0bs reached out to me about how the nuances of SameSite can leave websites vulnerable. Thanks for bringing this issue to my attention! …

Interview with Shinesa Cambric, Principal Product Manager at Microsoft — Our guest today, Shinesa Cambric, is an IT security professional who is passionate about designing roadmaps for identity and access management programs, and architecting security strategies for emerging technologies. In this episode of Sources and Sinks, Vickie Li, developer evangelist at ShiftLeft, interviews Shinesa about her research in identity and…

Launching your career in cybersecurity with self-study — Our guest today, Jasmine Jackson, is an experienced cybersecurity professional who got her start through self-teaching. Looking at Jasmine’s resume right now, it’s difficult to imagine that she was not able to find a job at all when she first started in the field! Jasmine has a technical background, but…