Hi and moin Hamburg!
You're cordially invited to our 15th anniversary meeting, see https://owasp.org/www-chapter-germany/stammtische/hamburg/#1-treffen-am-872010 !! 🎉🎂🎂
As is appropriate, we'll have something special: two talks, which we're very much looking forward to. As you might have figured out by now, both talks will be in English.
Again, we'll be guests at New Work SE (formerly known as XING), thank you!
We're excited to announce Niklas Bunzel as our speaker. Niklas is a Research Scientist in Machine Learning and contributor to the OWASP AI Exchange project.
Also, we're pretty thrilled to have Susanna Cox as a speaker. She is a famous US-based AI Architect and Security Researcher with a decade of experience on the bleeding edge of mission-critical AI, or, to quote a friend: "She's one of our best presenters and quite the AI security pioneer and AI influencer", "she's the coolest". She will join us remotely.
# TL;DR
- Start: 6:30 pm, July 16.
- Doors open for socializing at 6:00 pm. Please be on time for the talks.
- Location: Am Strandkai 1, 20457 Hamburg
- Talk #1: Niklas Bunzel: AI Security & Privacy: From Prompt Injection to Multimodal Evasion
- Talk #2: Susanna Cox: Threat Modeling AI: Beyond the Hype and Theater to Proactive Security
# Abstract 1
AI systems are being incorporated into an increasing number of products, including security-related applications. However, the threat landscape is vast and constantly evolving. In this talk, we explore a range of security and privacy threats in applications, including prompt injection, model stealing, model inversion (reconstructing training data), membership inference, denial-of-service and denial-of-wallet attacks, as well as evasion attacks. We will discuss how prompt injection can be used to facilitate many of these attacks in current LLM-driven AI and examine the role of guardrails and methods for bypassing them. Additionally, we demonstrate how attackers exploit these vulnerabilities across modalities, present real examples of AI being tricked or misused, and outline practical strategies for building more secure systems.
# Abstract 2
When it comes to AI, threat modeling is more important than ever. Deploying AI systems can be expensive. Suffering an AI security incident can be even more costly. Advanced AI threat modeling techniques help to prevent and mitigate security incidents before they start, protecting intellectual property & guarding ROI. Securing AI systems requires a multidisciplinary approach, involving both data teams and security teams. Threat modeling brings these teams together, creating a common language that can bridge communication gaps, and ultimately ensure maximum alignment. Threat modeling is a win for business: Integrating threat modeling into the AI development lifecycle reduces the risk of security incidents, improving business outcomes and user trust, while providing business transparency into risks, mitigations, and processes. In this session, we’ll give an overview of the why and how of threat modeling, before diving into practical, hands-on methods to get started proactively modeling threats to your AI systems.
Topics/Outline:
### Introduction To Threat Modeling for AI
- What is Threat Modeling?
- When To Threat Model?
- The Secure (AI) Development Lifecycle
- De-Siloing Data and Security
- Welcome to the Purple Team
### What are we working on?
- Defining the right scope
- Understanding AI Architectural Patterns: Predictive, Generative, & Agentic
### What can go wrong, Part 1: The CIA Model
- The New Role of Data
- The CIA Model & AI
### What can go wrong, Part 2: The AI Development Lifecycle
- Introduction to the AI Lifecycle Model
- Development time threats
- Threats through use
- Runtime security threats
### What are we going to do about it?
- Controls & Mitigations
- Application: Applying Controls to AI Use Cases
### Did we do a good job?
- The Importance of Operationalization & Monitoring
- CD/CM Pipelines
- Continuous Feedback - How We Get Results
- Human-In-The-Loop
----
# Misc
* For our planning, please be dependable with respect to your RSVP.
* OT: Meetup sucks, I had to cripple the titles. Also, two speakers is not something Meetup can really cope with well. Sigh.
# About our OWASP meetings
Our meetings are about software and its security on the Internet and/or information security in general. All meetings are free, open to everyone and free of charge, with or without membership.
You'll be meeting people who deal with IT security either professionally or privately: developers, managers, "pen testers" and anyone interested in (mostly web) security. The atmosphere is open and relaxed. We're all about exchanging experiences, talking tech and networking. If you want to sell products or services, you're in the wrong place. You are very welcome to pass on a link about our meetings to your colleagues or acquaintances.
Best regards, Dirk