
OWASP Gothenburg AI Security and Header Injections

Hosted By
Dennis D.

Details

Join us at our partner Benify's office for an interesting evening with food and drinks, and talks about AI security and the security implications of attacker-controlled HTTP response headers!

Where: Benify, Masthamnsgatan 5, 413 27 Göteborg

Agenda:
17:00 - 17:25: Welcome to Benify

17:25 - 17:40: Introduction from the event hosts and presentation of tonight's speakers.

17:40 - 18:40: Securing the Future: Ethical, Robust, and Secure AI Development

Outline:

Historical Overview of AI

  • Evolution of artificial intelligence
  • Key milestones in AI development

AI and Ethics

  • Impact on business operations and decision-making
  • Overview of ethical guidelines and frameworks
  • Best practices for ethical AI implementation
  • Strategies to mitigate ethical risks

Robustness & Reliability of AI Code Generation

  • Common misuse patterns and how to address them
  • Key metrics for measuring AI system reliability

Artificial Intelligence Security Introduction

  • Historical case studies of AI failures

OWASP Top Ten for Large Language Models

  • Security issues ranging from prompt injection to model theft

Threat Modeling AI Systems

  • Methodologies for assessing and mitigating threats in AI ecosystems

Hugging Face Open Source AI Tools

  • Overview of tools for AI development and research

Differential Privacy and AI

  • Principles and applications to protect user data

NIST AI Risk Framework

  • Framework for managing AI risks

Executive Order on AI Development and Use (Dated Oct 30, 2023)

  • Analysis of the executive order and its implications for AI

EU AI Act

  • Exploration of the EU's first regulation on AI (link provided in the talk)

Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In addition to leading Manicode, Jim is actively involved in the tech startup ecosystem as an investor and advisor. His portfolio includes notable companies such as SemGrep, EdgeScan, Nucleus Security, Defect Dojo, KSOC, Akto, MergeBase, Inspectiv, Levo.ai and Pheonix. Furthermore, he is a fund-limited investor with Aviso Ventures, bringing his knowledge of software security to the venture capital domain. Jim is a recognized figure in the software development community, particularly known for his contributions to secure software practices. He holds the title of a Java Champion, acknowledging his contributions to the Java community. He is also the author of "Iron-Clad Java: Building Secure Web Applications", published by Oracle Press. Jim is committed to giving back to the community through his volunteer work with the OWASP foundation. He co-leads projects such as the OWASP Application Security Verification Standard and the OWASP Cheatsheet Series, contributing significantly to the field of web application security. For more information, please visit his LinkedIn profile at https://www.linkedin.com/in/jmanico or visit him on X/Twitter @manicode.

18:40 - 19:20: Food & Drinks

19:20 - 20:00: Controlling the response: a peek into the risk of attacker-controlled HTTP headers
The talk will present research into the security implications of attacker-controlled response headers. What can go wrong when we intentionally or unintentionally allow an attacker to control the headers of an HTTP response? We will examine some services where this exists "by design", where developers have tried to mitigate any risk using filters and Content Security Policies. We will also take a new look at the classic "CRLF header injection". The presentation will cover some known escalations in this area but also present a lesser-known escalation that abuses Network Error Logging.

Johan Carlsson is a developer, bug bounty hunter, and hobby security researcher. He works at Recorded Future but has just finished three months of self-employment as a full-time bug hunter. Johan has found numerous vulnerabilities in many companies but is most known for his work on securing GitLab.

20:00 - 21:30: Over-time (optional)
Hang out, grab something to drink, and discuss security, the weather or anything in between!

OWASP Gothenburg Chapter
FREE