Brooks
brooksmcmillin.com
@brooksmcmillin.com
Infrastructure / AI Security Engineer
5/5 Full breakdown of the problem + what's coming next in AI security tooling: brooksmcmillin.com/blog/llm-gen...

#AISecurity #DevSecOps #LLMSecurity
The Call is Coming from Inside the House: When your Agentic Coder Writes Dangerous Code | Brooks McMillin - AI Security Researcher
An introduction to the flaws in security testing for AI-generated code.
September 14, 2025 at 4:35 PM
4/5 Quick mitigations while better tooling catches up:
✅ Verify AI-suggested packages exist before installing
✅ Test auth flows with multiple accounts
✅ Manual reviews for dependency + auth logic
September 14, 2025 at 4:35 PM
3/5 Traditional SAST/DAST tools miss these because they're designed around human coding patterns, not AI hallucinations and edge cases.
September 14, 2025 at 4:35 PM
2/5 This isn't isolated. AI-generated code has unique security blind spots:

Context-blind configs (HTTP-only servers in prod)
Authentication that passes tests but fails reality
Dependencies from outdated/insecure training data
September 14, 2025 at 4:35 PM
With the picture of the timeline, at first I thought these were all the events and was trying to figure out how the firing of the FEMA IT directly led to Israel bugging Irani phones. 😂😂

Great work, as always!
September 1, 2025 at 4:10 PM