Trail of Bits

Prompt injection, malicious pickle files, and backdoored models—oh my! Stay on top of AI security with the MLSecOps Podcast. Subscribe for new episode alerts ➡️ https://hubs.ly/Q03f8fGz0 Join us this week as we sit down with Keith Hoodlet from Trail of Bits to discuss bridging old-school hacking tactics with modern LLM threats—everything from second-order exploits to monkey patching libraries, plus how the DOD’s AI bias bounty ties into real-world compliance and regulation challenges. Episode releasing soon—keep an eye out! #AppSec #PromptInjection #AISupplyChain #ModelSecurity #AISecurity #ProtectAI

Keith Hoodlet's return to Security Weekly Productions #323 delivers practical insights into where GenAI truly adds value in security testing. LLMs excel at finding common vulnerabilities but struggle with novel threats outside their training data. As Keith explains, they catch "the 50% under the bell curve problems" while missing the unique, emerging threats that often matter most. The episode explores the balance between AI tools and traditional security approaches like fuzzing - identifying where automation makes sense and where human expertise remains essential, especially for architectural reviews and business logic vulnerabilities. For security teams evaluating AI integration, this conversation provides concrete guidance on maximizing value while understanding the current limitations. Full episode: https://lnkd.in/gxqthfa6

Excited to share that SillyCTF 2025 was a huge success! We had 313 competitors (212 teams) work for 12 hours to solve a set of 38 challenges in Penn State's first international cybersecurity competition! Academic teams came from universities in the United States, Belarus, Canada, France, Greece, India, Indonesia, Malaysia, Nigeria, Pakistan, Vietnam, and Japan, and we had players on every continent except Antarctica. 36 players were from Penn State University. #weare! Teams competed for an academic prize pool with a value of over $6000: thank you to our sponsors, Vector 35, RET2 Systems, Inc., and Trail of Bits for providing prizes and infrastructure support! Finally, a huge shout-out to to everyone at the Penn State Competitive Cyber Security Organization who helped to write challenges, provide tech support, and manage the infrastructure: this wouldn't have been possible without Maguire Younes, Liam Geyer, Aidan Ethier, Aiden Johnson, Brooke Connelly, Robert Roderick, Ryan Zanoni, and Wyatt Petula! https://lnkd.in/enayfuBb

One of my goals this year is to figure out a cost-benefit analysis of fuzzing vs. LLMs vs. grep. Later on in this conversation Keith Hoodlet had some great insights on where he's seeing #appsec potential from LLMs. More articles and the full episode at https://lnkd.in/geG2NWyP https://lnkd.in/gTSDm4JW

For ops folks, security audits can seem resource-intensive. Is the ROI really there? Don't we have this capacity in-house? Trail of Bits provided an actionable roadmap for - What to expect - What to ask - How to gauge ROI https://lnkd.in/eYXjJUXj

Memory safe code was having an unsafe design week this week. We covered some #appsec articles about: - Next.js middleware and where to place security controls - ruby-saml authentication bypass and how many different parsers a library should have - an NTLM hash leak and when a UX feature becomes a security liability Keith Hoodlet and Kalyani Pawar shared their ideas on better designs and better defaults. We also pondered just how much more secure the world might be if there was no more XML... News articles and notes at https://lnkd.in/geG2NWyP https://lnkd.in/gffj4Awq

"A proper threat model exposes design-level weaknesses (of which individual vulnerabilities are symptoms) so they can be remediated." This insight from Trail of Bits recent article on their TRAIL methodology perfectly captures why threat modeling deserves more attention. Three things I learned: 1) TRAIL groups components that share trust boundaries into "trust zones" to better visualize security controls. 2) It's good to create both lightweight threat models for high-level guidance and comprehensive models for detailed findings. 3) Threat modeling should identify both architecture-level and operational risks throughout the system. What stands out is how TRAIL findings trace the impact of flawed trust assumptions through architectures, potentially eliminating entire classes of vulnerabilities at once. When was the last time your organization performed a comprehensive threat model? What unexpected insights did it reveal? #Cybersecurity #ThreatModeling Link to the Trial of Bits blog post in the comments

Security Leadership Weekly is out! In this issue: ✅ Millions of records are at risk in a breach involving Oracle Cloud, which Oracle denies despite mounting evidence to the contrary ✅ Researchers at North Carolina State University and Yahoo find gaps in several supply chain security frameworks ✅ A new report by Europol highlights growing collaboration between state-sponsored adversaries and criminal threat actors ✅ My SANS Institute colleague 🛡🏭 Dean Parsons 🏭🛡kicks off a blog series on securing ICS/OT in pharma and healthcare ✅ Trail of Bits publishes details about its TRAIL threat modeling methodology #securityleadership #cybersecurity #infosec #infosecurity #securitymanagement #ciso #cso #supplychainsecurity #supplychain #apt #oraclecloud #oraclebreach #databreach #incident #sans #threatmodeling #cybercrime SANS Security Leadership

I had the pleasure of chatting with Mike Shema and Kalyani Pawar on this week’s episode of Application Security Weekly (ep. 323) 😄🎉 You can listen here: https://lnkd.in/ehA3Wsav Or you can watch here: https://lnkd.in/eNSnbd3W And you can read my blog post here: https://lnkd.in/ezQSphy2

Catch Security Risks Early and Stay Ahead Imagine identifying hidden vulnerabilities early, streamlining development, and avoiding costly setbacks. A security design review provides immediate feedback, reduces costs, and builds a secure foundation from the start. Join Trail of Bits experts for key insights and a live Q&A. 📅 Happening tomorrow – register now: https://buff.ly/7TzriBt