Scott Norberg’s Post

If you want to know why #ChatGPT and other #chatbots are being overhyped right now, and don't mind reading an opinion from someone who is a bit crass and condescending, I think this sums up the hype problem right now. https://lnkd.in/gKKTunCH

When it comes to #ChatGPT and other #chatbots, it looks like we're moving past the Peak of Inflated Expectations and are headed towards the Trough of Disillusionment. I've seen several articles in the past week pushing back against the hype around the technology, by far the most thorough one is this one: https://lnkd.in/gN4Cftra I've been pushing back on the hype around chatbots for a year now, and for good reason - I do think that the technology has limitations that have been overlooked until recently. With that said, I'm not abandoning it - despite the fact that it has challenges I do think that we'll figure out *good* uses for it. Two examples that work for me: I've found ChatGPT to be helpful with brainstorming and for giving me a start on something when I don't know where to begin. (More information about the hype cycle I referenced: https://lnkd.in/gA3pgpJm)

Microsoft is now factoring #cybersecurity efforts into pay? The optimist in me thinks that this might finally make a difference in fixing some of the annoyances I have with default settings in #Azure and #AspNetCore. The pessimist in me thinks that this will lead to individual employees and executives chasing nominal improvements to existing security issues without changing some of the problematic, core fundamental assumptions that I see. It'll be interesting to see how this plays out. https://lnkd.in/gdZDZSBn

I find it odd (and discouraging) that this article states that the concept of #agile development is "confusing because it's rarely clear exactly how to put agile into practice" and "Perhaps we need a new 'Agile Manifesto' — or an addendum to the original one — that includes concrete examples of what counts as agile." Both of these seem to miss the point of agile, which pushes for "individuals and interactions over processes and tools" and "responding to change over following a plan". Yes, these are vague and force you to think for yourself, but shouldn't we all be thinking for ourselves? https://lnkd.in/ge-C8fsH

Well, I passed the exam. It took a while to get the official certification, but I now have the Certified Cloud Security Professional (CCSP) cert from ISC2.

I've decided to make my source code security scanner (#SAST) for #dotnetcore open source. I really do think that it's close to, if not already, the best scanner out there for .NET if you want to find vulnerabilities without a large number of false positives. Give it a try! If you don't agree that it's the best scanner out there, let me know what needs to be improved (besides the UI - I was going for functional, not pretty for v1). Because the scanner uses the .NET Compiler Platform (Roslyn), I can perform a much deeper analysis than any other scanner can. Check it out! https://lnkd.in/guCvDPWy

Be careful what files you load from GitHub. https://lnkd.in/gbmn8-wA

I've generally been skeptical about the idea of using #chatbots and #AI to generate #malware that can exploit systems. The primary reason for this is that chatbots are great at synthesizing data, but not creating new ways to use that data (i.e. generate exploits that haven't been accounted for yet). I didn't think of the possibility of synthesizing publicly-available CVE information to exploit brand new vulnerabilities. Apparently I should have. https://lnkd.in/gwq5Wsma

I don't disagree with any of the below, but I'd like to add one thought: We cannot continue to expect tools to solve problems for us. Running a SAST scan doesn't eliminate the need for source code review. Running a DAST scan doesn't eliminate the need to do a manual penetration test. Buying an ASPM tool doesn't eliminate the need to define a process by which you manage vulnerabilities, track fixes, and find teams who are not fixing issues. Just like a hammer won't drive in a nail by itself, no security tool will solve a problem on its own.