Levi Schuck

@[email protected]
77 Followers
515 Following
197 Posts
Platform engineering manager, goes to DEFCON, proposing and guiding security policies like a wanna be CISO. Also interested in cryptography
Sitehttps://levischuck.com
Levi SchuckFeb 16, 2024

PCI DSS V4 has new requirements to prevent web skimming on payment pages. Here is how I am tackling that requirement with content security policies and subresource integrity.

#blog #security #pci #creditcard #web #browser #infosec

https://levischuck.com/blog/2024-02-content-security-policies-cloudfront-aws-single-page-apps

Protecting Single Page Applications from Web Skimming on Amazon CloudFront - Levi's Blog

PCI DSS V4 has new requirements to prevent web skimming on payment pages. Here is how I am tackling that requirement with content security policies and subresource integrity.

Levi SchuckAug 10, 2023
This is the most aggressive "Apple TV" I've ever seen. It goes and puts up a new invite when I'm editing a previous picture.
Levi SchuckJan 10, 2023
Today I found out about https://observatory.mozilla.org/ and took the time to tune some headers. My website is quite light weight so this was easy to do.
Mozilla Observatory

The Mozilla Observatory is a project designed to help developers, system administrators, and security professionals configure their sites safely and securely.

Levi SchuckNov 21, 2022

Read an interesting paper about secure coding with AI code assistants.

The paper is at https://arxiv.org/abs/2211.03622

This part definitely stood out to me. Naturally with a system that takes English prompts, non-native English speakers appear to struggle with prompting for more secure code.

Q1 is encrypting and decrypting, Q3 is safe directory traversal.

In general this paper suggests that AI code assistants are prone to producing insecure code across a variety of contexts and inexperienced developers are more likely to put faith in the assistant. While those who put less faith in the assistant were more likely to produce secure code.

One participant comment read: "I hope this gets deployed. It's like Stack Overflow but better because it never tells you your question was dumb." - - It sounds like we need to do a lot better here too in community answers, that sounds like gate keeping.

Do Users Write More Insecure Code with AI Assistants?

We conduct the first large-scale user study examining how users interact with an AI Code assistant to solve a variety of security related tasks across different programming languages. Overall, we find that participants who had access to an AI assistant based on OpenAI's codex-davinci-002 model wrote significantly less secure code than those without access. Additionally, participants with access to an AI assistant were more likely to believe they wrote secure code than those without access to the AI assistant. Furthermore, we find that participants who trusted the AI less and engaged more with the language and format of their prompts (e.g. re-phrasing, adjusting temperature) provided code with fewer security vulnerabilities. Finally, in order to better inform the design of future AI-based Code assistants, we provide an in-depth analysis of participants' language and interaction behavior, as well as release our user interface as an instrument to conduct similar studies in the future.

arXiv.org