Posts

Anthropic Cybersecurity Skills: 754 AI Agent Security Skills Mapped to 5 MITRE & NIST Frameworks

This open-source repository describes itself as the largest library of structured cybersecurity skills for AI agents: 754 production-grade skills across 26 security domains. Each skill is mapped to six industry frameworks (MITRE ATT&CK v19.1, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework, F3), which makes the collection usable as a cross-framework knowledge base. Built on the agentskills.io standard, the skills encode practitioner workflows as step-by-step procedures so that agents such as Claude Code, GitHub Copilot, and Cursor can carry out tasks like threat hunting, malware analysis, and incident response. The library is organised for progressive disclosure: an agent can search the whole catalogue cheaply and load a skill's detailed guidance only when it is needed. It is a community project, Apache 2.0 licensed, actively maintained, and open to contributions.  https://github.com/mukul975/Anthropic-Cybersecurity-Skills

OWASP AI Security Verification Standard (AISVS)

The OWASP Artificial Intelligence Security Verification Standard (AISVS) is a community-driven catalogue of testable security requirements for AI-enabled systems, modeled after the OWASP ASVS. It provides a structured framework for developers, architects, security engineers, and auditors to design, build, test, and verify AI application security across the lifecycle. Version 1.0 includes 12 requirement chapters covering training data integrity, input validation, model lifecycle, infrastructure, access control, supply chain, model behavior, vector databases, agentic orchestration, MCP security, adversarial robustness, and monitoring. It uses three verification levels (1-3) based on risk and complements other standards like NIST AI RMF and ISO/IEC 42001 by providing technical controls. Each requirement is verifiable, testable, and implementable, with a stable versioning system and community contributions welcome.  https://github.com/OWASP/AISVS

RHC Protocol Core - Randomized Header Channel for CSRF Protection

The RHC (Randomized Header Channel) Protocol is an OWASP project that introduces dynamic entropy into HTTP headers to protect the integrity of the communication channel, addressing a new class of attack called Flow Channel Hijacking (FCHA). Unlike traditional CSRF tokens or session validation, RHC operates at the Communication Integrity Layer (CIL) to verify that the communication flow itself is legitimate and non-replicable, rather than just validating identity or individual requests. It uses randomized header selection, variable-length tokens, and decoy headers across four progressive implementation levels (Basic to Dynamic Adaptive). RHC is designed for programmatic HTTP clients (fetch, APIs, microservices, agent workflows), not standard HTML form submissions, and complements existing security controls like TLS, OAuth, and CSRF tokens. The project includes PoC implementations, an entropy analyzer, academic publications, and aims to mitigate automated attacks, replay attacks, and cha...

Meta AI Agent Account Takeover: The Risk of Missing Authorization in Agentic Workflows

This blog post from AI Village examines how missing authorization in AI agent tool-calling workflows can turn normal support actions (like email changes) into account takeover paths. The core issue is not LLM manipulation, but the absence of an authorization boundary between the user, the agent, and privileged tools. It presents three common design patterns: 1) Agent initiates but does not perform mutations (reduces direct risk but can still be abused for harassment); 2) Privileged tools require separate verification (stronger, but verification flows can still be abused); 3) A policy layer sits between agent and tools (cleanest, with centralized enforcement). The post introduces a "Maze Design" pattern with multiple security gates (intent classification, identity verification, ownership, policy, rate limiting, step-up verification) to force controlled execution paths. It emphasizes that this is a classic IAM problem amplified by agents, and advises assessing where agents can ...
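The third pattern (a policy layer between the agent and its tools) and the gated "maze" path, as an added example that is not code from the AI Village post: a small Python policy layer that every agent tool call must pass through, applying the six gates the post names in sequence to an email-change request. The tool names and argument sets, the account store, the time limits, the gate order and the scenario data are assumptions constructed for illustration.

```python
"""Added example (not the post's code): a policy layer between an LLM agent
and privileged account tools.  Tool names, gate order, limits and the account
store are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

STEP_UP_TTL = 300     # seconds a step-up check (e.g. OTP) stays fresh; assumption
RATE_LIMIT = 3        # privileged mutations per user per window; assumption
RATE_WINDOW = 3600

# Closed allow-list of tools the agent may request, with their exact argument sets.
TOOL_ARGS = {
    "change_email": {"account_id", "new_email"},
    "reset_password": {"account_id"},
    "get_order_status": {"account_id"},
}
PRIVILEGED = {"change_email", "reset_password"}


@dataclass
class Session:
    user_id: str
    verified: bool                       # identity verification (login/MFA) done
    step_up_at: Optional[float] = None   # time of the last step-up check, if any


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyLayer:
    """Every tool call goes through authorize(); the agent never reaches a tool directly."""

    def __init__(self, accounts):
        self.accounts = accounts                 # account_id -> {"owner", "email"}
        self._mutations = defaultdict(list)      # user_id -> times of allowed mutations

    def authorize(self, session, tool, args, now):
        # Gate 1: intent - unknown tools or extra/missing arguments are rejected outright.
        if tool not in TOOL_ARGS or set(args) != TOOL_ARGS[tool]:
            return Decision(False, "unknown tool or unexpected arguments")
        if tool not in PRIVILEGED:
            return Decision(True, "read-only tool")
        # Gate 2: identity - the caller must be an authenticated user, not an anonymous chat.
        if not session.verified:
            return Decision(False, "identity not verified")
        # Gate 3: ownership - the target account must belong to the caller, whatever
        # the agent was persuaded to ask for.
        acct = self.accounts.get(args["account_id"])
        if acct is None or acct["owner"] != session.user_id:
            return Decision(False, "caller does not own target account")
        # Gate 4: policy - a business rule on the mutation itself.
        if tool == "change_email" and args["new_email"] == acct["email"]:
            return Decision(False, "policy: new email equals current email")
        # Gate 5: rate limit - bound how many mutations one user can drive per window.
        recent = [t for t in self._mutations[session.user_id] if now - t < RATE_WINDOW]
        if len(recent) >= RATE_LIMIT:
            return Decision(False, "rate limit exceeded")
        # Gate 6: step-up - a fresh second-factor check is required before a mutation.
        if session.step_up_at is None or now - session.step_up_at > STEP_UP_TTL:
            return Decision(False, "step-up verification required")
        self._mutations[session.user_id] = recent + [now]
        return Decision(True, "all gates passed")

    def run_tool(self, session, tool, args, now):
        """Execute the tool only after authorize() allows it; returns the decision."""
        decision = self.authorize(session, tool, args, now)
        if decision.allowed and tool == "change_email":
            self.accounts[args["account_id"]]["email"] = args["new_email"]
        return decision


def demo():
    """Constructed scenario: Mallory tries to take over Alice's account through the agent."""
    accounts = {"acct-1": {"owner": "u-alice", "email": "alice@example.com"}}
    layer = PolicyLayer(accounts)
    t = 1_000_000.0
    mallory = Session("u-mallory", verified=True, step_up_at=t)
    alice = Session("u-alice", verified=True)
    results = {
        "takeover": layer.run_tool(mallory, "change_email",
                                   {"account_id": "acct-1", "new_email": "attacker@example.net"}, t),
        "no_step_up": layer.run_tool(alice, "change_email",
                                     {"account_id": "acct-1", "new_email": "alice.new@example.com"}, t),
    }
    alice.step_up_at = t            # Alice completes a step-up check
    results["legit"] = layer.run_tool(alice, "change_email",
                                      {"account_id": "acct-1", "new_email": "alice.new@example.com"}, t)
    results["email_after"] = accounts["acct-1"]["email"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the layout is that the ownership and step-up decisions are taken from the authenticated session and the account store, never from anything the agent passes along, so a manipulated or simply mistaken agent can at most trigger a denial. The rate limiter counts only mutations that were allowed; in a real deployment the denials are the events worth alerting on.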

AI Security Hub - Comprehensive AI Security Resource

AI Security Hub is a comprehensive, community-driven resource for AI security, structured as the "PayloadsAllTheThings + SecLists + OWASP Cheat Sheets" of the AI security world. It includes: payload collections (prompt injection, jailbreaks, RAG, agent, MCP attacks); cheat sheets (attack taxonomy, detection, hardening); hands-on security labs (including DVAP, a deliberately vulnerable AI platform); security tools (Garak, PyRIT, NeMo Guardrails, etc.); CTF challenges; learning paths from beginner to expert; and a curated research database. It covers AI attack surfaces including prompt injection, RAG security, agent security, and MCP security. The hub is designed for educational and authorized security research, with a focus on practical, actionable resources for red teaming and defense.  https://github.com/sonuoffsec/AI-Security-Hub

CVE Lite CLI - Fast, developer-friendly JS/TS dependency vulnerability scanner

CVE Lite CLI is an OWASP Lab Project that provides a fast, local-first dependency vulnerability scanner for JavaScript and TypeScript projects. It scans lockfiles (npm, pnpm, Yarn, Bun), matches against OSV advisory data, and produces concrete, copy-and-run remediation commands for direct and transitive vulnerabilities. Key features include: parent-aware transitive guidance; --fix mode that applies validated fixes and rescans; an overrides hygiene audit for stale pins; offline advisory DB; usage-aware reachability filtering; and outputs including JSON, SARIF, HTML reports, and SBOMs. It is free, requires no account, runs locally with no code leaving the machine, and has minimal dependencies. The tool focuses on actionable remediation, fitting naturally into developer workflows before code is pushed.  https://github.com/OWASP/cve-lite-cli
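As an added illustration of the scanning idea, not CVE Lite CLI's own code or output: a Python sketch that reads a package-lock.json (lockfileVersion 3), matches each installed version against advisory ranges written in OSV's introduced/fixed event shape, and for a transitive hit walks the lockfile's dependency graph back to the direct dependency that pulls the package in, so the remediation names something the developer actually controls. The lockfile, the package names and the advisory ids below are constructed for the example; they are not real packages or real vulnerabilities.

```python
"""Added example (not CVE Lite CLI's code): parent-aware lockfile scanning.
The lockfile, package names and advisories are constructed; advisory ids are
placeholders, not real CVEs."""
import json

# Constructed package-lock.json (lockfileVersion 3) with fictional package names.
LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"example-http": "^2.0.0", "example-util": "^1.2.0"}},
    "node_modules/example-http": {"version": "2.3.1",
                                  "dependencies": {"example-parser": "^0.9.0"}},
    "node_modules/example-parser": {"version": "0.9.4"},
    "node_modules/example-util": {"version": "1.2.5"}
  }
}""")

# Constructed advisories in OSV's range-event shape: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "example-parser",
     "events": [{"introduced": "0.0.0"}, {"fixed": "0.9.6"}]},
    {"id": "EXAMPLE-0002", "package": "example-util",
     "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.0"}]},
]


def parse_version(v):
    """x.y.z -> comparable tuple; a pre-release suffix is ignored for brevity."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def is_affected(version, events):
    """True if version lies in [introduced, fixed) for a single OSV-style range."""
    ver = parse_version(version)
    introduced = fixed = None
    for e in events:
        if "introduced" in e:
            introduced = parse_version(e["introduced"])
        if "fixed" in e:
            fixed = parse_version(e["fixed"])
    return introduced is not None and ver >= introduced and (fixed is None or ver < fixed)


def resolve(packages, from_path, name):
    """Mimic Node's lookup: nearest nested node_modules first, then walk up to the root."""
    path = from_path
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        path = path.rsplit("/node_modules/", 1)[0] if "/node_modules/" in path else ""


def build_parents(packages):
    """Map each installed package path to the package paths that depend on it ('' = root)."""
    parents = {}
    for path, meta in packages.items():
        for dep in meta.get("dependencies", {}):
            child = resolve(packages, path, dep)
            if child is not None:
                parents.setdefault(child, []).append(path)
    return parents


def chain_to_root(parents, path):
    """Follow first-recorded parents upward until a direct dependency of the root is reached."""
    chain, seen = [path], {path}
    while parents.get(chain[0], [""])[0] != "":
        parent = parents[chain[0]][0]
        if parent in seen:          # guard against dependency cycles
            break
        seen.add(parent)
        chain.insert(0, parent)
    return chain


def scan(lockfile, advisories):
    """Findings whose remediation targets the direct dependency the developer controls."""
    packages = lockfile["packages"]
    parents = build_parents(packages)
    findings = []
    for path, meta in packages.items():
        if not path:                # skip the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[1]
        for adv in advisories:
            if adv["package"] != name or not is_affected(meta["version"], adv["events"]):
                continue
            chain = [p.rsplit("node_modules/", 1)[1] for p in chain_to_root(parents, path)]
            fixed = next((e["fixed"] for e in adv["events"] if "fixed" in e), None)
            if len(chain) == 1:
                fix = f"npm install {name}@{fixed}"
            else:
                fix = (f"update {chain[0]} to a release that requires {name}>={fixed}, "
                       f"or pin {name} to >={fixed} with an npm override")
            findings.append({"id": adv["id"], "package": name, "version": meta["version"],
                             "direct": len(chain) == 1, "chain": chain, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        print(f"{f['id']} {f['package']}@{f['version']} via {' > '.join(f['chain'])}: {f['fix']}")
```

Only the hoisted example-parser is reported; example-util 1.2.5 sits past the advisory's fixed version, which is why a range match rather than a name match matters. Whether an upgrade or an override is the right fix is exactly where a real scanner's overrides hygiene audit earns its keep: a pin added today becomes stale once the parent ships its own fix.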

Controlled Agency | Issue 10: The Hidden Cost of AI

This essay explores the concern that AI, by automating tasks and removing inefficiency, may inadvertently eliminate the repetitive, mistake-filled apprenticeship that has traditionally built human expertise. The author argues that expertise is formed through accumulated error—debugging broken code, triaging false positives, writing bad drafts—and that AI's ability to bypass this struggle risks creating a generation that can produce output but lacks the judgment to evaluate it. The piece frames this as a critical governance challenge: as AI takes more action, humans may lose the opportunities to develop the intuition needed to supervise it, making the preservation of learning conditions as important as controlling the technology itself.  https://arksher.substack.com/p/controlled-agency-issue-10-the-hidden