Posts

Prosus Cyber Xchange

Prosus Cyber Xchange is a GitHub organization that serves as a hub for tools and resources developed by the security teams across the Prosus group. It hosts a mix of open-source projects and internal tools. The organization's public repositories currently focus on data privacy and security, featuring a REST API service and embeddable Go library for PII (Personally Identifiable Information) detection and anonymization, along with a "Cyber Champion" initiative to promote secure development practices. https://github.com/Prosus-Cyber-Xchange

Langfuse: Open Source LLM Engineering Platform

Langfuse is an open-source platform for building, monitoring, and improving AI applications that use large language models. It provides a complete set of tools including observability to track LLM calls and application logic, centralised prompt management with version control, flexible evaluation methods (including LLM-as-a-judge and user feedback), dataset management for testing and benchmarks, and an interactive playground for quick iteration. The platform integrates seamlessly with popular frameworks like LangChain, LlamaIndex, OpenAI SDK, LiteLLM, and many others. It can be used as a managed cloud service with a free tier or self-hosted on your own infrastructure via Docker, Kubernetes, or virtual machines. Langfuse is MIT-licensed, battle-tested, and widely adopted by the open-source community. https://github.com/langfuse/langfuse

CUGA: Configurable Generalist Agent Harness for the Enterprise

CUGA is an open-source, state-of-the-art generalist agent harness designed for building and deploying enterprise-grade AI agents. It provides a modular and configurable framework to handle complex tasks across web and APIs, integrating tools via OpenAPI, MCP, and LangChain. Key features include flexible reasoning modes (fast/balanced/accurate), a comprehensive policy system with human-in-the-loop controls, built-in knowledge (RAG) and memory, multi-agent orchestration via a supervisor, and agent skills for reusable workflows. CUGA supports self-hosting on Kubernetes and offers both a UI for management and a Python SDK for programmatic use. It is benchmarked as #1 on AppWorld and WebArena, making it a high-performance, enterprise-ready foundation for building custom domain-specific agents. https://github.com/cuga-project/cuga-agent

Anthropic Cybersecurity Skills: 754 AI Agent Security Skills Mapped to 5 MITRE & NIST Frameworks

This open-source repository provides the largest library of structured cybersecurity skills for AI agents, containing 754 production-grade skills across 26 security domains. Each skill is mapped to six industry frameworks (MITRE ATT&CK v19.1, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3)), making it a unique cross-framework knowledge base. Built on the agentskills.io standard, these skills encode real practitioner workflows, enabling AI agents like Claude Code, GitHub Copilot, and Cursor to perform expert-level tasks such as threat hunting, malware analysis, and incident response by following step-by-step procedures. The library is designed for progressive disclosure, allowing agents to search all skills efficiently and load detailed guidance as needed. It is a community project, Apache 2.0 licensed, and actively maintained with contributions welcome. https://github.com/mukul975/Anthropic-Cybersecurity-Skills

OWASP AI Security Verification Standard (AISVS)

The OWASP Artificial Intelligence Security Verification Standard (AISVS) is a community-driven catalogue of testable security requirements for AI-enabled systems, modeled after the OWASP ASVS. It provides a structured framework for developers, architects, security engineers, and auditors to design, build, test, and verify AI application security across the lifecycle. Version 1.0 includes 12 requirement chapters covering training data integrity, input validation, model lifecycle, infrastructure, access control, supply chain, model behavior, vector databases, agentic orchestration, MCP security, adversarial robustness, and monitoring. It uses three verification levels (1-3) based on risk and complements other standards like NIST AI RMF and ISO/IEC 42001 by providing technical controls. Each requirement is verifiable, testable, and implementable, with a stable versioning system and community contributions welcome. https://github.com/OWASP/AISVS

RHC Protocol Core - Randomized Header Channel for CSRF Protection

The RHC (Randomized Header Channel) Protocol is an OWASP project that introduces dynamic entropy into HTTP headers to protect the integrity of the communication channel, addressing a new class of attack called Flow Channel Hijacking (FCHA). Unlike traditional CSRF tokens or session validation, RHC operates at the Communication Integrity Layer (CIL) to verify that the communication flow itself is legitimate and non-replicable, rather than just validating identity or individual requests. It uses randomized header selection, variable-length tokens, and decoy headers across four progressive implementation levels (Basic to Dynamic Adaptive). RHC is designed for programmatic HTTP clients (fetch, APIs, microservices, agent workflows), not standard HTML form submissions, and complements existing security controls like TLS, OAuth, and CSRF tokens. The project includes PoC implementations, an entropy analyzer, academic publications, and aims to mitigate automated attacks, replay attacks, and cha...

Meta AI Agent Account Takeover: The Risk of Missing Authorization in Agentic Workflows

This blog post from AI Village examines how missing authorization in AI agent tool-calling workflows can turn normal support actions (like email changes) into account takeover paths. The core issue is not LLM manipulation, but the absence of an authorization boundary between the user, the agent, and privileged tools. It presents three common design patterns: 1) Agent initiates but does not perform mutations (reduces direct risk but can still be abused for harassment); 2) Privileged tools require separate verification (stronger, but verification flows can still be abused); 3) A policy layer sits between agent and tools (cleanest, with centralized enforcement). The post introduces a "Maze Design" pattern with multiple security gates (intent classification, identity verification, ownership, policy, rate limiting, step-up verification) to force controlled execution paths. It emphasizes that this is a classic IAM problem amplified by agents, and advises assessing where agents can ...