Episode 81 with Diana Kelly
In episode 81 of the We Hack Purple Podcast host Tanya Janca spoke to Diana Kelly, Chief Information Security Officer (CISO) at Protect AI. Diana and Tanya worked together at Microsoft, and to say that Diana is a pillar of the information security industry is somewhat of an understatement. Together they discussed problems with Large Language Models (LLMs) ingesting crappy code, and bad licenses, the OSSF (and it’s goodness), and that sometimes people don’t even realize they are breaking software licences when they use what an LLM has produced.
We discussed the fact that if a CVE comes out for a library an LLM gave you, but it didn’t identify it with the correct name of the library, you wouldn’t receive notifications about it. She clarified how ML pipelines are set up, how data scientists work, with insecure juniper laptops all over the place (perhaps a generalization on my part). We discussed how data science seems to be a topic a lot of CISOs are pretending aren’t in their domain to protect, but both of us agreed that is not so. They have some of the most valuable data your organization can possess.
We also covered best practices for securing MLSec, the OWASP Top Ten for LLMs, and the new free community her company has started MLSECOPS. She also released an update version of her book, Practical Cyber Security Architecture!
- Diana on LinkedIn
https://www.wicys.org/. (of course!)
OSS Jupyter Notebook scanner here: https://nbdefense.ai/
- Her book https://www.packtpub.com/product/practical-cybersecurity-architecture-second-edition/9781837637164
Her extensive volunteer work has included serving on the ACM Ethics & Plagiarism Committee, Cybersecurity Committee Advisor at CompTIA, CTO and Board Member at Sightline Security, Advisory Board Chair at WOPLLI Technologies, Advisory Council member Bartlett College of Science and Mathematics, Bridgewater State University, and RSAC US Program Committee.
She is a sought-after keynote speaker, the host of BrightTALK’s The (Security) Balancing Act, co-author of the books Practical Cybersecurity Architecture and Cryptographic Libraries for Developers, has been a lecturer at Boston College’s Masters program in cybersecurity, the EWF 2020 Executive of the Year and EWF Conference Chair 2021-2023, an SCMedia Power Player, and one of Cybersecurity Ventures 100 Fascinating Females Fighting Cybercrime.
Very special thanks to our sponsor!
Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.
Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Check out Semgrep Code HERE
Join We Hack Purple!
Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community, A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!