Open-Source Security Frameworks w/ OWASP Board Member Sam Stepanyan
If you work in application security, you’re probably familiar with the OWASP Top 10. But open-source frameworks like those maintained by OWASP members have a lot to offer security practitioners. In this episode, Netacea CISO Andy Ash meets OWASP Global Board Member and London Chapter Leader Sam Stepanyan to find out how Sam got involved with OWASP, and the influence it has on the security world.
The duo is also joined by Netacea’s Cyril Noel-Tagoe, who is a core contributor to the BLADE Framework, an open-source project focused on defining business logic attack tactics and techniques.
Host: Andrew Ash
Guests: Sam Stepanyan, Cyril Noel-Tagoe
Episode Transcript
Andrew Ash: Hello and thanks for tuning in to the Cybersecurity Sessions podcast season three from Netacea. I'm your host, Andy Ash, CTO at Netacea, and this season we've decided to invite peers from the world of cybersecurity to join us and discuss the issues that are affecting them and the cyber industry. Today, I am once again privileged to be joined by two guests.
First is my colleague at Netacea and the former host of the podcast and certainly a friend of the podcast, Cyril Noel-Tagoe, who is our senior threat researcher. Cyril, do you just want to say hi?
Cyril Noel-Tagoe: Sure. Hi everyone, it's good to be back. It's been a while.
Andrew Ash: Next, I'm delighted to welcome Sam Stepanyan, an application security architect who is a Global Board Member for OWASP and the OWASP London Chapter lead.
Sam, do you just want to say a little bit about yourself?
Sam Stepanyan: Yes, thank you very much for having me. Great to be here.
Andrew Ash: Oh, you're very welcome. So today we wanted to talk about a few different things. Obviously, we've got Sam here from OWASP, with a wealth of experience and knowledge around that organization.
So, we wanted to talk about why OWASP is highly relevant, not just the top 10 that I think we all know, how Sam got involved in OWASP and how it shapes other aspects of your career, because that's really interesting to me. And then we want to touch on the BLADE Framework, which is a framework that Cyril has worked extensively on, and just look at how we have tried at Netacea along with peers in the industry to standardize and talk about business logic attacks. However, as ever, we'll ask the opening question. Now, Sam, I'm gonna ask you this. Most people are on the fence when it comes to the answer. So, I'm not necessarily looking for an extreme answer, but let's find out.
So, on a scale of one to ten, what is the logical endgame for AI in human society? One being we succumb to our robot overlords and enter an age of servitude. And ten being humanity is freed from the shackles of Earth; it goes off to explore the universe in peace.
Sam Stepanyan: Wonderful question. I think a lot of people are asking me this, but look, judging from the current state of AI, right, I'm still sat on the fence. So, I will probably be on six or seven on that scale, to be honest, for various reasons. I've experienced different types of AI engines, and I think at the moment most people judge AI simply by looking at large language models, because that seems to be like 99 percent of things referred to as AI, but because I had experience with other types of AI, yeah, that's kind of the reason for my answer.
And actually, to provide some interesting context to it, I was recently invited to IBM headquarters in London, along with a whole bunch of other specialists in application security and DevSecOps, and we were treated to a session of the Boston Dynamics robot dog, Spot the dog.
So, having this, I want to call it a creature, right? But it was a robot, right? Walking in a crowd of, I think, probably about 20 people, 20 experts, having it demonstrated and understanding how it works and what kind of sensors it's using. I think that put a lot of things into perspective for me in terms of AI. It's one thing when you type things on a computer and you get ChatGPT providing you with an answer, completely different when you see a working robot right next to you, which is looking at you with this webcam, AI…
Andrew Ash: I think, I mean, that's fascinating. I have actually seen one of those; they had one in the city center of Manchester, just walking about with its handler. And my immediate reaction was, if it had a way of delivering emergency aid in a natural disaster, what a wonderful invention. However, if it had a machine gun strapped to its back, it'd be terrifying, absolutely terrifying. So, it's all about the use, right? It's all about the context and the use you're putting these new technologies to. They are incredible machines.
Sam Stepanyan: It's unbelievable. And then I experienced another side of AI, because when I was in San Francisco a couple of months ago, at the OWASP Global AppSec San Francisco conference, I took a ride in an AI-driven taxi, a driverless car called Waymo.
It was absolutely incredible. And I had to record a video, because a lot of my colleagues were saying, Sam, were you not scared for your life? You're trusting your life to a computer. And to be honest, it was very weird and futuristic, because I was sat in the back seat and there's a touch screen with a button saying, “Start ride”. So, you touch this button, and the car just starts driving, and you can see the steering wheel moving left and right, and I'm like, it's just so scary at the beginning, but it was the best ride of my life, because I realized that the AI is actually handling the task of driving very well, much better than a human.
And then I realized, because I saw a lot of people on the streets of San Francisco taking these driverless cars, and then I found out that they're really popular because, for example, if we talk about other taxi services like Uber or Lyft, there are a lot of complaints that the drivers are not usually very good, because people who take these jobs are not particularly good drivers. And that's why a lot of people prefer these Waymos, or the AI-driven taxis, because the ride is so smooth and you feel very safe. In the 40 minutes that I was driven in that taxi, I felt very safe, much safer than with a human driver.
Andrew Ash: I was in San Francisco this year, and I couldn't actually get on the app. There was a waiting list for the app, so I don't know whether that's changed.
Sam Stepanyan: Andrew, it's a hacker mentality, right? So, there was a problem, because the app only takes US-issued credit cards, right? And I thought, okay, that's an obstacle. You probably hit exactly the same problem. But then I realized that that's how I managed to use the app, call the taxi, and yeah, it came up. I pushed the button in the app, it opened the doors, I sat inside, the doors locked, and there was a big button inside saying, “Start ride”. And this is how the journey started.
Andrew Ash: I might actually bear that in mind for my next trip. But yeah, I was desperate to have a go. I know our CEO and CFO both got in one together, which, there's risk there with both of them, but they both survived the experience. So that's good. Wonderful. Thanks for that. That's really good insight, actually. The Boston Dynamics piece is absolutely fascinating. I think you're probably quite lucky to get that kind of demo up close, because we see this on newsreels, on LinkedIn, etc. and it's only when you actually see it that it hits home that this is very real.
Sam Stepanyan: Exactly. Similarly with the taxi, right? I watched probably over 10 videos of people taking these driverless taxi rides. So, I kind of knew what to expect, but still, when you get inside and you see that steering wheel moving all by itself, the car just driving and braking and avoiding pedestrians and cyclists and some buses and the crazy motorbike riders in San Francisco, then you say, wow. That's a different type of AI.
Andrew Ash: Yeah, absolutely. Absolutely. So, let's move on to our first topic. So, Sam, you're massively involved in OWASP operationally as a global board member and as the London chapter leader, which is not a small chapter, I know that. How did you first get involved with OWASP?
Sam Stepanyan: Oh, that's an interesting story, because my journey to OWASP started almost 20 years ago, in 2005. I was a software developer originally; I come from a development background. And I came across OWASP just like probably a lot of people around that time, because of regulation, because of PCI DSS. I was working with a team of developers and designers, and we were working on an e-commerce project. And then, to my horror, I discovered that on this project the team was working on, they were storing credit card numbers unencrypted in a database. And then I saw an article, I think it was in Computer Weekly magazine back in the day, which said, oh, there's this new piece of regulation coming called the Payment Card Industry Data Security Standard, or PCI DSS, and everyone taking credit card numbers online has to comply with it.
And then I got hold of that standard, downloaded the PDF, and there was a requirement there to make sure that the code is reviewed for security, to make sure that it's free from OWASP top 10 vulnerabilities. I'm like, what is this OWASP top 10? So, there was a hyperlink there, so I clicked on it, and that's how I got hooked. I didn't know in 2005 that there was already an OWASP London chapter, which was actually started in 2004. I only discovered it in 2007, again by just clicking around on some findings on Google, and there was a mailing list mentioning that there's actually an OWASP London chapter and they have regular meetings, some of which happened in the pub and some of which happened in the offices of different organizations all around central London. So yeah, I just clicked and joined and turned up at one of the meetings, and I really loved what I saw, because I could see that there were quite a few like-minded people like myself, mostly people who came from a development background, but there were some people who were security engineers, who were penetration testers, and they had some really engaging speakers, great talks, and they also had pizza and beer.
And there you go. I became an attendee. I was actively attending, asking questions, so I was learning a lot. And then one day, the then chapter leader approached me and another very active participant in OWASP, a guy called Sherif Mansour, and said, hey guys, I'm moving away from the UK, relocating, would you be willing to take over the chapter and continue running it, because obviously it would be good to make sure that it's still there. And we said yes, we agreed. And that's how we became chapter leaders and then started growing it. And yeah, I think now it's probably one of the top chapters in the world in terms of the number of people attending, the number of people watching our live streams and our recorded talks online as well. So yeah, we continue to grow. Actually, we hit a very interesting problem. We've run out of companies with office space big enough to host this many people because…
Andrew Ash: I remember that, because yeah, that is pretty big, and there are some big companies in London. Because basically PCI was your intro into security. I think that anybody who's working in e-commerce, anybody who's working with any kind of payments, that tends to be the first bite you take into security, just because it's mandated if you're transacting or processing or doing anything with credit cards online. Did you ever go to any of the RANT meetups?
Sam Stepanyan: Of course I did. Yes. Because that was very much pizza and beer, but obviously it didn't quite take off in the same way that I wanted. Yeah, and to be honest the consensus at RANT, as I remember… There weren't that many talks around application security, to be honest. But it was still, I think, absolutely a great community to work with, to talk to people who are on the compliance side of things, and obviously me being on the engineering side of things, let's see how we can get together to solve all the challenges which are ongoing right now. We still haven't fixed the security issue, and there's new regulation coming, and the number of vulnerabilities and data breaches keeps increasing.
Andrew Ash: Surely does. So probably a good idea to jump into… I mean most security professionals will know OWASP, and they'll know OWASP Top 10 from such compliance as PCI, and you have to be able to adhere to the standards set and be able to prove that. But I guess not everybody knows the full breadth of OWASP, and what would be really good is if you can give us an overview of what OWASP is, what's its mission, and the bits that we probably don't know. I think that's the most important bit.
Sam Stepanyan: Yeah, sure. So first of all, for those people who don't know, OWASP originally stood for Open Web Application Security Project. This is how it was created. It was originally created in 2001 as a mailing list, and then as a very basic website, to start to provide some guidelines to developers on how to do secure coding. It was renamed recently, I think almost two years ago now, to Open Worldwide Application Security Project, to highlight the fact that we're no longer web specific. 20 years ago, everyone was talking about web apps, but now it's not just web; no one refers to web as web anymore, right? We have mobile applications, we have cloud applications, we have Internet of Things applications, and most importantly now we have AI applications. And a lot of people keep forgetting that artificial intelligence is also a software application.
So that was the story behind the renaming, so it's now called Open Worldwide Application Security Project, trying to cover all applications. And it is a nonprofit foundation, and it's a charity, actually, in the United States, so if you're a company based in the United States and you donate to or sponsor OWASP, you get the benefit of a tax break as well. So, we're actually a registered educational charity, and obviously our mission is to promote secure software and be the community that promotes secure software development through education, tools, and collaboration.
So that is the organization. Again, back then when I first read the letters OWASP, I thought this was this massive mysterious organization that sets all the standards and guidelines and things like the OWASP Top 10, which was back then absolutely mysterious. But then, when I started going to the OWASP London meetups and then started traveling to the OWASP global conferences, I realized that it's such a cool community, because everyone's a volunteer, right? At OWASP, we only have seven members of staff. Everyone else, including board members, they're all volunteers, people who donate their own personal time to work on this project to create all the standards, guidelines, software tools, and resources, things like videos and cheat sheets, for everyone to be secure and know how to build secure software. And yeah, I figured out this is not some scary organization, it's just a community of amazing people who are all very friendly, and they come from different countries, different backgrounds, and I just fit right in. I really fell in love with the community. And this is the feedback that I'm seeing, a lot of people saying that OWASP is very good at having a closely knit community, even though we are worldwide, and in almost every single country in the world you will find an OWASP chapter, and you will find people working on OWASP projects and guidelines. So, I think the strength of the community and the friendliness of it, and how it welcomes everyone, right? All OWASP meetups worldwide are open to everyone. You just need to be interested in security, and there's no cost to attend; you don't have to have specific knowledge to attend those. They're free and open to everyone, and so are all the projects; everything's free and open source, and people donate their spare time to volunteer to make the world a little bit better for everyone.
Andrew Ash: Yeah, it's that kind of community sharing. Everyone in security, and this has been true of tech forever, we all share the same problems, we're all battling similar adversaries, similar budget constraint, etc. So having people to be able to actually interact with and know that it's not just you and get their input into the things that you're trying to solve or build, is really, really important. So yeah, it's wonderful. Now, in terms of… so Cyril's a very modest guy, but Cyril has done almost every job there is to do in the security field, and you're undoubtedly a practitioner, so Cyril, from your perspective, how much influence does OWASP have across the industry and across your career?
Cyril Noel-Tagoe: Yeah. I mean, I think you said it earlier that everyone in security knows of OWASP, and they might not be able to name exactly what's in the top 10, but they've definitely heard of the OWASP top 10, and they can probably give you the top three out of those, I think. My first introduction to OWASP was back when I was in university. So, I did a computer science degree, so a lot of that's software development. And we had this one module called professional computing, and they were like, if you want to take your career as a software developer, there are some standards that you definitely need to know, and there are standards like ISO 27001, that kind of stuff, and then there's also the OWASP top 10. It's like, oh, what's this? And that almost becomes a checklist for you as you're going through uni. So I think, not just for people in security but in the development space, it's now such an ingrained part of just doing development; you come up being taught it.
Andrew Ash: Yeah, yeah. And in terms of the usage, does it have a lot on threat intelligence, because obviously you're a threat analyst, senior threat analyst, sorry Cyril. Are there any aspects of OWASP that impinge on that, or guidelines for threat?
Cyril Noel-Tagoe: Yeah, definitely. So even just looking at the top 10, right, the top 10 gives you the weaknesses or the vulnerabilities there, but the threats are exploiting those. So, you can't have one without the other. So having that data, also having that as almost a taxonomy and a widely known language helps you to translate what you're seeing to how it actually happens in practice. I think you see it probably a bit more on the application testing and penetration testing space, because they're directly going to the applications and saying these are the problems, but in the intelligence space, there's also that overlap.
Andrew Ash: And Sam, from a product perspective, do you think OWASP is underutilized when we're thinking about how to build applications, systems, infrastructure out? I don't know if it's application based, but basically cloud is infrastructure and application all rolled into one quite often. Is it something that's underutilized in terms of theory and good practice, or when you are speaking to people from your chapter and around the world, is it something that is always encompassed, is it something that is prevalent everywhere?
Sam Stepanyan: I think it's still underutilized. And it's very interesting to hear that Cyril actually had an introduction to OWASP at university, but here actually comes a very important issue that I need to highlight, because the OWASP top 10 is not a standard. The OWASP top 10 is just an awareness document, and this is what we need to understand: that OWASP actually has a standard, and that standard is called ASVS, the Application Security Verification Standard. So, for everyone who actually wants to have a standard, ASVS is the right place that they need to look at. The top 10 was created, well, I can put it as a marketing trick to get the attention of the boards, because when it was created, the creator of the OWASP top 10, Jeff Williams, just came up with this idea because he was so frustrated that people didn't listen about vulnerabilities. It was like, how do we get people's attention? It's like, here are the top 10 things that are the most critical and you should be paying attention to. And that's how it was born. But again, the OWASP top 10 is an awareness document; it's just a place to start if you don't know where to start.
And speaking of OWASP being underutilized, I think the Application Security Verification Standard is the standard that I'm not seeing people using. I know some industries that are using it, for example financial services and regulated industries; they are aware of it and they're using it. And there are lots of other OWASP projects which, for example, help to do security by design, which I think is quite important. I think this is where the underutilization is coming from. A lot of people have just heard about the OWASP top 10, and I hear people saying every time, oh, we're OWASP top 10 compliant. It's like, remember, this is not true; you cannot be compliant with the OWASP top 10, because it is not a compliance standard, and it's not tick boxes. Actually, in the latest OWASP top 10, one of the items is something that you cannot even easily tick the box for with, for example, any vulnerability scanning tool, because it's talking about insecure design being one of the top 10 things you should be concerned about, and you can't tick the box saying, hey, we've done pen testing, our design is secure. No.
So yeah, I believe OWASP is underutilized, and a lot of people are still unaware of the 200+ projects that OWASP has, which are all free and open source, and which can help you in your daily life with how to design and build and test. I invite everyone to basically go and check out all the wonderful projects that we have, and start from things like the flagship projects, which include standards such as ASVS, which is the first OWASP standard. But we now have another, CycloneDX, which has now been accepted as an ECMA standard, so it is an international standard, and we're now looking at a third international standard in AI security, to be accepted into NIST. So the OWASP LLM security standard is coming up as the next candidate to be widely accepted, and if you look at both the EU guidelines on AI and the US NIST guidelines on AI, they're all based on OWASP materials.
Andrew Ash: So, it's interesting, that's a subject that's come up a couple of times on this season of the podcast, which is how do we prove that AI is secure? How do we give people confidence in the solutions that we're building that have generative models in them? And really, it's quite difficult to explain in your own terms when a lot of other disciplines, other areas of technology, do have frameworks and standards in place. Something we're certainly considering for 2025 at Netacea is whether we can align with a standard for our use of machine learning. I believe that customers are going to be coming to us frequently to ask for that going forward. So no, it's an obvious one to do next, right, across the board of standards. So yeah. I was going to ask you, you kind of answered it, but just to dig in: if you were to give anyone advice on how to get started and how to start to build application security, I think you mentioned some of the resources there. Is there a pattern that people generally fall into? Is there any advice you can give someone who is just starting out?
Sam Stepanyan: That's right. Yes, of course. So the OWASP top 10 is there, but projects like OWASP ASVS are another important one, and we also have some tools which can help you start your journey and start from secure design. And there are several projects that you've probably never heard of, so I'm going to highlight some of them. So, one of them is called Security RAT, and it has a logo of a rat, and RAT stands for Security Requirement Automation Tool. So, it is actually a very useful tool which allows you to generate your security requirements. So, this tool has a questionnaire; it will ask you what kind of software you're developing, right? And it will ask you several questions, and then it will generate security requirements for you, and it can even put these requirements in a Jira ticket for you so you can track them. So again, not many people have heard of it, but yeah, people say, well, how do we do security by design? Well, start from requirements. Where do we get security requirements from? Well, there's one project.
There's another project called OWASP User Security Stories. Again, a lot of people have never heard of it, but we have two developer-backlog-related projects: there's one called User Security Stories, and there's another one called Abuse Stories, or Attacker Stories. So, these are stories that people can take and inject directly into their agile backlog to give to developers, so they know what to expect. They have stories on what can possibly go wrong, as an abuser and as an attacker. For example, I'll give you an example which is probably quite close to your heart. One of these abuse stories says: as an attacker, I can brute force the login screen by utilizing a stolen list of usernames and passwords from the internet. And if you look at developers developing an application, usually the requirement is: the application should have a login screen with username and password; if the username and password are correct, the user is logged in; if the username or password is incorrect, they should get a message, incorrect login, and a button, forgot password. And you can see there is no mention of security whatsoever. And this is why, if you use the OWASP abuse stories, you'll start injecting all the questions like, oh, this is what an attacker can do.
Andrew Ash: Yeah. A lot of the credential stuffing that we see, not all, but some, certainly on older sites, is where the difference between a successful and a failed login is incredibly explicit, and passes back information that basically a hacker can utilize to determine whether a username exists, or to work out the cadence at which they can credential stuff before getting rate limited or being blocked by the application from logging in. And yeah, there's an absolute, yes, I think actually we could really add to those scenarios, because we've probably seen most of them.
Sam Stepanyan: That would be awesome. And again, this is all free and open source, so open for collaboration and contribution. So please do collaborate and contribute.
Andrew Ash: We'll talk about that afterwards. It's interesting. Just to move on a little bit, Netacea have developed and now open sourced the BLADE Framework, which is the Business Logic Attack Definition Framework, which describes a set of attacks that is different to traditional security attacks, and credential stuffing is absolutely part of that. There is some crossover with OWASP, with other standards and frameworks. Now we have in the room, Cyril, who is very modest. So, Cyril and his colleagues pretty much wrote the BLADE Framework. So, can you tell us what the BLADE Framework is and why we felt there was a need for it at Netacea?
Cyril Noel-Tagoe: Yeah, I mean, so when we were looking at these business logic attacks and we were trying to taxonomize them, we were looking at MITRE ATT&CK and we were looking and saying, okay, well these aren't on there. How do we explain to different stakeholders what they are? How do we build out these kill chains? I think around that time, there was also an OWASP automated threat project, I believe, around that time, which had some stuff in it as well, but it wasn't a full framework. So, we thought, okay, let's look at that, let's look at MITRE, how can we bring the best of both worlds there. And it really started with us just building kill chains, so this is the lifecycle of an attack. Okay, what are the specific tactics and techniques which are being used at these phases? We got to the point that we had a few kill chains, and we were like, okay, well, we can actually build out these phases in this matrix from that kill chain. And what we found when we did is that not only was it really useful for us, but it was really useful for people we were sharing it with. And then we thought, well, there's no use in this just being our thing. Let's actually get this out, let's get people engaged with it. And now we've got a group of people from loads of different companies, including some of our competitors, all engaged with us. It's great, because the more we share as a security industry, I think the better we get as a security industry.
Andrew Ash: No, exactly. And I think there's a huge amount of value in being able to standardize language where there is no standard. That is number one, and there's plenty of examples of that throughout years of technology. And BLADE definitely does that. So, it is an open project now. How's adoption of BLADE been across the industry, and how do you think it's helping security professionals?
Cyril Noel-Tagoe: Yeah, it's been great. So, I mean, one of the funny things is we've been in conversations with some companies, and they've said, oh, you guys do bot management. Oh, have you heard of the BLADE Framework? And we're like, yeah, funny that. Yes, we have.
Andrew Ash: We are the, no, we're not the BLADE Framework. It is an open-source project.
Cyril Noel-Tagoe: But yeah, so that really shows the adoption in the industry. I think one of the really useful things is, because bot attacks and business logic attacks generally are not your traditional cyber security attack, you've got a lot of different stakeholders on the defense. For, let's say, a scraping attack on a website, right, which would be a traditional security attack, and that would still be an attack on BLADE, it might be the marketing team that's picking that up, because they've seen a spike in traffic and they're not sure whether this is good traffic, whether it should be falling into their analytics or not.
So, they're raising it with another team, and it's somehow getting to security. And they're all calling it different things, because they're all coming from different disciplines. But what BLADE really did is allow everyone to start speaking the same language. So, I think, especially because of the nature of business logic attacks, that really helps to make it easier for people to communicate and ultimately solve these problems.
Andrew Ash: Where there's shared language, there is an opportunity to set a shared solution, you know. An understanding of the problem is the first step to solving the problem. And these are all trite clichés, but it's absolutely true. If we all call the same thing the same thing, we've got a better chance of understanding it together.
So Sam, I mean, you've already touched on this with the AI potential next step for OWASP, but how important do you think it is that we as an industry keep developing these frameworks as new types of threats emerge?
Sam Stepanyan: I think it's very important, and it's actually very important to keep this open source, because obviously with the advancement of AI and machine learning, it’s all good, we go and happily use ChatGPT to help us summarize meeting minutes, or help us write emails, or help us generate various images.
I do use it, by the way, to generate images for my OWASP London website, Proof of Attendance Protocol NFTs. So, people attending our meetups get a little digital badge in their crypto wallet. So again, I use AI to generate this digital sticker, proof of attendance thing. But what we should remember is all the attackers, right?
They use AI as well. And they use AI to bypass our AI, right? So, as you rightly know, one of the biggest problems now, looking at, for example, the BLADE Framework, is CAPTCHA avoidance, because, yes, it's all good, a CAPTCHA is, you know, Alan Turing's test to tell computers and humans apart, but computers are getting smarter and smarter, and they are solving the tasks in those CAPTCHA challenges.
And I think especially for the, if you look at the automation and business logic attack scenarios, I think this is what we need to make sure that we continue learning and we continue developing, and understand the new threats which are coming. 'Cause if I look at, for example, like three years ago, for example, the only CAPTCHA avoidance services were humans, were a whole bunch of people, mostly in countries like China, paid, I don't know, three pennies for ticking the box saying, I'm not a robot, you know, it was like CAPTCHA solvers as a service, CAPTCHA resolution as a service, whatever it was called, also known as crimeware, right?
And nowadays, now it's different because, you know, people use AI, and criminals use AI to bypass CAPTCHA. So, it will be very interesting to learn, for example, how you are, how much of these kinds of attacks you are seeing and basically what kind of defenses now you recommend in terms of all the AI enabled CAPTCHA solvers.
Andrew Ash: Yeah, well Cyril is in a unique position to answer this one because I think, did you, were you a CAPTCHA solver for a while, Cyril, or was that somebody else? Because we need to understand this, I mean, obviously, infiltrate is not the right word, it's not that difficult to become a CAPTCHA solver for money, you just don't make a lot of money.
Sam Stepanyan: Yeah, you need to identify all the pedestrian crossings, right? And all the fire hydrants and all the buses.
Cyril Noel-Tagoe: Yes, I mean, you do get. So, I did do it for a while. I didn't last a whole day. You have a little thing at the top which tells you how much you've made. I'd done about 10 CAPTCHAs and I hadn't yet made like 1 percent of a penny. And at that point I was like, no, this isn't for me. But yeah, no, the AI solvers, that's probably the most, like even before we had the LLM boom, that was the one application of AI that you could definitely say was being used. And that's. I mean, that's a byproduct of CAPTCHAs originally being used to help train vision models, right?
That's the reason why you're told to select, you know, these cars or buses or numbers on a doorframe, right? And it was only a matter of time before the AI caught up with it. But yeah, as an industry, it's definitely something that we need to deal with and something that the BLADE Framework obviously needs as it evolves, needs to provide solutions.
And what, also, what are they doing once they go past that? Because that's the current state, but what happens next? After that, is that the only place that they're using AI? Are they moving to other places? And how do we capture that as well?
Andrew Ash: Yeah, I think what we found about the automated AI versus human CAPTCHA farms is that machines are better at passing CAPTCHA than humans are.
Which is very ironic, based on what the actual test is. So, yeah, it's a fascinating one. And from an actual nuts and bolts approach to how we deal with this, we only really look at CAPTCHA as a piece of data in a very big data set. It's not necessarily the mitigation of the attack that CAPTCHA is there.
And we have a lot of... We've done a lot of work lately because we do provide CAPTCHA as a mitigation technique, but we've done a lot of work in the last 18 months to feed back into that machine learning loop, what actually happens if a CAPTCHA is passed. Because the challenge with CAPTCHA pass is that it’s either a false positive, which we don’t want and our customers definitely don’t want, or it’s a really complicated attack that someone is paying a lot of money to persist through CAPTCHA farms.
And it’s, so yeah, it’s a tough problem to solve, but we look at it as a data point rather than a definite. Whether CAPTCHA has been attempted, CAPTCHA has been passed, it doesn’t give us a definitive answer on the behavior of that entity on the application.
So, no, it’s really interesting that you brought that up actually. I think, did we write a white paper? I believe there’s something.
Cyril Noel-Tagoe: I don’t think we released it publicly. But yeah, that was back when I did my little stint as a CAPTCHA solver.
Andrew Ash: Yeah. I wish we had a video of that, that would have been great.
Cyril Noel-Tagoe: Would not recommend.
Andrew Ash: Cool. Okay. So, I think we’re pretty much out of time. So, thank you to Sam and Cyril for joining me today. If you have any questions for us, please either leave a comment, if you’re listening via Spotify or YouTube, or you can mention us in our X account @cybersecpod or email podcast@netacea.com. Please make sure you subscribe wherever you get your podcasts. And finally, thanks for listening and we’ll see you next time for more Cybersecurity Sessions.