Here’s what to know about AI, how to get started, and what you need to understand in order to use it appropriately.

When the first AI craze hit I told people I didn’t use it because it doesn’t fit my individual use case.
And it still doesn’t, for the reasons I mentioned, given the way I was thinking people were going to use it.
However, I’ve shifted my research to focus on AI because there are places where it can be helpful — with a lot of caveats.
People will be using AI, like it or not, in the future. Just as I predicted that people would be using cloud when all the long-time security people told me it would never happen. But here’s the catch — you have to understand how and when to use it.
AI is not going to take away jobs, but it can cautiously help you get your job done faster — just like a Google search or Stack Overflow. You can’t believe or use everything you learn there, but it can help you find the nugget of information you need to complete the task at hand.
When using sources on the Internet, you have to know when the advice is good or bad. Some attackers like to plant malicious code snippets, source code, and supply chain attack vectors into Stack Overflow posts, containers, libraries, and source code repositories. The same can happen with AI-generated content gone wrong. It may be intentional or unintentional, but the result can be the same.
Here’s a snippet from my recent presentation at AWS re:Inforce in Philadelphia:
You know when you see this thing going around on social media where people tell you to type a phrase into your phone and you are whatever comes up next? It’s predicting what you want to type next. And the same prediction does not occur for every user on every phone. In fact, sometimes if you go back later and type those same words you’ll get a different answer.
Why?
It depends on the inputs used (besides the phrase you wrote) and the model being used to guess what you are going to type next. Let’s say you write a few more text messages and then type the phrase again. Is it using your prior text messages to generate its prediction? What if your phone is updated and the software changes? How will that change the prediction?
That’s what AI models do. You give them a prompt and they predict what you want and try to provide it to you.
Sometimes they are right. Sometimes they are very wrong. Sometimes they are only wrong in subtle ways you might not notice.
It’s a prediction.
So when you’re choosing to use AI for any reason you have to understand this basic premise and then use it accordingly.
In my presentation I was talking about batch jobs and specifically about batch jobs I wrote for banks that would do things like calculate all the dividends owed to securities holders at an investment bank at the end of the day.
It was at this point that I explained what dividends are and provided a few tips on that topic as I think they are a great way to generate additional income — in the long run:
When I wrote a batch job to process dividends, I had to make sure that every single investor was paid what they were owed for any securities that paid a dividend to their shareholders that day. The investors should get the dividend they were owed in every case — no more, no less. The results had to be precise. Accurate.
In other words, not a prediction.
When I get my bank statement, I don’t want the company to predict what they think should be on my bank statement. I want it to be right.
Using AI to generate bank statements — or anything else that absolutely has to be accurate — is a BAD IDEA. That is not an appropriate use case for AI, unless you have human oversight to correct any problems with the output. In the case of a back office banking system it would take way more time to try to find and fix discrepancies than if you had simply written a program that uses deterministic logic to calculate balances in the first place. Trust me, I know, after trying to find those needle-in-a-haystack problems in a pile of data and fixing programs with reconciliation errors.
So what good is AI? Well, just like a Google Search, it can help you find an answer a lot faster than you could figure it out with your own brain, depending on the problem.
Here’s what I find AI particularly good at right now. If you have a tricky line of code that has high potential for syntax errors — ask AI to write that single line for you. Then test it to make sure it is correct.
Alternatively, have AI write your code ONE LINE AT A TIME, testing each line as you go. Or perhaps a couple of lines at a time. AI seems to be good at doing small things, not big complex things. But you can break the big complex things into small bits.
If you’re not sure what I mean by that, I’m doing it in all my recent AI blog posts, and I have sample, working code as a result of the process.
You can write complex programs that have to be accurate with AI, using that method. You validate each small part of the application as you go.
In order to do this effectively — you have to know when the AI has made a poor choice. In my blog posts I show where the AI has produced an overly complex solution or where the code is problematic — creating a security problem or hiding errors needed for troubleshooting.
So in the end, if you want to be good at using AI, you’ll still want to be good at programming itself. The code produced by AI is going to have problems. It’s predicting the code you want to write. It is trained on code that has problems. It’s not good at complex application architecture. But it still can help you write code.
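Here is an added example of what the two points above look like in code: the dividend batch job is deterministic and exact rather than a prediction, and it is built from small functions that can each be tested on their own as you go. This is not code from the original post or from any bank system the author worked on; the investors, ticker symbols, positions and dividend rates are constructed sample data, and the function names are my own. It uses `Decimal` so that money arithmetic is exact, and it ends with a reconciliation step that reports every discrepancy instead of silently adjusting anything, which is the kind of error-hiding the post warns about.

```python
"""Deterministic dividend processing with a reconciliation check (added example).

Every number below is constructed for illustration; no real securities,
investors, or rates are represented.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

CENT = Decimal("0.01")

# Constructed: per-share cash dividend paid today, keyed by ticker symbol.
DIVIDENDS_TODAY: Dict[str, Decimal] = {
    "ACME": Decimal("0.37"),
    "BOLT": Decimal("1.25"),
}

# Constructed: (investor id, ticker symbol, shares held at record date).
POSITIONS: List[Tuple[str, str, int]] = [
    ("inv-001", "ACME", 100),
    ("inv-002", "ACME", 333),
    ("inv-002", "BOLT", 10),
    ("inv-003", "BOLT", 7),
    ("inv-003", "ZZZ", 50),  # ZZZ pays nothing today, so it must be ignored
]


def dividend_for_position(shares: int, rate_per_share: Decimal) -> Decimal:
    """Exact cash owed for one position, rounded to the cent.

    Small unit, tested on its own before anything is built on top of it.
    """
    if shares < 0:
        raise ValueError(f"negative share count: {shares}")
    return (Decimal(shares) * rate_per_share).quantize(CENT, rounding=ROUND_HALF_UP)


def payments_owed(
    positions: List[Tuple[str, str, int]], dividends: Dict[str, Decimal]
) -> Dict[str, Decimal]:
    """Total owed per investor, summing only symbols that pay today."""
    owed: Dict[str, Decimal] = {}
    for investor, symbol, shares in positions:
        rate = dividends.get(symbol)
        if rate is None:
            continue  # no dividend for this security today: nothing owed
        owed[investor] = owed.get(investor, Decimal("0")) + dividend_for_position(shares, rate)
    return owed


def reconcile(
    positions: List[Tuple[str, str, int]],
    dividends: Dict[str, Decimal],
    paid: Dict[str, Decimal],
) -> List[Tuple[str, Decimal, Decimal]]:
    """Compare what was owed with what the payment ledger says was paid.

    Returns one (investor, owed, paid) tuple per mismatch. Investors that
    appear on only one side are included, so an unpaid or overpaid investor
    cannot disappear from the report. Nothing is corrected silently.
    """
    owed = payments_owed(positions, dividends)
    discrepancies = []
    for investor in sorted(set(owed) | set(paid)):
        o = owed.get(investor, Decimal("0"))
        p = paid.get(investor, Decimal("0"))
        if o != p:
            discrepancies.append((investor, o, p))
    return discrepancies


if __name__ == "__main__":
    # Constructed payment ledger with one transposed amount for inv-002.
    ledger = {
        "inv-001": Decimal("37.00"),
        "inv-002": Decimal("135.17"),
        "inv-003": Decimal("8.75"),
    }
    for investor, o, p in reconcile(POSITIONS, DIVIDENDS_TODAY, ledger):
        print(f"{investor}: owed {o} but ledger shows {p}")
```

Each function is small enough to be written and checked in isolation, which is the one-piece-at-a-time approach the post describes; if an assistant suggests a shortcut like a bare `except: pass` around the arithmetic or a rounding step applied to the running total instead of each position, the per-function check is where that shows up.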
There’s a paper from Apple that explains how AI is basically not all that it is hyped up to be, and no, it’s not really “thinking”.
The interesting point here is that it’s slower at the very simple tasks, excels at slightly more complex tasks, and then falls flat on overly complex tasks.
Once again that points to using AI to leverage what it’s good at — small to medium tasks. Like small blocks of code. And as I explained, that’s why my method of writing AWS CloudFormation templates for each individual resource might be a good strategy when using AI to write them.
So learn AI. No, you don’t have to know exactly how a model works or how to create your own, though you may want to go down that route at some point if you need to. Mostly you can leverage the models which are already pretty good to get started. In many cases, that is all you will need. The models themselves are constantly improving and some are tuned for specific use cases. Claude is particularly good for programmers.
Now don’t forget about data security. Where is your data going when you enter it into a chat bot and how is it being used? If you are working on proprietary code or working with sensitive data — read the fine print.
Or use Amazon Bedrock, which has data security protections built in.
I have some posts on how to use that and Q Developer (for coding) if you are trying to figure out how to get started. All of this is going to improve quickly and dramatically — that’s my prediction. So start learning it now.
If you can’t use it at work do what I did back when I wanted to use AWS and my company (Capital One) wouldn’t let me — open your own AWS account. But be mindful of the costs as they can add up quickly if you don’t know what you are doing. If you are not worried about sensitive data or processing a lot of data you can use the Amazon Q Developer free tier. But be aware of the limitations I mentioned.
It’s easy to get started. I have other posts on just how to do that if you need more explicit instructions. Do it today!
Teri Radichel | © 2nd Sight Lab 2025