OWASP AI Exchange

AI is changing the game for small and midsize businesses (SMEs). It brings new ways to grow, create, and connect. But here’s the truth: digital transformation without safety can put everything at risk. That’s why IWWOF would like to invite you to this event: “AI Safety Isn’t Optional in Today’s Cybersecurity Landscape for SMEs.” Together, we’ll explore: 🔹Why AI safety needs to be part of your cybersecurity culture   🔹How everyday AI tools can expose sensitive data (and what to do about it) 🔹Practical steps to make AI safety part of your cybersecurity culture Whether you’re already using AI or just getting started, this session will help you feel confident, secure, and ready to lead your business into the future. ✨ Event info:  📅Date: 13.11.2025 ⏰Time: 16:30 to 17:30 📍Venue: Business Turku, Tykistökatu 4 B, ElectroCity (Street level), 20520 Turku. 🌍Mode: Hybrid. 🔗Link for online participation: https://lnkd.in/ghyZpRfk 👉 Register for on-site participation: https://lnkd.in/gWhSf3KQ Let’s build a safer, smarter future together! #AI #AISafety #Cybersecurity #SMEs #DigitalTransformation #IWWOF

Thanks Disesdi Susanna Cox 🕷️for your paper on quantifying the attack space for AI systems. Really interesting approach instead of just putting various language attacks and hoping for the best. I made a video with NotebookLM that helped me understand it, so thought it might help others. I did read the paper afterwards to validate its accuracy. Original paper : https://lnkd.in/eXWd7hew

Today we are releasing a new episode with Iryna Schwindt - Lead Secure-by-Design Manager at Vodafone Group, where she embeds security controls and guardrails across digital channels and AI-driven products serving millions of users. With a career spanning role in cybersecurity engineering, risk management, and cloud security across Azure, AWS, and GCP, Iryna has become a leading voice on AI risk management, AI red teaming, and responsible AI implementation. During our conversation, she shares her inspiring journey into cybersecurity—from her early research on cryptography and embedded systems to leading Vodafone’ secure AI initiatives—and provides actionable advice for women entering or advancing in this dynamic field. Full episode: https://lnkd.in/gFf4KFi4 #WCP #womenincybersecurity #security #ai #career

𝐀𝐫𝐞 𝐲𝐨𝐮 𝐫𝐞𝐚𝐝𝐲 𝐭𝐨 𝐡𝐚𝐜𝐤 𝐀𝐈 𝐀𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧/𝐒𝐲𝐬𝐭𝐞𝐦? Compete in AISA’s AI Security Challenge live at BlackHat KSA. Solve Deepfake, Shadow AI, and LLM exploits. 𝑾𝒊𝒏 𝒑𝒓𝒊𝒛𝒆𝒔 𝒂𝒏𝒅 𝒃𝒓𝒂𝒈𝒈𝒊𝒏𝒈 𝒓𝒊𝒈𝒉𝒕𝒔. ⚡ Coming Dec 2-4 AI Security Academy Booth Next to the BlackHat and and and two boot away from the OffSec #AIsecurity #Hackathon #BlackHatKSA #OWASP

There's an elephant in the room of AI: the security of your prompt. We need to talk about it. When you send input to a cloud AI - ChatGPT, or your own app using a vendor's model: where does your data go? Is it stored? Is it used for training? Who can access it? Strangely, this topic gets little attention. It's not in the LLM top 10 - understandable because you only get ten items and there's nothing cool or really AI about prompt security. Some prefer to avoid the discussion, afraid it might slow down AI adoption. Whenever I raise this in talks, people figuratively cover their ears and go 'la-la-la'. Yet this is the number one question we get from clients at Software Improvement Group and a key concerns in the threat model of the OWASP AI Exchange. Here's what the Exchange advises you to check when your model is hosted by a vendor (90% of the cases): 1️⃣ Where does the model run? Is the model running in the vendor's processes or in your own virtual private cloud? Some vendors say you get a 'private instance', but that may refer to the API, and not the model. If the model runs on the cluster operated by your vendor, your data leaves your environment in clear text. Vendors will minimize storage and transfer, but they may log and monitor. 2️⃣ What are the data retention rules? Has a court required the vendor to retain logs for litigation? This happened to OpenAI in the US for a period of time. 3️⃣ What is exactly logged and monitored? Read the small print. Is logging enabled, and if so, what is logged? And what is monitored - by operators or by algorithms? And in the case of monitoring algorithms: how is that infrastructure protected? Some vendors allow you to opt out of logging, but only with specific licenses. 4️⃣ Is your input used for training? This is a common fear, but in the vast majority of cases the input is not used. If vendors would do this secretly, it would get out because there are ways to tell. If you can't accept the risk for certain data, then hosting your own (smaller) model is the safest option. Typically it won't be as good and there's the catch 22. I'll include a link with more details in the comments. Remember, having unencrypted data in the vendor's cluster is not unique to AI. It's the same for other multi-tenant SaaS services, such as commercial hosted Office suites. If attackers compromise the vendor's inftrastructure or its administrators, they may access your data. When weighing this risk, compare it fairly: the vendor may still protect that environment better than you can protect your own. Sometimes it's best to face the risks and make informed decisions, rather than ignore it until something goes terribly wrong. Don't shoot the messenger! 🙂 #ai #aisecurity