Threat Modeling Meets Model Training: Web App Security Skills for AI Red Teams
Breanne Boland
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
Breanne Boland, a product security practitioner at Gusto, made a practical and encouraging case that security professionals who already know web application security fundamentals have most of what they need to secure AI systems. Drawing direct mappings between OWASP Top Ten web vulnerabilities and AI-specific risks, she argued that AI is not an exotic new threat category requiring entirely new disciplines — it is, fundamentally, new technology that benefits from the same methodical threat-modeling approach security practitioners already apply everywhere else. ---
AI review
Competent introduction to AI security for practitioners who already know web application security but haven't made the conceptual bridge. The OWASP mapping is useful framing, the 'hallucination is not a cute word for dangerous output' point lands well, and the direct tone is refreshing. But this is entry-level material dressed up as insight.