Seth Law, Ken Johnson - Harnessing LLMs for Application Security - DCTLV2025
Name of Training: Harnessing LLMs for Application Security
Trainer(s): Seth Law and Ken Johnson
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,000
Course Description:
This comprehensive course is designed for developers and cybersecurity professionals seeking to harness the power of Generative AI and Large Language Models (LLMs) to enhance software security and development practices. Participants will gain a deep understanding of LLM functionality, strengths, and weaknesses, and learn to craft effective prompts for diverse use cases. The curriculum covers essential topics such as embeddings, vector stores, and Langchain, offering insights into document loading, code analysis, and custom tool creation using Agent Executors.
Course highlights:
- Hands-on techniques like Retrieval-Augmented Generation(RAG) and Few-Shot Prompting for secure code analysis and threat modeling.
- Integration of AI into security tasks to identify vulnerabilities and improve overall application security.
Course Outline:
-
Introduction & Overview
- Introduction to Generative AI Concepts
- Understanding LLMs: Functionality, Strengths, Weaknesses
-
Lab Set up
- Ensure all students systems work and can reach our LLM and Vector DB
-
Langchain
- Overview & Components
- Explanation Of Documentation And Concepts
-
Prompt Engineering
- Types of Prompts: User, System, AI
- Few-Shot Prompting: Importance & Usage
- Prompt Engineering - Techniques & Frameworks (eg: Reflexion, CO-STAR)
- Exercise: Craft Prompts Using One of the Preferred Techniques/Frameworks
-
Context
- About
- Use Cases & Types of Context
- Length / Window
- Exercise: Use Context to Improve Prompt Performance
-
Embeddings & Vector Stores
- Background: Formats, Documents, Metadata
- Use Cases: SimilaritySearches, Chaining
- Exercise: Use vector store as context
-
Exploring LLMs
- Types of LLMs: Open Source & Commercial (Hugging Face, Anthropic, OpenAI, etc.)
- Hosting options- Hosted vs Transactional (Ex: Sagemaker vs Bedrock)
- Considerations
-
Chatbot/AppSecAssistant
- Background & Use Cases
- Retrieval Augmented Generation (RAG) Techniques
- Implementing Chat History
- Exercise: Build an AI Assistant that uses your company’s documentation to answer questions for developers
-
Source Code Analysis
- Recommended Approaches
- Code Splitting, Tree-sitter & Langchain Support
- Few Shot Prompting for Tuning Results
- Building a Knowledge-base
-
Compositional Analysis
- Exercise: Build Information Gathering Tool
-
Vulnerability Analysis & Discovery
- Exercise: Build Vulnerability Scanning Tool
-
Agent Executors & Custom Tools
- Use Cases: Compositional & Behavioral Analysis
- Langchain ReAct
- Langraph Usage
- Exercise: Build a “Chain of Thought” so that the LLM uses reasoning and additional lookups in source code to find the answers it needs to validate a vulnerability (ex: validate insecure direct object reference finding)
-
Model Context Protocol (MCP)
- Background
- Use cases & benefits
- Exercise: Build mini-threat modeling tool using MCP
-
Threat Modeling w/ StrideGPT
- Attack Tree Analysis
- Diagram Generation
- Risk Assessment
- Exercise: Use an automated Threat Modeling tool
Key Takeaways:
- Practical Mastery of AI-Driven Development Tools: Gain hands-on experience with technologies like Langchain, embeddings, and vector stores.
- Advanced Prompt Engineering Techniques: Learn to Craft Effective Prompts and Leverage Few-Shot Prompting.
- Enhanced Security Practices Through AI: Apply AI for secure code analysis, threat modeling, and DevSecOps.
Difficulty Level:
Intermediate skill level as this course requires knowledge of software/coding and application security. However, the course does NOT require ANY prior knowledge of AI/LLMs.
Who should attend:
-
Software Developers and Engineers: Looking to integrate AI and LLMs into the development processes and improve application security.
-
Cybersecurity Professionals: Focused on application security, threat modeling, and DevSecOps, seeking to leverage AI-driven tools for vulnerability identification and risk assessment.
Suggested Prerequisites:
None
What Students Should Bring:
Computer with at least average computing power. Preferably with Ollama and Python 3.12 installed.
Trainer(s) Bio:
Seth Law is the Founder & Principal of Redpoint Security and Ken Johnson is the Co-Founder and CTO of DryRun Security. Both Seth & Ken utilize LLMs heavily in their work and have a wealth of real world applicable skills to share in applying LLMs to the application security domain.
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
Training Justification Request – DEF CON Training
To: [Manager Name]
From: [Employee Name]
Date: [Date]
Subject: Business Justification for Attendance at DEF CON Training
Dear [manager’s name],
I am requesting approval to attend DEF CON Training, one of the cybersecurity industry's most recognized technical training programs. I’ve reviewed the options and selected a course to expand my skills with [1-2 key skills focus areas for the course].
DEF CON has been one of the world’s leading cybersecurity communities for more than three decades, known for convening industry, government, and independent experts to exchange advanced knowledge and practical skills. Building on this tradition, DEF CON Training delivers intensive courses taught by recognized global instructors. DEF CON Training courses offer hands-on instruction in a challenging, fast-paced environment. Many of the courses offered by DEF CON Training align with the National Institute of Standards and Technology (NIST) NICE Framework and Department of Defense Cyber Workforce Framework (DCWF), and attending this course will help me build and sharpen the skills required for my role.
Training: [Name of DEF CON Training Course]
Instructor/Provider: [Trainer Name(s)]
Dates: [Training Dates]
Location: Las Vegas, NV
Cost: [Course Fee]
Travel Expenses: [estimated travel & accommodations costs]
Course Description: [Copy short description of the selected class from the website here]
Trainer Bio: [Copy bio of the trainers of the selected class from the website here]
Once I’ve completed the course, I’ll be able to:
[copy student outcomes from course page where available or choose 3-4 skills or topic areas from the outline that are applicable to your current role, will help you fill a skill gap, etc.]
Business Need
As cyber threats continue to evolve, it is critical that our organization maintains current knowledge of emerging techniques and industry best practices. The selected DEF CON training aligns directly with my responsibilities in [your role/field here - for example, security operations, incident response, threat detection and hunting, application security, cloud security, risk management, security engineering].
The course will provide practical, hands-on experience that can be immediately applied to our environment and security initiatives. DEF CON training emphasizes real-world attack and defense scenarios, enabling participants to develop skills that extend beyond traditional classroom learning.
Request for Approval
I respectfully request approval and funding to attend DEF CON Training this August in Las Vegas. The knowledge, hands-on experience, and industry insights gained will directly support our cybersecurity objectives and contribute to strengthening our organization's security capabilities.
Thank you for your consideration. Please let me know if you have questions or need additional information to support this request.
Sincerely,
[Employee name]