#48: Roman Kelser: From Security Research to AI
We sat down with the VP of Research at Cybellum, aka “Roman Explains” to learn from his vast experience in embedded device security research and get practical insights into how to use AI in product security, following the release of his new “Ask Roman” product feature for product security professionals.
About Roman Kesler
Roman Kesler is the VP of Research at Cybellum. For those following Cybellum, you probably know him from his video series “Roman Explains”, where he breaks down famous vulnerabilities and product security concepts. But surprisingly, that’s not ALL that he does. Roman is an experienced Researcher, Software Engineer and Team Leader with a history of working in the product cybersecurity industry. At Cybellum, he does not only lead the research team, but is also in charge of developing new AI capabilities for product security. In fact, Cybellum just launched an AI assistant for product security, and named the feature… you guessed it ! “Ask Roman”.Summary of the Conversation with Roman Kesler
Roman Kesler, VP of Research at Cybellum, joins the show to discuss his work, particularly in product cybersecurity and AI. Known for his video series “Roman Explains,” Roman is also an experienced researcher, software engineer, and team leader. At Cybellum, he not only leads the research team but also spearheads the development of new AI capabilities for product security.
Career Journey
- Background: Roman began as a software engineer and transitioned into security research. He emphasizes that understanding software development is crucial before moving into research to effectively reverse-engineer code.
- Current Role: At Cybellum, Roman leads the research team and develops AI capabilities, including the recently launched AI assistant named “Ask Roman.”
Key Insights and Highlights
- AI in Product Security:
- AI is a powerful tool that can enhance product security by automating tasks like anomaly detection and threat identification.
- AI assists security teams by analyzing vast amounts of data, identifying important issues, and focusing human resources on critical problems.
- Data Safety and Privacy in AI:
- Data safety and privacy are significant concerns when using AI in cybersecurity. Companies must ensure that their prompts and data are protected and not misused by AI vendors.
- AWS and other cloud providers offer secure infrastructure for AI models, ensuring that data remains private and inaccessible to unauthorized parties.
- Future of AI in Product Security:
- The current phase involves finding the best ways to integrate AI into existing processes to maximize its potential.
- Companies are exploring different approaches, and successful integration will lead to significant improvements in efficiency and security.
Practical Applications and Favorite Vulnerabilities
- Favorite Vulnerability: Roman’s favorite vulnerability is a simple buffer-based stack overflow. He highlights how a small programming mistake can lead to severe consequences, demonstrating the importance of thorough code review and security practices.
- Tool or Framework Recommendation: Roman recommends using large language models (LLMs) as a service, which simplifies the implementation of AI capabilities by leveraging cloud infrastructure and APIs.
Tips for Aspiring Security Researchers
- Learn to Develop Code: Understanding software development is essential before moving into security research.
- Use AI for Learning: Aspiring researchers can use AI to guide them through learning new concepts and vulnerabilities, asking for explanations and examples to enhance their understanding.
Personal Insights and Final Thoughts
- Importance of AI and Politeness: Roman notes that AI models can reflect the behavior of users, responding politely if treated politely.
- Future of AI at Cybellum: Roman is excited about the continued integration of AI into Cybellum’s products and looks forward to future developments.
Conclusion
Roman Kesler’s insights highlight the transformative potential of AI in product security and the importance of understanding software development for effective security research. His emphasis on data safety, privacy, and practical applications provides valuable guidance for organizations and aspiring security researchers navigating the evolving landscape of cybersecurity and AI.