In a first-day keynote, Alissa Knight talked APIs, AI and Ares at ISC2 Security Congress in Nashville and online.
Machine-on-machine warfare is already here and humans need to get out of the way, security expert turned Hollywood changemaker Alissa Knight told the audience at ISC2 Security Congress.
Knight said that it was inevitable that artificial intelligence (AI) would take the central role in cybersecurity, not least because it didn’t have to sleep, take breaks, or go to the bathroom and could just carry on learning and attacking.
The talk condensed Knight’s 25-year career, which began with her arrest for hacking a government network at the age of 17 and has spanned time in the US military, advising government and law enforcement, along with starting and selling a series of startups. More recently she has been a producer on an array of TV series with a focus on hacking and dystopian futures.
Exposing Flaws in Systems
A recurring theme was the ease with which Knight has exposed financial networks, healthcare systems and law enforcement vehicle fleets via APIs. She said the most frequent problem that she attacks through penetration testing is broken object level authorization (BOLA) in APIs.
“There is a systemic problem of developers hard coding what are called bearer tokens and apps. Believe it or not, usernames and passwords,” she said. Organizations typically have little idea how many APIs they actually have. “It's such a big attack surface you can't possibly secure it all.”
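The broken object level authorization (BOLA) problem Knight describes is easiest to see in code. The following is an added example, not code from the talk or from any app she tested: a vulnerable record handler sits beside a hardened one, with a small constructed record store and hypothetical "patient" and "clinician" roles. The point is that a valid bearer token only proves who is calling; the handler still has to check whether that identity may touch the specific object requested.

```python
"""Broken object level authorization (BOLA) in an API handler, with a hardened
version beside it. Added example: the records, roles and handler names are
constructed for illustration, not taken from any real FHIR app or engagement."""
from typing import Callable, Dict, List

# Constructed sample store: object id -> record. "owner" is the patient user id.
RECORDS: Dict[str, dict] = {
    "rec-1001": {"owner": "alice", "medication": "metformin", "dose_mg": 500},
    "rec-1002": {"owner": "bob", "medication": "lisinopril", "dose_mg": 10},
    "rec-1003": {"owner": "carol", "medication": "atorvastatin", "dose_mg": 20},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised for the object."""


class Caller:
    """The identity a validated bearer token proves. Roles are hypothetical."""

    def __init__(self, user_id: str, role: str) -> None:
        self.user_id = user_id
        self.role = role  # "patient" or "clinician"


def get_record_vulnerable(caller: Caller, record_id: str) -> dict:
    """BOLA: the token established *who* is calling, but nothing checks whether
    that identity may read *this* object. Any logged-in patient who changes the
    id in the URL reads every other patient's record."""
    return RECORDS[record_id]


def may_read(caller: Caller, record: dict) -> bool:
    """Object-level rule: the owner, or a clinician, may read a record."""
    return record["owner"] == caller.user_id or caller.role == "clinician"


def get_record_hardened(caller: Caller, record_id: str) -> dict:
    """Same endpoint with the object-level check the vulnerable handler lacks.
    A missing id and a foreign id fail identically, so the error does not
    reveal which ids exist."""
    record = RECORDS.get(record_id)
    if record is None or not may_read(caller, record):
        raise Forbidden(f"{caller.user_id} may not read {record_id}")
    return record


def update_dose_hardened(caller: Caller, record_id: str, dose_mg: int) -> dict:
    """Write path: only a clinician may change a dose, and the id must exist.
    Ownership alone is not enough here; patients must not edit their own dosing."""
    record = RECORDS.get(record_id)
    if record is None or caller.role != "clinician":
        raise Forbidden(f"{caller.user_id} may not update {record_id}")
    if dose_mg <= 0:
        raise ValueError("dose must be positive")
    record["dose_mg"] = dose_mg
    return record


def reachable_ids(caller: Caller, handler: Callable[[Caller, str], dict]) -> List[str]:
    """Authorisation self-test for your own API: which ids can this caller read
    through the given handler? Suitable as a regression test in CI."""
    reachable = []
    for record_id in sorted(RECORDS):
        try:
            handler(caller, record_id)
        except (Forbidden, KeyError):
            continue
        reachable.append(record_id)
    return reachable


if __name__ == "__main__":
    alice = Caller("alice", "patient")
    print("vulnerable:", reachable_ids(alice, get_record_vulnerable))  # all three ids
    print("hardened:  ", reachable_ids(alice, get_record_hardened))    # only rec-1001
```

The `reachable_ids` self-test is the check worth keeping: run it against every object-returning endpoint with a low-privilege test identity, and fail the build when the returned list grows beyond what that identity owns.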
The U.S. faces a deadline next January to implement “Fast Healthcare Interoperability Resources APIs” to ease data sharing between healthcare organizations.
Knight detailed how she was contracted by the Office of the Inspector General to report on the system. She found that over half of the FHIR mobile apps she tested contained hardcoded API keys and tokens.
She was able to access four million patient records via a single patient access account and was also able to modify data including medications and dosages.
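Hardcoded API keys and bearer tokens in mobile apps are something a development team can catch before release. The following is an added example, not code from the report or from any real app: a small scanner that runs over decompiled or source lines, flags JWT-shaped strings, `Bearer` header values and quoted assignments to key/token/secret/password names, skips template references such as `${AUTH_TOKEN}`, and reports the Shannon entropy of each hit so high-entropy strings can be triaged first. The sample lines and the patterns are constructed for this example.

```python
"""Scan source or decompiled app code for hard-coded bearer tokens and API keys.
Added example with constructed input; the patterns and the sample lines are
illustrative and are not from any real app or from Knight's FHIR report."""
import math
import re
from typing import Dict, List

# Detection patterns (constructed). Order matters: the first pattern that hits
# a line decides its kind, so the most specific pattern (a JWT) comes first.
PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "bearer_header": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/=-]{16,})"),
    "assigned_secret": re.compile(
        r"(?i)\b(api[_-]?key|token|secret|password)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}

# Values that look like secrets but are templates or placeholders, not credentials.
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%(")


def shannon_entropy(value: str) -> float:
    """Bits per character; real keys sit well above short words or placeholders."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_hardcoded_secrets(lines: List[str]) -> List[dict]:
    """Return one finding per line that carries a candidate credential."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if value.startswith(PLACEHOLDER_PREFIXES):
                break  # an env/template reference, not an embedded secret
            findings.append({
                "line": lineno,
                "kind": kind,
                "preview": value[:6] + "...",  # never log the whole credential
                "entropy": round(shannon_entropy(value), 2),
            })
            break
    return findings


# Constructed sample lines, shaped like decompiled Android source.
SAMPLE_LINES = [
    '// decompiled from the sample app (constructed lines)',
    'String API_KEY = "sk_live_7f3a9c2e4b1d8e6f0a5b3c7d9e1f2a4b";',
    'conn.setRequestProperty("Authorization", "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwYXRpZW50LTEifQ.c2lnbmF0dXJlX3BsYWNlaG9sZGVyX3ZhbHVl");',
    'String apiKey = System.getenv("FHIR_API_KEY");',
    'String token = "${AUTH_TOKEN}";',
    'Log.d(TAG, "using bearer token from keystore");',
]

if __name__ == "__main__":
    for finding in scan_for_hardcoded_secrets(SAMPLE_LINES):
        print(finding)
```

Two of the six constructed lines are flagged: the quoted live-looking key and the embedded JWT. The `System.getenv` lookup, the `${AUTH_TOKEN}` template and the log message are correctly left alone, which is the behaviour to preserve when tuning the patterns for a real code base, because a noisy scanner is one developers learn to ignore.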
In the finance sector, she was able to breach 54 of 55 apps spanning banks, neobanks and crypto firms, exposing usernames, passwords and other information. All 55 were vulnerable to woman-in-the-middle attacks, she said.
Outsourcing as a Risk Factor
The finance sector is particularly keen on outsourcing, she said, which meant that “I was able to [infiltrate] 300 banks off of one vulnerability because this company that all 300 banks outsourced their development to rinsed and reused the same code for every customer.” She was able to transfer money and change PIN codes. “That was a good day for me, not for the CEOs,” she added.
When it came to APIs, she advised attendees to remove any reliance on WAFs and use dedicated API security tools.
The Role of AI in Security Models
More recently, Knight has been working on offensive AI, developing her own model, Ares. This was inspired by a medical mishap two years earlier that almost killed her, she said.
“I was like, ‘Oh, this would be bad, a world without Alissa Knight. So, what would happen if I transferred all of my Alissa Knightness into an AI?’ So I did.” This involved “building my own model and transferring 25 years of experience into JSONL files and training my model on basically being me.”
The scary thing, Knight said, was that “She's actually better and faster than me. So, I'm actually no longer training her. She's training herself.”
The model has a swarm of agents trawling the dark web for exploits. At the same time, said Knight, “You can take a mobile app and drag it into Ares, and she will actually take it apart and decompile it to the source code, find all the APIs that the mobile app is talking to and then attack them.”
Knight said she was going to offer Ares for free, to allow cybersecurity professionals to scan their applications. “I promise it’s not a malicious code.”
Maintaining a Positive Outlook
Despite all this, Knight said she was an optimist. “I love technology, and I love the age we live in, and I feel like AI is going to just become so pervasive. What it does is it democratizes development.”
More broadly, the onset of swarm coding and AI programming tools had to be accompanied by a focus on cybersecurity, which started with explicitly telling the tools to secure their output.
“Think of your agentic AI as writing your code and you have a separate cybersecurity team – it’s just like the real world.”
But ultimately, Knight said the industry had found it hard enough to defend against human attackers. “Now we must defend against AI? Are you kidding me?”
Humans needed to become operators and supervisors, while AI did the heavy work of defending systems. “Humans are going to get out of the way and AI is going to do the machine speed defence.” And, she said, the machine speed attacks.
“I think the best defence is having the best offence, and that’s what we’re moving towards.”