A practitioner's playbook to shift (all the way) left, to build secure serverless GenAI applications in public cloud
2024-06-18, Breakout 1

The "Shift Left" concept is not a new one: it advocates for the early integration of security into the software development lifecycle. However, many organizations and practitioners tend to shift only application security "testing" to the left. It is imperative, and even more relevant for GenAI applications, that teams consider security as part of the overall experience and at every stage of the life cycle, not just during the development life cycle but throughout the product life cycle.

It is not practical for a majority of teams and organizations to build, train and deploy their own LLMs to build GenAI applications. Many organizations, small and large, use “hosted” and “fully managed” LLMs and serverless solutions like OpenAI API, Azure OpenAI Services, AWS Bedrock or Google Vertex AI.

This field is evolving fast, and not many teams fully grasp the security boundaries and shared responsibility implications of generative AI solutions built on top of these serverless services. GenAI systems are also not traditional deterministic solutions whose behavior can be tested and certified as deterministic. At best, many teams are trying to map their experiences building and operating traditional software solutions to this new breed of generative AI applications.

In this talk, I would like to share our journey and practical examples of building a variety of chatbots (Q&A, Conversational, AI for BI and Chatbots with RAG) and Agents, including threat modeling for GenAI applications, particularly in the context of serverless applications such as those built using AWS Bedrock, how to build guardrails at design time, RBAC for RAG knowledge bases, and continuous monitoring and evaluation strategies beyond traditional vulnerability management.

I have been building Software and Product Teams for about 25 years and, over the last 7 years as a CTO at Softrams, one of the fastest-growing digital services firms working with Federal Agencies, have leveraged the various strategies and frameworks used in this talk to deliver empowering software solutions in some of the most demanding environments. We grew from about 40 to a 650+ strong team in the last 7 years and supported a variety of workloads and digital transformations for products that have been evolving over 20+ years. I bring a more practical systems approach to building teams and software and a full product life cycle view as a CTO.