Srajan’s Substack

Share this post

Srajan’s Substack
Srajan’s Substack
Security Anti-Patterns in the AI Era
Copy link
Facebook
Email
Notes
More

Security Anti-Patterns in the AI Era

Systemic mistakes masquerading as “practical solutions"

Srajan Gupta
Jan 02, 2025
2

Share this post

Srajan’s Substack
Srajan’s Substack
Security Anti-Patterns in the AI Era
Copy link
Facebook
Email
Notes
More
1
Share

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer.

First of all I want to wish a Happy New Year to everyone. Thank you for reading my blog. Appreciate the support to both old and new readers :-).

Image Source: DZone.com

The Security landscape has completely transformed. We're not just dealing with SQL injection and XSS anymore (though those classics never seem to die and every vendor does show these in demos). The rise of AI, cloud-native architectures, and the explosion of microservices has introduced a whole new breed of security anti-patterns and amplified the consequences. For example, a hardcoded secret in a monolithic application might once have been a minor oversight. In a microservices environment, however, it becomes a ticking time bomb, exposing the entire system to attacks. Recognizing and addressing these anti-patterns is no longer optional.

Let me tell you something in security: anti-patterns aren't just "bad practices" – they're seductive traps that look like solutions but are actually ticking time bombs in your system. Think of security anti-patterns like technical debt with compound interest – except instead of slowing down your development, they’re actively making your system more vulnerable with each passing day. They’re the security equivalent of saying "I'll clean up this mess later" – except "later" usually means "after the incident" in the “what went wrong” section.

The New Security Paradigm

Let me be brutally honest – most of what we learned about security five years ago needs a serious update. The traditional perimeter? Gone. Trust boundaries? They’re more fluid than ever. And with AI systems becoming increasingly prevalent, we’re seeing attack vectors that we didn’t imagine a few years ago.

How to Recognize Security Anti-Patterns

The ability to identify anti-patterns is critical in today’s fast-paced AI Native development cycles. The key is to focus on signals, not noise. Signals are recurring patterns of behavior or technical decisions that introduce systemic risks. Recognizing these patterns requires awareness of how security fits into the broader context of software development. One thing that I have learned – security anti-patterns are like cockroaches: if you see one, there are probably more hiding behind the wall.

Once you’ve identified signals, the next step is to understand the (anti) patterns they reveal. Let’s look at some typical indicators that could point to serious security pitfalls:

Examples of Signals

  • Overly verbose error messages: Are exceptions being logged with long stack traces in production?

  • Reliance on deny-lists: Are your input validation mechanisms designed to block known bad inputs rather than enforce positive validation?

  • Skipping updates: Are you consistently delaying dependency updates due to fear of breaking changes?

  • Security bypasses for “just this one case”

  • The Code Review Red Flags:

    • TODO comments older than 6 months about security fixes?

    • Copy-pasted security configurations across different services?

    • Commented-out security middleware?

Once these signals are recognized, you can move on to a deeper analysis to identify whether they represent systemic anti-patterns that require attention.

The Process of Identification

  1. Critical Thinking: Does this practice align with established and internal security best practices and frameworks?

  2. Pattern Recognition: Do incidents show a recurring trend of the same issue resurfacing in different parts of the application?

  3. Team Dynamics: Are developers normalizing shortcuts under the guise of “just getting it done”?

When teams focus on these elements, they can detect anti-patterns early and address them before they evolve into major security incidents. This is usually the start of designing your paved roads about which I wrote earlier -

Paved Roads? Secure-by-Design?? More Buzzwords???

Paved Roads? Secure-by-Design?? More Buzzwords???

Srajan Gupta
·
November 11, 2024
Read full story

New Challenges, New Anti-Patterns

As we are witnessing entire technological shifts, I can tell you that AI is introducing some of the most fascinating – and terrifying – security challenges. Below are a few emerging anti-patterns you need to know about, along with some AI-specific considerations like vulnerabilities in model lifecycle management or training data biases.

  1. The "AI Knows Best" Fallacy
    People blindly trusting AI model outputs without proper validation. This is especially risky in security-critical applications since AI models are probabilistic rather than deterministic. AI can be a valuable tool, but it’s not a substitute for rigorous security measures.

  2. Blind Trust in User Intent
    One of the most dangerous assumptions in software development is that all users are well-meaning and trustworthy. This belief often leads to insufficient security measures, leaving systems vulnerable to malicious actors. That’s why Prompt Injection is the SQL injection of the AI world. Applications vulnerable to prompt injection because we aren't treating model inputs with the same rigor as database queries.

  3. The "Zero Trust" Facade
    Everyone claims they’re doing zero trust these days, but slapping an identity provider alone does not constitute a zero-trust architecture. If you are not completing the authn and authz challenge for every request, you are not really doing zero trust.

  4. Failure to Leverage Secure Libraries
    Reinventing the wheel by developing custom security solutions instead of using established libraries can result in weaker security and wasted effort. For example, Building your own custom cryptographic library could have a severe flaw that can allow an attacker to bypass encryption entirely—an issue that well-vetted libraries like libsodium had already solved. Utilize trusted libraries like those recommended by OWASP and keep them updated to ensure they are protected against the whole class of those vulnerabilities.

  5. API Gateway Overexposure
    Teams treating their API gateway as just a routing layer is alarming. It’s your first line of defense! Under pressure to meet aggressive deadlines, often times the gateway with minimal filtering and logging—essentially passing all headers, tokens, and debugging data through to backend services. Implement proper request sanitization, rate limiting, and authentication at the gateway level.

  6. The OAuth Oversimplification
    OAuth 2.0 and OIDC are complex beasts, and they’re often implemented incorrectly. Applications implementing OAuth without state validation or PKCE are leaving themselves vulnerable to CSRF and authorization code interception. Use prebuilt OAuth libraries wherever possible.

  7. Token Handling Negligence
    Some applications handle JWT tokens like session cookies from the early 2000s! Storing JWTs in localStorage and not implementing proper rotation or revocation strategies is dangerous. Implement proper token storage, rotation policies, and revocation mechanisms.

  8. Blind Acceptance of AI Training Data
    This is a new class of anti-pattern that is growing up. The AI models we’re using for security are only as good as their training data. The core issue isn’t just that the model is “poisoned”—it’s that the adopted practice (blindly accepting and merging training data) that enabled the attack. The absence of data provenance checks and version control for the training pipeline is the anti-pattern. Overlooking these safeguards effectively opens the door to attackers who can manipulate the model’s behavior at its most fundamental level: the data it learns from.

Why Addressing Anti-Patterns is Critical

(A Matter of When, Not If)

Well, we can all talk about the cost of a breach and the productivity loss of developers in not identifying and fixing these early. We have been hearing about this is in every sales pitch. But I want to highlight the compound effect of it. A small security anti-pattern, left unaddressed, doesn’t just remain static – it grows. Here’s how:

  • Technical Expansion:

    • Other systems start depending on the insecure behavior.

    • Workarounds get built on top of workarounds.

  • Cultural Impact:

    • Teams start seeing security shortcuts as acceptable.

    • New developers learn and replicate bad practices.

    • Security reviews become an impediment rather than an enabler.

The Road Ahead

Let me leave you with this thought: The security landscape will continue to evolve, and what’s secure today might be vulnerable tomorrow. The key is not just to fix anti-patterns but to build systems that can adapt to new security challenges and emerging patterns.

Remember:

  • Security is a journey, not a destination

  • AI is a tool, not a silver bullet

  • Zero trust is a mindset, not a product

Final Thoughts

The future of security is both exciting and terrifying. AI is introducing new capabilities and vulnerabilities at a pace we’ve never seen before. The key to staying secure isn’t just avoiding these anti-patterns – it’s building systems and teams that can identify and adapt to new patterns as they emerge.

Stay paranoid, my friends. In security, healthy paranoia is a feature, not a bug.

Share

Leave a comment

2

Share this post

Srajan’s Substack
Srajan’s Substack
Security Anti-Patterns in the AI Era
Copy link
Facebook
Email
Notes
More
1
Share

Discussion about this post

No posts

Ready for more?

© 2025 Srajan Gupta
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More