Before The Commit

AI coding assistants are transforming software development. Claude Code, Cursor, Copilot-these tools write code, execute commands, and interact with external systems autonomously. They make developers dramatically more productive. They also introduce security risks that traditional DevSecOps never anticipated.

Before The Commit is the first comprehensive guide to securing AI-assisted development. Authors Danny Gershman and Dustin Hilgaertner introduce ModSecOps (Model Security Operations)-a practical framework for organizations that want AI's productivity benefits without accepting unmanaged risk.

THE THREATS ARE REAL
In September 2024, a Chinese state-sponsored group used an AI coding tool to autonomously attack thirty global targets across tech, finance, manufacturing, and government. It was the first documented large-scale cyber attack executed without substantial human intervention. But nation-state attacks are just the beginning. This book covers the full threat landscape:
⢠Context Poisoning: Malicious instructions hidden in configuration files that hijack AI behavior
⢠Prompt Injection: Attacks embedded in images, Unicode characters, and external data sources
⢠Data Exfiltration: Techniques that trick AI into leaking sensitive information
⢠Shadow AI: The visibility problem when employees use unapproved AI tools
⢠Supply Chain Attacks: Why AI trained on historical code introduces twice as many vulnerabilities
⢠Sleeper Agents: Can AI code perfectly 99.9% of the time-then strike?

DEFENSE IN DEPTH The book provides actionable defenses for every threat:
⢠LLM Proxies: Centralized control points providing visibility, guardrails, and governance
⢠Multi-Agent Review: Using AI to review AI-generated code before humans see it
⢠Human-in-the-Loop Patterns: When to require approval and how to prevent approval fatigue
⢠Least Privilege: Sandboxing, network isolation, and permission management for AI systems
⢠Incident Response: Detection, containment, and recovery procedures for AI compromise

PRACTICAL IMPLEMENTATION
⢠Building ModSecOps teams and training programs
⢠Integrating security into every pipeline stage from dev environment to production
⢠Measuring success with metrics that matter
⢠Ready-to-use checklists, tool configurations, and threat model references

WHO THIS BOOK IS FOR
⢠Security engineers adding AI to their threat models
⢠Developers using AI coding assistants who want to understand the risks
⢠Engineering leaders building AI adoption strategies
⢠Compliance teams developing AI governance policies

ABOUT THE AUTHORS
Danny Gershman and Dustin Hilgaertner bring over four decades of combined experience across defense, government, fintech, and commercial environments. Their backgrounds include Zero Trust architecture, IL5/IL6 platforms, air-gapped deployments, red team operations, and high-availability systems scaled to hundreds of thousands of users. They co-host Before The Commit, a podcast exploring AI coding security that provided the foundation for this book. Their approach comes from real experience securing AI systems in production-not theoretical frameworks that don't survive contact with reality. The AI revolution in software development is here. This book ensures you're prepared before the commit.