Hacker News with Generative AI: Software Security

Does using Rust make your software safer? (tweedegolf.nl)
We keep saying that Rust is how we make software safer. In this blog, we'll tackle a real-world vulnerability, 'rewrite it in Rust', and show you the results of our empirical research, both as a high-level overview and a tech deep-dive.
CISA's Secure by Design initiative in limbo after key leaders resign (cybersecuritydive.com)
The future of the federal government’s software-security advocacy campaign is in doubt following the departure of the two Cybersecurity and Infrastructure Security Agency officials who oversaw the program.
CVE program faces swift end after DHS fails to renew contract [updated] (csoonline.com)
In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.
New Vulnerability in GitHub Copilot, Cursor: Hackers Can Weaponize Code Agents (pillar.security)
Pillar Security researchers have uncovered a dangerous new supply chain attack vector we've named "Rules File Backdoor." This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot—the world's leading AI-powered code editors.
AI can't stop making up software dependencies and sabotaging everything (theregister.com)
The rise of AI-powered code generation tools is reshaping how developers write software - and introducing new risks to the software supply chain in the process.
Delivering Malware Through Abandoned Amazon S3 Buckets (schneier.com)
Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for patches, updates, and etc.
Nvidia Security Team: “What if we just stopped using C?” (2022) (adacore.com)
Today I want to share a great story about why many NVIDIA products are now running formally verified SPARK code. This blog post is in part a teaser for the case study that NVIDIA and AdaCore published today.
Data-Oriented Exploits via Programming Language Synthesis [pdf] (ilyasergey.net)
Sigstore: Making sure your software is what it claims to be (sigstore.dev)
Loading...
Snyk Security Labs Testing Update: Cursor.com AI Code Editor (snyk.io)
Snyk’s Security Labs team aims to find and help mitigate vulnerabilities in software used by developers around the world, with an overarching goal to improve the state of software security.
Syzygy: Dual Code-Test C to Rust Translation Using LLMs and Dynamic Analysis (arxiv.org)
Despite extensive usage in high-performance, low-level systems programming applications, C is susceptible to vulnerabilities due to manual memory management and unsafe pointer operations.
OpenOffice security issues unfixed in over 365 days, security status Amber (apache.org)
This was extracted (@ 2024-12-18 21:10) from a list of minutes which have been approved by the Board. Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.
Yearlong supply-chain attack targeting security pros steals 390K credentials (arstechnica.com)
A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.
Fault Injection – Down the Rabbit Hole (humanativaspa.it)
This series of articles describes fault injection attack techniques in order to understand their real potential by testing their limits and applicability with limited hardware (available on the market at an acceptable cost). It explores possible ways of using an attack that, in my opinion, is greatly underestimated.
Manifest V3 fails to prevent data theft and malware exploitation (techradar.com)
Bad software keeps cyber security companies in business (dogesec.com)
Despite countless frameworks, best practices, blog posts… so many developers still hardcode credentials into their code.
Google: 70% of exploited flaws disclosed in 2023 were zero-days (bleepingcomputer.com)
Google Mandiant security analysts warn of a worrying new trend of threat actors demonstrating a better capability to discover and exploit zero-day vulnerabilities in software.
A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs (arxiv.org)
The reliance of popular programming languages such as Python and JavaScript on centralized package repositories and open-source software, combined with the emergence of code-generating Large Language Models (LLMs), has created a new type of threat to the software supply chain: package hallucinations.
PC Floppy Copy Protection: Vault Prolok (blogspot.com)
This is Part 4 of a series on PC floppy copy protection methods. You can read the previous parts here:
Unsafe Impedance: Safe Languages and Safe by Design Software (arxiv.org)
In December 2023, security agencies from five countries in North America, Europe, and the south Pacific produced a document encouraging senior executives in all software producing organizations to take responsibility for and oversight of the security of the software their organizations produce.
Eliminating Memory Safety Vulnerabilities at the Source (googleblog.com)
Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning to memory-safe languages.
Malware Developers Increasingly Use V8 JavaScript for Evasion (cyberinsider.com)
Ampere: Making Future Software Memory-Safe, a Path Towards Secure Cloud (amperecomputing.com)
Unverified NPM Account Takeover Vulnerability for Sale on Dark Web Forum (socket.dev)
Content Injection Attack on GitHub (github.com/younesbram)
Software Supply Chain Security (devicu.com)
Over a billion users could be at risk from keyboard logging app security flaw (techradar.com)
The many (many) ways I've backdoored your dependencies and other supply chain at (kerkour.com)