Hacker News with Generative AI: Software Security

Delivering Malware Through Abandoned Amazon S3 Buckets (schneier.com)
Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for patches, updates, and etc.
Cybersecurity, Software Security
14 points by mhb 8 days ago | 10 comments
Nvidia Security Team: “What if we just stopped using C?” (2022) (adacore.com)
Today I want to share a great story about why many NVIDIA products are now running formally verified SPARK code. This blog post is in part a teaser for the case study that NVIDIA and AdaCore published today.
Software Security, Programming Languages, Formal Verification, Case Studies
305 points by transpute 10 days ago | 178 comments
Data-Oriented Exploits via Programming Language Synthesis [pdf] (ilyasergey.net)
Cybersecurity, Software Security, Programming Languages, Exploits
36 points by matt_d 18 days ago | 1 comments
Sigstore: Making sure your software is what it claims to be (sigstore.dev)
Loading...
Software Security, Code Signing, Open Source, Trust, Digital Signatures
119 points by saikatsg 30 days ago | 45 comments
Snyk Security Labs Testing Update: Cursor.com AI Code Editor (snyk.io)
Snyk’s Security Labs team aims to find and help mitigate vulnerabilities in software used by developers around the world, with an overarching goal to improve the state of software security.
Software Security, Code Editors, AI, Testing, Security Research
6 points by ksbrooksjr 37 days ago | 1 comments
Syzygy: Dual Code-Test C to Rust Translation Using LLMs and Dynamic Analysis (arxiv.org)
Despite extensive usage in high-performance, low-level systems programming applications, C is susceptible to vulnerabilities due to manual memory management and unsafe pointer operations.
Rust, C, Programming Languages, Software Security, AI
7 points by belter 52 days ago | 2 comments
OpenOffice security issues unfixed in over 365 days, security status Amber (apache.org)
This was extracted (@ 2024-12-18 21:10) from a list of minutes which have been approved by the Board. Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.
Cybersecurity, Apache, Software Security, Vulnerability
8 points by mksaunders2 56 days ago | 3 comments
Yearlong supply-chain attack targeting security pros steals 390K credentials (arstechnica.com)
A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.
Cybersecurity, Data Breaches, Software Security
36 points by rntn 69 days ago | 4 comments
Fault Injection – Down the Rabbit Hole (humanativaspa.it)
This series of articles describes fault injection attack techniques in order to understand their real potential by testing their limits and applicability with limited hardware (available on the market at an acceptable cost). It explores possible ways of using an attack that, in my opinion, is greatly underestimated.
Cybersecurity, Software Security, Fault Injection, Attack Techniques
69 points by voxadam 99 days ago | 4 comments
Manifest V3 fails to prevent data theft and malware exploitation (techradar.com)
Web Security, Browser Extensions, Software Security, Malware
14 points by josephcsible 102 days ago | 0 comments
Bad software keeps cyber security companies in business (dogesec.com)
Despite countless frameworks, best practices, blog posts… so many developers still hardcode credentials into their code.
Cybersecurity, Software Development, Software Security
38 points by aquastorm 108 days ago | 12 comments
Google: 70% of exploited flaws disclosed in 2023 were zero-days (bleepingcomputer.com)
Google Mandiant security analysts warn of a worrying new trend of threat actors demonstrating a better capability to discover and exploit zero-day vulnerabilities in software.
Cybersecurity, Zero-Day Vulnerabilities, Google, Software Security, Threat Intelligence
8 points by thepuppet33r 127 days ago | 0 comments
A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs (arxiv.org)
The reliance of popular programming languages such as Python and JavaScript on centralized package repositories and open-source software, combined with the emergence of code-generating Large Language Models (LLMs), has created a new type of threat to the software supply chain: package hallucinations.
Generative AI, Software Security, Programming Languages, Code Generation
31 points by rntn 143 days ago | 9 comments
PC Floppy Copy Protection: Vault Prolok (blogspot.com)
This is Part 4 of a series on PC floppy copy protection methods. You can read the previous parts here:
Retro Computing, Hardware, History, Software Security, Copy Protection
63 points by GloriousCow 144 days ago | 8 comments
Unsafe Impedance: Safe Languages and Safe by Design Software (arxiv.org)
In December 2023, security agencies from five countries in North America, Europe, and the south Pacific produced a document encouraging senior executives in all software producing organizations to take responsibility for and oversight of the security of the software their organizations produce.
Software Security, Programming Languages, Software Engineering, Government Regulations
7 points by dan353hehe 147 days ago | 1 comments
Eliminating Memory Safety Vulnerabilities at the Source (googleblog.com)
Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning to memory-safe languages.
Software Security, Memory Safety, Programming Languages
330 points by coffeeaddict1 148 days ago | 190 comments
Malware Developers Increasingly Use V8 JavaScript for Evasion (cyberinsider.com)
Cybersecurity, Malware, JavaScript, Software Security
4 points by thunderbong 226 days ago | 0 comments
Ampere: Making Future Software Memory-Safe, a Path Towards Secure Cloud (amperecomputing.com)
Software Security, Cloud Computing, Memory Safety, Hardware
4 points by pjmlp 229 days ago | 0 comments
Unverified NPM Account Takeover Vulnerability for Sale on Dark Web Forum (socket.dev)
Cybersecurity, Software Security, Dark Web, NPM, Vulnerability
53 points by feross 230 days ago | 4 comments
Content Injection Attack on GitHub (github.com/younesbram)
Cybersecurity, GitHub, Software Security
158 points by Lapz 258 days ago | 49 comments
Software Supply Chain Security (devicu.com)
Software Security, Cybersecurity, Supply Chain
55 points by devicu 300 days ago | 23 comments
Over a billion users could be at risk from keyboard logging app security flaw (techradar.com)
Cybersecurity, Privacy, Software Security, Mobile Security
47 points by Brajeshwar 301 days ago | 13 comments
The many (many) ways I've backdoored your dependencies and other supply chain at (kerkour.com)
Cybersecurity, Software Security, Software Development
19 points by severine 301 days ago | 19 comments