Hacker News with Generative AI: Software Security

Does using Rust make your software safer? (tweedegolf.nl)
We keep saying that Rust is how we make software safer. In this blog, we'll tackle a real-world vulnerability, 'rewrite it in Rust', and show you the results of our empirical research, both as a high-level overview and a tech deep-dive.
Rust, Software Security, Empirical Research, Programming Languages
19 points by folkertdev 3 days ago | 6 comments
CISA's Secure by Design initiative in limbo after key leaders resign (cybersecuritydive.com)
The future of the federal government’s software-security advocacy campaign is in doubt following the departure of the two Cybersecurity and Infrastructure Security Agency officials who oversaw the program.
Cybersecurity, Government, Software Security, Leadership
6 points by johnshades 4 days ago | 0 comments
CVE program faces swift end after DHS fails to renew contract [updated] (csoonline.com)
In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.
Cybersecurity, Government, Software Security, Non-profit Organizations
1933 points by healsdata 10 days ago | 1094 comments
New Vulnerability in GitHub Copilot, Cursor: Hackers Can Weaponize Code Agents (pillar.security)
Pillar Security researchers have uncovered a dangerous new supply chain attack vector we've named "Rules File Backdoor." This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot—the world's leading AI-powered code editors.
Cybersecurity, Software Security, AI, GitHub Copilot
233 points by pseudolus 12 days ago | 135 comments
AI can't stop making up software dependencies and sabotaging everything (theregister.com)
The rise of AI-powered code generation tools is reshaping how developers write software - and introducing new risks to the software supply chain in the process.
Artificial Intelligence, Software Development, Software Security, Cybersecurity
189 points by cmsefton 14 days ago | 170 comments
Delivering Malware Through Abandoned Amazon S3 Buckets (schneier.com)
Here’s a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don’t realize that they have been abandoned, and still ping them for patches, updates, and etc.
Cybersecurity, Software Security
14 points by mhb 73 days ago | 10 comments
Nvidia Security Team: “What if we just stopped using C?” (2022) (adacore.com)
Today I want to share a great story about why many NVIDIA products are now running formally verified SPARK code. This blog post is in part a teaser for the case study that NVIDIA and AdaCore published today.
Software Security, Programming Languages, Formal Verification, Case Studies
306 points by transpute 75 days ago | 179 comments
Data-Oriented Exploits via Programming Language Synthesis [pdf] (ilyasergey.net)
Cybersecurity, Software Security, Programming Languages, Exploits
36 points by matt_d 83 days ago | 1 comments
Sigstore: Making sure your software is what it claims to be (sigstore.dev)
Loading...
Software Security, Code Signing, Open Source, Trust, Digital Signatures
119 points by saikatsg 95 days ago | 45 comments
Snyk Security Labs Testing Update: Cursor.com AI Code Editor (snyk.io)
Snyk’s Security Labs team aims to find and help mitigate vulnerabilities in software used by developers around the world, with an overarching goal to improve the state of software security.
Software Security, Code Editors, AI, Testing, Security Research
6 points by ksbrooksjr 102 days ago | 1 comments
Syzygy: Dual Code-Test C to Rust Translation Using LLMs and Dynamic Analysis (arxiv.org)
Despite extensive usage in high-performance, low-level systems programming applications, C is susceptible to vulnerabilities due to manual memory management and unsafe pointer operations.
Rust, C, Programming Languages, Software Security, AI
7 points by belter 117 days ago | 2 comments
OpenOffice security issues unfixed in over 365 days, security status Amber (apache.org)
This was extracted (@ 2024-12-18 21:10) from a list of minutes which have been approved by the Board. Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.
Cybersecurity, Apache, Software Security, Vulnerability
8 points by mksaunders2 121 days ago | 3 comments
Yearlong supply-chain attack targeting security pros steals 390K credentials (arstechnica.com)
A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.
Cybersecurity, Data Breaches, Software Security
36 points by rntn 133 days ago | 4 comments
Fault Injection – Down the Rabbit Hole (humanativaspa.it)
This series of articles describes fault injection attack techniques in order to understand their real potential by testing their limits and applicability with limited hardware (available on the market at an acceptable cost). It explores possible ways of using an attack that, in my opinion, is greatly underestimated.
Cybersecurity, Software Security, Fault Injection, Attack Techniques
69 points by voxadam 164 days ago | 4 comments
Manifest V3 fails to prevent data theft and malware exploitation (techradar.com)
Web Security, Browser Extensions, Software Security, Malware
14 points by josephcsible 166 days ago | 0 comments
Bad software keeps cyber security companies in business (dogesec.com)
Despite countless frameworks, best practices, blog posts… so many developers still hardcode credentials into their code.
Cybersecurity, Software Development, Software Security
38 points by aquastorm 173 days ago | 12 comments
Google: 70% of exploited flaws disclosed in 2023 were zero-days (bleepingcomputer.com)
Google Mandiant security analysts warn of a worrying new trend of threat actors demonstrating a better capability to discover and exploit zero-day vulnerabilities in software.
Cybersecurity, Zero-Day Vulnerabilities, Google, Software Security, Threat Intelligence
8 points by thepuppet33r 191 days ago | 0 comments
A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs (arxiv.org)
The reliance of popular programming languages such as Python and JavaScript on centralized package repositories and open-source software, combined with the emergence of code-generating Large Language Models (LLMs), has created a new type of threat to the software supply chain: package hallucinations.
Generative AI, Software Security, Programming Languages, Code Generation
31 points by rntn 207 days ago | 9 comments
PC Floppy Copy Protection: Vault Prolok (blogspot.com)
This is Part 4 of a series on PC floppy copy protection methods. You can read the previous parts here:
Retro Computing, Hardware, History, Software Security, Copy Protection
63 points by GloriousCow 209 days ago | 8 comments
Unsafe Impedance: Safe Languages and Safe by Design Software (arxiv.org)
In December 2023, security agencies from five countries in North America, Europe, and the south Pacific produced a document encouraging senior executives in all software producing organizations to take responsibility for and oversight of the security of the software their organizations produce.
Software Security, Programming Languages, Software Engineering, Government Regulations
7 points by dan353hehe 212 days ago | 1 comments
Eliminating Memory Safety Vulnerabilities at the Source (googleblog.com)
Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning to memory-safe languages.
Software Security, Memory Safety, Programming Languages
330 points by coffeeaddict1 213 days ago | 190 comments
Malware Developers Increasingly Use V8 JavaScript for Evasion (cyberinsider.com)
Cybersecurity, Malware, JavaScript, Software Security
4 points by thunderbong 291 days ago | 0 comments
Ampere: Making Future Software Memory-Safe, a Path Towards Secure Cloud (amperecomputing.com)
Software Security, Cloud Computing, Memory Safety, Hardware
4 points by pjmlp 294 days ago | 0 comments
Unverified NPM Account Takeover Vulnerability for Sale on Dark Web Forum (socket.dev)
Cybersecurity, Software Security, Dark Web, NPM, Vulnerability
53 points by feross 294 days ago | 4 comments
Content Injection Attack on GitHub (github.com/younesbram)
Cybersecurity, GitHub, Software Security
158 points by Lapz 322 days ago | 49 comments
Software Supply Chain Security (devicu.com)
Software Security, Cybersecurity, Supply Chain
55 points by devicu 364 days ago | 23 comments
Over a billion users could be at risk from keyboard logging app security flaw (techradar.com)
Cybersecurity, Privacy, Software Security, Mobile Security
47 points by Brajeshwar 366 days ago | 13 comments
The many (many) ways I've backdoored your dependencies and other supply chain at (kerkour.com)
Cybersecurity, Software Security, Software Development
19 points by severine 366 days ago | 19 comments