Posts

Showing posts from November, 2024

Exposed APIs Leave Fortune 1000 Companies Vulnerable to Security Risks

 Escape's research on API security among Fortune 1000 companies uncovered 30,784 exposed APIs and 107,368 vulnerabilities, with 1,830 classified as highly critical. Common issues include broken authentication and misconfigured security. The study highlights significant risks posed by development APIs and exposed API secrets, urging companies to conduct thorough audits, deactivate unused APIs, and adopt automated security tools to mitigate threats. Advanced techniques like AI-powered fingerprinting and OSINT were employed to identify and analyze vulnerabilities.  https://escape.tech/blog/fortune-1000-at-risk-30k-exposed-apis-100k-vulnerabilities/

SecObserve: Simplified Vulnerability and License Management for CI/CD Pipelines

 SecObserve is an open-source tool for managing vulnerabilities and licenses in software development and cloud environments. It integrates various vulnerability scanners into CI/CD pipelines using GitLab CI templates and GitHub Actions for streamlined setup. It offers a centralized dashboard for assessing and reporting vulnerabilities, with tools for filtering, sorting, and evaluating results. SecObserve supports automation and manual assessments to focus on resolving critical issues.  https://github.com/MaibornWolff/SecObserve/tree/dev

UK Government's Generative AI Framework: Principles for Ethical and Effective Use

 The UK Government's *Generative AI Framework for HMG* provides essential principles and guidance for integrating generative AI tools within government functions. Key principles include ensuring meaningful human control over AI outputs, managing the full lifecycle of generative AI projects, selecting the right tools for the job, and engaging in cross-government collaboration. It emphasizes transparency in AI deployment, ethical use, and the need for skills development. The framework stresses aligning AI applications with existing policies and governance, while fostering collaboration between departments and external stakeholders.  https://www.gov.uk/government/publications/generative-ai-framework-for-hmg/generative-ai-framework-for-hmg-html

The Role of OSPOs in Securing Open-Source Software Supply Chains

 The Open Source Program Office (OSPO) plays a critical role in secure open-source software (OSS) supply chain governance. OSPOs help organizations manage the growing risks associated with OSS use, such as vulnerabilities in outdated components. By establishing secure practices, including internal OSS repositories and integrating security tools into CI/CD pipelines, OSPOs promote safe, efficient use of OSS. This strategic role includes advocating for OSS security policies, fostering developer collaboration, and ensuring compliance with frameworks like NIST’s Secure Software Development Framework (SSDF). OSPOs are essential in mitigating risks and enhancing software supply chain security. https://www.csoonline.com/article/573975/the-ospo-the-front-line-for-secure-open-source-software-supply-chain-governance.html

NSA Guidance on Securing Software Supply Chains: Key Insights and Recommendations

 **Software Supply Chain Security: NSA Guidance and Key Takeaways** Software supply chain security remains a critical issue, especially with increased cyberattacks targeting both major software vendors and the open-source ecosystem. In response, new startups have emerged focusing on various attack surfaces, while organizations continue to provide valuable guidance for risk mitigation. The latest advice from the NSA emphasizes the importance of open-source software (OSS) and Software Bill of Materials (SBOMs). This guidance aligns with prior directives from the White House and NIST, as well as new federal requirements, such as OMB memos 22-18 and 23-16, which require federal software suppliers to adhere to secure development frameworks like SSDF and provide SBOM artifacts. The NSA’s recommendations offer practical steps for organizations involved in OSS and software supply chains, focusing on securing the flow of software and enhancing transparency through SBOMs. These practices aim to

NPM Provenance: Enhancing Security for JavaScript Libraries

 The blog discusses the importance of NPM provenance, a security feature that connects packages to their source code repositories, providing cryptographic proof of authenticity. Despite its availability, most popular JavaScript packages do not use this feature, leaving them vulnerable to supply chain attacks. The article outlines gaps in NPM's security model, such as missing enforcement for provenance and client-side verification. It emphasizes the need for package maintainers and users to adopt provenance, while calling for better enforcement mechanisms at the registry and client levels.  https://exaforce.com/blog/npm-provenance-the-missing-security-layer-in-popular-javascript-libraries

Twyn: Tool for Dependency Typosquatting Protection

 Twyn is a security tool designed to prevent typosquatting attacks by comparing dependency names against a set of well-known package names. It detects potentially suspicious package names that resemble popular ones and raises an alert. Twyn supports configuration through a command-line interface or a configuration file and offers various operational modes to customize checks. It's available for installation via PyPI, and it can be run to check dependency files like `requirements.txt` and `poetry.lock`. https://github.com/elementsinteractive/twyn

Chime's Monocle: Automating Security at Scale

 David Trejo's BSides SF presentation introduced Monocle, an internal Rails application developed at Chime to address security scaling challenges as their engineering team expanded. Monocle assigns letter grades to code repositories based on factors including approved base images, branch protection, vulnerability resolution, and test coverage, displaying these grades via badges directly in repositories. The system performs nightly security score recalculations, monitors pull requests for security rule compliance, and automatically creates JIRA tickets for violations, saving approximately 2,000 engineering hours annually on audits. It communicates through monthly security scorecards sent to team Slack channels and provides dashboards showing security posture across services, meeting engineers where they work - in GitHub, Slack, and their editors. The system's key benefits include gamifying security best practices, reducing engineer stress around compliance, providing clear visib

CMS Open Source Policy: Promoting Collaboration and Transparency

 CMS's Open Source Policy supports its IT modernization by using and releasing open-source software (OSS). The policy outlines conditions for OSS use, including evaluating alternatives and managing security risks. It covers data rights for government-developed software, compliance with licensing, and guidelines for sharing CMS-funded projects. CMS emphasizes community engagement, governance models, and OSS best practices, including peer reviews for security and continuous integration workflows. The policy seeks to enhance software reuse across agencies, sustaining development and fostering transparent, collaborative contributions.  https://github.com/CMSgov/cms-open-source-policy

Big Sleep: AI Agent Uncovers New Vulnerability in SQLite

 In their latest update, Google Project Zero and Google DeepMind introduced "Big Sleep," an evolution of their "Naptime" framework for AI-assisted vulnerability research. This collaboration recently led to the discovery of an exploitable stack buffer underflow in SQLite, a widely used database engine, which was quickly patched before impacting users. This marks a milestone as an AI agent identified a new memory-safety issue in real-world software. By leveraging AI to detect hard-to-find bugs, this approach aims to give defenders a significant advantage over attackers, potentially redefining cybersecurity strategies. https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.html

Reaper: Streamlined App Security Testing Framework

 Reaper is an open-source application security testing framework developed by Ghost Security. It integrates reconnaissance, request proxying, tampering, active testing, and vulnerability validation within a streamlined workflow. Designed for both human analysts and AI-driven agents, it automates tedious tasks, significantly enhancing the speed and efficiency of testing applications for security vulnerabilities. Reaper aims to centralize phases of application security testing, offering extensibility, collaboration, and automation to minimize security engineer burnout. It supports a broad range of appsec activities, reducing manual intervention in complex security tasks.  https://github.com/ghostsecurity/reaper

ADcheck: Comprehensive Active Directory Security Assessment Tool

 ADcheck is a Python tool designed to assess Active Directory security with varying privilege levels. It performs 79 checks, focusing on user account, audit, policy, domain, computer, and privilege management. This includes evaluating potential security risks like weak passwords, outdated Kerberos configurations, and RDP vulnerabilities. ADcheck is primarily aimed at penetration testers and offers installation via pipx or Poetry, with a dependency on Impacket, making it necessary to configure antivirus exclusions for effective use. Future enhancements include Azure and persistent attack trace checks.  https://github.com/CobblePot59/ADcheck

Top 15 Most Exploited Vulnerabilities in 2023

 A joint advisory from cybersecurity agencies in the USA, Canada, UK, Australia, and New Zealand has highlighted the 15 most exploited vulnerabilities of 2023. The list includes high-risk flaws such as those affecting Citrix NetScaler, Cisco IOS, Microsoft Outlook, and the Log4j library (Log4Shell). These vulnerabilities were frequently exploited by cyber actors, underscoring the importance of timely patching to mitigate risks. Agencies emphasize rapid patching and continuous patch management to limit exploitation, as vulnerabilities are most dangerous within two years of disclosure. https://secalerts.co/news/international-cyber-security-agencies-list-top-15-exploited-vulnerabilities/1EWuVrfmSiGbnjPaOmVcTw

Conf42 DevSecOps 2024 Conference

 Conf42's DevSecOps 2024 event, scheduled for December 5, will bring together industry experts to discuss best practices in securing development pipelines, DevOps processes, and cloud-native technologies. Attendees can expect insights into the latest tools, techniques, and strategies for integrating security into DevOps workflows. The conference will feature talks from thought leaders and allow networking with professionals focused on securing software development lifecycle processes. https://www.conf42.com/devsecops2024

Tessera: Secure Data Management with Attribute-Based Encryption

 Tessera is a secret manager that uses Attribute-Based Encryption (ABE) for secure data protection. It offers policy-based access control, where data access is granted based on the attributes of the users. Tessera also ensures robust user key management by restricting access only to those who meet the specified policies. This system enhances security by tightly controlling who can read or write encrypted data.  https://docs.cremit.io/tessera/

Trustwave and Cybereason Merge to Strengthen Cybersecurity Offerings

 Trustwave and Cybereason have announced a merger to enhance their combined capabilities in cybersecurity services, such as Managed Detection and Response (MDR), Endpoint Detection and Response (EDR), and digital forensics. The merger aims to improve market share and integrate their expertise in offensive security, threat intelligence, and AI-driven solutions. The deal is expected to close in early 2025. Both companies will continue to operate independently but will work together strategically to better serve clients, especially in cyber insurance and legal sectors.  https://cyberscoop.com/trustwave-and-cybereason-announce-merger/

Rust Foundation Addresses C++/Rust Interoperability Challenges in New Problem Statement

 The Rust Foundation released a problem statement focusing on improving interoperability between C++ and Rust. The initiative, backed by a $1M contribution from Google, aims to enhance collaboration between the two programming communities to balance safety, performance, and maintainability. The plan involves improving current tools, setting long-term strategic goals, and engaging the C++ community. Community feedback is encouraged to guide the future of this effort.  https://foundation.rust-lang.org/news/rust-foundation-releases-problem-statement-on-c-rust-interoperability/

Sysdig Launches Falco Feeds for Enhanced Cloud Threat Detection

 Sysdig has introduced *Falco Feeds*, a feature that delivers real-time detections against cloud threats. The integration provides instant access to the latest security signals, enhancing the ability to detect potential issues in cloud environments. By streamlining cloud security detection, *Falco Feeds* helps organizations address security risks more effectively with continuous monitoring and insights into their infrastructure. https://www.techzine.eu/news/security/126107/sysdig-unveils-falco-feeds-the-latest-detections-against-cloud-threats/

SonarSource Introduces New Severity Ratings and Customization in SonarQube 10.8

 SonarSource is enhancing its software development tools by introducing updated severity ratings and customization options in SonarQube Server 10.8. This update offers two modes: the Standard Experience Mode, retaining familiar workflows, and the Multi-Quality Rule (MQR) Mode, which better reflects impacts across multiple software qualities. The goal is to improve user experience while maintaining backward compatibility. SonarSource remains committed to listening to user feedback, ensuring product reliability, and minimizing disruptions. Full details on this update will be available closer to the December 2024 release.  https://securityboulevard.com/2024/11/our-commitment-to-you-and-an-update-on-severity-ratings-for-software-quality/

Key Details About Mike Waltz, Trump’s Pick for National Security Adviser

 Rep. Mike Waltz, selected by President-elect Trump as his national security adviser, is a retired Army Green Beret with significant experience in defense and foreign policy. Known for his hardline stance on China, Waltz views Beijing as an "existential threat" and has advocated for stronger U.S.-India ties. He is also a staunch supporter of Israel and has criticized President Biden's strategy in Ukraine. Additionally, Waltz has backed military action against Mexican cartels and is known for his decorated military career. https://thehill.com/policy/defense/4986351-trump-waltz-national-security/

Mitigating Risks in LLMs: Addressing Prompt Injection and Excessive Agency

 The article discusses the risks of excessive agency and prompt injection in large language models (LLMs). As LLMs gain more abilities, such as sending emails or deploying code, excessive agency can arise when these models perform unintended actions. Prompt injection attacks occur when specially crafted inputs manipulate models to bypass instructions, potentially leading to security risks like privilege escalation or server-side request forgery. The article stresses the importance of securing LLMs through proper validation, limiting access, and applying the principle of least privilege to reduce these risks. https://www.kroll.com/en/insights/publications/cyber/llm-risks-chaining-prompt-injection-with-excessive-agency

NIST Updates Guidelines: Focus on Strong Passwords and MFA Over Frequent Rotation

 NIST has updated its guidelines, advising against mandatory password changes every 30-90 days unless a breach occurs. Frequent changes often lead to weak passwords, as users may make minimal adjustments. The focus has shifted to strong passwords and Multi-Factor Authentication (MFA) as more effective security measures. Despite this, automated password rotation remains crucial for securing sensitive accounts, especially for privileged users. It helps prevent unauthorized access, reduces exposure time, and ensures strong, unique passwords without burdening users. https://www.techradar.com/pro/navigating-nists-updated-password-rotation-guidelines

2024 DevOps Dozen Awards Finalists Revealed

 The finalists for the 2024 DevOps Dozen Awards were recently announced. These prestigious awards recognize leaders, companies, and tools that have made significant contributions to the DevOps community. This year’s awards highlight innovative solutions in various categories, including Best DevOps Industry Implementation, Best End-to-End DevOps Platform, and Best Application of AI in DevOps Tools. Other categories focus on community contributions, such as Top DevOps Evangelist and Most Innovative DevOps Open Source Project. The winners will be decided through a combination of public voting and expert evaluation. https://devops.com/devops-dozen-awards-2024-finalists-announced/

AI's Impact on Software Security: Bridging the Gap Between Development and Protection

 The article "AI Widens the Gap Between Security and Development" from Communications Today discusses how rapid AI advancements are challenging the equilibrium between software development speed and security requirements. While AI has accelerated innovation and product creation, it has simultaneously introduced vulnerabilities. The use of AI-driven tools in software development can lead to potential security risks, such as overlooked code flaws or exploitable weaknesses, highlighting the need for integrated security measures during AI adoption. Effective collaboration between developers and security professionals is seen as crucial to balance productivity with robust safeguards.  https://www.communicationstoday.co.in/ai-widens-the-gap-between-security-and-development/

Qwiet AI's Code Scanning Revolution: Stuart McClure on AI-Driven Security

 The recent interview with Stuart McClure highlights Qwiet AI's advancements in code scanning technology tailored to security needs. Qwiet AI focuses on using generative AI for analyzing software code vulnerabilities and automating fixes, potentially revolutionizing software development security practices. By integrating sophisticated threat-detection capabilities, McClure emphasizes minimizing human intervention and improving code accuracy in identifying security gaps. This approach is part of a broader trend toward enhancing cybersecurity by embedding machine learning security operations (MLSecOps) directly into development pipelines, addressing emerging threats as AI technologies continue to evolve.  https://www.helpnetsecurity.com/2024/11/18/stuart-mcclure-qwiet-ai-code-scanning/

Black Duck Named Leader in Software Composition Analysis for 2024

 Black Duck Software was named a leader in the Forrester Wave™ Q4 2024 report on Software Composition Analysis (SCA), excelling in criteria such as component identification, risk intelligence, and SBOM management. The company’s tools aid in managing open-source and third-party software risks, supporting secure software supply chains. CEO Jason Schmitt highlighted their commitment to trust-building through comprehensive security solutions. Black Duck’s achievements reflect its strong capabilities in vulnerability, license, and policy management across diverse software components.  https://www.wvnews.com/news/around_the_web/partners/pr_newswire/subject/awards/black-duck-recognized-as-a-leader-in-software-composition-analysis-by-independent-research-firm/article_1d43fbe9-35b7-5b34-8a63-862a1e6941b7.html

Securing Kubernetes with Infrastructure as Code: Key Concepts and Challenges

 The SentinelOne article discusses Kubernetes as a key technology in cloud security for automating containerized application deployments through Infrastructure as Code (IaC). It emphasizes the need to secure Kubernetes clusters from vulnerabilities, such as misconfigurations and exposed secrets, which could lead to breaches. The piece also touches on security controls like automated policies and monitoring tools, underscoring the importance of a holistic approach to protect IaC environments. Tools like SentinelOne's Singularity Cloud offer visibility and threat prevention tailored for Kubernetes infrastructures.  https://www.sentinelone.com/cybersecurity-101/cloud-security/kubernetes-infrastructure-as-code/

Trump's Return: Shifts in Cybersecurity Focus and Regulatory Landscape

 The article discusses potential cybersecurity implications of Donald Trump’s re-election. Experts anticipate a reduction in regulations and more business-friendly privacy laws, with increased focus on protecting critical infrastructure amid rising tensions with China and other nations. China's cyber activities, including covert operations, could escalate, while Iran may target U.S. and Israeli interests. Trump's past creation of the Cybersecurity and Infrastructure Security Agency highlights shifting policies, with evolving threats possibly prompting U.S. companies to maintain high cybersecurity investments despite regulatory changes. https://www.darkreading.com/cloud-security/trump-20-mean-cybersecurity-regs-shift-threats

Kudelski IoT Introduces Quantum-Resistant Cryptographic Solutions for IoT Security

 Kudelski IoT has launched quantum-resistant cryptographic solutions in its KSE security IP to address the growing threat of quantum computing. These algorithms, recommended by NIST and CNSA 2.0, protect IoT devices like System on Chip (SoC) products from vulnerabilities, ensuring data security and regulatory compliance. This upgrade, which can be implemented remotely, is crucial for industries like automotive, finance, and healthcare. Kudelski IoT is positioning itself as a leader in semiconductor security with these solutions for a post-quantum world. https://www.webdisclosure.com/article/kudelski-iot-enhances-security-with-quantum-resistant-technology-e2qNObiiOz9

2024 Black Duck Report: Finance and Healthcare Sectors Lead in Critical Vulnerabilities

 The "2024 Software Vulnerability Snapshot" by Black Duck Software reveals that critical vulnerabilities are most prevalent in the Finance, Insurance, and Healthcare sectors. Cryptographic failures and injection vulnerabilities are the top risks. While some sectors, like Finance, have quick remediation timelines, others, such as Utilities, face slower response due to legacy systems. Misconfigurations affect 98% of applications, highlighting the need for improved security measures. The report stresses that delays in patching vulnerabilities increase the risk of exploitation, urging organizations to adopt proactive and comprehensive security strategies. https://www.news-journal.com/new-black-duck-research-finds-high-risk-sectors-riddled-with-critical-vulnerabilities/article_2560ec44-1a11-54e2-98e4-8f8e5fbd5f79.html

Securing Open Source Software: Essential Skills for Developers

 Open source software's ubiquity demands stronger security measures, as vulnerabilities can have widespread impacts. Effective security requires both soft skills, such as communication and proactive collaboration, and technical skills like threat modeling, vulnerability detection, and ecosystem awareness. As open source projects grow, particularly in AI, the complexity of securing systems and addressing issues like adversarial attacks heightens. Organizations benefiting from open source must invest in skilled engineers to ensure robust security, protecting themselves and the broader community reliant on these technologies. https://www.darkreading.com/vulnerabilities-threats/open-source-security-incidents-aren-t-going-away

Balancing Cybersecurity Advice: Lessons in Filtering and Focus

 Joshua Goldfarb shares lessons learned from his father's advice, emphasizing that discerning useful versus distracting guidance is key, especially in cybersecurity. He suggests evaluating advice based on its impact, practicality, strategic fit, required actions, potential distractions, and source reliability. This balance helps security professionals effectively decide which initiatives improve security and which to discard, particularly in fast-evolving areas like API security. The piece highlights how filtering advice wisely is crucial for maintaining productivity and aligning with strategic goals in cybersecurity operations. https://www.darkreading.com/cybersecurity-operations/what-listening-to-my-father-taught-me-about-cybersecurity

Snyk Expands API Security with Acquisition of Probely

Snyk has acquired Probely, a Portuguese dynamic application security testing firm, to meet growing demand for API security as large language models in generative AI rise. The acquisition aims to combine Probely’s low false-positive rates and usability with Snyk’s application security offerings, providing comprehensive security throughout the software development lifecycle (SDLC). Probely, founded in 2016 and led by former Portugal Telecom security manager Nuno Loureiro, emphasizes API testing in AI applications, which Snyk Chief Innovation Officer Manoj Nair notes as often overlooked but critical for AI-native software security. https://www.govinfosecurity.com/snyk-acquires-probely-to-strengthen-api-security-for-ai-apps-a-26787

Trump's Return to Office May Shift U.S. Tech and Cyber Policies

The article discusses how the victory of Donald Trump in the 2024 U.S. election may bring a significant shift in U.S. tech and cybersecurity policies. His administration is expected to roll back regulatory measures and emphasize the deregulation of sectors like AI, cybersecurity, and tech development. This change may favor a more business-friendly approach while challenging recent legislation focused on privacy and data security. Moreover, the article suggests that Trump’s return could lead to broader discussions on AI governance and the role of big tech in national security. Donald Trump's return to the White House in 2025 could lead to significant shifts in U.S. technology and cybersecurity policies. Experts predict a focus on deregulation, competitive tax systems, and national security goals, especially regarding AI development and trade policies. Under his administration, there may be less emphasis on naming Russian cybercriminals and a more aggressive stance toward China. Trum

IBM Study: CEOs Concerned About AI Accuracy and Bias

 IBM's recent study highlights concerns that CEOs have regarding accuracy and bias in AI. As AI adoption grows, these concerns intensify, with 48% of CEOs identifying bias and data accuracy as top risks. While many recognize the need for AI in enhancing productivity and competitiveness, they are also cautious about potential security and ethical issues. CEOs are investing in AI, but they acknowledge that integrating generative AI responsibly requires addressing these challenges. For businesses to succeed in the AI era, they must balance innovation with a commitment to ethical, responsible AI usage. https://aibusiness.com/responsible-ai/accuracy-bias-in-ai-concerns-most-ceos-ibm-study

Trump's Re-election Can Lead to Major Changes in US AI Regulation

 The election of Donald Trump signals significant changes in U.S. AI regulation, with a shift back toward a more market-driven approach. Trump's first term saw initiatives aimed at strengthening the country's AI leadership, with an emphasis on economic growth, national security, and international cooperation on AI standards. His previous AI executive orders focused on fostering innovation and reducing regulatory barriers, particularly around government oversight of emerging technologies. A second term may involve revisiting these policies, potentially reversing the current administration's more equity-focused approaches in favor of deregulation and a freer market. This shift could impact both domestic AI development and global collaborations, with implications for issues such as AI ethics and international trade. Given Trump's previous resistance to government intervention in tech, it’s likely that his policies would prioritize industry-driven AI advancements and less s

Financial Losses from Deepfake Fraud Surge, Report Shows

 A new report reveals that 92% of companies have suffered financial losses due to deepfake fraud, with increasing attempts in both audio and video formats. The average cost per fraud attempt is nearly $450,000, with fintech companies experiencing even higher losses. Despite this, many businesses remain underprepared, often underestimating the threat. Awareness of the issue is growing, and collaboration between CFOs and CIOs is seen as key to improving defenses against such attacks. https://www.cfo.com/news/most-companies-have-experienced-financial-loss-due-to-a-deepfake-regula-report/732094/

Cybersecurity Workforce Growth Stalls Despite Rising Demand

 The article discusses concerns over the stagnation of the cybersecurity workforce, highlighting that despite reports of a workforce gap, the demand for cybersecurity professionals has plateaued. Factors like budget constraints, the prevalence of "ghost jobs," and overestimated workforce needs contribute to this issue. While job openings exist, especially for experienced workers, entry-level positions are scarce, making it difficult for newcomers to enter the field. The market also faces a disconnect between the high expectations set for candidates and the reality of available jobs.  https://www.darkreading.com/vulnerabilities-threats/cybersecurity-workforce-peaked

Security Risks of BYOAI Tools in Organizations

 The security risks associated with "bring your own AI" (BYOAI) refer to the potential vulnerabilities when organizations use third-party AI tools, often without proper oversight. These tools might expose corporate data to security breaches, whether by leaking sensitive information or introducing malicious code. The rise of generative AI has made it easy to integrate such tools, but organizations must be cautious of data privacy issues and lack of control over these external AI systems. Proper governance and AI risk management strategies are essential to mitigate these threats.  https://www.computerweekly.com/feature/What-are-the-security-risks-of-bring-your-own-AI

Growing Focus on Data Security and AI-driven Protection in Cloud and SaaS Environments

 The main market trend identified from these acquisitions is the increasing focus on **data security and protection**, particularly in the context of **cloud and SaaS environments**. Key areas of emphasis include:

 1. **Data Loss Prevention (DLP)** – Several acquisitions, such as Cyera acquiring Trail Security and Fortinet acquiring Next DLP, focus on enhancing capabilities to prevent data breaches and insider threats.
 2. **AI-powered Security Solutions** – With companies like Mimecast acquiring Aware, AI-driven security solutions for human risk management and collaboration security are becoming a prominent focus.
 3. **SASE and SSE** – Netskope’s enhancements to its platform, particularly in the areas of Data Security Posture Management (DSPM), highlight the growing trend towards integrated security frameworks that provide comprehensive protection across networks and cloud services.
 4. **Real-time Protection and Identity Security** – Kaseya's acquisition of SaaS Alerts signals a con

Quantum-Resistant Proposals for Java Security

Two proposals for enhancing Java application security against quantum computing threats are being considered. The first proposal, the "Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm" (ML-DSA), aims to provide a quantum-safe implementation of digital signatures for detecting data tampering and authenticating signatories. The second, the "Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism" (ML-KEM), seeks to secure symmetric keys using public key cryptography. Both algorithms are designed to resist attacks from future quantum computers using Shor's algorithm. These proposals are part of the OpenJDK JEP index but have no fixed version timeline. They address the urgent need for quantum-resistant algorithms to future-proof Java applications.  https://www.infoworld.com/article/3601103/java-app-security-would-get-a-boost-through-quantum-resistance.html

IBM CBOMkit: A Tool for Managing Cryptographic Assets and Quantum Compliance

 IBM Research has introduced **CBOMkit**, an open-source toolset designed to help developers manage cryptographic assets within their software projects. The toolkit leverages the **CycloneDX Cryptography Bill of Materials (CBOM)** standard, allowing for automated security analysis and compliance checks, particularly in light of the emerging quantum computing threat to traditional cryptographic methods. CBOMkit includes several key components:

- **CBOM Generator for Source Code (Hyperion)**: Scans code repositories to detect cryptographic usage and generate CBOMs.
- **CBOM Generator for Container Images (Theia)**: Scans Docker images and local directories for cryptographic assets.
- **CBOM Viewer (Coeus)**: A web-based tool for visualizing CBOMs and providing detailed insights.
- **CBOM Compliance Engine (Themis)**: Evaluates CBOMs against compliance policies, including quantum-safe checks.
- **CBOM Repository (Mnemosyne)**: Stores and manages CBOMs via a RESTful API for easy retrieval

IBM Introduces CBOMkit for Cryptographic Asset Management

 IBM Research has introduced CBOMkit, an open-source toolset designed to help developers manage cryptographic assets in the face of quantum computing threats. The suite includes tools like the CBOM Generator for source code and container images, a CBOM Viewer for visualization, and a compliance engine for evaluating security policies. The kit facilitates automation, compliance, and integration with existing development workflows, ensuring cryptographic asset management is secure and future-proofed against evolving security challenges.  https://blockchain.news/news/ibm-research-cbomkit-cryptography-management

Typosquatting Attack Targets npm: Malicious Packages Mimic Popular JavaScript Tools

 A recent typosquatting attack on npm has been discovered, where attackers impersonated popular JavaScript libraries to distribute malware. The malicious packages targeted users by mimicking widely used tools like "cross-env," a package for setting environment variables. The attack aimed to steal sensitive data from compromised systems, including credentials and API keys. Although the malicious code was downloaded by some developers, the attack did not result in widespread damage, with only a few reported incidents. The npm team is working on measures to detect and prevent such attacks in the future. https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/

Am I Isolated is a security tool designed to evaluate container isolation gaps.

 **Am I Isolated** is a tool that assesses the security posture of container environments, specifically focusing on isolation gaps. It provides suggestions for improving security in containerized systems and is designed to be updated over time as new research emerges. Currently, it helps security professionals identify potential vulnerabilities in container environments and offers actionable insights without overwhelming users with excessive data. The tool can be run as a Docker container or a Kubernetes pod for easy integration into existing environments.  https://github.com/edera-dev/am-i-isolated

GitGuardian Introduces Custom Hosting for Validity Checks in Self-Hosted Environments

 GitGuardian, a platform for automating security and compliance checks, has announced the release of a custom hosting option for its customers. This new feature enables organizations using self-hosted environments to run security validity checks more efficiently. This service helps detect sensitive information leaks, preventing potential security breaches. The addition of this feature is especially valuable for large organizations with stringent privacy and regulatory requirements. It also streamlines security operations for self-hosted setups, ensuring compliance and reducing risk. https://securityboulevard.com/2024/11/prevent-security-breaches-in-self-hosted-environments-with-gitguardians-custom-host-for-validity-checks/

Patched.codes offers automated DevOps security solutions, providing essential insights for vulnerability detection and management

 Patched offers a suite of customizable AI-powered tools for automating software development tasks such as code reviews, dependency upgrades, bug fixing, and documentation generation. The platform uses its open-source framework, Patchwork, which integrates seamlessly into SDLC tools like GitHub and Jira. Users can tailor workflows through a no-code interface or by writing their own code. It’s designed to improve developer productivity by handling repetitive tasks, and it offers a free tier, with premium options for more extensive usage.  https://www.patched.codes/

NIST Guide on Cyber Supply Chain Risk

 NIST has released a guide to assist companies with due diligence for cyber supply chain risk management. The guide emphasizes five key areas: supply chain tiers, foreign ownership influence, provenance, stability, and foundational cybersecurity practices. It encourages acquirers to evaluate their suppliers at different levels, track the origin of components, assess financial and operational stability, and ensure robust cybersecurity measures. The public can provide feedback on the guide until December 16, 2024.  https://www.engage.hoganlovells.com/knowledgeservices/news/security-snippets-nist-publishes-guide-on-due-diligence-for-cyber-supply-chain-risk-management

Qualys Considers Sale After Revenue Growth

 Qualys, a cybersecurity firm known for its IT security and compliance management software, is reportedly considering a sale. The company is in discussions with financial advisers to explore potential options following interest from prospective buyers. While Qualys has not commented on the matter, its current market value is around $6 billion. Despite challenges like a revised revenue forecast, the company has maintained growth, recently posting an 8% year-over-year revenue increase.  https://www.verdict.co.uk/qualys-reportedly-considering-sale/

Top 10 IaC Scanning Tools for 2025: Key Features and Security Benefits

 The article discusses the top 10 Infrastructure as Code (IaC) scanning tools for 2025, emphasizing the need for proactive security to address vulnerabilities in cloud infrastructure configurations. IaC scanning tools, like SentinelOne Singularity™ Cloud Security, help detect and remediate misconfigurations that could expose infrastructure to security risks. The article highlights features such as integration with CI/CD pipelines, automated vulnerability detection, and compliance management. Additionally, it advises organizations to choose tools that offer customizable rules and integrate seamlessly with development workflows.

Here are brief summaries of the 10 IaC scanning tools:

1. **SentinelOne Singularity™ Cloud Security**: Comprehensive cloud protection with real-time CNAPP, integrated into CI/CD pipelines. Scans popular IaC platforms like Terraform and AWS CloudFormation.
2. **Snyk**: Scans for misconfigurations across IaC platforms, integrates with CI tools, and offers conte

IriusRisk and Toreon Partner to Deliver Tailored Threat Modeling Training for Enterprises

 IriusRisk has partnered with Toreon to provide specialized training aimed at enhancing enterprise organizations' threat modeling capabilities. This collaboration focuses on delivering tailored educational programs to help businesses strengthen their security posture by integrating threat modeling into their processes. The goal is to extend these programs within organizations, ensuring a proactive approach to security by identifying and mitigating potential vulnerabilities. This partnership underscores the importance of educating teams on managing cyber risks and improving resilience against evolving threats. https://www.prnewswire.co.uk/news-releases/iriusrisk-partners-with-toreon-to-deliver-bespoke-training-to-extend-threat-modeling-programs-within-enterprise-organizations-302298645.html

Trump's Cybercrime Strategy: What to Expect in His Upcoming Presidency

 The blog discusses expectations for Donald Trump's approach to combating cybercrime during his second presidency. While his first administration updated the National Cyber Strategy, experts question his commitment to international cooperation and cybersecurity leadership. Challenges include managing nation-state attacks from Russia, China, and others, and the effectiveness of strategies like naming and shaming cybercriminals. Cooperation between international law enforcement agencies is expected to continue, regardless of U.S. leadership. Key issues include ransomware and transnational cybercrime, with the potential for major events influencing policy direction.  https://www.govinfosecurity.com/blogs/combating-cybercrime-what-to-expect-from-trump-presidency-p-3759

Canada Launches National Security Review of TikTok Over Data Concerns and Foreign Influence

 The Canadian government revealed that it initiated a national security review of TikTok in September 2024. The review was disclosed by Prime Minister Justin Trudeau, who emphasized that it followed broader scrutiny of TikTok’s data practices and concerns about foreign influence, particularly regarding Chinese ownership by ByteDance. This scrutiny mirrors efforts in other countries, including the U.S., over potential risks tied to user data access and influence operations.  In Canada, TikTok has already been banned from government-issued devices since February 2023 due to privacy concerns raised by federal and provincial authorities. The review is subject to confidentiality rules under the Investment Canada Act, and while specifics are not public, it reflects broader policy shifts to regulate foreign influence in the digital sector. https://www.cbc.ca/news/politics/tiktok-canada-review-1.7375965

Malicious npm Packages Target Roblox Users with Data-Stealing Malware

 A new campaign targeting Roblox users involves malicious npm packages that deliver data-stealing malware such as Skuld and Blank Grabber. Disguised as legitimate packages, these rogue JavaScript libraries trick developers and users by mimicking trusted names. The attack leverages GitHub for hosting malware and Discord/Telegram for data exfiltration, demonstrating the growing vulnerability in open-source supply chains. Developers are urged to verify packages and exercise caution when downloading modules. https://thehackernews.com/2024/11/malicious-npm-packages-target-roblox.html

Uncovering a Critical Cloud Security Flaw: The Discovery That Predicted the SolarWinds Hack

 Andrew Harris, a top Microsoft cybersecurity expert, discovered a severe flaw in 2016 involving a cloud-based authentication tool that allowed hackers to impersonate legitimate users without leaving traces. This vulnerability threatened sensitive national security and corporate data, irrespective of the cloud provider. Harris, previously with the Defense Department, raised alarms due to its potential implications for federal agencies and critical information. The flaw foreshadowed tactics later used in the infamous SolarWinds breach linked to Russian attackers. https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers

Why do we call them trust boundaries?

 Adam Shostack's post delves into the terms "trust boundaries" and "security boundaries" in cybersecurity, exploring their history, distinctions, and applications. While "security boundaries" denote well-defined, robustly defended areas by security policy, "trust boundaries" imply broader trust-related elements, including privacy and computing bases. Shostack critiques the inconsistent commitments by companies to defending boundaries and explores if trust, as a concept, merits specific distinction within threat modeling practices.  https://shostack.org/blog/trust-and-security-boundaries/

Endor Labs Announces Integrated SAST Offerings

 Endor Labs recently announced that their Static Application Security Testing (SAST) toolset will be integrated into their platform, enhancing software security. This offering aims to help developers identify and fix code vulnerabilities earlier in the development cycle. By combining SAST with dependency management, Endor Labs provides a streamlined approach to managing and securing both custom code and third-party dependencies in a unified platform, which can improve efficiency and reduce security risks.

Typosquatting Campaign Targets npm with Over 287 Malicious Packages

 A recent typosquatting campaign is targeting npm users by deploying malware through over 287 look-alike packages, including common libraries like Puppeteer. The malicious code uses Ethereum smart contracts for command-and-control, making it resilient against traditional detection methods. The attack is designed to infiltrate development environments, compromising systems, CI/CD pipelines, and credentials. Researchers from Phylum, Socket, and Checkmarx have raised alerts about these packages, urging developers to implement stringent security measures and verify package authenticity.  For full details, visit the original article [here](https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/).

Proofpoint Acquires Normalyze to Enhance Data Security and Compliance Across Multi-Cloud Environments

 Proofpoint has announced its acquisition of Normalyze, a Data Security Posture Management (DSPM) company. This acquisition aims to bolster Proofpoint’s human-centric security platform, integrating Normalyze’s AI-powered DSPM technology to help organizations identify, classify, and protect data across diverse environments, including SaaS and multi-cloud setups. The partnership focuses on addressing human-centric risks in data security, offering enhanced visibility, risk assessment, and compliance features to tackle data breaches and over-permissioned access issues. For further details, visit [SMEStreet](https://smestreet.in/technology/proofpoint-to-acquire-normalyze-for-data-security-solutions-7383174).

Understanding the SLSA Framework: Enhancing Security and Visibility in Software Supply Chains

 The SLSA (Supply chain Levels for Software Artifacts) framework is designed to enhance visibility and security across software supply chains. It defines levels of security rigor, helping organizations verify the integrity of software artifacts and reduce supply chain risks. Implementing SLSA improves resilience by standardizing practices around build systems, source control, and deployment processes. The framework's goal is to empower organizations to detect and mitigate vulnerabilities effectively throughout the software lifecycle. For further information, check the article [here](https://securityboulevard.com/2024/11/slsa-framework-what-is-it-and-how-to-gain-visibility/).

Google's AI Tool 'Big Sleep' Uncovers Zero-Day Vulnerability in SQLite Database

 Google's AI tool, Big Sleep, recently detected a zero-day vulnerability in the widely used SQLite database. The AI found a stack buffer underflow flaw, which could allow attackers to execute arbitrary code. Google highlighted this as the first real-world vulnerability discovered by an AI agent, leveraging language model capabilities to automate security analysis. This discovery led to a fix in SQLite’s development branch. While experimental, Big Sleep shows potential for preemptively detecting security issues before software releases. For more details, visit the article: [The Hacker News](https://thehackernews.com/2024/11/googles-ai-tool-big-sleep-finds-zero.html).

PatchThis: Open-Source Tool for Prioritizing Critical CVE Patches in Security Management

PatchThis is an open-source project by Jerry Gamblin, offering a curated list of critical Common Vulnerabilities and Exposures (CVEs) to streamline patch management. It aggregates data from reliable sources, such as the CISA Known Exploited Vulnerabilities Catalog and Metasploit Modules, updating hourly to help organizations prioritize security patches. The platform also provides downloadable CSV files with CVE details and is open for contributions on GitHub. This tool aims to simplify vulnerability intelligence and aid in efficient security decision-making.  https://patchthis.app/

Mixeway Flow: Comprehensive DevSecOps Tool for Integrated Security in Development Workflows

Mixeway Flow is a DevSecOps tool that integrates security into development workflows, featuring open-source scanning for infrastructure, code, and libraries. It connects with Git and CI/CD environments via webhooks, providing continuous monitoring without complex setup. Vulnerabilities appear in a single dashboard, where issues can be prioritized or suppressed to avoid low-priority noise. This tool streamlines security for developers and DevOps teams, helping ensure secure software development.  https://github.com/Mixeway/Flow

Thales Sets Stage for 2025 Launch of New Integrated Partner Program

 Thales is preparing to launch a unified partner program in 2025, following its acquisition of Imperva. This initiative aims to support partners through education and enablement around Thales’ expanded offerings. Partners will have flexibility in how they engage, choosing to resell, offer services, operate as managed service providers (MSPs), or original equipment manufacturers (OEMs). https://www.channelfutures.com/mergers-acquisitions/thales-prepares-for-2025-partner-program-launch