Ambassador @ambassador

0 posts0 participants0 posts today

**LMG Security** @LMGsecurity@infosec.exchange · May 30

LMG Security @LMGsecurity@infosec.exchange

AI Coding Assistants Can be Both a Friend & a Foe

New research shows that GitLab's AI assistant, Duo, can be tricked into writing malicious code and even leaking private source data through hidden instructions embedded in developer content like merge requests and bug reports.

How? Through a classic prompt injection exploit that inserts secret commands into code that Duo reads. This results in Duo unknowingly outputting clickable malicious links or exposing confidential information.

While GitLab has taken steps to mitigate this, the takeaway is clear: AI assistants are now part of your attack surface. If you’re using tools like Duo, assume all inputs are untrusted, and rigorously review every output.

Read the details: https://arstechnica.com/security/2025/05/researchers-cause-gitlab-ai-developer-assistant-to-turn-safe-code-malicious/

Ars Technica · May 23Researchers cause GitLab AI developer assistant to turn safe code maliciousBy Dan Goodin

#AIsecurity #GitLab #AI

**Brian Greenberg** @brian_greenberg@infosec.exchange · May 13

May 13

Brian Greenberg @brian_greenberg@infosec.exchange

The EU to launch its own vulnerability database because the US is dropping the ball — and the timing couldn’t be more telling

In response to growing digital sovereignty concerns, NIS2 compliance, and calls for vendor accountability, the EU is building a public vulnerability catalog. The goal?
Track and disclose security bugs across government, industry, and open source
Complement—not compete with—the CVE Program
Increase trust, transparency, and resilience within the bloc

But let’s be honest:
Multiple public vuln databases means we must align identifiers, disclosure standards, and data feeds—or risk fragmentation
Transparency is great, but what about verification, consistency, and maintenance?
And if vendors or agencies self-report, how do we ensure accuracy or prevent omission?

Done right, this could increase pressure on lagging suppliers and elevate accountability. But if we don’t connect the dots globally, we may just multiply confusion.

What do you think: smart evolution or coordination nightmare?

#CyberSecurity #VulnerabilityManagement #EU #CVE #NIS2 #SoftwareSecurity #Governance #security #privacy #cloud #infosec
https://www.theregister.com/2025/05/13/eu_security_bug_database/

The Register · May 13As US vuln-tracking falters, EU enters with its own security bug databaseBy Jessica Lyons

**udo m. rader** @riaschissl@sigmoid.social · Apr 8

Apr 8

udo m. rader @riaschissl@sigmoid.social

A nice hands on approach to #SoftwareSecurity, in the best GTD manner. Celine Pypaert from Johnson Matthey giving an interesting talk here in #QConLondon about how teams can get started with securing their development processes.

#Security is difficult, complex, impossible to enforce and it requires awareness and participation of a lot of stakeholders in an organization or a team. So just start small and scale up as you go!

Celine Pypaert stands on stage at QCon London in front of a presentation slide titled 'TODO (Crawl stage)'. The slide lists three completed security tasks, each with a checkmark: 'Detect the top 5 "fixable" vulnerabilities', 'Assign vulns as tasks to owners', and 'Draft a Standard & Policy'. Each task includes a note about its benefit, such as helping with documentation or risk registration. The slide ends with a note: 'Next: ask wider teams for support; compensating controls (WAF protections, rate limiting, etc.)'. A photo of a woman working on a laptop is shown on the left side of the slide.

**Sean Martin** @seanmartin@infosec.exchange · Apr 2

Apr 2

Sean Martin @seanmartin@infosec.exchange

Yes, it is true! It’s Webinar Time! Secure coding isn’t just about writing safer software—it’s a career game-changer.

But most companies don’t invest in secure coding training, leaving developers without the skills they need to protect their apps.

Join us live on April 16, 2025, for an ITSPmagazine Webinar where we’ll explore how to change that.

Secure Coding = Developer Power: How To Convince Your Boss To Invest In You

With:
Jim Manico, Manicode Security
Jimmy Mesta , RAD Security
Moderated by yours truly — Sean Martin, CISSP

Register here: https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

Why You Should Attend
Secure coding isn’t just about preventing security failures—it’s a career accelerator. Developers who understand security are more valuable to their companies, build better products, and stand out in the job market. This session will equip you with the knowledge and tools to make the case for secure coding training at your company, giving you an edge as both a developer and an advocate for better software security.

We’ll cover:
Live code reviews & secure fixes
Automation tips for secure defaults
What effective training really looks like

If you care about building secure software and stronger engineering teams, don’t miss this one.

Register here: https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

crowdcastSecure Coding = Developer Power: How to Convince Your Boss to Invest in You — An ITSPmagazine Webinar with Manicode SecurityRegister now for Secure Coding = Developer Power: How to Convince Your Boss to Invest in You — An ITSPmagazine Webinar with Manicode Security on crowdcast, scheduled to go live on April 16, 2025, 12:30 PM EDT.

#webinar #securecoding #appsec

**OpenSSF** @openssf@social.lfx.dev · Feb 19

Feb 19

OpenSSF @openssf@social.lfx.dev

Have a security story to share?
We’re looking for talks on: AI & ML in security, Cyber resilience, Software supply chain security…and more!
Submit your proposal by March 23: https://events.linuxfoundation.org/openssf-community-day-north-america/program/cfp/#submission-types
#OpenSSFCommunity #OSSSecurity #SoftwareSecurity #CFP

LF EventsCall For Proposals (CFP) | LF EventsOpenSSF Community Day NA brings together the open source community to discuss the challenges, big-picture solutions, ongoing work, and successes in securing the open source software (OSS) supply chain.

**OpenSSF** @openssf@social.lfx.dev · Jan 8

Jan 8

OpenSSF @openssf@social.lfx.dev

OpenSSF is securing the open source ecosystem! With over 100 members and thousands of contributors, we’re shaping the future of secure software development. Download the Annual Report to see our impact in 2024: https://hubs.la/Q0318XDQ0 #OSS #OpenSSF #SoftwareSecurity

**nemo™** @nemo@mas.to · Dec 14, 2024 *

Dec 14, 2024 *

nemo™ @nemo@mas.to

Open source maintainers are overwhelmed by AI-generated bug reports that lack quality and clarity! Seth Larson from the Python Software Foundation warns that these "slop" reports waste valuable time and resources. Developers urge bug hunters to avoid using AI for submissions. Let's support our maintainers! #OpenSource #AIBugReports #newz #SoftwareSecurity #DevCommunity https://www.theregister.com/2024/12/10/ai_slop_bug_reports/

The Register · Dec 10, 2024Open source maintainers are drowning in junk bug reports written by AIBy Thomas Claburn

**DopeGhoti** @DopeGhoti@infosec.exchange · Jun 8, 2024

Jun 8, 2024

DopeGhoti @DopeGhoti@infosec.exchange

#Microsoft developed the #Recall feature under its new Secure Future Initiative (#SFI) that the company put in place to overhaul its #SoftwareSecurity after major #Azure cloud attacks.

— Tom Warren, The Verge, "Windows won't take screenshots of everything you do after all – unless you opt in" (emphasis and tags mine)

I didn't know that one sentence could make me laugh so hard.

Replied to Stephen Paulger

**Mark Gardner** @mjgardner@social.sdf.org · Feb 8, 2024

Feb 8, 2024

Mark Gardner @mjgardner@social.sdf.org

@aimaz Yes, and many of the #Perl recommendations by #CERT (https://wiki.sei.cmu.edu/confluence/x/wlxMBQ) have corresponding #PerlCritic policies: https://metacpan.org/dist/Perl-Critic/view/lib/Perl/Critic/PolicySummary.pod

Perl app and module #developers can easily incorporate a perlcritic test into their test suite to catch #security and other problems: https://metacpan.org/pod/Test::Perl::Critic

wiki.sei.cmu.eduSEI CERT Perl Coding Standard - SEI CERT Perl Coding Standard - Confluence

#InfoSec #CyberSecurity #programming

**Stephen Paulger** @aimaz@mstdn.social · Feb 8, 2024 *

Feb 8, 2024 *

Stephen Paulger @aimaz@mstdn.social

Software Security Poll

**detektor.fm** @detektorfm@social.detektor.fm · Mar 23, 2023

Mar 23, 2023

detektor.fm @detektorfm@social.detektor.fm

Ob im Recht, der Philosophie oder der Software-Forschung, Sicherheit ist ein Thema in vielen unterschiedlichen Forschungsfeldern. Welche neuen Erkenntnisse aus der Wissenschaft gibt es?

#MaxPlanckGesellschaft #Sicherheit #SoftwareSecurity #StochastischerTerrorismus #Strafrecht #Forschungsquartett

https://detektor.fm/wissen/forschungsquartett-sicherheit?utm_campaign=share_on_mastodon&utm_medium=mastodon&utm_source=mastodon

detektor.fmForschungsquartett | Sicherheit – Wie wenden wir Gefahren ab? | detektor.fm – Das Podcast-RadioVom US-Justizsystem hin zu IT-Netzwerken: Sicherheit ist ein Thema in vielen Forschungsfeldern. Welche neuen Erkenntnisse gibt es?

**NunoF** @nunof@hachyderm.io · Dec 24, 2022 *

Dec 24, 2022 *

NunoF @nunof@hachyderm.io

I've been working in software engineering industry for a while. Now working on #SmartEnergy and #SystemsEngineering

Interested in many topics from #EmbeddedSystems to #SoftwareSecurity to #CloudComputing

Societal topics also matter to me, not only because #SoftwareDesign is very much about #HumanRelationships but these are very sensitive to #Political and #Social that are currently being designed also on #SocialMedia

Recent searches

Search options

Administered by:

Server stats:

#softwaresecurity