Tag: software security
43 articles

AI-Generated Code Exposes Governance Gaps in Security Debt
AI-generated code is being produced at alarming rates, but with a catch: nearly half of it contains security flaws, highlighting a pressing need for new approaches to managing security debt. As software creation accelerates, companies must adapt their security strategies to keep pace with the rapid accumulation of vulnerabilities.

Governments Struggle to Secure Open-Source Software
The alarming reality is that years of underinvestment in open-source software security are catching up with us, with a new supply chain compromise emerging almost every week. A recent scan by Project Glasswing found over 6,000 high-risk vulnerabilities in popular open-source projects, but only a tiny fraction have been patched.

OpenAI Bolsters Cybersecurity Push with GPT-5.5-Cyber Update
OpenAI just unveiled its latest game-changer: GPT-5.5-Cyber, a powerhouse model that supercharges vulnerability detection and patching, while retaining its impressive general-purpose intelligence. This cutting-edge update is part of a broader push to revolutionize software security.

Open Source Faces Hard Fork Amid AI-Fueled Security Crisis
The open source community is facing a daunting security crisis fueled by AI, giving rise to a new category of threat dubbed "Mythos" - a complex chain of low-level issues that can be combined to create devastating attacks. This emerging threat is not just a single bug or false positive, but a game-changing phenomenon that demands immediate attention.

Open Source Community Unprepared for EU's Cyber Resilience Act
The open source community is lagging behind on cybersecurity readiness, with stagnating awareness and a lack of preparedness for the EU's Cyber Resilience Act, which requires minimum security standards for hardware and software products by December 2027. It's time for urgent action to avoid falling short of compliance.

CISA Warns of Open-Source Vulnerabilities Amid Delayed Security Improvements
The open-source community's rapid vulnerability discovery is a pressing concern, with the tempo of exploitation accelerating and straining traditional defensive practices, according to CISA's acting director Nick Andersen. He warns that this situation will require hard security decisions to mitigate the risks to federal and private networks.

Microsoft Unveils AI-Powered Red Teaming Tools to Bolster Software Security
Microsoft is shifting the conversation around AI safety from philosophical debates to hands-on action, empowering developers to build more secure software with innovative tools. With the launch of Rampart, a cutting-edge red-teaming tool, the company is putting AI-powered security into practice, helping developers proactively identify and fix vulnerabilities.

Measuring AI Security Effectiveness Proves Elusive
Measuring AI security effectiveness is a complex challenge that can't be reduced to a single score or benchmark. Relying on benchmarks alone simply doesn't work when it comes to safeguarding AI systems.

Trellix Source Code Breach Exposes Repository Vulnerability
Trellix recently identified a security breach that compromised a portion of its source code repository, prompting an immediate investigation with leading forensic experts and notification of law enforcement. The company has assured that there's no evidence its source code release process was affected or exploited - yet.

Anthropic Expands Claude Security Model to Cybersecurity Platforms
Anthropic's Claude Security Model just got a major upgrade, now helping cybersecurity platforms detect and fix software flaws faster than ever. With its advanced capabilities, Claude Security provides detailed vulnerability explanations, confidence rankings, and even generates step-by-step patch instructions.

Anthropic's AI Model Exposes Code Flaws, But Limitations Remain
Meet Mythos, a game-changing AI tool that automates code auditing with impressive accuracy, but isn't quite a magic bullet for uncovering entirely new software flaws. It's highly effective at spotting known vulnerabilities, but its capabilities are still limited to what humans have taught it.

Cal.com Shifts Away From Open Source Amid AI-Driven Security Concerns
Cal.com is ditching open source, citing AI-driven security risks that make transparent code a liability. Its CEO claims open source is dead, as AI tools empower attackers to exploit published code like never before.

AI Bolsters Software Security with Enhanced SAST Accuracy
Can artificial intelligence revolutionize software security by supercharging SAST accuracy and making testing a breeze for developers? By harnessing the power of AI, organizations can potentially transform the way they identify and fix vulnerabilities, without slowing down their software builders.

Axios Backdoor: Critical npm Supply Chain Attack Unleashes Devastating RAT Malware
A single compromised account has triggered a critical supply chain attack on Axios, a widely-used JavaScript library, unleashing devastating RAT malware and putting millions of developers worldwide at risk. This shocking breach highlights the urgent need for more stringent security measures to protect our global software ecosystem.

LLMs Find Zero-Days Faster: Stunning, Dangerous Shift
Large language models are now reading and reasoning about code like expert researchers, pinpointing high‑severity zero‑days without the fuzzing and harnesses security teams rely on. That leap from brute‑force probing to targeted, pattern‑based discovery could make supposedly hardened software suddenly vulnerable—and forces defenders to rethink their playbook.

Red Hat repositories Exclusive Critical Leak
Red Hat is scrambling after a hacking group called the Crimson Collective claims to have leaked roughly 570 GB from about 28,000 private repositories — including source code, internal notes and customer documents — a breach that could upend supply chains and privacy protections. If confirmed, assume exposure: rotate credentials, audit CI/CD and follow Red Hat’s guidance while investigators work to assess the full scope.

XCSSET malware: Stunning, Dangerous Supply-Chain Threat
Microsoft warns that XCSSET — a persistent macOS malware — has evolved to hide inside Xcode project files, so compromised developer builds can silently steal crypto, disable defenses, and spread to users. Developers and teams should lock down build environments, tighten project integrity checks, and treat supply‑chain security as mission‑critical to keep apps and users safe.

Web Help Desk Critical Patch: Must-Have Fix for Risky RCE
SolarWinds has released a third hotfix for a critical CVSS 9.8 RCE in Web Help Desk, forcing admins to weigh urgent patching against potential operational disruption. Verify your version, apply the hotfix, and isolate helpdesk services now to shrink the attack window.

supply chain attack: Stunning Near-Miss, Risky Lessons
A fast, coordinated open‑source response helped avert what could have been a massive npm supply‑chain breach, but the near miss raises urgent questions for developers, maintainers and policymakers about dependency hygiene, registry controls and long‑term resilience.

crypto phishing Shocking Supply-Chain Nightmare
One phishing click that reset a maintainer’s 2FA let attackers slip backdoors into at least 18 popular npm packages — including debug and chalk — turning trusted libraries into supply-chain landmines. It’s a wake-up call: human error can ripple through the entire ecosystem, so stronger authentication, multi-person publishing, and tighter dependency hygiene can’t wait.

software procurement Must-Have Guide: Essential Security
CISA’s new Software Acquisition Guide Web Tool puts buyers back in control of supply‑chain risk with practical checklists, vendor assessment criteria and contract language to make secure software purchasing repeatable and auditable. If adopted thoughtfully, it can turn procurement from a blind spot into a frontline defense—though success will hinge on implementation, resources and market incentives.

Secure Software Development: Must-Have Best Practices
Worried about the security of the software we all depend on? Join NIST NCCoE’s interactive DevSecOps virtual event on August 27, 2025, to hear experts, learn practical secure development practices, and help turn security from an afterthought into a foundation for every project.

Microsoft SharePoint Under Zero-Day Attack Despite Patch Failures
In a digital world where collaboration is key, a troubling zero-day vulnerability in Microsoft SharePoint has left users vulnerable and questioning the reliability of their trusted platforms. With critical systems at risk and past patch failures haunting stakeholders, its time to address the urgent need for accountability in software security.

June 2025 Patch Tuesday: Must-Have Critical Fixes
June’s Patch Tuesday addresses 67 vulnerabilities across Windows, Office and related products — including at least one actively exploited — so patching isn’t optional anymore. Prioritize internet-facing and critical systems, apply temporary mitigations if needed, and reboot promptly to close the window for attackers.