Security News
Red Siege has developed and made available many open-source tools to help with your penetration testing work. The company plans to continue to support the tools listed below, whether in the form of bug fixes or new features.
Ghostscript, an open-source interpreter for PostScript language and PDF files widely used in Linux, has been found vulnerable to a critical-severity remote code execution flaw. The flaw is tracked as CVE-2023-3664, having a CVSS v3 rating of 9.8, and impacts all versions of Ghostscript before 10.01.2, which is the latest available version released three weeks ago.
Proton AG has announced the global availability of Proton Pass, an open-source and free-to-use password manager available as a browser extension or mobile app on Android and iOS. Proton has been offering various privacy-focused products and services for some time, including the end-to-end encrypted Proton Mail email service, the Proton VPN service, and the Proton Drive cloud storage service.
What's more, orchestration platforms like Kubernetes carry additional security considerations, such as securing a cluster's network and API endpoints, which aren't as visible to traditional security tools. Lastly, with deployments growing in scale and complexity, manual security management becomes impractical and security automation - from threat detection to compliance management - is essential.
Here are ten open-source recon tools that deserve to be in your arsenal. Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns.
Fiddler Auditor is an open-source tool designed to evaluate the robustness of Large Language Models and Natural Language Processing models. LLMs can sometimes produce unwarranted content, potentially create hostile responses, and may disclose confidential information they were trained with, regardless of whether they were explicitly asked to do so.
Building on public models like Meta's LLaMa, the open-source community has innovated in ways that allow results nearly as good as the huge models, but run on home machines with common data sets. Much of the modern internet was built on open-source technologies from the LAMP stack, a suite of applications often used in web development.
Public source code repositories, from Sourceforge to GitHub, from the Linux Kernel Archives to ReactOS.org, from PHP Packagist to the Python Package Index, better known as PyPI, are a fantastic source of free operating systems, applications, programming libraries, and developers' toolkits that have done computer science and software engineering a world of good. In cases like that, you can save time by searching for a package that already exists in one of the many available repositories, and hooking that external package into your own tree of source code.
Brian Behlendorf, CTO at the Open Source Security Foundation, shares insights on the influence of his experiences with the White House CTO office, World Economic Forum, and Linux Foundation on leading the OpenSSF and addressing open-source security challenges. Like all software projects, open source software projects are never over-staffed; they are volunteers struggling not just to write the functionality they need but also to fix the bugs they and others find. Paying down technical debt and implementing better security practices and tools often fall way behind in priority compared to new feature work and bug-fixing.
A new risk emerges in the digital era, where open-source software has become a fundamental pillar in developing innovative applications. In this Help Net Security video, Henrik Plate, Lead Security Researcher at Endor Labs, discusses the dual-edged nature of open-source software.