Security News

Fiddler Auditor: Open-source tool evaluates the robustness of large language models
2023-06-15 04:00

Fiddler Auditor is an open-source tool designed to evaluate the robustness of Large Language Models and Natural Language Processing models. LLMs can produce unwarranted content, generate hostile responses, and disclose confidential information contained in their training data, whether or not they were explicitly asked to do so.

Open-Source LLMs
2023-06-02 14:21

Building on public models like Meta's LLaMa, the open-source community has innovated in ways that allow results nearly as good as the huge models, but run on home machines with common data sets. Much of the modern internet was built on open-source technologies from the LAMP stack, a suite of applications often used in web development.

PyPI open-source code repository deals with manic malware maelstrom
2023-05-23 18:45

Public source code repositories, from Sourceforge to GitHub, from the Linux Kernel Archives to ReactOS.org, from PHP Packagist to the Python Package Index, better known as PyPI, are a fantastic source of free operating systems, applications, programming libraries, and developers' toolkits that have done computer science and software engineering a world of good. In cases like that, you can save time by searching for a package that already exists in one of the many available repositories, and hooking that external package into your own tree of source code.

Enhancing open source security: Insights from the OpenSSF on addressing key challenges
2023-05-18 04:30

Brian Behlendorf, CTO at the Open Source Security Foundation, shares insights on how his experiences with the White House CTO office, the World Economic Forum, and the Linux Foundation have influenced his leadership of the OpenSSF and his approach to open-source security challenges. Like all software projects, open source software projects are never over-staffed; they are run by volunteers struggling not just to write the functionality they need but also to fix the bugs they and others find. Paying down technical debt and implementing better security practices and tools often falls far behind new feature work and bug-fixing in priority.

Malicious open-source components threatening digital infrastructure
2023-05-17 04:00

A new risk emerges in the digital era, where open-source software has become a fundamental pillar in developing innovative applications. In this Help Net Security video, Henrik Plate, Lead Security Researcher at Endor Labs, discusses the dual-edged nature of open-source software.

Open-source Cobalt Strike port 'Geacon' used in macOS attacks
2023-05-16 12:10

Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.

Kubernetes Bill of Materials (KBOM) open-source tool enhances cloud security response to CVEs
2023-05-10 06:16

Kubernetes Security Operations Center released the first-ever Kubernetes Bill of Materials standard. While the Software Bill of Materials has advanced to the point of being a formal part of the NIST requirements that the US federal government imposes on federal purchases, this requirement stops short of the deployment stage of the application development lifecycle, which is where Kubernetes comes into play.

Detecting data theft with Wazuh, the open-source XDR
2023-05-08 14:05

Data theft is the act of stealing data stored in business databases, endpoints, and servers. Wazuh is a free and open source enterprise-ready security solution that provides unified SIEM and XDR protection across several workloads.

Universal Data Permissions Scanner: Open-source tool to overcome data authorization blindspots
2023-05-05 04:00

Satori released Universal Data Permissions Scanner, a free, open-source tool that enables companies to understand which employees have access to what data, reducing the risks associated with overprivileged or unauthorized users and streamlining compliance reporting. The Universal Data Permissions Scanner simplifies the complexity associated with authorization.

Unpaid open source maintainers struggle with increased security demands
2023-05-04 03:00

"Since almost all organizations rely heavily on open source in their applications, this new data demonstrates the increasing need to compensate and support the maintainers responsible for the health and security of the critical open source components we all depend on," said Donald Fischer, CEO, Tidelift. "Maintainers are being held accountable for keeping their projects secure and adhering to new standards, but are often not being recognized or paid for the additional work they are being asked to do. By addressing this inconsistency, we can ensure maintainers will continue their important work improving the security and long-term resilience of the open source software supply chain powering government and industry," Fischer continued.