Security News

On the government side of things, this includes a voluntary threat intelligence sharing program between the Feds and open source software developers and operators, which the US Cybersecurity and Infrastructure Security Agency will lead. "We want to help foster real-time collaboration around security incidents," CISA director Jen Easterly explained in a keynote address at the agency's Open Source Software Security Summit this week. While it's not exactly new, in 2022 NPM - which bills itself as the world's largest software registry - began requiring maintainers of high-impact projects to use MFA. Last year, NPM developed tools that allow maintainers to automatically generate package provenance and Software Bill of Materials, which allow anyone using the open source packages to trace and verify code dependencies.

Tazama is an open-source platform focused on improving fraud management within digital payment systems. Tazama marks a substantial transformation in the approach to financial monitoring and compliance worldwide.

RiskInDroid is an open-source tool for quantitative risk analysis of Android applications based on machine learning techniques. "A user should be able to quickly assess an application's level of risk by simply glancing at RiskInDroid's output, and they should be able to compare the app's risk with others easily," Gabriel Claudiu Georgiu, developer of RiskInDroid, told Help Net Security.

Python Risk Identification Tool is Microsoft's open-source automation framework that enables security professionals and machine learning engineers to find risks in generative AI systems. It started as a collection of individual scripts used during the team's initial foray into red teaming generative AI systems in 2022.

BobTheSmuggler is an open-source tool designed to easily compress, encrypt, and securely transport your payload. It basically enables you to hide a payload in plain sight. "In many of my red team engagements, I encountered scenarios where I had to deliver a payload to the target, and due to a DLP or firewall rule, the payload delivery was blocked. I quickly opted for the HTML smuggling technique for payload delivery, but none of the publicly available tools had the feature to hide the payload inside PNG/GIF. Most tools would just base64 encode the binary and embed it inside the HTML file. Due to this reason, the HTML file size would increase to a few MBs. This file wouldn't be ideal for sending as an email attachment due to size constraints, Harpreet Singh, the creator of BobTheSmuggler, told Help Net Security."

An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost. Written in C# and compatible with...

Web Check offers thorough open-source intelligence and enables users to understand a website's infrastructure and security posture, equipping them with the knowledge to understand, optimize, and secure their online presence. Web Check provides insight into the inner workings of any specified website, enabling users to identify possible security vulnerabilities, scrutinize the underlying server architecture, inspect security settings, and discover the various technologies employed by the site.

IAM tools help organizations secure and manage user identities and access to resources, ensuring only authorized individuals gain access. Keycloak adheres to standard protocols such as OpenID Connect, OAuth 2.0 and SAML and provides fine-grained authorization services that support different access control mechanisms like attribute-based access control, role-based access control, user-based access control, rule-based access control and context-based access control.

A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities. "SSH-Snake is a self-modifying worm that leverages SSH...

TruffleHog is an open-source scanner that identifies and addresses exposed secrets throughout your entire technology stack. "TruffleHog was originally a research tool I independently authored in 2016. When I published it, no tools were scanning Git revision history for secrets. My hunch was a lot of secrets buried in older versions of code, but no tools existed to look for them. My hunch was right. The tool quickly took off and became very popular. These days, it's been starred on GitHub ~14,000 times and is wildly adopted in the industry," Dylan Ayrey, CEO at Truffle Security and original author of TruffleHog, told Help Net Security.