Clint Gibler’s Post

It's out: Aaron D'Amico and I just deployed code fixes into the 3Flatline Dixie AI Security Engineer platform. Find vulnerabilities (more accurately!) and FIX VULNERABILITIES (more accurately!), and "TEST" (exploit) vulnerabilities, in the same workflow! We just deployed a huge update to our platform: - Fixes: Context aware code fixes for discovered vulnerabilities. - Tests: Example code to help you determine if it is vulnerable, and how it can be exploited (scary accurate...). - Improved Language Support: If you don't see a language you are using it takes us about a week to support it. Including non traditional architectures! - Reduced False Positives: Our low rate is even lower: we implemented a pretty nifty engine improvement that Still deploy into your environment, keeping your code or research compliant or just secret! The improved process of this will be coming soon to the Vector 35 Binary Ninja plugin, as well. We have a discounted plan with Binja integration for your research, or you can upgrade your plan and get some scary accurate AI generated exploit code written. Check out some of the example output with our "30 days of bugs" campaign on Aaron's profile. #appsec #codefixes #securitytotheleft

Google Open Sources Magika: AI-Powered File Identification Tool Google has taken a significant step forward in enhancing digital security by open-sourcing Magika, an AI-driven tool designed to accurately identify various file types. This innovative solution is set to revolutionize file identification methods, boasting a 30% accuracy boost and up to 95% higher precision, particularly in recognizing challenging file formats like VBA, JavaScript, and Powershell.     Magika leverages a custom, highly optimized deep-learning model to swiftly and precisely identify file types within milliseconds. By implementing inference functions through the Open Neural Network Exchange (ONNX), Magika achieves exceptional performance, making it an invaluable asset in today's cybersecurity landscape. Internally utilized by Google across platforms like Gmail, Drive, and Safe Browsing, Magika plays a crucial role in enhancing user safety by accurately routing files to relevant security and content policy scanners. This move underscores Google's commitment to strengthening digital security infrastructure and empowering defenders against evolving cyber threats. In a broader context, Google's efforts to democratize AI-driven security solutions highlight the transformative potential of artificial intelligence in rebalancing the cybersecurity landscape. By deploying AI at scale, defenders can gain a decisive advantage over attackers, significantly improving threat detection, malware analysis, vulnerability management, and incident response capabilities. However, as AI technology continues to evolve, concerns regarding its responsible usage and potential risks persist. The need for balanced regulatory frameworks to govern AI adoption becomes increasingly apparent, ensuring that innovations in digital security are harnessed ethically and responsibly. Furthermore, recent research has shed light on potential risks associated with generative AI models, emphasizing the importance of proactive measures to mitigate unintended consequences. As AI-powered tools become more pervasive, it becomes imperative for organizations to uphold data protection standards and safeguard individuals' rights and freedoms. In conclusion, Google's open-sourcing of Magika represents a significant milestone in advancing digital security practices. By harnessing the power of AI, organizations can better defend against emerging cyber threats, paving the way for a safer and more resilient digital ecosystem. Read More: https://lnkd.in/dmrUZe9a #Google #Magika #AI #canada #Cybersecurity #OpenSource

As AI coding assistants become more widely adopted, the need for AI tools that secure code and protect against vulnerabilities grows in parallel. Pixee’s Pixeebot does just that. Pixeebot is a GitHub that automatically fixes issues in your code for you. It hardens code to improve security, performance, and quality. Pixeebot monitors the code in your GitHub repositories and opens merge-ready pull requests with recommended code changes. With Pixeebot, vulnerability remediation is as simple as reviewing recommended changes and merging a pull request. They're launching today on ProductHunt, check them out! Pixee https://lnkd.in/dJF-5FjQ

We’re going to continue to see further investment in automatic remediation of security issues using artificial intelligence. Companies like Snyk and GitHub are investing heavily in this space. I personally think it’s good that we have a way of potentially catching up on the sheer quantity of software bugs we find in our apps. But I’m still a fan of eradicating bug classes using well defined platforms with inherent security properties. Prevention better than the cure, but also AI might make that pill less bitter to swallow. https://lnkd.in/gHTqe3RE

Magika at Google Internally, Magika is used at scale to help improve Google users’ safety by routing Gmail, Drive, and Safe Browsing files to the proper security and content policy scanners. Stay tuned for this: The upcoming integration of Magika with VirusTotal will complement the platform's existing Code Insight functionality, which employs Google's generative AI to analyze and detect malicious code. #opensourcesoftware #googlecybersecurity #googleai #virustotal https://lnkd.in/gmcMFWjT

We are using generative AI to help developers fix vulnerabilities in their code. How cool is that! Polaris Assist gives security and development teams easy-to-understand summaries of detected vulnerabilities and code fix recommendations to help them build secure software faster. Learn more about our AI-powered application security assistant that combines decades of real-world insights with a powerful large language model (LLM). Click for more: https://bit.ly/3whaap7

Hashing, hashing! We all hash our passwords, don't we? This week I have been exploring the world of Hashing Algorithms and I have to say the 'bcrypt' (a popular password-hashing library), I have been using is a drop in the ocean in the world of security. I have just published an article where I breakdown the following topics: ➡ what is hashing and hashing algorithms? ➡ How hashing algorithms work ➡ Requirements for a real world hashing algorithms ➡ Purpose of hashing ➡ Common examples of hashing algorithms(MD5, SHA Family) ➡ Choosing a good hashing algorithm This is part of WEB SECURITY KNOWLEDGE module on roadmap.sh (Backend roadmap). Up next I'll be tackling API security best practices. I am documenting my journey by sharing what I have learnt. I'll appreciate any feedback and shares #BackendEngineering #Softwareengineering #Security #Hashing #roadmapsh Link: https://lnkd.in/dmU4iypQ

Developer Week coming up in Oakland and Veracode has one of the keynotes. In this Best Practices Session, Brian Roche, Chief Product Officer at Veracode, discusses the security implications of AI-assisted coding, the role AI should play in how we both create and secure our software, and the cybersecurity skills you should build into your emerging AI tech stack #DevWeek2024. #aiappsec

🚀 New OPEN SOURCE TOOL Alert 🚀 We are thrilled to announce the release of 𝐖𝐡𝐢𝐬𝐭𝐥𝐞𝐛𝐥𝐨𝐰𝐞𝐫, our latest open-source tool that is built to automatically leak system prompts of LLM-based Applications! It’s no longer a surprise that leaking of “system prompts” is a significant security concern as they can expose sensitive information, underlying assumptions, and potential guardrails of these LLM applications. 🔊 𝐖𝐡𝐚𝐭 𝐜𝐚𝐧 𝐲𝐨𝐮 𝐞𝐱𝐩𝐞𝐜𝐭 𝐨𝐟 𝐖𝐡𝐢𝐬𝐭𝐥𝐞𝐛𝐥𝐨𝐰𝐞𝐫? 🔮 𝐒𝐲𝐬𝐭𝐞𝐦 𝐏𝐫𝐨𝐦𝐩𝐭 𝐄𝐱𝐭𝐫𝐚𝐜𝐭𝐢𝐨𝐧: Efficiently leak system prompts and discover capabilities by providing access to the API of the LLM App. 🤝 𝐎𝐩𝐞𝐧-𝐒𝐨𝐮𝐫𝐜𝐞 𝐆𝐨𝐨𝐝𝐧𝐞𝐬𝐬: Fully customizable code to fit your specific needs. 🤗 𝐇𝐮𝐠𝐠𝐢𝐧𝐠𝐟𝐚𝐜𝐞 𝐒𝐩𝐚𝐜𝐞: Designed with simplicity in mind, so you can focus on what matters. Go ahead and start using it now! For those eager to dive right in, explore the code and star us on GitHub 💻 :  https://lnkd.in/g2q5UKS9 To see Whistleblower in action, check out : https://lnkd.in/g5D4YU-y We can't wait to see what you'll discover and create with this tool. Happy hacking! 🌟 For uncovering the security risks in your AI application , book a demo today - https://lnkd.in/gaSXATwi #AI #OpenSource #LLMSecurity #AISecurity #AIRedTeaming #OWASPTop10LLM

If you’ve got web or API security skills, transitioning into the AI/ML bug bounty space is easier than you think. 👇 Vulnerabilities like Remote Code Execution and Path Traversal don’t stop at traditional apps—they’re present in ML platforms like MLflow, Airflow, and H2O-3. Annnndddd that’s where we come in. 🐰👋 Our beginner’s guide is built to help you bring your existing skills into the AI/ML bug bounty game. Whether you’re already plugged into the MLSecOps Community or following Protect AI's latest vulnerability reports, we’ve got you covered. 🔗 https://hubs.ly/Q02PKBHW0 #aisecurity #mlsecops #huntr #websecurity #bugbounty