???? ?????? ?????? ?????????????????????????????? – ?? ?????????????? ?????????????? Cross-site scripting (XSS) vulnerabilities have troubled cybersecurity experts for nearly 30 years, and they’re not going away anytime soon. With the rise of AI, XSS flaws may even be perpetuated as AI models absorb vulnerable code. In a recent alert, CISA and the FBI urged tech leaders to prioritize eliminating XSS from their products. ?? Why are XSS flaws still an issue after decades? ?? How does AI risk making things worse? ?? What should CISOs and developers do to combat XSS? ?????? ????????????: ?????? ??????????: CISA and FBI call for eliminating cross-site scripting vulnerabilities. ?????? ???? ??????????????: XSS flaws have been a cybersecurity concern for nearly 30 years. ???? ????????????: Generative AI could perpetuate XSS vulnerabilities if it ingests flawed code. ???????????????????? ??????????: Despite modern frameworks, many organizations still use outdated technologies vulnerable to XSS. ???????? ????????????: Prioritize secure coding, use modern frameworks, and adopt a secure-by-design approach. ?????????????????? ????????: Regular code reviews, peer evaluations, and security champion initiatives are essential to reducing XSS risks. The time to act is now. Let’s work towards a secure-by-design future. ?????? ????????????????: ????????????????: We offer contract, contract to hire, direct hire, remote global hiring, SOW projects and managed services. https://lnkd.in/g6bddCHa ???????????? ????????????: We offer U.S. companies the opportunity to hire IT professionals from our India-based talent network. https://lnkd.in/gN2A4c-Y ???????????? ???????????????? ??????????????????????: We offer Web/Mobile Development, UI/UX Design, QA & Automation, API Integration, DevOps services and Product Development. https://lnkd.in/dcKsvxAu ?????? ????????????????: ?????????????????? :An E-commerce platform to sell your products online to a large user base with custom features. https://getzenbasket.com/ ?????????? ??????????????: An automated payroll application that helps companies in India process their employees' payroll. https://lnkd.in/gvDg-Uds ?????????? ??????????????????: Simplifying all HR processes and maximizing productivity by automating routine tasks. https://lnkd.in/grcEACXM #cybersecurity #AI #XSS #CISO #securebydesign #softwaresecurity #DevelopmentApproaches #ITLeadership #ITSkill #Technology #Centizen #Zenbasket
Centizen, Inc.的动态
最相关的动态
-
???? ?????? ?????? ?????????????????????????????? – ?? ?????????????? ?????????????? Cross-site scripting (XSS) vulnerabilities have troubled cybersecurity experts for nearly 30 years, and they’re not going away anytime soon. With the rise of AI, XSS flaws may even be perpetuated as AI models absorb vulnerable code. In a recent alert, CISA and the FBI urged tech leaders to prioritize eliminating XSS from their products. ?? Why are XSS flaws still an issue after decades? ?? How does AI risk making things worse? ?? What should CISOs and developers do to combat XSS? ?????? ????????????: ?????? ??????????: CISA and FBI call for eliminating cross-site scripting vulnerabilities. ?????? ???? ??????????????: XSS flaws have been a cybersecurity concern for nearly 30 years. ???? ????????????: Generative AI could perpetuate XSS vulnerabilities if it ingests flawed code. ???????????????????? ??????????: Despite modern frameworks, many organizations still use outdated technologies vulnerable to XSS. ???????? ????????????: Prioritize secure coding, use modern frameworks, and adopt a secure-by-design approach. ?????????????????? ????????: Regular code reviews, peer evaluations, and security champion initiatives are essential to reducing XSS risks. The time to act is now. Let’s work towards a secure-by-design future. ?????? ????????????????: ????????????????: We offer contract, contract to hire, direct hire, remote global hiring, SOW projects and managed services. https://lnkd.in/g6bddCHa ???????????? ????????????: We offer U.S. companies the opportunity to hire IT professionals from our India-based talent network. https://lnkd.in/gN2A4c-Y ???????????? ???????????????? ??????????????????????: We offer Web/Mobile Development, UI/UX Design, QA & Automation, API Integration, DevOps services and Product Development. https://lnkd.in/dcKsvxAu ?????? ????????????????: ?????????????????? :An E-commerce platform to sell your products online to a large user base with custom features. https://getzenbasket.com/ ?????????? ??????????????: An automated payroll application that helps companies in India process their employees' payroll. https://lnkd.in/gvDg-Uds ?????????? ??????????????????: Simplifying all HR processes and maximizing productivity by automating routine tasks. https://lnkd.in/grcEACXM #cybersecurity #AI #XSS #CISO #securebydesign #softwaresecurity #DevelopmentApproaches#ITLeadership #ITSkill #Technology #Centizen #Zenbasket
What’s old is new again: AI is bringing XSS vulnerabilities back to the spotlight
csoonline.com
要查看或添加评论,请登录
-
Software Developer | C# ??| .NET ?? | Python ?? | RF ?? | Building Secure Software Infrastructures to Protect People Every Day
?????????????????? ???? .??????: ???????? ?????? ???????? ???? ?????????????? ???????? ???????????????????? Hello, LinkedIn community! Today, let’s take a fascinating dive into the world of security in .NET - a journey that spans decades and it’s a really tech thriller. ???? In the early 2000s .NET was just emerging, and security was more of an afterthought in software development. Fast forward to today, and it's a whole new game. The approach for security in .NET have changed, moving from reactive patches to proactive, robust security practices. ?? ?? ????????: ???????????????? ???? ?????? ???????????? Back in the day, security was often addressed only after vulnerabilities were exploited. Like the SQL Slammer worm of 2003 case - It exploited weaknesses in Microsoft SQL Server, causing a great chaos. It was a wake-up call for developers worldwide. ?? ??????: ???????????????? ???????????????????? Today, .NET embraces a security-centric approach. The framework itself has evolved, embedding much more security. Here are some best practices that every .NET developer should include in their coding: ?????????? ???????????? ???????????????? (??????): CAS principles still hold true – grant only the permissions necessary for your code to run. ?????????????? ???????? ???????? ??????.?????? ???????? ????????????????: Highly recommended using this framework for managing user identities. It’s like a personal bodyguard for user data. ????????????-???????? ?????????????????? (??????) ????????????????????: Guarding against script injections. .NET provides built-in features to auto-encode and keep these threats away. ???????? ?????????????????? ????????????????????: Utilize parameterized queries with Entity Framework to shield your database like a pro. ???????????????? ???????????????????? ????????????: Regularly updating dependencies ensures you’re not unknowingly housing vulnerabilities. ???????????? ??????????????????????: With .NET Core, enforcing HTTPS is a must. ???????????????? ?????? ????????????????????: Your app’s security diary. Tools like ELK stack or Serilog can provide insights into potential security threats lurking in the shadows. ???? ?????????????????? ?????? ?????????????????? ???????????????? The .NET community is an ever-vigilant watchdog. Platforms like GitHub, Stack Overflow, and even here on LinkedIn are treasure chests of knowledge and experience. Keep learning, keep reading, keep Engaging and keep sharing! ?? ?????????????? ???????? ???? ?????????????? The evolution of security in .NET is a testament to how challenges can transform into opportunities for growth and innovation. In our digital world, security isn’t just a feature; it’s the cornerstone of trust and reliability in our applications. ?? I hope you found this post interesting! Please share your thoughts, and let’s fortify our collective knowledge! #dotnetcore #security #bestpractices #devcommunity #softwareengineering #softwaredevelopment
要查看或添加评论,请登录
-
?? ???????????????????? ?????????????? ?????? ?????????? ?????? ?????????????????? ??????????????: ???????? ?????????????????? ?????? ???????????? ?????? ?????????????????????? ?? APIs are essential for modern applications but can be targets for abuse and attacks. Here’s how to protect them: ?????????????????????????? ?????? ?????????? ?????? ?????????????????? ?????????????? ?? ?????? ?????????? Occurs when APIs are used harmfully, like excessive use or unauthorized access. ?? ?????????????????? ?????????????? Bots can perform brute force, DoS, credential stuffing, and scraping, leading to breaches and disruptions. ???????? ?????????????????? ???? ?????????????? ???????? ???????? 1. ???????? ???????????????? ?????? ???????????????????? Limit the number of requests per user and smooth out traffic bursts to prevent abuse. 2. ?????? ?????? ?????? ?????????? ???????????????????? Use API keys and OAuth tokens for secure authentication. Regularly rotate keys and invalidate compromised ones. 3. ?????????? ???????????????????? ?????? ???????????????????????? Ensure all inputs are validated and sanitized to prevent malicious data and attacks like SQL injection and XSS. 4. ???????????????????????? ?????????????? Use CAPTCHA challenges to distinguish between humans and bots, especially on sensitive endpoints. 5. ???????????????????? ?????? ?????????????? Monitor API traffic for unusual patterns and implement comprehensive logging to detect and investigate anomalies. 6. ???????????????????? ???????????????? Use machine learning to analyze user behavior and detect anomalies, such as spikes in failed login attempts. ???????????????????? Securing your APIs is crucial to protect your applications. Implementing these practices—rate limiting, API key management, input validation, CAPTCHA, monitoring, and behavioral analysis—can help mitigate risks and ensure a safer user experience. ?? Stay tuned for more tips on secure programming! Follow us for updates on API security and secure coding practices. #APISecurity #CyberSecurity #SecureCoding #DeveloperTips #AppSecurity
要查看或添加评论,请登录
-
It will be very interesting to see the potential of #LLMs accelerate #software #development by automating bug fixing, addressing some of the scalability challenges, prioritization of more complex issues, and hopefully (fingers crossed) improving software quality, application #security, and safeguarding #data #privacy and confidentiality. #informationsecurity #cybersecurity #strategy #innovation #digitaltransformation #artificialintelligence #riskmanagement
AI-Generated Patches Could Ease Developer, Operations Workload
darkreading.com
要查看或添加评论,请登录
-
?? ?????????????????? ???????????? ?????????????? ?????????????? ?????????? ???????????????????? - ???????????? ???????? ???????????? ?????????? ????????????????! A Python package, "????-??????????-??????," uploaded to ???????? in ???????? ????????, contains hidden malicious code targeting macOS systems. This package seeks to steal ???????????? ?????????? ???????????????? (??????) ??????????????????????, transmitting them to a remote server. ?????? ????????????????: ? ?????????????????? ????????: The package executes on installation, targeting macOS devices by hashing the machine’s UUID and comparing it to a list of known targets. If matched, the malware accesses and exfiltrates GCP credentials from the ~/.config/gcloud directory. ? ???????????? ????????????: The stolen credentials are sent to a remote server, potentially granting attackers unauthorized access to GCP resources. ???????????? ?????????????????????? ??????????????: ? ???????? ???????????????? ??????????????: A LinkedIn profile for “Lucid Zenith,” falsely claiming to be CEO of Apex Companies, LLC, was found. This may be part of a broader social engineering strategy. ? ???? ???????????????????????? ??????????: Some AI search engines incorrectly confirmed this false information, exposing vulnerabilities in AI-driven verification systems. ????????????????????????: ? ???????????? ?????????? ????????????????: This incident underscores the importance of thoroughly vetting third-party packages, even from widely used repositories like PyPi. ? ???? ???? ??????????????????????????: The inconsistencies in AI verification responses highlight the need for cross-referencing multiple sources to avoid misinformation. ???????????????????? ??????????: ? ???????????? ??????????????: Always check the legitimacy of third-party packages, considering reviews and trusted publishers. ? ?????????????? ????????: Review setup.py and other installation files for hidden or unusual code. ? ?????? ??????????-???????????? ????????????????????????: Cross-reference AI-generated information with other sources. ? ???????? ????????????????: Keep up with cybersecurity trends to protect your development environment. For a more detailed analysis, check out the full article by Yehuda Gelb: Malicious Python Package Targets macOS Developers To Access Their GCP Accounts (https://lnkd.in/eGU8SjT2) Credits: Research and insights by the Checkmarx Security Research Team. #Cybersecurity #Python #macOS #GoogleCloud #SupplyChainSecurity #AI
要查看或添加评论,请登录
-
Day 5 and we are looking at the Top 5 of Large Language Model Vulnerabilites. Hello "LLM05 - Supply-Chain Vulnerabilities" ?? The supply chain in LLMs can be vulnerable, impacting the integrity of training data, ML models, and deployment platforms. These vulnerabilities can lead to biased outcomes, security breaches, or even complete system failures. Traditionally, vulnerabilities are focused on software components, but Machine Learning extends this with the pre-trained models and training data supplied by third parties susceptible to tampering and poisoning attacks. Finally, LLM Plugin extensions can bring their own vulnerabilities. How to prevent: 1) Carefully vet data sources and suppliers, including T&Cs and their privacy policies, only using trusted suppliers. Ensure adequate and independently-audited security is in place and that model operator policies align with your data protection policies, i.e., your data is not used for training their models; similarly, seek assurances and legal mitigations against using copyrighted material from model maintainers. 2) Only use reputable plug-ins and ensure they have been tested for your application requirements. LLM-Insecure Plugin Design provides information on the LLM-aspects of Insecure Plugin design you should test against to mitigate risks from using third-party plugins. 3) Understand and apply the mitigations found in the OWASP Top Ten's?A06:2021 – Vulnerable and Outdated Components. This includes vulnerability scanning, management, and patching components. 4) Maintain an up-to-date inventory of components using a Software Bill of Materials (SBOM) to ensure you have an up-to-date, accurate, and signed inventory preventing tampering with deployed packages. SBOMs can be used to detect and alert for new, zero-date vulnerabilities quickly. 5) If your LLM application uses its own model, you should use MLOPs best practices and platforms offering secure model repositories with data, model, and experiment tracking. 6) You should also use model and code signing when using external models and suppliers. 7) Anomaly detection and adversarial robustness tests on supplied models and data can help detect tampering and poisoning as discussed in?Training Data Poisoning; ideally, this should be part of MLOps pipelines; however, these are emerging techniques and may be easier implemented as part of red teaming exercises. 8) Implement sufficient monitoring to cover component and environment vulnerabilities scanning, use of unauthorised plugins, and out-of-date components, including the model and its artefacts. 9) Implement a patching policy to mitigate vulnerable or outdated components. Ensure that the application relies on a maintained version of APIs and the underlying model. 10) Regularly review and audit supplier Security and Access, ensuring no changes in their security posture or T&Cs. globaldatanet ???We love to build secure next-generation solutions
要查看或添加评论,请登录
-
Preventing malicious code injections is paramount in maintaining the integrity and security of software systems. Robust input validation techniques should be implemented at every level of an application, thoroughly scrutinizing user input for potential threats such as SQL injection, cross-site scripting, and command injection. Utilizing parameterized queries in database interactions, input sanitization routines, and output encoding techniques are effective measures to thwart injection attacks. Regular security audits and code reviews can help identify vulnerabilities early in the development lifecycle. Employing security frameworks and adopting secure coding practices can further fortify defenses against malicious code injections. Moreover, staying informed about emerging threats and promptly patching known vulnerabilities is essential in safeguarding against evolving attack vectors. By prioritizing security throughout the development process and fostering a culture of vigilance, organizations can significantly mitigate the risks posed by malicious code injections. Resilience is not just a word; it's our only protection against the relentless threat of malicious code injections. #resilience #Security #protection
LLMs & Malicious Code Injections: 'We Have to Assume It's Coming'
darkreading.com
要查看或添加评论,请登录
-
?????? ?????????????????? | ?????????? | ???????? | ???????????????? ?????? | ???????????????????? | ?????????????? | ??????????-?????????????? | ?????????????? | ???????????????? | ??????
?? Protecting Your Backend: Understanding Rainbow Table Attacks ?? In backend development, keeping data secure is vital. Let's talk about one sneaky threat - the Rainbow Table Attack. It's essential to grasp this concept to keep your backend systems safe. ?? What's a Rainbow Table Attack? Imagine someone trying to guess passwords. A Rainbow Table Attack is like having a cheat sheet of commonly used passwords and their secret codes. If a hacker gets hold of your hashed passwords, they can quickly crack them using this cheat sheet, gaining unauthorized access to your system. ?? Strengthening Backend Security: 1. **Add Some Salt:** When you store passwords, mix in a "salt" - a unique random string - before hashing them. This makes it much harder for attackers to use their cheat sheets effectively. 2. **Use Tougher Codes:** Choose strong password-hashing methods like SHA-256 or bcrypt. These make it even tougher for attackers to crack passwords, adding an extra layer of security. 3. **Stay on Guard:** Keep your defenses up! Regularly update your security measures and keep an eye out for new threats to keep your backend systems safe and sound. ?? Let's Chat: How do you ensure security in your backend development projects? Share your tips and experiences in the comments below!
要查看或添加评论,请登录
-
Did you know there are tricks malicious actors use to try to slip in harmful software disguised as helpful tools? It's called typosquatting, where package names closely resemble popular ones with minor misspellings. Here are some proactive steps you can take to ensure your development workflow remains secure and efficient: -- Double-check package names before installation: Typosquatting relies on quick mistakes. Take a moment to confirm the spelling matches the intended package. -- Enable Multi-Factor Authentication (MFA) on your accounts: This adds an extra layer of security, making it much harder for unauthorized uploads, even if someone gains access to your login credentials. -- Utilize code signing tools and static code analysis: These tools can cryptographically verify the origin of a package and identify suspicious code patterns before installation, giving you peace of mind. -- Stay updated: Keep your package managers and dependency management tools current to benefit from the latest security patches and vulnerability information. Additionally, consider these advanced security measures: -- Automated checks for similar package names: Some platforms can flag packages with names that closely resemble established ones, helping you identify potential typosquatting attempts. -- Challenge-response mechanisms during uploads: This can help deter automated attacks by requiring a human interaction during the upload process. -- Sandbox testing environments: Analyze uploaded packages for malicious behavior in a controlled environment before they become publicly available. Community reputation data. Some platforms explore leveraging community data to identify suspicious sources for uploads. By following these steps, you can significantly reduce the risk of typosquatting attacks and ensure a smooth, secure development workflow. ?
PyPI halted new users and projects while it fended off supply-chain attack
arstechnica.com
要查看或添加评论,请登录
-
Threat Modeling API Gateways: A New Target for Threat Actors? Trend Micro "Application Programming Interfaces (#APIs) enable functionality by integrating different software components and facilitating data exchange. APIs enable application communication by allowing #microservices to use a standardized interface without needing to disclose internal implementations. APIs can be found in our daily lives — for example, browsing #socialmedia platforms, such as Facebook, X (formerly Twitter), or Instagram, requires calling #APIendpoints in the background. In terms of?usage and adoption, nearly?90% of #developers?are using APIs. And according to?Gartner, the number of #thirdpartyAPI usage will triple by 2025. As they’re used now more than ever,?securing APIs and their #gateways?becomes increasingly challenging. An unsecured endpoint is like a gate that’s left inadvertently open, letting unwelcome gate crashers and burglars in the form of #cybercriminals enter to steal #sensitivedata. The use of APIs also proliferated with the increased adoption of microservices and #cloudbased applications. Because every modern application will interact with an API at some point, APIs could and should be further shielded from attacks, and they should be aggregated under an API gateway, which serves as an entry point to the API world. API gateways are often marketed as a tool for increasing security and tackling API security and visibility issues. Why is it important to secure APIs and #APIgateways? In this article, we will focus on API gateway functions and risks, the advantages of API gateways in #hybridcloud and #multicloud environments, and common #APIsecurity risks and #bestpractices." #CyberSecurity #ThreatActors #CyberAttack #CyberWarfare #ThreatModeling https://lnkd.in/db4acg7N
Threat Modeling API Gateways: A New Target for Threat Actors?
trendmicro.com
要查看或添加评论,请登录
更多文章
-
Non-linear Thinking: Small Changes That Can Transform Your Life
Centizen, Inc. 4 小时前 -
The New Skill Set for AI-Driven Product Development Teams: What Every Leader Needs to Know
Centizen, Inc. 1 天前 -
Unlock the Full Potential of Your Machine Learning Projects with Centizen’s Tailored MLOps Services
Centizen, Inc. 2 天前