home.social

#software-security — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #software-security, aggregated by home.social.

  1. The Cyberagentur has published the call for tenders for 3S. It is looking for approaches that make software security traceable, measurable and comparable. Instead of mere seals, everyday digital life needs robust assessments.
    Applications by 15.06.2026. t1p.de/5q5gg
    #Cyberagentur #Cybersicherheit #SoftwareSecurity #3S #Ausschreibung

  2. 3S has launched: The Cyberagentur is seeking approaches that make software security measurable and comparable. Applications due by June 11, 2026. [Link to e-procurement]
    t1p.de/m85ce
    #3S #Cybersecurity #SoftwareSecurity
    nachrichten.idw-online.de/2026

  4. Warning: CVE-2025-40739 (CWEs: ['CWE-125']) found no CAPEC relationships.
    Warning: CVE-2025-40741 (CWEs: ['CWE-121']) found no CAPEC relationships.

    #SoftwareSecurity #MemorySafety #CWE #ADBE
    2/2

  5. The EU’s Cyber Resilience Act (CRA) is a “GDPR moment” for #SoftwareSecurity.

    In this #InfoQ #podcast, Viktor Peterson explores how the CRA is reshaping expectations for software producers & supply chain compliance.

    Key highlights:
    ✅ Why SBOMs are operational assets
    ✅ The danger of "weaponized code" in your security tools
    ✅ The shift toward vendor-neutral discovery

    🎧 Listen now: bit.ly/429icwC

    📄 #transcript included

    #CyberSecurity #SBOM #SoftwareSupplyChain #Compliance

  6. AI that codes can also break systems 🔓 — so Anthropic launched Project Glasswing to find vulnerabilities before hackers do. With partners like NVIDIA, Apple, and Google, their AI model has already flagged thousands of serious bugs in major browsers and operating systems. Read the article to learn how this defensive approach could reshape software security ⚡

    #ProjectGlasswing #Anthropic #Cybersecurity #AI #SoftwareSecurity

    true-tech.net/project-glasswin

  7. I’ve been thinking a lot about where AI coding tools stop being “helpful” and start becoming part of the runtime risk model.

    This piece is about that line.

    For Java teams, the real issue is not bad generated code. It’s excessive agency: shell access, secrets, MCP tools, and autonomous actions without enough containment.

    the-main-thread.com/p/ai-codin

    #Java #Quarkus #DevSecOps #AICoding #SoftwareSecurity #EnterpriseJava

  8. 🚨 Alert: Tech Titans Unite! 🚨 Apparently, the world's biggest tech companies have banded together in a grand quest to "secure critical software," because apparently #AI is now a #superhero coder and we're all doomed without this committee of corporate overlords. 🤖💼 Oh, please, as if adding more buzzwords will magically make our software safe and sound. 🛡️✨
    anthropic.com/glasswing #TechTitans #Unite #Coders #SoftwareSecurity #CorporateOverlords #BuzzwordOverload #HackerNews #ngated

  9. Here are four of the ten looping Claude user quotes on anthropic.com homepage... Mind you, these are not dynamic, they chose these explicitly. Are they trying to represent user sentiment accurately or are they reading these very differently than I am?

    I went there after watching this talk: "Nicholas Carlini - Black-hat LLMs", from one of their engineers. There's definitely good work by talented and conscientious people that's going on there.

    I'm rewriting this post because I'm cynical of corporate motives but I also don't think that interpreting everything cynically is helpful. Even after the VC funding runs out (hopefully before we destroy the planet and society), these tools won't disappear especially for malicious actors. So if they're also building tooling to mitigate harm / defend against threat actors, do I dare to hope they're reading the quotes the same way I am? Or is it more of:

    I feel like I'm creating more dependency than knowledge.

    #AI #Anthropic #Claude #Blackhat #LLM #SoftwareSecurity #Cybersecurity #ThreatActor

  10. Log4Shell - Spring4Shell - The XZ Backdoor

    These aren't just headlines - they are wake-up calls! As the software ecosystem grows more complex, the question remains: Are we ready for the next #CyberSecurity crisis?

    In this #InfoQ video, Soroosh Khodami shares practical strategies to secure your development lifecycle, whether you're a lean startup or a global enterprise.

    🎬 Watch now: bit.ly/4cq4DxN

    📄 #transcript included

    #SoftwareSecurity #SecurityVulnerabilities

  11. 🚨 Supply chain attacks: Your npm dependencies are already compromised.

    Three vectors:
    1. Typosquatting (reqest vs request)
    2. Compromised owner accounts
    3. Malicious "helpful" packages

    2,847 malicious packages in 2025. How many are in your production codebase?

    Defense guide: tiamat.live/analysis/supply-ch

    #DevSecOps #SoftwareSecurity #SupplyChain
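    The first of the three vectors above, typosquatting, is the one a team can screen for mechanically before install. The following is an added example, not code from the post or the linked guide: it parses a constructed package.json and flags any dependency whose name is within one edit of a package on a hypothetical allowlist of names the team already vets (`KNOWN_PACKAGES` is an assumption, not a real registry feed). It is a heuristic; a dependency that is flagged deserves review, and one that is not flagged is not thereby clean.

```python
import json

# Constructed sample manifest for illustration; not a real project's package.json.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "request": "^2.88.0",
    "reqest": "^1.0.0",
    "lodash": "^4.17.21",
    "left-pad": "^1.3.0"
  },
  "devDependencies": {
    "expresss": "^4.18.0"
  }
}
"""

# Hypothetical allowlist of package names the team already vets (assumption).
KNOWN_PACKAGES = {"request", "lodash", "express", "left-pad", "react", "axios"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute). A distance of 1 between a
    dependency name and a well-known package name is the classic typosquat shape."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_typosquats(manifest_text: str, known=KNOWN_PACKAGES, max_distance: int = 1):
    """Return (dependency, [close known names]) for every dependency that is
    not itself on the allowlist but sits within max_distance edits of one."""
    manifest = json.loads(manifest_text)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    hits = []
    for name in deps:
        if name in known:
            continue  # exact match on a vetted name: nothing to flag
        close = sorted(k for k in known if levenshtein(name, k) <= max_distance)
        if close:
            hits.append((name, close))
    return hits


if __name__ == "__main__":
    for dep, lookalikes in find_typosquats(SAMPLE_PACKAGE_JSON):
        print(f"suspicious dependency {dep!r}: one edit away from {lookalikes}")
```

    Run it against a real package.json by reading the file into `find_typosquats`; the allowlist can be replaced with the names already present in a reviewed lockfile so that only newly introduced look-alikes are reported.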

  12. #WhatsApp has rewritten its media handling library in #RustLang!

    The result❓ The codebase dropped from 160,000 lines of C++ to 90,000 while adding robust memory safety protections.

    Running on billions of devices - Android phones, iPhones, desktops, watches, and web browsers - this marks one of the largest client-side Rust deployments to date.

    Find out more: bit.ly/4tv205g

    #SoftwareDevelopment #SoftwareSecurity #MemoryLeaks #InfoQ

  13. #Cedar - an #opensource authorisation policy language and SDK - has officially joined the Cloud Native Computing Foundation (#CNCF) as a Sandbox project!

    It aims to provide a vendor-neutral standard for defining and enforcing fine-grained permissions in modern applications.

    Details here 👉 bit.ly/3LMktJP

    #DevOps #PolicyAsCode #SoftwareSecurity #Governance #InfoQ

  14. On 05.02.2026: virtual partnering event on the @Cyberagentur research programme Software Security Score (3S).
    Focus: making software security measurable, comparable and transparent, as a process across the entire lifecycle. Beyond binary seals and purely symbolic ratings.
    Info: t1p.de/880mn
    Registration by 02.02.2026: t1p.de/8xtmd
    #Cybersicherheit #SoftwareSecurity #3S #Forschung #ITSecurity #DigitaleGesellschaft

  15. Random bug discovery during a tech support call last night: in #Windows (11, current patch version, and I haven't tested how far back), on attempting to run an executable for which the registry has an image file execution option referencing a non-existing executable (to run as a parent process), the resulting "Windows cannot find …" dialog has, in place of the missing file, arbitrary nonsense characters which seem to be either uninitialized memory or memory referenced by a freed pointer. (I haven't tested which yet.)

    I wonder if this can be exploited somehow. It smells like a #security defect in the Windows shell. I don't have time to chase it to root cause right now; someone feel free to scoop this one if it's what it seems to be.

    And on a side note: Why does Autoruns (from Sysinternals) lack a category for image file execution options which redirect one execution through another? (It has one for image hijacks, but not this.)

    #Microsoft #Windows11 #softwareSecurity #appSec
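    The Image File Execution Options entries the post describes are worth auditing on their own, independent of any tooling category. The following is an added example, not code from the post: it parses the text shape produced by `reg query "HKLM\...\Image File Execution Options" /s /v Debugger`, pulls the executable out of each `Debugger` value (quoted paths and trailing arguments included), and reports whether that executable exists (a redirect through another program) or is missing (the dangling case that produces the "Windows cannot find" dialog). The sample output, the key names and the set of existing paths are all constructed for the example; on a real host, feed it the actual `reg query` output and use `os.path.exists`.

```python
import os
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample shaped like `reg query ... /s /v Debugger` output; not captured from a real machine.
SAMPLE_REG_QUERY = IFEO_KEY + r"""\helper.exe
    Debugger    REG_SZ    C:\Tools\missing-wrapper.exe --child

""" + IFEO_KEY + r"""\notepad.exe
    Debugger    REG_SZ    "C:\Program Files\Launcher\launch.exe" /q

""" + IFEO_KEY + r"""\calc.exe
    GlobalFlag    REG_DWORD    0x0
"""

# Constructed stand-in for the filesystem so the example runs offline.
CONSTRUCTED_EXISTING = {
    r"C:\Program Files\Launcher\launch.exe",
    r"C:\Windows\System32\cmd.exe",
}

_DEBUGGER_LINE = re.compile(r"^\s+Debugger\s+REG_SZ\s+(.*\S)\s*$")


def parse_reg_query(text: str) -> dict:
    """Map image name (the IFEO subkey) -> raw Debugger value.
    Subkeys without a Debugger value are ignored."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.rstrip().rsplit("\\", 1)[1]  # subkey = image file name
            continue
        m = _DEBUGGER_LINE.match(line)
        if m and current:
            entries[current] = m.group(1)
    return entries


def debugger_executable(value: str) -> str:
    """First token of the Debugger value: a quoted path or the text up to the first space."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split()[0]


def audit_ifeo(entries: dict, exists=os.path.exists):
    """Classify each Debugger redirect as 'redirect' (target present) or 'dangling' (target missing)."""
    report = []
    for image, raw in entries.items():
        exe = debugger_executable(raw)
        report.append((image, exe, "redirect" if exists(exe) else "dangling"))
    return report


if __name__ == "__main__":
    for image, exe, status in audit_ifeo(parse_reg_query(SAMPLE_REG_QUERY),
                                         exists=CONSTRUCTED_EXISTING.__contains__):
        print(f"{image}: Debugger -> {exe} [{status}]")
```

    Every `redirect` entry is an execution of one program rerouted through another and should be reconciled against a known-good list; a `dangling` entry is both a sign of leftover or tampered configuration and the trigger for the dialog behaviour described above.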

  16. 🚨 Supply Chain Attack Simulation on Drupal (PoC, not a CVE)

    What if a malicious actor hijacked the update server for your favorite CMS?
    I built a full lab scenario to demonstrate how it could happen — and how to defend against it.

    🔬 Techniques covered:

    MITM + rogue CA, fake update feeds, trojanized package → RCE & persistence.
    Full doc + PDF PoC.

    Full documentation: attack steps, scripts (in PDF), hardening tips

    ⚠️ Not a Drupal 0-day — this is a controlled, educational simulation for awareness and training.

    💡 Why it matters

    Supply chain attacks are no longer theoretical.
    This demo helps Blue Teams, Red Teams, developers, and trainers strengthen detection, review processes, and update security.

    👉 Repo:
    github.com/privlabs/-Supply-Ch

    Questions or feedback?
    DM me or email me (contact in README).

    All in lab, all safe

    #cybersecurity #infosec #securityresearch #offensivesecurity #blueteam
    #redteam #supplychainsecurity #drupal #websecurity #devsecops
    #softwaresecurity #rce #mitm

  17. Leanpub Book LAUNCH 🚀 Code, Chips and Control: The Security Posture of Digital Isolation by Sal Kimmich

    Through the lens of the top 100 hacks since 1985, learn cybersecurity through real-world examples of what went wrong to convince us of “best practices”.

    Watch on our blog here:

    leanpub.com/blog/leanpub-book-

    #books #leanpublishing #selfpublishing #booklaunch #cybersecurity #infosec #securityarchitecture #supplychainsecurity #opensource #devsecops #hardwaresecurity #softwaresecurity #zerotrust