YL Ventures’ Post

The second annual State of ASPM report - https://lnkd.in/g7KwkfP2 - has just been published by Cycode | Complete ASPM. This research comes at a critical moment, as 72% believe AI is going to drive a complete overhaul to application security (I’m still trying to decide if the other 28% are wise, or burying their heads in the sand). 2025 will certainly be a year with code security in a spotlight, and this report is a must-read for anyone striving to build greater code resilience in their organization.

⏰ Sharing some wisdom. Indeed is an very interesting read. Why? 🔹Because it covers pain points like the sprawl of appsec tools including code security. 🔹The challenge that developers are generating more code (AI co-pilots), but still no more secure code. 🔹A case for best-of-breed code security tools instead of so-called platforms or multifunctional tools. #cybersecurity #ASPM #securecode Cycode | Complete ASPM

Critical RCE Vulnerability Discovered in Ollama AI A critical Remote Code Execution (RCE) vulnerability has been identified in the Ollama AI infrastructure tool, which could potentially allow attackers to gain control over affected systems. Details of the Vulnerability The vulnerability, tracked as CVE-2024-37032 and codenamed "Probllama," stems from insufficient input validation leading to a path traversal flaw. This flaw can be exploited by sending specially crafted HTTP requests to the Ollama API server, targeting the "https://accionvegana.org/accio/0ITbvNmLulGZltmbpxmL3d3d6MHc0/api/pull" endpoint. Attackers can use this flaw to overwrite arbitrary files on the server, leading to remote code execution. Impact and Exploitation The vulnerability is particularly severe in Docker installations, where the API server runs with root privileges and is publicly exposed. This setup allows remote attackers to exploit the vulnerability, potentially compromising the entire system. The lack of authentication in Ollama exacerbates the risk, enabling attackers to steal or tamper with AI models on publicly accessible servers. Read More: https://lnkd.in/dQ9KsK7N #CyberSecurity #AIVulnerability #RCE #TechSecurity #PathTraversal

🔒 Google’s AI-Powered OSS-Fuzz Tool Discovers 26 Vulnerabilities in Open-Source Projects 🔍 Google's innovative AI-driven fuzzing tool, OSS-Fuzz, has identified 26 critical vulnerabilities in open-source code repositories, marking a significant milestone in automated vulnerability detection. The vulnerabilities include a medium-severity flaw in the OpenSSL cryptographic library (CVE-2024-9143), a memory write bug that can lead to application crashes or remote code execution. 🚨 This breakthrough highlights the potential of artificial intelligence in cybersecurity. By leveraging AI-generated fuzz targets, Google’s tool was able to uncover vulnerabilities that traditional fuzzing methods might have missed—one of which has been present for nearly two decades! 🌐 The improvements in code coverage and automation have been game-changing, uncovering over 370,000 new lines of code. As Google continues its efforts to enhance security through AI, the impact on both open-source projects and enterprise-level security will only grow. 💻🔐 This marks a significant step towards making software more secure by integrating AI-assisted vulnerability detection, further strengthening the open-source ecosystem and the broader cybersecurity landscape. #CyberSecurity #AI #OpenSource #VulnerabilityManagement #SoftwareSecurity #Google #CVE #OSSFuzz #Fuzzing #OpenSSL #TechInnovation

LLM Gateway - When the door can be open. LLM Gateways are evolving as a foundational component in integrating fine-tuned or large foundational models into various applications. These gateways simplify interfacing with different LLM providers, streamline compliance, and offer tools to optimize the performance and reliability of the calls. One of the primary challenges in deploying LLMs in production is accessing multiple models from different providers. This design pattern is often referred to as "Multi LLM." Key Features of LLM Gateway As you build applications powered by LLMs, it becomes clear that managing these interactions efficiently is vital to success. AI Service gateways are emerging as a popular solution, but what can these gateways do? > Secure the process > AuthN and AuthZ > Rate limit > Custom Pre and Post Processing > Monitoring and Logging The LLM gateway solution can be simple or complex, depending on the functionality and sophistication required. As you add more functionality, you can introduce systems that allow the gateway to handle authentication credentials for various providers without exposing them. An authentication mechanism that adds a layer of security can complete this, ensuring that only authorized entities can make calls to the LLM gateway. Overall, LLM gateways have become a fundamental tool for teams looking to integrate LLMs into their applications, security, and visibility. Thanks, Grig Duta, for the image. #security #cybersecurity #informationsecurity

There was a ton of diverse papers this week across so many different spaces in security. It was hard to keep the selection down to these few, but I've included all the links in the broader newsletter. 🫥 The Perfect Blend: Redefining RLHF with Mixture of Judges   🔏 Confidential Prompting: Protecting User Prompts from Cloud LLM Providers 🦺 Overriding Safety protections of Open-source Models 🤖 Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents 🧠 Undesirable Memorization in Large Language Models: A Survey 🚧 The potential of LLM-generated reports in DevSecOps 🏋 AutoPenBench: Benchmarking Generative Agents for Penetration Testing https://lnkd.in/e-QTfvPs #RLHF #MixtureOfJudges #AIInnovation #MachineLearning #ConfidentialPrompting #DataSecurity #PrivacyProtection #CloudSecurity #ModelSafety #OpenSourceAI #AISecurity #CyberRisk #AgentSecurityBench #LLM #AIThreats #CyberDefense #UndesirableMemorization #LLMSecurity #AIMemory #MachineLearningSurvey #DevSecOps #LLMReports #AIAutomation #Cybersecurity #AutoPenBench #PenetrationTesting #GenerativeAgents

🔑 🤖 Key Security Considerations to Keep in Mind When Using GenAI https://ift.tt/mlriTLv #genai #genaitrends #futureofai #itstrategy

DARPA competition shows promise of using AI to find and patch bugs: The multimillion dollar challenge is trying to harness artificial intelligence to deliver major gains in cybersecurity. The post DARPA competition shows promise of using AI to find and patch bugs appeared first on CyberScoop. #cyber #cybersecurity #informationsecurity #Innovation #cyberjobs #cloud #cloudsecurity #management

AI and ML are pivotal in 2024 for enhancing network security, offering proactive threat identification and mitigation. ExtraHop's Reveal(x) utilizes cloud-scale ML for scalable, advanced threat detection and response, emphasizing the importance of these technologies in maintaining a secure, efficient network. For an in-depth look at how Reveal(x) leverages AI and ML for security, check out their page: https://lnkd.in/eY2gxfbT #NetworkSecurity #Extrahop #Cybersecurity #ITSolutions

How human ingenuity continues to outpace automated security tools: 10% of security researchers now specialize in AI technology as 48% of security leaders consider AI to be one of the greatest risks to their organizations, according to HackerOne. HackerOne’s report combines perspectives from the researcher community, customers, and security leaders. It explores how security-focused organizations integrate human expertise with technology and AI for a defense-in-depth strategy. AI is a threat and an opportunity 67% of security professionals said an external and unbiased review of … More → The post How human ingenuity continues to outpace automated security tools appeared first on Help Net Security.