Name: Understanding AI Package Hallucination: The latest dependency security threat
Start: 2024-04-25T15:00:00Z
End: 2024-04-25T15:00:07.000Z
Location: BrightTALK
Rating: 0

Learn how software-driven organizations use GitGuardian to strengthen their overall security posture and comply with application security frameworks and standards. 

GitGuardian, founded in 2017, has become the leader in automated secrets detection and is now focused on providing a comprehensive code security platform. It's raised $56M from top investors, including co-founders of GitHub and Docker. Its policy engine helps security teams monitor and enforce rules across all their VCS, DevOps tools, and infrastructure-as-code configurations. GitGuardian offers Secrets Detection, Infra as Code Security, and Honeytoken capabilities all in one platform.

AI-assisted coding tools increase your delivery speed… and unfortunately security risks as well.

In this session, Sonya Moisset, Staff Security Advocate of Snyk (and 4x GitHub Star & GitHub Security Ambassador) will dive into:

- Presenting an overview of AI in development and common AI security risks.
- Use GenAI tools to build a coffee shop demo app and exploit AI-generated vulnerabilities, including SQL injection, cross-site scripting, directory traversal, and more.
- And give you some effective strategies to mitigate and fix AI-generated vulnerabilities.

If you are working with AI as your copilot then this webinar is for you!

Code Fast, Secure Smarter: The Dual Path of AI Development

Open-source components forever changed how we build software, but they are also a prominent security threat, nothing illustrated this better than the recent XZ library incident where the world narrowly avoided a massive supply chain attack.

Join Gene Gotimer, DevOps Engineer at Praeses and Mackenzie Jackson to discuss how we can keep our open-source supply chains secure as we discuss:

- Security implications of vulnerable open-source components
- How using automation can help us move toward a secure supply chain
- How to discover and detect vulnerable components

Securing the Supply Chain - Automating our Way Out of Security Whack-a-Mole

In this engaging episode of "The Security Repo," host Dwayne McDaniel and esteemed guest Rachel Stephens, delve into the rapidly evolving world of security tooling, with a special focus on the buzz around Application Security Posture Management (ASPM). They tackle the complexities and confusions surrounding the burgeoning category of security solutions, offering listeners a clear-eyed view of what ASPM means for developers, security professionals, and the tech industry at large. Through a candid and enlightening conversation, they explore the history and potential future of security practices, the push towards simplification and consolidation of tools, and the real challenges of effectively managing security risks in today's dynamic digital environments. Join us for a thought-provoking discussion that demystifies ASPM and provides valuable insights into the direction of security tooling and practices.

Show Notes: 
Learn more about ASPM - https://blog.gitguardian.com/good-app...

Learn more about RedMonk https://redmonk.com/

Unpacking ASPM: Trends, Truths, and the Future of Security Tools

In this episode of the Security Repo podcast, we take a dive into the intriguing world of hacking the hackers with Vangelis Stykas. Stykas, a notable figure in cybersecurity, shares his experiences and methodologies for compromising C2 servers—central nodes used by hackers to control malware. He reveals how simple web application vulnerabilities can lead to significant breaches in the security of these servers. The discussion also covers the ethical and legal nuances of Stykas' work, including the challenges and risks involved in targeting these digital underworld operatives. Additionally, Stykas touches on his professional journey, including his role as the CTO of Atropos, a company specializing in web application and API security. This episode promises to uncover key discoveries about the shadowy aspects of cybersecurity and the ongoing battle between hackers and those who hack them.

Hacking the Hackers: The Art of Compromising C2 Servers with Vangelis Stykas

Understanding our supply chain means understanding all the components that make it. But this is harder than it appears. Open-source components make up 80 - 90% of our application's source code, but we must also remember that our open-source components are also made from open-source components, it's like supply chain inception. 

SCA or Software Composition Analysis is a security tool that looks at your entire supply chain and outlines vulnerabilities, including transitive or downstream dependencies. 

In this video, we discuss real-world implications of supply chain risk and break down how an SCA tool fits into your security position. 

Introduction  0:00 
Risks of dependencies 0:20
Log4J Example 2:25
UA Parsjer Example 3:15
Event-stream example  4:01
SCA tools 4:40

Understanding Supply Chain Risk - Using SCA to protect your application

In this video, we show exactly how to use AWS Secrets Manager and how to connect it with your Python application. 
Secrets are hard to manage and while using methods like storing them as environment variables in a .env file can be suitable, a more secure method particularly in a team is to use a secrets manager so developers can avoid ever needing to handle the plain text secret. 

Subscribe to the channel to get more Tech Tips on Tuesdays (and also other days) 

View the source code used in this video at -https://github.com/techwithmack/aws-secrets-py

Learn more about AWS secrets manager here - https://www.gitguardian.com/remediation/agora-api-key 

0:00 intro
0:20 Why use secrets manager 
2:09 Overview AWS Secrets Manager
2:29 Storing new secret AWS 
4:37 Adding new AWS user 
5:35 Configure (connect) AWS user locally 
6:58 Example python project (using .env file)
8:25 AWS secrets manager Python Code
12:08 Managing JSON object
12:35 Load into env variable 
14:08 Calling load secret function
16:29 Changing secrets

Manage secrets with AWS Secrets Manager with Python - Tech Tip Tuesday

This episode of The Security Repo Podcast features an insightful discussion with Gregory Zagraba on the challenges and strategies of integrating security practices within the DevOps landscape. Covering the evolution of DevOps, the emergence of DevSecOps, and the importance of a culture shift in large organizations, the conversation delves into practical advice on automation, the significance of backups, and fostering a security-conscious mindset. Through real-world examples and expert insights, the episode sheds light on creating robust, secure systems in the fast-paced world of software development and data protection.


Show Notes: 
Git Protect https://gitprotect.io/
Git Protect Blog https://gitprotect.io/blog/

Time Stamps
Intro: 0:00
What is DevOps?: 1:42
Security Challenges with DevOps: 4:20
Implementing DevSecOps: 6:33
Building DevSecOps Culture: 9:35
What is GitProtect: 16:40
How to detect threats wit DevSecOps: 19:13 
Real World examples of DevSecOps: 23:15 
Stay Informed: 26:10 
Best and Worst Security Advice: 32:31

The Evolution of DevSecOps: Integrate Security into DevOps with Gregory Zagraba

In this video we provide a breakdown of the nation-state attack on Microsoft by Russian backed hacking group Midnight Blizzard ( also known as NOBELIUM) that happened between November 2023 and March 2024. 

The attack targeted Microsoft's corporate email systems, with evidence showing attempts to gain unauthorized access to source code repositories and internal systems. While no evidence suggests compromise of Microsoft-hosted customer-facing systems, the attackers have escalated certain aspects of the attack, such as password sprays. The video highlights Microsoft's response efforts, including increased security investments, cross-enterprise coordination, and implementation of enhanced security controls and monitoring to defend against this advanced persistent threat. Ongoing investigations into Midnight Blizzard's activities are emphasized, with a commitment to sharing relevant findings with stakeholders.

Microsoft attacked by Russian hackers - Midnight Blizzard breach explained

Explore the industry-first solution designed to empower security and development teams in securing secrets across multi-cloud, DevOps, and containerized environments. Discover innovative use cases, from detecting public GitHub leaks to enforcing secret management policies.

Don't miss this opportunity to delve into the future of secrets security with our very own Mackenzie Jackson from GitGuardian and special guests Evan Litwak and David Hisel from CyberArk. Save your spot now for an engaging conversation redefining your approach to secret protection in software development.

New Cyberark and GitGuardian Integration: Keeping Your Secrets Secure

Embark on an exciting journey into the realm of ethical hacking with our webinar, "Crack the Code: A Beginner's Guide to Ethical Hacking." Join Sonya Moisset of Snyk as we unveil the mysteries of cybersecurity and provide you with the tools to protect your digital assets.

Crack the code a beginners guide to ethical hacking

We understand the struggle of securing sensitive data—API tokens, cloud credentials, and database URLs have a knack for slipping into the public eye, be it in code repositories, CI job logs, or unexpected corners like Jira tickets.

We've been championing this cause since 2017, scouring over a billion public GitHub commits last year alone and uncovering a staggering 10 million in 2022. We've gone beyond reports, beyond thought leadership, to unveil a real solution: HasMySecretLeaked!

HasMySecretLeaked will change the way you secure secrets. No scanning—just auditability for every secret across vaults, pipelines, and more, to pinpoint leaks and their origins. If you’re wondering if your secrets have slipped into the wild, far beyond your control, HasMySecretLeaked has the answers.

Hosted by Mackenzie Jackson, Security Advocate at GitGuardian, this webinar will navigate through the pivotal features and showcase how this integration improves your secrets security posture. Don't miss this chance to enhance your secrets management practices and interact with industry experts!

Have Your Secrets Leaked? It’s time to find out!

In this video, we drill down into the recent breach of Cloudflare systems including how attackers were able to use stolen credentials from the Okta attack to move laterally and hack the Cloudflare internal Atlassian server. The security incident shows the dangers of secrets sprawl not only in internal systems but also in the supply chain leading to potential data leaks.

Read more about the article here: https://blog.gitguardian.com/the-secrets-out-how-stolen-auth-tokens-led-to-cloudflare-breach/

How the Okta attack led to Cloudflare systems getting hacked

In an era where digital security is paramount, GitGuardian stands as your ultimate code security solution. Presented by Mackenzie Jackson, a Developer Advocate at GitGuardian, this video unveils the platform's cutting-edge features designed to bolster your software supply chain.

GitGuardian is your comprehensive safeguard, exposing and protecting critical assets across your supply chain. From Secrets Detection to Infra as Code Security and the powerful Honeytoken, this platform equips you to proactively secure your code.

Automated operations streamline your workflow, allowing your team to focus on high-impact tasks. Trusted by Fortune 500 companies, GitGuardian promotes collaboration between security and development teams, delivering scalability, fine-grained access controls, and smart prioritization.

Join the code security revolution with GitGuardian. Visit our website or contact us today to unleash the full potential of your software supply chain security. GitGuardian: where security meets innovation, safeguarding your code and your future.

What is GitGuardian?

The video based on this article discusses a cybersecurity researcher's experience in uncovering a major security flaw in an AI-based hiring system called Chattr.ai, which provides services to numerous fast-food chains and hourly employers across the United States, including popular names like Applebees, Arbys, Chickfila, Dunkin, IHOP, KFC, Shoneys, Subway, Tacobell, Target, and Wendys. The researcher's investigation was triggered by their suspicion that many startups using Firebase, particularly those with the .ai top-level domain, may have exposed credentials.

In this video, we describe how the security researchers made access and retrace their steps. 

Original article - https://mrbruh.com/chattr/

Breach Breakdown - Fast food restaurants hacked simultaneously

GitGuardian scans GitHub round the clock for companies' exposed secrets and alerts their security teams before it’s too late. 

This short demo shows exactly how GitGuardian's Public Monitoring platform can help you identify your developers on GitHub, even when using personal accounts, monitor your perimeter for secrets leaks, and help you collaborate with developers to remediate exposure.

Protecting your attack surface on public GitHub with GitGuardian

GitGuardian’s Secrets Detection solution helps unite Dev. Sec. and Ops to fight hardcoded secrets. 

In this short demo, we show exactly how GitGuardian can help identify secrets inside your source, quickly and effectively remediate incidents and prevent secrets from being committed into source code repositories.

Scanning and fixing hardcoded secrets in source code with GitGuardian

In this video, we explore AI package Hallucination. This threat is a result of AI generation tools hallucinating open-source packages or libraries that don't exist. 

In this video, we explore why this happens and show a demo of ChatGPT creating multiple packages that don't exist. We also explain why this is a prominent threat and how malicious hackers could harness this new vulnerability for evil. It is the next evolution of Typo Squatting. 

Introduction: 0:00
What is AI package Hallucination: 0:12
Sacrifice to the YouTube Gods: 0:33
How AI models find relationships: 0:45 
Lawyer uses hallucinated legal cases: 1:18
How we use open-source packages: 1:39
How ChatGPT promotes packages: 2:17 
Example of AI Package Hallucination: 2:51
Why is package hallucination a security risk: 3:46
How many packages are hallucinated? 5:37
Protection measures against AI Package Hallucination: 6:18

Understanding AI Package Hallucination: The latest dependency security threat

IT Security

Cyber Attacks

Cyber Defence

AIOps

DevSecOps

Cyber Incident Response

Cloud computing has exploded over the past few years, delivering a previously unimagined level of workplace mobility and flexibility. The cloud computing community on BrightTALK is made up of thousands of engaged professionals learning from the latest cloud computing research and resources. Join the community to expand your cloud computing knowledge and have your questions answered in live sessions with industry experts and vendor representatives.

Cloud Computing

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Get powerful end user computing insights from influential EUC experts. Connect with thought leaders and colleagues to get the most up-to-date knowledge on effective approaches to get non-programmers to create working applications.

End User Computing

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Understanding AI Package Hallucination: The latest dependency security threat

Presented by

About this talk

More from this channel