Blog | ReversingLabs | Richi Jennings (3)

February 21, 2023

Core-JS: Beware hidden dependencies from indebted Russian developers

Denis Pushkarev has big debts — and his code is everywhere. The supply chain security alarm should be at DEFCON 2 by now. We sum it up at fast pace.

February 15, 2023

Lessons from ChatGPT, Bing AI, Bard and Copilot: Chatty AI is just a toy

Beep, boop; hope, hype: Generative AI isn't ready for prime time. So don't play games with your software development.

February 7, 2023

C-SCRM: We’re from the government — and we’re here to help with software supply chain security

A whole alphabet soup of agencies, offices and councils are springing up in D.C. and beyond. They’re trying to help us with the software supply chain security problem. It’s all about cybersecurity supply chain risk management, as the Washington wonks now insist on calling it. Beltway chatter is all C-SCRM this, guidance that and policy the other.

January 31, 2023

Google’s Open Source Team Layoffs A Security Risks

Firing ‘the best of the best’ in open source does not bode well for software security. Will the last to leave please turn off the lights?

January 24, 2023

Move over, npm: Now VS Code extensions can’t be trusted

It’s super easy to spoof Visual Studio Code extensions. And it’s incredibly hard to detect. In this week’s Secure Software Blogwatch, we run and hide.

January 18, 2023

GitHub Copilot’s ML ‘Code Brushes’: Ready for a Bob Ross ‘happy little accident’?

Machine learning can be a cognitive crutch, causing code vulnerabilities. Use with extreme caution!

January 11, 2023

If you don't love me now: JsonWebToken could break the software supply chain (again)

The JsonWebToken library has a serious flaw, which could lead to remote code execution. While exploitability is questionable, it could be a big problem.

January 4, 2023

PyTorch supply chain attack: Dependency confusion burns DevOps

The PyTorch open source software supply chain was compromised by a hacker publishing a malicious torchtriton clone on PyPI. Here's the craic.

December 20, 2022

DraftKings fantasy? How YOU can prevent credential stuffing attacks

There’s been a huge uptick in credential stuffing attacks, including at DraftKings. But dev teams can easily prevent it.

December 14, 2022

Ahoy! More insecure code washes ashore with AlphaCode

Here comes AlphaCode: Another AI code-generating parlor trick spitting out vulnerabilities. Is your software security team ready for the onslaught?

December 7, 2022

ChatGPT: Parlor trick or Stack Overflow replacement?

The initial flush of enthusiasm for ChatGPT has waned. And quite a few of the bugs in the buggy code it spits out are exploitable security vulnerabilities.

November 30, 2022

Meta’s GDPR fine: Why your DevOps needs red teaming

Meta’s been fined $276 million for scraping data. What can you do to prevent this in your dev shop?

Software Supply Chain Security

File Security

Security Operations

Products

Technology

Partners

Alliances

Resources

Company

Events

Press