Intro
Hey,
The beginning of this year has been pretty interesting from a product security perspective. In recent weeks, we have observed a number of great articles, tools, and events. DeepSeek V3 was released as an open-source AI model that brought a significant attention and it didn’t take long to compromise its database. Wiz Researchers described how they identified a ClickHouse database containing sensitive data, including chat history.
In the realm of AppSec tooling, Google released OSV-Scanner v2 beta, an open-source vulnerability scanner focused on identifying known vulnerabilities in a project’s dependencies. The newest version adds layer-aware container scanning, interactive HTML output, and guided remediation for Maven. Considering its features, it can compete with similar commercial solutions and I strongly believe in this project.
Furthermore, Opengrep—a fork of Semgrep—was launched. This project is a response to Semgrep’s licensing changes for its rules. Semgrep Community Edition can still be used for securing commercial projects. However, commercial companies providing services using Semgrep rules are not permitted to do so. As a result, a consortium of 10+ security-related organizations decided to launch Opengrep. So far, we haven’t received a roadmap or features that could convince companies to use Opengrep internally at this point, but personally I’d give them some trust credit at the beginning. Let’s see what time will bring.
Enjoy the materials and stay secure!
Materials
🕵️ Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History
What were the implications of a security breach at DeepSeek? Wiz Research uncovered a publicly accessible database linked to the AI startup DeepSeek, revealing over a million lines of sensitive data, including chat histories and API keys. The article emphasizes the need for robust security measures in rapidly adopted AI technologies, targeting industry professionals and security teams.
🛠️ OSV-Scanner v2.0.0-beta1 is ready!
What new features can developers expect from OSV Scanner V2? In this article, the OSV Team announces the beta release of OSV Scanner V2, highlighting enhanced container scanning, interactive HTML outputs, and guided remediation for Maven. It’s aimed at developers and security professionals seeking improved vulnerability management tools.
📃 Opengrep Emerges as Open Source Alternative Amid Semgrep Licensing Controversy
What does the launch of Opengrep mean for the future of open source static application security testing? This article discusses the establishment of Opengrep as a community-driven alternative to Semgrep, reacting to Semgrep’s controversial licensing changes. It’s insightful for developers and application security teams interested in open source tools and SAST solutions.
🛠️ Don’t let these open-source cybersecurity tools slip under your radar
What insights does the article offer on emerging technologies? Readers will find an exploration of key advancements in AI, blockchain, and renewable energy, tailored for tech enthusiasts and industry professionals looking to understand future trends and their impacts on society.
🛠️ promptmap – a Prompt Injection Scanner
How can you secure your custom LLM applications from prompt injection attacks? This article introduces PromptMap, a vulnerability scanning tool designed for testing such applications. Developers and security professionals will find guidance on setup, usage, and customizable testing rules for various LLM providers, including OpenAI and Anthropic.
🕵️ The Tainted Voyage: Uncovering Voyager’s Vulnerabilities
What vulnerabilities could put Voyager users at risk? This article details critical security flaws found in the Voyager PHP package, used in Laravel applications. It uncovers arbitrary file upload and remote code execution vulnerabilities. Developers and security professionals will find insights on risk identification and mitigation strategies.
🕵️ CVE-2024-46507: Yeti Platform Server-Side Template Injection (SSTI)
What vulnerabilities threaten the Yeti Forensic Intelligence platform? This article discusses two critical security flaws that could allow unauthenticated remote code execution. It’s essential reading for cybersecurity professionals and DFIR teams seeking to understand and mitigate risks in forensic intelligence tools.
🧵 I’m the CTO of Container Security at Wiz, AMA!
AMA – Ask Me Anything with the CTO of Wiz Container Security at Reddit.
📃 Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike
How are web shells transforming cyber threats? The latest Cisco Talos report reveals a significant rise in web shell deployments against vulnerable applications, marking a shift in attack vectors. Targeting primarily the education sector, this comprehensive analysis is essential for cybersecurity professionals seeking to understand evolving ransomware tactics and improve defenses.
📃 Product Security Bad Practices
What are the critical product security bad practices that software manufacturers should avoid? This article outlines essential cybersecurity guidelines from CISA to help manufacturers mitigate risks in developing software for critical infrastructure. It’s geared towards software engineers and cybersecurity professionals.
