
  • Is AI-Generated Code Secure? – SANS Internet Storm Center



    The title of this diary is perhaps a bit catchy, but the question is important. I don’t consider myself a good developer. That’s not my day job, and I write code to improve my daily tasks. I like to say “I’m writing sh*ty code! It works for me, no warranty that it will work for you”. Today, most of my code (the skeleton of the program) is generated by AI, probably like most of you.

    My daily morning routine is to follow RSS feeds and news, and today I spotted an interesting tool called “Bandit”[1]. It’s a tool designed to find common security issues in Python code. Because I mainly write Python code, it made me curious to test it.

    I regularly use a Python script that was 99% generated by AI. I just made some adjustments, but all the core features have been generated. This script was a good candidate to be analyzed by Bandit because:

    • It has a decent size (1500 lines)
    • It uses many dependencies (Python libraries)
    • It is multi-threaded for performance
    • It collects data from online resources (network interactions)

    Bandit is super easy to use, first download the Docker image (good to know, images are signed!):

    
    docker pull ghcr.io/pycqa/bandit/bandit

    Now, scan your code:

    
    docker run -it --rm -v $(pwd):/data ghcr.io/pycqa/bandit/bandit --severity-level all -v /data/myscript.py

    Here are the scan results for my script:

    
    Total issues (by severity):
        Undefined: 0
        Low: 13
        Medium: 1
        High: 0
    Total issues (by confidence):
        Undefined: 0
        Low: 0
        Medium: 0
        High: 14

    The following table shows what has been spotted in the code (I grouped the findings by rule):

    Issue | Severity | Confidence | Reference | Occurrences
    Consider possible security implications associated with the subprocess module | Low | High | https://cwe.mitre.org/data/definitions/78.html | 1
    Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | Medium | High | https://cwe.mitre.org/data/definitions/20.html | 2
    subprocess call – check for execution of untrusted input | Low | High | https://cwe.mitre.org/data/definitions/78.html | 3
    Standard pseudo-random generators are not suitable for security/cryptographic purposes | Low | High | https://cwe.mitre.org/data/definitions/330.html | 1
    Try, Except, Pass detected | Low | High | https://cwe.mitre.org/data/definitions/703.html | 7

    Like any vulnerability scan, the results must be interpreted in the context of the environment where the code is executed. In my case, the script runs internally with a trusted set of (XML) data, so I consider the results as “good”. Now, if your application is facing the Internet and publicly available, that’s another story!
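    Three of the findings in the table above (subprocess with untrusted input, a non-cryptographic random generator, and try/except/pass) next to their hardened forms, as an added example that is not the author's script. The allow-listed commands, the hostname pattern and the key=value config format are constructed for illustration; the XML finding is fixed separately by switching to defusedxml, which is not in the standard library and is not shown here.

```python
import re
import secrets
import shutil
import subprocess
from pathlib import Path

# Constructed allow-lists: the only commands this script may launch, and the
# only characters accepted in their single argument (hostname-like).
ALLOWED_COMMANDS = {"echo", "ping", "whois"}
TARGET_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

def run_tool(command: str, target: str) -> str:
    """Hardened form of subprocess.run(f"{command} {target}", shell=True) (CWE-78):
    allow-listed command, validated argument and an argument list, so no shell
    parses the target. Bandit still flags any subprocess call at low severity."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {command!r}")
    if not TARGET_RE.fullmatch(target):
        raise ValueError(f"invalid target: {target!r}")
    exe = shutil.which(command)
    if exe is None:
        raise FileNotFoundError(f"{command} not found on PATH")
    result = subprocess.run([exe, target], capture_output=True, text=True, check=True)
    return result.stdout.strip()

def new_api_token(nbytes: int = 32) -> str:
    """random.random()/random.choice() are predictable (CWE-330); secrets uses the OS CSPRNG."""
    return secrets.token_hex(nbytes)

def parse_config(text: str) -> dict[str, str]:
    """Strict key=value parser: a malformed line raises instead of being skipped."""
    config: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        config[key.strip()] = value.strip()
    return config

def read_config(path: str) -> dict[str, str]:
    """Replaces 'try: ... except: pass' (CWE-703): only a missing file is tolerated."""
    try:
        text = Path(path).read_text(encoding="utf-8")
    except FileNotFoundError:
        return {}
    return parse_config(text)
```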

    If you are curious about the tests performed by Bandit, the list of plugins is available in the documentation[2].

    Conclusion: the AI-generated script does not look too bad. Tip: when writing your prompt to generate the initial code, don’t forget to mention that “security is very important”, like:

    
    Generate production-quality Python code with a security-first approach.
    Requirements:
    - Treat all external input as untrusted
    - Validate input types, length, and format
    - Sanitize strings (e.g., for file paths, URLs, commands, JSON, CSV)
    - Use explicit allow-lists where possible
    - Handle errors with clear exceptions (no silent failures)
    - Avoid dangerous functions (eval, exec, os.system, shell=True)
    - Prevent command injection, path traversal, and deserialization issues
    - Use safe libraries and best practices
    - Include input validation helpers if needed

    [1] https://github.com/PyCQA/bandit

    [2] https://bandit.readthedocs.io/en/latest/plugins/index.html

    Xavier Mertens (@xme)

    Xameco

    Senior ISC Handler – Freelance Cyber Security Consultant


  • New Zealand calls off rescue efforts for six missing after landslide




    Police say they are not expecting to find any more survivors from the landslide

    Rescue efforts for six missing people buried by a landslide in New Zealand on Thursday have been called off, with efforts now moving to recovering bodies, police have said.

    “Tragically it is now apparent that we will not be able to bring them home alive,” Anderson said, adding that formal identification is underway.

    Two teenagers are among those who remain unaccounted for, with the youngest aged 15 years old.

    Search teams located human remains beneath dirt and debris on Friday evening, Police Superintendent Tim Anderson said, after a landslide hit a popular campsite in Mount Maunganui.

    “This is heartbreaking news for the families and the dozens of people who have been working day and night, hoping for a positive outcome,” Anderson said.

    In a separate incident, two people died – a grandmother and her grandchild – in a different landslide at Welcome Bay, near Mount Maunganui, public service broadcaster Radio New Zealand (RNZ) reported.

    Heavy rain has fallen on New Zealand’s North Island for days, with more wet weather forecast for the area over the weekend.

    Police said conditions have added to the difficulty of rescue efforts, and described the scene at Mount Maunganui as “incredibly challenging… to work through”.


    Fire and emergency services worked through the night to locate those unaccounted for at the campsite before the operation was formally handed over to police on Saturday.

    The safety of workers on the ground is of “utmost importance”, Anderson said.

    Police have confirmed the names of the six individuals unaccounted for as Lisa Anne Maclennan, 50, from Morrinsville, Måns Loke Bernhardsson, 20, from Sweden, Jacqualine Suzanne Wheeler, 71, from Rotorua, and Susan Doreen Knowles, 71, from Ngongotaha.

    The youngest victims have been identified by police as Sharon Maccanico, 15, from Auckland and Max Furse-Kee, 15, from Auckland.


    Members of the public lay floral tributes at the scene of the landslide in Mount Maunganui

    Chief Coroner Judge Anna Tutton confirmed the identification process is underway, but warned it would likely be “complex” and “painstaking”.

    “We will work very carefully – and as quickly as we can – to reunite families,” she said.

    Prime Minister Christopher Luxon visited the site on Friday. He said it was “inspiring” to see the show of community support as locals helped clear debris in flood-hit areas.

    Mount Maunganui is a sacred Māori site and one of the most popular campgrounds in New Zealand. It has been repeatedly hit by landslides in recent years.




  • Ukraine condemns ‘brutal’ Russian strikes ahead of second day of peace talks



    Ukraine has condemned a fresh wave of Russian strikes overnight which killed one person and injured 23 others, as talks with the US aimed at ending the war are set to resume.

    Ukraine’s Foreign Minister Andrii Sybiha said the “brutal” attack had “hit not only our people, but also the negotiation table”.

    Delegations from Russia, Ukraine and the US have been meeting in Abu Dhabi for the first trilateral talks since the Kremlin launched a full-scale invasion of its neighbour in 2022.

    A source told the BBC that some progress had been made but the key issue of territory remains unresolved.

    The mayor of Ukrainian capital Kyiv said one person had died and four had been wounded while Kharkiv’s mayor reported that 19 people had been hurt during a sustained assault on the city in the early hours of Saturday morning.

    On the second day of the three-way talks in Abu Dhabi, Sybiha said the “barbaric” overnight assault proved “that Putin’s place is not at the board of peace, but at the dock of the special tribunal”.

    US President Donald Trump said last week that Russian leader Vladimir Putin had accepted an invitation to join his ‘Board of Peace’ – an organisation focused on ending global conflicts. Putin has not confirmed this.

    Kyiv’s mayor Vitali Klitschko said on Telegram that three of the four people who had been injured had been hospitalised.

    He added that the capital’s critical infrastructure had been damaged, leaving 6,000 buildings without heating.

    Temperatures in Ukraine are at sub-zero levels and in a statement following the assaults, President Volodymyr Zelensky said: “The main target of the Russians was the energy infrastructure.”

    In Kharkiv, Mayor Ihor Terekhov said 19 people had been injured during the strikes in the early hours of Saturday morning. A maternity hospital and a hostel for displaced people were damaged.

    Russia occupies roughly 20% of Ukraine, including parts of the eastern Donbas region. The Kremlin wants Ukraine to hand over large areas of the territory. Ukraine has ruled this out.

    Following the first day of talks, Rustem Umerov, who is leading the Ukrainian delegation, said on social media: “The meeting focused on the parameters for ending Russia’s war and the further logic of the negotiation process aimed at advancing toward a dignified and lasting peace.”


