AI promises many advantages when it comes to application development. But it’s also giving threat actors plenty of advantages, too. It’s always important to remember that AI models can produce a lot of garbage that is really convincing—and so can attackers. “Dark” AI models can be used to purposely write malicious code, but in this blog, we’ll discuss three other distinct ways using AI models can lead to attacks.

Only about 35 percent of the models on Hugging Face bear any license at all. Of those that do, roughly 60 percent fall under traditional open source licenses. But while the majority of licensed AI models may be open source, some very large projects–including Midjourney, BLOOM, and LLaMa—fall under that remaining 40 percent category. So let’s take a look at some of the top AI model licenses on Hugging Face, including the most popular open source and not-so-open source licenses.

NIST has announced that it has filled the funding gap for the National Vulnerability Database (NVD) and hired a contractor to return it to its previous underwhelming state. What does that mean for us? Basically, The NVD is off life support, but we wouldn’t say it’s healthy. It’s more like “undead”.

The software supply chain is increasingly complex, giving threat actors more opportunities to find ways into your system, either via custom code or third-party code. In this blog we’ll briefly go over five supply chain threats and where to find them. For a deeper look to finding these threats, with more specifics and tool suggestions, check out our threat hunting guide.

Responsible AI Licenses (RAIL) are a class of licenses created with the intention of preventing harmful or unethical uses of artificial intelligence while also allowing for the free and open sharing of models between those who intend to use and improve them for authorized purposes. Anyone can make their own version of RAIL for their model, and in doing so can create more or less restrictions than those detailed in the template licenses.

The past week has been a wild ride for those following all the hot goss’ on the National Vulnerability Database. Previously on The Code and the Vulnerable, we reported on the NVD slowdown that began in mid February. Since then, the NVD has been adding new CVEs, but has only enriched (with important information like CVSS and CPE) a very small fraction of them. If you need a breakdown of all these acronyms, definitely check out that first blog on this topic.

Dependency management is a broad topic encompassing, among other things, keeping an inventory of dependencies, removing unused dependencies, and fixing conflicts between dependencies. In this article, we will focus on one large part of software dependency management that devs can do easily and with great results: updating dependencies.

Today at the RSA Conference 2024, Mend.io and Sysdig unveiled a joint solution to helping developers, DevOps, and security teams accelerate secure software delivery from development to deployment. The new integration incorporates runtime context from Sysdig with Mend Container to provide users with superior, end-to-end, and risk-based vulnerability prioritization and remediation across development and production environments.

Building, pre-training, and fine-tuning an AI model is no small task and you’ll naturally want to protect your efforts from theft, denial of service attacks, malicious use, and other threats. In this blog we’ll go over the basics of keeping AI models safe from both legal issues and bad actors.

CVEs, or known and cataloged software vulnerabilities, dominate the discussion about open source software (OSS) risk. In 2016, 6,457 CVEs were reported. That number has grown every year since, reaching 28,961 CVEs reported in 2023—an increase of nearly 4.5 times in just seven years. 2024 is already on track to beat 2023, and we will likely see even faster growth once AI is earnestly set to the task of finding vulnerabilities (not to mention creating them).