The risk both to and from AI models is a topic so hot it’s left the confines of security conferences and now dominates the headlines of major news sites. Indeed, the deluge of frightening hypotheticals can make AI feel like we are navigating an entirely new frontier with no compass. And to be sure, AI poses a lot of unique challenges to security, but remember: Both the media and AI companies have a vested interest in upping the fright hype to keep people talking.

*April 1 update. it was confirmed that Fedora 40 is not affected by the backdoor. However, users should still downgrade to a 5.4 build to be safe. On March 29th, 2024, a critical CVE was issued for the XZ-Utils library. This vulnerability allows an attacker to run arbitrary code remotely on affected systems. Due to its immediate impact and wide scope, the vulnerability has scored 10 for both CVSS 3.1 and CVSS 4, which is the highest score available.

Early on March 28, 2024, the Mend.io research team detected more than 100 malicious packages targeting the most popular machine learning (ML) libraries from the PyPi registry. Among those libraries are Pytorch, Matplotlib, and Selenium.

Containers have taken over the world of software development. According to Gartner analysts, “90% of global organizations will be running containerized applications in production by 2026,” up from 40% in 2021. Containerized applications provide enterprises with an agile, modern approach in the age of cloud computing; safeguarding these technologies from existing and future threats requires equally modern methods.

While cloud-native development brilliantly solves problems related to scalability and effective resource use, a more complex architecture and new security challenges come along for the ride as well. The added layer of abstraction of container architecture can make tracking down vulnerabilities and poorly stored secrets, assessing true risk, and enforcing policies difficult for security teams using only traditional AppSec tools.

Headed by NIST, an American government institution, the National Vulnerability Database (NVD) contains vulnerability data that’s been key to protecting organizations both within and without the US borders for more than 20 years. Many security policies from both commercial and government organizations require that vendors take care of vulnerabilities of a particular severity as given by the NVD within a certain number of days.

Securing AI is a top cybersecurity priority and concern for governments and businesses alike. Developers have easy access to pre-trained AI models through platforms like Hugging Face and to AI-generated functions and programs through large language models (LLMs) like GitHub Co-Pilot. This access has spurred developers to create innovative software at an enormously fast pace.

Are Software composition analysis (SCA) scans and container scans the same thing? The short answer is yes… and no. A comprehensive container image scan applies SCA specifically to containers in combination with other analyses particular to containers, such as how they’re configured to deploy and the presence of secrets. Read on to learn the key differences.

Containers offer many benefits, including lightweight portability from one environment to another, but they add a layer of complexity to application security that can introduce additional risks. There are many ways a container can become vulnerable to attack: through its source code, how the container is built, how the container is configured, how it secures secrets, and how it interacts with the host and other containers. Each of these avenues has its own security solutions and best practices.