Google Releases Stable Model Signing Library to Secure the AI Supply Chain

2025-04-05

The rise of large language models (LLMs) has brought increased focus on AI supply chain security. Model tampering, data poisoning, and other threats are growing concerns. To address this, Google, in partnership with NVIDIA and HiddenLayer, and supported by the Open Source Security Foundation, has released the first stable version of its model signing library. This library uses digital signatures, such as those from Sigstore, to allow users to verify that the model used by an application is identical to the one created by the developers. This ensures model integrity and provenance, protecting against malicious tampering throughout the model's lifecycle, from training to deployment. Future plans include extending this technology to datasets and other ML artifacts, building a more robust AI trust ecosystem.

Google Unveils Sec-Gemini v1: A New Era in AI-Powered Cybersecurity

2025-04-04

Google has announced Sec-Gemini v1, an experimental AI model designed to push the frontiers of cybersecurity AI. Combining Gemini's advanced capabilities with near real-time cybersecurity knowledge and tooling, Sec-Gemini v1 excels in key workflows such as incident root cause analysis, threat analysis, and vulnerability impact understanding. It outperforms other models on key benchmarks, showing at least an 11% improvement on CTI-MCQ and at least a 10.5% improvement on CTI-Root Cause Mapping. Google is making Sec-Gemini v1 freely available to select organizations, institutions, professionals, and NGOs for research purposes to foster collaboration and advance AI in cybersecurity.

AI

Chrome Root Program Enhances Web PKI Security with Mandatory MPIC and Linting

2025-03-31

Google's Chrome team announced that its Root Program is mandating two key security improvements: Multi-Perspective Issuance Corroboration (MPIC) and certificate linting. MPIC mitigates the risk of fraudulently issued certificates due to BGP attacks by verifying domain control from multiple geographic locations, while linting automates the detection of certificate errors, improving security. Both are mandatory for publicly trusted certificates from March 15, 2025, strengthening the web PKI ecosystem's security and stability, and reducing certificate mis-issuance. The Chrome team also plans to sunset weak domain validation methods and actively explore solutions for a post-quantum cryptography world.

Eliminating Memory Safety Vulnerabilities: A Collective Commitment to Secure-by-Design

2025-02-26

For decades, memory safety vulnerabilities have plagued the tech industry, costing billions and eroding trust. Traditional approaches haven't been enough. This post calls for a fundamental shift towards 'secure-by-design' practices to eliminate these vulnerabilities. Recent advancements in memory-safe languages (like Rust) and hardware technologies (like ARM's MTE) make this achievable. The authors propose a standardized framework to objectively assess memory safety assurances, incentivizing vendors to invest and ultimately empowering customers to demand and reward security, driving procurement of more secure systems. Such a framework must be technology-neutral, supporting diverse approaches and adapting safety requirements to need, with the ultimate aim of a secure digital world.

Development secure-by-design

Google Play 2024 Security Report: AI-Powered Defenses Protect Billions

2025-02-03

Google's 2024 Google Play security report highlights its commitment to user and developer safety. Leveraging AI-powered threat detection, strengthened privacy policies, and enhanced developer tools, Google Play prevented 2.36 million policy-violating apps from publication and banned over 158,000 malicious developer accounts. The report focuses on AI's role in proactively identifying malware, collaboration with developers to improve security and privacy (limiting access to sensitive data, enhanced data deletion options), and Google Play Protect's real-time scanning which identified over 13 million malicious apps from outside Google Play. New fraud protection features shield users from scams and malware. Google also collaborates with governments and industry partners to establish new app security assessment standards for a safer app ecosystem.

Google Releases OSV-SCALIBR: A Powerful Software Composition Analysis Library

2025-01-19

Google has released OSV-SCALIBR, an extensible Software Composition Analysis (SCA) library for scanning installed packages, standalone binaries, and source code for vulnerabilities. It supports numerous programming languages and package managers, and generates Software Bill of Materials (SBOMs). OSV-SCALIBR is Google's primary SCA engine and is now open-source, with plans to integrate it into OSV-Scanner for a more robust command-line interface.

Development Software Security