Vibe Coding Is the New Open Source--in the Worst Way Possible

WIRED

As developers increasingly lean on AI-generated code to build out their software--as they have with open source in the past--they risk introducing critical security failures along the way. Just like you probably don't grow and grind wheat to make flour for your bread, most software developers don't write every line of code in a new project from scratch. Doing so would be extremely slow and could create more security issues than it solves. So developers draw on existing libraries--often open source projects--to get various basic software components in place. While this approach is efficient, it can create exposure and lack of visibility into software.


Seemplicity and Checkmarx Partner to Streamline the Discover-to-Remediation Lifecycle


Seemplicity, the first risk reduction and productivity platform for modern security teams, announced that it has partnered with Checkmarx, the global leader in developer-centric application security testing (AST) solutions. The partnership will see the Checkmarx One Platform integrated within Seemplicity's Productivity Platform, allowing joint customers to simplify the entire find-to-fix lifecycle and ultimately accelerate the time to remediation of vulnerabilities found throughout the software development lifecycle (SDLC). The integration brings security findings discovered by Checkmarx into Seemplicity's platform, which provides a unified picture and workspace for the risks posed to the organization. Seemplicity's deduplication, prioritization and workflow capabilities, combined with Checkmarx's context-aware correlation engine, give organizations both the visibility and the operational efficiency required to drive risk down at scale. The joint solution is deployed by managed security service providers (MSSPs) as well as by security teams within large enterprises.


Hackers can peep through this smart vacuum's camera, research shows


The Trifo Ironpie has a built-in camera. Security researchers revealed Wednesday that vulnerabilities in the device could let hackers access the video stream remotely, among other things. The Trifo Ironpie robot vacuum is designed to do double duty. The fans on the swiveling disc hoover your house, while the camera mounted on it acts as an ankle-high security device. The idea is to stay tidy while staying safe.


Hacking the Amazon Alexa virtual assistant to spy on unaware users


The Alexa virtual assistant could be abused by attackers to spy on consumers with smart devices. Researchers at security firm Checkmarx created a proof-of-concept Amazon Echo Skill for Alexa that instructs the device to record surrounding audio indefinitely, secretly eavesdropping on users' conversations, and then sends the transcripts to a website controlled by the attackers. Amazon allows developers to build custom Skills that can control voice-activated smart devices such as Amazon Echo Show, Echo Dot, and Amazon Tap. The rogue Echo Skill for Alexa is disguised as a simple math calculator; once installed, it is activated in the background after a user says "Alexa, open calculator." "The Echo is continuously listening for the user's voice. So when the user says 'Alexa, open calculator', the calculator skill is initialized and the API/Lambda function that's associated with the skill receives a launch request as an input."


Security Researchers Created a 'Skill' that Allows Alexa to Spy on You


In news that will confirm your worst fears about a device with an always-on microphone in your home, security researchers have created a "skill" for Amazon's popular voice assistant Alexa that allows the device to indefinitely eavesdrop on your conversations. The vulnerability, which Amazon has since patched, was discovered by cybersecurity company Checkmarx. Experts at the firm were able to create a "skill"--Amazon's term for an application for Alexa--that could secretly record a victim and transcribe entire conversations caught on mic. The security researchers hid the malicious task in a seemingly innocuous calculator skill that could be used to solve math problems. Unbeknownst to any victim who installed the skill, asking Alexa to use the app would enable the attack.


Turning an Amazon Echo Into a Spy Device Only Took Some Clever Coding

WIRED

It's important not to overstate the security risks of the Amazon Echo and other so-called smart speakers. They're useful, fun, and generally have well thought-out privacy protections. Then again, putting a mic in your home naturally invites questions over whether it can be used for eavesdropping--which is why researchers at the security firm Checkmarx started fiddling with Alexa, to see if they could turn it into a spy device. They did, with no intensive meddling required. The attack, which Amazon has since fixed, follows the intended flow of using and programming an Echo.


Tinder Isn't the Only Dating App That Leaves Your Information and Swipes Vulnerable to Hackers

Slate

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society. The revelation this week that dating app Tinder lacks basic encryption--meaning someone could discover whose profile you've viewed and which way you're swiping--has sparked some understandable alarm and outrage. The reality is even scarier: It's not a new discovery, and it's not just Tinder. Though Checkmarx, the security company that demonstrated the issue this week, reportedly notified Tinder back in November, Wired reports, its use of HTTP instead of the more secure HTTPS hasn't changed. Users' photos are still fetched via an unencrypted connection, meaning anyone else on the network--say, someone sitting in the same cafe--can intercept them, revealing the swiper's sexual and dating preferences.


Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes

WIRED

In 2018, you'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, so that the stranger two tables away at the coffee shop can't pull your secrets off the local Wi-Fi. That goes double for apps as personal as online dating services. But if you assumed that basic privacy protection existed in the world's most popular dating app, you'd be mistaken: As one application security company has found, Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops. On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream.