
All news with #application security tag

44 articles

AI-focused innovations in Dataflow platform

🧭 Google describes how innovations from its internal Flume platform power Dataflow, a fully managed batch and streaming service supporting large-scale ML workloads. The post outlines features like liquid sharding for dynamic rebalancing, global compute for cross-region scaling, automatic pipeline optimization, and rate-limiting for external API calls. It also highlights TPU-focused efficiencies such as heterogeneous worker pools, TPU-aware autoscaling, duty-cycle enforcement, and TPU fungibility. The article notes developer conveniences—multi-language SDKs, unified batch/streaming, ML framework integration, observability, and advanced workflows—and cites customer use cases and ongoing platform enhancements.

Anthropic’s Project Glasswing Reveals Widespread Flaws

🔍 Anthropic and over 50 partners report Project Glasswing, using Claude Mythos Preview, has surfaced roughly 10,000 critical or high-severity vulnerabilities across open source projects and partner software. The initiative scanned more than 1,000 open-source projects and validated thousands of findings with independent security firms, but maintainers are overwhelmed by the volume and pace of disclosures. Anthropic is disclosing issues under a coordinated policy and has launched enterprise offerings like Claude Security and a Cyber Verification Program to support legitimate security research.

Discord Rolls Out End-to-End Call Encryption Globally

🔒 Discord has enabled default end-to-end encryption (E2EE) for all voice and video calls after completing the deployment in March. The company extended the open-source DAVE protocol across desktop, mobile, web browsers, PlayStation, Xbox and Discord SDKs, and is removing legacy unencrypted fallback code. The encryption layer now covers DMs, group DMs, voice channels and Go Live streams, while Stage channels remain excluded. Discord says it has no current plans to apply DAVE to text due to major engineering constraints tied to its existing messaging architecture.

Defense in Depth for Autonomous AI Agents

🛡️ Microsoft Security explains how rising agentic autonomy reorients security from models to how agents are assembled, constrained, and governed inside applications. The post identifies amplified risks—agent hijacking, intent breaking, data leakage, supply chain compromise—and shows why the application layer is decisive because builders fully control permissions, tool access, and failure handling. It recommends concrete design patterns: agents as microservices, least permissions, deterministic human-in-the-loop, and distinct agent identity to limit blast radius and preserve auditability.

AWS Security Agent introduces full repository code review

🔍 AWS Security Agent now offers a preview of full repository code review, an AI-driven capability that performs deep, context-aware analysis across entire repositories. It models application architecture, trust boundaries, and data flows rather than relying on pattern matching, and returns developer-ready findings with structured evidence and concrete remediation. The feature is designed to complement existing SAST tools and is available in preview at no additional charge while AWS solicits customer feedback.

Google Expands Binary Transparency for Android Apps

🔐 Google has expanded Binary Transparency for Android to publish a cryptographic, append-only ledger that records production Google app binaries and Mainline modules. Beginning May 1, 2026, supported production apps will have public ledger entries to attest authenticity. Google is also providing verification tooling so users and researchers can confirm software integrity and detect unauthorized or "one-off" builds.

Amazon WorkSpaces Applications adds URL redirection

🔁 Amazon WorkSpaces Applications now supports host-to-client URL redirection, automatically launching approved links from streaming sessions in the user's local browser. Administrators can configure allow and deny URL patterns via the AWS Management Console to keep sensitive applications inside the streaming environment while offloading bandwidth-heavy content such as video. The feature works for browser navigation and embedded links in applications like Microsoft Word, with host-side support for Chrome and Edge; URLs on the configured allow list open automatically in the user's default local browser.

Microsoft Adds Anthropic Mythos to SDLC, Boosts Security

🔒 Microsoft will integrate Anthropic’s Mythos Preview into its Security Development Lifecycle, using the model alongside other advanced AI to surface vulnerabilities earlier in the software development process. The company says the move aims to strengthen and harden core products including Windows, Azure, and Microsoft 365 by improving automated detection and secure coding. Analysts note the shift signals frontier models moving from experimental tools into standard engineering workflows while raising dual-use concerns.

AWS Transform custom expands to six additional Regions

🚀 AWS has expanded AWS Transform custom to six additional Regions — Asia Pacific (Mumbai, Tokyo, Seoul, Sydney), Canada (Central), and Europe (London). The service enables organizations to modernize and transform code at scale using AWS-managed and customizable transformations to upgrade languages, migrate frameworks, optimize performance, and analyze codebases. Transformations learn from engagements to improve accuracy, and the expansion brings total availability to eight Regions, improving local access and compliance.

Cloudflare Announces Shared Compression Dictionaries

📦 Cloudflare is introducing support for shared compression dictionaries to reduce redundant transfers and speed page loads for sites that deploy frequently or are heavily crawled by agents. In Phase 1 the edge will pass through Use-As-Dictionary and Available-Dictionary headers and respect dcb/dcz encodings; an open beta begins April 30, 2026. Later phases move delta compression and automatic dictionary generation into Cloudflare’s edge, simplifying origin logic and maximizing bandwidth and latency savings for versioned assets and returning visitors.

EmDash by Cloudflare: A Secure, Modern WordPress Alternative

🛡️ Cloudflare introduced EmDash, presented as a modern, more secure alternative to WordPress. The MIT-licensed, open-source CMS aims to reduce plugin-driven vulnerabilities by isolating execution and enforcing least-privilege principles. EmDash uses a different content model and targets developer-first and AI-driven site workflows. While attractive for new projects, enterprises face nontrivial migration and ecosystem challenges.

EmDash: Cloudflare’s Modern, Secure Successor to WordPress

🛡️ EmDash is a new, open-source CMS from Cloudflare, written in TypeScript and available as a v0.1.0 preview that aims to be the spiritual successor to WordPress. It runs plugins in isolated Dynamic Workers and enforces capability-based manifests so extensions can only perform explicitly declared actions, substantially reducing plugin attack surface. EmDash is serverless-first, uses Astro for themes, includes built-in x402 payment support and passkey authentication, and provides CLI and MCP tooling to enable AI-driven management and migrations.

AWS Transform Custom: Comprehensive Codebase Analysis GA

🔍 AWS announces general availability of AWS Transform custom's comprehensive codebase analysis transformation, delivering up-front deep static analysis that documents architecture, technical debt, code metrics, and migration plans to preserve institutional knowledge and reduce documentation overhead. The transformation supports any language — including Python, Java (Maven and Gradle), Node.js, and .NET — and scales to codebases exceeding one million lines. Behavior analysis is available in early access. To run it locally, install the AWS Transform CLI and execute: atx custom def exec -n AWS/comprehensive-codebase-analysis -p. The service is available in US East (N. Virginia) and Europe (Frankfurt).

OpenAI's Codex Security Flags 11,000+ High-Risk Bugs

🔍 OpenAI's Codex Security AppSec agent flagged over 11,000 high-severity and critical flaws during a 30-day research test, including about 800 critical issues across more than 1.2 million scanned commits. Built to act like a security researcher rather than a static scanner, it maps attack paths, verifies exploitability in sandboxes, and proposes fixes as easy-to-accept patches. Early access partners such as Netgear reported improved review workflows, and OpenAI has already coordinated fixes and CVEs for multiple open-source projects.

OpenAI Launches Codex Security to Scan Codebases at Scale

🔒 OpenAI on Friday began rolling out Codex Security, an AI-powered security agent that finds, validates, and proposes fixes for vulnerabilities. The feature is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web and will be free for the next month. During its beta, the agent scanned more than 1.2 million commits, identifying 792 critical and 10,561 high-severity findings across multiple open-source projects. OpenAI says the offering combines frontier-model reasoning with automated validation to reduce false positives and deliver actionable fixes.

Why Application Security Should Begin at the Load Balancer

🔐 The article contends that application security must start at the load balancer, which serves as the primary traffic entry and trust boundary rather than just a performance device. The author describes consulting cases across finance, healthcare, SaaS and retail where permissive edge settings enabled downgrade attacks, bot floods, and long-term technical debt. Recommended controls include enforcing modern TLS, sanitizing requests, applying bot and rate controls at the edge, and integrating the load balancer with downstream WAFs and security tools to reduce incident scope and operational cost.

A Better Streams API: Simpler, Faster Web Streaming

🔧 Cloudflare critiques the WHATWG Web Streams design and presents a proof-of-concept alternative built around async iterables. The post catalogs practical pain points — reader locking, BYOB complexity, fragile backpressure, and heavy promise overhead — that drive implementation complexity and runtime fragmentation. The proposed model favors pull-through transforms, explicit backpressure policies, batched byte chunks, and synchronous fast paths. Benchmarks in the write-up report 2x–120x improvements in some scenarios, and a reference implementation is published for exploration.

Anthropic’s Claude Code Security Sparks Industry Debate

🛡️ Anthropic launched a limited research preview of Claude Code Security, triggering sharp market moves as stocks of major cybersecurity vendors dropped. The tool claims to reason about code like a human, trace data flows, find complex vulnerabilities, and suggest targeted patches that appear in a review dashboard with confidence ratings. Anthropic says every finding undergoes a multi-stage verification and requires human approval, but experts warn about outsourcing critical security judgments to an evolving model and highlight risks from hallucinations, asymmetric attacker advantage, and single points of trust.

OWASP Smart Contract Top 10 2026: Governance Risk Focus

🔒 CredShields led the release of the OWASP Smart Contract Top 10 2026, an impact-weighted risk framework built from structured analysis of 2025 smart contract incidents that produced hundreds of millions in losses. The ranking highlights that governance and privilege failures—not just code bugs—drive the most severe on-chain compromises, naming access control, business logic, oracle manipulation, flash loan–facilitated attacks, and proxy/upgradeability vulnerabilities among the top risks. CredShields’ exploit intelligence platforms, SolidityScan and Web3HackHub, supported the aggregation and methodology informing the list.

Microsoft Adds Mobile-Style Permission Prompts to Windows

🔐 Microsoft will introduce smartphone-style permission prompts in Windows 11 to request user consent before apps access sensitive resources such as files, cameras, and microphones. The company is also launching a Windows Baseline Security Mode to enable runtime integrity safeguards by default while still permitting targeted overrides for specific apps. These changes are part of the Secure Future Initiative and will roll out in phases with developer, enterprise, and ecosystem feedback. Users and IT administrators will be able to view, grant, or revoke app permissions and will receive clearer prompts when apps attempt to install unwanted software or access protected data.