< ciso
brief />
Tag Banner

All news with #application security tag

49 articles

Hardening Public Serverless Functions on Google Cloud

🛡️ This post from Mandiant highlights how publicly exposed serverless applications — often unauthenticated by design — are frequent targets for application-level attacks like LFI/RFI and command injection. It explains exploitation paths including file retrieval and service account token exfiltration, and demonstrates attack examples against Cloud Run Python functions. The article provides actionable hardening guidance such as using dedicated service accounts with least privilege, isolating public services in separate projects, enforcing S‑SDLC practices, and deploying Cloud Armor WAF and Layer 7 load balancing for centralized protection.
read more →

Amazon GameLift Servers adds DDoS protection SDKs

🛡️ Amazon GameLift Servers now includes DDoS Protection client SDKs for C# and Unity, enabling developers to protect session-based multiplayer games from denial-of-service and distributed denial-of-service attacks. The service co-locates a relay network with game servers and uses access token-based authentication to allow only authorized client traffic. It enforces per-player UDP traffic limits, offers negligible latency, and is provided at no extra cost to GameLift Servers customers. The new SDKs complement existing C++ and Unreal Engine support and are available in multiple AWS regions.
read more →

Defending Applications Against Frontier Model Threats

🔒 Cloudflare describes an architectural approach to defend applications and internal systems from high-speed attacks enabled by frontier AI models. The post explains how layered controls — including WAF, ML-based scoring, API Shield, Bot Management, Zero Trust, IdP federation, MCP server controls, and AI Gateway — work together to reduce discovery, limit exploit adaptation, and contain impact. It emphasizes deploying inspection ahead of public apps, defining valid API traffic, restricting automated probing, and enforcing per-request identity for internal tools.
read more →

Fine-grained B2C Access Control with Cognito

🔐 This article demonstrates how to implement enterprise-grade authentication and authorization for a Streamlit sample application using Amazon Cognito for identity and Amazon Verified Permissions with Cedar policies for fine-grained access control. It outlines a layered architecture that separates identity verification, authorization evaluation, application logic, and enforcement to reduce blast radius. The post explains Cedar policy anatomy and common patterns—ownership, role-based, hierarchical, and emergency access—plus evaluation precedence where forbid policies take priority. Practical guidance covers required tools, provisioning steps, policy design tips, and testing recommendations to help developers scale secure applications.
read more →

Embed security within agentic AI coding tools

🔒 Ox Security urges that appsec be integrated directly into AI coding tools as agentic development accelerates code changes beyond traditional pipelines. Speaking at Infosecurity Europe, field CTO Boaz Barzel argued that security must become a continuous, contextual property of creation rather than a bolt-on stage. He outlined four agentic attack surfaces—input, tools, execution and output—and advocated autonomous security agents that pentest and validate every commit to reduce MTTR and achieve full coverage.
read more →

AI-focused innovations in Dataflow platform

🧭 Google describes how innovations from its internal Flume platform power Dataflow, a fully managed batch and streaming service supporting large-scale ML workloads. The post outlines features like liquid sharding for dynamic rebalancing, global compute for cross-region scaling, automatic pipeline optimization, and rate-limiting for external API calls. It also highlights TPU-focused efficiencies such as heterogeneous worker pools, TPU-aware autoscaling, duty-cycle enforcement, and TPU fungibility. The article notes developer conveniences—multi-language SDKs, unified batch/streaming, ML framework integration, observability, and advanced workflows—and cites customer use cases and ongoing platform enhancements.
read more →

Anthropic’s Project Glasswing Reveals Widespread Flaws

🔍 Anthropic and over 50 partners report Project Glasswing, using Claude Mythos Preview, has surfaced roughly 10,000 critical or high-severity vulnerabilities across open source projects and partner software. The initiative scanned more than 1,000 open-source projects and validated thousands of findings with independent security firms, but maintainers are overwhelmed by the volume and pace of disclosures. Anthropic is disclosing issues under a coordinated policy and has launched enterprise offerings like Claude Security and a Cyber Verification Program to support legitimate security research.
read more →

Discord Rolls Out End-to-End Call Encryption Globally

🔒 Discord has enabled default end-to-end encryption (E2EE) for all voice and video calls after completing the deployment in March. The company extended the open-source DAVE protocol across desktop, mobile, web browsers, PlayStation, Xbox and Discord SDKs, and is removing legacy unencrypted fallback code. The encryption layer now covers DMs, group DMs, voice channels and Go Live streams, while Stage channels remain excluded. Discord says it has no current plans to apply DAVE to text due to major engineering constraints tied to its existing messaging architecture.
read more →

Defense in Depth for Autonomous AI Agents

🛡️ Microsoft Security explains how rising agentic autonomy reorients security from models to how agents are assembled, constrained, and governed inside applications. The post identifies amplified risks—agent hijacking, intent breaking, data leakage, supply chain compromise—and shows why the application layer is decisive because builders fully control permissions, tool access, and failure handling. It recommends concrete design patterns: agents as microservices, least permissions, deterministic human-in-the-loop, and distinct agent identity to limit blast radius and preserve auditability.
read more →

AWS Security Agent introduces full repository code review

🔍 AWS Security Agent now offers a preview of full repository code review, an AI-driven capability that performs deep, context-aware analysis across entire repositories. It models application architecture, trust boundaries, and data flows rather than relying on pattern matching, and returns developer-ready findings with structured evidence and concrete remediation. The feature is designed to complement existing SAST tools and is available in preview at no additional charge while AWS solicits customer feedback.
read more →

Google Expands Binary Transparency for Android Apps

🔐 Google has expanded Binary Transparency for Android to publish a cryptographic, append-only ledger that records production Google app binaries and Mainline modules. Beginning May 1, 2026, supported production apps will have public ledger entries to attest authenticity. Google is also providing verification tooling so users and researchers can confirm software integrity and detect unauthorized or "one-off" builds.
read more →

Amazon WorkSpaces Applications adds URL redirection

🔁 Amazon WorkSpaces Applications now supports host-to-client URL redirection, automatically launching approved links from streaming sessions in the user's local browser. Administrators can configure allow and deny URL patterns via the AWS Management Console to keep sensitive applications inside the streaming environment while offloading bandwidth-heavy content such as video. The feature works for browser navigation and embedded links in applications like Microsoft Word, with host-side support for Chrome and Edge; URLs on the configured allow list open automatically in the user's default local browser.
read more →

Microsoft Adds Anthropic Mythos to SDLC, Boosts Security

🔒 Microsoft will integrate Anthropic’s Mythos Preview into its Security Development Lifecycle, using the model alongside other advanced AI to surface vulnerabilities earlier in the software development process. The company says the move aims to strengthen and harden core products including Windows, Azure, and Microsoft 365 by improving automated detection and secure coding. Analysts note the shift signals frontier models moving from experimental tools into standard engineering workflows while raising dual-use concerns.
read more →

AWS Transform custom expands to six additional Regions

🚀 AWS has expanded AWS Transform custom to six additional Regions — Asia Pacific (Mumbai, Tokyo, Seoul, Sydney), Canada (Central), and Europe (London). The service enables organizations to modernize and transform code at scale using AWS-managed and customizable transformations to upgrade languages, migrate frameworks, optimize performance, and analyze codebases. Transformations learn from engagements to improve accuracy, and the expansion brings total availability to eight Regions, improving local access and compliance.
read more →

Cloudflare Announces Shared Compression Dictionaries

📦 Cloudflare is introducing support for shared compression dictionaries to reduce redundant transfers and speed page loads for sites that deploy frequently or are heavily crawled by agents. In Phase 1 the edge will passthrough Use-As-Dictionary and Available-Dictionary headers and respect dcb/dcz encodings; an open beta begins April 30, 2026. Later phases move delta compression and automatic dictionary generation into Cloudflare’s edge, simplifying origin logic and maximizing bandwidth and latency savings for versioned assets and returning visitors.
read more →

EmDash by Cloudflare: A Secure, Modern WordPress Alternative

🛡️ Cloudflare introduced EmDash, presented as a modern, more secure alternative to WordPress. The MIT-licensed, open-source CMS aims to reduce plugin-driven vulnerabilities by isolating execution and enforcing least-privilege principles. EmDash uses a different content model and targets developer-first and AI-driven site workflows. While attractive for new projects, enterprises face nontrivial migration and ecosystem challenges.
read more →

EmDash: Cloudflare’s Modern, Secure Successor to WordPress

🛡️ EmDash is a new, open-source CMS from Cloudflare, written in TypeScript and available as a v0.1.0 preview that aims to be the spiritual successor to WordPress. It runs plugins in isolated Dynamic Workers and enforces capability-based manifests so extensions can only perform explicitly declared actions, substantially reducing plugin attack surface. EmDash is serverless-first, uses Astro for themes, includes built-in x402 payment support and passkey authentication, and provides CLI and MCP tooling to enable AI-driven management and migrations.
read more →

AWS Transform Custom: Comprehensive Codebase Analysis GA

🔍 AWS announces general availability of AWS Transform custom's comprehensive codebase analysis transformation, delivering up-front deep static analysis that documents architecture, technical debt, code metrics, and migration plans to preserve institutional knowledge and reduce documentation overhead. The transformation supports any language — including Python, Java (Maven and Gradle), Node.js, and .NET — and scales to codebases exceeding one million lines. Behavior analysis is available in early access. To run it locally, install the AWS Transform CLI and execute: atx custom def exec -n AWS/comprehensive-codebase-analysis -p. The service is available in US East (N. Virginia) and Europe (Frankfurt).
read more →

OpenAI's Codex Security Flags 11,000+ High-Risk Bugs

🔍 OpenAI's Codex Security AppSec agent flagged over 11,000 high-severity and critical flaws during a 30-day research test, including about 800 critical issues across more than 1.2 million scanned commits. Built to act like a security researcher rather than a static scanner, it maps attack paths, verifies exploitability in sandboxes, and proposes fixes as easy-to-accept patches. Early access partners such as Netgear reported improved review workflows, and OpenAI has already coordinated fixes and CVEs for multiple open-source projects.
read more →

OpenAI Launches Codex Security to Scan Codebases at Scale

🔒OpenAI on Friday began rolling out Codex Security, an AI-powered security agent that finds, validates, and proposes fixes for vulnerabilities. The feature is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web and will be free for the next month. During its beta, the agent scanned more than 1.2 million commits, identifying 792 critical and 10,561 high-severity findings across multiple open-source projects. OpenAI says the offering combines frontier-model reasoning with automated validation to reduce false positives and deliver actionable fixes.
read more →