
All news with #application security tag

35 articles

Cloudflare Announces Shared Compression Dictionaries

📦 Cloudflare is introducing support for shared compression dictionaries to reduce redundant transfers and speed page loads for sites that deploy frequently or are heavily crawled by agents. In Phase 1 the edge will pass through Use-As-Dictionary and Available-Dictionary headers and respect dcb/dcz encodings; an open beta begins April 30, 2026. Later phases move delta compression and automatic dictionary generation into Cloudflare’s edge, simplifying origin logic and maximizing bandwidth and latency savings for versioned assets and returning visitors.

EmDash by Cloudflare: A Secure, Modern WordPress Alternative

🛡️ Cloudflare introduced EmDash, presented as a modern, more secure alternative to WordPress. The MIT-licensed, open-source CMS aims to reduce plugin-driven vulnerabilities by isolating execution and enforcing least-privilege principles. EmDash uses a different content model and targets developer-first and AI-driven site workflows. While attractive for new projects, enterprises face nontrivial migration and ecosystem challenges.

EmDash: Cloudflare’s Modern, Secure Successor to WordPress

🛡️ EmDash is a new, open-source CMS from Cloudflare, written in TypeScript and available as a v0.1.0 preview that aims to be the spiritual successor to WordPress. It runs plugins in isolated Dynamic Workers and enforces capability-based manifests so extensions can only perform explicitly declared actions, substantially reducing plugin attack surface. EmDash is serverless-first, uses Astro for themes, includes built-in x402 payment support and passkey authentication, and provides CLI and MCP tooling to enable AI-driven management and migrations.

AWS Transform Custom: Comprehensive Codebase Analysis GA

🔍 AWS announces general availability of AWS Transform Custom's comprehensive codebase analysis transformation, delivering up-front deep static analysis that documents architecture, technical debt, code metrics, and migration plans to preserve institutional knowledge and reduce documentation overhead. The transformation supports any language — including Python, Java (Maven and Gradle), Node.js, and .NET — and scales to codebases exceeding one million lines. Behavior analysis is available in early access. To run it locally, install the AWS Transform CLI and execute: atx custom def exec -n AWS/comprehensive-codebase-analysis -p. The service is available in US East (N. Virginia) and Europe (Frankfurt).

OpenAI's Codex Security Flags 11,000+ High-Risk Bugs

🔍 OpenAI's Codex Security AppSec agent flagged over 11,000 high-severity and critical flaws during a 30-day research test, including about 800 critical issues across more than 1.2 million scanned commits. Built to act like a security researcher rather than a static scanner, it maps attack paths, verifies exploitability in sandboxes, and proposes fixes as easy-to-accept patches. Early access partners such as Netgear reported improved review workflows, and OpenAI has already coordinated fixes and CVEs for multiple open-source projects.

OpenAI Launches Codex Security to Scan Codebases at Scale

🔒 OpenAI on Friday began rolling out Codex Security, an AI-powered security agent that finds, validates, and proposes fixes for vulnerabilities. The feature is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web and will be free for the next month. During its beta, the agent scanned more than 1.2 million commits, identifying 792 critical and 10,561 high-severity findings across multiple open-source projects. OpenAI says the offering combines frontier-model reasoning with automated validation to reduce false positives and deliver actionable fixes.

Why Application Security Should Begin at the Load Balancer

🔐 The article contends that application security must start at the load balancer, which serves as the primary traffic entry and trust boundary rather than just a performance device. The author describes consulting cases across finance, healthcare, SaaS and retail where permissive edge settings enabled downgrade attacks, bot floods, and long-term technical debt. Recommended controls include enforcing modern TLS, sanitizing requests, applying bot and rate controls at the edge, and integrating the load balancer with downstream WAFs and security tools to reduce incident scope and operational cost.

A Better Streams API: Simpler, Faster Web Streaming

🔧 Cloudflare critiques the WHATWG Web Streams design and presents a proof-of-concept alternative built around async iterables. The post catalogs practical pain points — reader locking, BYOB complexity, fragile backpressure, and heavy promise overhead — that drive implementation complexity and runtime fragmentation. The proposed model favors pull-through transforms, explicit backpressure policies, batched byte chunks, and synchronous fast paths. Benchmarks in the write-up report 2x–120x improvements in some scenarios, and a reference implementation is published for exploration.

Anthropic’s Claude Code Security Sparks Industry Debate

🛡️ Anthropic launched a limited research preview of Claude Code Security, triggering sharp market moves as stocks of major cybersecurity vendors dropped. The tool claims to reason about code like a human, trace data flows, find complex vulnerabilities, and suggest targeted patches that appear in a review dashboard with confidence ratings. Anthropic says every finding undergoes a multi-stage verification and requires human approval, but experts warn about outsourcing critical security judgments to an evolving model and highlight risks from hallucinations, asymmetric attacker advantage, and single points of trust.

OWASP Smart Contract Top 10 2026: Governance Risk Focus

🔒 CredShields led the release of the OWASP Smart Contract Top 10 2026, an impact-weighted risk framework built from structured analysis of 2025 smart contract incidents that produced hundreds of millions in losses. The ranking highlights that governance and privilege failures—not just code bugs—drive the most severe on-chain compromises, naming access control, business logic, oracle manipulation, flash loan–facilitated attacks, and proxy/upgradeability vulnerabilities among the top risks. CredShields’ exploit intelligence platforms, SolidityScan and Web3HackHub, supported the aggregation and methodology informing the list.

Microsoft Adds Mobile-Style Permission Prompts to Windows

🔐 Microsoft will introduce smartphone-style permission prompts in Windows 11 to request user consent before apps access sensitive resources such as files, cameras, and microphones. The company is also launching a Windows Baseline Security Mode to enable runtime integrity safeguards by default while still permitting targeted overrides for specific apps. These changes are part of the Secure Future Initiative and will roll out in phases with developer, enterprise, and ecosystem feedback. Users and IT administrators will be able to view, grant, or revoke app permissions and will receive clearer prompts when apps attempt to install unwanted software or access protected data.

Top Dynamic and Static Application Security Testing Tools

🔒 Application security now demands both static code analysis and runtime testing to secure the software supply chain. This article reviews leading SAST and DAST tools that help developers find vulnerabilities early and in running applications, covering deployment models, CI/CD and IDE integrations, and features like secret scanning, IAST, managed services, and compliance checks. Vendors highlighted include Checkmarx, Fortify, Acunetix, Veracode, and others.

Airlock Digital Forrester TEI Finds 224% ROI and $3.8M NPV

🔒 The Forrester Consulting Total Economic Impact (TEI) study commissioned by Airlock Digital reports a 224% ROI and a $3.8 million net present value over three years for organizations that adopt Airlock’s allowlisting approach. The analysis cites a >25% reduction in overall breach risk and notes zero breaches among interviewed customers after deployment. It also highlights operational efficiency gains — policy management requiring roughly 2.5 hours per week — and reduced administrative overhead thanks to Airlock’s modern, operationally friendly implementation of allowlisting.

Why secrets in JavaScript bundles remain exposed at scale

🔐 Intruder's research scanned roughly 5 million web applications and identified over 42,000 exposed tokens across 334 secret types, revealing widespread leakage in front-end JavaScript bundles. The report shows how traditional path-and-regex scanners, many SAST tools, and some DAST deployments miss secrets introduced during build and deployment, especially in SPAs. High-impact findings included active GitHub/GitLab personal access tokens, project-management API keys, and hundreds of live webhooks; Intruder developed automated SPA secrets detection to close these gaps.

AI fuzzing: automated testing and emerging threats

🔍 Generative AI is transforming fuzzing by automating test generation, expanding input diversity, and enabling scalable discovery of bugs and logic flaws. Security teams and consulting firms use models to create behavioral variants, convert breach data into scenarios, and prototype fuzzing harnesses to exercise code and APIs at scale. Attackers likewise leverage uncensored or fine‑tuned models to automate complex, high‑throughput attacks, forcing defenders to continuously fuzz guardrails and address LLM nondeterminism and prompt injection.

Application Security: Posture, Provenance and Proof

🔒 Application security is shifting from relying solely on SAST, DAST, SCA and MAST to a posture-centric model that emphasizes posture, provenance and proof. The article recommends Application Security Posture Management (ASPM) as the control plane to correlate scanner outputs, enforce policy and prioritize actionable risks based on reachability and exposure. It urges stronger supply-chain controls—SLSA attestations, signed SBOMs and VEX—plus runtime protections such as IAST and RASP, and AI and language policies driven by recent NIST and NSA/CISA guidance.

The State of Cybersecurity in 2025: Segments and Innovations

🔐 Cybersecurity in 2025 is framed as an architectural challenge rather than a set of isolated controls. This contributed report surveys shifts across authentication, endpoint and network security, software supply chains, SaaS data governance, AI-driven defenses, and human risk. It highlights hardware‑backed authentication, passkeys, binary-level verification, and network telemetry as pivotal controls. Vendors stress speed, visibility, and provable trust as the operational priorities.

AWS Security Agent preview: AI-driven development security

🔒 AWS today announced the preview of AWS Security Agent, an AI-powered agent that automates security validation across the application development lifecycle. The service lets security teams define organizational requirements once and then evaluates architecture and code against those standards, offering contextual remediation guidance. For deployments, it performs context-aware penetration testing and logs API activity to CloudTrail; the preview is available in US East (N. Virginia). AWS states customer data and queries are not used to train models.

AWS Transform Custom GA: Agentic AI for Code Modernization

🚀 AWS Transform Custom is now generally available, offering an agentic AI service to accelerate organization-wide code and application modernization at scale. The service automates repeatable transformations—version upgrades, runtime migrations, framework transitions, and language translations—often reducing execution time by over 80% while removing the need for specialist automation expertise. It provides out-of-the-box transformations for Python, Node.js, Lambda, AWS SDK updates, and Java 8→17, and supports custom transformation definitions using natural language, reference documents, and code samples. Teams can run autonomous transformations with a one-line CLI command, embed them into pipelines, and benefit from an agent that continuously learns from developer feedback and execution results. AWS Transform Custom is available in the US East (N. Virginia) region.

AWS Transform Expands .NET Modernization and Developer UX

🔧 AWS Transform is now generally available with expanded .NET modernization features that let customers convert .NET Framework and .NET code to .NET 10 or .NET Standard. New capabilities include automated UI porting from ASP.NET Web Forms to Blazor on ASP.NET Core and Entity Framework ORM porting. An enhanced IDE workflow via the AWS Toolkit for Visual Studio 2026 or 2022 provides an editable transformation plan, real‑time progress, repeatable iterations, detailed logs, and a Next Steps markdown for AI code companions.