<ciso brief />

All news with #application security tag

35 articles · page 2 of 2

AWS Transform adds automated testing for mainframe

🧪 AWS Transform for mainframe now introduces integrated test planning and automation to accelerate and de-risk modernization projects. The release includes automated test plan generation, test data collection scripts, and test case automation to stage environments, run functional tests, and validate results against expected outcomes. These tools reduce upfront planning and execution effort, cut dependency on scarce mainframe expertise, and support continuous delivery and regression testing. The new testing capabilities are available today in multiple AWS Regions.

Critical Auth Bypass in JobMonster WordPress Theme Attack

🔒 Threat actors are actively exploiting a critical authentication bypass in the JobMonster WordPress theme (CVE-2025-5397) that can lead to administrator account takeover under specific conditions. The flaw affects all versions up to 4.8.1 and is caused by the theme's check_login() function trusting external social login data without proper verification. To succeed, attackers typically need social login enabled and knowledge of an admin username or email. The issue is fixed in 4.8.2; immediate mitigations include upgrading, disabling social login, enabling two‑factor authentication, rotating credentials, and reviewing access logs.

Go clients, HTTP/2 PING floods, and ENHANCE_YOUR_CALM

🔍 This post investigates why Cloudflare returned ENHANCE_YOUR_CALM for internal HTTP/2 traffic and traces the issue to an easy-to-make Go client behavior. An incorrect pattern where a response is closed without being fully read caused the Go HTTP/2 library to emit RST_STREAM and PING frames in quick succession, triggering PING-flood mitigations. The fix: always drain response bodies (for example, io.Copy(io.Discard, resp.Body)) before calling Close().

Amazon GameLift Servers Adds Built-in Telemetry Metrics

📊 Amazon GameLift Servers now includes built-in telemetry metrics across all server SDKs and game engine plugins, powered by OpenTelemetry, to generate, collect, and export client-side metrics for game-specific insights. The feature can be configured to collect and publish telemetry from game servers running on managed Amazon EC2 and container fleets, supporting both pre-defined and custom metrics and exporting to Amazon Managed Service for Prometheus or Amazon CloudWatch. Visualizations are available via Amazon Managed Grafana and Amazon CloudWatch dashboards to help optimize resources, improve player experience, and surface operational issues. Telemetry is available in all supported regions except AWS China; see the GameLift Servers documentation for details.

AWS Elastic Beanstalk: Corretto 25 with Tomcat 11 on AL2023

🚀 AWS Elastic Beanstalk now supports building and deploying Tomcat 11 applications using Amazon Corretto 25 on Amazon Linux 2023 (AL2023). The platform enables developers to leverage Java 25 and Jakarta EE 11 features such as compact object headers, ahead‑of‑time (AOT) caching, and structured concurrency while benefiting from AL2023’s security and performance improvements. Environments can be created through the Elastic Beanstalk Console, CLI, or API and are generally available in commercial and GovCloud regions.

Improving JavaScript Trustworthiness via WAICT for the Web

🔒 Cloudflare presents an early design for Web Application Integrity, Consistency, and Transparency (WAICT) to address the risks of mutable JavaScript in sensitive web apps. The proposal pairs expanded Subresource Integrity (SRI) and a signed integrity manifest with append-only transparency logs and third-party witnesses to provide verifiable inclusion and consistency proofs. Browser preload lists, proof-of-enrollment, and client-side cooldowns are used to avoid extra round trips and to limit stealthy changes. Cloudflare plans to participate as a service provider and to collaborate on standardization.

AI-Enhanced Reconnaissance: Risks for Web Applications

🛡️ Alex Spivakovsky (VP of Research & Cybersecurity at Pentera) argues that AI is accelerating reconnaissance by extracting actionable insight from external-facing artifacts—site content, JavaScript, error messages, APIs, and public repos. AI enhances credential guessing, context-aware fuzzing, and payload adaptation while reducing false positives by evaluating surrounding context. Defenders must treat exposure as what can be inferred, not just what is directly reachable.

Unity runtime vulnerability forces game updates worldwide

⚠ A critical vulnerability in the Unity Runtime, introduced in engine version 2017.01, can allow attackers to pass crafted startup parameters that cause games to load arbitrary native libraries on Windows, macOS, Linux and Android. Exploitation may execute malicious code or expose device data, and the risk depends on game and OS settings. Vendors Valve and Microsoft advise blocking or removing affected titles while Unity urges developers to update, recompile and republish builds; Unity also provides an application patcher for unmaintained games.

Gemini CLI Brings Natural Language to PostgreSQL Workflows

🔎 The Gemini CLI extension for PostgreSQL brings natural-language queries and command-line convenience directly to database tasks. It can detect required tools (for example, pg_trgm for fuzzy search), check whether they are installed and install them automatically, and suggest performance improvements such as creating GIN or GIST indexes. The extension also generates schema-derived code snippets and supports lifecycle actions like creating instances, users, and permissions, streamlining development workflows.

How Falcon ASPM Secures GenAI Applications at CrowdStrike

🔒 Falcon ASPM provides continuous, code-level visibility to secure generative and agentic AI applications such as Charlotte AI. It detects real-time drift, produces a runtime SBOM, and maps architecture and data flows to flag reachable vulnerabilities, softcoded credentials, and anomalous service behaviors. Contextualized alerts and mitigation guidance help teams prioritize fixes and reduce exploitable risk across complex microservice environments.

Cloudflare Workers Now Directly Connect to PlanetScale

🚀 Cloudflare Workers can now connect directly to PlanetScale Postgres and MySQL databases through a dashboard integration that links accounts and provisions an optimal Hyperdrive configuration. Built on Hyperdrive, the integration keeps connections warm, places pooled connections near your database, and can cache frequent read queries to reduce latency and database load. Credentials are managed securely, including a one-click password rotation, and the integration is accessible from both Cloudflare and PlanetScale dashboards to simplify full-stack app development.

Application Security Posture Management: Buying Guide

🛡️ Application Security Posture Management (ASPM) consolidates visibility and controls across cloud, container, and on-premises application environments to help organizations manage the growing volume of vulnerabilities. ASPM platforms typically secure the software development lifecycle and supply chain, automate testing, and integrate with existing tools to enable prioritization and remediation. Feature sets vary widely, and vendors take either a code-first or cloud-first approach, so buyers should evaluate integrations, scan capabilities, coverage, analysis teams, and pricing before purchasing.

Cursor Code Editor Flaw Enables Silent Code Execution

⚠ Cursor, an AI-powered fork of Visual Studio Code, ships with Workspace Trust disabled by default, enabling VS Code-style tasks configured with runOptions.runOn: 'folderOpen' to auto-execute when a folder is opened. Oasis Security showed a malicious .vscode/tasks.json can convert a casual repository browse into silent arbitrary code execution with the user's privileges. Users should enable Workspace Trust, audit untrusted projects, or open suspicious repos in other editors to mitigate risk.

Cursor AI IDE auto-runs tasks, exposing developers worldwide

⚠️ A default configuration in Cursor, an AI-powered fork of VS Code, automatically executes tasks when a project folder is opened because Workspace Trust is disabled. Oasis Security demonstrated that a malicious .vscode/tasks.json can run arbitrary commands without user action, risking credential theft and environment takeover. Cursor intends to keep the autorun behavior and advises enabling Workspace Trust manually or using a different editor for untrusted repos.

Webinar: Code-to-Cloud Visibility — Foundation for AppSec

🔒 Join a focused 60-minute webinar on September 18, 2025 at 2 PM EST to learn why leading teams are prioritizing code-to-cloud visibility to reduce app risk and accelerate remediation. Experts will share practical steps to map code issues to cloud behavior, prioritize critical applications and automate fixes to shrink vulnerability counts and remediation time. Attendees receive a free ASPM checklist and a recording to apply learnings immediately.