< ciso
brief />
Tag Banner

All news with #application security tag

49 articles · page 2 of 3

Why Application Security Should Begin at the Load Balancer

🔐 The article contends that application security must start at the load balancer, which serves as the primary traffic entry and trust boundary rather than just a performance device. The author describes consulting cases across finance, healthcare, SaaS and retail where permissive edge settings enabled downgrade attacks, bot floods, and long-term technical debt. Recommended controls include enforcing modern TLS, sanitizing requests, applying bot and rate controls at the edge, and integrating the load balancer with downstream WAFs and security tools to reduce incident scope and operational cost.
read more →

A Better Streams API: Simpler, Faster Web Streaming

🔧 Cloudflare critiques the WHATWG Web Streams design and presents a proof-of-concept alternative built around async iterables. The post catalogs practical pain points — reader locking, BYOB complexity, fragile backpressure, and heavy promise overhead — that drive implementation complexity and runtime fragmentation. The proposed model favors pull-through transforms, explicit backpressure policies, batched byte chunks, and synchronous fast paths. Benchmarks in the write-up report 2x–120x improvements in some scenarios, and a reference implementation is published for exploration.
read more →

Anthropic’s Claude Code Security Sparks Industry Debate

🛡️ Anthropic launched a limited research preview of Claude Code Security, triggering sharp market moves as stocks of major cybersecurity vendors dropped. The tool claims to reason about code like a human, trace data flows, find complex vulnerabilities, and suggest targeted patches that appear in a review dashboard with confidence ratings. Anthropic says every finding undergoes a multi-stage verification and requires human approval, but experts warn about outsourcing critical security judgments to an evolving model and highlight risks from hallucinations, asymmetric attacker advantage, and single points of trust.
read more →

OWASP Smart Contract Top 10 2026: Governance Risk Focus

🔒 CredShields led the release of the OWASP Smart Contract Top 10 2026, an impact-weighted risk framework built from structured analysis of 2025 smart contract incidents that produced hundreds of millions in losses. The ranking highlights that governance and privilege failures—not just code bugs—drive the most severe on-chain compromises, naming access control, business logic, oracle manipulation, flash loan–facilitated attacks, and proxy/upgradeability vulnerabilities among the top risks. CredShields’ exploit intelligence platforms, SolidityScan and Web3HackHub, supported the aggregation and methodology informing the list.
read more →

Microsoft Adds Mobile-Style Permission Prompts to Windows

🔐 Microsoft will introduce smartphone-style permission prompts in Windows 11 to request user consent before apps access sensitive resources such as files, cameras, and microphones. The company is also launching a Windows Baseline Security Mode to enable runtime integrity safeguards by default while still permitting targeted overrides for specific apps. These changes are part of the Secure Future Initiative and will roll out in phases with developer, enterprise, and ecosystem feedback. Users and IT administrators will be able to view, grant, or revoke app permissions and will receive clearer prompts when apps attempt to install unwanted software or access protected data.
read more →

Top Dynamic and Static Application Security Testing Tools

🔒 Application security now demands both static code analysis and runtime testing to secure the software supply chain. This article reviews leading SAST and DAST tools that help developers find vulnerabilities early and in running applications, covering deployment models, CI/CD and IDE integrations, and features like secret scanning, IAST, managed services, and compliance checks. Vendors highlighted include Checkmarx, Fortify, Acunetix, Veracode, and others.
read more →

Airlock Digital Forrester TEI Finds 224% ROI and $3.8M NPV

🔒 The Forrester Consulting Total Economic Impact (TEI) study commissioned by Airlock Digital reports a 224% ROI and a $3.8 million net present value over three years for organizations that adopt Airlock’s allowlisting approach. The analysis cites a >25% reduction in overall breach risk and notes zero breaches among interviewed customers after deployment. It also highlights operational efficiency gains — policy management requiring roughly 2.5 hours per week — and reduced administrative overhead thanks to Airlock’s modern, operationally friendly implementation of allowlisting.
read more →

Why secrets in JavaScript bundles remain exposed at scale

🔐 Intruder's research scanned roughly 5 million web applications and identified over 42,000 exposed tokens across 334 secret types, revealing widespread leakage in front-end JavaScript bundles. The report shows how traditional path-and-regex scanners, many SAST tools, and some DAST deployments miss secrets introduced during build and deployment, especially in SPAs. High-impact findings included active GitHub/GitLab personal access tokens, project-management API keys, and hundreds of live webhooks; Intruder developed automated SPA secrets detection to close these gaps.
read more →

AI fuzzing: automated testing and emerging threats

🔍Generative AI is transforming fuzzing by automating test generation, expanding input diversity, and enabling scalable discovery of bugs and logic flaws. Security teams and consulting firms use models to create behavioral variants, convert breach data into scenarios, and prototype fuzzing harnesses to exercise code and APIs at scale. Attackers likewise leverage uncensored or fine‑tuned models to automate complex, high‑throughput attacks, forcing defenders to continuously fuzz guardrails and address LLM nondeterminism and prompt injection.
read more →

Application Security: Posture, Provenance and Proof

🔒 Application security is shifting from relying solely on SAST, DAST, SCA and MAST to a posture-centric model that emphasizes posture, provenance and proof. The article recommends Application Security Posture Management (ASPM) as the control plane to correlate scanner outputs, enforce policy and prioritize actionable risks based on reachability and exposure. It urges stronger supply-chain controls—SLSA attestations, signed SBOMs and VEX—plus runtime protections such as IAST and RASP, and AI and language policies driven by recent NIST and NSA/CISA guidance.
read more →

The State of Cybersecurity in 2025: Segments and Innovations

🔐 Cybersecurity in 2025 is framed as an architectural challenge rather than a set of isolated controls. This contributed report surveys shifts across authentication, endpoint and network security, software supply chains, SaaS data governance, AI-driven defenses, and human risk. It highlights hardware‑backed authentication, passkeys, binary-level verification, and network telemetry as pivotal controls. Vendors stress speed, visibility, and provable trust as the operational priorities.
read more →

AWS Security Agent preview: AI-driven development security

🔒 AWS today announced the preview of AWS Security Agent, an AI-powered agent that automates security validation across the application development lifecycle. The service lets security teams define organizational requirements once and then evaluates architecture and code against those standards, offering contextual remediation guidance. For deployments, it performs context-aware penetration testing and logs API activity to CloudTrail; the preview is available in US East (N. Virginia). AWS states customer data and queries are not used to train models.
read more →

AWS Transform Custom GA: Agentic AI for Code Modernization

🚀 AWS Transform Custom is now generally available, offering an agentic AI service to accelerate organization-wide code and application modernization at scale. The service automates repeatable transformations—version upgrades, runtime migrations, framework transitions, and language translations—often reducing execution time by over 80% while removing the need for specialist automation expertise. It provides out-of-the-box transformations for Python, Node.js, Lambda, AWS SDK updates, and Java 8→17, and supports custom transformation definitions using natural language, reference documents, and code samples. Teams can run autonomous transformations with a one-line CLI command, embed them into pipelines, and benefit from an agent that continuously learns from developer feedback and execution results. AWS Transform Custom is available in the US East (N. Virginia) region.
read more →

AWS Transform adds automated testing for mainframe

🧪 AWS Transform for mainframe now introduces integrated test planning and automation to accelerate and de-risk modernization projects. The release includes automated test plan generation, test data collection scripts, and test case automation to stage environments, run functional tests, and validate results against expected outcomes. These tools reduce upfront planning and execution effort, cut dependency on scarce mainframe expertise, and support continuous delivery and regression testing. The new testing capabilities are available today in multiple AWS Regions.
read more →

AWS Transform Expands .NET Modernization and Developer UX

🔧 AWS Transform is now generally available with expanded .NET modernization features that let customers convert .NET Framework and .NET code to .NET 10 or .NET Standard. New capabilities include automated UI porting from ASP.NET Web Forms to Blazor on ASP.NET Core and Entity Framework ORM porting. An enhanced IDE workflow via the AWS Toolkit for Visual Studio 2026 or 2022 provides an editable transformation plan, real‑time progress, repeatable iterations, detailed logs, and a Next Steps markdown for AI code companions.
read more →

Critical Auth Bypass in JobMonster WordPress Theme Attack

🔒 Threat actors are actively exploiting a critical authentication bypass in the JobMonster WordPress theme (CVE-2025-5397) that can lead to administrator account takeover under specific conditions. The flaw affects all versions up to 4.8.1 and is caused by the theme's check_login() function trusting external social login data without proper verification. To succeed, attackers typically need social login enabled and knowledge of an admin username or email. The issue is fixed in 4.8.2; immediate mitigations include upgrading, disabling social login, enabling two‑factor authentication, rotating credentials, and reviewing access logs.
read more →

Go clients, HTTP/2 PING floods, and ENHANCE_YOUR_CALM

🔍 This post investigates why Cloudflare returned ENHANCE_YOUR_CALM for internal HTTP/2 traffic and traces the issue to an easy-to-make Go client behavior. An incorrect pattern where a response is closed without being fully read caused the Go HTTP/2 library to emit RST_STREAM and PING frames in quick succession, triggering PING-flood mitigations. The fix: always drain response bodies (for example, io.Copy(io.Discard, resp.Body)) before calling Close().
read more →

Amazon GameLift Servers Adds Built-in Telemetry Metrics

📊 Amazon GameLift Servers now includes built-in telemetry metrics across all server SDKs and game engine plugins, powered by OpenTelemetry, to generate, collect, and export client-side metrics for game-specific insights. The feature can be configured to collect and publish telemetry from game servers running on managed Amazon EC2 and container fleets, supporting both pre-defined and custom metrics and exporting to Amazon Managed Service for Prometheus or Amazon CloudWatch. Visualizations are available via Amazon Managed Grafana and Amazon CloudWatch dashboards to help optimize resources, improve player experience, and surface operational issues. Telemetry is available in all supported regions except AWS China; see the GameLift Servers documentation for details.
read more →

AWS Elastic Beanstalk: Corretto 25 with Tomcat 11 on AL2023

🚀 AWS Elastic Beanstalk now supports building and deploying Tomcat 11 applications using Amazon Corretto 25 on Amazon Linux 2023 (AL2023). The platform enables developers to leverage Java 25 and Jakarta EE 11 features such as compact object headers, ahead‑of‑time (AOT) caching, and structured concurrency while benefiting from AL2023’s security and performance improvements. Environments can be created through the Elastic Beanstalk Console, CLI, or API and are generally available in commercial and GovCloud regions.
read more →

Improving JavaScript Trustworthiness via WAICT for the Web

🔒 Cloudflare presents an early design for Web Application Integrity, Consistency, and Transparency (WAICT) to address the risks of mutable JavaScript in sensitive web apps. The proposal pairs expanded Subresource Integrity (SRI) and a signed integrity manifest with append-only transparency logs and third-party witnesses to provide verifiable inclusion and consistency proofs. Browser preload lists, proof-of-enrollment, and client-side cooldowns are used to avoid extra round trips and to limit stealthy changes. Cloudflare plans to participate as a service provider and to collaborate on standardization.
read more →