< ciso brief />

All news with #appsec tag

23 articles

Google integrates CodeMender into enterprise agent platform

🔒 Google is folding CodeMender into its broader Agent Platform strategy, expanding the AI-powered security agent from standalone vulnerability remediation toward an integrated, governed enterprise agent ecosystem. Launched in October 2025 to autonomously identify and patch vulnerabilities using Gemini models, CodeMender reportedly upstreamed dozens of fixes but lacks published performance metrics on accuracy and regressions. The integration emphasizes governance, observability, and identity, positioning CodeMender as a controlled participant in AI-native development and security pipelines rather than an unsupervised remediation tool.

Three-Quarters Admit Shipping Vulnerable Code

🛡️ New studies reveal that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year but still alarmingly high. Checkmarx warns that AI-augmented attackers are dramatically shortening time-to-exploit, while Verizon’s DBIR links increased initial access to vulnerability exploitation aided by AI. A QBE survey found UK firms are worried about suppliers' AI use, yet few audit third-party AI or maintain formal AI governance.

AWS Security Agent: Full Repository Code Review Launch

🔒 AWS today introduced full repository code review in AWS Security Agent, a capability that performs deep, context-aware security analysis across entire codebases. Unlike traditional static scanners, it reasons about architecture, trust boundaries, and data flows to surface systemic vulnerabilities. When issues are identified, the scanner generates file- and line-specific remediation guidance and exploit proofs-of-concept to accelerate fixes; preview access is available at no extra charge in all Regions.

OpenAI Daybreak: Secure-by-Design LLMs for Developers

🔒 OpenAI has launched Daybreak, an initiative built on its frontier LLMs and the Codex assistant to help developers embed security throughout the software development lifecycle. Announced on May 12, Daybreak extends the Trusted Access for Cyber (TAC) program and includes GPT‑5.5, TAC-enabled GPT‑5.5, GPT‑5.5‑Cyber and a Codex Security research preview. The initiative supports code scanning, vulnerability triage, automated detection and response while pairing defensive capabilities with verification, proportional safeguards and accountability.

OpenAI Launches Daybreak: New AI Cyber Defense Platform

🔒 OpenAI has unveiled Daybreak, an enterprise-focused cyber-defense platform that combines its large language models with Codex-style agent capabilities and broad integrations across the security ecosystem. The initiative aims to accelerate vulnerability discovery, generate and test fixes within repositories, and deliver audit-ready evidence back into enterprise workflows. Daybreak will be offered in tiers including GPT-5.5, Trusted Access, and GPT-5.5-Cyber, and is being developed with major vendors and government partners.

OX Security: Critical Risk Spike in AI-Driven Development

🔍 OX Security analyzed 216 million security findings from 250 organizations over a 90‑day period and found that while raw alert volume rose 52% year‑over‑year, prioritized critical risk increased nearly 400%. The ratio of critical findings to alerts nearly tripled, from 0.035% to 0.092%. The report links the surge to AI-assisted development and stresses that business context now often outweighs traditional technical severity.

How Google Does It: Inside Look at Cybersecurity Practices

🔐 This collection from Google Cloud offers a behind-the-scenes look at how Google approaches modern cybersecurity challenges, from fundamentals to AI. Across practical essays and expert perspectives, it covers modernizing threat detection, building AI agents for defense, red teaming at scale, vulnerability management and supply chain controls like Binary Authorization. The pieces emphasize operational rigor, the application of SRE to security, and a commitment to Secure by Design principles to help defenders adopt scalable, enterprise-ready practices.

Researchers Warn of Rising AI-Generated Code Vulnerabilities

⚠️ Georgia Tech researchers warn that AI-assisted 'vibe coding' is producing measurable security flaws in real projects. The Vibe Security Radar traced at least 35 new CVEs in March 2026 and reports 74 confirmed AI-related vulnerabilities to date, while estimating the true count in open source may be five to ten times higher. The team monitors roughly 50 tools and uses metadata and AI agents to map vulnerable commits back to assistants such as Claude Code, noting some tools leave no trace.

Anthropic Launches Claude Code Security for Codebases

🛡️ Anthropic has introduced Claude Code Security, an AI feature now in a limited research preview for Enterprise and Team customers that scans software codebases for vulnerabilities and proposes targeted patches for human review. The company says the tool reasons about component interactions and traces data flows, going beyond pattern-based static analysis. Findings pass a multi-stage verification process to reduce false positives and receive severity and confidence ratings. Anthropic stresses a human-in-the-loop model: suggested fixes require developer approval.

Top Dynamic and Static Application Security Testing Tools

🔒 Application security now demands both static code analysis and runtime testing to secure the software supply chain. This article reviews leading SAST and DAST tools that help developers find vulnerabilities early and in running applications, covering deployment models, CI/CD and IDE integrations, and features like secret scanning, IAST, managed services, and compliance checks. Vendors highlighted include Checkmarx, Fortify, Acunetix, Veracode, and others.

AI-Generated Honeypot Reveals Risks of Overtrusting

🧰 Intruder used AI to draft a honeypot for its Rapid Response service and deployed it as intentionally vulnerable infrastructure. Weeks later logs revealed attacker payloads where IP addresses should be, exposing that the AI trusted client-supplied IP headers. Static tools like Semgrep and Gosec did not flag the issue; the flaw required contextual human judgement. The incident underscores risks of over-relying on AI-generated code and the need to adapt code review and CI/CD practices.

Ten Key Traits to Empower Your Security Engineering Team

🔐 Security engineering teams are builders who design services, automate processes, and optimize deployments to support central security organizations and their stakeholders. They must pair deep technical fluency — understanding the full IT environment, containers, CI/CD, and operational telemetry — with product ownership to build and operate what they create. Emphasizing developer experience (DevX) reduces friction and increases adoption of security controls. Equally important are collaboration, influence, and soft skills such as prioritization, adaptability, and continuous learning to sustain a resilient practice.

AWS Security Agent Adds GitHub Enterprise Cloud Support

🔒 AWS now supports connecting AWS Security Agent to GitHub Enterprise Cloud, allowing organizations to apply AI-powered security analysis to private repositories. Customers install the AWS Security Agent GitHub app with required permissions to enable automated code reviews on pull requests, use the agent during penetration testing, and optionally have the agent submit PRs with recommended fixes. This capability is available in US East (N. Virginia).

Vibe coding tools produce critical security vulnerabilities

🛡️ Tenzai's December 2025 assessment found that five popular vibe coding tools — Claude Code, OpenAI Codex, Cursor, Replit, and Devin — frequently generate insecure code when given common programming prompts. Across 15 generated applications the researchers identified 69 vulnerabilities, many low‑to‑medium but several rated high and six rated critical. The most serious flaws involved API authorization and business‑logic failures; by contrast, the tools avoided classic issues such as SQLi and XSS. Tenzai concluded human oversight, targeted testing, and embedding security into AI development workflows remain essential.

Embedding Privacy in Development to Prevent Data Leaks

🔒 HoundDog.ai provides a privacy-first static code scanner that embeds detection and governance into development to prevent data leaks before code reaches production. The Rust-based engine performs deep interprocedural analysis across files and functions and can scan millions of lines in under a minute. It traces more than 100 sensitive data types into risky sinks such as logs, LLM prompts, files, local storage, and third-party SDKs, and integrates with IDEs and CI to enforce allowlists and auto-generate RoPA, PIA and DPIA evidence.

How Staff+ Security Engineers Can Force-Multiply Impact

🔧 Staff+ security engineers should move from being individual problem-solvers to force multipliers by enabling others, automating enforcement, and shaping security strategy. The article recommends practical mechanisms—policy-as-code, paved paths, mentorship trees—and disciplined delegation to scale impact. It urges embedding security via shift-left practices, reusable reference architectures, and cautious AI-assisted tooling. During incidents, act as an orchestrator, set inflection points, and bridge teams with leadership to preserve strategic influence.

OpenAI Aardvark: GPT-5 Agent to Find and Fix Code Bugs

🛡️ OpenAI has introduced Aardvark, a GPT-5-powered autonomous agent designed to scan, reason about, and patch code with the judgment of a human security researcher. Announced in private beta, Aardvark maps repositories, builds contextual threat models, continuously monitors commits, and validates exploitability in sandboxed environments before reporting findings. When vulnerabilities are confirmed, it proposes fixes via Codex and re-analyzes patches to avoid regressions. OpenAI reports a 92% detection rate in benchmark tests and has already identified real-world flaws in open-source projects, including ten issues assigned CVE identifiers.

Gemini Code Assist brings AI code reviews to GitHub

🔐 Gemini Code Assist on GitHub for enterprises delivers AI-powered code reviews across GitHub Enterprise Cloud and privately hosted GitHub Enterprise Server. Organization-level controls let platform teams define a central style guide, set comment severity, and enforce baseline checks while preserving repo-level customization. Built on Google Cloud security and privacy commitments, the public preview includes higher pull-request quotas and stateless prompt handling to protect customer code.

Security Risks of Vibe Coding and LLM Developer Assistants

🛡️ AI developer assistants accelerate coding but introduce significant security risks across generated code, configurations, and development tools. Studies show models now compile code far more often yet still produce many OWASP- and MITRE-class vulnerabilities, and real incidents (for example Tea, Enrichlead, and the Nx compromise) highlight practical consequences. Effective defenses include automated SAST, security-aware system prompts, human code review, strict agent access controls, and developer training.

AI Coding Assistants Elevate Deep Security Risks Now

⚠️ Research and expert interviews indicate that AI coding assistants cut trivial syntax errors but increase more costly architectural and privilege-related flaws. Apiiro found AI-generated code produced fewer shallow bugs yet more misconfigurations, exposed secrets, and larger multi-file pull requests that overwhelm reviewers. Experts urge preserving human judgment, adding integrated security tooling, strict review policies, and traceability for AI outputs to avoid automating risk at scale.