All news with #appsec tag

An Open Letter to Cybersecurity Vendors and Investors

🔊 The cybersecurity market is awash in noise: vendors and investors chase flashy pitches while the long-standing vulnerabilities that cause real breaches remain neglected. The author argues CISOs don’t buy technology so much as they buy reduced risk and confidence, so purchases must fit roadmaps, integrate cleanly, and be sustainable. He prioritizes visibility, identity, automation that empowers people, and tools that reinforce fundamentals like patching and segmentation. Hype, overlapping products, and complexity are rejected in favor of practical reliability.

Fortinet Adds AI-Driven Managed IPS Rules for AWS Cloud

🔒 Fortinet is an official launch partner for third-party rules on AWS Network Firewall, introducing Fortinet Managed IPS Rules powered by FortiGuard AI-Powered Security Services. The managed service uses AI/ML from FortiGuard Labs to automatically translate global threat telemetry into continuously updated IPS rules, removing manual tuning and improving detection timeliness. Deployment is fast via AWS Marketplace and integrates natively with AWS Network Firewall, helping teams scale protection across cloud workloads while supporting compliance objectives.

Cloudflare Outage Highlights Risks of Single-Vendor Reliance

🔍 An intermittent outage at Cloudflare on Nov. 18 briefly disrupted many major websites and forced some customers to pivot DNS and routing to preserve availability. Those provisional workarounds may have exposed origin infrastructure by bypassing edge protections such as WAFs and bot management. Security teams should review OWASP-related logs, emergency DNS changes, and any ad hoc services or devices introduced during the outage. The incident underscores single-vendor risk and the need for formal fallback plans.

Application Containment and Ringfencing for Zero Trust

🔒 Ringfencing, or granular application containment, enforces least privilege for authorized software by restricting file, registry, network, and interprocess access. It complements allowlisting by preventing misuse of trusted tools that attackers commonly weaponize, such as scripting engines and archivers. Effective rollout uses a monitoring agent, simulated denies, and phased enforcement to minimize operational disruption. Properly applied, containment reduces lateral movement, blocks mass exfiltration and ransomware encryption while preserving business workflows.

Best-in-Class GenAI Security: CloudGuard WAF Meets Lakera

🔒 The rise of generative AI introduces new attack surfaces that conventional security stacks were never designed to address. This post outlines how pairing CloudGuard WAF with Lakera's AI-risk controls creates layered protection by inspecting prompts, model interactions, and data flows at the application edge. The integrated solution aims to prevent prompt injection, sensitive-data leakage, and harmful content generation while maintaining application availability and performance.

Pixnapping vulnerability: Android screen-snooping risk

🔒 A newly disclosed exploit named Pixnapping (CVE-2025-48561) allows a malicious Android app with no special permissions to read screen pixels from other apps and reconstruct sensitive content. The attack chains intent-based off-screen rendering, translucent overlays, and a GPU compression timing side channel to infer pixel values. Google issued a September patch but researchers bypassed it, and a more robust fix is planned.

Expanding CloudGuard: Securing GenAI Application Platforms

🔒 Check Point expands CloudGuard to protect GenAI applications by extending the ML-driven, open-source CloudGuard WAF that learns from live traffic. The platform moves beyond traditional static WAFs to secure web interactions, APIs (REST, GraphQL) and model-integrated endpoints with continuous learning and high threat-prevention accuracy. This evolution targets modern attack surfaces introduced by generative AI workloads and APIs.

November 2025 Fraud and Scams Advisory — Key Trends

🔔 Google’s Trust & Safety team published a November 2025 advisory describing rising online scam trends, attacker tactics, and recommended defenses. Analysts highlight key categories — online job scams, negative review extortion, AI product impersonation, malicious VPNs, fraud recovery scams, and seasonal holiday lures — and note increased misuse of AI to scale fraud. The advisory outlines impacts including financial theft, identity fraud, and device or network compromise, and recommends protections such as 2‑Step Verification, Gmail phishing defenses, Google Play Protect, and Safe Browsing Enhanced Protection.

Microsoft Teams Vulnerabilities Expose Trust Abuse Today

🔒 Check Point Research identified multiple vulnerabilities in Microsoft Teams that could let attackers impersonate executives, manipulate message content, and spoof in-app notifications. The flaws exploit trust mechanisms built into real-time collaboration features used by more than 320 million monthly active users, turning expectations of authenticity into an attack vector. Researchers emphasize that trust alone isn’t a security strategy and urge rapid remediation by vendors and mitigations by organizations. Administrators should prioritize updates, review messaging policies, and increase user awareness to reduce exposure.

Modern Software Supply-Chain Attacks and Impact Today

🔒 Modern supply-chain incidents like the Chalk and Debug hijacks show that impact goes far beyond direct financial theft. Response teams worldwide paused work, scanned environments, and executed remediation efforts even though researchers at Socket Security traced the attackers' on-chain haul to roughly $600. The larger cost is operational disruption, repeated investigations, and erosion of trust across OSS ecosystems. Organizations must protect people, registries, and CI/CD pipelines to contain downstream contamination.

OpenAI Unveils Aardvark: GPT-5 Agent for Code Security

🔍 OpenAI has introduced Aardvark, an agentic security researcher powered by GPT-5 that autonomously scans source code repositories to identify vulnerabilities, assess exploitability, and propose targeted patches that can be reviewed by humans. Embedded in development pipelines, the agent monitors commits and incoming changes continuously, prioritizes threats by severity and likely impact, and attempts controlled exploit verification in sandboxed environments. Using OpenAI Codex for patch generation, Aardvark is in private beta and has already contributed to the discovery of multiple CVEs in open-source projects.

Dynamic Binary Instrumentation with DynamoRIO on Windows

🛠️ This post introduces dynamic binary instrumentation (DBI) and provides a hands-on guide to building DBI tooling using DynamoRIO on Windows 11. It explains the difference between static and dynamic instrumentation and highlights practical uses such as malware analysis, anti-anti-analysis techniques, runtime de-obfuscation, and automated unpacking. The tutorial includes example clients, build instructions, and a GitHub repository with sample code to help researchers get started.

Detecting CGNAT to Reduce Collateral Damage Globally

🔎Cloudflare describes a supervised approach to detect large-scale IP sharing — especially CGNAT — to reduce collateral damage from IP-based security controls. They build labeled training data using distributed traceroutes (RIPE Atlas), PTR/WHOIS scraping, and lists of known VPN/proxy exit IPs, then extract per-IP and per-/24 behavioral features. An XGBoost model trained on these features achieves high accuracy, enabling operators to tune rate limits and blocklists with less harm to innocent users, particularly in regions with heavy IP sharing.

Improving JavaScript Trustworthiness via WAICT for the Web

🔒 Cloudflare presents an early design for Web Application Integrity, Consistency, and Transparency (WAICT) to address the risks of mutable JavaScript in sensitive web apps. The proposal pairs expanded Subresource Integrity (SRI) and a signed integrity manifest with append-only transparency logs and third-party witnesses to provide verifiable inclusion and consistency proofs. Browser preload lists, proof-of-enrollment, and client-side cooldowns are used to avoid extra round trips and to limit stealthy changes. Cloudflare plans to participate as a service provider and to collaborate on standardization.

AI-Enhanced Reconnaissance: Risks for Web Applications

🛡️ Alex Spivakovsky (VP of Research & Cybersecurity at Pentera) argues that AI is accelerating reconnaissance by extracting actionable insight from external-facing artifacts—site content, JavaScript, error messages, APIs, and public repos. AI enhances credential guessing, context-aware fuzzing, and payload adaptation while reducing false positives by evaluating surrounding context. Defenders must treat exposure as what can be inferred, not just what is directly reachable.

Oracle issues second emergency patch for E-Business Suite

⚠️ Oracle released an emergency security alert on October 11 for CVE-2025-61884, a 7.5 CVSS information-disclosure flaw in the Runtime UI component of E-Business Suite (versions 12.2.3–12.2.14). The vulnerability allows unauthenticated remote attackers with network access to steal sensitive data. The patch arrives one week after an emergency fix for a Cl0p-exploited RCE, and experts urge administrators to apply updates, hunt for prior compromise, and restrict outbound traffic from EBS servers.

Unmonitored JavaScript: The Holiday Shopping Risk 2025

⚠️ The article warns that unmonitored JavaScript on e-commerce sites is the single biggest holiday security risk, enabling attackers to steal payment data while server-side defenses like WAFs and intrusion detection systems remain blind. It reviews major 2024 incidents, including the Polyfill.io and Cisco Magecart campaigns, and highlights a dramatic uptick in attacks during peak shopping windows. Recommended mitigations emphasize closing visibility gaps with real-time client-side monitoring, maintaining strict third-party script inventories, and deploying Content Security Policy (initially in report-only mode) using nonces rather than weakening directives.

How Uber Appears to Know Your Location on iOS Devices

📍 iPhone users have reported receiving airport pickup prompts from Uber even when the app’s location permission is set to Only While Using. The notifications are generated locally by iOS using Apple’s UNLocationNotificationTrigger, which fires preconfigured alerts when a device enters or exits a geofenced area. Uber does not receive location data until you open the app, but the notification’s wording can misleadingly suggest active tracking.

Cloud and Application Security: Awareness Best Practices

🔐 The 2025 State of Cloud Security Report from Fortinet and Cybersecurity Insiders highlights how accelerating cloud adoption and a widespread cybersecurity skills shortage are expanding organizational risk across SaaS, APIs, and hybrid environments. Many incidents result from human error — misconfigurations, exposed APIs, and overprivileged accounts — rather than sophisticated targeted attacks. The post recommends five practical measures, including embracing shared responsibility, enforcing MFA and least privilege, integrating security into CI/CD, automating configuration management, and monitoring SaaS and APIs, and stresses that tools must be paired with user awareness and cultural change.

Study Finds Major Security Flaws in Popular Free VPN Apps

🔍 Zimperium zLabs’ analysis of 800 Android and iOS free VPN apps found widespread privacy and security weaknesses, including outdated libraries, weak encryption, and misleading privacy disclosures. The report highlights concrete failures such as vulnerable OpenSSL builds (including Heartbleed-era versions), roughly 1% of apps permitting Man-in-the-Middle decryption, and about 25% of iOS apps lacking valid privacy manifests. Researchers warn excessive permission requests and private entitlements increase risk, especially in BYOD and remote-work environments, and recommend stronger security models, endpoint visibility and zero-trust approaches.