< ciso
brief />
Tag Banner

All news with #appsec tag

32 articles

AWS launches Continuum to manage code vulnerabilities

🛡️ AWS has introduced Continuum, a new platform that manages code vulnerabilities across discovery, prioritization, validation and remediation. Launched at AWS Summit New York on June 17, Continuum ingests both structured and unstructured data from an organization’s environment and begins in a human-supervised "learn mode." The platform includes the AWS Security Agent and features for pen testing, code scanning and threat modelling, with outputs in STRIDE format.
read more →

AWS Continuum: Machine‑Speed Code Vulnerability Security

🛡️ AWS announces Continuum for code vulnerabilities in gated preview, designed to manage the full lifecycle of code vulnerabilities at machine speed. The service reasons over structured AWS data and unstructured organizational context, is model‑agnostic, and operates in continuous phases from discovery to remediation. It begins in a human‑in‑the‑loop learn mode and can be graduated to enforce mode for automated remediation, and incorporates pen testing, code scanning, and threat modeling capabilities.
read more →

AWS Security Agent adds Kiro and Claude Code support

🔒 AWS Security Agent (now part of AWS Continuum) adds support for Kiro and Claude Code, enabling developers to trigger security scans directly from their development environment. The agent now validates code scanner findings by simulating exploits in a sandbox to provide proof of exploit, reducing false positives and improving prioritization. Integrations include GitLab.com, GitLab Self Managed, GitHub Enterprise, Bitbucket, and Confluence, and features are available in all supported regions.
read more →

AWS introduces continuous modernization for codebases

🔍 AWS Transform today launched a Preview of continuous modernization that autonomously detects, prioritizes, and remediates technical debt across enterprise software portfolios. The capability brings visibility across thousands of repositories, supports assessments like agentic and modernization readiness, and integrates with AWS Security Agent to find and fix source code vulnerabilities. Customers can connect repositories from GitHub, GitLab, Bitbucket, and run analyses via the web console, CLI, Transform Kiro, or coding agents, with job state synchronized across surfaces. The service is available in US East (N. Virginia) and Europe (Frankfurt) regions.
read more →

UK government patches 400+ vulnerabilities via AI

🔎 The UK government's GC3 ran weekly in-person hackathons using frontier AI models to scan public code repositories across nine departments, identifying 407 findings including authentication bypasses, data exposure and remote code execution. Teams built diverse pipelines combining models and traditional tools like Gitleaks, Trivy and Semgrep, and all exploitable critical and high-risk issues were remediated. The initiative highlighted the benefits of tightly scoped model components, the need for human triage, and cost-effective scanning, though export restrictions on some models may affect future work.
read more →

Enterprises Ship Vulnerable AI-Generated Code Despite Risks

🛡️ New research from Checkmarx finds enterprises are increasingly shipping AI-generated code despite widespread vulnerabilities. The survey of 2,350 security leaders shows nearly half of production code is AI-built and organizations that rely heavily on AI introduce far more insecure code. Many firms lack formal AI governance and continue to accept or defer fixing known issues, while tool sprawl and developer pressure compound the problem.
read more →

Most Firms Admit Deploying Vulnerable Production Code

🔍 A new Checkmarx report found that 95% of CISOs have been pressured to deprioritize or delay reporting security issues, and 75% acknowledged their organizations knowingly deployed vulnerable code to production. Respondents cited compensating controls, deadlines, late detection, and difficulty of fixes as reasons. The survey of 2,350 security professionals also flagged limited remediation rates and rising risks from AI-generated code.
read more →

Embed security within agentic AI coding tools

🔒 Ox Security urges that appsec be integrated directly into AI coding tools as agentic development accelerates code changes beyond traditional pipelines. Speaking at Infosecurity Europe, field CTO Boaz Barzel argued that security must become a continuous, contextual property of creation rather than a bolt-on stage. He outlined four agentic attack surfaces—input, tools, execution and output—and advocated autonomous security agents that pentest and validate every commit to reduce MTTR and achieve full coverage.
read more →

Microsoft Build 2026: Securing Code, Agents, Models

🔒 At Microsoft Build 2026, Microsoft announced new security capabilities to integrate protection across the development lifecycle, addressing insecure code, agent proliferation, and model risk. The expanded preview of the multi-model agentic scanning harness (codename MDASH) integrates with Microsoft Defender to orchestrate hundreds of AI agents for exploit discovery. New tools such as Agent 365, MXC SDK, and Purview enhancements provide runtime controls, data protection, and governance to help developers and security teams act earlier and with consistent oversight.
read more →

Google integrates CodeMender into enterprise agent platform

🔒 Google is folding CodeMender into its broader Agent Platform strategy, expanding the AI-powered security agent from standalone vulnerability remediation toward an integrated, governed enterprise agent ecosystem. Launched in October 2025 to autonomously identify and patch vulnerabilities using Gemini models, CodeMender reportedly upstreamed dozens of fixes but lacks published performance metrics on accuracy and regressions. The integration emphasizes governance, observability, and identity, positioning CodeMender as a controlled participant in AI-native development and security pipelines rather than an unsupervised remediation tool.
read more →

Three-Quarters Admit Shipping Vulnerable Code

🛡️ New studies reveal that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year but still alarmingly high. Checkmarx warns that AI-augmented attackers are dramatically shortening time-to-exploit, while Verizon’s DBIR links increased initial access to vulnerability exploitation aided by AI. A QBE survey found UK firms are worried about suppliers' AI use, yet few audit third-party AI or maintain formal AI governance.
read more →

AWS Security Agent: Full Repository Code Review Launch

🔒 AWS today introduced full repository code review in AWS Security Agent, a capability that performs deep, context-aware security analysis across entire codebases. Unlike traditional static scanners, it reasons about architecture, trust boundaries, and data flows to surface systemic vulnerabilities. When issues are identified, the scanner generates file- and line-specific remediation guidance and exploit proofs-of-concept to accelerate fixes; preview access is available at no extra charge in all Regions.
read more →

OpenAI Daybreak: Secure-by-Design LLMs for Developers

🔒 OpenAI has launched Daybreak, an initiative built on its frontier LLMs and the Codex assistant to help developers embed security throughout the software development lifecycle. Announced on May 12, Daybreak extends the Trusted Access for Cyber (TAC) program and includes GPT‑5.5, TAC-enabled GPT‑5.5, GPT‑5.5‑Cyber and a Codex Security research preview. The initiative supports code scanning, vulnerability triage, automated detection and response while pairing defensive capabilities with verification, proportional safeguards and accountability.
read more →

OpenAI Launches Daybreak: New AI Cyber Defense Platform

🔒 OpenAI has unveiled Daybreak, an enterprise-focused cyber-defense platform that combines its large language models with Codex-style agent capabilities and broad integrations across the security ecosystem. The initiative aims to accelerate vulnerability discovery, generate and test fixes within repositories, and deliver audit-ready evidence back into enterprise workflows. Daybreak will be offered in tiers including GPT-5.5, Trusted Access, and GPT-5.5-Cyber, and is being developed with major vendors and government partners.
read more →

OX Security: Critical Risk Spike in AI-Driven Development

🔍 OX Security analyzed 216 million security findings from 250 organizations over a 90‑day period and found that while raw alert volume rose 52% year‑over‑year, prioritized critical risk increased nearly 400%. The ratio of critical findings to alerts nearly tripled, from 0.035% to 0.092%. The report links the surge to AI-assisted development and stresses that business context now often outweighs traditional technical severity.
read more →

How Google Does It: Inside Look at Cybersecurity Practices

🔐 This collection from Google Cloud offers a behind-the-scenes look at how Google approaches modern cybersecurity challenges, from fundamentals to AI. Across practical essays and expert perspectives, it covers modernizing threat detection, building AI agents for defense, red teaming at scale, vulnerability management and supply chain controls like Binary Authorization. The pieces emphasize operational rigor, the application of SRE to security, and a commitment to Secure by Design principles to help defenders adopt scalable, enterprise-ready practices.
read more →

Researchers Warn of Rising AI-Generated Code Vulnerabilities

⚠️ Georgia Tech researchers warn that AI-assisted 'vibe coding' is producing measurable security flaws in real projects. The Vibe Security Radar traced at least 35 new CVEs in March 2026 and reports 74 confirmed AI-related vulnerabilities to date, while estimating the true count in open source may be five to ten times higher. The team monitors roughly 50 tools and uses metadata and AI agents to map vulnerable commits back to assistants such as Claude Code, noting some tools leave no trace.
read more →

Anthropic Launches Claude Code Security for Codebases

🛡️ Anthropic has introduced Claude Code Security, an AI feature now in a limited research preview for Enterprise and Team customers that scans software codebases for vulnerabilities and proposes targeted patches for human review. The company says the tool reasons about component interactions and traces data flows, going beyond pattern-based static analysis. Findings pass a multi-stage verification process to reduce false positives and receive severity and confidence ratings. Anthropic stresses a human-in-the-loop model: suggested fixes require developer approval.
read more →

Top Dynamic and Static Application Security Testing Tools

🔒 Application security now demands both static code analysis and runtime testing to secure the software supply chain. This article reviews leading SAST and DAST tools that help developers find vulnerabilities early and in running applications, covering deployment models, CI/CD and IDE integrations, and features like secret scanning, IAST, managed services, and compliance checks. Vendors highlighted include Checkmarx, Fortify, Acunetix, Veracode, and others.
read more →

AI-Generated Honeypot Reveals Risks of Overtrusting

🧰 Intruder used AI to draft a honeypot for its Rapid Response service and deployed it as intentionally vulnerable infrastructure. Weeks later logs revealed attacker payloads where IP addresses should be, exposing that the AI trusted client-supplied IP headers. Static tools like Semgrep and Gosec did not flag the issue; the flaw required contextual human judgement. The incident underscores risks of over-relying on AI-generated code and the need to adapt code review and CI/CD practices.
read more →