< ciso
brief />
Tag Banner

All news with #appsec tag

32 articles · page 2 of 2

Ten Key Traits to Empower Your Security Engineering Team

🔐 Security engineering teams are builders who design services, automate processes, and optimize deployments to support central security organizations and their stakeholders. They must pair deep technical fluency — understanding the full IT environment, containers, CI/CD, and operational telemetry — with product ownership to build and operate what they create. Emphasizing developer experience (DevX) reduces friction and increases adoption of security controls. Equally important are collaboration, influence, and soft skills such as prioritization, adaptability, and continuous learning to sustain a resilient practice.
read more →

AWS Security Agent Adds GitHub Enterprise Cloud Support

🔒 AWS now supports connecting AWS Security Agent to GitHub Enterprise Cloud, allowing organizations to apply AI-powered security analysis to private repositories. Customers install the AWS Security Agent GitHub app with required permissions to enable automated code reviews on pull requests, use the agent during penetration testing, and optionally have the agent submit PRs with recommended fixes. This capability is available in US East (N. Virginia).
read more →

Vibe coding tools produce critical security vulnerabilities

🛡️ Tenzai's December 2025 assessment found that five popular vibe coding tools — Claude Code, OpenAI Codex, Cursor, Replit, and Devin — frequently generate insecure code when given common programming prompts. Across 15 generated applications the researchers identified 69 vulnerabilities, many low‑to‑medium but several rated high and six rated critical. The most serious flaws involved API authorization and business‑logic failures; by contrast, the tools avoided classic issues such as SQLi and XSS. Tenzai concluded human oversight, targeted testing, and embedding security into AI development workflows remain essential.
read more →

Embedding Privacy in Development to Prevent Data Leaks

🔒 HoundDog.ai provides a privacy-first static code scanner that embeds detection and governance into development to prevent data leaks before code reaches production. The Rust-based engine performs deep interprocedural analysis across files and functions and can scan millions of lines in under a minute. It traces more than 100 sensitive data types into risky sinks such as logs, LLM prompts, files, local storage, and third-party SDKs, and integrates with IDEs and CI to enforce allowlists and auto-generate RoPA, PIA and DPIA evidence.
read more →

How Staff+ Security Engineers Can Force-Multiply Impact

🔧 Staff+ security engineers should move from being individual problem-solvers to force multipliers by enabling others, automating enforcement, and shaping security strategy. The article recommends practical mechanisms—policy-as-code, paved paths, mentorship trees—and disciplined delegation to scale impact. It urges embedding security via shift-left practices, reusable reference architectures, and cautious AI-assisted tooling. During incidents, act as an orchestrator, set inflection points, and bridge teams with leadership to preserve strategic influence.
read more →

OpenAI Aardvark: GPT-5 Agent to Find and Fix Code Bugs

🛡️ OpenAI has introduced Aardvark, a GPT-5-powered autonomous agent designed to scan, reason about, and patch code with the judgment of a human security researcher. Announced in private beta, Aardvark maps repositories, builds contextual threat models, continuously monitors commits, and validates exploitability in sandboxed environments before reporting findings. When vulnerabilities are confirmed, it proposes fixes via Codex and re-analyzes patches to avoid regressions. OpenAI reports a 92% detection rate in benchmark tests and has already identified real-world flaws in open-source projects, including ten issues assigned CVE identifiers.
read more →

Gemini Code Assist brings AI code reviews to GitHub

🔐 Gemini Code Assist on GitHub for enterprises delivers AI-powered code reviews across GitHub Enterprise Cloud and privately hosted GitHub Enterprise Server. Organization-level controls let platform teams define a central style guide, set comment severity, and enforce baseline checks while preserving repo-level customization. Built on Google Cloud security and privacy commitments, the public preview includes higher pull-request quotas and stateless prompt handling to protect customer code.
read more →

Security Risks of Vibe Coding and LLM Developer Assistants

🛡️AI developer assistants accelerate coding but introduce significant security risks across generated code, configurations, and development tools. Studies show models now compile code far more often yet still produce many OWASP- and MITRE-class vulnerabilities, and real incidents (for example Tea, Enrichlead, and the Nx compromise) highlight practical consequences. Effective defenses include automated SAST, security-aware system prompts, human code review, strict agent access controls, and developer training.
read more →

AI Coding Assistants Elevate Deep Security Risks Now

⚠️ Research and expert interviews indicate that AI coding assistants cut trivial syntax errors but increase more costly architectural and privilege-related flaws. Apiiro found AI-generated code produced fewer shallow bugs yet more misconfigurations, exposed secrets, and larger multi-file pull requests that overwhelm reviewers. Experts urge preserving human judgment, adding integrated security tooling, strict review policies, and traceability for AI outputs to avoid automating risk at scale.
read more →

Cursor autorun flaw lets repos auto-execute code silently

⚠ Cursor's autorun feature can allow repositories to execute code automatically when a folder is opened in Visual Studio Code with Cursor installed. Oasis Security researchers demonstrated that attackers can embed hidden instructions that trigger commands tied to workspace events without a developer's consent. With Workspace Trust disabled by default in Cursor, opening a project can enable token theft, file tampering or persistent malware. Developers should treat unknown repositories cautiously and enable available trust controls.
read more →

Cursor autorun flaw lets repos execute arbitrary code

🔓 Oasis Security disclosed a flaw in Cursor that allows malicious repositories to execute code when a developer opens a folder. The vulnerability stems from Workspace Trust being disabled by default, permitting crafted .vscode/tasks.json entries set to run on folder open to autorun without prompting. Successful exploitation can expose API keys, cloud credentials and local secrets, risking organization-wide compromise.
read more →

Passing the Security Vibe Check for AI-generated Code

🔒 The post warns that modern AI coding assistants enable 'vibe coding'—prompting natural-language requests and accepting generated code without thorough inspection. While tools like Copilot and ChatGPT accelerate development, they can introduce hidden risks such as insecure patterns, leaked credentials, and unvetted dependencies. The author urges embedding security into AI-assisted workflows through automated scanning, provenance checks, policy guardrails, and mandatory human review to prevent supply-chain and runtime compromises.
read more →