CISO Brief

All news with #secure by design tag

15 articles

Google Adds Rust DNS Parser to Pixel Modem Firmware

🛡️ Google has integrated a Rust-based DNS parser into the modem firmware for Pixel 10, the first Pixel modem component written in a memory-safe language. The change aims to eliminate a broad class of memory-safety bugs in DNS handling: the parser builds on the hickory-proto crate adapted for embedded use, with a custom cargo-gnaw tool managing dependencies for the firmware build. The Rust implementation exposes a C API to the rest of the modem firmware and calls back into existing C functions to update in-memory structures.
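
The pattern the article describes, untrusted DNS bytes parsed in safe Rust behind a C-callable boundary, as an added example that is not Google's code and does not use hickory-proto (standard library only). Names such as `dns_parse_question`, `DnsQuestionC` and the error-code scheme are hypothetical. The parser rejects the inputs that historically break C DNS parsers: truncated packets, labels over 63 bytes, names over 253 bytes, and compression pointers that do not point strictly backwards (which is what makes pointer loops impossible). The same shape applies to the Quick Share interoperability item further down this page, where Rust handles the byte-level parsing of wireless data.

```rust
// Added example, not Google's code: a bounds-checked DNS question parser in safe
// Rust behind a C-ABI entry point, the shape a memory-safe component takes when it
// sits behind a C firmware interface. Standard library only; hickory-proto is not used.

#[derive(Debug, PartialEq)]
pub struct Question { pub id: u16, pub rcode: u8, pub name: String, pub qtype: u16, pub qclass: u16 }

/// Truncated: packet ends early; LabelTooLong: label > 63 bytes; NameTooLong: name > 253;
/// BadPointer: compression pointer not strictly backward; NoQuestion: QDCOUNT == 0.
#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, LabelTooLong, NameTooLong, BadPointer, NoQuestion }

/// Big-endian u16 at `off`, or Truncated if the packet ends first.
fn be16(b: &[u8], off: usize) -> Result<u16, ParseError> {
    let s = b.get(off..off + 2).ok_or(ParseError::Truncated)?;
    Ok(u16::from_be_bytes([s[0], s[1]]))
}

/// Reads a (possibly compressed) name at `off`; returns the dotted name and the
/// offset just past it in the original stream. Every access goes through `get`,
/// so malformed input yields Err instead of an out-of-bounds read.
pub fn read_name(b: &[u8], mut off: usize) -> Result<(String, usize), ParseError> {
    let (mut name, mut end) = (String::new(), None);
    loop {
        let len = *b.get(off).ok_or(ParseError::Truncated)? as usize;
        if len == 0 { off += 1; break; }
        if len & 0xC0 == 0xC0 {
            let target = (be16(b, off)? & 0x3FFF) as usize;
            if end.is_none() { end = Some(off + 2); }
            // Requiring strictly backward pointers makes pointer loops impossible.
            if target >= off { return Err(ParseError::BadPointer); }
            off = target;
            continue;
        }
        if len > 63 { return Err(ParseError::LabelTooLong); }
        let label = b.get(off + 1..off + 1 + len).ok_or(ParseError::Truncated)?;
        if !name.is_empty() { name.push('.'); }
        name.push_str(&String::from_utf8_lossy(label));
        if name.len() > 253 { return Err(ParseError::NameTooLong); }
        off += 1 + len;
    }
    Ok((name, end.unwrap_or(off)))
}

/// Parses the 12-byte header and the first question of `b`.
pub fn parse_question(b: &[u8]) -> Result<Question, ParseError> {
    if b.len() < 12 { return Err(ParseError::Truncated); }
    if be16(b, 4)? == 0 { return Err(ParseError::NoQuestion); }
    let (name, off) = read_name(b, 12)?;
    Ok(Question {
        id: be16(b, 0)?,
        rcode: (be16(b, 2)? & 0xF) as u8,
        name,
        qtype: be16(b, off)?,
        qclass: be16(b, off + 2)?,
    })
}

/// C-visible result; `name` is NUL-terminated (253 bytes max plus NUL fits in 256).
#[repr(C)]
pub struct DnsQuestionC { pub id: u16, pub qtype: u16, pub qclass: u16, pub name: [u8; 256] }

/// C entry point (hypothetical name; add `#[no_mangle]` when exporting from a library).
/// Returns 0 on success, -1 for null arguments, -2-N for ParseError discriminant N.
/// Caller contract: `buf` points to `len` readable bytes and `out` is writable.
pub unsafe extern "C" fn dns_parse_question(buf: *const u8, len: usize, out: *mut DnsQuestionC) -> i32 {
    if buf.is_null() || out.is_null() { return -1; }
    match parse_question(unsafe { std::slice::from_raw_parts(buf, len) }) {
        Ok(q) => {
            let o = unsafe { &mut *out };
            *o = DnsQuestionC { id: q.id, qtype: q.qtype, qclass: q.qclass, name: [0; 256] };
            o.name[..q.name.len()].copy_from_slice(q.name.as_bytes()); // trailing NUL stays
            0
        }
        Err(e) => -2 - e as i32,
    }
}

/// Builds a query packet: constructed sample input, not captured traffic.
pub fn build_query(id: u16, name: &str, qtype: u16) -> Vec<u8> {
    let mut p = id.to_be_bytes().to_vec();
    p.extend_from_slice(&[1, 0, 0, 1, 0, 0, 0, 0, 0, 0]); // flags RD=1, QDCOUNT=1, rest 0
    for label in name.split('.') {
        p.push(label.len() as u8);
        p.extend_from_slice(label.as_bytes());
    }
    p.push(0);
    p.extend_from_slice(&qtype.to_be_bytes());
    p.extend_from_slice(&[0, 1]); // class IN
    p
}

fn main() {
    let pkt = build_query(0x1234, "example.com", 1);
    let mut out = DnsQuestionC { id: 0, qtype: 0, qclass: 0, name: [0; 256] };
    let rc = unsafe { dns_parse_question(pkt.as_ptr(), pkt.len(), &mut out) };
    println!("rc={} id={:#x} qtype={} parsed={:?}", rc, out.id, out.qtype, parse_question(&pkt));
}
```

The only `unsafe` in the file is the two dereferences at the C boundary, where the caller's pointer-and-length contract has to be trusted; everything past `from_raw_parts` is safe code that fails closed with an `Err`. Rejecting forward compression pointers is stricter than RFC 1035 strictly requires but is the simplest rule that both bounds the work per packet and rules out the self-referencing pointer that loops a naive parser.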

Falcon for IT: Managed Windows Secure Boot Certificate

🔒 CrowdStrike explains how Falcon for IT helps enterprises manage the transition from the Windows UEFI CA 2011 certificate to Windows UEFI CA 2023 ahead of Microsoft’s 2026 enforcement. The content pack provides fleet-wide Secure Boot posture assessment, controlled enrollment into Microsoft’s managed rollout, emergency blocking for incompatible hardware, and centralized audit logging. It emphasizes validating virtualization stacks, coordinating endpoint and server teams, and completing staged rollouts before enforcement to avoid inconsistent firmware trust states and compressed remediation windows.

Google adds 24-hour wait for unverified Android apps

🔐 Google announced a new advanced flow for Android sideloading that imposes a mandatory 24-hour wait plus biometric or PIN confirmation before an install from an unverified developer can proceed. The measure complements the developer verification mandate and is intended to make social-engineering and rapid-coercion attacks harder, since the delay breaks the "install it right now" pressure those attacks depend on. Google will also offer free limited-distribution accounts for hobbyists and students and says the flow does not apply to ADB installs, so developers keep a path that bypasses the wait; the changes roll out in August 2026 ahead of the verification rules.

Secure-by-Design Framework for CISO-Led Innovation

🔒 CISOs should treat innovation as a control: enable safe experimentation while reducing exposure across AI, IoT and cloud. The article urges leaders to remove toil, standardize repeatable patterns, and provide golden paths so secure options are also the fastest. It recommends guardrails, mandatory exit criteria for pilots, and measurable outcomes to prevent innovation debt. The goal is to accelerate business velocity while demonstrably reducing risk.

Android 17 Beta Adds Secure-by-Default Architecture

🔐 Android 17 public beta introduces what Google calls a secure-by-default architecture that tightens app protections and refines developer workflows. The release deprecates the android:usesCleartextTraffic manifest attribute and blocks cleartext HTTP by default for apps targeting API level 37 unless they ship a network security configuration, so any remaining plaintext endpoints have to be declared explicitly in that configuration. It also adds a public SPI for HPKE (hybrid public key encryption), enables certificate transparency enforcement by default and introduces install-time permissions for localhost interactions. Large-screen behavior changes, a lock-free MessageQueue and generational garbage collection in ART target performance, while Google replaces the traditional Developer Preview with a continuous Canary channel for earlier feature access and streamlined testing.

Strategies for Strengthening Cybersecurity in Government

🛡️ Microsoft Deputy CISO for Government and Trust Tim Langan outlines a proactive approach to protecting government data, emphasizing collaboration across teams and partners. The post advocates "defend forward" threat hunting, a Cybersecurity Governance Council for cross-functional decision-making, and embedding security through initiatives like the Secure Future Initiative. Key focus areas include secure-by-design development, paved paths for compliance, and accelerating secure solutions for federal and defense scenarios.

Practical Guidance for Building Securely with SAIF on Cloud

🔐 Tom Curry and Anton Chuvakin from Google Cloud’s Office of the CISO present practical guidance for implementing the Secure AI Framework (SAIF) on Google Cloud. The piece emphasizes three operational principles: treat data as the perimeter, treat prompts like code, and require identity propagation for agentic AI. It maps 15 common AI risks to controls and highlights concrete tools and patterns—IAM, Dataplex, Vertex AI, Model Armor, Gemini, Apigee, and the Agent Development Kit—to operationalize SAIF.

CISA Retires Ten Emergency Directives, Strengthening Security

🛡️ CISA announced the retirement of ten Emergency Directives issued between 2019 and 2024 after required mitigations were implemented or their coverage was incorporated into BOD 22‑01 and CISA’s Known Exploited Vulnerabilities catalog. The closures include directives tied to specific CVEs and high‑profile incidents such as SolarWinds and Exchange. CISA said the action reflects strengthened federal remediation, operational collaboration, and continued emphasis on Secure by Design principles.

AI and Security in Financial Services: Secure Design

🔒 The post argues that financial institutions must treat cybersecurity as the foundation for safe AI adoption, centering on three imperatives: understand the AI–cybersecurity nexus, harness AI to accelerate detection and response, and adopt Secure AI by Design. It highlights AI-driven SOCs that distill billions of events into actionable incidents and cites customer outcomes such as dramatic reductions in MTTR and large-scale threat prevention. The author also describes new AI-specific risks to data, models and agents, and calls for enterprise governance, risk-tiered inventories, strict access controls and coordinated policy to enable innovation while managing systemic risk.

2025 CWE Top 25: CISA and MITRE Identify Weaknesses

🔍 The Cybersecurity and Infrastructure Security Agency (CISA), with MITRE/HSSEDI, released the 2025 CWE Top 25, ranking the most common and dangerous software weaknesses behind data theft, system compromise, and service disruption. The list is designed to help developers, security teams, and procurement managers prioritize fixes and adopt Secure by Design practices. CISA urges organizations to integrate the Top 25 into vulnerability management and procurement decisions to reduce risk and downstream costs.

Android Quick Share Interoperability with AirDrop Security

🔒 Google announced cross-platform file sharing between Android and iOS by making Quick Share interoperable with AirDrop, beginning with the Pixel 10 family. The company emphasizes a "secure by design" approach that included threat modeling, internal security and privacy reviews, and in-house penetration testing. The interoperability layer is implemented in Rust to reduce memory-safety risks when parsing wireless data, and transfers are direct peer-to-peer without routing content through servers. Google also engaged third-party testers and experts who validated the implementation and found no information leakage.

Digital Health Needs Security at Its Core to Scale AI

🔒 The article argues that AI-driven digital health initiatives proved essential during COVID-19 but simultaneously exposed critical cybersecurity gaps that threaten pandemic preparedness. It warns that expansive data ecosystems, IoT devices and cloud pipelines multiply attack surfaces and that subtle AI-specific threats — including data poisoning, model inversion and adversarial inputs — can undermine public-health decisions. The author urges security by design, including zero-trust architectures, data provenance, encryption, model governance and cross-disciplinary drills so AI can deliver trustworthy, resilient public health systems.

Secure AI at Scale and Speed: Free Webinar Framework

🔐 The Hacker News is promoting a free webinar that presents a practical framework to secure AI at scale while preserving speed of adoption. Organizers warn of a growing “quiet crisis”: rapid proliferation of unmanaged AI agents and identities that lack lifecycle controls. The session focuses on embedding security by design, governing AI agents that behave like users, and stopping credential sprawl and privilege abuse from Day One. It is aimed at engineers, architects, and CISOs seeking to move from reactive firefighting to proactive enablement.

CISA Launches Web Tool for Secure Software Procurement

🛡️ CISA released the Software Acquisition Guide: Supplier Response Web Tool, a free, interactive resource to help IT and procurement professionals assess software assurance and supplier risk across the acquisition lifecycle. The Web Tool converts existing guidance into an adaptive, question-driven interface with exportable summaries for CISOs and CIOs. It emphasizes secure-by-design and secure-by-default practices to strengthen due diligence and procurement outcomes.

Microsoft launches Secure Future Initiative patterns

🔐 Microsoft announced the launch of the Secure Future Initiative (SFI) patterns and practices, a new library of actionable implementation guidance distilled from the company’s internal security improvements. The initial release includes eight patterns addressing urgent risks such as phishing-resistant MFA, preventing identity lateral movement, removing legacy systems, standardizing secure CI/CD, creating production inventories, rapid anomaly detection and response, log retention standards, and accelerating vulnerability mitigation. Each pattern follows a consistent taxonomy—problem, solution, practical steps, and operational trade-offs—so organizations can adopt modular controls aligned to secure by design, by default, and in operations principles.