CISO Brief

All news with #secure sdlc tag

10 articles

AWS Transform Custom Introduces Seven Managed Transformations

🛠️ AWS announced seven new AWS-managed transformations for Transform custom, designed to accelerate code modernization across multiple languages and frameworks. General availability includes a comprehensive codebase analysis that produces hierarchical, cross-referenced documentation and a Node.js version upgrade with full dependency modernization. Early access transformations target Java performance tuning, Log4j to SLF4J migration, Angular to React conversion, and Angular and Vue version upgrades. All AWS-managed transformations are validated, customizable, and benefit from continual learning; the service is available in US East (N. Virginia) and Europe (Frankfurt).

NCSC Urges Safeguards for AI 'Vibe Coding' Adoption

🔐 The UK NCSC's chief executive Richard Horne told the RSA Conference (March 24) to 'seize the disruptive vibe coding opportunity' while urgently developing safeguards. He warned AI-assisted development can either reduce systemic vulnerability or propagate new flaws depending on model design and controls. NCSC CTO David C published Secure Vibe Coding Commandments advocating secure-by-default models, provable provenance, AI-powered audits, deterministic guardrails and sandboxed hosting.

Betterleaks: Advanced Open-Source Successor to Gitleaks

🔐 Betterleaks is a new open-source secrets scanner developed by Zach Rice and supported by Aikido Security as the successor to Gitleaks. It inspects directories, files, and Git repositories using rule-defined validation with CEL and a token-efficiency approach based on BPE tokenization. Implemented in pure Go to avoid CGO/Hyperscan dependencies, Betterleaks adds automatic decoding of doubly/triply encoded secrets, expanded provider rules, and parallelized Git scanning for faster analysis. The project is MIT-licensed and maintained by a small, cross-industry team.

Fortinet Achieves IEC 62443-4-1 ML2 Certification for SPDL

🛡️ Fortinet has achieved IEC 62443-4-1 Maturity Level 2 (ML2) certification for its Secure Product Development Lifecycle (SPDL). This independent certification verifies that Fortinet’s secure development processes are formalized, documented, repeatable, and consistently applied across design, development, verification, validation, release, and maintenance of its security products. SPDL embeds threat modeling, secure-by-design engineering, automated and manual testing, supply chain integrity controls, and a transparent FortiGuard Labs PSIRT vulnerability disclosure process to improve product integrity for IT, OT, and critical infrastructure customers.

New Paradigm for Training Secure Software Engineers

🔒 As AI-assisted coding reshapes software delivery, security training must move from line-by-line vulnerability spotting to cultivating system-level judgment. Automated tools will increasingly catch common issues, but developers must learn threat modeling, identify unsafe assumptions in AI-generated code, and understand which automated gates require human review. Effective programs are bite-sized, hands-on, and embedded in toolchains, using contextual guardrails and micro-learning to teach in the flow of work.

Securing Vibe Coding: Governance for AI Development

🛡️ Vibe coding accelerates development but often omits essential security controls, introducing vulnerabilities and opening the door to data exfiltration and destructive actions. Unit 42 documents incidents where AI-generated code bypassed authentication, executed arbitrary commands, deleted production databases, or exposed sensitive identifiers. To mitigate these risks, Unit 42 proposes the SHIELD framework: Separation, Human review, Input/output validation, Enforcer helper models, Least agency, and Defensive controls. Implementing these measures restores governance and enables safer AI-assisted development.

Airbus A320 Software Rollback After Flight Control Fault

✈️ Airbus announced a software rollback after an A320 experienced an unexpected nose‑down maneuver on October 30, 2025, an event that sent multiple passengers to hospital and grounded aircraft for inspection. Airbus said intense solar radiation may have corrupted data critical to flight controls, but operators were able to mitigate many cases by reverting ELAC software from L104 to L103. The episode spotlights SDLC failings — notably test engineering, CI/CD, observability and supply‑chain integration — rather than merely cosmic rays.

Secure SDLC Practices Are Critical for Manufacturers

🔒 Manufacturers must prioritize a secure software development life cycle (SSDLC) to protect production and supply chains from costly cyberattacks. High-profile incidents, including the Jaguar Land Rover shutdown, show how credential compromise and malicious components can cascade through suppliers and halt operations. The piece outlines SSDLC building blocks — security by design, secure coding, dependency management with SBOMs, hardened release pipelines, and vulnerability management — and recommends requiring verifiable evidence such as IEC 62443-4-1 certification and continuous maturity assessments from vendors.

Microsoft SFI Patterns and Practices: New Security Guides

🔐 Microsoft published a second installment of the Secure Future Initiative (SFI) patterns and practices, delivering six practical, practitioner-built guides that address network isolation, tenant hardening, Entra ID app security, Zero Trust for source code access, software supply chain protection, and centralized log collection. Each article outlines the problem, Microsoft’s internal solution, actionable customer guidance, and trade-offs to help teams apply scalable controls across complex, multi-cloud environments.

Passing the Security Vibe Check for AI-generated Code

🔒 The post warns that modern AI coding assistants enable 'vibe coding': issuing natural-language prompts and accepting the generated code without thorough inspection. While tools like Copilot and ChatGPT accelerate development, they can introduce hidden risks such as insecure patterns, leaked credentials, and unvetted dependencies. The author urges embedding security into AI-assisted workflows through automated scanning, provenance checks, policy guardrails, and mandatory human review to prevent supply-chain and runtime compromises.