< ciso
brief />
Tag Banner

All news with #secure sdlc tag

18 articles

Microsoft warns of rising Windows security updates

🛡️ Microsoft says it is deploying AI-driven analysis to uncover more zero-day vulnerabilities across the Windows codebase, warning customers to expect an increased number of security updates. The company described a multi-model agentic scanning harness (MDASH) and a separate prove pipeline to validate findings, aiming to reduce false positives and shorten review windows. Microsoft also plans to update its Secure Development Lifecycle to address AI-enabled attack techniques while retaining human oversight to ensure update quality.
read more →

Google Cloud adopts agentic AI for secure SDLC

🔒 Google Cloud describes how it embeds modular AI agents across the software development lifecycle to create autonomous security guardrails. The approach includes centralized code analysis via the Mantis framework, multi-agent fuzz testing with self-reflection, and an autonomous patching pipeline that validates fixes before human review. Continuous reflection and a programmable posture management system help convert lessons into reusable skills that improve remediation speed and reduce false positives.
read more →

Migrating a CLI from Node to Go in a day

🛠️ This post walks through converting a Node.js TypeScript CLI into a compact Go single-binary tool using Antigravity to automate translation, test generation, and platform mappings. The author set goals for zero dependencies, fast startup, and a zero-trust security posture, then used an agent-driven workflow to audit alternatives, scaffold code, and apply Test-Driven Development. The migration emphasized safety, explicit error handling, thorough testing, and modular subagents to parallelize large feature sets.
read more →

GitHub to disable npm install scripts by default

🔒 GitHub announced breaking changes shipping in npm v12 that disable install-time lifecycle scripts by default to reduce software supply chain risk. The update stops preinstall, install, and postinstall scripts, blocks resolving Git and remote URL dependencies unless explicitly allowed, and changes default allow settings such as --allow-git to "none". Developers are advised to upgrade to npm 11.16.0+, review warnings, and use npm approve-scripts to opt in for trusted packages.
read more →

Enterprises Ship Vulnerable AI-Generated Code Despite Risks

🛡️ New research from Checkmarx finds enterprises are increasingly shipping AI-generated code despite widespread vulnerabilities. The survey of 2,350 security leaders shows nearly half of production code is AI-built and organizations that rely heavily on AI introduce far more insecure code. Many firms lack formal AI governance and continue to accept or defer fixing known issues, while tool sprawl and developer pressure compound the problem.
read more →

Embed security within agentic AI coding tools

🔒 Ox Security urges that appsec be integrated directly into AI coding tools as agentic development accelerates code changes beyond traditional pipelines. Speaking at Infosecurity Europe, field CTO Boaz Barzel argued that security must become a continuous, contextual property of creation rather than a bolt-on stage. He outlined four agentic attack surfaces—input, tools, execution and output—and advocated autonomous security agents that pentest and validate every commit to reduce MTTR and achieve full coverage.
read more →

Well‑Architected Software Supply Chain Best Practices

🔒 This AWS Security blog post outlines best practices for defending against software supply chain attacks, motivated by recent npm incidents like Shai‑Hulud and axios. It emphasizes reducing long‑lived credentials by using temporary credentials (AWS CLI login, IAM Identity Center, OIDC) and centralizing secrets with AWS Secrets Manager or Systems Manager Parameter Store. The article advocates layered defenses including MFA, multi‑approver workflows, artifact signing with AWS Signer, central package repositories using CodeArtifact, image scanning with Amazon Inspector, and provenance attestations for npm packages.
read more →

Microsoft Adds Anthropic Mythos to SDLC, Boosts Security

🔒 Microsoft will integrate Anthropic’s Mythos Preview into its Security Development Lifecycle, using the model alongside other advanced AI to surface vulnerabilities earlier in the software development process. The company says the move aims to strengthen and harden core products including Windows, Azure, and Microsoft 365 by improving automated detection and secure coding. Analysts note the shift signals frontier models moving from experimental tools into standard engineering workflows while raising dual-use concerns.
read more →

AWS Transform Custom Introduces Seven Managed Transformations

🛠️ AWS announced seven new AWS-managed transformations for Transform custom, designed to accelerate code modernization across multiple languages and frameworks. General availability includes a comprehensive codebase analysis that produces hierarchical, cross-referenced documentation and a Node.js version upgrade with full dependency modernization. Early access transformations target Java performance tuning, Log4j to SLF4J migration, Angular to React conversion, and Angular and Vue version upgrades. All AWS-managed transformations are validated, customizable, and benefit from continual learning; the service is available in US East (N. Virginia) and Europe (Frankfurt).
read more →

NCSC Urges Safeguards for AI 'Vibe Coding' Adoption

🔐 The UK NCSC's chief executive Richard Horne told the RSA Conference (March 24) to 'seize the disruptive vibe coding opportunity' while urgently developing safeguards. He warned AI-assisted development can either reduce systemic vulnerability or propagate new flaws depending on model design and controls. NCSC CTO David C published Secure Vibe Coding Commandments advocating secure-by-default models, provable provenance, AI-powered audits, deterministic guardrails and sandboxed hosting.
read more →

Betterleaks: Advanced Open-Source Successor to Gitleaks

🔐Betterleaks is a new open-source secrets scanner developed by Zach Rice and supported by Aikido Security as the successor to Gitleaks. It inspects directories, files, and Git repositories using rule-defined validation with CEL and a token-efficiency approach based on BPE tokenization. Implemented in pure Go to avoid CGO/Hyperscan dependencies, Betterleaks adds automatic decoding of doubly/triply encoded secrets, expanded provider rules, and parallelized Git scanning for faster analysis. The project is MIT-licensed and maintained by a small, cross-industry team.
read more →

Fortinet Achieves IEC 62443-4-1 ML2 Certification for SPDL

🛡️Fortinet has achieved IEC 62443-4-1 Maturity Level 2 (ML2) certification for its Secure Product Development Lifecycle (SPDL). This independent certification verifies that Fortinet’s secure development processes are formalized, documented, repeatable, and consistently applied across design, development, verification, validation, release, and maintenance of its security products. SPDL embeds threat modeling, secure-by-design engineering, automated and manual testing, supply chain integrity controls, and a transparent FortiGuard Labs PSIRT vulnerability disclosure process to improve product integrity for IT, OT, and critical infrastructure customers.
read more →

New Paradigm for Training Secure Software Engineers

🔒 As AI-assisted coding reshapes software delivery, security training must move from line-by-line vulnerability spotting to cultivating system-level judgment. Automated tools will increasingly catch common issues, but developers must learn threat modeling, identify unsafe assumptions in AI-generated code, and understand which automated gates require human review. Effective programs are bite-sized, hands-on, and embedded in toolchains, using contextual guardrails and micro-learning to teach in the flow of work.
read more →

Securing Vibe Coding: Governance for AI Development

🛡️ Vibe coding accelerates development but often omits essential security controls, introducing vulnerabilities, data exfiltration, and destructive actions. Unit 42 documents incidents where AI-generated code bypassed authentication, executed arbitrary commands, deleted production databases, or exposed sensitive identifiers. To mitigate these risks, Unit 42 proposes the SHIELD framework—Separation, Human review, Input/output validation, Enforcer helper models, Least agency, and Defensive controls. Implementing these measures restores governance and enables safer AI-assisted development.
read more →

Airbus A320 Software Rollback After Flight Control Fault

✈️ Airbus announced a software rollback after an A320 experienced an unexpected nose‑down maneuver on October 30, 2025, an event that sent multiple passengers to hospital and grounded aircraft for inspection. Airbus said intense solar radiation may have corrupted data critical to flight controls, but operators were able to mitigate many cases by reverting ELAC software from L104 to L103. The episode spotlights SDLC failings — notably test engineering, CI/CD, observability and supply‑chain integration — rather than merely cosmic rays.
read more →

Secure SDLC Practices Are Critical for Manufacturers

🔒 Manufacturers must prioritize a secure software development life cycle (SSDLC) to protect production and supply chains from costly cyberattacks. High-profile incidents, including the Jaguar Land Rover shutdown, show how credential compromise and malicious components can cascade through suppliers and halt operations. The piece outlines SSDLC building blocks — security by design, secure coding, dependency management with SBOMs, hardened release pipelines, and vulnerability management — and recommends requiring verifiable evidence such as IEC 62443-4-1 certification and continuous maturity assessments from vendors.
read more →

Microsoft SFI Patterns and Practices: New Security Guides

🔐 Microsoft published a second installment of the Secure Future Initiative (SFI) patterns and practices, delivering six practical, practitioner-built guides that address network isolation, tenant hardening, Entra ID app security, Zero Trust for source code access, software supply chain protection, and centralized log collection. Each article outlines the problem, Microsoft’s internal solution, actionable customer guidance, and trade-offs to help teams apply scalable controls across complex, multi-cloud environments.
read more →

Passing the Security Vibe Check for AI-generated Code

🔒 The post warns that modern AI coding assistants enable 'vibe coding'—prompting natural-language requests and accepting generated code without thorough inspection. While tools like Copilot and ChatGPT accelerate development, they can introduce hidden risks such as insecure patterns, leaked credentials, and unvetted dependencies. The author urges embedding security into AI-assisted workflows through automated scanning, provenance checks, policy guardrails, and mandatory human review to prevent supply-chain and runtime compromises.
read more →