< ciso
brief />
Tag Banner

All news with #vulnerability management tag

213 articles · page 6 of 11

NIST Narrows CVE Enrichment Amid Growing Backlog Strain

🔍 NIST will restrict enrichment in its National Vulnerability Database to the most critical CVEs, prioritizing entries in CISA’s Known Exploited Vulnerabilities (KEV), software used by the federal government, and other critical products. All other CVEs will be ingested but marked as not scheduled, and the agency will stop recalculating severity scores when submitters provide their own. The move follows a surge in submissions and a backlog of more than 30,000 CVEs, and NIST says it will adopt automation and delegate tasks to CNAs to stabilize NVD operations.
read more →

Defending Enterprises as AI Finds Vulnerabilities Faster

🔒 Advances in AI are accelerating vulnerability discovery and compressing the window between disclosure and exploitation. Francis deSouza explains why organizations must rapidly harden code, lock down CI/CD and build systems, and automate remediation to avoid being overwhelmed by machine-speed attacks. The article advocates integrating defensive AI—agentic SecOps, continuous asset discovery, and Google Cloud Model Armor—while securing AI agents using frameworks like SAIF to prevent prompt injection and data leakage.
read more →

NIST Shifts NVD Enrichment Strategy Pre-March 2026

📢 NIST announced a major operational change to the National Vulnerability Database (NVD), moving to a risk-based enrichment model and ceasing enrichment for all CVEs reported before March 1, 2026. The NVD will prioritize vulnerabilities in software used by the US federal government, critical software under Executive Order 14028, and entries on the CISA Known Exploited Vulnerabilities (KEV) list. CVEs that don't meet those criteria will be labeled Not Scheduled, though all submissions will still be ingested and users may request enrichment by emailing nvd@nist.gov.
read more →

ENISA Seeks Top-Level Role in CVE Program Governance

🔐 ENISA is pursuing top-level root status in the CVE Program as it is being onboarded by the US Cybersecurity and Infrastructure Security Agency (CISA) to become a TL-Root CNA. Agency leaders told VulnCon26 attendees the move, targeted for 2026 or early 2027, would secure European representation on the CVE Program Board. ENISA plans to onboard EU national CERTs and CSIRTs as CNAs and is expanding its vulnerability team to support this role.
read more →

OX Security: Critical Risk Spike in AI-Driven Development

🔍 OX Security analyzed 216 million security findings from 250 organizations over a 90‑day period and found that while raw alert volume rose 52% year‑over‑year, prioritized critical risk increased nearly 400%. The ratio of critical findings to alerts nearly tripled, from 0.035% to 0.092%. The report links the surge to AI-assisted development and stresses that business context now often outweighs traditional technical severity.
read more →

The Collapse of the Patch Window: Rapid Exploitation

🔍 In this Talos Threat Perspective episode, Hazel Burton explores how vulnerabilities are being converted into working exploits far faster than before. Where remediation once took weeks or months, weaponization now occurs in days, hours, and sometimes immediately after disclosure, helped by proof-of-concept code, automation, and AI-assisted tooling such as demonstrated with React2Shell. Attackers are targeting what is exposed, accessible, and valuable, compressing the defender's patch window and forcing new approaches to risk prioritization.
read more →

Analysis: CISA KEV Data Reveals Limits of Human Security

🔍Analysis of more than one billion CISA KEV remediation records across 10,000 organizations over four years shows defensive operations have hit a human ceiling. Time-to-Exploit averages negative seven days while vulnerability volume rose 6.5× since 2022. Qualys identifies a Manual Tax and recommends shifting to autonomous, closed-loop Risk Operations Centers that measure Risk Mass rather than raw CVE counts.
read more →

Cybersecurity in the Age of Instant Software — AI Risks

🔐 AI is rapidly changing how software is produced, introducing a new class of instant software that is written, deployed, and discarded on demand. This shift alters vulnerability dynamics because AIs can both discover and craft exploits as well as generate patches, empowering attackers and defenders simultaneously. The balance of power will hinge on how quickly AIs learn to write secure code, reliably produce updates, and coordinate defensive sharing.
read more →

Talos Takes: 2025 Ransomware Trends and Vulnerabilities

🔒 Talos analysts Amy Ciminnisi and Pierre Cadieux review the ransomware and vulnerability patterns that shaped 2025. They emphasize persistent campaigns against the manufacturing sector, increased targeting of management infrastructure, and the rise of stealthy living-off-the-land techniques that evade traditional controls. The hosts explain how to spot the difference between a system administrator and a threat actor and outline steps organizations can take to move beyond reactive defenses toward a more resilient, proactive security posture.
read more →

Talos 2025 Review: Rapid Exploits and Legacy Risks

🔍 Talos' 2025 Year in Review highlights a marked shift in attacker behavior driven by both newly disclosed flaws and long-entrenched components. In the final weeks of 2025 React/React2Shell surged to the top of exploit activity, followed by legacy targets such as PHPUnit and Log4j. Agentic AI accelerated the creation and deployment of proofs-of-concept and exploit kits, dramatically reducing attacker time-to-exploit. Talos urges organizations to prioritize identity-adjacent systems and management planes for patching and mitigation.
read more →

Amazon Aurora PostgreSQL: Minor Releases 14–17 Update

🛡️ Amazon Aurora PostgreSQL-Compatible Edition now supports PostgreSQL 17.9, 16.13, 15.17, and 14.22, which include community bug fixes and Aurora-specific enhancements. We recommend upgrading to the latest minor versions to address known security vulnerabilities and improve stability. Use automatic minor version upgrades, scheduled maintenance windows, the AWS Organizations Upgrade Rollout Policy, and Aurora's zero-downtime patching to perform phased, low-impact upgrades at scale.
read more →

Managing Open-Source Vulnerabilities Across the Pipeline

🔒 Modern vulnerability management must go beyond scanning version numbers to encompass download policies, AI guardrails, and build-pipeline controls. Organizations should adopt a trusted internal artifact registry, rigorous component screening, and dependency pinning to reduce supply-chain and malicious-package risks. Complement these controls with enriched vulnerability intelligence, SCA, and developer training. Systematic handling of EOL or abandoned components — via migration, LTS, or compensatory controls — completes the approach.
read more →

Open-Source Vulnerabilities and Supply Chain Risks in AI

🛡️Open-source components are now central to modern development, but their vulnerability data, maintenance status, and supply-chain integrity are increasingly unreliable. Public vulnerability databases often lack CVSS scores, contain inconsistent metadata, and lag behind exploit availability, leaving teams to guess prioritization. Unmaintained, EOL packages persist across projects, and registries have seen sharp rises in malicious packages and automated worm-like campaigns. AI-assisted coding accelerates development but can amplify these risks by suggesting outdated or hallucinated dependencies and cannot fully remediate legacy or deep dependency flaws on its own.
read more →

State of Trusted Open Source: Q1 2026 Insights & Trends

🔍 The State of Trusted Open Source report analyzes Chainguard customer usage and security data from Dec 1, 2025 through Feb 28, 2026, covering 2,200+ container image projects, 33,931 fix instances, and 377 unique CVEs. It shows AI-driven development accelerating adoption of Python and PostgreSQL, broader standardization around language ecosystems, and the rise of chainguard-base as a minimal foundation. Vulnerability discovery and remediation scaled dramatically—unique CVEs rose 145% and fixes tripled—while median remediation time remained about 2.0 days. The report highlights persistent long-tail risk and a notable increase in FIPS-driven adoption.
read more →

Cybersecurity Challenges in an Era of Instant Software

🔐 AI is rapidly reshaping how software is written, deployed, and consumed, pointing toward a future of on-demand "instant software" that is created and discarded as needed. The essay examines how improved AI tools will change the attacker/defender dynamic by automating both vulnerability discovery and, potentially, patch creation. It highlights particularly exposed areas such as IoT and legacy industrial systems and outlines several key unknowns—AI effectiveness on closed-source code, patch reliability, update lag, coordination of defenses, and risks of poisoning or social-engineering attacks. The author sketches optimistic scenarios (self-healing networks, rapid coordinated patching) while warning that attackers will adapt by targeting unpatchable legacy code and human elements.
read more →

AWS Security Agent: On-Demand Penetration Testing GA

🔒 AWS announced general availability of AWS Security Agent for on-demand penetration testing in six AWS Regions. The service runs autonomous, persistent AI agents that discover, validate, and report vulnerabilities using sophisticated multi-step attack scenarios tailored to each application, producing CVSS scores, reproduction steps, and remediation guidance. Previewed at re:Invent 2025, it aims to convert periodic manual testing into a continuous, scalable capability and supports multicloud and on-premises environments. New customers can try a 2-month free trial and review pricing and documentation to get started.
read more →

AI Is Breaking Security Models — Where They Fail First

🤖 AI-assisted triage is changing vulnerability workflows and forcing organizations to redesign ownership and decision-making. By enriching findings with exploitability indicators, ownership metadata and business-impact signals, AI platforms accelerate detection and reduce manual triage. Security teams must shift from routine investigation to governing models, defining owners, and maintaining human checkpoints for high‑risk actions. Treat AI-driven features as first-class risk surfaces and assign clear owners for model behavior, prompt safety and misuse prevention.
read more →

Endpoint Security Fails on One in Five Enterprise Devices

🛡️Research by Absolute Security finds endpoint cybersecurity software fails to protect one in five enterprise devices, creating an equivalent of 76 days per year of increased exposure to attackers. The 2026 Resilience Risk Index, published March 23, ties this gap to patch delays and rising endpoint complexity, with 24% of vulnerability platforms out of compliance. The report urges stronger enforcement of patch and update policies to reduce downtime and remediation costs.
read more →

Google halts AI-generated bug reports for OSS program

🛑 Google will no longer accept AI-generated bug reports for the Open Source Software Vulnerability Reward Program it funds, citing a rising number of low-quality submissions that often contain hallucinated exploit paths or issues with minimal security impact. To reduce triage overhead, some reward tiers will now require higher-quality proof such as an OSS-Fuzz reproduction or a merged patch. Google says this will help teams focus on high-impact, verifiable vulnerabilities. Separately, the company is contributing to programs that use AI constructively to strengthen open-source security.
read more →

Amazon Inspector Adds Agentless Windows EC2 Scanning

🛡️ Amazon Inspector adds agentless Windows EC2 vulnerability scanning, extending detection to Windows OS issues as well as common applications and packages like WordPress, Apache HTTP Server, Python packages, and Ruby gems. Customers receive findings automatically with no configuration changes. Inspector also replaces per‑CVE Windows findings with consolidated Windows Knowledge Base (KB) findings that group CVEs by patch and surface the highest CVSS, EPSS, and exploit availability. These capabilities are available in all AWS Regions.
read more →