All news with #wiz tag

Google Announces Unified Security Recommended Program

🔒 Google Cloud is launching the Google Unified Security Recommended program to validate deep integrations between its security portfolio and third-party vendors. Inaugural partners CrowdStrike, Fortinet, and Wiz bring endpoint, network, and multicloud CNAPP capabilities into Google Security Operations. Partners commit to cross-product technical integration, a collaborative support model, and investment in AI initiatives such as the model context protocol (MCP). Qualified solutions will be available via Google Cloud Marketplace for simplified procurement and consolidated billing.

Data Security Posture Management: Top DSPM Tools Reviewed

🛡️ Data Security Posture Management (DSPM) tools help organizations discover, classify and manage sensitive data across dynamic cloud environments. They focus on locating "shadow data" in known and unknown repositories and typically collect metadata via agentless or API-based scans to avoid moving raw data. DSPM dashboards catalog findings, map lineage and assess compliance, while remediation often integrates with SOAR, SIEM or CNAPP solutions. Many vendors now combine discovery with some automated "fix it" capabilities to streamline response.

AI in Bug Bounties: Efficiency Gains and Practical Risks

🤖 AI is increasingly used to accelerate bug bounty research, automating vulnerability discovery, API reverse engineering, and large-scale code scanning. While platforms and triage services like Intigriti can flag unreliable, AI-generated reports, smaller or open-source programs (for example Curl) are overwhelmed by low-quality submissions that consume significant staff time. Experts stress that AI augments skilled researchers but cannot replace human judgment.

Eclipse Foundation Revokes Leaked Open VSX Tokens Promptly

🔒 The Eclipse Foundation said it revoked a small number of Open VSX access tokens after Wiz reported several VS Code extensions had inadvertently exposed credentials in public repositories. The exposures were attributed to developer error, not an Open VSX infrastructure compromise. Open VSX introduced an ovsxp_ token prefix, removed flagged extensions, reduced default token lifetimes, and plans automated scans to bolster supply‑chain defenses.

Redis 13-Year Use-After-Free Flaw Rated CVSS 10.0 Severity

⚠️ Redis disclosed a maximum-severity vulnerability, CVE-2025-49844 (RediShell), a use-after-free bug in its Lua scripting implementation that has been assigned a CVSS score of 10.0. An authenticated user can submit crafted Lua scripts to manipulate the garbage collector, trigger a use-after-free, and potentially achieve remote code execution on the host. The issue affects all Redis versions with Lua and was fixed in 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 (released Oct 3, 2025). Administrators should immediately restrict EVAL/EVALSHA via ACLs, avoid exposing Redis instances to the internet, enforce strong authentication, and apply the patches without delay.

Application Security Posture Management: Buying Guide

🛡️ Application Security Posture Management (ASPM) consolidates visibility and controls across cloud, container, and on-premises application environments to help organizations manage the growing volume of vulnerabilities. ASPM platforms typically secure the software development lifecycle and supply chain, automate testing, and integrate with existing tools to enable prioritization and remediation. Feature sets vary widely, and vendors take either a code-first or cloud-first approach, so buyers should evaluate integrations, scan capabilities, coverage, analysis teams, and pricing before purchasing.

Malicious npm Code Reached 10% of Cloud Environments

⚠️ Security researchers warn a supply‑chain attack on npm briefly propagated trojanized versions of widely used packages after the developer account qix was hijacked via social engineering. The malicious updates contained crypto‑stealing payloads that could rewrite wallet recipients in browsers if bundled into frontend builds. Vendor Wiz reports the code was present in about 10% of cloud environments during a two‑hour window, and JFrog says additional accounts, including DuckDB, were impacted. Organizations are advised to blocklist affected versions, rebuild from clean caches, invalidate CDN assets, and hunt for affected bundles and anomalous signing activity.

Partner-built AI Security Innovations on Google Cloud

🔒 Google Cloud and its partners announced a range of partner-built AI security solutions now available in the Google Cloud Marketplace. These integrations embed Gemini and Vertex AI into partner products — including CrowdStrike, Palo Alto Networks, Fortinet, and others — to protect models, data, applications, and agents. The collaborations emphasize automated detection, incident response, DLP, identity protection, and agent monitoring to reduce mean time to detect and respond, helping customers adopt AI securely.