
STRIDE GPT AI-Powered Threat Modeling Web App

STRIDE GPT is a web-based application that uses large language models to help teams create threat models automatically based on the STRIDE methodology. Users describe their application’s architecture and security-relevant context, and the tool generates a comprehensive list of threats categorized by STRIDE, as well as optional attack trees, DREAD risk scores, suggested mitigations, and even Gherkin test cases. It supports multiple LLM providers and aims to simplify design-phase threat analysis, making proactive security assessment more accessible. https://stridegpt.streamlit.app/
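To make the entry concrete, here is an added example of the two building blocks the tool automates: STRIDE-per-element enumeration over a small data-flow diagram and DREAD scoring of a resulting threat. This is not STRIDE GPT's code and it calls no LLM; the STRIDE-per-element table and the DREAD formula are the standard published ones, and the Browser/API/UsersDB architecture in `main()` is constructed for the example.

```python
"""STRIDE-per-element enumeration plus DREAD scoring (added example).

This is not STRIDE GPT's code and makes no LLM call; it shows the kind of
output the tool produces from an architecture description. The
STRIDE-per-element table and the DREAD formula are the standard published
ones; the sample architecture in main() is constructed for the example.
"""
from dataclasses import dataclass
from statistics import mean

# Standard STRIDE-per-element table: which threat categories apply to each
# kind of data-flow-diagram element.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of STRIDE_PER_ELEMENT


@dataclass(frozen=True)
class Threat:
    element: str
    category: str  # one STRIDE letter
    description: str


def enumerate_threats(elements):
    """Return the candidate threats for every element, per STRIDE-per-element."""
    threats = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind {el.kind!r} for {el.name!r}")
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append(Threat(
                el.name, letter,
                f"{STRIDE_NAMES[letter]} against {el.kind.replace('_', ' ')} {el.name!r}"))
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """Classic DREAD: mean of five ratings on a 1..10 scale, one decimal place."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be between 1 and 10")
    return round(mean(ratings), 1)


def main():
    # Constructed sample: a browser talking to an API that reads a user table.
    elements = [
        Element("Browser", "external_entity"),
        Element("API", "process"),
        Element("UsersDB", "data_store"),
        Element("Browser->API", "data_flow"),
    ]
    threats = enumerate_threats(elements)
    for t in threats:
        print(f"[{t.category}] {t.description}")
    print(f"{len(threats)} candidate threats")
    # Score one of them: information disclosure from the user table.
    print("DREAD for I/UsersDB:", dread_score(8, 9, 7, 10, 6))


if __name__ == "__main__":
    main()
```

The enumeration is deliberately mechanical: a data store never gets an Elevation of privilege entry and an external entity only gets Spoofing and Repudiation, which is exactly the pruning a reviewer should check an LLM-generated model against before trusting its completeness.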

Threat Modeling Tool Directory on GitHub

The Toreon Threat Modeling Tool Directory on GitHub is a curated list of tools that support or automate design-time threat modeling. It focuses exclusively on software, code, libraries, or services that help practitioners systematically identify, analyze, and mitigate threats during system design. The directory lists a variety of tools, from classic diagramming and risk-analysis applications to newer AI-augmented threat modeling tools, and states inclusion criteria that emphasize practical support for threat modeling workflows while excluding operational threat intelligence and purely conceptual frameworks. The repository invites contributions to expand and improve the list. https://github.com/Toreon/Threat-Modeling-Tool-Directory

Why Data Security and Privacy Should Start in Code

The article argues that AI-assisted coding and app generation have multiplied the number of applications and the pace of change, outrunning data security and privacy programs that are largely reactive. Many existing tools only detect issues after data is already in production and miss hidden flows to third-party and AI integrations, so the author's remedy is to embed detection and governance controls directly into development. The piece presents proactive code-level analysis as a way to catch sensitive data exposure, stale data maps, and unmanaged AI use early, on the grounds that prevention at the source beats post-deployment tooling, and it profiles a privacy code scanner that traces sensitive data through the code and generates compliance documentation as the code evolves. https://thehackernews.com/2025/12/why-data-security-and-privacy-need-to.html

The Psychology of Bad Code Part 2 – Building Systems That Support Secure Developer Behavior

The article argues that insecure code isn’t due to laziness or malice but is rooted in human behavior under pressure and incentives, and that security programs should focus on creating systems that make secure decisions easier. It proposes secure defaults, embedding security practices into the software development lifecycle, and using tools to guide developers toward secure choices. It also emphasizes training that builds habits rather than just knowledge and measuring success by behavior change instead of compliance metrics. https://shehackspurple.ca/2025/12/23/the-psychology-of-bad-code-part-2-building-systems-that-support-secure-developer-behavior/

Docker Makes Hardened Images Free in Container Security Shift

Docker has made its catalogue of more than 1,000 hardened container images freely available under the open source Apache 2.0 licence, removing the previous commercial restrictions and potentially raising the security baseline for containers generally. Docker Hardened Images are built on Debian and Alpine, strip out unnecessary components to minimize attack surface, ship with SBOMs and cryptographic provenance, and are claimed to reduce vulnerabilities by up to 95 percent compared with conventional images. The move responds to escalating supply chain threats and includes additional tooling such as Hardened Helm Charts and hardened servers for AI workloads. Docker will continue to sell enterprise tiers with SLAs for faster CVE remediation and extended lifecycle support, while the free offering is available to all developers. https://www.infoq.com/news/2025/12/docker-hardened-images/

Is Vibe Coding Secure? Conflicting Insights from Two Key Studies

This LinkedIn article examines two recent, credible studies that appear to contradict each other on the security of AI-generated or "vibe coded" applications. The first, SusVibes, found that while AI models like Claude 4 Sonnet achieved 61% functional correctness on complex, real-world coding tasks, over 80% of that working code contained serious security vulnerabilities (e.g., code injection, logic flaws), with only 10.5% of solutions being fully secure. The second study by Invicti, which generated over 20,000 simple web apps, found a more optimistic picture: modern LLMs have dramatically improved at avoiding basic vulnerabilities like SQL injection and XSS but systematically introduced new, predictable risks by replicating hardcoded secrets (like "supersecretkey"), common credentials, and standard endpoints from their training data. The article reconciles these findings by highlighting their different scopes: Invicti's study shows AI is better at basic securit...
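The code-level privacy entry above and the Invicti finding in this entry describe two faces of the same control: a static check over source that runs before anything reaches production. The following added example (not the scanner the Hacker News piece profiles, nor anything from either study) walks a Python module with the standard `ast` library and does both jobs in one pass: it flags string literals assigned to credential-looking names, including the reproduced placeholder value "supersecretkey" the Invicti study mentions, and it tracks PII-looking identifiers through simple assignments until they reach an outbound HTTP or AI-provider call. The name patterns, the list of outbound call prefixes and the sample module at the bottom are all constructed for the example.

```python
"""Source-level secrets and sensitive-data-flow scanner for Python (added example).

Two checks in one ast pass:
  1. hardcoded secrets: a string literal assigned to a credential-looking name,
     or a well-known placeholder value such as "supersecretkey";
  2. PII reaching an outbound sink: names that look like PII, and anything
     assigned from them, used as an argument to requests./httpx./openai./...
     Taint is flow-insensitive and module-wide (a fixed-point over Assign nodes),
     which is crude but enough to surface the hidden third-party/AI flows the
     article talks about.
Patterns, sink prefixes and SAMPLE are constructed for this example.
"""
import ast
import re

SECRET_NAME_RE = re.compile(r"(secret|password|passwd|api_?key|token)", re.I)
KNOWN_PLACEHOLDERS = {"supersecretkey", "changeme", "password", "admin"}
PII_NAME_RE = re.compile(
    r"(email|ssn|phone|date_of_birth|dob|first_name|last_name|full_name|credit_card)", re.I)
# Call targets treated as leaving the process boundary (third-party / AI).
OUTBOUND_PREFIXES = ("requests.", "httpx.", "openai.", "anthropic.", "boto3.")


def _dotted(node):
    """Render a call target such as requests.post or openai.chat.completions.create."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def scan_source(src, filename="<string>"):
    """Return [(check, lineno, detail), ...] sorted by line."""
    tree = ast.parse(src, filename)
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]
    calls = [n for n in ast.walk(tree) if isinstance(n, ast.Call)]
    findings = []

    # Check 1: hardcoded secrets.
    for node in assigns:
        if not (isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
            continue
        for t in node.targets:
            if isinstance(t, ast.Name) and (SECRET_NAME_RE.search(t.id)
                                            or node.value.value.lower() in KNOWN_PLACEHOLDERS):
                findings.append(("hardcoded-secret", node.lineno, t.id))

    # Check 2: propagate taint to a fixed point, then look at sink call arguments.
    tainted = set()
    changed = True
    while changed:
        changed = False
        for node in assigns:
            src_names = _names_in(node.value)
            for t in node.targets:
                if isinstance(t, ast.Name) and t.id not in tainted and (
                        PII_NAME_RE.search(t.id) or src_names & tainted):
                    tainted.add(t.id)
                    changed = True
    for node in calls:
        target = _dotted(node.func)
        if not target or not target.startswith(OUTBOUND_PREFIXES):
            continue
        used = set()
        for arg in node.args + [kw.value for kw in node.keywords]:
            used |= _names_in(arg)
        leaked = sorted(n for n in used if n in tainted or PII_NAME_RE.search(n))
        if leaked:
            findings.append(("pii-outbound", node.lineno, f"{target}({', '.join(leaked)})"))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample module, the kind of thing a vibe-coded app ships with.
SAMPLE = '''\
import requests, openai

SECRET_KEY = "supersecretkey"
DB_PASSWORD = "hunter2"
TIMEOUT = "30"

def sync_user(user):
    email = user.email
    payload = {"contact": email, "plan": user.plan}
    requests.post("https://crm.example.invalid/users", json=payload)
    openai.chat.completions.create(model="gpt-4o",
        messages=[{"role": "user", "content": payload["contact"]}])
    requests.get("https://status.example.invalid/health")
'''

if __name__ == "__main__":
    for check, line, detail in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {check}: {detail}")
```

Note what the taint pass buys you: `payload` is never named like PII, but it is built from `email`, so both the CRM call and the OpenAI call are reported while the health-check request on the last line is not. A real scanner adds interprocedural tracking, framework-aware sinks and a suppression mechanism; the shape of the analysis is the same.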

Scanner Tool for Detecting Critical "React2Shell" RCE Vulnerabilities in React and Next.js

This GitHub repository contains a comprehensive scanning toolset designed to detect and remediate two critical, unauthenticated remote code execution (RCE) vulnerabilities—CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)—both rated CVSS 10.0. Dubbed "React2Shell," this flaw in the React Server Components (RSC) Flight protocol allows a single crafted HTTP request to deserialize into server-side code execution on vulnerable systems. The project provides two primary tools: a Software Composition Analysis (SCA) scanner to identify vulnerable dependencies in a codebase, and a web Dynamic Application Security Testing (DAST) scanner to actively probe live endpoints and validate exploitability in production environments. The web scanner includes a full test lab with exploit examples and is capable of scanning targets at scale, generating multiple report formats, and correlating findings with known attack patterns. The repository emphasizes that this is a critical security incident...
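The SCA half of that toolset comes down to one question: which copies of `react`, `react-dom` and `next` are actually installed, and do their versions fall in an affected range? The added example below is not the repository's code; it parses an npm `package-lock.json` (lockfileVersion 2 or 3, `packages` map), walks every installed copy including nested `node_modules` duplicates that a top-level `package.json` check would miss, and compares versions with a small semver parser. The lockfile is constructed for the example, and the version ranges in `PLACEHOLDER_WATCHLIST` are placeholders, not advisory data: take the real affected and fixed versions for CVE-2025-55182 and CVE-2025-66478 from the vendor advisories before using anything like this.

```python
"""Lockfile-based SCA check for nested React / Next.js copies (added example).

Not the linked repository's code. Reads an npm package-lock.json v2/v3,
enumerates every installed package (top-level and nested duplicates) and
reports those whose version lies in a watched range. SAMPLE_LOCK and the
ranges in PLACEHOLDER_WATCHLIST are constructed for the example; substitute
the official advisory ranges for CVE-2025-55182 / CVE-2025-66478.
"""
import json
import re

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_semver(v):
    """(major, minor, patch, release_flag); a prerelease sorts below its release."""
    m = SEMVER_RE.match(v)
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def in_range(version, lo, hi):
    """lo <= version < hi, all given as semver strings."""
    return parse_semver(lo) <= parse_semver(version) < parse_semver(hi)


def installed_packages(lock):
    """Yield (lock_path, name, version) for every installed package, nested ones included."""
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "version" not in meta:   # "" is the root project itself
            continue
        # Name is whatever follows the last "node_modules/", so scoped names survive.
        name = path.rsplit("node_modules/", 1)[-1]
        yield path, name, meta["version"]


def find_vulnerable(lock, watchlist):
    """Return a hit per installed copy whose version lies in a watched range."""
    hits = []
    for path, name, version in installed_packages(lock):
        for lo, hi in watchlist.get(name, ()):
            if in_range(version, lo, hi):
                hits.append({"package": name, "version": version,
                             "path": path, "range": f">={lo} <{hi}"})
    return hits


# Constructed lockfile: the top-level react is patched, a widget still bundles an old one.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next": "15.0.0", "react": "19.0.1"}},
        "node_modules/react": {"version": "19.0.1"},
        "node_modules/react-dom": {"version": "19.0.0"},
        "node_modules/next": {"version": "15.0.0"},
        "node_modules/some-widget": {"version": "2.1.0"},
        "node_modules/some-widget/node_modules/react": {"version": "19.0.0"},
        "node_modules/@scope/ui": {"version": "1.0.0"},
    },
}

# PLACEHOLDER ranges for the example only; not taken from any advisory.
PLACEHOLDER_WATCHLIST = {
    "react": [("19.0.0", "19.0.1")],
    "react-dom": [("19.0.0", "19.0.1")],
    "next": [("15.0.0", "15.0.1")],
}

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for h in find_vulnerable(lock, PLACEHOLDER_WATCHLIST):
        print(f"{h['package']}@{h['version']} at {h['path']} (in {h['range']})")
```

Run it against a real lockfile with `python sca_check.py package-lock.json` once the watchlist holds the advisory ranges. The nested `some-widget/node_modules/react` hit is the point of the exercise: upgrading the top-level dependency alone leaves that copy, and the RSC endpoint it serves, exposed.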