Posts

RedBench: A Universal Dataset for Comprehensive Red Teaming of Large Language Models

The paper introduces RedBench, a unified dataset designed to improve how large language models (LLMs) are evaluated for safety and robustness. Existing red-teaming datasets are inconsistent in how they categorize risks and cover different types of attacks, which makes it hard to systematically test models. RedBench aggregates and standardizes 37 existing datasets into a consistent taxonomy of risk categories and domains, with tens of thousands of samples of both adversarial and refusal prompts. The authors analyze gaps in current datasets, provide baseline evaluations for modern LLMs, and open-source the dataset and evaluation code to support better, more comprehensive LLM safety research. https://huggingface.co/papers/2601.03699

Ralph Wiggum Loop and the Need for a Principal Skinner Harness

The article discusses a pattern for autonomous AI agents called the Ralph Wiggum loop, in which a model repeatedly runs in a stateless loop, feeding instructions into itself until a completion condition is met. This approach avoids context rot by resetting the model’s memory each iteration and relying on file systems or version control instead. While persistent iteration can make an agent tireless and effective on long tasks, it also creates governance risks because the agent may continue indefinitely or take harmful actions without supervision. To address this, the author argues that builders need a Principal Skinner harness, a structural control layer that enforces rules, monitors agent behavior, and prevents destructive actions. This harness intercepts and evaluates each tool call, implements deterministic safety controls, and distinguishes agent activity so that organizations can govern long-running autonomous agents safely. https://securetrajectories.substack.com/p/ralph-wi...

SBOMs in 2026: Some Love, Some Hate, Much Ambivalence

Cybersecurity experts remain divided about the value of software bills of materials (SBOMs) in 2026. In theory, SBOMs are praised for improving transparency and helping defenders understand what components make up software, which could aid vulnerability management. In practice, however, they are often messy, inconsistent, hard to generate accurately, and difficult to use at scale. The rapid evolution of software ecosystems and challenges in creating end-to-end verified component records have led to skepticism among some practitioners, while others still see potential if tooling and standards improve. Overall, the debate reflects mixed sentiments about how useful SBOMs actually are for improving security. https://www.darkreading.com/application-security/sboms-in-2026-some-love-some-hate-much-ambivalence

Latin American Organisations Lack Confidence in Cyber Defences

A report from the World Economic Forum shows that organisations in Latin America and the Caribbean have the lowest confidence in their country’s ability to defend critical infrastructure against cyberattacks, with only about 13% expressing confidence while nearly half lack faith in preparedness. This lack of trust reflects broader challenges including a shortage of cybersecurity skills, limited resources, and gaps in governance and infrastructure as digital ecosystems expand rapidly. The shortage of trained professionals is seen as a major factor weakening regional cyber resilience, and efforts to build talent and capability are needed to improve defences as threats grow. https://www.darkreading.com/cyber-risk/latin-american-confidence-cyber-defenses-skills

CVE-2025-68428 Critical Path Traversal in jsPDF

The article explains a high-severity vulnerability tracked as CVE-2025-68428 in the popular jsPDF JavaScript library used to generate PDF files in web applications. The flaw is a path traversal issue that could allow attackers to craft malicious input enabling access to files outside of intended directories when jsPDF is used in certain server-side or file-serving contexts. If exploited, this can lead to unauthorized file access, potential data leakage, or the ability to include unintended local resources in generated PDFs. The article stresses the importance of updating to patched versions of jsPDF, reviewing use of the library in applications, and applying secure coding and input validation practices to mitigate such critical vulnerabilities before they can be abused in the wild. https://www.endorlabs.com/learn/cve-2025-68428-critical-path-traversal-in-jspdf

Astronomer Modernizes AppSec with Endor Labs

The article describes how Astronomer, a data engineering company, improved its application security by adopting Endor Labs’ security platform. Astronomer faced challenges securing complex code pipelines, dependencies, and distributed environments using traditional tools. By integrating Endor Labs into its development processes, Astronomer gained automated detection of vulnerabilities, better visibility into risky software components, and real-time feedback for developers. The solution helped the team catch security issues earlier, reduce manual effort, and streamline secure deployment practices. The article highlights how proactive, integrated security tooling can help modern engineering teams protect software without slowing down development. https://www.endorlabs.com/learn/astronomer-modernizes-appsec-with-endor-labs

AI-Aware Code Review Prevents Breaches

The article explains that traditional code review processes often miss subtle security vulnerabilities, especially as modern applications integrate complex dependencies and AI-generated code. By using AI-aware code review tools that understand security patterns, data flows, and attack techniques, development teams can catch issues earlier and reduce the risk of breaches. These tools analyze code in context, identify risky constructs, and provide guidance that goes beyond simple syntax checks. Integrating AI-driven security analysis into the development lifecycle helps teams improve overall code quality, prevent common coding mistakes that lead to vulnerabilities, and strengthen defenses before software is deployed. Continuous review, training, and automation are highlighted as best practices to make code reviews more effective and reduce the likelihood of security incidents. https://www.endorlabs.com/learn/ai-aware-code-review-breaches