Appsec adventures

Rich Seiersen, Chief Risk Technology Officer at Qualys, emphasizes that traditional cybersecurity metrics often fail to influence decision-making. In a recent workshop, he advised senior executives and CISOs to focus on risk and resilience rather than accumulating endless threat data. Drawing from his experience at Kaiser Permanente, Seiersen highlighted the overwhelming nature of numerous vulnerability reports and the necessity of prioritizing what truly impacts the business. He advocates for a shift towards metrics that directly inform strategic decisions, ensuring that security efforts align with organizational goals and effectively mitigate risks.  https://www.intelligentciso.com/2025/09/29/the-problem-with-cybersecurity-is-not-just-hackers-its-how-we-measure-risk/

The rise of "vibe coding"—where developers leverage AI to rapidly generate code snippets and features—has introduced both efficiency gains and new security challenges. While AI accelerates development, it can inadvertently introduce vulnerabilities or bypass established security protocols. Experts emphasize the importance of implementing security guardrails, conducting thorough code reviews, and enhancing developer literacy to mitigate risks associated with AI-generated code. By adopting these practices, organizations can harness the benefits of AI in development while maintaining robust security standards.  https://thenewstack.io/vibe-coding-when-ai-writes-the-code-who-secures-it/

In a live webinar held on October 9, 2025, cybersecurity experts Cayla Curtis from Ping Identity and Siddharth Thakkar from Deloitte discussed the escalating challenges organizations face in managing customer identity and access management (CIAM) amidst the rise of AI-driven threats. They emphasized the necessity for unified, adaptable CIAM strategies that not only address compliance and security but also uphold customer trust. The session highlighted the importance of integrating AI into CIAM frameworks to proactively detect and mitigate risks, ensuring a balance between innovation and safeguarding sensitive customer data.  https://www.govinfosecurity.com/webinars/ai-risks-in-ciam-ensuring-compliance-security-trust-w-6558

Banks are increasingly adopting AI to enhance security, moving beyond traditional reactive measures to proactive resilience. By integrating data, implementing responsible AI practices, and ensuring transparency, financial institutions can better detect fraud, comply with regulations, and improve customer trust. AI enables faster fraud detection, reduces false positives, and allows human analysts to focus on strategic decisions. This unified approach helps banks shift from merely managing risk to building long-term security resilience. https://www.govinfosecurity.com/blogs/fraud-to-compliance-how-banks-use-ai-for-resilient-security-p-3938

This article describes how to reduce the risk of npm supply-chain attacks by isolating the local development environment and avoiding storing secrets on disk. The proposed setup uses VS Code DevContainers to run your project inside a container, separating it from the host’s filesystem and credentials. Secrets (API tokens, etc.) are managed via the 1Password CLI and a Connect server so that they are injected just-in-time into the container rather than being kept in .env files or environment variables on the host. Best practices include rotating tokens, locking down permissions, ensuring secret files are ignored by version control, and cleaning up temporary secret files.  https://www.nodejs-security.com/blog/mitigate-supply-chain-security-with-devcontainers-and-1password-for-nodejs-local-development/

Bruce Schneier argues that traditional threat modeling must adapt when governments use techno-authoritarian practices. States combine vast official data with corporate information, enabling mass surveillance and targeted repression. Errors in profiling can have severe consequences in such regimes. He advises using encryption, minimizing stored data, privacy-focused communication, and sometimes sanitized or burner devices. Ultimately, threat modeling in these contexts is about balancing participation in public life with the risks of surveillance and targeting. https://www.schneier.com/blog/archives/2025/09/digital-threat-modeling-under-authoritarianism.html