Appsec adventures

Integrating security tasks into DevOps processes can introduce challenges, notably concerns about potential slowdowns. Some argue that security measures may impede the rapid development cycles characteristic of DevOps by introducing additional steps and scrutiny. However, neglecting security can lead to significant risks, including data breaches and compliance issues. Striking a balance is crucial; incorporating security measures early in the development process, known as DevSecOps, can help identify and address vulnerabilities without significantly hindering development speed. This approach aims to integrate security seamlessly, ensuring that security tasks do not unduly slow down DevOps workflows.  https://www.digit.fyi/are-security-tasks-slowing-down-devops/

SandboxAQ's Hamming Quasi-Cyclic (HQC) algorithm has been selected by the National Institute of Standards and Technology (NIST) as the fifth post-quantum cryptographic (PQC) standard. This selection underscores SandboxAQ's leadership in developing quantum-resistant encryption solutions. HQC is a key encapsulation mechanism designed to secure encryption key exchanges against quantum computing threats. Unlike traditional public-key encryption systems such as RSA and elliptic-curve cryptography, which quantum computers can potentially break, HQC is based on error-correcting codes, offering robust security. Its efficient performance and balanced key size make it suitable for real-world applications. This marks SandboxAQ's second contribution to NIST's PQC standards, following the inclusion of SPHINCS+ in 2022, reinforcing its role in shaping global quantum-safe cybersecurity standards.   https://www.biometricupdate.com/202504/sandboxaq-quantum-resistant-encryption-algorithm...

Ken Huang's "Secure Vibe Coding Guide" emphasizes the importance of integrating security into the software development lifecycle. The guide provides best practices for writing secure code, including input validation, proper authentication mechanisms, and secure data storage techniques. It also highlights the necessity of regular code reviews and staying updated with the latest security vulnerabilities and patches. By following these guidelines, developers can create applications that are resilient against common security threats and contribute to a safer digital environment.  https://kenhuangus.substack.com/p/secure-vibe-coding-guide

Microsoft has announced an expansion of its Security Copilot platform by introducing AI-powered agents designed to autonomously assist with critical security tasks such as phishing detection, data security, and identity management. citeturn0search0 These agents aim to help security teams manage high-volume tasks more efficiently, integrating seamlessly with Microsoft Security solutions. In addition to these agents, Microsoft is enhancing phishing protection in Microsoft Teams by improving defenses against malicious URLs and attachments through Microsoft Defender for Office 365.   https://www.microsoft.com/en-us/security/blog/2025/03/24/microsoft-unveils-microsoft-security-copilot-agents-and-new-protections-for-ai

The ATT&CK Evaluations Library provides adversary emulation plans used in ATT&CK Evaluations, replicating real-world breaches by specific threat actors. These plans outline cyber threat intelligence, detailing an adversary's targets, methods, and objectives. Each plan follows an operational flow illustrating how adversaries achieve their goals within victim environments. Execution content is available in both human and machine-readable formats, supporting manual execution or automation with tools like CALDERA. The library includes emulation plans for groups such as ALPHV BlackCat, APT29, Carbanak, CL0P, DPRK, FIN7, LockBit, menuPass (APT10), OilRig, Sandworm, Turla, Wizard Spider, and Blind Eagle. These plans help organizations better understand and prepare for real-world cyber threats.  https://attackevals.github.io/ael/

Container image signing and runtime verification are essential for securing the software supply chain in containerized environments. By cryptographically signing container images during the build process and verifying them at runtime, organizations can ensure only trusted images are deployed, reducing the risk of supply chain attacks. Image signing involves generating a unique signature using a public key algorithm during continuous integration, which is then verified before deployment to maintain integrity and authenticity. Companies like Google and Datadog use these practices to enhance software supply chain security by establishing cryptographic provenance for container images. Implementing image signing in container runtimes like containerd and CRI-O, or using cloud services like AWS Signer, helps organizations strengthen the security and integrity of their containerized applications.  https://www.datadoghq.com/blog/container-image-signing