Posts

CVE Severity Distribution for Linux Kernel

The article analyzes Common Vulnerabilities and Exposures (CVE) data for the Linux kernel, showing that in 2024 the kernel accumulated 3,108 CVEs, a 79% increase from 2023, with high-severity flaws making up about 42% and critical issues around 4.8% of all entries. The piece breaks down severity categories using CVSS v3.1 scores, highlights that the networking and memory management subsystems generate a large share of vulnerabilities, and compares Linux’s CVE counts to those of other operating systems, noting that the open-source model’s transparency contributes to larger totals. (commandlinux.com) https://commandlinux.com/statistics/common-vulnerabilities-and-exposures-cve-severity-distribution-for-linux/

LLMs Generate Predictable Passwords

In this blog post Bruce Schneier explains that large language models (LLMs), including tools like ChatGPT, often produce weak and predictable password suggestions when prompted to generate credentials. Because their outputs are based on patterns learned from common text, the passwords they suggest tend to resemble each other and lack sufficient randomness and entropy, making them easy targets for guessing or brute-force attacks. Schneier argues that relying on LLM-generated passwords weakens security and that truly random password generators or password managers are safer choices for creating strong credentials. (schneier.com) https://www.schneier.com/blog/archives/2026/02/llms-generate-predictable-passwords.html

Claude Code Security’s Market Shock

Anthropic’s launch of Claude Code Security, an AI-driven tool that scans codebases for vulnerabilities and proposes fixes, has rattled the cybersecurity industry and investors, pushing down the stocks of major vendors like CrowdStrike and Palo Alto Networks. The capability places Anthropic in direct competition with established application security providers by using reasoning-based analysis rather than traditional static scanning, though experts say it currently covers only a small part of broader security needs. Despite the hype and volatility, long-term investment in cybersecurity innovation remains steady. (govinfosecurity.com) https://www.govinfosecurity.com/blogs/claude-code-security-has-shaken-cybersecurity-market-p-4056

The Invisible Key: Securing the New OAuth Token Attack Vector

This talk explains how modern attackers increasingly “log in” rather than break in by abusing OAuth tokens and delegated authorization flows. It reviews OAuth as an authorization framework, common grant flows, and the role of scopes and third-party applications. The speaker highlights how tokens, which often lack MFA and visibility in logs, become powerful yet opaque credentials that security teams struggle to monitor. The session emphasizes the risks of poor scope management, token misuse, and limited oversight, urging stronger visibility, validation, and control over token-based authentication and machine-to-machine access. (fosdem.org) https://fosdem.org/2026/schedule/event/DMVVQ9-securing-new-attack-vector-oauth-tokens/

Benchmarking CodeThreat’s Contextual AI SAST Engine Summary

The blog benchmarks CodeThreat’s AI-powered static application security testing (SAST) engine against other tools using a custom dataset of real-world projects seeded with vulnerabilities. The evaluation shows CodeThreat detecting a high percentage of both technical and business-logic flaws with no false positives, outperforming several traditional rule-based scanners. It emphasizes the importance of contextual analysis that understands developer intent, data flow, and project structure, and highlights how reducing noise and catching complex, multi-file issues improves practical security outcomes. (codethreat.com) https://www.codethreat.com/blogs/benchmarking-codethreat%E2%80%99s-contextual-ai-sast-engine

TMDD Threat Modeling-Driven Development Tool Summary

TMDD is an open-source Python-based CLI tool for integrating continuous threat modeling into software development workflows. It uses a lightweight, YAML-based framework that lets you define and maintain threat models alongside your code, helping teams identify and document potential security threats early. TMDD supports generating structured threat descriptions, validating models, and producing reports, and can also assist AI coding assistants in writing more secure code by feeding them security-aware prompts based on the threat model. (github.com) https://github.com/attasec/tmdd

CycloneDX BOM Studio Visual Editor Summary

CycloneDX BOM Studio is an open-source, browser-based visual editor for creating, editing, validating, and exporting CycloneDX Bills of Materials (BOMs) without needing command-line tools or manual JSON editing. It provides structured forms, real-time schema validation, dependency visualization, and support for multiple CycloneDX specification versions, making it easier to build accurate software or supply-chain inventory manifests for security and compliance. (github.com) https://github.com/CycloneDX/cyclonedx-bom-studio