Posts

Showing posts from November, 2025

How Researchers Uncovered Vulnerabilities in Vibe-Coded Apps

Escape’s security team analyzed more than 5,600 applications built using vibe-coding platforms, identifying over 2,000 vulnerabilities, 400 exposed secrets, and 175 cases of personal data exposure. Their approach combined data collection from public sources, subdomain enumeration, automated attack surface mapping, static scans of frontend bundles, and passive dynamic testing. The methodology emphasized conservative verification to ensure findings were high-confidence and accurately reflected the security risks of low-code and vibe-coding ecosystems.  https://escape.tech/blog/methodology-how-we-discovered-vulnerabilities-apps-built-with-vibe-coding/

AI as the New Compiler for Software

In his blog, Tony Zhang argues that large language models (LLMs) paired with formal-methods tools can transform code generation into a provably correct process. He suggests the role of AI is shifting from “assistant” to a compiler-like engine—taking developer intent and rigorously translating it into verified software. This could finally bring formal verification into mainstream software engineering by embedding correctness checks directly into the development pipeline.  https://tonyzhangnd.github.io/2025/10/AI-is-a-compiler.html

Cybersecurity Tool Sprawl Is Escalating – and Getting Worse (2024)

Old article, still relevant. Organizations now manage an average of 70 to 130 cybersecurity tools, with many planning to add even more despite widespread underuse. Only 10 to 20 percent of these tools are fully utilized, leading to redundancy, poor integration, and operational inefficiency. Experts warn that unchecked expansion and fragmented security stacks are turning investments into liabilities, as companies struggle to manage overlapping capabilities and inconsistent visibility across their environments. https://siliconangle.com/2024/08/05/cybersecurity-tool-sprawl-control-going-get-worse

Island Browser: Redefining the Corporate Web Workspace

Island is a Chromium-based enterprise browser built to embed security and governance directly into the browsing environment. It allows organizations to control user actions such as copy, download, and screenshot, enforce conditional access based on identity or device posture, and secure SaaS and internal web apps across managed or unmanaged devices. Positioned as a leader in the enterprise browser market, Island aims to make the browser itself the central control point for security and productivity in hybrid work environments.  https://www.island.io/

Funding Crisis Threatens Global Vulnerability Tracking

The CVE program faced near collapse after funding for the National Vulnerability Database was depleted, disrupting access to essential vulnerability data. In response, several organizations proposed alternatives, including the CVE Foundation, ENISA’s EUVD, and a Global Vulnerability Catalog. CISA outlined a plan to reform vulnerability tracking but faces its own budget and staffing constraints, casting doubt on its ability to lead. The conflict’s outcome will determine the future of global vulnerability coordination. https://cyberscoop.com/cve-program-funding-crisis-nvd-cisa-alternatives

Hardening LLM-based Applications: Insights from NVIDIA’s AI Red Team

The blog by the NVIDIA AI Red Team outlines three major security risks in large-language-model applications: executing model-generated code without sandboxing (leading to remote code execution), insecure permissions in retrieval-augmented-generation (RAG) stores enabling data leaks or prompt injection, and active content rendering (images/links) in LLM outputs causing inadvertent exfiltration. They recommend replacing exec/eval with safe mappings, enforcing per-user permissions on RAG data, and sanitising or disabling dynamic link/image content. https://developer.nvidia.com/blog/practical-llm-security-advice-from-the-nvidia-ai-red-team
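The three mitigations above in one Python sketch, added here as an illustration and not code from the NVIDIA post: an allow-listed dispatcher in place of exec/eval, a retrieval filter keyed on the requesting user's ACL, and an output sanitizer that drops markdown images and links to hosts outside an allow-list. SAFE_OPS, DOCS, ALLOWED_HOSTS and the sample texts are assumptions constructed for the demo.

```python
import json
import operator
import re

# Risk 1: never exec()/eval() model output. Map the few operations the model
# may request onto vetted functions and refuse anything not in the map.
SAFE_OPS = {  # assumed allow-list for this demo
    "add": operator.add,
    "mul": operator.mul,
    "upper": lambda s: str(s).upper(),
}

def run_model_action(action_json: str):
    """Dispatch a model-proposed {"op": ..., "args": [...]} through SAFE_OPS."""
    action = json.loads(action_json)
    op = SAFE_OPS.get(action.get("op"))
    if op is None:
        raise ValueError(f"refused unknown op: {action.get('op')!r}")
    args = action.get("args", [])
    if not all(isinstance(a, (int, float, str)) for a in args):
        raise ValueError("refused non-scalar argument")
    return op(*args)

# Risk 2: enforce the *requesting user's* read permission on RAG chunks
# before they are placed in the prompt (constructed sample store).
DOCS = [
    {"id": 1, "acl": {"alice"}, "text": "Q3 revenue forecast: confidential"},
    {"id": 2, "acl": {"alice", "bob"}, "text": "Employee handbook: public"},
]

def retrieve(user: str, query: str) -> list[str]:
    q = query.lower()
    return [d["text"] for d in DOCS if user in d["acl"] and q in d["text"].lower()]

# Risk 3: strip markdown images and links to non-allow-listed hosts so an
# injected response cannot exfiltrate context through an automatic fetch.
ALLOWED_HOSTS = {"docs.example.com"}  # assumed trusted hosts
_IMG = re.compile(r"!\[[^\]]*\]\([^)]*\)")
_LINK = re.compile(r"\[([^\]]*)\]\((https?://([^/)\s]+)[^)]*)\)")

def sanitize_output(text: str) -> str:
    text = _IMG.sub("[image removed]", text)

    def keep_or_strip(m: re.Match) -> str:
        return m.group(0) if m.group(3).lower() in ALLOWED_HOSTS else m.group(1)

    return _LINK.sub(keep_or_strip, text)
```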

EY Misconfigures Cloud Storage, Exposes 4 TB SQL Backup

A large 4-terabyte SQL Server backup belonging to Ernst & Young (EY) was found publicly accessible on the internet, likely due to a misconfigured cloud storage bucket. The exposed file contained database schemas, API keys, session and authentication tokens, service-account passwords and other sensitive data. Researchers from Neo Security discovered the leak and reported it; EY confirmed the issue was limited to one acquired entity and stated that no client or personal data were impacted.  https://www.linkedin.com/pulse/ernst-young-ey-exposes-4tb-database-online-what-qypre/

Malware Campaign in NPM Registry Steals GitHub Tokens

Researchers uncovered a major supply-chain attack (codenamed “PhantomRaven”) affecting at least 126 packages in the npm registry. The malware uses remote dependencies hosted on attacker-controlled servers to bypass detection and, via pre-install hooks, harvests developer credentials including GitHub tokens and CI/CD secrets. The campaign has been active since August 2025 and has amassed over 86,000 downloads, underscoring the urgent need for auditing dependencies and rotating exposed credentials.  https://www.linkedin.com/pulse/malware-found-126-npm-packages-stealing-github-tokens-reversinglabs-llohe/
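A defensive check for the pattern described above, added here as an example and not code from the ReversingLabs report: it parses a constructed package.json and flags dependencies resolved from arbitrary URLs or git remotes rather than the registry, plus lifecycle hooks (preinstall and friends) that run code at install time. In practice you would run it over every package.json under node_modules, not only the top-level one; the manifest contents and hostname are constructed placeholders.

```python
import json
import re

# Constructed sample manifest modelled on the pattern described above: one
# dependency is fetched from an arbitrary HTTP host instead of the registry,
# and a preinstall hook runs code before anyone has looked at the package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "version": "1.0.0",
    "scripts": {"preinstall": "node setup.js", "test": "jest"},
    "dependencies": {
        "express": "^4.19.0",
        "helper-utils": "http://cdn.placeholder.example/helper-utils.tgz",
        "legacy-lib": "git+https://github.com/example-org/legacy-lib.git",
    },
})

# Hooks npm runs automatically during install; "test" or "build" are not.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Dependency specs that bypass the registry: plain URLs, git remotes,
# GitHub shorthand and local paths. Semver ranges and dist-tags do not match.
REMOTE_SPEC = re.compile(r"^(https?://|git(\+\w+)?://|git@|github:|file:)")

def audit_manifest(manifest_text: str) -> list[dict]:
    """Return one finding per remote dependency spec or lifecycle hook."""
    manifest = json.loads(manifest_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if REMOTE_SPEC.match(spec):
                findings.append({"kind": "remote_dependency", "name": name, "spec": spec})
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append({"kind": "lifecycle_script", "name": hook, "spec": cmd})
    return findings

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_PACKAGE_JSON):
        print(f"{f['kind']:18} {f['name']}: {f['spec']}")
```

Setting ignore-scripts=true in .npmrc (or installing with npm install --ignore-scripts) blocks the hook step entirely, at the cost of breaking packages that legitimately build at install time.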