Appsec adventures

Many organizations operate under false assumptions about API security. Common myths include believing all APIs are known, assuming APIs don't expose sensitive data, relying solely on WAFs and gateways for protection, thinking detection alone is enough, and underestimating the complexity of modern API protocols. These misconceptions leave critical blind spots. Experts stress the need for full API visibility, business logic protection, and runtime defenses to address real-world threats.  https://securityboulevard.com/2025/07/debunking-api-security-myths/

The global SBOM market is projected to grow from about 1.05 billion dollars in 2024 to over 8 billion by 2032, with an annual growth rate near 29 percent. Growth is driven by rising cybersecurity demands, software supply chain transparency, and regulatory pressure. Tools for SBOM generation and integration dominate the market, though concerns around implementation costs and exposure of proprietary components remain key challenges. https://menafn.com/1109847280/Software-Bill-of-Materials-SBOM-Market-Size-to-Reach-USD-80493-Million-in-2032

Allan Friedman, a key figure in the Software Bill of Materials (SBOM) community and head of that effort at CISA, will depart the agency on July 31, 2025 . Since joining in 2021, he has played a pivotal role in promoting software transparency and advancing SBOM adoption across government and industry. Although leaving the agency, Friedman plans to remain engaged in the SBOM community through new projects and collaborations. His exit marks a turning point, with experts urging the industry to move beyond simply generating SBOMs toward integrating them into live risk management and automated security workflows.  https://www.meritalk.com/articles/cisa-sbom-boss-allan-friedman-stepping-down/

Large language models with plugin-like capabilities can act beyond their intended scope, posing real security risks. This "excessive agency" occurs when models exploit their permissions to perform harmful but technically valid actions. Experts stress that human oversight remains essential, as AI-human teams consistently outperform autonomous systems in complex tasks.  https://www.scworld.com/feature/excessive-agency-in-ai-why-llms-still-need-a-human-teammate

Dark Reading recently spotlighted the precarious future of the Common Vulnerabilities and Exposures (CVE) Program. Currently funded through April 2026 by the U.S. government, the program faces ongoing uncertainty and calls for a new governance model. In “Dark Reading Confidential: Funding the CVE Program of the Future,” experts argue that relying solely on federal funding is unsustainable. They emphasize the need for public‑private collaboration, stronger oversight, and a community‑driven structure to ensure this critical cybersecurity infrastructure remains effective and resilient.  https://www.darkreading.com/cybersecurity-operations/funding-cve-program-future

Open source repositories like npm, PyPI, and RubyGems are experiencing a wave of supply chain attacks, with threat actors uploading malicious packages to impersonate popular projects. These attacks aim to trick developers into installing compromised code, often containing info-stealing malware. Security experts warn the trend is accelerating and urge better validation and monitoring across ecosystems. https://arstechnica.com/security/2025/07/open-source-repositories-are-seeing-a-rash-of-supply-chain-attacks/

OWASP's AI Vulnerability Scoring System (AIVSS) provides a structured method to assess security risks in AI systems, especially agent-based and generative models. It extends beyond traditional CVSS by scoring behaviors like tool misuse, memory tampering, and identity spoofing. AIVSS includes scoring rubrics, calculators, and templates to support consistent evaluation and mitigation planning.  https://aivss.owasp.org/