Curated topic

security

Posts tagged with security

Dropbox Tech BlogJun 12, 2026

How Dropbox uses MCP and Dash to close the design-to-code security gap

Why it matters: This approach solves the persistent problem of security requirements getting lost during long development cycles. By using MCP and AI to bridge the gap between documentation and code, engineers ensure critical threat mitigations are implemented without manual overhead or human error.

Dropbox identified a significant design-to-code gap where security threat models are often disconnected from actual implementation in pull requests.
Data analysis revealed that only 12% of PRs link back to original security reviews, with a median delay of five weeks between design and implementation.
The solution leverages the Model Context Protocol (MCP) to allow AI agents to access indexed documentation via Dash, Dropbox's AI-powered search tool.
The system automatically retrieves relevant threat models during code review and evaluates if changes align with previously agreed-upon security mitigations.
By using Dash's MCP server, the agent draws on years of security reviews and engineering docs without requiring manual linking or custom integrations.
This approach helps identify security-sensitive work that might have missed review, providing an early signal during the development lifecycle.

#security #mlp

Read original

Cloudflare BlogJun 12, 2026

Scaling Security Insights: how we achieved a 10x increase in global scanning capacity

Why it matters: This article demonstrates how to scale distributed systems by identifying bottlenecks in message processing, database I/O, and network latency. It provides practical patterns like lane-splitting and batching to handle 10x growth in high-throughput security scanning environments.

Increased scanning throughput 10x by implementing parallel processing in Go microservices to consume Kafka messages in batches via goroutines.
Eliminated head-of-line blocking by splitting consumer groups into 'fast lane' and 'slow lane' paths based on account asset volume.
Optimized database performance by replacing individual row inserts with a hybrid approach using UNNEST and COPY for bulk operations.
Reduced API timeouts and latency by relocating service instances to the same geographic region as the primary Postgres database.
Transitioned from opt-in to automatic scanning for millions of accounts while doubling the frequency of security checks.

#security #dist #sre

Read original

Salesforce EngineeringJun 11, 2026

How MuleSoft Is Raising the Trust Bar for AI-Generated Code

Why it matters: As AI-generated code accelerates development, traditional manual reviews can't keep up. MuleSoft’s Golden Gate provides a scalable model for automated, AI-powered PR governance that maintains high security and trust without slowing down developer velocity or increasing false positives.

MuleSoft launched Golden Gate, an AI-powered PR-time governance system to enforce security and compliance at the merge boundary.
The system addresses the volume and velocity challenges of agentic development by shifting enforcement left into developer workflows.
To minimize false positives, every AI skill undergoes a deterministic validation pipeline involving backtesting against real PR history.
New governance skills are deployed in advisory mode first to build developer trust before becoming mandatory merge-blocking gates.
The platform achieved a false positive rate of under 0.5% across 77,000 executions, demonstrating high-signal reliability at scale.

#security #mlp #culture

Read original

GitHub EngineeringJun 11, 2026

Making secret scanning more trustworthy: Reducing false positives at scale

Why it matters: False positives in security tools cause alert fatigue and erode developer trust. By using LLMs to understand code context, GitHub reduces noise by over 75%, ensuring engineers spend time fixing real vulnerabilities rather than triaging non-sensitive strings.

GitHub integrated LLM-based contextual reasoning into its secret scanning pipeline to significantly reduce false positive alerts.
The system moves beyond simple pattern matching by analyzing how a potential secret is used, such as being passed to an API request or authentication header.
By focusing on 'better context' rather than 'more context,' the verification step analyzes high-signal information within a single file to maintain low latency.
The approach was developed in collaboration with Microsoft Security & AI, leveraging techniques from the Agentic Secret Finder system.
The implementation achieved a 75.76% reduction in customer-confirmed false positives, exceeding the initial target of 65%.
This hybrid model combines pattern-based detection for known formats with AI-powered verification for unstructured secrets like passwords.

#security #mlp #sre

Read original

Cloudflare BlogJun 10, 2026

Route public traffic to private applications with Cloudflare

Why it matters: This feature allows engineers to apply enterprise-grade security and performance tools to internal services without public exposure. It simplifies hybrid cloud networking by treating private IPs as standard origins, reducing operational overhead and the risk of misconfigured firewall rules.

Cloudflare launched Application Services for Private Origins, allowing public traffic to reach private IPs without exposing them to the public internet.
The service enables WAF, bot management, rate limiting, and Workers to protect internal APIs, AI backends, and MCP servers.
It integrates with existing Cloudflare WAN and Mesh connectivity, removing the requirement for running connector software like cloudflared on every origin.
Engineers can toggle private network routing for A/AAAA records, supporting RFC 1918, CGNAT, and Unique Local IPv6 address ranges.
The unified routing model simplifies infrastructure by eliminating the need for parallel stacks like public-facing load balancers or complex VPNs.
This architecture treats security as a property of traffic rather than a result of network location, bridging the gap between public and private infrastructure.

#security #sre #dist

Read original

Cloudflare BlogJun 9, 2026

Defend against frontier cyber models: Cloudflare's architecture as customer zero

Why it matters: AI models now automate exploit generation at scale, making the speed of patching insufficient. Engineers must shift toward resilient architectures that prioritize behavioral scoring and Zero Trust containment over reactive signature-based defenses.

Frontier models like Mythos accelerate vulnerability discovery and exploit chain construction, allowing attackers to move faster than traditional patching cycles.
Cloudflare utilizes its own infrastructure as 'customer zero,' applying its security stack to its own code and employees before external release.
Defense is shifting from static signatures to ML-based scoring, using WAF Attack Score to identify and block mutated, AI-generated payloads in real-time.
Zero Trust principles, including mTLS and microsegmentation, are critical for containing the blast radius when a vulnerability is inevitably exploited.
Visibility across 20% of global web traffic allows Cloudforce One to convert network-wide insights into automated threat intelligence and rapid WAF rule deployment.
The architecture around a vulnerability is more important than the speed of the patch, as AI can bypass signature-based detections through rapid adaptation.

#security #mlp

Read original

GitHub EngineeringJun 8, 2026

GitHub for Beginners: Answers to some common questions

Why it matters: Understanding secure authentication is fundamental for any developer. SSH keys and PATs replace insecure password-based workflows for Git operations, while 2FA protects the account itself. Mastering these tools ensures code integrity and prevents unauthorized access to repositories.

SSH keys use public-key cryptography to authenticate Git operations, requiring a private key on your machine and a public key on GitHub.
The ssh-keygen command generates secure ED25519 key pairs, which should be managed locally using an ssh-agent to avoid repeated passphrase entry.
Personal Access Tokens (PATs) provide a secure alternative to passwords for command-line and API access, allowing for granular permission scopes.
Two-Factor Authentication (2FA) adds a critical security layer by requiring a second verification step via authenticator apps or security keys.
Properly configuring these authentication methods is essential for secure communication between local development environments and remote repositories.

#security #culture

Read original

Cloudflare BlogJun 8, 2026

Turning Cloudflare’s threat indicators into real-time WAF rules

Why it matters: This integration allows engineers to automate security responses using real-time global threat intelligence. By exposing live actor and industry data directly in the WAF, teams can proactively block sophisticated attacks with minimal latency and full Infrastructure as Code support.

Cloudflare now integrates live Threat Events data directly into its WAF engine for proactive, real-time mitigation.
New WAF fields allow filtering by threat actor names, targeted industries, and specific attack types like DDoS or cybercrime.
The always-on detection framework eliminates the log vs. block trade-off by enriching request metadata before action is taken.
Security rules can be managed via UI, API, or Terraform, supporting automated Infrastructure as Code workflows.
Future updates plan to extend matching capabilities beyond IP addresses to include JA3 fingerprints and domain-based indicators.

#security #dist #data

Read original

Cloudflare BlogJun 5, 2026

Your AI bill is out of control. Cloudflare can fix it now.

Why it matters: Uncontrolled AI spend is a major challenge for organizations. These tools provide the observability and governance needed to scale AI usage sustainably by offering granular cost attribution and automated guardrails to prevent unexpected bill shock.

Cloudflare AI Gateway now features dollar-based spend limits to prevent budget overages across multiple AI providers.
A new closed beta introduces identity-driven budgets, integrating with Cloudflare Access to attribute costs to specific users or teams.
Dynamic routing allows for automatic fallback to cheaper models once a primary budget threshold is reached, ensuring service continuity.
The gateway provides unified logging and real-time analytics for token counts and costs across OpenAI, Anthropic, Google, and others.
Administrators can define granular policies based on custom attributes, model types, or identity provider (IdP) groups.

#finops #mlp #security

Read original

GitHub EngineeringJun 4, 2026

GitHub Universe is back: All together now, in the agentic era

Why it matters: GitHub Universe 2026 highlights the shift toward agentic workflows, where AI agents become core collaborators in software development. For engineers, it's a chance to move from AI demos to practical, integrated workflows while networking with peers solving similar scale problems.

GitHub Universe 2026 focuses on the 'agentic era,' exploring how AI agents integrate into unified developer workflows.
The event introduces 'Ship & Tell' lightning talks for community members to showcase real-world builds and technical solutions.
Enhanced peer-to-peer learning via the Discussions Lounge allows for small-group deep dives into specific engineering challenges.
The Source expands the event's open-source footprint, facilitating direct interaction with project maintainers.
Speaker After Parties provide a dedicated space for technical follow-up questions and behind-the-scenes insights from keynote sessions.

#culture #mlp #security

Read original

Page 1 of 22

Prev1 2 3...22 Next