Curated topic

security

Posts tagged with security

GitHub EngineeringApr 28, 2026

Securing the git push pipeline: Responding to a critical remote code execution vulnerability

Why it matters: This incident highlights how minor sanitization failures in internal protocols can lead to critical RCE. It underscores the importance of defense-in-depth, showing how removing unused code paths and robust telemetry can mitigate risks and verify the absence of exploitation.

A critical RCE vulnerability (CVE-2026-3854) was discovered in the GitHub git push pipeline via unsanitized push options.
The flaw allowed attackers to inject metadata into internal protocols by using delimiter characters in user-supplied key-value strings.
By chaining injected values, researchers bypassed sandboxing and executed arbitrary commands on the server handling push operations.
GitHub's telemetry confirmed no exploitation occurred beyond the researchers' testing, as the exploit triggered an anomalous code path.
The primary fix involved strict sanitization of push option values to prevent influence over internal metadata fields.
Defense-in-depth measures included removing unused code paths from production container images that were inadvertently included during deployment model changes.

#security #sre

Read original

Cloudflare BlogApr 28, 2026

Shutdowns, power outages, and conflict: a review of Q1 2026 Internet disruptions

Why it matters: Monitoring global disruptions helps engineers distinguish between application bugs and systemic infrastructure failures. These events underscore the importance of multi-region redundancy and the technical mechanisms, like BGP and filtering, that govern global internet reachability.

Uganda's election-related shutdown reduced domestic traffic from 72 Gbps to 1 Gbps, demonstrating the impact of state-mandated mobile network suspensions.
Iran's first Q1 shutdown involved a massive loss of announced IPv6 address space, specifically impacting ISPs like Asiatech and RASANA.
Technical analysis suggests Iran's second shutdown utilized filtering rather than BGP route withdrawals, as IP space remained announced despite traffic drops.
Physical infrastructure failures, including three grid collapses in Cuba and cable damage in Congo, caused significant regional connectivity gaps.
Military actions in Ukraine and the Middle East directly impacted hyperscaler cloud infrastructure and regional network stability.

#dist #security #data

Read original

Salesforce EngineeringApr 26, 2026

How We Increased Code Coverage by 28% Without Writing a Single Test

Why it matters: Code coverage is often a structural issue rather than a testing one. Refactoring data models to remove boilerplate allows teams to meet CI requirements while improving maintainability and reducing CI runtime, avoiding the trap of writing low-value tests.

Addressed CI-enforced coverage bottlenecks by refactoring data models instead of writing redundant, low-value tests.
Identified that auto-generated boilerplate from annotations like @Data distorted metrics by inflating the code denominator.
Transitioned mutable classes to immutable structures to reduce the volume of non-essential code and simplify the codebase.
Avoided increasing CI runtime and maintenance overhead by focusing on system design rather than test volume.
Prevented the creation of 'false contracts' in tests that could mislead future developers and AI-assisted coding tools.

#sre #security

Read original

Cloudflare BlogApr 21, 2026

Moving past bots vs. humans

Why it matters: As AI agents blur the lines between human and bot traffic, engineers must pivot from binary detection to behavioral security. This shift is crucial for protecting resources, ensuring fair data usage, and maintaining the economic viability of the open web.

Traditional bot detection based on human interaction patterns is becoming obsolete as AI agents and automation tools mimic or bypass standard browser behaviors.
The shift from binary human vs. bot classification to intent-based analysis is necessary to manage resource allocation and content distribution effectively.
AI agents disrupt the historical balance between publishers and users by fetching raw data without rendering pages, bypassing ad monetization and attribution.
Modern web protection must focus on specific outcomes like attack mitigation and crawler load proportionality rather than abstract humanity.
Emerging standards like HTTP message signatures for bot authentication and private rate limiting help identify legitimate automated traffic.

#security #dist #mlp

Read original

Cloudflare BlogApr 20, 2026

Building the agentic cloud: everything we launched during Agents Week 2026

Why it matters: Cloudflare is building 'Cloud 2.0' to support millions of autonomous agents. By providing persistent compute, Git-compatible storage, and zero-trust security for non-human identities, they enable developers to move agentic prototypes into production at global scale.

Cloudflare introduced 'Artifacts,' a Git-compatible versioned storage system designed for agents to manage code and data at scale.
Cloudflare Sandboxes reached GA, providing persistent, isolated environments with full shell and filesystem access for autonomous agents.
New 'Durable Object Facets' enable dynamic instantiation of isolated SQLite databases for AI-generated applications.
Cloudflare Mesh and Managed OAuth for Access provide secure, private networking and identity-aware authentication for non-human agent identities.
The Workflows control plane was rearchitected to support 50,000 concurrency, facilitating high-scale durable execution for background agents.

#mlp #security #dist

Read original

Cloudflare BlogApr 20, 2026

Orchestrating AI Code Review at scale

Why it matters: Scaling AI code reviews requires moving beyond simple prompts to multi-agent orchestration. This architecture demonstrates how to integrate LLMs into CI/CD pipelines reliably, handling large-scale diffs and specialized domain knowledge while maintaining high signal-to-noise ratios.

Cloudflare replaced naive AI summarization with a multi-agent orchestration system built on OpenCode to reduce code review bottlenecks.
The architecture uses a composable plugin system with distinct lifecycle phases to isolate VCS logic from AI provider configurations.
Seven specialized agents cover domains like security and performance, managed by a coordinator that deduplicates findings and judges severity.
To handle massive merge requests, the system passes prompts via stdin to avoid Linux kernel ARG_MAX limits and E2BIG errors.
The implementation leverages the Model Context Protocol (MCP) to allow agents to interact with GitLab APIs for context and commenting.
The system is CI-native and has been deployed across tens of thousands of internal merge requests to improve engineering resiliency.

#mlp #sre #security

Read original

Cloudflare BlogApr 20, 2026

The AI engineering stack we built internally — on the platform we ship

Why it matters: Cloudflare demonstrates how to build a production-grade AI engineering stack using its own infrastructure. It provides a blueprint for using MCP, AI Gateway, and sandboxed execution to boost developer velocity while maintaining security and cost control at scale.

Cloudflare integrated AI into its engineering stack using its own platform, resulting in 93% adoption across R&D and a near doubling of weekly merge requests.
The architecture leverages AI Gateway for centralized LLM routing, cost tracking, and zero-trust security across multiple model providers.
Internal developers use MCP (Model Context Protocol) servers to give AI agents access to internal tools, documentation, and infrastructure.
The stack utilizes Workers AI for low-latency inference on open-weight models, reducing reliance on external frontier model providers.
New tools like the Sandbox SDK and Agents SDK provide isolated environments and stateful sessions for agent-generated code execution.
A Knowledge Layer using Backstage and AGENTS.md files helps agents understand complex internal systems and service dependencies.

#mlp #culture #security

Read original

Cloudflare BlogApr 17, 2026

Shared Dictionaries: compression that keeps up with the agentic web

Why it matters: As web pages grow heavier and deployment cycles shorten, traditional caching fails. Shared dictionaries enable delta compression, sending only file diffs to clients. This drastically reduces bandwidth and improves load times for returning users and bots in an increasingly automated web.

Web page weight is increasing 6-9% annually, while frequent AI-assisted deployments are making traditional caching less effective.
Shared dictionaries allow servers to use previously cached resources as a reference, sending only the differences (delta compression) to the client.
The mechanism utilizes new HTTP headers like Use-As-Dictionary and Available-Dictionary to coordinate diff-based transfers.
This approach can reduce large JavaScript bundle transfers to just a few kilobytes, significantly saving bandwidth and CPU.
Modern implementations aim to solve historical security issues like CRIME and BREACH side-channel attacks that hindered earlier versions.
Cloudflare is introducing support for these dictionaries to handle the rise of agentic web traffic and high-frequency deployment cycles.

#dist #frontend #security

Read original

Salesforce EngineeringApr 16, 2026

Keeping a Deeply Unified Platform Aligned — Inside the Office of the Chief Architect

Why it matters: Maintaining architectural consistency in a massive, multi-cloud ecosystem is vital for security and scale. This approach allows engineers to build on shared abstractions, ensuring that acquisitions and new services integrate seamlessly while supporting advanced AI and agentic workflows.

The Office of the Chief Architect (OCA) establishes architectural frameworks and foundational patterns to ensure long-term platform evolution and alignment across diverse technology stacks.
A unified tenancy model defines how customer data is logically partitioned and isolated, serving as a critical security foundation for AI and agentic experiences.
The OCA focuses on creating shared abstractions for tenancy and identity, allowing heterogeneous systems from acquisitions to integrate without prescribing a single implementation.
A cohesive metadata model provides a platform-wide view of configurations and workflows, enabling personalized agentic experiences grounded in unique business contexts.
Strategic architectural clarity reduces fragmentation and prevents the repeated reinvention of foundational patterns across engineering teams.

#dist #security #data

Read original

GitHub EngineeringApr 16, 2026

How GitHub uses eBPF to improve deployment safety

Why it matters: Circular dependencies can paralyze recovery during outages. By using eBPF and cGroups, engineers can enforce network isolation for deployment scripts without impacting production traffic, ensuring that critical infrastructure remains deployable even when primary services are offline.

GitHub uses eBPF to mitigate circular dependencies where deploying a fix requires access to the service currently experiencing an outage.
They identified three dependency types: direct (explicit script calls), hidden (automatic tool updates), and transient (downstream API dependencies).
The solution utilizes BPF_PROG_TYPE_CGROUP_SKB to hook into network egress specifically for processes within a targeted Linux cGroup.
This approach allows granular network filtering, blocking deployment scripts from accessing github.com while allowing production traffic to continue normally.
The system was implemented using the cilium/ebpf Go library to load and manage custom programs within the Linux kernel.

#sre #dist #security

Read original

Page 1 of 18

Prev1 2 3...18 Next