Curated topic

security

Posts tagged with security

GitHub EngineeringDec 29, 2025

Bugs that survive the heat of continuous fuzzing

Why it matters: Continuous fuzzing isn't a 'set and forget' solution. Engineers must actively monitor coverage, instrument dependencies, and supplement automated testing with manual audits to catch logic-based vulnerabilities that automated tools often miss.

Continuous fuzzing through OSS-Fuzz is not a silver bullet and requires active human oversight to maintain coverage and create new fuzzers.
Low fuzzer counts and poor code coverage, such as GStreamer's 19%, leave significant portions of codebases vulnerable to undetected bugs.
External dependencies often lack instrumentation, creating blind spots where fuzzers cannot receive feedback or explore deep execution paths.
Standard fuzzing techniques excel at finding memory corruption but frequently miss complex logic bugs, such as sandbox escapes in Ghostscript.
Enrollment in automated security tools can create a false sense of security if developers stop performing manual audits and monitoring build health.

#security

Read original

GitHub EngineeringDec 23, 2025

Strengthening supply chain security: Preparing for the next malware campaign

Why it matters: Supply chain attacks like Shai-Hulud exploit trust in package managers to automate credential theft and malware propagation. Understanding these evolving tactics and adopting OIDC-based trusted publishing is critical for protecting organizational secrets and downstream users.

The Shai-Hulud campaign evolved from simple credential theft to sophisticated multi-stage attacks targeting CI/CD environments and self-hosted runners.
Attackers utilize malicious post-install scripts to exfiltrate secrets, including npm tokens and cloud credentials, to enable automated self-replication.
The malware employs environment-aware payloads that change behavior when detecting CI contexts to escalate privileges and bypass detection.
npm is introducing 'staged publishing,' which requires MFA-verified approval before packages go live to prevent unauthorized releases.
Security roadmaps include bulk OIDC onboarding and expanded support for CI providers to replace long-lived secrets with short-lived tokens.
Engineers are advised to use the --ignore-scripts flag during installation and adopt phishing-resistant MFA to mitigate credential-adjacent compromises.

#security #dist

Read original

GitHub EngineeringDec 23, 2025

5 podcast episodes to help you build with confidence in 2026

Why it matters: These insights help engineers navigate the 2026 landscape by focusing on AI standards, sustainable open-source practices, and privacy-centric design. Understanding these trends is crucial for building resilient, future-proof software in an era of rapid technological shifts.

The Model Context Protocol (MCP) provides an open standard for AI systems to interact with tools consistently, improving interoperability and trust.
Modern AI and open-source tools have lowered the barrier for DIY development, enabling engineers to build purpose-built personal tools with less overhead.
Open source sustainability requires more than just funding; it depends on community health, communication, and institutional support like the Sovereign Tech Fund.
Data from the 2025 Octoverse report highlights the dominance of TypeScript and the rapid adoption of AI-assisted workflows across millions of developers.
The Home Assistant project demonstrates the viability of privacy-first, local-control architectures in a cloud-dominated IoT landscape to avoid vendor lock-in.

#culture #security #mlp

Read original

Cloudflare BlogDec 19, 2025

Code Orange: Fail Small — our resilience plan following recent incidents

Why it matters: This initiative highlights the danger of instant global configuration propagation. By treating config as code and implementing gated rollouts, Cloudflare demonstrates how to mitigate blast radius in hyperscale systems, a critical lesson for SRE and platform engineers.

Cloudflare launched 'Code Orange: Fail Small' to prioritize network resilience after two major outages caused by rapid configuration deployments.
The plan mandates controlled, gated rollouts for all configuration changes, mirroring the existing Health Mediated Deployment (HMD) process used for software binaries.
Teams must now define success metrics and automated rollback triggers for configuration updates to prevent global propagation of errors.
Engineers are reviewing failure modes across traffic-handling systems to ensure predictable behavior during unexpected error states.
The initiative aims to eliminate circular dependencies and improve 'break glass' procedures for faster emergency access during incidents.

#sre #dist #security

Read original

Cloudflare BlogDec 19, 2025

Innovating to address streaming abuse — and our latest transparency report

Why it matters: Cloudflare is scaling its abuse mitigation by integrating AI and real-time APIs. For engineers, this demonstrates how to handle high-volume legal and security compliance through automation and service-specific policies while maintaining network performance and reliability.

Cloudflare's H1 2025 transparency report highlights a significant increase in automated abuse detection and response capabilities.
The company is utilizing AI and machine learning to identify sophisticated patterns in unauthorized streaming and phishing campaigns.
A new API-driven reporting system for rightsholders has scaled DMCA processing, increasing actions from 1,000 to 54,000 in six months.
Cloudflare applies service-specific abuse policies, distinguishing between hosted content and CDN/security services.
Technical measures prevent the misconfiguration of free-tier plans for high-bandwidth video streaming to protect network resources.
Collaborative data sharing with rightsholders enables real-time identification and mitigation of domains involved in streaming abuse.

#security #mlp #dist

Read original

Microsoft Azure BlogDec 16, 2025

Azure updates for partners: December 2025

Why it matters: These updates provide engineers with a unified framework for building, governing, and scaling AI agents. By integrating advanced models like Claude and streamlining data retrieval via Foundry IQ, Microsoft is reducing the complexity of deploying enterprise-grade agentic workflows.

Azure Copilot introduces specialized agents to the portal and CLI to automate cloud migration, assessment, and governance tasks.
Foundry Control Plane enters public preview, offering centralized security, lifecycle management, and observability for AI agents.
Foundry IQ and Fabric IQ provide unified endpoints for RAG solutions and real-time analytics grounded in enterprise data.
The Microsoft Agent Pre-Purchase Plan (P3) simplifies AI procurement by providing a single fund for 32 Microsoft services.
Anthropic Claude models are now available in Microsoft Foundry, enabling advanced reasoning within a unified governance framework.
Azure HorizonDB for PostgreSQL has entered private preview to expand database options for cloud-native applications.

#mlp #data #security

Read original

Engineering at MetaDec 15, 2025

How AI Is Transforming the Adoption of Secure-by-Default Mobile Frameworks

Why it matters: This article demonstrates how Meta leverages secure-by-default mobile frameworks and AI to proactively embed security into development workflows. It's crucial for engineers to understand how to balance security with developer velocity and how AI can scale these efforts.

Meta implements secure-by-default mobile frameworks to wrap potentially unsafe OS and third-party functions, ensuring security while maintaining developer speed.
These frameworks are designed to closely mimic existing APIs, utilize public interfaces, and reduce complexity to maximize developer adoption.
Generative AI and automation significantly accelerate the large-scale adoption of these secure frameworks, enabling consistent security enforcement and efficient code migration.
Key design principles include API resemblance to reduce cognitive burden, reliance on stable public APIs, and broad applicability across applications.
SecureLinkLauncher (SLL) for Android is an example, preventing intent hijacking by wrapping native intent launching methods with robust security checks.

#security #mobile

Read original

Cloudflare BlogDec 15, 2025

The 2025 Cloudflare Radar Year in Review: The rise of AI, post-quantum, and record-breaking DDoS attacks

Why it matters: This review offers critical insights into evolving Internet trends, including AI's impact on web traffic, the rise of post-quantum security, and network performance, essential for engineers building and securing online services.

Global Internet traffic grew 19% in 2025, with Starlink traffic doubling and Googlebot leading verified bot activity for search and AI training.
Post-quantum encrypted web traffic reached 52% of human-generated requests, highlighting a significant shift in security adoption.
AI-related crawling surged, with Googlebot's dual-purpose crawls dominating and "user action" crawling increasing 15x. AI bots were also frequently blocked via robots.txt.
Meta's llama-3-8b-instruct was the most popular model on Workers AI, primarily used for text generation tasks.
Mobile traffic saw iOS devices account for 35% globally, while HTTP/2 and HTTP/3 adoption continued to rise.

#security #data #mlp

Read original

Cloudflare BlogDec 11, 2025

React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques

Why it matters: This critical RCE in React Server Components allows unauthenticated code execution. Engineers must patch immediately and apply WAF rules to protect against active exploitation and prevent severe security breaches.

React2Shell (CVE-2025-55182) is a critical RCE vulnerability (CVSS 10.0) in React Server Components (RSC) Flight protocol.
The flaw stems from unsafe deserialization, enabling unauthenticated attackers to execute arbitrary privileged JavaScript with a single crafted HTTP request.
Cloudflare observed immediate, widespread scanning and exploitation attempts by threat actors within hours of public disclosure.
Threat actors leverage vulnerability scanners (e.g., Nuclei), asset discovery platforms, and tools like Burp Suite for reconnaissance and exploitation.
Two other RSC vulnerabilities, CVE-2025-55183 (Server Function leaking) and CVE-2025-55184 (DoS), were also disclosed.
Cloudflare deployed WAF rules to mitigate these threats, available to all customers.

#security #frontend

Read original

GitHub EngineeringDec 9, 2025

MCP joins the Linux Foundation: What this means for developers building the next era of AI tools and agents

Why it matters: This move provides a stable, open-source foundation for AI agent development, standardizing how LLMs securely interact with external systems. It resolves critical integration challenges, accelerating the creation of robust, production-ready AI tools across industries.

The Model Context Protocol (MCP), an open-source standard for connecting LLMs to external tools, has been donated by Anthropic to the Agentic AI Foundation under the Linux Foundation.
MCP addresses the "n x m integration problem" by providing a vendor-neutral protocol, standardizing how AI models communicate with diverse services like databases and CI pipelines.
Before MCP, developers faced fragmented APIs and brittle, platform-specific integrations, hindering secure and consistent AI agent development.
This transition ensures long-term stewardship and a stable foundation for developers building production AI agents and enterprise systems.
MCP's rapid adoption highlights its critical role in enabling secure, auditable, and cross-platform communication for AI in various industries.

#mlp #dist #security

Read original

Page 13 of 18

Prev 1...11 12 13 14 15...18 Next