Curated topic

security

Posts tagged with security

Cloudflare BlogDec 9, 2025

Shifting left at enterprise scale: how we manage Cloudflare with Infrastructure as Code

Why it matters: This article provides a blueprint for implementing "shift left" security and IaC at enterprise scale, crucial for preventing misconfigurations, enhancing consistency, and improving operational efficiency in large, complex environments.

Cloudflare adopted "shift left" principles and Infrastructure as Code (IaC) to manage its critical platform securely and consistently at enterprise scale.
All production account configurations are managed via IaC using Terraform, integrated with a custom CI/CD pipeline (Atlantis, GitLab, tfstate-butler).
A centralized monorepo holds all configurations, with teams owning their specific sections, promoting accountability and consistency.
Security baselines are enforced through Policy as Code (Open Policy Agent with Rego), shifting validation to the earliest stages of development.
Policies are automatically checked on every merge request, preventing misconfigurations before deployment and minimizing human error.

#security #sre

Read original

Pinterest EngineeringDec 8, 2025

How Pinterest Built a Real‑Time Radar for Violative Content using AI

Why it matters: This system provides real-time, statistically robust insights into content safety, enabling platforms to proactively identify and mitigate harms. It's crucial for maintaining user trust and scaling content moderation efficiently with AI.

Pinterest developed an AI-assisted system to measure "prevalence" of policy-violating content, focusing on the percentage of total views.
This system addresses the shortcomings of report-only metrics, which often miss under-reported harms and lack statistical power.
It utilizes ML-assisted sampling from daily user impressions, leveraging production risk scores for efficiency while ensuring unbiased prevalence estimates.
A multimodal LLM (vision + text) enables bulk labeling of sampled content, significantly reducing latency and cost compared to human review.
Inverse-probability weighting ensures unbiased, design-consistent prevalence metrics, decoupling measurement from enforcement model thresholds.
Continuous calibration, human validation, and periodic checks against SME-labeled gold sets maintain LLM accuracy and detect model drift.
The system provides daily, statistically powered insights for faster interventions and effective content safety tracking.

#mlp #data #security

Read original

Cloudflare BlogDec 5, 2025

Cloudflare outage on December 5, 2025

Why it matters: This incident underscores the critical impact of configuration management in distributed systems. It highlights how rapid, global deployments without gradual rollouts and robust error handling can lead to widespread outages, even from seemingly minor code paths.

A 25-minute Cloudflare outage on Dec 5, 2025, impacted 28% of HTTP traffic due to a configuration change.
The incident stemmed from disabling an internal WAF testing tool, intended to mitigate a React Server Components vulnerability (CVE-2025-55182).
A global configuration system, lacking gradual rollout, propagated a change that triggered a Lua runtime error in the FL1 proxy.
The error was an attempt to access a nil value ('rule_result.execute') when a killswitch skipped an "execute" action rule, a bug undetected for years.
This highlights the need for robust type systems and safe deployment practices, especially for critical infrastructure.
Cloudflare acknowledges similar past incidents and is prioritizing enhanced rollouts and versioning to prevent future widespread impacts.

#sre #dist #security

Read original

GitHub EngineeringDec 4, 2025

How to use GitHub Copilot Spaces to debug issues faster

Why it matters: GitHub Copilot Spaces significantly reduces the time engineers spend hunting for context during debugging by providing AI with project-specific knowledge. This leads to faster, more accurate solutions and streamlined development workflows.

GitHub Copilot Spaces enhances AI debugging by providing project-specific context like files, pull requests, and issues, leading to more accurate suggestions.
Spaces act as dynamic knowledge bundles, automatically syncing with linked content to ensure Copilot always has up-to-date information.
Users create a space, add relevant project assets (e.g., security docs, architecture overviews, specific issues), and define custom instructions for Copilot's behavior.
Copilot leverages this curated context to generate detailed debugging plans and propose code changes, citing its sources for transparency and auditability.
The integrated coding agent can then create pull requests with before/after versions, explanations, and references to the guiding instructions and files.

#mlp #security

Read original

GitHub EngineeringDec 3, 2025

Your stack, your rules: Introducing custom agents in GitHub Copilot for observability, IaC, and security

Why it matters: Custom agents in GitHub Copilot empower engineering teams to embed their unique rules and workflows directly into their AI assistant. This streamlines development, ensures consistency across the SDLC, and automates complex tasks, boosting efficiency and adherence to standards.

GitHub Copilot now supports custom agents, extending its AI assistance across the entire software development lifecycle, not just code generation.
These Markdown-defined agents act as domain experts, integrating team-specific rules, tools, and workflows for areas like observability, security, and IaC.
Custom agents can be deployed at repository, organization, or enterprise levels and are accessible via Copilot CLI, VS Code Chat, and github.com.
They enable engineers to enforce standards, automate multi-step tasks, and integrate third-party tools directly within their development environment.
A growing ecosystem of partner-built agents is available for various domains, including security, databases, DevOps, and incident management.

#sre #security

Read original

Cloudflare BlogDec 3, 2025

Cloudflare WAF proactively protects against React vulnerability

Why it matters: This article is crucial for engineers managing React/Next.js applications, highlighting an RCE vulnerability and Cloudflare's WAF as a critical first line of defense. It emphasizes the importance of both network-level protection and prompt application-level updates.

Cloudflare WAF has deployed new rules to proactively protect against a critical Remote Code Execution (RCE) vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components.
The vulnerability impacts React versions 19.0-19.2 and Next.js versions 15-16, allowing insecure deserialization leading to RCE.
All Cloudflare customers with traffic proxied through WAF are automatically protected, including free and paid plans, with default block actions.
Cloudflare Workers-based applications are inherently immune to this specific exploit.
Despite WAF protection, users are strongly recommended to update to React 19.2.1 and the latest Next.js versions (16.0.7, 15.5.7, 15.4.8).
Specific WAF rule IDs (e.g., 33aa8a8a948b48b28d40450c5fb92fba) have been deployed across Cloudflare's network.

#security #frontend

Read original

Cloudflare BlogDec 3, 2025

Cloudflare's 2025 Q3 DDoS threat report -- including Aisuru, the apex of botnets

Why it matters: This report highlights the escalating scale and sophistication of DDoS attacks, exemplified by the Aisuru botnet. Engineers must prioritize robust, autonomous defense systems to protect critical infrastructure and services from increasingly powerful and short-lived threats.

The Aisuru botnet dominated Q3 2025, launching hyper-volumetric DDoS attacks up to 29.7 Tbps and 14.1 Bpps, causing significant internet disruption.
Cloudflare mitigated 8.3 million DDoS attacks in Q3 2025, a 15% QoQ and 40% YoY increase, with network-layer attacks surging 87% QoQ.
DDoS attacks against AI companies increased by 347% MoM in September, while attacks on Mining/Metals and Automotive sectors also rose due to geopolitical tensions.
The majority of DDoS attacks are short-lived (under 10 minutes), emphasizing the need for autonomous, real-time mitigation systems.
Aisuru, available as a botnet-for-hire, targeted critical infrastructure, telecommunications, gaming, and financial services, demonstrating its disruptive potential.

#security #dist

Read original

Microsoft Azure BlogDec 1, 2025

Azure networking updates on security, reliability, and high availability

Why it matters: This article highlights Azure's commitment to scaling its network for demanding AI workloads and enhancing resilience. Engineers gain insights into new features like zone-redundant NAT Gateway V2, crucial for building highly available and performant cloud-native applications.

Azure's global network has expanded to 18 Pbps WAN capacity, optimized for hyperscale AI and data workloads across 60+ AI regions.
The network fabric is specifically engineered for AI, integrating InfiniBand and high-speed Ethernet for low-latency, high-bandwidth GPU cluster communication and distributed AI WAN.
Azure is enhancing resiliency with zone-redundant services, including the public preview of Standard NAT Gateway V2.
Standard NAT Gateway V2 provides zone-redundant outbound connectivity, 100 Gbps throughput, 10M packets/sec, IPv6 support, and flow logs.

#sre #dist #security

Read original

Slack EngineeringDec 1, 2025

Streamlining Security Investigations with Agents

Why it matters: This article details how Slack built robust AI agent systems for security investigations by moving from single prompts to chained, structured model invocations, offering a blueprint for reliable AI application development.

Slack's Security Engineering team implemented AI agents to streamline security investigations, processing billions of events daily.
Initial prototypes, relying on a single large prompt, exhibited inconsistent performance despite prompt refinement attempts.
The team's solution involved breaking down complex investigations into a sequence of chained, single-purpose model invocations.
Utilizing structured output, defined by JSON schema, was key to achieving fine-grained control and predictable behavior at each step.
The production system employs a team of 'personas' (agents) for specific tasks, with the application orchestrating their interactions and context propagation.
This method significantly improves consistency and reliability in AI-driven security analysis, moving beyond simple prompt engineering.

#security #mlp

Read original

GitHub EngineeringNov 25, 2025

How GitHub’s agentic security principles make our AI agents as secure as possible

Why it matters: This article provides essential security principles for developing and deploying AI agents, addressing critical risks like data exfiltration and prompt injection. It offers practical guidelines for ensuring human oversight and accountability in agentic systems.

GitHub employs agentic security principles for AI agents like Copilot, balancing usability with security through a human-in-the-loop design.
Key risks for agentic AI include data exfiltration, impersonation/action attribution, and prompt injection.
Security controls ensure all context is visible, agents are firewalled, and access to sensitive data is limited.
Agents are prevented from making irreversible state changes without human approval, such as creating pull requests instead of direct commits.
Actions are clearly attributed to both the initiating user and the agent, ensuring accountability.
Context gathering is restricted to authorized users with appropriate repository permissions.

#security #mlp

Read original

Page 14 of 18

Prev 1...12 13 14 15 16...18 Next