Curated topic

security

Posts tagged with security

Engineering at MetaApr 16, 2026

Post-Quantum Cryptography Migration at Meta: Framework, Lessons, and Takeaways

Why it matters: Quantum computing threats like Store Now, Decrypt Later jeopardize current encryption. Meta’s framework provides a scalable roadmap for organizations to transition to PQC standards, ensuring long-term data security without compromising system performance or incurring excessive costs.

Meta is proactively migrating to Post-Quantum Cryptography (PQC) to defend against Store Now, Decrypt Later (SNDL) attacks.
The migration framework introduces three maturity levels: PQ-Aware (inventory/risk), PQ-Ready (technical capability), and PQ-Enabled (full protection).
Meta utilizes NIST-standardized algorithms including ML-KEM (Kyber) and ML-DSA (Dilithium), while co-authoring the HQC algorithm.
The strategy prioritizes internal infrastructure first, balancing security needs with performance overhead and cost efficiency.
Practical guidance focuses on risk assessment, cryptographic inventory, and establishing guardrails to prevent regression to legacy standards.

#security #dist

Read original

Cloudflare BlogApr 16, 2026

Cloudflare Email Service: now in public beta. Ready for your agents

Why it matters: Email is a universal interface. By providing native sending and routing within Workers, Cloudflare enables engineers to build stateful, secure, and asynchronous AI agents that interact with users via standard email, removing the complexity of SMTP management and external API integrations.

Cloudflare Email Service enters public beta, offering native Email Sending via Workers bindings without the need for API key management.
The service automates SPF, DKIM, and DMARC configurations to ensure high deliverability and low latency via Cloudflare's global network.
Integration with the Agents SDK enables bidirectional, asynchronous email communication for AI agents using the onEmail hook.
Developers can maintain stateful conversations across emails using Durable Objects, allowing agents to remember context without external databases.
Secure reply routing is implemented using HMAC-SHA256 signed headers to prevent unauthorized access to specific agent instances.
New developer tools include an Email MCP server, Wrangler CLI commands, and an open-source agentic inbox reference application.

#mlp #dist #security

Read original

GitHub EngineeringApr 15, 2026

Developer policy update: Intermediary liability, copyright, and transparency

Why it matters: Legal and policy shifts regarding copyright liability and age assurance directly impact how engineers build, share, and secure software. These updates ensure that neutral infrastructure and security research remain protected from broad regulations that could stifle open-source innovation.

The U.S. Supreme Court's Cox v. Sony decision reinforces that service providers are not automatically liable for user copyright infringement without evidence of intent.
DMCA Section 1201 exemptions remain critical for developers performing security research, interoperability work, and AI safety analysis.
GitHub's 2025 Transparency Report recorded the highest number of DMCA circumvention claims to date, reflecting increased copyright enforcement pressure.
Proposed age assurance laws in the US, Brazil, and Europe may unintentionally impact open-source infrastructure like package managers and operating systems.
GitHub is actively seeking developer input for the 2027 DMCA triennial review to address emerging challenges in AI model inspection and safety research.

#culture #security

Read original

Cloudflare BlogApr 15, 2026

Introducing Agent Lee - a new interface to the Cloudflare stack

Why it matters: Agent Lee shifts cloud management from manual navigation to natural language intent. By using TypeScript code generation and secure proxying, it provides a blueprint for building autonomous agents that safely perform complex multi-step infrastructure tasks in production environments.

Agent Lee is an in-dashboard AI assistant that allows users to manage, troubleshoot, and configure Cloudflare resources using natural language.
The system uses 'Codemode' to convert Model Context Protocol (MCP) tools into TypeScript APIs, enabling LLMs to write and chain code for improved accuracy over standard tool calling.
Security is enforced through Durable Objects acting as credentialed proxies, classifying operations as read or write and requiring explicit user approval for any state changes.
The interface features generative UI, dynamically rendering interactive charts and visualizations based on real-time account data and traffic logs.
Built entirely on Cloudflare's public primitives like the Agents SDK and Workers AI, the tool serves 18,000 daily users and executes 250,000 tool calls per day.

#mlp #sre #security

Read original

GitHub EngineeringApr 14, 2026

Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game

Why it matters: As AI agents move from prototypes to production, they introduce new attack vectors like goal hijacking and tool misuse. This game provides hands-on experience in identifying and mitigating these risks, helping engineers bridge the gap between AI adoption and security readiness.

GitHub launched Season 4 of the Secure Code Game, focusing on the security of autonomous agentic AI systems.
The game features ProdBot, a deliberately vulnerable AI assistant that uses natural language to execute bash commands and browse the web.
Challenges cover critical risks identified in the OWASP Top 10 for Agentic Applications, including goal hijacking and tool misuse.
Players explore vulnerabilities in the Model Context Protocol (MCP), persistent memory poisoning, and multi-agent orchestration.
The curriculum progresses through five levels, teaching engineers how to exploit and then harden AI agents against malicious prompts.

#security #mlp

Read original

Airbnb EngineeringApr 14, 2026

Privacy-first connections: Empowering social experiences at Airbnb

Why it matters: This architecture demonstrates how to build social features without compromising privacy. By decoupling internal identities from public profiles, engineers can provide granular user control and prevent unintended data leakage across different product contexts.

Airbnb decoupled internal 'User' records from public-facing 'Profiles' to implement privacy by design for new social features.
The system maps a single User ID to multiple context-specific Profile IDs, preventing unauthorized cross-context user tracking.
Experience-specific Guest Profiles allow users to toggle visibility (full profile vs. first name only) for each individual booking.
The architecture ensures co-guests in one Experience cannot link a user to their participation in other unrelated activities.
This granular identity management allows Airbnb to foster community connections while maintaining strict data privacy and user autonomy.

#security #data

Read original

GitHub EngineeringApr 14, 2026

How exposed is your code? Find out in minutes—for free

Why it matters: This tool provides immediate visibility into hidden security risks without financial or setup barriers. By identifying vulnerabilities and AI-driven remediation opportunities, engineers can proactively reduce technical debt and secure their codebase before exploits occur.

GitHub has launched a free Code Security Risk Assessment tool that performs a one-click scan on up to 20 active repositories.
The assessment utilizes the CodeQL static analysis engine to identify vulnerabilities without requiring manual configuration or licenses.
A centralized dashboard summarizes findings by severity, language, and specific security rules to help teams prioritize remediation.
The tool integrates with Secret Risk Assessment to provide a unified view of both code vulnerabilities and credential exposure.
Results highlight vulnerabilities eligible for Copilot Autofix, which GitHub claims can resolve security issues nearly twice as fast as manual efforts.

#security #culture

Read original

Cloudflare BlogApr 14, 2026

Managed OAuth for Access: make internal apps agent-ready in one click

Why it matters: AI agents often fail at human-centric login redirects. Managed OAuth provides a standardized, secure way for agents to access protected internal data using user-scoped tokens rather than risky static credentials, ensuring auditability and fine-grained access control without refactoring code.

Cloudflare Access now supports managed OAuth to enable AI agents to authenticate with internal applications without manual intervention.
The system implements RFC 9728 for discovery and RFC 7591 for Dynamic Client Registration, allowing agents to identify authentication requirements automatically.
Agents use the PKCE (Proof Key for Code Exchange) flow to obtain a JWT, ensuring secure delegation of user permissions.
This approach replaces the need for static service tokens or service accounts, which often lead to 'confused deputy' security risks.
Managed OAuth maintains full auditability by attributing all agent actions to the specific human user who authorized the session.
The feature is designed to work with the Model Context Protocol (MCP) and requires no code changes to legacy internal applications.

#security #sre #mlp

Read original

Cloudflare BlogApr 14, 2026

Scaling MCP adoption: Our reference architecture for simpler, safer and cheaper enterprise deployments of MCP

Why it matters: As AI agents become ubiquitous, securing the connection between LLMs and sensitive data is critical. This architecture provides a blueprint for enterprise-grade MCP deployments that balance developer productivity with robust security, observability, and cost control.

Cloudflare advocates for remote MCP servers over local ones to mitigate supply chain risks and enable centralized governance.
Integrated Cloudflare Access provides SSO and MFA for MCP servers, ensuring only authorized users can access sensitive internal data.
MCP Server Portals centralize discovery and governance, allowing administrators to manage tool access across the organization.
The new Code Mode feature reduces LLM token costs by transmitting tool definitions as code instead of verbose natural language descriptions.
Cloudflare Gateway enables Shadow MCP detection to identify and block unauthorized remote MCP server usage across the network.
AI Gateway provides observability, caching, and rate limiting for all MCP-driven LLM interactions to manage costs and performance.

#security #mlp #dist

Read original

Cloudflare BlogApr 14, 2026

Securing non-human identities: automated revocation, OAuth, and scoped permissions

Why it matters: As AI agents and automation scale, the risk of credential leaks grows. Automated token revocation and granular RBAC ensure non-human identities are secured throughout their lifecycle, preventing unauthorized access and reducing the blast radius of accidental exposures.

Cloudflare is introducing automated revocation for leaked API tokens through a partnership with GitHub's Secret Scanning program.
New API tokens now feature a distinct 'cf' prefix and a checksum to improve detection accuracy and reduce false positives for security scanners.
Cloudflare One customers can use DLP profiles to detect and block tokens across network traffic, email, and SaaS applications.
The platform is enhancing identity management by providing better visibility into OAuth principals and granular, resource-scoped RBAC policies.
These updates specifically target the risks associated with non-human identities, such as AI agents and automated scripts, in modern development workflows.

#security #sre

Read original

Page 2 of 18

Prev 1 2 3 4...18 Next