Curated topic

security

Posts tagged with security

GitHub EngineeringMay 20, 2026

Investigating unauthorized access to GitHub-owned repositories

Why it matters: This incident highlights the supply chain risks associated with developer tools like IDE extensions. It demonstrates the importance of rapid incident response, secret rotation, and endpoint isolation in mitigating the impact of a compromised internal environment.

GitHub detected a compromise on an employee device caused by a poisoned third-party VS Code extension.
Approximately 3,800 internal repositories were exfiltrated during the security incident.
No evidence suggests that customer-owned enterprises, organizations, or repositories were compromised.
Immediate response included isolating the affected endpoint and removing the malicious extension version.
GitHub rotated critical secrets and high-impact credentials to mitigate further risk.
Ongoing efforts include log analysis, secret rotation validation, and infrastructure monitoring.

#security #sre

Read original

GitHub EngineeringMay 20, 2026

Investigating unauthorized access to GitHub’s internal repositories

Why it matters: This incident highlights the growing threat of supply chain attacks targeting developer tools. It underscores the need for robust endpoint security and rapid secret rotation protocols when internal source code is compromised to prevent lateral movement and further exploitation.

GitHub detected a compromise of an employee device triggered by a poisoned third-party VS Code extension.
The attacker exfiltrated approximately 3,800 internal GitHub repositories during the incident.
No evidence suggests that customer-owned enterprises, organizations, or repositories were directly impacted.
GitHub responded by isolating the affected endpoint and removing the malicious extension version.
Critical secrets were rotated immediately, prioritizing high-impact credentials to mitigate further risk.
The investigation continues with log analysis and infrastructure monitoring for any follow-on activity.

#security

Read original

GitHub EngineeringMay 20, 2026

Investigation update: GitHub Enterprise Server signing key rotation

Why it matters: GitHub is rotating its GHES signing key following a cyber-attack to ensure the integrity of future updates. Engineers managing GHES instances must rotate GPG keys immediately to avoid update failures and maintain a secure, verified supply chain for their enterprise infrastructure.

GitHub is rotating the GitHub Enterprise Server (GHES) signing key following a detected cyber-attack.
The signing key is critical for validating the authenticity of GHES binaries during manual update processes.
Administrators must execute a provided GPG rotation script on all GHES nodes to maintain update compatibility.
The rotation process requires running the script as both the admin user and root to ensure all accounts are updated.
Failure to rotate keys will result in future upgrade failures with 'invalid package' verification errors.
GitHub Enterprise Cloud customers are unaffected and do not need to take any action.

#security #sre

Read original

Airbnb EngineeringMay 19, 2026

Scaling Airbnb’s identity graph with a unified knowledge graph infrastructure

Why it matters: Scaling graph databases for real-time applications is difficult. Airbnb's move to an internal JanusGraph platform demonstrates how to decouple storage from logic to achieve high performance, reliability, and operational control for massive identity resolution workloads.

Airbnb migrated its identity graph from a third-party SaaS to an internally managed platform built on JanusGraph and DynamoDB.
The system manages massive scale with 7 billion nodes and 11 billion edges, processing 5 million new edges daily for real-time identity resolution.
By using JanusGraph with a pluggable DynamoDB backend, Airbnb decoupled the graph logic layer from the storage persistence layer.
Technical optimizations include parallelizing high-fanout queries via the getMultiSlices interface and implementing custom transaction strategies.
The platform provides a unified, multi-tenant infrastructure that replaces fragmented relational, offline, and DIY graph implementations.

#data #dist #security

Read original

Salesforce EngineeringMay 19, 2026

How Salesforce Built an AI Security Agent for Autonomous Threat Triage

Why it matters: Scaling security operations manually is impossible in complex cloud environments. SATA demonstrates how AI agents can automate high-volume triage with 95% accuracy, allowing engineers to focus on critical threats while maintaining trust through confidence scoring and orchestration.

Salesforce developed SATA (Security Alerts Triage Agent) to automate the initial triage of hundreds of daily security alerts.
The agent overcomes data fragmentation by using orchestration workflows to pull context from disparate logs and case-management systems.
SATA improves accuracy by evaluating surrounding context and utilizing multiple agents to review cases from different perspectives.
The system achieved a 95% agreement rate with human analysts during benchmarking against historical security data.
A confidence scoring mechanism ensures high-risk or low-certainty cases are automatically routed to human experts for manual review.

#security #mlp #data

Read original

Cloudflare BlogMay 19, 2026

Announcing Claude Managed Agents on Cloudflare

Why it matters: This integration decouples AI logic from execution, allowing engineers to run Claude agents securely on Cloudflare's infrastructure. It provides granular control over sandboxes, enhanced observability, and the ability to scale via V8 isolates while maintaining private service connectivity.

Cloudflare and Anthropic have integrated Claude Managed Agents with Cloudflare Sandboxes to decouple agent logic from execution infrastructure.
Developers can run the agent loop on Anthropic's platform while using Cloudflare to execute code, secure connections, and manage tool calls.
The integration supports two execution environments: full Linux microVMs for complex tasks and lightweight V8 isolates for high-scale, low-latency execution.
Enhanced security features include customizable proxies for credential injection, data exfiltration prevention, and private service connectivity.
Built-in observability provides detailed sandbox metrics, logs, session recordings for browser-based agents, and interactive SSH access.
A Workers-based control plane manages agent sessions, automatically persisting state across session sleeps and providing a built-in management UI.

#mlp #security #sre

Read original

Cloudflare BlogMay 18, 2026

Project Glasswing: what Mythos showed us

Why it matters: This marks a shift from AI as a simple scanner to an autonomous security researcher capable of verifying exploits. It highlights the potential for automated defense and an evolving threat landscape where attackers can autonomously chain minor bugs into major system vulnerabilities.

Mythos Preview enables complex exploit chain construction, linking multiple minor vulnerabilities into severe, functional exploits.
The model automates proof generation by writing and executing code in scratch environments to verify exploitability.
Testing showed that memory-unsafe languages like C/C++ generate higher noise and false positives than memory-safe alternatives.
Model refusals are inconsistent; the same security task may be blocked or allowed based on framing or environment.
Effective AI security research requires specialized infrastructure and harnesses rather than generic coding agents.

#security #mlp

Read original

GitHub EngineeringMay 15, 2026

Raising the bar: Quality, shared responsibility, and the future of GitHub’s bug bounty program

Why it matters: GitHub is raising the bar for bug bounty submissions to combat low-quality AI noise. This matters to engineers as it clarifies the shared responsibility model for platform security and sets a standard for validating AI-assisted security research and vulnerability reporting.

GitHub is raising the quality bar for bug bounty submissions to combat a surge in low-impact reports and AI-generated noise.
Valid submissions must now include a working Proof of Concept (PoC) demonstrating concrete security impact rather than theoretical scenarios.
Researchers are required to manually validate all findings, including those generated by AI or automated scanners, before submission.
The program emphasizes a shared responsibility model where users are accountable for trusting repositories, code, and AI-processed content.
Reports must be concise, featuring a short summary, clear reproduction steps, and a specific impact statement to speed up triage.

#security #culture

Read original

Engineering at MetaMay 11, 2026

Labyrinth 1.1: Making End-to-End Encrypted Backups Even More Reliable

Why it matters: Labyrinth 1.1 solves a critical availability challenge in E2EE systems by ensuring message persistence even when devices are offline. This improves reliability and user experience in secure messaging without compromising the privacy guarantees of end-to-end encryption.

Meta is rolling out Labyrinth 1.1, an updated protocol for end-to-end encrypted (E2EE) message storage on Messenger.
The update introduces a new sub-protocol that allows messages to be backed up immediately as they are sent.
Senders now place a message encryption key directly into the recipient's encrypted backup, ensuring data persistence.
This mechanism removes the dependency on the recipient's device being online to secure the message history.
The protocol protects against data loss during device switches, hardware loss, or extended periods between sign-ins.
Labyrinth 1.1 maintains strict E2EE standards where only the conversation participants can access the message content.

#security #mobile #dist

Read original

Salesforce EngineeringMay 11, 2026

Building Data 360 Clean Rooms: Zero-Copy Architecture for Privacy-Safe Data Collaboration

Why it matters: Data 360 Clean Rooms enable secure data collaboration without moving raw data. This zero-copy, federated architecture solves the conflict between data utility and strict regulatory compliance like GDPR while maintaining performance across distributed environments.

Implemented a zero-copy federation model that executes queries at the data source, preventing the movement of sensitive raw data.
Designed a privacy-first architecture using PII anonymization, hashing, and aggregation thresholds to comply with GDPR and CCPA.
Utilized use case templates to restrict analysis to pre-approved SQL patterns, preventing unauthorized data probing.
Developed a secure integration layer to bridge Data 360 with external platforms like AWS Clean Rooms using uniform contracts.
Maintained immutable audit logs and granular access controls to ensure transparency and governance across cross-org collaborations.

#data #security #dist

Read original

Page 3 of 22

Prev 1 2 3 4 5...22 Next