Curated topic

security

Posts tagged with security

Cloudflare BlogMar 2, 2026

Beyond the blank slate: how Cloudflare accelerates your Zero Trust journey

Why it matters: Project Helix reduces Zero Trust adoption barriers by replacing manual, error-prone configurations with automated best practices. This allows engineers to deploy secure, optimized SASE environments in minutes while ensuring consistency across complex network architectures.

Project Helix automates the configuration of Cloudflare One to eliminate the 'blank slate' problem and reduce deployment friction.
The system codifies best practices from solutions engineers into reusable Terraform templates for consistent, error-free SASE setups.
Automated policies cover DNS protection, TLS inspection, Remote Browser Isolation, and visibility controls for AI applications.
Helix addresses complex networking tasks like configuring CGNAT ranges for private app routing and managing split-tunneling for real-time apps.
The solution leverages a web-based UI hosted on Cloudflare Workers to trigger infrastructure-as-code deployments via API.

#security #sre

Read original

Cloudflare BlogMar 2, 2026

Modernizing with agile SASE: a Cloudflare One blog takeover

Why it matters: Agile SASE moves security from rigid hardware silos to a programmable, single-pass global network. For engineers, this reduces technical debt, eliminates performance bottlenecks caused by service-chaining, and enables custom security logic via native developer platforms like Cloudflare Workers.

Cloudflare One introduces agile SASE, a composable platform designed to replace fragmented legacy hardware and VPNs with a unified connectivity cloud.
The platform utilizes a single-pass architecture across 300+ cities, eliminating service-chaining bottlenecks by running all security checks on every server simultaneously.
Integration with Cloudflare Workers allows developers to write custom code for real-time security event interception, moving beyond static allow/block rules.
Modernization focuses on five key areas: remote access, AI-powered email protection, DNS filtering, safe AI governance, and simplified branch networking.
Upcoming technical deep-dives will cover identity evolution, AI-driven threat detection, and the engineering behind the autonomous edge for performance-centric security.

#security #dist #sre

Read original

Cloudflare BlogMar 2, 2026

The truly programmable SASE platform

Why it matters: Cloudflare's programmable SASE allows engineers to build context-aware security policies using code. By executing logic at the edge, teams can integrate external data into access decisions in real-time, reducing latency and complexity compared to traditional webhook-based automation.

Cloudflare defines true programmability as the ability to intercept security events, enrich them with external context, and act in real-time.
The platform integrates SASE (Cloudflare One) with the Developer Platform (Workers), allowing security logic to run on the same global edge network.
Engineers can move beyond static 'allow/block' rules by using Workers to inject dynamic headers or query external risk APIs inline.
Managed actions provide templates for common IT and compliance workflows, while custom actions allow for bespoke logic via serverless functions.
This architecture eliminates the latency overhead typically associated with routing traffic to separate cloud environments for policy enforcement.
Real-world use cases include automated device session revocation and context-aware access based on external training or certification databases.

#security #dist #sre

Read original

Netflix Tech BlogFeb 28, 2026

Mount Mayhem at Netflix: Scaling Containers on Modern CPUs

Why it matters: Rapidly scaling containers with many layers can trigger kernel VFS lock contention when using idmap mounts for security. Understanding how hardware architecture, like NUMA domains and cache line bouncing, impacts system-level locks is crucial for high-density container orchestration.

Netflix identified a container startup bottleneck where nodes stalled for 30+ seconds due to kernel-level VFS mount lock contention.
The issue was triggered by the new container runtime's use of idmap mounts for unique user namespaces, which significantly increased mount operations.
Container images with many layers (50+) exacerbated the problem, requiring thousands of mount/unmount operations during rapid scale-up events.
Performance analysis using Intel's TMA revealed that 95.5% of pipeline slots were stalled on contested accesses and cache line bouncing.
Older multi-socket hardware (r5.metal) suffered more than newer single-socket instances (m7i, m7a) due to NUMA-related latency in lock acquisition.
The investigation highlights the critical intersection of container runtime security features, kernel lock management, and modern CPU architecture.

#sre #security

Read original

Cloudflare BlogFeb 27, 2026

Toxic combinations: when small signals add up to a security incident

Why it matters: Engineers often overlook minor anomalies, but their convergence signals sophisticated attacks. Understanding toxic combinations helps teams move beyond signature-based defense to intent-based security, identifying breaches that lack obvious exploit payloads.

Toxic combinations are security incidents where attackers exploit multiple minor misconfigurations or anomalies that appear harmless in isolation.
Cloudflare identifies these by intersecting bot traffic data, sensitive application paths (e.g., /wp-admin, /debug), and request anomalies like geo jumps or identity mismatches.
Traditional point defenses like WAFs often focus on individual requests, whereas toxic combination detection analyzes the broader context and intent of multiple signals.
Analysis shows that while only 0.25% of non-WordPress hosts are susceptible, these represent high-risk vulnerabilities to compromise.
Engineers can use tools like Cloudflare Log Explorer to run queries that identify automated probing of administrative endpoints and debug flags.

#security #data

Read original

Cloudflare BlogFeb 27, 2026

ASPA: making Internet routing more secure

Why it matters: BGP route leaks cause major outages and security risks. ASPA extends RPKI to verify the entire routing path, not just the destination. For network engineers, this standard is a critical step toward a more secure and predictable Internet by cryptographically preventing unauthorized traffic detours.

ASPA (Autonomous System Provider Authorization) is a new cryptographic standard designed to prevent BGP route leaks by validating the entire network path.
While RPKI and ROAs verify the destination of traffic, ASPA verifies the sequence of Autonomous Systems (AS_PATH) it traverses.
ASPA allows network operators to publish a list of authorized upstream providers within the existing RPKI infrastructure.
Validation follows valley-free routing principles, ensuring traffic moves up to providers and down to customers without unauthorized lateral or downward-then-upward shifts.
Cloudflare Radar has introduced a monitoring tool to track ASPA adoption trends across Regional Internet Registries and individual Autonomous Systems.

#security #dist

Read original

Cloudflare BlogFeb 27, 2026

Bringing more transparency to post-quantum usage, encrypted messaging, and routing security

Why it matters: As quantum computing threats loom, transitioning to post-quantum cryptography and securing BGP routing are critical for long-term data integrity. These tools provide the transparency needed to audit infrastructure readiness and verify the security of encrypted communication channels.

Cloudflare Radar now monitors post-quantum (PQ) encryption support for origin-facing connections, complementing existing client-side tracking.
A new public tool allows users to verify if specific hostnames support PQ-secure hybrid key exchange algorithms like X25519MLKEM768.
The Key Transparency dashboard provides real-time verification status of logs for encrypted messaging services, ensuring public key integrity.
Routing security insights now include data on ASPA (Autonomous System Provider Authorization) deployment to mitigate BGP route leaks.
Origin-side PQ support has seen a 10x increase over the past year, driven by default enablement in libraries like OpenSSL 3.5.0 and Go 1.24.

#security #data #dist

Read original

Cloudflare BlogFeb 27, 2026

The most-seen UI on the Internet? Redesigning Turnstile and Challenge Pages

Why it matters: Redesigning a UI served billions of times daily requires balancing security, accessibility, and performance. This case study shows how to handle massive-scale deployments while reducing user friction in critical security checkpoints, ensuring a better experience for a global audience.

Cloudflare redesigned its Turnstile and Challenge Pages to improve the user experience for 7.67 billion daily security verifications.
A comprehensive design audit revealed fragmented error states and overly technical messaging that increased user frustration.
The team mapped complex user journeys to identify 'unhappy paths' and replaced technical jargon with actionable, human-readable guidance.
The redesign addresses a 58% year-over-year increase in security challenges driven by the rise of AI-powered bot attacks.
Engineering efforts focused on maintaining performance and accessibility at an unprecedented global scale while ensuring backward compatibility.

#security #frontend #culture

Read original

GitHub EngineeringFeb 26, 2026

What’s new with GitHub Copilot coding agent

Why it matters: These updates transform AI from a simple autocomplete tool into a sophisticated background agent that handles end-to-end tasks. By automating code review and security checks, it reduces manual toil and ensures higher quality PRs with significantly less human intervention.

GitHub Copilot coding agent now allows users to select specific AI models for tasks, choosing faster models for routine work or more robust ones for complex refactoring.
The agent performs automated self-reviews to catch logic errors and improve code style before submitting a pull request.
Integrated security scanning checks for vulnerabilities, secrets, and dependency issues for free within the agent workflow.
Custom agents can be defined in .github/agents/ to enforce team-specific processes, such as mandatory benchmarking.
Seamless handoff between cloud sessions and the local CLI allows developers to move work between environments without losing context.

#mlp #security

Read original

Salesforce EngineeringFeb 23, 2026

Building an AI-Accelerated Compliance Automation Platform for 24x Faster Audits

Why it matters: Automating compliance reduces operational risk and engineering toil. By moving from fragile UI-driven workflows to API-first systems using AI-assisted development, teams can deliver audit-ready evidence 24x faster while maintaining high engineering standards.

Developed FastTrack, an API-first automation platform that replaced manual, screenshot-driven compliance audits for mobile app stores.
Achieved a 24x reduction in audit execution time by moving from fragile UI-based workflows to deterministic API integrations.
Utilized AI-assisted development to accelerate the path from system design to production, enabling rapid prototyping of validation logic.
Addressed data granularity gaps in the Google Play Console API by redefining evidence boundaries in collaboration with compliance stakeholders.
Embedded runtime validation and transparent API query logging to create verifiable, compliance-grade audit trails.

#mobile #security #culture

Read original

Page 4 of 12

Prev 1 2 3 4 5 6...12 Next