Curated topic

security

Posts tagged with security

Cloudflare BlogApr 6, 2026

How we built Organizations to help enterprises manage Cloudflare at scale

Why it matters: Managing large-scale infrastructure across fragmented accounts creates security risks and operational overhead. This update simplifies governance by centralizing identity, policy enforcement, and observability, allowing engineers to maintain the principle of least privilege at scale.

Cloudflare Organizations provides a centralized management layer for enterprises to oversee multiple accounts, users, and configurations.
Introduces the Org Super Administrator role, which grants global permissions across all accounts without requiring individual account memberships.
Enables shared configurations, allowing security teams to centrally manage and deploy WAF and Gateway policies across the entire organization.
Provides a unified analytics dashboard that aggregates HTTP traffic data from all accounts and zones for better visibility.
The backend refactor consolidated authorization checks into a domain-scoped roles system, resulting in a 27% performance improvement for permission enumeration.
Future roadmap items include organization-level audit logs, centralized billing reports, and additional granular user roles.

#security #sre

Read original

Salesforce EngineeringApr 3, 2026

Scaling Trust: How Salesforce’s Security Team Uses Agentforce to Triage Security Reports at Speed

Why it matters: This article demonstrates how AI agents can scale security operations by automating the triage of unstructured vulnerability reports. It highlights the importance of human-in-the-loop systems and structured data collection in maintaining high response standards during rapid growth.

Salesforce implemented an AI-driven triage system using Agentforce to manage a 30% year-over-year increase in vulnerability reports without expanding the security team.
The system utilizes format-agnostic parsing logic to extract signals from unstructured data like PDFs and spreadsheets, correctly identifying products across a diverse portfolio.
A transition from email-based submissions to a structured web interface ensured that reports contain necessary data fields and reproducible steps for immediate analysis.
The architecture employs a human-in-the-loop model where the AI generates recommendations in Slack, but security engineers retain final decision-making authority.
Automated routing and initial triage now occur in seconds, significantly reducing end-to-end response times and eliminating manual bottlenecks.

#security #mlp

Read original

Airbnb EngineeringApr 2, 2026

My Journey to Airbnb — Jonathan Woodard

Why it matters: This story highlights the effectiveness of apprenticeship programs in diversifying engineering talent. It also provides insights into Airbnb's security engineering culture, specifically how they manage permissions platforms and integrate LLMs while maintaining high security standards.

Jonathan Woodard transitioned from a six-year professional football career to software engineering through Airbnb’s Connect Engineering Apprenticeship.
The apprenticeship program utilized a two-phase approach: a structured learning phase followed by a team placement phase with hands-on project work.
Woodard now works on the Secure Development Engineering team, specifically focusing on Identity and Access Management (IAM) and product security.
He contributes to Airbnb’s largest permissions platform, managing the technical balance between security safety and LLM integration.
The transition was supported by a multi-layered mentorship model involving technical mentors, team buddies, and alumni hosts.
The article draws parallels between professional sports and security engineering, emphasizing high-pressure decision-making and team collaboration.

#security #culture

Read original

GitHub EngineeringApr 1, 2026

Securing the open source supply chain across GitHub

Why it matters: Supply chain attacks are evolving to target CI/CD pipelines. By adopting OIDC-based trusted publishing and rigorous workflow scanning, engineers can eliminate long-lived secrets and protect their projects from automated credential exfiltration and malware propagation.

Attackers are increasingly targeting GitHub Actions workflows to exfiltrate secrets and propagate malicious packages across the open source ecosystem.
Engineers should use CodeQL to review workflow implementations and pin third-party Actions to full-length commit SHAs to prevent unauthorized code execution.
Avoid using pull_request_target triggers and implement strict checks against script injection when referencing user-submitted content.
Replace long-lived secrets with OpenID Connect (OIDC) tokens for 'trusted publishing' to cloud providers and package repositories like npm, PyPI, and RubyGems.
GitHub is scaling automated malware detection for npm, scanning over 30,000 daily package versions to identify and remove malicious code before propagation.
A revamped security roadmap for GitHub Actions and npm is underway to accelerate the rollout of mandatory security features and hardened publishing workflows.

#security

Read original

Cloudflare BlogApr 1, 2026

Introducing EmDash — the spiritual successor to WordPress that solves plugin security

Why it matters: EmDash modernizes CMS architecture by replacing insecure PHP-based plugin hooks with isolated serverless environments. This shift to capability-based security and modern TypeScript tooling solves decades-old security vulnerabilities while maintaining the extensibility of the WordPress model.

EmDash is an open-source, MIT-licensed CMS built from scratch using TypeScript and the Astro framework.
It addresses WordPress's fundamental security flaws by sandboxing plugins within isolated Dynamic Workers.
Plugins utilize a capability-based security model, requiring explicit declarations of permissions like database access or network calls in a manifest.
The architecture is serverless-first but portable, allowing deployment on Cloudflare, Node.js, or private hardware.
By using static declarations for plugin needs, administrators can audit and restrict plugin behavior at install time rather than relying on allowlists.

#security #frontend #dist

Read original

Cloudflare BlogApr 1, 2026

Our ongoing commitment to privacy for the 1.1.1.1 public DNS resolver

Why it matters: DNS is a critical internet protocol that can leak significant user behavior data. Cloudflare's independent audit provides a rare, verifiable guarantee of privacy in a space where 'trust us' is the norm, setting a technical and ethical benchmark for infrastructure providers.

Cloudflare completed its second independent privacy examination of the 1.1.1.1 public DNS resolver, conducted by a Big 4 accounting firm.
The review confirms that Cloudflare does not sell personal data, use it for ad targeting, or retain identifying information.
Source IP addresses are anonymized and deleted within 25 hours, maintaining strict user privacy.
The resolver now runs on a new technical platform, which was included in the scope of the latest rigorous audit.
A small fraction of traffic (0.05%) is sampled for network troubleshooting and DDoS mitigation purposes.
Anonymized transaction logs are utilized for research and services like Cloudflare Radar without compromising individual user privacy.

#security #dist #culture

Read original

Cloudflare BlogMar 31, 2026

Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers

Why it matters: Engineers can now extend Cloudflare's DDoS protection with custom eBPF logic. This is crucial for proprietary UDP-based applications like gaming or VoIP, where generic rate limiting causes collateral damage. It provides granular, stateful control over traffic filtering at the network edge.

Cloudflare launched Programmable Flow Protection, allowing Magic Transit customers to deploy custom DDoS mitigation logic via eBPF.
The system addresses the limitations of generic DDoS protection for proprietary or custom UDP protocols used in gaming, VoIP, and streaming.
Customers can write eBPF programs to define precise 'good' versus 'bad' packet logic, which Cloudflare executes across its global edge network.
To ensure security and flexibility, these programs run in a userspace environment rather than the Linux kernel, using a specialized API for stateful mitigation.
The platform includes helper functions for storing client state, performing cryptographic validation, and issuing challenge packets to mitigate attacks without impacting legitimate users.

#security #dist #sre

Read original

GitHub EngineeringMar 30, 2026

GitHub for Beginners: Getting started with GitHub security

Why it matters: Security is a shared responsibility; even small projects inherit risks from third-party dependencies. GitHub's integrated tools automate vulnerability detection and remediation, allowing developers to secure their supply chain without significant manual overhead.

GitHub Advanced Security (GHAS) provides a suite of tools including Dependabot, secret scanning, and CodeQL to automate vulnerability detection.
Secret scanning identifies leaked credentials in commits, prompting developers to revoke compromised keys and secure their infrastructure.
Dependabot monitors third-party libraries for known vulnerabilities and automatically generates pull requests for security updates.
Code scanning with CodeQL analyzes source code to find risky patterns and potential exploits during the development lifecycle.
These features are available by default for public repositories and can be enabled via the repository settings under the Security tab.

#security

Read original

Cloudflare BlogMar 30, 2026

Cloudflare Client-Side Security: smarter detection, now open to everyone

Why it matters: Client-side attacks like skimming are hard to detect because they don't break site functionality. Cloudflare's use of GNNs and LLMs to analyze script intent at scale allows engineers to secure front-end dependencies and meet PCI DSS v4 compliance without manual overhead or performance lag.

Cloudflare has expanded access to Client-Side Security Advanced for self-serve customers and made domain-based threat intelligence free for all users.
The system uses browser reporting and Content Security Policy (CSP) to monitor scripts with zero latency impact on web applications.
Detection logic utilizes Graph Neural Networks (GNN) to analyze Abstract Syntax Trees (AST), identifying malicious intent rather than relying on static signatures.
A new LLM-based triage layer has been integrated to reduce false positives by distinguishing between malicious code and benign but obfuscated scripts like ad-tech bundles.
The platform automates code change monitoring and proactive blocking, assisting organizations in meeting PCI DSS v4 compliance requirements.

#security #frontend #mlp

Read original

Salesforce EngineeringMar 26, 2026

Grounding Enterprise AI with Live Web Retrieval and Verifiable Citations

Why it matters: Enterprise AI requires real-time context and verifiability. This architecture solves hallucination problems by grounding LLMs in live web data with a citation engine, making AI outputs reliable for critical business decisions and ensuring transparency through traceable source metadata.

Salesforce expanded Prompt Builder to include live web retrieval, allowing AI to access real-time external data beyond the LLM's training cutoff.
The architecture integrates external search providers into the prompt resolution pipeline, combining CRM data with live web context.
A dedicated citation service was implemented to map AI-generated snippets to original source metadata, enabling verifiable responses.
The system handles engineering challenges like external provider latency, timeouts, and content safety filtering to ensure enterprise-grade reliability.
Clickable citations are inserted into responses, allowing users to trace claims back to source material and reducing the risk of hallucinations.
The design prioritizes usability, allowing non-technical users to add web retrieval to prompt templates without complex coding.

#mlp #data #security

Read original

Page 4 of 18

Prev 1 2 3 4 5 6...18 Next