Curated topic

security

Posts tagged with security

GitHub EngineeringMar 17, 2026

 Investing in the people shaping open source and securing the future together

Why it matters: Open source maintainers face increasing burnout from automated security reports and AI-driven exploits. This investment provides the funding, AI tools, and reporting infrastructure needed to secure the global software supply chain without overwhelming the people who build it.

GitHub joins a $12.5M industry commitment to the Linux Foundation’s Alpha-Omega initiative to integrate AI into open source security workflows.
The Secure Open Source Fund is expanding with $5.5M in Azure credits and new partnerships to provide maintainers with training and expertise.
Enhancements to Private Vulnerability Reporting (PVR) aim to reduce maintainer burnout by filtering low-quality security reports.
Eligible maintainers get free access to GitHub Copilot Pro and advanced security tools like automated code scanning and secret protection.
GitHub is open-sourcing its AI-powered security research framework to empower maintainers against increasingly sophisticated AI-driven exploits.

#security #culture

Read original

Cloudflare BlogMar 16, 2026

Standing up for the open Internet: why we appealed Italy’s "Piracy Shield" fine

Why it matters: This case highlights the technical and legal risks of IP-based blocking. For engineers, it underscores how blunt regulatory tools can disrupt shared infrastructure, causing widespread outages for innocent services and challenging the fundamental architecture of the open Internet.

Cloudflare is appealing a €14 million fine from Italy's AGCOM over its refusal to participate in the Piracy Shield blocking system.
Piracy Shield allows private rightsholders to mandate IP-level blocking within 30 minutes without judicial oversight or transparency.
The system relies on IP address blocking, which leads to significant collateral damage as thousands of legitimate sites often share a single IP.
Documented failures include the accidental blocking of Google Drive, Ukrainian government sites, and various NGOs for extended periods.
Cloudflare argues the scheme violates the EU Digital Services Act (DSA) by lacking proportionality and procedural safeguards.
A 2025 study by the University of Twente confirmed that the system routinely causes persistent collateral blocking of legitimate web services.

#security #culture #dist

Read original

Engineering at MetaMar 13, 2026

Patch Me If You Can: AI Codemods for Secure-by-Default Android Apps

Why it matters: Scaling security updates across massive codebases is traditionally slow and error-prone. By combining secure-by-default frameworks with AI-powered codemods, Meta demonstrates how to automate large-scale security migrations, reducing developer friction and improving app safety at scale.

Meta utilizes a two-pronged strategy for mobile security: secure-by-default frameworks and AI-driven automated migrations.
Secure-by-default frameworks wrap unsafe Android OS APIs to ensure the secure path is the easiest for developers to follow.
Generative AI is leveraged to automate the migration of legacy code to these secure frameworks at a massive scale.
The system automates the proposal, validation, and submission of security patches across millions of lines of code.
This approach significantly reduces developer friction and manual effort required to maintain security across a sprawling codebase.

#security #mobile #mlp

Read original

Cloudflare BlogMar 13, 2026

From legacy architecture to Cloudflare One

Why it matters: Migrating legacy infrastructure to Zero Trust is notoriously risky. This approach allows engineers to modernize security for old applications without rewriting code, reducing the attack surface via outbound-only tunnels while maintaining session persistence and operational stability.

Adopts a tiered, risk-aware methodology to move applications based on complexity rather than using a risky 'big bang' migration approach.
Utilizes Cloudflare Access to wrap legacy applications in a Zero Trust layer, enabling MFA and SSO without requiring any code changes.
Employs Cloudflare Tunnel to create outbound-only connections, effectively hiding internal services from the public internet by removing public IP addresses.
Conducts pre-migration audits to map backend dependencies and identity providers, ensuring service continuity during the transition.
Leverages Dynamic Path MTU Discovery (PMTUD) to maintain persistent sessions at the edge even when client IP addresses change.

#security #sre

Read original

Cloudflare BlogMar 13, 2026

From legacy architecture to Cloudflare One

Why it matters: Moving from legacy VPNs to Zero Trust is high-risk. This methodology de-risks the process by treating migration as application modernization, allowing engineers to secure legacy systems with MFA and identity-based access without downtime or code changes.

Cloudflare and CDW advocate for a tiered, risk-aware migration strategy to Zero Trust rather than high-risk 'big bang' VPN replacements.
Legacy applications are modernized by 'wrapping' them in Cloudflare Access, adding MFA and SSO capabilities without requiring code rewrites.
Cloudflare Tunnel establishes outbound-only connections, effectively hiding internal applications from the public internet and preventing lateral movement.
Comprehensive pre-migration audits map backend dependencies and identity providers to ensure service continuity during the transition.
Dynamic Path MTU Discovery (PMTUD) is utilized to maintain persistent sessions for legacy architectures even as client IP addresses change.

#security #sre

Read original

Cloudflare BlogMar 12, 2026

Announcing Cloudflare Account Abuse Protection: prevent fraudulent attacks from bots and humans

Why it matters: Modern threats blend human intent with automated scale, making traditional bot detection insufficient. This suite provides privacy-preserving tools like Hashed User IDs and email risk scoring to stop account takeover and promotion abuse without compromising sensitive user data.

Cloudflare introduced Account Abuse Protection to combat hybrid threats involving both automated bots and human-driven fraud.
New features include disposable email checks and email risk scoring to identify throwaway accounts used for promotion abuse.
Hashed User IDs provide a privacy-preserving way to track suspicious activity by cryptographically hashing usernames per domain.
The suite integrates with existing leaked credential detection, which checks passwords against a database of 16 billion compromised records.
Account Takeover (ATO) detection IDs use behavioral anomaly detection to identify suspicious login patterns unique to each customer.
The solution addresses industrialized fraud where attackers use human-powered farms and AI agents to bypass traditional bot defenses.

#security #dist

Read original

GitHub EngineeringMar 12, 2026

GitHub availability report: February 2026

Why it matters: This report highlights how complex dependencies—like telemetry, caching, and security policies—can trigger cascading failures. It provides valuable lessons on the importance of robust monitoring, automated rollbacks, and the need for resilient proxy layers in large-scale distributed systems.

GitHub experienced six major incidents in February 2026, impacting Actions, Codespaces, Dependabot, and Git operations.
A significant outage was caused by telemetry loss that triggered incorrect security policies, blocking access to critical VM metadata.
Cache write amplification and simultaneous rewrites led to cascading failures and connection exhaustion in the Git HTTPS proxy.
Database failovers to read-only instances and authorization claim changes in networking dependencies caused service degradations.
Incorrect network configurations in the LFS service resulted in repository archive download errors for objects using Git LFS.
GitHub is implementing improved monitoring, automated rollbacks, and self-throttling mechanisms to increase system resilience.

#sre #dist #security

Read original

Salesforce EngineeringMar 11, 2026

Beyond CRM: How Salesforce Engineered an Enterprise Agent Platform for Any Workload

Why it matters: It demonstrates how to build a scalable, trust-first AI agent architecture. By integrating deterministic graphs with unstructured data and open standards like MCP, it provides a blueprint for enterprise-grade AI orchestration and governance beyond simple chat interfaces.

Salesforce is evolving its architecture into a general-purpose enterprise agent platform capable of handling non-CRM workloads through Agentforce and Data 360.
The platform uses AgentScript and AgentGraph to provide deterministic structure and orchestration for non-deterministic AI reasoning flows.
Data 360 acts as a unified context system, harmonizing structured and unstructured data with deep metadata enrichment for more accurate agent grounding.
A dedicated trust layer manages identity, credential context, and policy enforcement to protect against prompt injection and unauthorized data access.
The architecture supports open standards like Model Context Protocol (MCP) and Agent-to-Agent (A2A) for cross-platform tool invocation and orchestration.
Agents utilize short-term, long-term, and episodic memory combined with user personalization profiles to improve reasoning reliability.

#data #mlp #security

Read original

Cloudflare BlogMar 11, 2026

AI Security for Apps is now generally available

Why it matters: AI apps introduce probabilistic attack surfaces like prompt injection that traditional WAFs can't stop. Cloudflare's GA release provides automated discovery and specialized guardrails to secure LLM endpoints and agents without requiring model-specific integrations.

Cloudflare's AI Security for Apps is now generally available, providing a reverse proxy layer to protect LLM-powered applications and agents.
AI endpoint discovery is now free for all customers, using behavioral analysis to identify AI-integrated endpoints across web properties.
The platform detects prompt injection, PII exposure, and toxic content, attaching metadata to requests for mitigation via WAF rules.
New custom topic detection allows organizations to define and flag specific off-policy categories relevant to their business domain.
Custom prompt extraction enables security teams to define where LLM inputs reside within non-standard JSON structures for accurate inspection.
The solution addresses risks highlighted in the OWASP Top 10 for LLM Applications, such as sensitive information disclosure and unbounded consumption.

#security #mlp

Read original

Cloudflare BlogMar 10, 2026

Building a security overview dashboard for actionable insights

Why it matters: Security teams are overwhelmed by data noise. This architecture demonstrates how to transform massive telemetry into prioritized, actionable insights using a distributed system of specialized microservices, reducing incident response times and closing critical configuration gaps.

Cloudflare revamped its Security Overview dashboard to prioritize actionable 'Security Action Items' over raw data visibility, reducing noise for security teams.
The system addresses the 'configuration gap' by surfacing the status of security tools, identifying when features are inactive or incorrectly set to 'Log Only' mode.
The backend architecture utilizes specialized microservices called 'checkers' that scale independently to process over 10 million insights daily.
Checkers operate via two mechanisms: scheduled deep-inspection tasks for complex configurations and real-time event handlers for immediate risk detection.
Deep-linking between the overview and analytics dashboards reduces the 'tab switching tax' by automatically applying relevant filters during incident investigation.
Action items are categorized by criticality and type, allowing defenders to move from reactive monitoring to proactive control of their security posture.

#security #dist #data

Read original

Page 6 of 18

Prev 1...4 5 6 7 8...18 Next