Curated topic

security

Posts tagged with security

PlanetScale Tech BlogJan 29, 2026

Why it matters: It bridges the gap between LLMs and live production data, enabling AI tools to provide context-aware debugging and schema optimization while maintaining strict security and safety guardrails like replica routing and destructive query protection.

PlanetScale's new MCP server connects AI tools like Claude and Cursor directly to database metadata and performance metrics.
Authentication is handled via OAuth, allowing granular read/write permissions for both production and development branches.
Safety features include automatic replica routing for reads, ephemeral credentials, and blocking of unsafe UPDATE/DELETE queries.
The server exposes tools for schema inspection, query performance analysis via Insights, and documentation search.
AI assistants can now perform natural language data analysis and suggest schema optimizations based on real production context.

#data #security #sre

Read original

Engineering at MetaJan 27, 2026

Rust at Scale: An Added Layer of Security for WhatsApp

Why it matters: WhatsApp's migration demonstrates that Rust is production-ready for massive-scale, cross-platform applications. It proves memory-safe languages can replace legacy C++ to eliminate vulnerabilities while improving performance and maintainability.

WhatsApp replaced its wamedia C++ library with a Rust implementation to mitigate memory-related vulnerabilities in media file processing.
The migration reduced the codebase from 160,000 lines of C++ to 90,000 lines of Rust while improving performance and memory efficiency.
The Kaleidoscope system performs structural checks on media, detects masquerading file types, and flags high-risk elements like embedded scripts.
WhatsApp utilized differential fuzzing and extensive integration testing to ensure compatibility between the legacy C++ and new Rust versions.
This deployment represents one of the largest global rollouts of Rust, spanning billions of devices across Android, iOS, Web, and wearables.

#security #mobile #dist

Read original

Salesforce EngineeringJan 27, 2026

Inside Salesforce Edge: Automating Global Rollback for 1.5 Trillion Requests in 10 Minutes

Why it matters: For global-scale perimeter services, traditional sequential rollbacks are too slow. This architecture demonstrates how to achieve 10-minute global recovery through warm-standby blue-green deployments and synchronized autoscaling, ensuring high availability for trillions of requests.

Salesforce Edge manages a global perimeter platform handling 1.5 trillion monthly requests across 21+ points of presence.
Transitioned from sequential regional rollbacks taking up to 12 hours to a global blue-green model that recovers in 10 minutes.
Implemented parallel blue and green Kubernetes deployments to maintain a warm standby fleet capable of immediate full-load handling.
Customized Horizontal Pod Autoscalers (HPA) to ensure the inactive fleet scales identically to the active fleet, preventing capacity mismatches.
Automated traffic redirection using native Kubernetes labels and selectors instead of external L7 routing tools like Argo.
Integrated TCP connection draining and controlled traffic cutover to preserve four-nines availability during global rollback events.

#sre #dist #security

Read original

GitHub EngineeringJan 27, 2026

Help shape the future of open source in Europe

Why it matters: This initiative influences how open source projects are funded and regulated in the EU. Developer input ensures policies support both commercial growth and the maintenance of critical non-commercial libraries essential to the global software ecosystem.

The European Commission is developing the "Towards European Open Digital Ecosystems" strategy to provide funding and a strategic framework for the open source sector.
The initiative focuses on strengthening technological sovereignty in critical areas such as AI, cloud computing, and cybersecurity.
GitHub advocates for a European Sovereign Tech Fund to support the maintenance of essential libraries and programming languages.
The strategy aims to improve public procurement and capital access for OSS businesses while ensuring the sustainability of non-commercial projects.
Developers and maintainers are invited to provide feedback to the European Commission by February 3 to shape future digital policy.

#culture #security

Read original

Cloudflare BlogJan 27, 2026

Building a serverless, post-quantum Matrix homeserver

Why it matters: This proof of concept demonstrates how to transform heavy, stateful communication protocols into serverless architectures. It reduces operational overhead and costs to near zero while future-proofing security with post-quantum encryption at the edge.

Ported the Matrix homeserver protocol to Cloudflare Workers using TypeScript and the Hono framework.
Replaced traditional stateful infrastructure with serverless primitives: D1 for SQL, KV for caching, R2 for media, and Durable Objects for state resolution.
Achieved a scale-to-zero cost model, eliminating the fixed overhead of running dedicated virtual private servers.
Integrated post-quantum cryptography by default using hybrid X25519MLKEM768 key agreement for TLS 1.3 connections.
Leveraged Cloudflare's global edge network to reduce latency by executing homeserver logic in over 300 locations.
Maintained end-to-end encryption (Megolm) while adding a quantum-resistant transport layer for defense-in-depth.

#dist #security #finops

Read original

GitHub EngineeringJan 21, 2026

A cheat sheet to slash commands in GitHub Copilot CLI

Why it matters: Slash commands transform the Copilot CLI from a chat interface into a precise developer tool. By providing predictable, keyboard-driven shortcuts for context management and model selection, they minimize context switching and improve the reliability of AI-assisted terminal workflows.

Slash commands provide explicit, repeatable instructions in the GitHub Copilot CLI, reducing the need for complex natural language prompting.
Commands like /clear and /cwd allow developers to manage conversation history and directory scoping to prevent context bleed.
The /model command enables switching between different AI models to optimize for speed or reasoning depth based on the task.
Security and compliance are enhanced through commands like /add-dir and /list-dirs, which define clear boundaries for file access.
Advanced features include /mcp for connecting Model Context Protocol servers and /delegate for offloading tasks to specialized agents.
The CLI supports session management and usage tracking via /session and /usage commands to monitor resource consumption.

#mlp #security #culture

Read original

Salesforce EngineeringJan 21, 2026

How Agentforce Runs Secure AI Agents at 11 Million Calls Per Day

Why it matters: Securing AI agents at scale requires balancing rapid innovation with enterprise-grade protection. This architecture demonstrates how to manage 11M+ daily calls by decoupling security layers, ensuring multi-tenant reliability, and maintaining request integrity across distributed systems.

Salesforce's Developer Access team manages a secure access plane for Agentforce, handling over 11 million daily agent calls across production environments.
The architecture utilizes a layered access-control plane that separates authentication at the edge from authorization within the core platform to reduce latency and operational risk.
A middle-layer API service acts as a technical control point, ensuring all agentic traffic follows consistent security protocols and cannot bypass protection boundaries.
Security invariants include edge-level authentication validation, core-platform-enforced authorization, and end-to-end request integrity using Salesforce-minted tokens.
The system is designed to contain multi-tenant blast radius risks, preventing runaway agents or malformed requests from impacting other customers in a shared environment.
Strict egress traffic filtering and cross-boundary revalidation are employed to maintain the principle of least privilege across the distributed compute layer.

#security #dist #sre

Read original

GitHub EngineeringJan 20, 2026

AI-supported vulnerability triage with the GitHub Security Lab Taskflow Agent

Why it matters: Triaging security alerts is often manual and repetitive. This framework allows engineers to automate human-like reasoning to filter false positives at scale, combining the precision of CodeQL with the pattern-matching flexibility of LLMs to find real vulnerabilities faster.

GitHub Security Lab introduced the Taskflow Agent, an open-source framework for automating security research and vulnerability triage using LLMs.
Taskflows are defined in YAML files, breaking complex audits into smaller, sequential tasks to overcome LLM context window limitations and improve accuracy.
The framework utilizes Model Context Protocol (MCP) servers to perform conventional programming tasks like file fetching and searching alongside AI reasoning.
It supports asynchronous batch processing, allowing engineers to apply templated audit logic across numerous CodeQL alerts simultaneously.
Real-world application of the tool successfully identified approximately 30 vulnerabilities by filtering out false positives that traditional static analysis tools struggle to detect.

#security #mlp

Read original

Cloudflare BlogJan 19, 2026

How we mitigated a vulnerability in Cloudflare’s ACME validation logic

Why it matters: This vulnerability highlights the risks of global security bypasses for protocol-specific paths. Engineers must ensure that 'allow-list' logic for automated services like ACME is strictly scoped to prevent unintended access to origin servers without protection.

Security researchers identified a vulnerability in Cloudflare's ACME HTTP-01 challenge validation logic.
The flaw allowed requests to bypass Web Application Firewall (WAF) rules on specific ACME-related paths.
Cloudflare previously disabled WAF features on these paths to prevent interference with automated certificate issuance.
A logic error allowed unauthenticated requests to reach customer origins without WAF protection if tokens weren't managed by Cloudflare.
The mitigation ensures security features are only disabled when a request matches a valid ACME token for the specific hostname.

#security #dist

Read original

GitHub EngineeringJan 15, 2026

When protections outlive their purpose: A lesson on managing defense systems at scale

Why it matters: Security mitigations added during incidents can become technical debt that degrades user experience. This case study emphasizes the need for lifecycle management and observability in defense systems to ensure temporary protections don't inadvertently block legitimate traffic as patterns evolve.

GitHub identified that emergency defense mechanisms, such as rate limits and traffic controls, were inadvertently blocking legitimate users after outliving their original purpose.
The issue stemmed from composite signals that combined industry-standard fingerprinting with platform-specific business logic, leading to false positives during normal browsing.
While the false-positive rate was low (0.003-0.004% of total traffic), it caused consistent disruption for logged-out users following external links.
The investigation involved tracing requests across a multi-layered infrastructure built on HAProxy to pinpoint which specific defense layer was triggering the blocks.
The incident reinforces that observability and lifecycle management are as critical for security mitigations as they are for core product features.

#sre #security

Read original

Page 6 of 12

Prev 1...4 5 6 7 8...12 Next