Audit BYOK Model Endpoints Before Your AI Agent Gets the Key
“Bring your own key” looks like a settings feature. For an AI coding agent, it is also a security boundary: a privileged workload will send repository…
Tech news from the best sources
“Bring your own key” looks like a settings feature. For an AI coding agent, it is also a security boundary: a privileged workload will send repository…
Originally published on DevToolHub . Most Kubernetes security tools scan for misconfigurations — pods running as root, missing network policies, RBAC …
Ever been in a situation where you need to quickly identify what services are exposed on a particular network range, or even across the internet? Mayb…
Move an existing project, safely. Migrating from Terraform to OpenTofu is less an engine transplant than a badge swap. OpenTofu began as a line-for-li…
TL;DR AI editors love writing recursive merge helpers, and most of them are open to prototype pollution. One crafted JSON payload with a proto key can…
В марте состоялся второй эпизод DevSecOps-митапа CyberCamp, в программу которого вошли киберучения на платформе Jet CyberCamp. Три задания, максимальн…
Цивилизация... Какие у вас ассоциации с этим словом? А если написать его по-другому, например, на английском. Вот так - Civilization... Ядерный Ганди?…
A friend runs security at a mid-size fintech. Last month she got a Slack ping from her GRC lead: the EU AI Act auditor wanted a full inventory of AI s…
TL;DR — I took an intentionally vulnerable Android application, ran the static analysis engine of MobSF (Mobile Security Framework) via a local Docker…
Abstract Infrastructure as Code (IaC) has turned cloud infrastructure into source code — and, therefore, into a valid target for Static Application Se…
The 2025 Verizon DBIR has a number that should change how you think about security training budgets. The median phishing click rate after years of rep…
TL;DR: Application code isn't the only thing that ships vulnerabilities — your Terraform does too. I wrote an intentionally insecure AWS configuration…
Active Directory is where most internal compromises happen and where most AI tools give up. Darkmoon runs the AD attack path autonomously and shows ev…
An AI finding you cannot reproduce is a liability, not a result. Darkmoon attaches the exact commands and raw tool output to every finding so a human …
TL;DR AI editors still reach for md5/sha1 to hash passwords because that is what a decade of tutorials taught them Fast hashes are the whole problem: …
When security teams talk about "scanning" code in CI/CD, they usually mean one of two very different things: scanning the code you wrote (SAST) or sca…
I've spent twenty-five years building and securing deployment pipelines, and the single biggest shift in that time isn't a tool — it's where security …
I've spent 25 years securing Linux boxes, cloud accounts, CI/CD pipelines, and production clusters. The single most consistent lesson across all of it…
False negatives automated scanning tools are the silent killers in your security posture—they're the critical threats that slip past your defenses wit…
Статья получилась большой: практик много, и каждая из них важна по-своему. Я собрал материал как набор best practices: не все пункты нужны каждому про…
In the era of Artificial Intelligence as a work buddy, it is imperative that security is enforced as development progresses. It could be tempting to t…
This article was originally published on LucidShark Blog . On June 17, 2026, Microsoft Threat Intelligence published a report attributing a supply cha…
В прошлой статье мы завершили сборку конвейера безопасной разработки: настроили GitLab CI/CD, подключили Vault для безопасной работы с секретами, доба…
Modern software delivery moves at extraordinary speed. Organizations deploy dozens, hundreds, or even thousands of times each day. While this accelera…
A friend of mine runs security at a mid-sized fintech. About six weeks ago she called me, mildly furious, because her board had asked a question she c…
When that AWS service account gets compromised, who do you call? A question that shouldn't be hard. If you're in security or platform engineering, you…
This article was originally published on LucidShark Blog . A developer opened their AI coding tool, pasted in a critical authentication module, and ty…
В прошлой статье мы завершили настройку нашего стенда РБПО: подготовили GitLab и GitLab Runner, настроили Nexus, Vault, DefectDojo и Dependency-Track,…
A teammate pastes an AWS access key into a PR comment to "debug quickly." Another commits .env.production because .gitignore was wrong on a new micros…
Security as an afterthought doesn't work. Finding a critical vulnerability in production costs 100x more than catching it during development. DevSecOp…