"Poor man's secure software development (РБПО)": setting up the secure development services
In the previous article of this series we finished deploying the infrastructure for our future secure software development (РБПО) pipeline: we installed GitLab, Nexus, HashiCorp Vault, Dependency-Track and DefectDo…
Latest Testing & QA news from Tech News
GitHub is not just a source code platform anymore. For most engineering organizations, GitHub is part identity system, part software supply chain, par…
Imagine a typical scenario at a mid-sized IT company. The development team has spent two months writing a new module for the customer account area. The deadline is looming, the business is waiti…
Static Application Security Testing (SAST) is a critical practice in modern DevSecOps. While tools like SonarQube, Snyk, and Veracode are popular, thi…
AI Security Scanning Tools in 2026: Snyk vs Semgrep vs OX Security — Real False-Positive Rates Tested If you're still manually reviewing security scan…
TL;DR — A prompt injection can rewrite your AI IDE's mcp.json the moment you open a project, with no dialog and no click, and get arbitrary code execu…
Finding out there is "suspicious activity" in your infrastructure is enough to make any DevOps engineer's heart rate spike. If you’re running containe…
Security in a cloud-native environment is only as strong as its weakest link. A recent security audit revealed a critical gap: container images were b…
If you're still testing LLM guardrails by hand — retyping variations in a chat tab, logging results in a notebook, eyeballing responses — you're leavi…
Spoiler: both, but in different ways, and the difference matters. Every time we hear "our security is fine, we're not a bank," something inside us tighte…
Digital Signatures: The “Trust Me Bro” Detector for Junior Cybersecurity Engineers Subtitle: How digital signatures help prove who signed something, w…
A Practical Terraform Security Review with Codex and Claude Code A Terraform repository is not just code. It is a map of your cloud control plane. It …
Security that happens after deployment is already too late. By the time a quarterly penetration test discovers hardcoded secrets, vulnerable container…
This is a technical deep dive into the cryptography behind Ennote's enterprise architecture. You can read the original full-length post on our enginee…
"We had two bundles of SAST findings, seventy-five CVEs rated Critical, five duplicates of the same CVE across different services, half a salt shaker of fa…
You just ran a dependency scan and the report shows 133 vulnerabilities. 34 are Critical. 68 are High. The dashboard is red, the backlog is exploding,…
Most teams I have worked with have one auth test in their suite. It looks like this: test('valid token verifies', () => { const token = signSy…
The on-call alert at 02:14 said auth_5xx_rate spiked from 0.01 to 31.4. Not a deploy window. Not a traffic spike. Just thirty-one percent of authenti…
Your auth tests pass. Your token verification works. Then your identity provider rotates a key at 02:47, your service hasn't refreshed its JWKS cache …