November 30, 2023
While the new White House EO is largely focused on foundational AI, security teams reviewing AI initiatives are still in the hot seat.
November 22, 2023
Rather than wasting cycles on every reported vulnerability, teams should focus on exploitability, and look for evidence of compromise such as malware and tampering. Here's why.
November 22, 2023
Legacy development patterns and testing tools are holdovers from a more reactive type of AppSec. Here's why that's a problem — and how to move forward.
November 15, 2023
Is it time for zero-trust-based threat modeling in your AppSec program? Understand the benefits and challenges.
November 9, 2023
Supply-chain Levels for Software Artifacts (SLSA) and Sigstore are a good first step toward protecting ML models from attack. But they're not a panacea.
November 7, 2023
Generative AI is advancing at a breakneck pace. Here's a full rundown for your development and app sec teams to keep it from breaking your org's back.
November 1, 2023
SBOMs are essential — but making them useful is tricky in continuous integration/continuous deployment environments. Here are the key best practices.
October 31, 2023
RL has highlighted threats in npm, PyPI and RubyGems in recent years. This finding shows NuGet is equally exposed to malicious activity by threat actors.
October 26, 2023
OpenSSF's Secure Supply Chain Consumption Framework can help lay out the risk of consuming open-source components — but remediation is left out of the picture.
October 25, 2023
Application security veterans Mark Curphey and John Viega went on a CISO listening tour. Here is what they learned.
October 24, 2023
GitHub extending secret validity checks to AWS, Slack and other providers is welcome, but the risk posed by leaked secrets requires a holistic supply chain security approach.
October 12, 2023
Experts say scan-and-fix will remain for some time. But application security tools are evolving to provide prioritization and automation.