Built the infrastructure that was missing. 🔹 prechained.com — 124,000 software packages SHA-384 fingerprinted and archived before any attack was disclosed. Free. Public. Independently verifiable. 🔹 cbomcompliance.com — Drop in your CycloneDX or SPDX manifest. Get a cryptographically signed, Bitcoin-anchored receipt in 60 seconds. Free trial, no account. 🔹 cuistandard.com — CMMC Level 2 deadline is November 10. Most contractors don't know where their CUI boundary starts. $29/mo gets you a full CUI scoping workspace. Three problems. Three tools. nextgenrails.net #SupplyChainSecurity #SBOM #CMMC #CUI #AppSec #DevSecOps #CycloneDX

Bugs in AI-native software don't wait for your next quarterly audit. As engineering velocity keeps climbing, attack surface climbs alongside it into territory legacy AppSec wasn't built to handle. Here’s a new case study on how we bridged the audit gap with Beagle ⬇️
Tomorrow: AI coding velocity is creating vulnerabilities at machine speed. Pipelines are already drowning in noise, and waiting until runtime is too late. The paradigm has to shift. And it can. Join me tomorrow to see how @SaltSecurity Code integrates with @cursor_ai, @AnthropicAI Claude, @OpenAI Codex, @Microsoft Copilot coding agents and more to get you closer to the appsec dream: frictionless security at the time of code creation. Still time to register to join: events.salt.security/saltcod…
Replying to @audn_ai @mvp_Subha
rely on tools not habits. your code is public until proven private. assume breach. verify config. test the pipeline. security is a process. gitignore is a hint. treat it as such. stop assuming. start verifying. #AppSec #DevSecOps 🔒
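Vulnerabilities in the AI era are not "new magic". They arise from combinations of long-standing Web/AppSec building blocks: prompts, HTML, SSRF, CSP, and privilege boundaries. However, once AI is involved, the way those building blocks connect to one another changes. A search query becomes an instruction. The answer text becomes HTML. Image fetching becomes a data exfiltration channel. Legitimate internal SaaS processing becomes part of the attack chain. Classic bugs are re-armed by AI. That is the essence of SearchLeak. #microsoft #copilot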
New attack turned Microsoft 365 Copilot into 1-click data theft tool bleepingcomputer.com/news/se…
Learn how attackers think—and how defenders can stay one step ahead. 💥 In #BHUSA Briefings Burning Tears of PHP’s Memory Hardening explore the challenges, breakthroughs, and real-world implications of hardening PHP’s memory model against modern exploitation techniques. From uncovering subtle vulnerabilities to strengthening runtime defenses, this session is a must for anyone working in web security, application development, or vulnerability research. 👉 bit.ly/43ZoLCI #BHUSA #CyberSecurity #AppSec #InfoSec #SecurityResearch
✔️ For anyone interested in cybersecurity and penetration testing, this site saves you the long, complicated work of generating reverse shells, in the blink of an eye! RevShells is an interactive, very fast tool that is important for OSCP and bug bounty: - Just enter the IP and port and let it generate the code for you, ready to use. - It supports all languages and systems (Bash, Python, PowerShell, Netcat..). - It prepares listener commands and techniques for bypassing protections and WAFs. Copy, paste, and skip the complexity of the commands; it is designed to make your daily work easier! 💻🛡️ revshells.com #الأمن_السيبراني #Cybersecurity #Pentesting #AppSec
🪵 Apache CXF hit with a critical XXE (9.8). CVE-2026-49875 affects W3CMultiSchemaFactory & EndpointReferenceUtils — no auth needed, full OOB entity resolution over the network. Check your CXF version now. #Apache #AppSec secalerts.co/vulnerability/C…
🐞Critical CodeIgniter4 flaw (CVE-2026-48062) lets attackers bypass upload validation and upload PHP webshells, potentially leading to full server compromise. Apps using file uploads should upgrade to v4.7.3 immediately. #CyberSecurity #AppSec Read more: thecyberedition.com/critical…
Over 1,500 AUR packages. One supply chain campaign. Developer credentials walking out the door. The Arch Linux AUR campaign dubbed Atomic Arch has been making rounds in security reporting this month. Attackers adopted orphaned community packages and modified build scripts to distribute credential-stealing malware. Reports cite 1,500 plus affected packages, with some sources pushing that number closer to 1,900. What the malware went after: GitHub tokens, SSH keys, cloud credentials, browser sessions, container secrets. Some variants deployed an eBPF rootkit when executed with elevated privileges. Silent. Kernel-level. Hard to detect after the fact. Arch Linux official repositories were not affected. This is an AUR problem specifically, and that distinction matters for how you respond. Here is the operational gap this exposes. AUR packages are community-maintained. There is no central security review. When a maintainer abandons a package and an attacker adopts it, the name stays the same. The install command stays the same. Nothing looks different until credentials start disappearing. Teams that pull AUR packages into CI/CD pipelines or dev build environments without reviewing PKGBUILDs are running unsigned trust at scale. The mitigations: review PKGBUILDs before installing anything from AUR, isolate build environments so a compromised package cannot reach production credentials, rotate any credentials on systems that installed affected packages during the campaign window, and seriously question whether AUR belongs in automated pipelines at all. If you installed or updated AUR packages recently, audit before you assume you are clean. My name is Azubuike Ibe and I write about the trust gaps inside developer toolchains that attackers find long before security teams do. Share this with an engineer running Arch in their dev or build environment. #Cybersecurity #SupplyChainSecurity #ArchLinux #DevSecOps #AppSec
Replying to @boardyai
building three AI-native products across personal finance, appsec, and non-human identity, all pre-market and self-funded. would love in on Boardy Pro
Replying to @immanuelibile
I’m currently learning cybersecurity as appsec
@CISAgov just killed CVSS as federal policy. BOD 26-04 replaces flat patch deadlines with SSVC, a four-factor risk model: (1) Is the asset publicly exposed? (2) Is it actively exploited (KEV)? (3) Can exploitation be automated? (4) What's the real blast radius? 60% of vulns at a large federal agency can be safely deferred. Only 1% need a 72-hour response. When you prioritize everything, you protect nothing. Sound familiar? Runtime reachability, exploitability evidence, exposure context, impact assessment. That's been Miggo's framework from day one. BODs set the bar for auditors, insurers, and private AppSec teams. Not just federal agencies. But reachability is not the same as exploitability. That's where Miggo's runtime tracing comes in, identifying what's exploitable in production. Stay tuned for more on how Miggo puts SSVC into practice 👀 cisa.gov/news-events/directi…
Tactical tip for teams dealing with AI-introduced open source dependencies: Before you scale up your scanner coverage, stress-test your remediation throughput first. HackerOne data: vulnerability submissions up 76% year over year. Critical and high severity findings now at 32% of validated issues, up from a historical baseline of 26 to 28%. The question is not whether you are finding things. It is whether you can move findings to resolution at 3x current volume. If you cannot answer that, you are carrying unknown exposure by default. #DevSecOps #softwaresupplychain #opensourcesoftwaresecurity #AppSec Read more at buff.ly/0zm30uq
Threat modeling should give CISOs more than diagrams. It should connect attacker behavior, trust boundaries, control gaps, business impact, and remediation priorities into decisions teams can act on. VerSprite perspective: bit.ly/4ulA9Ug #AppSec #ThreatModeling #CISO
🔒 Even AI is now playing legal bouncer for security testing. @AnthropicAI Tried getting help with IP scanning/vuln assessment and got hit with this: “Before I can help… Do you own this IP or have explicit written authorization?” Options: • Yes, I own this IP/server • Yes, I have written permission • No, I don’t have authorization Unauthorized access = potential criminal liability, even if well-intentioned. This is actually the correct behavior. Respect to models that don’t skip the basics. #CyberSecurity #AppSec #EthicalHacking #ResponsibleAI
The hunt has just begun 🔫 🎯 Phoenix Security is at OWASP Vienna 2026. Booth G7 · June 22–26 · Austria Center AI agents are writing your code. Most AppSec programs don't know yet. Come see us live: → Agentic SDLC Security demo → 2026 Supply Chain Report → Win a Meta Quest 3S #OWASP #AppSec #Vienna2026 #PhoenixSecurity