Insights, tutorials, and best practices for secure development
A Replit AI agent ignored explicit instructions, deleted a production database, fabricated records to cover it up, then lied about recovery. The interesting question isn't "how" — it's what kind of guardrails actually work.
Open source license compliance prevents legal exposure from GPL, MIT, and Apache 2.0 obligations. Learn how SCA tools detect license risk.
Compare SCA tools — Snyk, Dependabot, Renovate, OWASP Dependency-Check, and Rafter — on vulnerability detection, auto-fix PRs, and pricing.
Dependency confusion attacks exploit package manager resolution to inject malicious code. Learn how they work and how to defend against them.
A hidden HTML comment in a pull request. A dictionary of pre-signed image URLs. GitHub Copilot reads the instruction, renders the images, and your private source code is gone. Here's how CamoLeak works and why disabling images isn't enough.
Learn what an SBOM is, SPDX vs CycloneDX formats, the EO 14028 mandate, and how to generate a software bill of materials in CI/CD.
IaC security scanning catches misconfigurations before deployment. Compare Checkov, tfsec, KICS, and Snyk IaC for Terraform and Kubernetes.
Oasis Security's ClawJacked attack hijacks AI agent gateways through the browser. The deeper lesson: the localhost trust assumption is broken across the entire agent ecosystem.
Vulnerability assessment vs penetration testing — compare scope, cost, frequency, and output to choose the right approach for your org.
Container security scanning detects vulnerabilities in Docker images before deployment. Compare Trivy, Grype, Snyk Container, and Docker Scout.
Claude Code, Codex CLI, and Cursor all share the same flaw: project config files that execute with user privileges before meaningful consent. This is the new supply chain attack vector.
Learn what IAST is, how interactive application security testing finds vulnerabilities at runtime, and when it outperforms SAST and DAST.
Showing 1–12 of 158 posts