Insights, tutorials, and best practices for secure development
A hidden HTML comment in a pull request. A dictionary of pre-signed image URLs. GitHub Copilot reads the instruction, renders the images, and your private source code is gone. Here's how CamoLeak works and why disabling images isn't enough.
Learn what an SBOM is, SPDX vs CycloneDX formats, the EO 14028 mandate, and how to generate a software bill of materials in CI/CD.
IaC security scanning catches misconfigurations before deployment. Compare Checkov, tfsec, KICS, and Snyk IaC for Terraform and Kubernetes.
Oasis Security's ClawJacked attack hijacks AI agent gateways through the browser. The deeper lesson: the localhost trust assumption is broken across the entire agent ecosystem.
Vulnerability assessment vs penetration testing — compare scope, cost, frequency, and output to choose the right approach for your org.
Container security scanning detects vulnerabilities in Docker images before deployment. Compare Trivy, Grype, Snyk Container, and Docker Scout.
Claude Code, Codex CLI, and Cursor all share the same flaw: project config files that execute with user privileges before meaningful consent. This is the new supply chain attack vector.
Learn what IAST is, how interactive application security testing finds vulnerabilities at runtime, and when it outperforms SAST and DAST.
Compare free vulnerability scanning tools — Trivy, ZAP, Semgrep, and more — with a feature matrix, strengths, and when to consider paid alternatives.
The OWASP Testing Guide defines how to test web apps for security flaws. Learn its testing categories, tools like ZAP, and SAST mapping.
Pen test software simulates attacks to find exploitable vulnerabilities. Learn the main tool categories and how continuous scanning complements manual tests.
Threat modeling for web apps identifies security risks before code ships. Learn STRIDE, PASTA, and LINDDUN frameworks for agile teams.
Showing 37–48 of 191 posts