今日已更新 287 条资讯 | 累计 20259 条内容
关于我们

标签:#security

找到 658 篇相关文章

AI 资讯

Cybersecurity Roadmap

Introduction: Cybersecurity is one of the most in-demand fields on the planet - and also one of the most confusing to break into. This roadmap cuts through the noise. No fluff, no overwhelming jargon. Just a clear, step-by-step path from zero knowledge to job-ready skills. Who this is for: ▸ Complete beginners. ▸ Students who want practical skills, not just theory The Big Picture Phase Focus Goal Phase 1 Foundations : Understand how computers & internet actually work Phase 2 Networking : Read network traffic, understand protocols Phase 3 Linux & Windows : Navigate both OS like a professional Phase 4 Programming : Read & write basic scripts Phase 5 Core Security : Learn how attacks & defense work Phase 6 Specialize : Pick a lane: Red, Blue, or Cloud ** Phase 1 - Foundations:** Before learning how to hack or defend anything, you need to understand how computers and the internet actually work. Skip this and you'll be blindly running tools with no idea why they do what they do. What to learn: ▸ How computers store and process data (bits, bytes, binary) ▸ What an operating system does ▸ How the internet works at a basic level (client, server, request, response) ▸ What IP addresses, ports, and protocols are Free resources: ▸ CS50's Introduction to Computer Science : https://pll.harvard.edu/course/cs50-introduction-computer-science ▸ Professor Messer's CompTIA A+ : https://www.professormesser.com/get-a-plus-core-1-certified/ ** Phase 2 - Networking:** Networking is the bloodline of cybersecurity. Every attack and every defense happens over a network. You cannot protect what you don't understand. What to learn: ▸ OSI Model - 7 layers, what each one does ▸ TCP/IP - how data actually travels across the internet ▸ Key protocols: DNS, DHCP, HTTP/HTTPS, FTP, SSH, SMTP ▸ Subnetting - how IP ranges work ▸ How firewalls, routers, and switches fit together Hands-on tools: ▸ Wireshark - capture and read real network traffic ▸ Cisco Packet Tracer - simulate networks for free Free reso

2026-06-26 原文 →
AI 资讯

plugin marketplaces are the new endpoint policy for coding agents

GitHub added an enterprise setting this week that looks like the kind of thing most developers will never read about unless it breaks their editor. Enterprise managed settings now support strictKnownMarketplaces for VS Code and GitHub Copilot CLI. In plain English: an organization can restrict which extension and plugin marketplaces are known and allowed inside the developer tools people actually use. That sounds like desktop management. I think it is more interesting than that. If coding agents can discover tools, install plugins, call commands, read repositories, modify files, and run workflows from the IDE or terminal, then plugin marketplace policy is no longer a minor preference. It is part of the runtime boundary. The agent does not only need permission to think. It needs permission to reach for tools. And the place where those tools come from is now a security surface. the tool catalog moved closer to the developer For a long time, extension marketplaces felt like productivity infrastructure. You installed a formatter, a theme, a language server, a test explorer, a Docker helper, a cloud plugin, a database browser, maybe three things you forgot existed. Some companies cared a lot. Many mostly hoped the endpoint security product would notice anything truly bad. That world was already risky, but the blast radius was usually framed around the human developer. A plugin could read files, run code, exfiltrate data, or weaken the local environment. Bad, but familiar. Agents change the framing. An AI coding assistant sitting in the IDE or CLI may use plugins as capabilities. It may call into developer tooling, use installed extensions as context, or depend on local integrations to perform work. Even when the agent itself does not directly install anything, the available tool environment shapes what it can do. So the question stops being "which extensions are developers allowed to install?" It becomes "which tool supply chains are allowed to become part of our automat

2026-06-26 原文 →
AI 资讯

AI Content Detection, Zig Low-Level Hardening, & Sub-1nm Chip Security Focus

AI Content Detection, Zig Low-Level Hardening, & Sub-1nm Chip Security Focus Today's Highlights This week's highlights include a practical tool for detecting AI-generated content, crucial low-level compiler enhancements impacting code safety, and a look at the future security implications of cutting-edge hardware. tropius: detect AI tropes in prose (Lobste.rs) Source: https://tangled.org/desertthunder.dev/tropius The "tropius" project introduces a tool specifically designed to identify common stylistic patterns or "tropes" often found in AI-generated prose. In an increasingly complex digital landscape, where AI-produced text can be deployed for sophisticated misinformation campaigns, advanced phishing attempts, or large-scale automated content generation, the ability to accurately detect such artificial patterns is becoming a critical defensive technique. This tool could be instrumental for security professionals in a variety of contexts, including verifying the authenticity of critical communications, combating the rapid spread of deepfake text, or ensuring appropriate human oversight in sensitive information flows. For security teams, integrating AI content detection utilities like tropius into their threat intelligence and defense strategies offers a tangible way to enhance information integrity. It helps in proactively identifying and mitigating risks associated with malicious AI-driven content, bolstering resilience against evolving social engineering tactics that leverage artificial intelligence to appear more convincing or credible. Comment: Identifying AI-generated text is increasingly important for verifying content authenticity and combating misinformation. Tools like tropius offer a practical approach to detect AI tropes, which could be vital for security teams monitoring for AI-driven threats and maintaining information integrity. Zig's new bitCast semantics and LLVM back end improvements (Hacker News) Source: https://ziglang.org/devlog/2026/#2026-06-25

2026-06-26 原文 →
AI 资讯

From Root CA to User Authorization in nginx+apache. Part 2: Certificate Revocation, CRL and OCSP

A follow-up to Part 1 ( EN on LinkedIn · RU on Habr ), where we stood up a two-tier PKI: a Root CA and three intermediate CAs — Person, Server and Code. At the end of Part 1 I promised we'd learn to revoke certificates and run OCSP. That's what we'll do here. Like Part 1, this article is meant as a hands-on manual : for every command and extension we touch, there's an extended reference of the parameters you can actually use — with syntax, allowed values, defaults and gotchas. If you don't need a given option right now, just skim past the table; it's there so you don't have to dig through man later. Each section has the same shape: first the working commands for the common case, then the full parameter reference. Tested on versions. Flag names, defaults and extension syntax were verified against the official documentation of OpenSSL master , plus nginx and Apache mod_ssl. OpenSSL evolves per branch: anything marked "OpenSSL 4.0 / master" (for example the nonss qualifier on authorityKeyIdentifier ) is not yet available in the stable 3.x line. If you're on OpenSSL 3.0–3.6, double-check the disputed options with openssl <cmd> --help or your version's man before copy-pasting config. The numeric openssl verify error codes above 40 also shifted between branches — confirm them against your version's header. In this part: How a revoked certificate differs from an expired one, and why we need two mechanisms — CRL and OCSP. Adding the distribution points (CDP) and AIA to the config so issued certificates "tell" verifiers where to check them. Revoking a certificate and working with the CA database. Generating a CRL and inspecting it with openssl crl . Checking revocation with openssl verify . Running an OCSP responder: issuing its certificate, starting the daemon, querying status. Publishing the CRL and OCSP over HTTP (nginx), configuring OCSP stapling and revocation checking on the web server. All paths, file names and config sections are the same as in Part 1. Where you name

2026-06-25 原文 →
AI 资讯

The Missing Check After Your Database Query

We have tools for checking whether a query is injectable. We have linters, scanners, ORMs, parameterized queries, and database policies. But after the database returns rows, most applications simply trust that the result set matches the operation that asked for it. queryguard starts there. The query may be safe. The result may still be wrong. SQL injection taught us to distrust query construction. Parameterized queries answered the question: Did the user control the query structure? That question is well understood. The tooling is mature. But it is a different question from the one queryguard asks: Did this operation receive only the rows and fields it was allowed to receive? Those two questions are not the same. A perfectly safe parameterized query can still return the wrong row — because a predicate was dropped, a join widened the result, a developer selected a column they shouldn't have, or a query was rewritten without updating its scope contract. queryguard is not a database firewall. It is not a SQL injection scanner. It is not an ORM plugin. It is a contract check for observed result sets. Where it sits The hook position is the core design decision. queryguard sits immediately after cursor execution — before any result shaping, filtering, serialization, or response mapping. cursor = conn . execute ( sql , bindings ) rows = [ dict ( row ) for row in cursor . fetchall ()] evidence = queryguard . run_check ( contract , { " contract_id " : " user_profile_lookup " , " contract_version " : " 0.1.0 " , " params " : { " user_id " : user_id }, " session " : { " tenant_id " : tenant_id }, " result " : rows , }) if evidence [ " verdict " ] != " PASS " : raise QueryguardViolation ( evidence ) return rows Not at the HTTP layer. Not inside the ORM. Not at the API gateway. Immediately after the cursor returns rows — while the result is still raw, before anything shapes or discards it. This is intentional. If rows are shaped before queryguard sees them, queryguard cannot det

2026-06-25 原文 →
AI 资讯

The Security Bug Every Node.js Developer Ships to Production

Last year I was doing a code review for a startup. Everything looked fine on the surface, clean code, good structure, tests passing. Then I noticed this: const query = `SELECT * FROM users WHERE email = ' ${ req . body . email } '` That's it. That's the bug. SQL injection, sitting right there in a startup that had been in production for 8 months. Nobody caught it. Not the developer, not the reviewer, not the CTO. Here's the thing, it's not that developers are careless. It's that this kind of bug is invisible until it isn't. The code works perfectly. Tests pass. Users are happy. Until someone types ' OR '1'='1 in the email field and walks straight into your database. The bugs I see most often 1. Raw SQL with user input // 🚨 This is everywhere const query = `SELECT * FROM users WHERE email = ' ${ email } '` // ✅ Use parameterized queries const query = ' SELECT * FROM users WHERE email = $1 ' db . query ( query , [ email ]) 2. Secrets in environment variables... committed to git # .env DATABASE_URL = postgres://user:actualpassword@prod-db.company.com/mydb STRIPE_SECRET = sk_live_... Then .env ends up in the repo because someone forgot to add it to .gitignore . I've seen this more times than I want to admit. GitHub's secret scanning catches some of these, but not always before someone has already cloned the repo. 3. JWT tokens that are never actually verified // 🚨 Decoding is not the same as verifying const user = jwt . decode ( token ) // ✅ Always verify const user = jwt . verify ( token , process . env . JWT_SECRET ) jwt.decode just reads the token. Anyone can forge it. jwt.verify actually checks the signature. The names are confusingly similar and the wrong one silently works in development. 4. No rate limiting on auth endpoints // 🚨 Anyone can try a million passwords app . post ( ' /login ' , async ( req , res ) => { const user = await db . findUser ( req . body . email ) // ... }) // ✅ Add rate limiting const authLimiter = rateLimit ({ windowMs : 15 * 60 * 1000 , m

2026-06-25 原文 →
开发者

Cloudflare Ships Agent Skills for Zero Trust Deployment and Migration

Cloudflare released the Cloudflare One stack, an open-source library of agent skills for planning, deploying, and managing Zero Trust environments. The skills include automated migration logic for Zscaler and Palo Alto Networks, the same logic used in Cloudflare's Descaler program that has moved enterprise customers in hours rather than months. By Steef-Jan Wiggers

2026-06-25 原文 →
AI 资讯

Monorepo Dependency Security — Vulnerability Scanning Across Packages

A monorepo can look like one repository, but security teams should treat it as many applications living under one roof. One repo may contain 10 frontend packages, 5 backend services, 3 shared utility libraries, 2 mobile apps, and one root lockfile that does not tell the full story by itself. Monorepo dependency security means scanning the root dependency graph, every workspace package, shared libraries, lockfiles, and generated SBOMs. If you scan only one file, you may miss the vulnerable package that ships in production. Why Monorepos Create Unique Vulnerability Challenges Monorepos centralize multiple packages, apps, services, and libraries inside one repository. This improves code sharing, dependency alignment, refactoring, CI caching, and cross-team collaboration. It also creates a security problem: one repository can contain many different dependency trees, owners, deployment targets, and risk profiles. A typical JavaScript or TypeScript monorepo may include apps/web , apps/admin , apps/api , packages/ui , packages/auth , packages/logger , and packages/config . Each package may have its own package.json . Some packages are deployed to production. Some are internal libraries. Some are build-only tools. Some are used by every app. A vulnerability in one package can affect one app, many apps, or the whole repo depending on how dependency relationships are structured. The biggest issue is shared code. If packages/auth depends on a vulnerable version of jsonwebtoken , every application that imports packages/auth may be affected. If packages/ui uses a vulnerable utility such as lodash , every frontend app that consumes that UI package may inherit the same risk. If a build tool dependency is compromised, the risk may appear during CI/CD rather than runtime. Real CVEs show why this matters. CVE-2021-23337 affected lodash through command injection in template handling. CVE-2022-31129 affected moment through inefficient parsing that could cause denial of service. CVE-202

2026-06-25 原文 →
AI 资讯

Should Your App Adopt Passkeys?

Someone on your leadership team asked a reasonable question: should we adopt passkeys? You searched for answers and found implementation tutorials - WebAuthn server libraries, credential storage schemas, ceremony diagrams. They assume you've already decided. None of that helps you answer the question you were actually asked. This article is a decision guide. The question isn't how to implement passkey login. It's whether you should, when the timing makes sense, and for which users first. Implementation details matter eventually - but they don't belong at the front of the decision. You've seen Apple's demos and Google's Chrome nudges. Your security team may have sent a memo about phishing-resistant authentication. You know the term. What you don't have is a clear way to evaluate whether passkeys fit your product, your users, and your team's capacity to ship and support them. By the end of this article, you'll have scored your app against a readiness checklist, mapped show-stoppers that can block adoption, and drafted a one-page recommendation for leadership. Plain Terms: Passkeys, Passwords, and MFA Before scoring your app, you and stakeholders need to mean the same thing when you say "passkey", "password", and "MFA". Vendor decks use these loosely. A PM might say "passkeys replace passwords" while security means "phishing-resistant credentials". Both can be true. Passwords are shared secrets the user types; your server checks a hash. They leak via breaches and phishing sites. Users forget them, reuse them, and call support. MFA adds a second factor - app push, SMS, hardware key, or biometric. It cuts credential-stuffing and many phishing attacks, but adds friction, lost-device tickets, and cross-platform complexity. Passkeys are cryptographic key pairs on the user's device. The private key never leaves the device or synced passkey manager. Sign-in means unlocking with biometrics or a PIN; your server stores only the public key and verifies a signature. On web, the b

2026-06-25 原文 →
AI 资讯

Your Database Will Be Breached Someday. The Question Is: Will Passwords Be Inside?

Most developers think password hashing is about authentication. It's not. Authentication is just a side effect. Password hashing exists for a much darker reason: because databases get stolen. Every year, companies invest millions in firewalls, monitoring systems, cloud security, and access controls. Yet breach after breach continues to make headlines. The uncomfortable truth is that security teams don't assume a breach will never happen. They assume it eventually will. And when that day comes, one question determines whether the incident becomes a minor security event or a full-scale disaster: Did you hash the passwords? The Difference Between an Incident and a Catastrophe Imagine an attacker gains read access to your production database. Not a far-fetched scenario. A leaked backup. A vulnerable API. A compromised employee account. A misconfigured cloud bucket. The attacker runs a simple query: SELECT email , password FROM users ; If your system stores passwords in plain text, the breach is over. The attacker already won. No advanced techniques. No brute force. No expensive infrastructure. They now possess something more valuable than your database itself: your users' digital identities. Because users rarely reuse databases. They reuse passwords. The same password protecting an account on your platform might also unlock their Gmail, GitHub, LinkedIn, banking app, or company VPN. What started as your security problem instantly becomes everyone else's. This Is Not Theoretical History has repeatedly shown what happens when passwords are handled incorrectly. The RockYou breach exposed more than 30 million passwords stored in plain text. Attackers didn't need to crack anything. They simply read the data. Years later, those leaked passwords were still appearing in credential stuffing attacks across the internet. A single backend decision survived longer than the company itself. That's the thing about password leaks. They don't expire when the incident report is published.

2026-06-25 原文 →
AI 资讯

Why the Scams Prevention Framework Requires More Than Awareness

For years, scam prevention has leaned heavily on awareness. Be careful. Do not click suspicious links. Check the sender. Call the organisation directly. Do not trust urgent payment requests. Slow down before you act. These messages are useful, and they should not disappear. But awareness is no longer enough to describe what serious scam defence requires. The Scams Prevention Framework, or SPF, moves the conversation from “make users more careful” to “make the scam ecosystem harder to exploit.” That shift is important. Modern scams do not succeed only because a user failed to notice a warning sign. They succeed because scam operators move through gaps between messaging channels, platforms, brand impersonation, payment pressure, fake infrastructure, multilingual persuasion, reporting delays, and weak post-report disruption. Awareness helps at the point of decision. SPF requires capability across the whole chain. In my view, awareness alone covers about 28% of the real scam defence problem. The rest sits in evidence quality, intelligence sharing, infrastructure disruption, multilingual interpretation, safe financial harm context, recurrence monitoring, and operational response. That is why SPF should not be read as an education policy. It should be read as an operating model. The Awareness Ceiling Awareness is a front-line control, not a full defence system. It helps users recognise risk, but it cannot remove the fake page, connect related reports, preserve evidence, disrupt a fake app, identify a phone-linked abuse path, or monitor the next replacement domain. It also assumes the user has enough time, confidence, language support, and emotional distance to make a calm decision. Many scam situations are built specifically to remove those conditions. Scammers do not only trick uninformed people. They create urgency for informed people. They create authority for cautious people. They create routine-looking payment requests for busy people. They create private pressure fo

2026-06-25 原文 →
AI 资讯

Grab Builds Secure Agentic AI Workload Platform

Grab's security team built Palana, a Kubernetes-native secure execution platform, to run autonomous AI agents safely. Unlike deterministic software, model-driven agents exhibit unpredictable tool-use, code-writing, and prompt injection risks. Palana contains these threats at the infrastructure level using isolated namespaces, out-of-process control planes, and proxy-mediated, Vault-backed secrets. By Patrick Farry

2026-06-25 原文 →
AI 资讯

How I built an end-to-end encrypted pastebin (and why the server can’t read your text)

got annoyed that pastebin and similar sites log everything and keep your text forever, so i built one where the server literally cant read what you paste. heres how the encryption actually works and what i learned building it the problem most paste sites work like this: you type something, it goes to their server as plain text, and it sits in their database. they can read it. their employees can read it. anyone who breaches them can read it. and a lot of them keep it forever even after you think its gone. i didnt want to just promise not to look at your stuff. i wanted it so that i cant look even if i wanted to. the idea: encrypt before it leaves the browser the trick is that all the encryption happens on your side, in the browser, before anything gets sent. the server only ever sees scrambled bytes. the key never touches the server at all, it lives in the part of the url after the # , which browsers dont send in requests. so the flow is basically: you paste text browser generates a random key text gets encrypted with that key only the encrypted blob goes to the server the key gets stuck in the link after a # whoever opens the link decrypts it locally the actual code modern browsers have the Web Crypto API built in, so you dont need any library for this. heres the encrypt part, stripped down: \ `js async function encrypt(text) { const key = await crypto.subtle.generateKey( { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"] ); const iv = crypto.getRandomValues(new Uint8Array(12)); const encoded = new TextEncoder().encode(text); const ciphertext = await crypto.subtle.encrypt( { name: "AES-GCM", iv }, key, encoded ); // export the key so we can put it in the url const rawKey = await crypto.subtle.exportKey("raw", key); return { ciphertext, iv, rawKey }; } ` \ the ciphertext and iv go to the server. the rawKey gets base64'd and dropped into the link after the # . decrypting is just the same thing in reverse with crypto.subtle.decrypt . the thing that tripped

2026-06-25 原文 →