今日已更新 328 条资讯 | 累计 20300 条内容
关于我们

标签:#security

找到 665 篇相关文章

AI 资讯

Non-Human Identities: The Silent Attack Surface No One Is Monitoring

Most organizations know exactly how many employees they have. Far fewer know how many non-human identities currently have access to their cloud environment. That blind spot is becoming one of the fastest-growing attack surfaces in modern security. For years, enterprise security focused primarily on protecting human identities. We deployed Single Sign-On (SSO), enforced Multi-Factor Authentication (MFA), and implemented Conditional Access policies. And it worked — human identities have become significantly harder to compromise. Meanwhile, another class of identities has quietly exploded across cloud environments: service principals, workload identities, OAuth applications, CI/CD runners, and AI service roles. Today, these Non-Human Identities (NHIs) often outnumber human users by a factor of 10 to 50. As organizations accelerate cloud adoption and integrate AI into daily operations, this imbalance continues to grow. Defining the Non-Human Identity Landscape Unlike human users, machine identities rarely appear in HR systems or organizational charts. Yet they frequently hold some of the most privileged access in the environment. Common high-risk categories include: OAuth Applications and Third-Party Integrations — Apps granted broad access to Microsoft 365, Salesforce, Google Workspace, or Slack via delegated permissions. Service Principals and Managed Identities — AWS IAM roles, Azure Managed Identities, and GCP service accounts used by Lambda functions, EC2 instances, or Bedrock agents. Workload Identities — Kubernetes Service Accounts (e.g., Amazon EKS) and GitHub Actions OIDC roles. CI/CD Pipeline Identities — Tokens used by automation platforms to deploy infrastructure. AI Service Roles — Dedicated identities for Amazon Bedrock agents, model invocation, vector stores, and retrieval pipelines. Every new AI workflow creates additional machine identities. Why Attackers Are Targeting NHIs Attackers follow the path of least resistance. While human accounts are now heav

2026-06-22 原文 →
AI 资讯

Defender flujos de agentes contra el OWASP LLM Top 10

Corro varios agentes respaldados por Bedrock en producción: análisis de documentos, emparejamiento de contenido, búsqueda en registros, búsqueda semántica. Esta es una pasada honesta sobre el OWASP Top 10 para aplicaciones LLM desde el lado de la implementación : el código de verdad que defiende cada riesgo y, igual de importante, las categorías donde mi respuesta es "parcial" o "todavía no". Primero el modelo de amenazas Un flujo de agentes es un pipeline: entrada no confiable → prompt → modelo → parseo → actuar. Cada flecha es una superficie de ataque. Antes de cualquier control, la pregunta más útil que me hice fue esta: ¿qué puede HACER de verdad un agente si el modelo está completamente manipulado? Mi respuesta dio forma a todo lo de abajo. Los agentes son mayormente-de-lectura : llaman a un modelo, leen filas acotadas de la base de datos, y escriben resultados de análisis con llave del usuario que pide. Sin shell, sin SQL arbitrario, sin llamada a herramientas. El radio de impacto es chico por construcción, que es el control más barato que existe. TL;DR, estatus honesto OWASP LLM Mi estatus El control LLM10 Consumo sin límite Fuerte Límite de tasa + cortacircuitos de costo mensual + topes de tokens por modelo LLM06 Agencia excesiva Fuerte (por diseño) Sin llamada a herramientas; mayormente-de-lectura; escrituras acotadas a quien llama LLM01 Inyección de prompt Parcial Contenido del usuario enmarcado como DATOS (delimitadores + preámbulo anti-inyección) LLM02 Divulgación de info sensible Parcial Limpieza de PII por regex antes del modelo; exclusiones auditadas LLM05 Manejo inadecuado de salida Parcial Validación de esquema + chequeos de fundamentación + sanear-antes-de-renderizar LLM07 Fuga del system prompt Parcial Registro versionado de prompts + regla anti-eco LLM08 Vector/Embedding N/A (todavía no construido) (nada) AuthN/Z + interruptor de apagado Fuerte Llave interna, gateo por cuota/gama, deshabilitado por agente LLM10 Consumo sin límite: empieza aquí, e

2026-06-22 原文 →
AI 资讯

container escape is becoming an agent workload

The scary part of an agent-driven container escape is not the container escape. That sounds wrong, so let me be precise. The primitives in Sysdig's latest threat research are not new magic. A mounted Docker socket has been a bad idea for years. Over-permissioned Kubernetes service accounts have been a bad idea for years. Privileged containers are dangerous. Host namespace tricks are dangerous. Secrets reachable from application pods are dangerous. None of this should surprise anyone who has had to review production Kubernetes setups with a straight face. The new part is the operator. Sysdig observed what it describes as an LLM-harness-driven attacker exploiting a vulnerable marimo notebook, enumerating the container and host environment, using the Docker socket as an escape path, creating privileged containers, reading host credentials, and replaying a Kubernetes service-account token to dump Secrets. That is the part worth sitting with. Not because the agent invented a new class of exploit. Because it made the old mistakes compose faster. the attack surface was already there Most security incidents are not movie plots. They are boring edges left open long enough for someone to connect them. In this case, the edges are familiar. An internet-reachable application had a vulnerability. The workload had access to a Docker socket. The container environment exposed enough information to enumerate possible escape paths. A Kubernetes service-account token was available. The token had enough RBAC to read Secrets. Secrets contained useful downstream credentials. That is not one bug. That is a chain of assumptions. The application team may have thought about the notebook vulnerability. The platform team may have thought about the Docker socket as a convenience for one workflow. The Kubernetes team may have thought the service account was scoped "only" to a namespace. The security team may have had runtime alerts somewhere in the backlog. Each decision can look locally tolerabl

2026-06-22 原文 →
AI 资讯

Stop Pasting Sensitive Data into Random Websites: Meet Parsify 🛡️

Hey DEV community! 👋 How many times a day do you need to format a messy JSON string, convert a CSV file, or parse a timestamp? And how many times do you find yourself pasting that data—which might contain API keys, user emails, or proprietary code—into a random website you found on Google? We’ve all done it, but in an era of constant data leaks, it’s a massive security risk. That’s exactly why I built Parsify . What is Parsify? Parsify is an all-in-one data converter and developer toolset designed to handle your daily formatting, parsing, and data manipulation tasks completely offline and client-side. No servers, no tracking, and absolutely no data leaks. Everything happens right inside your browser sandbox. 🚀 Key Features 100% Secure & Offline: Your data never leaves your local machine. Once the page loads, you can literally pull your internet plug and it will still work perfectly. All-in-One Toolkit: No more bookmarking ten different sites for ten different tasks. From JSON formatting and base64 encoding to data conversions, it’s all under one roof. Built for Speed: A clean, lightning-fast UI with batch-processing support to keep your workflow uninterrupted. Privacy by Design: Zero tracking scripts, zero ads, and zero database logging. Why I Built It Most online utilities are bloated with tracking pixels, pop-up ads, and cookies. Worse, you have no idea what happens to the data you paste into their input fields. As a developer, I wanted a tool that felt like a local desktop app but possessed the accessibility of a web app. Parsify is the bridge. It gives you the convenience of a web utility with the strict security boundaries of local execution. Check It Out (It's Free!) If you’re tired of compromising on data privacy for quick utilities, give it a spin: 👉 parsify.tools I’m actively working on adding more tools and converters to the suite. I would absolutely love to get the DEV community's feedback! What converters or formatting utilities do you use daily that you

2026-06-22 原文 →
AI 资讯

Stop polling: real-time email and calendar webhooks with Nylas

If your integration polls Nylas every minute to check for new email, you're doing too much work and still getting stale data. Polling is a tax: you burn rate limit on requests that mostly return nothing, and a message that arrives at 12:00:05 doesn't reach your app until the next poll. Webhooks flip that around. Nylas pushes a notification to your endpoint the moment something happens — a message arrives, an event changes, a contact is created — and your app reacts in real time. This post walks the webhook surface from both sides: the HTTP API that registers and manages webhooks, and the Nylas CLI , which has genuinely useful tooling for the part everyone gets stuck on — verifying signatures and testing webhooks against local code. I work on the CLI, so the terminal commands below are the ones I run when I'm wiring up a webhook receiver. Triggers and destinations A webhook has two halves: the trigger types it listens for and the destination URL it pushes to. Trigger types are dotted event names like message.created , event.updated , and contact.created , grouped into categories — grant, message, thread, event, contact, calendar, folder, and notetaker. You subscribe one destination to as many triggers as you want. The CLI lists every available trigger so you don't have to guess the names: # All trigger types nylas webhook triggers # Only message-related triggers nylas webhook triggers --category message Webhooks are application-scoped, not grant-scoped: one webhook registered on your application receives notifications for every connected account, identified by the grant_id in each payload. See the notifications overview for the full event model. Before you begin You need a Nylas API key — webhook management is admin-level, so it uses the application's API key rather than a grant. You also need an HTTPS endpoint reachable from the public internet to receive the notifications. The CLI gets the key set up: nylas init # create an account, generate an API key For local de

2026-06-22 原文 →
AI 资讯

Precision Loss and Rounding Exploits in Financial Smart Contracts

A smart contract does not need an overflow, reentrancy bug, or broken access-control check to lose money. Sometimes, the exploit is hidden inside an ordinary division: uint256 result = amount * rate / SCALE; The expression looks harmless. It may even produce the expected answer in every unit test. But financial smart contracts operate with integer arithmetic. Fractions are discarded, rounding direction changes who receives value, and an error of one unit can be repeated across thousands of transactions. In a financial protocol, rounding is not merely a mathematical implementation detail. Rounding is a value-transfer policy. Every division should therefore answer three questions: Which direction does the calculation round? Which party benefits from that direction? Can the rounding advantage be repeated or amplified? This article examines the most dangerous precision problems in Solidity and the engineering patterns used to prevent them. Solidity Does Not Have Native Fixed-Point Arithmetic Most financial formulas use fractions: interest = principal × rate × time fee = amount × fee percentage shares = assets × total shares ÷ total assets collateral value = token amount × oracle price Solidity primarily performs these calculations with integers. For unsigned integers: uint256 result = 5 / 2; The result is: 2 The fractional component is discarded. For positive values, this behaves like rounding down: 2.5 → 2 This appears insignificant until the result represents: vault shares; debt; collateral; protocol fees; interest; rewards; liquidation bonuses; exchange rates; token prices. The lost fraction does not disappear economically. One party receives less value, while another party retains the remainder. Precision Loss Is Not Always Small Consider a protocol calculating a percentage: function calculateFee( uint256 amount, uint256 feeBps ) public pure returns (uint256) { return amount * feeBps / 10_000; } For a 0.3% fee: amount = 100 feeBps = 30 fee = 100 × 30 ÷ 10,000 fee =

2026-06-22 原文 →
AI 资讯

Why your monorepo audits are lying to you (and how to fix the rot)

We’ve all been there: running a dependency audit, seeing a tool report 100 "unused" files, and realizing with horror that half of those files are actually critical architectural hubs. Static analysis tools in the JavaScript ecosystem are historically built to be "safe"—they flag anything they cannot explicitly trace. But in a complex monorepo with circular dependencies, alias-heavy build tools like Vite, and custom workspace configurations, these tools often collapse. They stop auditing and start "pruning"—treating your architecture as a pile of junk to be deleted. Most tools rely on simple pattern matching or basic Abstract Syntax Tree (AST) walks. They struggle to build a true Control Flow Graph (CFG) or identify Strongly Connected Components (SCCs). When an engine encounters a cycle in a monorepo, it doesn't see a complex architectural component; it sees a disconnected node, labels it "orphaned," and suggests a deletion plan that would effectively brick your build. To audit an architecture correctly, you need to move beyond simple string resolution. You need deep AST and CFG parsing, utilizing high-performance parsers (like OXC) to map actual execution paths. You also need SCC analysis to detect circular dependency chains across package boundaries, coupled with worker-pool parallelization, because auditing 10,000 files in a monorepo shouldn't block the main process. By leveraging these core concepts, I developed entkapp to validate the structural integrity of a workspace. Consider this audit log from an intentionally broken repository: [Linker-DEBUG] Attempting to resolve package-a ... Resolved to: C:/.../package-a/index.js 🔄 Detecting circular dependencies... ⚠️ Detected 1 circular dependencies: Cycle #1: packages/package-a/index.js -> packages/package-a/index.js Here, the engine is forced to acknowledge the structural reality, not just the file list. It validates the boundary, identifies the cycle, and reports the smell without blindly nuking the project. The g

2026-06-22 原文 →
开发者

bcrypt and Laravel: 72 Bytes, Not 72 Characters

I expected bcrypt to silently drop characters past 72. I did not expect it to bake in half an emoji. That's what happens with a specific password combination I tested. The original password still works. But strip the emoji (a password manager, a different keyboard, a Unicode normalizer) and you're locked out. Your Laravel validator passed it as valid the whole time. The 72-Byte Rule bcrypt has a hard input limit of 72 bytes. Not characters - bytes. When you call password_hash($password, PASSWORD_BCRYPT) , PHP silently truncates anything past byte 72. Most developers know this in theory. But for ASCII-only apps, it never bites. 72 ASCII characters is already a very long password, and the silent clip is harmless in practice. The trouble starts with multi-byte scripts. How Many Characters Fit? Character set Bytes per char Effective bcrypt limit ASCII 1 72 chars Cyrillic 2 36 chars CJK (Chinese, Japanese, Korean, common block) 3 24 chars Emoji 4 18 chars Past the byte limit, a longer password adds no security at all. A 200-character Cyrillic password hashes identically to its own first 36 characters. Byte 73 and beyond simply do not exist from bcrypt's point of view. So "longer always produces a stronger bcrypt hash" is not true. A Cyrillic user with a 37-character password gets silently truncated at char 36. The hash is still consistent. The user logs in fine, but any variation past character 36 doesn't matter to bcrypt. Annoying from a security standpoint, but it does not break login. The Split-Byte Trap The 72-byte limit cuts at a byte boundary, not a character boundary. If a multi-byte character falls on that cut, bcrypt bakes in an incomplete UTF-8 sequence. // 35 Cyrillic chars = 70 bytes, emoji = 4 bytes, total = 74 bytes $password = str_repeat ( 'А' , 35 ) . '🔑' ; $hash = password_hash ( $password , PASSWORD_BCRYPT ); password_verify ( $password , $hash ); // ? password_verify ( str_repeat ( 'А' , 35 ), $hash ); // ? password_verify ( str_repeat ( 'А' , 36 ), $h

2026-06-22 原文 →
AI 资讯

I Ran Gitleaks Against My Own Repo and Found 12 Real Secrets

Originally published at woitzik.dev I assumed my homelab repo was clean. No one had ever flagged anything in review (there is no one else reviewing it), CI was green, and I generally try to use Vault and ExternalSecrets for anything sensitive. Then I ran a full-history gitleaks detect against it. It found 12 distinct secrets committed in plaintext — including the OIDC private key that signs SSO tokens for half the cluster. This is the scanning setup I put in place afterward, the baseline strategy that let me adopt secret scanning without getting blocked by my own history on every commit, and the remediation plan for the leaks themselves. View the complete homelab infrastructure source on GitHub 🐙 What Gitleaks Found gitleaks detect --no-banner -v Twelve real findings, plus one already-hashed password (lower severity but still shouldn't be hand-committed) and one false positive in ROADMAP.md (documentation text that happened to match a generic API key pattern). The real findings, by severity: File Secret Why It Matters kubernetes/apps/authelia/configmap.yml OIDC issuer private key Signs SSO tokens for ArgoCD, Vault, Grafana — highest blast radius kubernetes/apps/garage/config.yml RPC secret + admin token Storage backend for Velero/Loki/CNPG backups kubernetes/apps/garage/secrets.yml Admin token (duplicate) Same secret committed twice in two files terraform/stacks/network/local_backend.hcl Garage S3 access key This is the Terraform state backend's own credential kubernetes/system/postgres/cnpg-backup-secret.yml Garage S3 secret key Used for WAL archiving kubernetes/apps/paperless/secrets.yml Postgres password + AI API token kubernetes/apps/cloudflared/secrets.yml Cloudflare Tunnel token kubernetes/apps/headscale/config.yml OIDC client secret Must match Authelia's client config kubernetes/system/monitoring/loki.yml Minio/S3 password kubernetes/apps/mikrodash/secrets.yml Dashboard password Lowest priority — internal tool only None of these were exposed by a public repo

2026-06-21 原文 →
AI 资讯

Who actually wrote that commit... you, or your AI agent?

The gap nobody's really tracking Your Git history can tell you that a workstation pushed a commit. What it can't tell you is who or whatactually produced the change. Was it you? An AI agent running inside your IDE? A CI job? Some vendor tool you forgot you'd wired in? For a long time that question was academic. It isn't anymore. The more code we write with AI in the loop, the shakier one quiet assumption gets: that there's a human author behind every commit. Audit trails, incident reviews, compliance workflows; they all lean on it. And it's breaking. Matrix Scroll is a small, open attempt to fix that. It attaches a signed provenance envelope to a commit, and anyone can verify it offline. What it actually does An agent-assisted commit can carry a signed JSON envelope that records: the actor (human or agent) the tool that produced the change an optional bounded scope an Ed25519 signature over a canonicalized version of the manifest The signing input is strict and frankly kind of boring — which is the entire point. It has to be reproducible byte-for-byte across implementations, so: the top-level signature block is stripped before signing object keys are sorted recursively compact separators, ASCII escaping, UTF-8 bytes no NaN, no Infinity The device ID comes from the first eight uppercase hex characters of SHA-256(public_key), formatted as MS-XXXX-XXXX. Verifying is the easy part: take the canonical manifest bytes, check them against the embedded public key and signature. No central service in the middle. Try it without installing anything There's a browser verifier that runs entirely client-side. Nothing gets uploaded: (̿▀̿‿ ̿▀̿ ̿) : https://matrixscroll.com/verify/ Give it ten seconds: Hit Load Commit Envelope → Verify Signature . You'll get VALID, plus the device ID, mode, algorithm, and canonical byte count. Now hit Tamper Sample → Verify Signature again. It flips to INVALID and tells you exactly what broke — e.g. "Device ID mismatch: expected MS-4319-20D5, manifes

2026-06-21 原文 →
AI 资讯

Your AI agent has sudo. I built a tool to take it away.

A few weeks ago I gave an AI agent access to my machine through MCP. It read files, opened PRs, queried a database. It was great — until I looked at what it could have done if a tool description had been poisoned, or a prompt injection had slipped through. The answer was: anything. ~/.ssh/id_rsa . DROP TABLE users . rm -rf / . The agent had sudo, and nobody had voted for that. So I built AgentPerms — a CLI that gives MCP agents least-privilege permissions the same way you'd lock down any other process: figure out the minimum it actually needs, pin it, prove it, and enforce it. pip install agentperms The gap nobody was filling MCP (the Model Context Protocol) is quietly becoming the USB-C of AI tooling. Claude Desktop, Cursor, VS Code, Windsurf, Gemini CLI — they all speak it. Which is wonderful, and also means your agent is one config file away from your filesystem, your repos, your inbox, and prod. The existing tools each do part of the job: Scanners tell you something looks risky. Then they leave. You still have a risky thing. Firewalls / allowlists make you hand-write YAML up front — before you have any idea what the agent will actually use. Neither closes the loop. What I wanted was the boring, proven security workflow we already use for everything else: observe real behavior → derive least privilege → enforce it → keep it honest in CI. That's the whole thesis of AgentPerms, as a pipeline: record → infer → lock → replay → enforce See it in 30 seconds (no setup, no network) AgentPerms ships with a deliberately over-privileged demo MCP server, so you can watch a real policy decision without wiring anything up: # Flag risky config: a ~/.ssh mount and an unpinned npx server agentperms scan --path examples/vulnerable-mcp-demo # Replay a pack of canned attacks against an example policy agentperms replay --policy examples/policies/example.mcp.policy.yaml Output: 8/8 attacks blocked. SSH-key exfiltration, .env reads, rm -rf / , unapproved email, force-push, repo deletio

2026-06-21 原文 →
产品设计

Why UPI and Fintech Apps Need Business Logic Testing (Not Just Security Testing)

Most fintech breaches you read about involve a hacker, a vulnerability, and a headline. Most fintech losses I've actually seen up close involve none of those things. They involve someone who read the terms of a cashback offer more carefully than the product team did, found the one path through the workflow nobody had tested, and quietly walked away with money the system handed over willingly. That's the part standard security testing misses. A penetration test asks: can someone break in? Business logic testing asks a more uncomfortable question: what happens if someone uses every feature exactly as designed, just not exactly as intended ? In a country processing billions of UPI transactions a month, that second question matters just as much as the first — arguably more, because nobody needs a zero-day to abuse a referral program. Here's where that gap shows up most often in Indian fintech apps. Wallet Systems: Built for Speed, Tested for Function, Rarely Tested for Abuse A digital wallet sits at the intersection of multiple money-in paths — UPI, card, net banking, cashback credits — and at least one money-out path. Every intersection like that is a place where timing and assumptions can quietly fall apart. The classic version of this is a race condition: top up the wallet and spend from it in two near-simultaneous requests, and check whether the balance check happens before or after both transactions are committed. Done right, this should be impossible. Done wrong, a user can spend money that, technically, hadn't arrived yet — or spend the same balance twice. There's a quieter version of the same problem around refunds. If a refund is credited back to the wallet on a different timeline than the original debit was finalized, there's often a window where the balance briefly shows more than it should, and a fast enough user can act inside that window before reconciliation catches up. And then there's KYC tiering. Minimum-KYC wallets in India are deliberately capped at

2026-06-21 原文 →
AI 资讯

Securing LLM Agent Teams: Inside NRT-Defense v0.4.0

Securing LLM Agent Teams: Inside NRT-Defense v0.4.0 Multi-turn autonomous LLM agents are expanding rapidly in safety-critical systems. However, a major vulnerability has been exposed by Lee et al. (2026) in the NRT-Bench paper : adaptive multi-turn attacks can exploit disjoint model vulnerabilities, causing a 8.7% to 12.1% loss of Critical Safety Functions (CSFs) . To solve this, I am open-sourcing NRT-Defense , an adaptive multi-turn defense framework designed to monitor agent sessions and reduce the attack success rate to <1% . The Threat: Context Drift and Disjoint Exploits Standard guardrails evaluate prompts in isolation (single-turn). Attackers leverage this by spreading an exploit across multiple conversational turns. Turn by turn, the context drifts until the agent team completely bypasses its safety containment. The NRT-Bench paper demonstrated this in a simulated nuclear power plant control room with 5 operator roles, 4 attack channels, and 6 critical safety functions. The results were alarming: Metric Value Attack success rate 8.7% — 12.1% Sessions analyzed 149 Models tested 4 frontier LLMs Vulnerability overlap Nearly disjoint The key finding: vulnerabilities are nearly disjoint across models . An attack that works against GPT-4 may not work against Claude. This means model diversity is itself a defense — but only if you can detect and respond to attacks in real-time. The Solution: 3-Step CMPE Defense nrt-defense neutralizes this threat through a continuous, multi-component pipeline: Per-Turn Message Analysis: Evaluates channel risk and turn-escalation metrics. Each message is scored for adversarial content using keyword detection, pattern matching, and channel-specific risk weights. Real-Time CSF Monitoring: Tracks 6 operational critical safety functions simultaneously. Risk accumulates over turns and triggers alerts when thresholds are breached. Context-Aware Misdirection Prompt Engineering (CMPE): When an anomaly is detected, instead of a blunt reject

2026-06-21 原文 →