Expert perspectives on application security, compliance, and emerging threats
StandardsYour open-source project just received an email from someone claiming to be a core maintainer, asking for elevated repository access. The writing style matches, and the email domain looks legitimate,
StandardsYour team likely relies on the NVD scores to decide what to patch, with automation pulling CVSS data to prioritize remediation. Now, NIST is shifting its focus, having enriched nearly 42,000 CVEs in 2
StandardsScope - What This Guide Covers This guide defines security responsibilities for teams deploying AI systems from third-party vendors. It addresses: Which security controls belong to your team vs. the v
StandardsYou ve seen the reports. NIST has changed the way it prioritizes software flaws in its CVE framework. The shift is clear: focus on high-impact vulnerabilities, not just volume. This isn t about abando
Get weekly security insights and compliance updates delivered to your inbox.
StandardsThe Challenge Between 2020 and 2023, CVE submissions grew 263%. Last year alone, NIST enriched almost 42,000 CVEs—a 45% year-over-year increase. Then NIST announced it would no longer analyze every vu
StandardsOver the past month, I ve encountered the same set of questions in multiple forums, all centering on Anthropic s Claude Mythos—an AI model that claims to find and weaponize vulnerabilities at an unpre
StandardsA remote code execution vulnerability in protobuf.js (GHSA-xq3m-2v4x-88gg) affecting versions 8.0.0/7.5.4 and lower allows attackers to inject malicious code through unsafe dynamic code generation. If
StandardsCVE-2026-34040 scored 8.8 on the CVSS scale. It s a regression of vulnerabilities patched in 2019 and 2024. The fix is available in Docker Engine 29.3.1 and Docker Desktop 4.66.1. The real question is
StandardsYour vulnerability management program is about to undergo a significant transformation. AI models that autonomously discover vulnerabilities at scale are now production tools. Your team needs a deploy
StandardsScope This guide focuses on detecting and mitigating supply chain attacks that use audio steganography to hide malicious payloads in software packages. Our case study is the March 27, 2026 compromise
StandardsA compromised maintainer account on npm deployed a cross-platform Remote Access Trojan (RAT) through malicious versions of Axios, a widely used JavaScript HTTP client library. If your systems ran npm
StandardsYour team committed 29 million new hardcoded secrets to public repositories in 2025—a 34% increase from the previous year. AI services contributed to 81% more leaks year over year, and internal reposi
StandardsThe Telnyx SDK compromise on PyPI presents your security team with a critical decision: do you restrict package installation at the perimeter, or do you allow flexibility and invest in runtime detecti
StandardsA recent campaign distributing over 300 poisoned packages shows how attackers now use AI to scale supply chain attacks. Your dependency scanning probably caught the known signatures, but it won t catc
StandardsThe Pentagon s 180-day deadline to remove Anthropic technology exposes a fundamental gap: most organizations cannot precisely answer, where do we use AI? Only 31% of organizations report being fully e
StandardsThese questions started showing up in security Slack channels right after StepSecurity flagged two hijacked npm packages in the React Native ecosystem. These packages, with over 30,000 downloads per w
