Mind your typos... It seems clear a bad actor is hiding behind that one.

Alright... That's really bad security practices. Don't do this at home.

Interesting point, fairly logical but didn't sit to think it through before. Indeed, using arenas to get back features of manual memory management won't lead to the same security issues than outside of a memory safe language.

An oldie but a goodie about SQL injection. Does a good job getting the overall picture of this particular security plague.

Still some work to have proper confinement in practice for apps in the Flatpak ecosystem.

Better not trust ZIP files you receive...

The situation around OpenSSL and its fork is rather confusing... And there's no indication this would improve.

If you're behind on your updates, it's time to do it quickly.

And one more... it's clearly driven by an architecture pattern used by all vendors. They need to get their acts together to change this.

OK, this is definitely concerning for the use of tools with so called coding agents. The trust model is really not appropriate at this stage and that opens the door to a wide range of attacks.

Worth trying indeed. I'd love to see at least some of that widely adopted.

Another example of attack vectors emerging with adding more and more LLM agents in the development process.

Looks like it's getting there as a good help for auditing code, especially to find security vulnerabilities.

Or why CAPTCHA might become something of the past. I guess they'll live a bit longer as they become more and more privacy invasive.

As LLM assistants get more and more embedded in the development process, it gets harder to ensure they behave safely. Quite a few interesting attack vectors in that one.

Seriously... Developers should be ashamed to produce such invasive tools.

Unicode in source code can come with unwanted consequences. Tooling might be required.

Security asks for more than a memory safe language. It helps some things for sure, but there are tools for other languages as well, you better start using them.

There's clearly a tension between security and ease of pulling dependencies. In a way, it's "too easy" with cargo and you very quickly end up having to trust a staggering amount of third party code.

Nice docker recipe indeed for small and secure containers when you just want to ship a statically linked binary.