The situation around OpenSSL and its fork is rather confusing... And there's no indication this would improve.
If you're behind on your updates, it's time to do it quickly.
And one more... it's clearly driven by an architecture pattern used by all vendors. They need to get their act together to change this.
OK, this is definitely concerning for the use of tools with so-called coding agents. The trust model is really not appropriate at this stage and that opens the door to a wide range of attacks.
Worth trying indeed. I'd love to see at least some of that widely adopted.
Another example of attack vectors emerging as more and more LLM agents are added to the development process.
Looks like it's getting there as a useful aid for auditing code, especially for finding security vulnerabilities.
Or why CAPTCHAs might become a thing of the past. I guess they'll live a bit longer as they become more and more privacy invasive.
As LLM assistants get more and more embedded in the development process, it gets harder to ensure they behave safely. Quite a few interesting attack vectors in that one.
Seriously... Developers should be ashamed to produce such invasive tools.
Unicode in source code can come with unwanted consequences. Tooling might be required.
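As an added illustration of the kind of tooling meant here (this is example code written for this page, not a tool from the linked article), the scanner below walks source text and reports two classes of Unicode that deserve a second look: format-control characters (Unicode category Cf, which covers the bidirectional overrides and zero-width characters that can make displayed code differ from what the compiler parses) and non-ASCII letters (possible homoglyphs in identifiers). The sample input is constructed for the demo; the exact severity labels and the decision to flag every non-ASCII letter rather than only those in identifiers are my choices, not the page's.

```python
import sys
import unicodedata

# Constructed sample: a C-like snippet in which a RIGHT-TO-LEFT OVERRIDE and
# bidi isolates make the comment appear to end before the early return, and
# an identifier whose first letter is Cyrillic rather than Latin.
SAMPLE_SOURCE = (
    "int auth(const char *user) {\n"
    "    /* \u202e } \u2066if (is_admin)\u2069 \u2066 begin admins only */\n"
    "    return 0;\n"
    "}\n"
    "int \u0430dmin_flag = 0; /* first letter is Cyrillic */\n"
)


def classify(ch):
    """Return a finding kind for a suspicious character, or None if it is benign."""
    if ord(ch) < 0x80:
        return None                      # plain ASCII is never flagged
    if unicodedata.category(ch) == "Cf":
        # Format controls: bidi overrides/isolates, zero-width joiners, BOM, ...
        return "format-control"
    if ch.isalpha():
        # Non-ASCII letters are legitimate in comments and strings, but inside an
        # identifier they may be homoglyphs of ASCII letters; report for review.
        return "non-ascii-letter"
    return None


def scan_source(text):
    """Scan source text and return a list of findings with 1-based line/column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ch)
            if kind is None:
                continue
            findings.append({
                "line": lineno,
                "col": col,
                "kind": kind,
                "codepoint": "U+%04X" % ord(ch),
                "name": unicodedata.name(ch, "<unnamed>"),
            })
    return findings


def format_findings(findings, path="<input>"):
    """Render findings one per line, compiler-style, for use in CI output."""
    return "\n".join(
        "%s:%d:%d: %s %s (%s)"
        % (path, f["line"], f["col"], f["kind"], f["codepoint"], f["name"])
        for f in findings
    )


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    if len(sys.argv) == 1:
        print(format_findings(scan_source(SAMPLE_SOURCE), "sample.c"))
    else:
        exit_code = 0
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                exit_code = 1
                print(format_findings(found, path))
        sys.exit(exit_code)
```

Run with file paths to get a non-zero exit status whenever anything is flagged, which is the behaviour you want from a pre-commit hook or CI step; whether non-ASCII letters should fail the build or only warn depends on how much non-English text your code base legitimately contains.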
Security asks for more than a memory-safe language. It helps with some things for sure, but there are tools for other languages as well; you'd better start using them.
There's clearly a tension between security and ease of pulling dependencies. In a way, it's "too easy" with cargo, and you very quickly end up having to trust a staggering amount of third-party code.
Nice Docker recipe indeed for small and secure containers when you just want to ship a statically linked binary.
This also carries privacy concerns indeed, even for local models. It all depends on how it's integrated into the system.
Need to teach security basics to your family, friends and neighbors? Here is a nice resource to do a good job there. We often approach the task the wrong way.
Of course it also helps against DDoS attacks... which tells you something about the state of AI scrapers, I guess.
They were warned of this leak by GitGuardian weeks ago... and did nothing. For people handling such sensitive data, their security practices are preposterous.
Nice little trick to get rid of some malicious bots.
Maybe something good will come out of the political turmoil around the CVE Program. It would be nice to see it more independent indeed.