Application Security | Breaking Cybersecurity News | The Hacker News

Most application security (AppSec) teams know their OWASP Top 10, the industry-standard list of the most critical software security risks. Fewer know which of those categories their organization actually fixes. In conversations with security teams, I hear the same story: "We prioritize criticals, so the important stuff gets handled." The data tells a different story. Fix rates vary dramatically by OWASP vulnerability class, and not in the ways most teams expect. The data comes from Semgrep's Remediation at Scale report , which analyzed anonymized remediation patterns across 50,000+ repositories and hundreds of organizations during 2025. The methodology is straightforward: group organizations into two cohorts by fix rate (top 15% as "leaders," remaining 85% as "field"), then compare what each group actually does differently. The gap between leaders and the field isn't about detection quality or prioritization frameworks. Both cohorts apply the s...

While AI reduces some coding flaws, credential sprawl accelerates, expanding the non-human identity attack surface, and making remediation the new security bottleneck. AI is changing software development faster than most security teams can adapt. As coding assistants and autonomous agents become embedded in daily workflows, many assume traditional application security controls will steadily lose relevance. If machines can scan code, catch flaws, and even suggest safer alternatives in real time, then software risk should start to shrink. But that's not what is happening in the real world, according to GitGuardian's security research. The battle isn't in the code anymore, because AI is shifting where the control point is. It's in the credentials, tokens, service accounts, and machine identities that AI systems need in order to access data and take action. This matters because the attack surface has fundamentally changed. AI-assisted commits grew exponentially in 2025 and leaked secr...

When Shai-Hulud 2.0 hit in late 2025, it was a brutal, expensive wake-up call for DevSecOps teams. It showed that the industry's direction of shifting left, where teams pass security onto developers, wasn't the silver bullet everyone hoped for. Pushing that responsibility was fine in theory, but it crumbled quickly because the foundation it was built on was inherently flimsy. As we move further into 2026, we need a more definitive fix to the structural weakness in the pipelines in light of a potential Shai-Hulud 3.0. A major lesson from 2.0 was that internal CI/CD runners were easily hijacked and turned into attack botnets. Teams need to take that finding and come back with a truly proactive defense. A curated catalog is a way for security teams to control exactly what code and components enter their environment, while still giving engineering teams a fast, secure way to build - it is the key to creating a sustainable solution. More on a curated catalog later. The Anatomy o...

AI-powered coding assistants now play a central role in modern software development. Developers use them to speed up tasks, reduce boilerplate snippets, and automate routine code generation. But with that speed comes a dangerous trade-off. The tools designed to accelerate innovation are degrading application security by embedding subtle yet serious vulnerabilities in software. Nearly  half of the code snippets generated by five AI models contained bugs that attackers could exploit, a study showed. A second study confirmed the risk, with nearly one-third of Python snippets and a quarter of JavaScript  snippets produced by GitHub Copilot having security flaws . The problem goes beyond flawed output. AI tools instill a false sense of confidence. Developers using AI assistance not only  wrote significantly less secure code than those who worked unaided, but they also believed their insecure code was safe, a clear sign of automation bias. The Dangerous Simplicity of AI-...

The Perfect Recipe for Endpoint Security Calls for Privilege Control Today's most effective ransomware attacks don't require malware; they require a login. Modern threat actors don't need to break in. They can leverage legitimate identities and their privileges to gain a foothold, then continue to capitalize on them, moving laterally to probe for more opportunities and manipulate vulnerabilities and exploits to spread ransomware and spyware. A vulnerable identity or account tied to an endpoint can quickly become an attacker's ticket to your most valuable assets and controls.  With legitimate identities being used as the initial foothold in more attacks, we're seeing less 'anomalous' activity and far more seemingly normal actions performed by a trusted, privileged user. And attackers are keenly aware of how easily they can 'hide' behind these legitimate user accounts.  This is why Endpoint Detection and Response (EDR) is really only one piece of the endpoint protection puzz...

Identity-based attacks are the #1 cause of breaches, often exploiting weaknesses in traditional identity platforms. It's time for a proactive approach that addresses these gaps and stops threats before they strike. Identity has become the primary attack surface in cybersecurity. According to Forbes, 75% of cyberattacks leverage identity-based threats. Threat actors gain access using stolen credentials, compromised devices, and deepfake impersonation techniques, often bypassing traditional defenses without detection. Many identity platforms rely on MFA, such as push notifications and one-time passcodes (OTPs), which were once considered secure but are now frequently exploited through phishing, MFA fatigue, and man-in-the-middle attacks. The rise of generative AI has made these threats more effective and more prevalent.  To compensate, organizations have deployed tools like Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Identity Threat Detection ...

If you're like most people, your inbox overflows daily with a mix of important messages, random ads, and updates you didn't ask for. It's easy to miss what really matters. This inbox-overload mirrors what's happening in AppSec: security teams are overwhelmed with endless alerts and notifications, with only a handful pointing to actual risks. And while infrastructure and development environments have evolved radically in the past decade, AppSec tools haven't kept pace. The result? Outdated tools that can't sift out the noise, leaving teams struggling to focus on real threats amid a flood of alerts. As CEO of Backslash Security , I frequently hear from AppSec professionals who feel like they're stuck in reactive mode, juggling outdated tools that weren't designed for today's complex, cloud-native environments. These tools flood them with alerts, stretching their focus between routine notifications and the critical issues that could genuinely impact their applications. A few years ...

Open-source libraries allow developers to move faster, leveraging existing building blocks instead of diverting resources to building in-house. By leaning on existing open-source packages, engineers can focus on complex or bespoke elements of their products, using package managers and open-source maintainers to make it easy to pull everything together.  However, you can't deny that building software using open source makes your applications more vulnerable to security risks. In an open-source library, attackers have direct access to code, and can search for current and historical vulnerabilities, as well as any issues and tickets managed on websites such as GitHub or GitLab. This helps threat actors to quickly find packages that are vulnerable and launch an attack.  This is where Software Composition Analysis (SCA) comes in, with the purpose of scanning packages and uncovering vulnerabilities. SCA compiles and manages a catalog of software packages, alongside details such ...