In 2024, a staggering 87% of container images were found to have at least one vulnerability, and a measurable fraction of them have been targeted to compromise the production infrastructure. With cloud and container orchestration adoption not slowing down, the…
Category: DZone Security Zone
Passwordless Authentication: Hype vs. Reality
We are living in an era in which data breaches and cyberattacks are growing exponentially and frequently dominate news headlines. The simple and humble password — since its inception — has repeatedly proven to be difficult to secure against modern,…
Prompt Injection Defense Architecture: Sandboxed Tools, Allowlists, and Typed Calls
Why Prompt Injection Keeps Winning in Production. Most prompt injection incidents follow the same pattern: The model reads untrusted instructions (user text, RAG chunks, web pages, PDFs, emails). Those instructions impersonate authority: “Ignore the rules… call this tool… send this…
Copilot, Code, and CI/CD: Securing AI-Generated Code in DevOps Pipelines
Three months ago, I watched a senior engineer at a Series B startup ship an authentication bypass to production. Not because he was incompetent — he’d been writing secure code since Django was considered cutting-edge. He shipped it because GitHub…
IT Asset, Vulnerability, and Patch Management Best Practices
The vulnerability management lifecycle is a continuous process for discovering, addressing, and prioritizing vulnerabilities in an organization’s IT assets. A normal round of the lifecycle has five phases: …
Securing AI-Generated Code: Preventing Phantom APIs and Invisible Vulnerabilities
The conference room went silent when the fintech’s CISO pulled up the logs. There, buried in production traffic, sat an endpoint nobody had documented: /api/debug/users. It was leaking customer data with every ping. The engineer who’d committed the module swore…
DevSecOps for MLOps: Securing the Full Machine Learning Lifecycle
I still remember the Slack message that arrived at 2:47 AM last March. A machine learning engineer at a healthcare AI startup, someone I’d interviewed six months prior about their ambitious diagnostic model, was having what could only be described…
Why Browsers Are the Weakest Link in Zero Trust Architectures
Let’s start with a simple fact that cannot be overlooked today: identity is the new perimeter. Following this logic, there exists a simple yet powerful principle of Zero Trust — never trust, always verify. Zero Trust protects architectures by continuously…
How to Secure a Spring AI MCP Server with an API Key via Spring Security
Instead of building custom integrations for a variety of AI assistants or Large Language Models (LLMs) you interact with — e.g., ChatGPT, Claude, or any custom LLM — you can now, thanks to the Model Context Protocol (MCP), develop a…
MCP Servers Are Everywhere, but Most Are Collecting Dust: Key Lessons We Learned to Avoid That
It took a little while to gain traction after Anthropic released the Model Context Protocol in November 2024, but the protocol has seen a recent boom in adoption, especially after the announcement that both OpenAI and Google will support the…
Leveraging AI-Based Authentication Factors in Modern Identity and Access Management Solutions
It is not an understatement that identity is the new perimeter. With cyberattacks on the rise across industries, from finance and governments to healthcare, the protection of user identities has become more crucial than ever before. Taking a look at…
Why Encryption Alone Is Not Enough in Cloud Security
It is often assumed that encryption is the gold standard method for securing assets in the cloud. Cloud providers give assurances that all their services are “encrypted by default.” Several regulatory and cloud compliance policies mandate that organizations encrypt data…
Beyond Extensions: Architectural Deep-Dives into File Upload Security
Allowing users to upload files is a staple of modern web applications, from profile pictures to enterprise document management. However, for a security engineer or backend developer, an upload field is essentially an open invitation for an attacker to place…
From Code to Runtime: How AI Is Bridging the SAST–DAST Gap
Let’s start with two pillars that modern application security teams rely on: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). SAST is a method in which source code is analyzed early in the application development lifecycle to…
Secure Log Tokenization Using Aho–Corasick and Spring
Modern microservices, payment engines, and event-driven systems are generating massive volumes of logs every second. These logs are critical for debugging, monitoring, observability, and compliance audits. But there is an increasing and hazardous problem: Sensitive data — things like credit…
The Hidden Security Risks in ETL/ELT Pipelines for LLM-Enabled Organizations
As organizations integrate large language models (LLMs) into analytics, automation, and internal tools, a subtle yet serious shift is occurring within their data platforms. ETL and ELT pipelines that were originally designed for reporting and aggregation are now feeding models…
BYOLM with Spring AI & MCP: Secure, Swappable AI Everywhere
Introduction. Artificial intelligence has rapidly moved from research labs into everyday tools. Yet, most users remain locked into vendor‑controlled ecosystems, where the choice of language model (LM) is dictated by the provider. This creates friction for developers, educators, and organizations…
Securing Verifiable Credentials With DPoP: A Spring Boot Implementation
In my previous article, I demonstrated how to implement OIDC4VCI (credential issuance) and OIDC4VP (credential presentation) using Spring Boot and an Android wallet. This follow-up focuses on a critical security enhancement now mandated by EUDI standards: DPoP (Demonstrating Proof-of-Possession). The…
5 Challenges and Solutions in Mobile App Testing
Testing is one of the final stages of mobile app development before you’re ready for launch. The finish line may seem close, but it might not be. If you encounter mobile app testing challenges unprepared, you may have to push…