On December 2, 2024, a security vendor called BeyondTrust noticed something wrong inside its own AWS account. By the time the investigation closed, the story that emerged was almost absurdly simple for something with this much fallout: an attacker —…
Tag: DZone Security Zone
Can Rust Have Zero-Cost Dependency Injection?
Overview This article explores whether dependency injection (DI) can exist in Rust without sacrificing the language’s core philosophy of zero-cost abstractions. We will approach the question from three angles: …
An Ingredient List Doesn’t Stop the Worm: What SBOMs Can and Can’t Do
On March 28, 2024, a Microsoft engineer named Andres Freund noticed something almost nobody would have bothered chasing: SSH logins on a system he was benchmarking were taking 500 milliseconds instead of the usual 100. He ran a memory profiler…
The New Insider Threat Isn’t Human: Securing AI Agents Before They Secure Themselves
In mid-September 2025, engineers inside Anthropic’s threat intelligence team noticed something that didn’t fit the usual pattern of automated probing on their platform. Ten days of digging later, they had a name for it: GTG-1002, a Chinese state-sponsored group that…
Two Clocks Are Running Out at Once, and Almost Nobody Is Watching Both
Every CISO I talk to right now is juggling two deadlines that feel unrelated and aren’t. One is the slow-motion arrival of quantum computers capable of breaking the public-key cryptography that underpins basically everything — TLS, SSH, JWTs, code-signing. The…
Sharing SBOMs Securely Without Giving Too Much Away
SBOMs Create Transparency, But Not Without Risk The Software Bill of Materials, or SBOM, has changed meaning in recent years. It used to be seen as a technical tool for internal inventory management. It is now required as evidence due…
Your Biggest Identity Problem Isn’t Your Employees Anymore; It’s Everything Else
I used to open identity audits by asking a CISO how many users were on their network. These days, I ask a different question first: how many non-human identities do you have, and when was the last time anyone counted?…
AI, OAuth, and Other Platform APIs in the Core
This is the second follow-up to June 5’s release post. It covers the platform APIs that moved into the framework core this release. There are two headline pieces (AI/LLM and the modern OAuth/OIDC stack) and two smaller pieces (WiFi/connectivity and share-sheet…
Implementing Asynchronous Communication Between Microservices Using Kafka and Spring Boot
In a microservices system, that tight coupling turns a small hiccup into a cascading slowdown. Thread pools fill, retries amplify traffic, and suddenly your simple request is blocked on half the fleet. My executive summary: asynchronous messaging with Kafka helps…
Architectural Collapse: How Extension Poisoning, Node Vulnerabilities, and Infrastructure Fog Enabled the GitHub Repository Breach
Enterprise perimeter defenses are fundamentally built on an obsolete assumption that the developer’s workstation is a secure, trusted anchor point. The massive security breach executed by the threat group TeamPCP, resulting in the exfiltration of 3,800 internal GitHub source code…
Phantom APIs Are Eating Your Attack Surface, and Most Security Teams Are Still Looking the Other Way
I’ve spent the better part of fifteen years staring at API traffic logs for a living, and I can tell you the job has changed twice. The first shift came with microservices, when a handful of monolithic endpoints became thousands…
The Breach Was Never at the Door
I’ve lost count of how many breach disclosures I’ve read where the first sentence is some version of “no evidence the perimeter was compromised.” It used to strike me as corporate hedging. Now I read it as the whole story,…
Data Governance Checklist for AI-Driven Systems
Editor’s Note: The following is an article written for and published in DZone’s 2026 Trend Report, Cognitive Databases, Intelligent Data: Unified Infrastructure for Vector Search, AI-Optimized Queries, and Hybrid Workloads. Many teams find governance gaps only after a retrieval system surfaces…
Testing Strategies for Web Development Code Generated by LLMs
Large Language Models (LLMs) can automate the development process by producing a substantial amount of web application code in just a few minutes. Nonetheless, it is important to bear in mind that these models are pattern-based and not deterministic. Work…
AI Is Finding Bugs Faster Than Enterprises Can Patch — Here’s What Data Security Teams Should Do
I have spent the better part of a decade building data protection products for global enterprises. Cloud DLP, CASB, SSPM, Behavior Threats, AI Access Security, ISPM, etc. The kinds of things that sit between a user, an agent, or an…
Top Java Security Vulnerabilities and How to Prevent Them in Modern Java
With the increasing number of security threats, organizations have invested heavily in cybersecurity initiatives to protect their applications, infrastructure, and sensitive data. Security vulnerabilities are rarely introduced intentionally. Most of them creep into applications through shortcuts, overlooked edge cases, outdated…
OpenAPI, ORM, SVG, and Lottie
This is the third follow-up to Friday’s release post. Saturday’s was about how you iterate; yesterday’s was about new platform APIs in the core; today’s is about a run of pieces that change how you write the structural parts of…
The Real-Time Revolution: Why Blockchain Needs Data Stream Processing
Blockchain is an extremely data-driven technology because its primary function is to store, verify, and coordinate independent records in a secure, distributed data network. Without this information, no transaction, smart contract execution, or network activity would be valid, and it…
The Trust Problem in Modern SaaS: Why Your Authentication Succeeded, and You Still Got Breached
Most SaaS breaches do not happen through failure. They happen through valid authentication being trusted too far, for too long, across systems that were never designed to question each other. That distinction is worth sitting with. Because if authentication failed,…
Conversational Risk Accumulation: Stateful Guardrails Beyond Single-Turn LLM Checks
Why Long Chats Need Session-Level Guardrails (CRA) Who this is for: Anyone building chat features, support bots, internal Q&A, coaching tools, RAG assistants. The Usual Setup (and What It Misses) A typical flow: …