7 Powerful Steps: Add an ASVS 5.0 Gate to CI/CD Shipping features is great—shipping evidence-backed security is better. This post turns ASVS 5.0 into executable CI/CD checks using GitHub Actions, Semgrep, Bandit, and DAST in GitHub Actions via ZAP Baseline. You’ll get ready-to-paste workflows, tiny diffs for SSRF/IDOR/token handling, and a way to store “evidence […]
7 Powerful Steps: Add an ASVS 5.0 Gate to CI/CD Read More »
7 Proven Ways to Tame AI-Generated Code Supply-Chain Risk One-sentence angle: As developers and engineering teams increasingly lean on AI-generated code and open-source modules, the attack surface expands—this guide shows how to embed checks for AI-generated code supply chain risk and code provenance directly into modern pipelines. New guide: Turn ASVS 5.0 into CI checks
7 Proven Ways to Tame AI-Generated Code Supply-Chain Risk Read More »
7 Proven Defenses for the Pixnapping Android Exploit TL;DR (for dev & engineering leaders) A new GPU side-channel nicknamed the Pixnapping Android exploit can siphon sensitive on-screen pixels (think OTP/2FA digits, chat previews, balances) without classic runtime permissions. Treat it like a UI data-exfil risk, not just an overlay issue. Your playbook: Throughout this guide,
7 Proven Defenses for the Pixnapping Android Exploit Read More »
7 Proven Steps for CVE-2025-48384 Git Mitigation TL;DR (for dev & SRE leads) CVE-2025-48384 exposes CI/CD and developer laptops to submodule-driven arbitrary file write → code execution. Treat this as a pipeline risk first, repo risk second. This battle-tested CVE-2025-48384 Git mitigation playbook gives you 7 steps you can drop into GitHub Actions, GitLab CI,
7 Proven Steps for CVE-2025-48384 Git Mitigation Read More »
CVE-2025-59489 Unity Mitigation: Secure Your Build Pipeline If you ship Unity-based apps or games, treat CVE-2025-59489 as a supply-chain event. Your priorities are: (1) rebuild/publish with fixed Unity Editor lines, (2) harden the CI/CD path so this class of unsafe file loading (local file inclusion) can’t reappear, and (3) prove your fleet is clean. This
CVE-2025-59489 Unity Mitigation: Secure Your Build Pipeline Read More »
CISA Emergency Directive 25-03: DevOps Tasks for Cisco 0-Day TL;DR (for dev & SRE leads): Turn CISA Emergency Directive 25-03 into a concrete, sprint-ready checklist: discover your Cisco edge, lock management planes, patch & reimage, rotate CI tokens, restrict runner egress, enforce mTLS to artifacts, gate builds on KEV network CVEs, and verify with config/state
CISA Emergency Directive 25-03: DevOps Tasks for Cisco 0-Day Read More »
npm supply chain attack 2025: ‘Shai-Hulud’ CI fixes Developers are on the front line of the npm supply chain attack 2025 (the “Shai-Hulud” worm) that targets CI secrets and account tokens. This developer-first incident-response playbook shows exactly how to contain it in hours—not weeks—by enforcing trusted publishing, granular tokens, provenance checks, and safe build defaults
npm supply chain attack 2025: ‘Shai-Hulud’ CI fixes Read More »
Gate CI with CISA KEV JSON: Ship Safer Builds If you’re already generating SBOMs, you’re a 10-minute script away from turning CISA KEV JSON into a hard gate in CI/CD. The latest KEV additions—like the Chrome V8 type confusion vulnerability (CVE-2025-10585)—show how fast browser/JS engines move. Your pipeline should block risky versions on sight, not
Gate CI with CISA KEV JSON: Ship Safer Builds Read More »
Chrome V8 KEV: CVE-2025-10585 Deep Dive TL;DR (for engineering leaders) What CVE-2025-10585 is—and why it’s in KEV Impact paths to review Mitigation steps (patch, backport, harden) 1) Patch to fixed versions 2) Consider temporary hardening (risk-based) Electron example (main process): (Use only where user experience permits; track crashes/telemetry.) Screenshot of our Free Website Vulnerability Scanner
Chrome V8 KEV: CVE-2025-10585 Deep Dive Read More »
PyTorch Supply Chain Attack: Dev Guardrails Open-source registries remain hot targets. In September 2025, PyPI disclosed an attack campaign abusing GitHub Actions to exfiltrate PyPI tokens, and researchers flagged fresh malicious PyPI packages—reminders that ML stacks (including PyTorch projects) are squarely in scope. Lock everything with hashes, gate installs through a curated mirror, fail builds
PyTorch Supply Chain Attack: Dev Guardrails Read More »