An in‑depth analysis of Codex Security’s scans shows that AI‑assisted code production doesn’t create new bug types but dramatically speeds up the spread of existing flaws, prompting a shift toward automated, engineering‑driven defenses for large‑scale code generation.
OpenAI's new Codex Security agent, codenamed "Aardvark," shifts application security from static scanning to a full‑process AI loop that builds custom threat models, validates exploits in a sandbox, generates patch code, and has already identified hundreds of critical bugs across millions of code commits.
This guide presents a lightweight Spring Boot dependency vulnerability scanner that automatically collects all project JARs, matches them against a CVE database, visualizes risk levels, provides detailed remediation steps and can be integrated into local development, emergency response, and CI/CD pipelines.
The new “Automotive Data Outbound Security Guidelines (2026)” issued by MIIT and other ministries seeks to balance data security with cross‑border flow, defining a two‑layer demand, detailing data categories, assessment, contracts, certification, and protection measures, and signalling a massive market opportunity for data‑security services in the automotive industry.
The article examines how modern military software, built largely from third‑party components, faces supply‑chain attacks, explains the need for SBOMs, and proposes a centralized trusted component repository with automated scanning, compliance checks, and full‑lifecycle auditing to secure defense systems.
This article explains how CVE identifiers serve as a universal naming system for vulnerabilities and compares the roles of NVD, GitHub Advisory Database, and vendor security advisories, showing how to combine these sources into a layered intelligence network for effective risk assessment and remediation.
An in‑depth exploration of a Multi‑Agent AI system that automates SDLC white‑box vulnerability management, detailing industry‑standard processes, the system’s architecture, specialized agents, prompt engineering, tool integration, and real‑world results that boost audit efficiency and accuracy while enabling true security left‑shift.
At Bilibili, the security team adapted Microsoft’s Security Development Lifecycle by establishing capability practices such as training, threat modeling, secure coding, and component scanning, integrating these processes into development pipelines through dedicated business partners, extending protection to the full data lifecycle, and evolving toward automated DevSecOps with in‑pipeline DAST and a custom vulnerability management platform.
Datadog’s 2024 DevSecOps report reveals that 90% of Java services contain at least one severe vulnerability—far higher than other languages—largely due to indirect dependencies, and stresses the need for comprehensive dependency scanning, prioritized remediation, and robust alert triage to manage the flood of low‑impact automated attacks.
This article provides a comprehensive overview of API security, covering authentication and authorization, privacy and encryption, input validation, detection, rate limiting, logging, secure coding, vulnerability management, lifecycle phases, and the importance of education and training to protect modern software ecosystems.
Network port security demands continuous discovery, automated vulnerability scanning, traffic‑baseline anomaly detection, and disciplined governance—including source authentication, first‑packet drop, and lifecycle management—to mitigate DDoS, application‑layer, and exploitation attacks while ensuring minimal‑privilege openings and timely closure.
This article explains how containers work, outlines the challenges of detecting and fixing vulnerabilities throughout the software lifecycle, and presents practical strategies—including CI/CD pipeline, registry, runtime, and host scanning—plus key principles for building a robust container security program.
The June API security report highlights three critical vulnerabilities—MinIO unauthorized data exposure, Joomla Rest API unauthenticated access, and multiple Argo CD API flaws—detailing their impacts and providing concrete remediation steps to protect sensitive data and maintain system integrity.
The online Huolala Security Salon on August 19 featured eight expert sessions covering enterprise security foundations, purple‑team tactics, security training programs, data‑security compliance practices, LLSRC award recognitions, game vulnerability analysis, the evolution of code‑audit techniques, and the design of a flexible security operations platform.
This article explains the security challenges of containerized applications, compares popular image‑scanning tools, and demonstrates how to integrate the Trivy scanner into CI/CD pipelines to achieve shift‑left security and reduce production‑stage vulnerabilities.
Software Composition Analysis (SCA) identifies and tracks open‑source components across languages, matches them to vulnerability databases, and integrates risk detection into CI pipelines, helping organizations mitigate widespread flaws like Log4j2 while addressing challenges of diverse package formats, binary analysis, and accurate vulnerability correlation.
The article explains Maven Central's new "Vulnerabilities" column that highlights known CVEs for each dependency, discusses its relevance to recent Log4j2 risks, and shows how to use the OWASP Dependency‑Check Maven plugin to scan and report vulnerable Java libraries.
The Chinese Ministry of Industry and Information Technology suspended Alibaba Cloud for six months after the company failed to promptly report a critical Log4j2 vulnerability, highlighting the importance of timely disclosure and compliance with national cybersecurity regulations.
The Chinese cybersecurity authority has suspended Alibaba Cloud’s partnership for six months after the company discovered a critical Log4j2 vulnerability but failed to promptly report it, highlighting gaps in vulnerability disclosure and threat‑management processes.
The Log4j2 remote code execution vulnerability (CVE‑2021‑44228, CNVD‑2021‑95914) affects all Java‑based applications from version 2.0 to 2.15.0‑rc1, allowing unauthenticated attackers to execute arbitrary code, and requires immediate inventory, patching, and hardening measures across all affected systems.
This article describes Qunar's end‑to‑end automated workflow for detecting high‑risk Jar component vulnerabilities, collecting asset information, orchestrating remediation with a SOAR platform, and leveraging the TCDEV auto‑upgrade service to reduce manual effort and improve security operations efficiency.
iQiyi Security Incident Response Center Vulnerability Handling Policy version 3.0 outlines scope, principles, reporting process, severity scoring, reward system, user levels, dispute resolution, and prohibitions, emphasizing dedicated handling, point-based rewards, and strict rules for disclosures and malicious activity.
The article examines how open‑source projects can achieve robust security through organized vulnerability management teams, active collaboration with security researchers, and community‑driven initiatives, using Kata Containers and the broader cloud‑native ecosystem as illustrative examples.
The article details Ctrip's DevSecOps challenges and solutions, covering security team structuring, threat modeling, SCA and SAST integration, IAST/DAST architecture, vulnerability management, and the resulting improvements in automated security testing within a high‑frequency CI/CD environment.
Operations security, the intersection of IT operations and security, has become critical as high‑profile vulnerabilities like Struts2, OpenSSL Heartbleed, and massive DDoS attacks expose the costly ROI of ops‑related flaws; this article defines the field, explains its importance, lists common bad practices, typical vulnerabilities, and real‑world case studies.
GitHub’s security alerts, launched in October, have dramatically cut remediation times for Ruby and JavaScript projects—nearly half of alerts are addressed within a week and 98% of actively maintained repositories patch within seven days—identifying over 400 million vulnerabilities across more than 500 thousand repositories, with detailed notifications delivered via the platform, email, and a new weekly summary, and future support planned for Python.
The OWASP Top 10 project ranks the ten most critical web application security risks by analyzing threats, vulnerabilities, technical impact, and business consequences, offering developers, testers, and security teams actionable guidance to improve risk awareness and implement focused protection measures.
The Equifax data breach exposed 143 million Americans' personal information due to unpatched Apache Struts flaws, chiefly CVE‑2017‑5638 and possibly CVE‑2017‑9805, prompting a swift response from the Apache Software Foundation and highlighting the critical need for timely vulnerability management.
This article shares practical insights from a security director at YY Live, detailing the complex Linux security landscape, common vulnerabilities, real‑world attack techniques such as Redis abuse and privilege escalation, and a multi‑layered defense approach that balances rapid business iteration with robust protection.
This article examines the most common operational security vulnerabilities—such as unpatched Struts, server‑status leaks, backup file exposure, SVN leaks, and weak default credentials—explains why they are critical, and offers practical recommendations for enterprises to improve their ops‑security posture.
