Category: DZone Security Zone

Organizations rely on different methods for data backup, depending on factors such as data criticality. There are several options, ranging from DIY scripts to third-party backup vendors. The effectiveness of these approaches depends on how well they protect data and…

Read more →

For over two decades, Active Directory (AD) has been the “central nervous system” of enterprise IT. It manages who gets in, what they can access, and when. Because of this centrality, it is the single most valuable target for an…

Read more →

In the current landscape of ransomware and sophisticated SQL injection attacks, standard database security is no longer sufficient. We rely heavily on cryptographic hashes (such as SHA-256) to verify data integrity. The logic is simple: if the hash changes, the…

Read more →

Domain ownership verification is a fundamental security mechanism that proves you control a specific domain. Whether you’re setting up email authentication, SSL certificates, or integrating third-party services, understanding domain verification methods is essential for modern web development. In this article,…

Read more →

For over 20 years, static application security testing (SAST) has been the foundation of secure coding. However, beneath the surface, many legacy SAST tools still operate using basic techniques such as regular expressions and lexical pattern matching; essentially, sophisticated versions…

Read more →

What Makes a Change Irreversible? Reverting a line of code is easy, and most of the time, firmware is backward-compatible. But what if a piece of hardware is specifically designed not to take older firmware, and the only option is…

Read more →

The VP of Engineering at a mid-sized SaaS company told me something last month that stuck with me. His team had grown their codebase by 340% in two years, but headcount in security had increased by exactly one person. “We’re…

Read more →

Challenge: When Agentic Bots Become Primary Data Reader In large data platforms, AI agents now execute more data queries than human users. For teams that are running thousands of internal services, it is very common to have hundreds or thousands…

Read more →

Why Prompt Injection Is the New Surface Attack and So Difficult by Design In December 2023, a Chevrolet dealership made headlines when users coaxed its ChatGPT-powered chatbot into “agreeing” to sell cars for $1. Just months earlier, in February, Microsoft’s…

Read more →

In my previous article, I covered DPoP for securing the credential issuance (VCI) flow. This follow-up focuses on the Verifiable Presentation (VP) flow, in which a wallet presents credentials to a verifier. The VP Security Challenge Before HAIP, VP flows…

Read more →

Most users tap Pay on Android and assume it’s simple. Behind that one tap, your app is juggling PCI rules, device security, fraud checks, and 3DS — usually inside a tight latency budget measured in hundreds of milliseconds. If all…

Read more →

The security engineer’s face went pale when she pulled up the access logs. Her team had deployed a fraud detection model to production three weeks earlier — standard stuff, containerized inference running on Kubernetes. Except someone had been quietly exfiltrating…

Read more →

The first time I wired an agent to real enterprise systems, it felt like I’d unlocked a cheat code. I had a clean, repeatable pattern: the model asks, a server answers, and suddenly the agent can do things.  Then the…

Read more →

In 2024, a staggering 87% of container images were found to have at least one vulnerability, and a measurable fraction of them have been targeted to compromise the production infrastructure. With cloud and container orchestration adoption not slowing down, the…

Read more →

We are living in an era in which data breaches and cyberattacks are growing exponentially and frequently dominate news headlines. The simple and humble password — since its inception — has repeatedly proven to be difficult to secure against modern,…

Read more →

Why Prompt Injection Keeps Winning in Production Most prompt injection incidents follow the same pattern: The model reads untrusted instructions (user text, RAG chunks, web pages, PDFs, emails). Those instructions impersonate authority: “Ignore the rules… call this tool… send this…

Read more →

Three months ago, I watched a senior engineer at a Series B startup ship an authentication bypass to production. Not because he was incompetent — he’d been writing secure code since Django was considered cutting-edge. He shipped it because GitHub…

Read more →

The vulnerability management lifecycle is a continuous process for discovering, addressing, and prioritizing vulnerabilities in an organization’s IT assets A normal round of the lifecycle has five phases: This article has been indexed from DZone Security Zone Read the original…

Read more →

The conference room went silent when the fintech’s CISO pulled up the logs. There, buried in production traffic, sat an endpoint nobody had documented: /api/debug/users. It was leaking customer data with every ping. The engineer who’d committed the module swore…

Read more →

I still remember the Slack message that arrived at 2:47 AM last March. A machine learning engineer at a healthcare AI startup, someone I’d interviewed six months prior about their ambitious diagnostic model, was having what could only be described…

Read more →