Tag: least-privilege
-
Adaptive Security Leadership in an Expanding Threat Surface
Tags: access, attack, automation, control, cyber, data, identity, least-privilege, resilience, risk, saas, service, technology, threat, zero-trustLast week I joined fellow security leaders at CISO Inspire Summit North for a panel discussion on The Expanding Threat Surface: Adaptive Security Leadership for 2026 and Beyond. It was a timely discussion, because the challenge facing security leaders today is not simply more threats. It is more connections, more dependencies, and more complexity. Suppliers, SaaS, identities, automation…
-
What CISOs need to get right as identity enters the agentic era
Tags: access, ai, ciso, conference, control, credentials, cybersecurity, defense, governance, identity, jobs, least-privilege, malicious, mfa, monitoring, phishing, risk, technology, toolWilcox and Adams are speaking at the CSO Cybersecurity Awards & Conference, May 1113. Reserve your place.As a result, Adams says CISOs will increasingly need to adopt an identity-centric security architecture and there are several key tenets to consider.Build a strong foundation before layering on complexity. The instinct when modernizing an identity program, says Adams, is…
-
Best Zero Trust Security Solutions in 2026
Zero trust continues to gain traction in 2026 as organizations adopt continuous verification, least-privilege access, and comprehensive monitoring. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/products/zero-trust-security-solutions/
-
AI is reshaping DevSecOps to bring security closer to the code
Tags: access, ai, api, application-security, attack, authentication, automation, breach, business, cloud, communications, compliance, container, control, data, data-breach, detection, exploit, governance, infrastructure, injection, least-privilege, risk, service, skills, software, sql, strategy, supply-chain, threat, tool, training, vulnerabilityExplicit security requirements elevate AI benefits: While deploying AI with DevSecOps is helping to shift the emphasis on security to earlier in the development lifecycle, this requires “explicit instruction to do it right,” says Noe Ramos, vice president of AI operations at business software provider Agiloft.”AI coding assistants accelerate development meaningfully, but they optimize for…
-
Why AI Agents Need Least Privilege Too, and How to Enforce It Automatically
AI agents are cloud identities. They don’t get a badge or a login. They get a service account, an IAM role, or an API key, just like any other non-human identity running in your environment. Mechanically, there’s nothing new. What’s new is how many of them are being deployed, how fast, and with how much……
-
Malicious pgserve, automagik developer tools found in npm registry
Advice to victimized developers: Developers who have downloaded the malicious versions of pgserver and automagik need to act fast, says Tanya Janca, head of Canadian secure coding consultancy SheHacksPurple.”Rotate every credential you can think of, right now, before you do anything else,” she said. “Then harden your CI/CD network egress controls so your build runners…
-
Copilot & Agentforce offen für PromptTricks
Tags: access, ai, bug, cvss, cyberattack, injection, least-privilege, mail, microsoft, update, vulnerabilityKI-Agenten sind populär und anfällig dafür, missbraucht zu werden.KI-Agenten fürs Enterprise können bekanntlich Arbeitsabläufe optimieren. Aber auch die Datenexfiltration wie Sicherheitsforscher von Capsule Security herausgefunden haben. Sie haben sowohl in Microsoft Copilot Studio als auch Salesforce Agentforce Prompt-Injection-Schwachstellen entdeckt.Diese ermöglichen Angreifern in beiden Fällen schadhafte Befehle über scheinbar harmlose Prompts einzuschleusen mit potenziell verheerenden Folgen.…
-
Copilot and Agentforce fall to form-based prompt injection tricks
PipeLeak: Salesforce Agentforce hijacked by a simple lead: In the Salesforce Agentforce case, attackers embed malicious instructions inside a public-facing lead form. When an internal user later asks the agent to review or process that lead, the agent executes the embedded instructions as if they were part of its task.According to a Capsule demonstration, the…
-
Copilot and Agentforce fall to form-based prompt injection tricks
PipeLeak: Salesforce Agentforce hijacked by a simple lead: In the Salesforce Agentforce case, attackers embed malicious instructions inside a public-facing lead form. When an internal user later asks the agent to review or process that lead, the agent executes the embedded instructions as if they were part of its task.According to a Capsule demonstration, the…
-
The zero-day timeline just collapsed. Here’s what security leaders do next
Tags: access, ai, api, attack, authentication, breach, cio, ciso, control, cyber, cybersecurity, data, data-breach, defense, endpoint, exploit, google, Internet, Intruder, leak, least-privilege, open-source, penetration-testing, resilience, service, strategy, tactics, update, vulnerability, zero-dayScaling vulnerability discovery to machine speed: Agentic AI is AI that can act, not just advise. Give it an objective, and it will plan steps, run them, learn from what happens and adjust until it succeeds or hits a hard stop. In cybersecurity, that looks like an automated operator. It can probe an application, test…
-
How to Validate Microsegmentation Policies Before Enforcement
Microsegmentation is easy to define and hard to implement. On paper, the goal is straightforward: Restrict access to only what is required Eliminate unnecessary lateral movement Enforce least privilege across… First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/04/how-to-validate-microsegmentation-policies-before-enforcement/
-
Supply Chain Attacks Surge in March 2026
Tags: access, ai, api, attack, authentication, awareness, cloud, container, control, corporate, credentials, crypto, data-breach, github, group, hacking, identity, infrastructure, Internet, kubernetes, least-privilege, linux, LLM, macOS, malicious, malware, mfa, network, north-korea, open-source, openai, phishing, pypi, software, startup, supply-chain, threat, tool, update, vulnerability, windowsIntroductionThere was a significant increase in software supply chain attacks in March 2026. There were five major software supply-chain attacks that occurred including the Axios NPM package compromise, which has been attributed to a North Korean threat actor. In addition, a hacking group known as TeamPCP was able to compromise Trivy (a vulnerability scanner), KICS…
-
Cloudflare’s new CMS is not a WordPress killer, it’s a WordPress alternative
The next wave of web development: In an interview with Computerworld, Cloudflare senior product manager Matt Taylor said his team sees the project as the next wave of web development platforms.”There is a whole new generation of developers, and WordPress is old news to them. If you are starting today, there is no way you…
-
Field workers don’t need more access, they need better security
In this Help Net Security interview, Chris Thompson, CISO at West Shore Home, discusses least privilege and credential hygiene for a field-based workforce. He covers access … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/03/20/chris-thompson-west-shore-home-field-worker-cybersecurity/
-
Can you prove the person on the other side is real?
Tags: access, ai, business, control, credentials, exploit, governance, identity, least-privilege, risk, threat, tool, updateExploiting the deceased and the dormant: Attackers follow leverage. Dormant, legacy and deceased identities create leverage because they already come with history, which serves as scaffolding for a synthetic persona to climb.I have seen how quickly a subdued record can become an entry point. An adversary pairs an older account or identity footprint with newly…
-
Don’t confuse asset inventory with exposure management
Tags: access, ai, api, attack, breach, business, chatgpt, cloud, compliance, control, credentials, cyber, cybersecurity, data, data-breach, detection, endpoint, flaw, framework, governance, government, identity, infrastructure, intelligence, Internet, leak, least-privilege, metric, mfa, monitoring, network, regulation, risk, saas, service, software, threat, tool, update, vulnerability, vulnerability-managementAsset discovery tells you what IT exists in your environment. Exposure management tells you what will get you breached. If your platform can’t connect vulnerabilities, identities, misconfigurations, and AI systems into real attack paths, you don’t have exposure management. You have inventory. Key takeaways True exposure management requires more than asset inventory. It’s about merging…
-
Don’t confuse asset inventory with exposure management
Tags: access, ai, api, attack, breach, business, chatgpt, cloud, compliance, control, credentials, cyber, cybersecurity, data, data-breach, detection, endpoint, flaw, framework, governance, government, identity, infrastructure, intelligence, Internet, leak, least-privilege, metric, mfa, monitoring, network, regulation, risk, saas, service, software, threat, tool, update, vulnerability, vulnerability-managementAsset discovery tells you what IT exists in your environment. Exposure management tells you what will get you breached. If your platform can’t connect vulnerabilities, identities, misconfigurations, and AI systems into real attack paths, you don’t have exposure management. You have inventory. Key takeaways True exposure management requires more than asset inventory. It’s about merging…
-
Don’t confuse asset inventory with exposure management
Tags: access, ai, api, attack, breach, business, chatgpt, cloud, compliance, control, credentials, cyber, cybersecurity, data, data-breach, detection, endpoint, flaw, framework, governance, government, identity, infrastructure, intelligence, Internet, leak, least-privilege, metric, mfa, monitoring, network, regulation, risk, saas, service, software, threat, tool, update, vulnerability, vulnerability-managementAsset discovery tells you what IT exists in your environment. Exposure management tells you what will get you breached. If your platform can’t connect vulnerabilities, identities, misconfigurations, and AI systems into real attack paths, you don’t have exposure management. You have inventory. Key takeaways True exposure management requires more than asset inventory. It’s about merging…