  • doyensec@infosec.exchange
    While we're happy for our prize and that our exploit targeting OpenAI's Codex in the Coding Agent category was successful at #PWN2OWN, this was a collision as the bug was previously known to the vendor. Back to the research! #P2OBerlin #doyensec #appsec #security #ai #openai
  • jbspeakr@infosec.exchange
    I wrote up how I think AppSec teams can adapt to and benefit from agentic engineering and its effects on the SDLC: Move from detection to mitigation. Become engineers, not gatekeepers. Partner with SRE and platform engineering. https://www.janbrennenstuhl.eu/appsec-agentic-engineering/ #sdlc #appsec #agenticengineering
  • zaproxy@infosec.exchange
    Blog: Automating OWASP PTK with ZAP (Phase 1). You can now automate OWASP Pentestkit using ZAP. https://www.zaproxy.org/blog/2026-05-06-automating-owasp-ptk-with-zap-phase-1/ #zaproxy #owasp-ptk #appsec
  • rootshellonline@infosec.exchange
    What’s trending in cybersecurity today? Find out with the latest YouTube playlist we’ve curated. https://www.youtube.com/playlist?list=PLXqx05yil_mfZioOOXxtIbrFO95MsYapW #Malware #Phishing #IncidentResponse #CyberAwareness #AppSec
  • marduk_james@infosec.exchange
    I just published a write-up on prototype pollution and how it leads to XSS. The key idea: you’re not injecting into the sink, you’re controlling the property lookup that eventually reaches it. Pollute → Gadget → Sink → Execution. Includes examples and common vulnerable patterns (merge functions, __proto__, etc.) https://medium.com/@marduk.i.am/prototype-pollution-15f47d9e5c6a #Cybersecurity #WebSecurity #AppSec #Infosec #BugBounty
  • solomonneas@infosec.exchange
    Defender zero-day added to KEV. FortiClient EMS SQLi is now in KEV with active exploitation. 🟡 Bitwarden CLI npm hijack may have exposed GitHub, npm, and cloud secrets. Patch immediately, review exposed EMS, and rotate creds if @bitwarden/cli 2026.4.0 was used. solomonneas.dev/intel #CyberSecurity #VulnerabilityManagement #ThreatIntel #AppSec
  • doyensec@infosec.exchange
    Join #Doyensec at #DEFCON Singapore - Demo Labs! Our Mohamed Ouad and Francesco Lacerenza present CloudSec Tidbits: Breaking “Secure-Looking” Cloud Architectures. See real-world cloud/AppSec bugs & labs. Details - https://defcon.org/html/defcon-singapore/dc-singapore-demolabs.html Tue 14:00 | Wed 12:00 | Thu 13:00 #cloudsec #appsec #security
  • fob@infosec.exchange
    Hello infosec.exchange. Fob is a 2FA app from Cleargate Labs, currently pre-launch, Android first. Three things we're doing differently:
    - Multi-tag accounts. One login can be "crypto" and "exchange" and "high-value" at the same time. No other authenticator does this.
    - Zero-knowledge sync. Vault encrypted on-device with Argon2id + AES-256-GCM. The server can't read your codes.
    - Export always. Your data is yours, regardless of what happens to us.
    fob.codes #2FA #infosec #authenticator #appsec
  • newsgroup@social.vir.group
    @cigitalgem The timing of your measurement work syncing with this article feels like a great example of the adage: proper measurement is what separates a standard from a myth.
  • owasp@infosec.exchange
    At OWASP Global AppSec Vienna, there will be sessions, coffee runs, vendor chats… BUT what if you left with more than swag? Meet The Mentor 25 June 2026, 10:30–11:45 CEST — speed-dating for mentors & mentees. Real convos and real connections. #appsec #owasp #OWASPVienna26 #mentors #conference
  • rootshellonline@infosec.exchange
    What’s trending in cybersecurity today? Find out with the latest YouTube playlist we’ve curated. https://www.youtube.com/playlist?list=PLXqx05yil_menB9CzGYR3VeV9TtRT_H1s #Malware #Phishing #IncidentResponse #CyberAwareness #AppSec
  • pentesttools@infosec.exchange
    New research from Matei "Mal" Bădănoiu (Pentest-Tools.com): Stored XSS to RCE in DNN Platform (DotNetNuke), CVE-2026-40321. SVG upload with javascript: in an <a href> bypasses the filter. The /API/personaBar/ConfigConsole/UpdateConfigFile endpoint writes an ASPX backdoor to the web root. whoami → iis apppool, Potato your way to SYSTEM. Delivery: DNN's own internal messaging. No external infra. https://pentest-tools.com/blog/dotnetnuke-xss-to-rce #RedTeam #InfoSec #CVE #AppSec
  • malick@infosec.exchange
    I don't use it myself, but I hear anyone still running OpenClaw versions prior to 2026.3.31 should patch ASAP. Your sandbox is currently looking more like a leaky sieve. Due to missing context validation in the heartbeat, an attacker can completely break out of the sandbox in the worst case and grab full access rights via privilege escalation. The only reliable fix is a direct version bump to the latest release. TL;DR: CVE-2026-41329 (don't panic, it's only a 9.9 crit) > OpenClaw users should update now, before someone involuntarily helps with your "pen-testing" #OpenClaw #CyberSecurity #AppSec #PatchDay
  • technadu@infosec.exchange
    The security implications of "Tokenmaxxing" cannot be ignored. As code churn increases by 800%+, the window for technical debt - and potential vulnerabilities - widens. If 10-30% of AI code is being rewritten within weeks, what does that say about the initial security audit of that code? Source: https://techcrunch.com/2026/04/17/tokenmaxxing-is-making-developers-less-productive-than-they-think/ Are you seeing more insecure patterns creeping into codebases via AI agents? Let’s discuss the risk-to-reward ratio of AI-accelerated development. Follow us for more technical analysis of the AI landscape. #InfoSec #AppSec #CyberSecurity #SecureCoding #DevSecOps #Technadu
  • owasp@infosec.exchange
    Big News, OWASP Community! The Global #AppSec USA CFP is OPEN! Got insights or real-world stories? Take the stage in San Francisco and inspire the AppSec community. https://sessionize.com/owasp-global-appsec-us-2026-cfp-SF/ #Cybersecurity #DevSecOps #Infosec #opensource #community #conference
  • bsidesluxembourg@infosec.exchange
    Added to the BSides Luxembourg 2026 Lineup! OUT OF SECURITY EXCEPTION: WHAT TO DO WITHOUT AN EXPERT TO SECURE YOUR SOFTWARE — Lisi Hocke (@lisihocke). Take control in this Talk (40 min) and learn how development teams can build secure software even without dedicated security experts. Security shouldn’t be a blocker waiting on experts. This session shows how everyday engineering activities—like planning features, collaborating across teams, and maintaining code—can be leveraged to significantly improve your product’s security posture without slowing down delivery. Discover how to integrate threat modeling into regular workflows, catch vulnerabilities earlier through collaboration, and use production insights to detect malicious behavior. This talk empowers teams to shift from dependency on security teams to building “secure enough” systems through practical, developer-driven approaches. Lisi Hocke (@lisihocke) is a security engineer focused on product security, with a passion for quality, collaboration, and continuous learning. A strong advocate for whole-team approaches, she shares her experiences to help teams build resilient and secure software while delivering real value. Conference Dates: 6–8 May 2026 | 09:00–18:00 14, Porte de France, Esch-sur-Alzette, Luxembourg. Tickets: https://2026.bsides.lu/tickets/ Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/ View full schedule & build your agenda: https://hackertracker.app/schedule?conf=BSIDESLUX2026 #BSidesLuxembourg2026 #SecureDevelopment #AppSec #DevSecOps #SoftwareSecurity #CyberSecurity
  • bsidesluxembourg@infosec.exchange
    New Talk Dropped for BSides Luxembourg 2026! WHAT’S OLD IS NEW: EXPLOITING CLASSIC VULNERABILITIES IN GRAPHQL APIS – Aleksa Zatezalo. Modern tech doesn’t mean modern security. This session walks through a real-world penetration test where a production GraphQL API backed by PostgreSQL was compromised using classic attack techniques—from schema enumeration to identifying vulnerable resolvers and injection points. Follow the full exploitation chain from blind SQL injection to database superuser access, and uncover how broken authentication logic in GraphQL can expose sensitive data. With a live demo of GrapeQL, attendees will gain practical testing workflows and defensive strategies to properly secure GraphQL APIs. Aleksa Zatezalo is a security engineer and offensive security researcher with experience in cloud security, penetration testing, and exploit development. A contributor to projects like Metasploit and an active member of the security community, he focuses on building practical tools and techniques to uncover and fix real-world vulnerabilities. Conference Dates: 6–8 May 2026 | 09:00–18:00 14, Porte de France, Esch-sur-Alzette, Luxembourg. Tickets: https://2026.bsides.lu/tickets/ Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/ View full schedule & build your agenda: https://hackertracker.app/schedule?conf=BSIDESLUX2026 #BSidesLuxembourg2026 #GraphQL #AppSec #WebSecurity #SQLInjection #CyberSecurity
  • anchore@mstdn.business
    AI supply chain risk is just 3rd-party risk at terrifying speeds. How do we trust code we did not write? Join Daniel Stenberg, Allan Friedman, Zach Hill, and Josh Bressers on April 21 to discuss securing modern software. Register: https://go.anchore.com/the-challenges-of-third-party-software.html #CyberSecurity #SBOM #AppSec
  • zastai@infosec.exchange
    OpenClaw Security Audit is a security audit capability for OpenClaw-like AI agent deployment environments. It is designed to answer a different question than a checklist. A checklist explains what teams should watch for. OpenClaw Security Audit helps determine what issues already exist in the environment they are actually running. Current scope includes:
    - 12 attack surfaces
    - 80 deterministic checks
    - 27 threat mappings
    - no LLM dependency
    - fully reproducible results
    It currently supports local instances, Docker containers, and remote port checks, with outputs in terminal, Markdown, and JSON formats. Examples include checks for gateway exposure, token handling, remote port visibility, and execution-boundary settings. OpenClaw Security Audit is now available. Try it here: https://github.com/zast-ai/openclaw-security-audit #AgentSecurity #AppSec #AISecurity #OpenClaw
  • cigitalgem@sigmoid.social
    Got this angle into the NYTimes today (unlocked article) https://www.nytimes.com/2026/05/12/technology/anthropic-claude-mythos.html?unlocked_article_code=1.h1A.aXHQ.35ofMK-FbSLN&smid=nytcore-android-share