The EU AI Act says you must verify. OWASP's AISVS tells you what to verify across 14 categories. Neither tells you how to enforce.

That gap is where most agentic deployments fail. Part 1 of our new Regulatory Stack series maps the 14 AISVS categories onto a working 16-control enforcement architecture, with the architectural read on what's actually missing in production.

https://www.sakurasky.com/blog/regulatory-stack-part-1/

#AISVS #AgenticAI #AppSec #AIAct

The Regulatory Stack, Part 1: AISVS Has 14 Categories. GATE Has 16 Controls. Here Is the Map.

AISVS tells you what to verify. The AI Act tells you that you must. Neither tells you how to enforce. This is the engineering map between OWASP's verification standard and a working agentic-AI control plane.

The manual "security tax" of proving compliance is becoming unsustainable. Juggling a multitude of disconnected tools to satisfy external audits and meet industry regulations creates massive operational friction.

This week we announced a major release that fundamentally changes how organizations manage risk and SBOM compliance. We are transforming the static SBOM into a dynamic, automated compliance solution.

Join Alex Rybak ... https://go.anchore.com/anchore-enterprise-6.html

#CyberSecurity #SBOM #AppSec #Compliance

After uncovering memory bugs in NASA’s CFITSIO, we looked at turning its *documented* features into attack primitives.

Check out the blog post for details & a newly released Docker playground to reproduce the demos locally.

#AppSec #doyensec #security

https://blog.doyensec.com/2026/05/19/cfitsio-weaponized-filenames.html

More on Mythos. #swsec #appsec #MLsec #ML #AI

"What changed with Mythos Preview is that a model can now take those low-severity bugs (which would traditionally sit invisible in a backlog) and chain them into a single, more severe exploit."

https://blog.cloudflare.com/cyber-frontier-models/

Project Glasswing: what Mythos showed us

In recent weeks, we pointed Mythos and other security-focused LLMs at live code across critical parts of our infrastructure. We share what we observed, the models’ strengths and weaknesses, and what the work around them needs to look like before any of it can scale.

The Cloudflare Blog

Vulnlog 0.14.0 has been released. Highlights:

- Vulnlog now supports the Cargo Audit native suppression file format.
- Install Vulnlog with a simple install script.

https://vulnlog.dev/

#infosec #appsec #opensource

🚨 CRITICAL: CVE-2026-41947 in langgenius Dify ≤1.14.1 lets editor users bypass tenant checks, redirecting app messages to attacker LLMs. Free self-registration increases risk. Restrict editor roles & monitor configs. https://radar.offseq.com/threat/cve-2026-41947-authorization-bypass-through-user-c-da35e5dc #OffSeq #CVE202641947 #AppSec

The one good thing about the Mythos nonsense is at least broken software is finally being fixed. If that's what it takes, so be it. #swsec #appsec #MLsec

https://www.theguardian.com/technology/2026/may/18/anthropic-ai-claude-mythos-cyber-financial-stability-board-fsb

Anthropic to share Mythos cyber flaw findings with global finance watchdog

Startup has declined to release Claude Mythos AI model publicly amid fears it could be used by hackers

The Guardian

At AppSec Village, we're proud to have Finite State on board as a Silver Sponsor this year 💀💙

If connected device security is your world — they're worth knowing!

⬇️
https://buff.ly/I99VSjM

#AppSec #IoT #ProductSecurity

BIG NEWS! Anchore Enterprise v6 is officially here!

This major update is designed to help organizations finally eliminate the manual "security tax" through a unified, SBOM-powered compliance solution.

With over 15k new vulnerabilities reported in Q1 2026 alone and strict new cybersecurity regulations taking effect, organizations are facing a perfect storm of security risk. Juggling disconnected tools to keep up is no longer ... https://anchore.com/blog/anchore-enterprise-v6-announcement/

#CyberSecurity #SBOM #AppSec #DevSecOps

🔎 CVE-2026-8786: Tencent WeKnora 0.3.0 – 0.3.6 has a MEDIUM severity auth bypass in the Config API (kbId manipulation). No patch yet — restrict access & monitor updates. https://radar.offseq.com/threat/cve-2026-8786-authorization-bypass-in-tencent-wekn-4ef018b6 #OffSeq #Vulnerability #Tencent #AppSec