A new article is live on Cyfinoid Research:

AppSec in the New Security Cost Model

https://cyfinoid.com/appsec-in-the-new-security-cost-model/

The core argument is simple. AppSec is still reacting to AI by improving the vulnerability queue. Better reachability, exploitability scoring, CVE enrichment, and prioritization help, but they were designed around an older cost model.

AI changes attacker iteration cost. The defender bottleneck is increasingly verification capacity.

Can we safely validate, fix, test, deploy, and monitor changes at the required pace?

That changes how we should think about AppSec programs. Smaller stacks matter. Attack surface reduction matters. Bug-class elimination matters. Compensating controls need expiry and replacement plans. Test coverage becomes a security capability. Safe remediation throughput becomes a useful metric.

I also connect this to Goldratt's Theory of Constraints and the SaaS vs in-house ownership tradeoff, especially for SMBs.

The question is no longer only which vulnerability should be fixed first. The question is how much verified remediation an organization can safely produce.

#AI #appsec #softwaresupplychainsecurity

AppSec in the New Security Cost Model

AI changes AppSec economics. Learn why teams need smaller stacks, stronger verification, & safe remediation.

Cyfinoid Research

#Checkmarx is breached again via its Jenkins plugin GitHub repo compromised in a software supply chain hack:
#SoftwareSupplyChainSecurity
👇

https://www.bleepingcomputer.com/news/security/official-checkmarx-jenkins-package-compromised-with-infostealer/

Official CheckMarx Jenkins package compromised with infostealer

Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace.

BleepingComputer

#npm: TanStack npm packages (84 in total) compromised in a supply chain hack utilising a malicious payload designed to destroy files on developer machines if a stolen GitHub token is revoked ("dead-man's switch"):
#SoftwareSupplyChainSecurity
👇

https://snyk.io/blog/tanstack-npm-packages-compromised/

TanStack npm Packages Hit by Mini Shai-Hulud | Snyk

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory — producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stolen, and what you need to do right now.

Snyk
Precision Container Security with Docker and Black Duck | Docker

Learn from Docker experts to simplify and advance your app development and management with Docker. Stay up to date on Docker events and new version

Docker

Everyone's suddenly calling dependency cooldown the grand solution to software supply chain attacks. It isn't.

Cooldown helps only if the malicious payload is discovered, reported, and fixed during your cooldown window. Its success depends on someone else getting hit first, investigating first, reporting first, and cleaning up before your timer expires.

I'd call that outsourced blast absorption.

There's a flip side. If the update contains a security fix, cooldown keeps you vulnerable longer. The same control that might protect you from a fresh malicious release can delay exposure reduction for a known CVE.

A bigger problem: most dependency ecosystems don't give consumers a security-fix-only path. You can't say "just give me the patch, leave the rest unchanged." You get a new version - fix plus feature changes, dependency changes, build changes, maintainer changes, behavior changes. The security fix is bundled into a broader trust decision.

We already had discipline for this:

  • Use latest minus one
  • Let the world test first
  • Adopt stabilized releases
  • Maintain stable and current branches
  • Stage rollouts
  • Avoid blind auto-upgrades

Debian is the example I keep coming back to. Maintainers separate security fixes from feature changes. "Newer" isn't automatically "better." There's a security update path, gatekeeping, human review - someone actively separating urgent fixes from feature churn before anything ships into stable.

Modern registry automation treats the package version as the unit of trust. Debian-style maintenance treats the fix, the package, the branch, and the stability promise as separate concerns.

Whenever I bring up Debian, all I hear is: ancient, slow-moving, dinosaurs, unsuitable for modern software velocity.

We threw that discipline away because we wanted faster shipping, less maintenance overhead, fewer release branches, and more automation pretending to be engineering judgment. Now the same industry has rediscovered delayed adoption, cooldown windows, stable channels, and staged rollouts - as if it were a brave new supply chain insight.

The missing part: delayed adoption without review is still automation all the way down. A timer does not replace a maintainer. A cooldown window does not replace a security team. Waiting does not magically convert an unsafe package into a safe one.

Sometimes the delay exists because someone is looking. That human gatekeeping is itself a deterrent. Attackers prefer ecosystems where publishing is instant, adoption is automatic, and nobody has to justify why a change should enter stable systems.

Dependency cooldown is useful as one control in a broader system. You still need package review, lockfiles, internal mirrors, emergency bypasses for security fixes, runtime detection, registry monitoring, dependency inventory, and actual thinking.

Used alone, dependency cooldown is delayed trust.

And delayed trust is still trust.

#softwaresupplychainsecurity #trust
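
An added example, not part of the post above or any project's code: a small update gate that treats cooldown as one input, bypasses the timer (but not the review) for security fixes, and refuses to adopt on age alone. The `Update` fields, the 7-day window, the package names and the advisory placeholder are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

COOLDOWN = timedelta(days=7)  # assumed policy value, not taken from the post


@dataclass(frozen=True)
class Update:
    package: str
    version: str
    published: datetime
    fixes: Tuple[str, ...] = ()        # advisories that affect the pinned version
    reviewed_by: Optional[str] = None  # person who actually read the change


def decide(u: Update, now: datetime, cooldown: timedelta = COOLDOWN) -> Tuple[str, str]:
    """Return (action, reason) for one proposed dependency update."""
    age = now - u.published
    if u.fixes:
        # Waiting only prolongs known exposure: skip the timer, keep the review.
        ids = ", ".join(u.fixes)
        if u.reviewed_by:
            return "adopt", f"fixes {ids}; reviewed by {u.reviewed_by}"
        return "expedite-review", f"fixes {ids}; needs a reviewer now"
    if age < cooldown:
        return "hold", f"published {age.days} day(s) ago; cooldown is {cooldown.days}"
    if u.reviewed_by is None:
        # The timer expired but nobody looked: delayed trust, not review.
        return "hold-for-review", "cooldown elapsed without human review"
    return "adopt", f"aged {age.days} days; reviewed by {u.reviewed_by}"


# Constructed sample data (hypothetical packages and advisory id).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLES = [
    Update("libfoo", "2.4.0", NOW - timedelta(days=2)),
    Update("libbar", "1.9.1", NOW - timedelta(days=1), fixes=("ADVISORY-PLACEHOLDER",)),
    Update("libbaz", "3.0.0", NOW - timedelta(days=30)),
    Update("libqux", "5.2.0", NOW - timedelta(days=30), reviewed_by="alice"),
]


def plan(updates, now: datetime = NOW) -> dict:
    """Map each package to the action the gate chose for it."""
    return {u.package: decide(u, now)[0] for u in updates}


if __name__ == "__main__":
    for u in SAMPLES:
        print(u.package, u.version, *decide(u, NOW))
```
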

#PyPI: PyTorch Lightning and Intercom-client Packages Hit in Supply Chain Attacks to Steal Credentials.

This attack is linked with the Mini Shai-Hulud supply chain attack that targeted SAP-related npm packages on Wednesday.

#SoftwareSupplyChainSecurity
👇
https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html

PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials

Malicious Lightning 2.6.2/2.6.3 released April 30 enable credential theft via hidden payload, leading to PyPI quarantine and forced remediation.

The Hacker News
#npm: Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens:
#SoftwareSupplyChainSecurity
👇
https://www.bleepingcomputer.com/news/security/official-sap-npm-packages-compromised-to-steal-credentials/
Official SAP npm packages compromised to steal credentials

Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers' systems.

BleepingComputer

#Bitwarden CLI was compromised in a supply chain attack!

@bitwarden/[email protected] included malicious code:

#SoftwareSupplyChainSecurity
👇
https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Bitwarden CLI 2026.4.0 was compromised via GitHub Actions in Checkmarx campaign, exposing secrets and distributing malicious npm code

The Hacker News
Reclaim Developer Hours through Smarter Vulnerability Prioritization with Docker and Mend.io | Docker

Learn from Docker experts to simplify and advance your app development and management with Docker. Stay up to date on Docker events and new version

Docker
โš ๏ธ#Axios #npm package which is very widely used (83M weekly downloads) was compromised, turning installs into #malware ๐Ÿ˜จ
This supply chain attack has a large-scale impact: many JavaScript apps nowadays uses Axios:
#SoftwareSupplyChainSecurity
๐Ÿ‘‡
https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios 1.14.1 and 0.30.4 injected malicious [email protected] after npm compromise on March 31, 2026, deploying cross-platform RAT malware.

The Hacker News