security controls

Two Different Attackers Poisoned Popular Open Source Tools

In March 2026, two separate supply chain attacks targeted popular open source tools—Trivy, a vulnerability scanner used by over 100,000 users, and Axios, a widely used JavaScript library—infecting them with malware to steal credentials from thousands of organizations. These attacks, attributed to distinct groups including a North Korean-linked threat actor and a cybercrime collective called TeamPCP, demonstrate a growing trend of sophisticated supply chain compromises that leverage social engineering and AI to exploit developer environments, underscoring the urgent need for improved software bill-of-materials (SBOMs) and enhanced security measures.

https://www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/

How to Protect Your Organization From AirSnitch Wi-Fi Vulnerabilities

The AirSnitch family of vulnerabilities exposes critical flaws in Wi-Fi client isolation features, allowing attackers connected to a guest network to access or inject traffic into other devices on the same access point, even across different SSIDs protected by WPA2 or WPA3. This attack exploits how access points handle group keys and packet routing, undermining the security of guest networks by enabling traffic injection and potential man-in-the-middle attacks without breaking encryption.

https://www.kaspersky.com/blog/airsnitch-wi-fi-client-isolation-guest-network-vulnerability-and-mitigation/55597/

12 AWS Cloud Security Best Practices for 2026: Cloud Security Guide

The article outlines 12 best practices for securing AWS cloud environments in 2026, emphasizing continuous, risk-based governance tailored to dynamic cloud workloads. Key recommendations include enforcing least-privilege identity access, continuous asset discovery, default encryption, API security, network segmentation, automated vulnerability management, container security, and securing AI workloads, all within the context of the AWS shared responsibility model where customers manage identity and configuration security. These practices, supported by unified platforms like Qualys TotalCloud™, aim to reduce exposures, accelerate threat detection and remediation, and maintain continuous compliance in complex cloud environments.

https://blog.qualys.com/product-tech/2026/04/09/1aws-cloud-security-best-practices-guide

14 Risk Oversight Principles You Haven’t Heard Before

Protiviti’s Jim DeLoach presents 14 lesser-known principles of risk oversight aimed at enhancing enterprise risk management (ERM) effectiveness, emphasizing continuous improvement in risk reporting, integration of risk processes into business operations, and adapting to digital transformation. He stresses the importance of balancing risk and opportunity, fostering collaboration across organizational levels, making timely decisions with imperfect information, and cultivating a culture of open risk discussions, all to better prepare organizations for uncertainty and align risk management with strategic goals.

https://www.corporatecomplianceinsights.com/14-risk-oversight-principles-you-have-not-heard-before/

Back to Basics: 14 Risk Oversight Rules You Know (But May Be Ignoring)

Jim DeLoach outlines 14 fundamental risk oversight principles that remain crucial despite advances in digital tools, emphasizing that risk management must be aligned with strategy and adapt continuously to a rapidly changing environment. He highlights the importance of understanding calculated risks, vigilance against cognitive biases, preparation for contingencies, and maintaining strong culture and communication to effectively manage critical enterprise risks and ensure organizational resilience.

https://www.corporatecomplianceinsights.com/risk-oversight-rules-you-know/

The Dark Side of DDoS: Why DDoS Downtime Is Harder to Prevent

Cloudflare's 2026 data reveals that DDoS attacks are increasingly sophisticated, AI-driven, and strategically timed to cause maximum disruption, often targeting critical services with low-volume Layer 7 attacks. Organizations face challenges maintaining resilience due to evolving network environments and configuration drift, highlighting the necessity for continuous, automated DDoS validation and proactive defense strategies to ensure service availability amid rapid changes and growing threats.

https://securityboulevard.com/2026/03/the-dark-side-of-ddos-why-ddos-downtime-is-harder-to-prevent/

Shadow AI Has Already Moved Into Your Organization

The article explains that “shadow AI” is already widespread in organizations, as employees use public or unapproved AI tools to speed up work without going through IT or security review. Because these tools can be accessed instantly in a browser, blocking them is often ineffective, resulting in lost visibility into how company data is used. The article concludes that organizations must shift from trying to prohibit AI use to creating governance frameworks, approved tools, and clear policies that enable productivity while maintaining security and compliance. 

https://www.forbes.com/sites/tonybradley/2026/03/19/shadow-ai-has-already-moved-into-your-organization/

Stop Building Security Goals Around Controls

Devin Rudnicki, CISO at Fitch Group, emphasizes that security goals should be aligned with business outcomes rather than focused solely on controls, advocating for strategies anchored in corporate objectives, real cyber threats, and industry standards. She highlights three key metrics for security programs—value, risk, and maturity—and stresses the importance of presenting risk in actionable terms for leadership, balancing innovation speed with measured risk, and using automation to free human resources for higher-value work.

https://www.helpnetsecurity.com/2026/03/18/devin-rudnicki-fitch-group-ciso-business-alignment/

Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches

A report from Grip Security reveals that all analyzed companies operate SaaS environments embedded with AI, with a 490% year-over-year increase in public SaaS attacks, 80% involving sensitive data. The article highlights how “shadow AI” (agentic AI within SaaS apps, often implemented without IT oversight) enables attackers to use stolen OAuth tokens to cascade breaches across multiple organizations, as exemplified by the widespread 2025 Salesloft Drift breach. It emphasizes the urgent need for better visibility, continuous governance, and risk-based controls of AI in SaaS to prevent massive cascading cybersecurity incidents.

https://www.securityweek.com/the-shadow-ai-problem-how-saas-apps-are-quietly-enabling-massive-breaches/

Top 5 Things CISOs Need to Do Today to Secure AI Agents

The article emphasizes the critical need for Chief Information Security Officers (CISOs) to secure autonomous AI agents by treating them as first-class digital identities and shifting focus from traditional AI guardrails to strict identity-based access controls. It outlines five key actions: managing AI agents as distinct identities with clear ownership and permissions, eliminating shadow AI through continuous identity visibility, securing agents based on their intent, and implementing full lifecycle governance to prevent risk accumulation. It highlights that identity is the foundational and scalable control plane essential for safe AI deployment.

https://www.bleepingcomputer.com/news/security/top-5-things-cisos-need-to-do-today-to-secure-ai-agents/
