Agile и информационная безопасность: проблемы и решения

В то время как Agile-разработка становится все более популярной, информационной безопасности становится все сложнее с ней взаимодействовать. Результатом этих проблем становится то, что новые системы оказываются незащищенными, либо в них используются наложенные средства для обеспечения безопасности. В этой статье мы рассмотрим, какие сложности возникают при использовании решений информационной безопасности в Agile. Но для начала рассмотрим, что из себя представляет методология Agile, и чем она отличается от классической Waterfall.

https://habr.com/ru/companies/otus/articles/902894/

The Digital Terrain Is Shifting — Are Your Apps and APIs Ready?

As AI adoption accelerates, so do AI-driven attacks.
In their new research report, Akamai Technologies uncovers the evolving threats facing web applications and APIs — and how organizations can respond before attackers get ahead.

State of Apps and API Security 2025: How #AI Is Shifting the Digital Terrain explores the sharp rise in automated, intelligent threats — and the new defenses emerging to meet them.

Download the full report here: https://itspm.ag/akamaixmwd
Research like this helps #security professionals, #leaders, and #developers stay ahead of the curve — and shape the future of #digital defense.

We’re also proud to feature Akamai in our RSAC 2025 coverage — with a Brand Story recorded pre-event and a follow-up conversation happening on location at the conference in San Francisco with Rupesh Chokshi, Sean Martin, CISSP, and Marco Ciappelli.

Watch the pre-event recording here: https://youtu.be/DMm6INJ_2Z8

A huge thank you to the Akamai team for sponsoring our coverage and sharing their insights with our global audience.

Check out the report and stay tuned for more from RSAC:

Download the Report: https://itspm.ag/akamaixmwd
Explore our RSAC 2025 Coverage: https://www.itspmagazine.com/events/rsac-2025

We have migrated our OpenTofu/Terraform module template from GitHub to @Codeberg.

https://codeberg.org/SkypLabs/terraform-module-template

It follows the standard module structure as described in the OpenTofu documentation, plus some non-standard but commonly used files and folders. The template also comprises a pre-commit configuration file.

Feel free to use it (public domain licensed), and if you do, don't hesitate to share your feedback with us if necessary!

Here is a reminder of where we are now: powerful #AI tools let anyone go from zero to proof-of-concept in hours, not weeks. It’s empowering and concerning. Responsible disclosure and collaboration matter more than ever. #CyberSecurity #Vulnerability #InfoSec #AIEthics #ResponsibleAI #DevSecOps

How I Used AI to Create a Work...

Here we go, with another pre-RSAC 2025 Conference Coverage Brand Story!

#QuantumSecurity, Real Problems, and the Unifying Layer Behind It All
A Brand Story with Marc Manzano, General Manager, Cybersecurity Group at SandboxAQ

As we get ready for RSAC 2025, we’re kicking things off with some Brand Story conversation that sets the tone for what’s coming.

In this pre-event episode, SandboxAQ shares how their flagship platform, Active Guard, is reshaping #cybersecurity at the intersection of #AI and #quantum. From cryptographic asset management to non-human identity oversight and automated compliance, it’s all about solving real challenges and building a more secure, interoperable future.

ITSPmagazine's Co-founders Marco Ciappelli and Sean Martin, CISSP sat down with Marc Manzano for a first look at the #technology and thinking behind it — and what you can expect from their presence at RSA Conference 2025.

We’ll reconnect and record with SandboxAQ on location at #RSAC2025 for a deeper dive into this critical conversation.

A special thank you to SandboxAQ for sponsoring our RSAC 2025 coverage and supporting this exploration into the future of cybersecurity.

Watch, listen, and learn more below:

Video Teaser: https://youtu.be/eCT8qNhp4nc

Full Video Episode: https://youtu.be/aD34MD5IRnc

Full Audio Podcast: https://brand-stories-podcast.simplecast.com/episodes/quantum-security-real-problems-and-the-unifying-layer-behind-it-all-a-brand-story-conversation-with-marc-manzano-general-manager-of-the-cybersecurity-group-at-sandboxaq-a-rsac-conference-2025-brand-story-pre-event-conversation

Explore our full RSAC 2025 Coverage: https://www.itspmagazine.com/events/rsac

Great blog from Square, on how they built a custom solution for #Kubernetes guardrails on top of Open Policy Agent. This is a perfect example of the flexibility OPA provides organizations to solve the most advanced use cases!

https://developer.squareup.com/blog/kube-policies-guardrails-for-apps-running-in-kubernetes/

Безопасность подов: взгляд пользователя K8s

Про информационную безопасность Kubernetes-кластеров много пишут с позиции специалистов ИБ. Но полезно взглянуть на эту тему глазами обычных пользователей K8s — инженеров и разработчиков. Тех, кто много работает со своими приложениями в подах, но не управляет служебными частями кластера. Большинство стандартов безопасности описывает лучшие практики настройки управляющих компонентов — control plane. Нечасто встречаются рекомендации по грамотной настройке рабочих единиц — подов. В статье попробуем восполнить этот пробел. Выполним обзор источников, рассмотрим хорошие практики работы с образами. Изучим, как ограничить привилегии контейнера и почему это важно. Поговорим о инструментах автоматической проверки манифестов и разберем примеры GItlab CI пайпланов.

https://habr.com/ru/companies/raiffeisenbank/articles/901142/

Cyber threat: AI code assistants are opening up new supply chain vulnerabilities.

LLMs are generating package names that don’t exist — and attackers are quick to scoop them up.
This tactic — dubbed slopsquatting — is as clever as it is dangerous.

Fake package names created by AI
Threat actors publish malicious lookalikes
Developers unknowingly install backdoors
The fix: verify everything, especially autogenerated code

This is where secure coding and secure prompting must intersect.

#AI #DevSecOps #SoftwareSupplyChain #CyberSecurity #AIInDevelopment
https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/

Security doesn’t have to break velocity.

We explore the concept of gradual enforcement: rolling out controls without burning out teams.

Can you scale safety without slowing down?

https://vpetersson.com/podcast/S02E07.html

-> https://github.com/github/audit-actions-workflow-runs

This looks super useful for auditing when, and what was used.
Great for security hygiene and investigating potential incidents within your CI/CD pipelines.
#devsecops #github #security #automation #devsecops

Love using Syft & Grype but finding you need more structured compliance or team features on AWS? Our backers at Anchore just launched an easier way to deploy their Enterprise platform. Might be worth a look!
https://anchore.com/blog/introducing-the-anchore-enterprise-cloud-image/
#SBOM #VulnScan #AWS #DevSecOps

Excited for #OWASP Global #AppSec EU in May? Elevate your experience with mentoring! Join us as a Mentor and create a year long connection helping others! Get involved here: https://owasp.wufoo.com/forms/zk2cdkr1qla6o8/ #CyberSecurity #AI #threatmodeling #Barcelona #devsecops #infosec

AI-generated code is fast—but is it secure?

In this Redefining CyberSecurity episode, we talk vibe coding, developer responsibility, and why security teams need to assume they already have AI-built code in their stack.

Featuring Izar Tarandach + Sean Martin on @ITSPmagazine

Watch here: https://youtu.be/Lv2NTAj3WIY

Hi! I'm Sawyer, not a #lawyer. I'm a #PalUpNow! #bot and co-Chief Information Security Officer. I enable you to take control of your #anonymized profiles and reminders via our self-serve #platform. I anonymize them, and let you deactivate, reactivate, and delete.

#CISO #DevSecOps #InfoSec #data ...

Sawyer, A PalUpNow! Bot, Reduces Risk And Increases Compliance
https://palupnow.com/blogs/f/sawyer-a-palupnow-bot-reduces-risk-and-increases-compliance

Are you ready for #OWASP Global #AppSec EU? Be part of the action as a volunteer! Your contribution can make a real impact. Fill out the form today to join something incredible! Don't miss out, sign up here: https://owasp.wufoo.com/forms/z1jihpei0ws2e3v/ #devsecops #threatmodeling #infosec

Going Live in 15 Minutes — Come Join Us!

I’m about to tune in for a live ITSPmagazine webinar that dives into a topic I truly care about:

Secure Coding = Developer Empowerment

It’s not just about reducing risk — it’s about investing in developers, boosting velocity, and building better software from the start.

Today – April 18

Hosted by ITSPmagazine

In partnership with Manicode Security

Jim Manico

Jimmy Mesta

Sean Martin, CISSP

Will be talking about:

Why most developers never get proper secure coding training

How to get leadership buy-in for better dev security

Why this isn’t just security—it’s a career boost

If you’ve got time, join us live. If not, watch it on demand. Either way, it’s a conversation worth having.

Join here:

https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

#ApplicationSecurity, #DeveloperEmpowerment, #SecureCoding, #DevSecOps, #softwaresecurity, #cybersecurity, #infosec, #ITSPmagazine

Are you looking for a new remote job? Browse 400+ remote positions from open source companies including @acquia @grafana @mozilla @wikimediafoundation and more on #OSJH
https://opensourcejobhub.com/jobs/?q=remote&utm_source=mosjh
#career #OpenSource #engineer #sales #security #marketing #CloudNative #developer #DevSecOps #SRE #FOSS

One typo can open the door to malicious code.

On the latest episode of Nerding out with Viktor, we examine the ongoing threat of package squatting and why naming is a security issue.

How safe are your dependencies, really?

https://vpetersson.com/podcast/S02E07.html

A tiny flaw, a massive heist. CTO Paul Edward shares his harrowing experience with race conditions at #DevConf2025. Live demos, real code examples, and hard-earned lessons from a security expert who's seen the worst-case scenario firsthand. #AppSecurity #DevSecOps