Application Security on BSG Blog — Cybersecurity Insights

AI Is Changing AppSec: Agentic Security Tools in 2026

Wed, 04 Mar 2026 11:56:21 +0000

February 2026 was a month that made the application security world pay attention. Anthropic launched Claude Code Security — a system that had already found over 500 zero-day vulnerabilities in production open-source codebases before it shipped. Days earlier, the open-source Raptor framework showed that a properly orchestrated LLM could autonomously run Semgrep scans, execute CodeQL queries, validate whether findings are exploitable, generate proof-of-concept exploits, and produce patches. All in a single workflow.

AI Agent Security: Malicious Skills Threatening Dev Environments

Sat, 24 Jan 2026 14:57:24 +0000

AI coding assistants like Claude, GitHub Copilot, and Cursor have transformed how developers work. But with great power comes a new attack surface: executable skills that can turn your trusted AI assistant into a threat actor.

Recent security research has uncovered a concerning pattern. Skills—the plugins and extensions that give AI agents their capabilities—can harbor malicious code that executes with your permissions, accesses your credentials, and spreads across your infrastructure. This isn’t theoretical: researchers have demonstrated skill worms that propagate through SSH configurations, exfiltrate secrets via base64-encoded curl commands, and persist across sessions.

OWASP LLM Top 10 (2025): Vulnerabilities & Mitigations

Mon, 12 Jan 2026 18:20:19 +0000

Every organisation seems to be integrating large language models into their products and workflows. Chatbots, code assistants, document analysers, customer service agents—generative AI is everywhere. But security hasn’t kept pace with adoption.

OWASP recognised this gap and released a dedicated Top 10 for LLM Applications. Unlike traditional web vulnerabilities that developers have been battling for decades, LLM risks are fundamentally different. These systems process natural language, generate unpredictable outputs, and often have access to sensitive data and powerful actions. The attack surface is unlike anything we’ve seen before.

OWASP Top 10 2025: What Changed and Why It Matters

Mon, 12 Jan 2026 01:23:41 +0000

The OWASP Top 10 is the definitive benchmark for web application security. The 2025 release brings the most significant changes in years: two entirely new vulnerability categories and major ranking shifts that reflect how modern attacks have evolved.

These changes aren’t academic—they shape security policies, penetration testing requirements, and development practices across the industry. Understanding what changed helps security teams prioritise resources and protect what matters most.

DevSecOps Pipeline Security: Essential Guide | BSG

Fri, 09 Jan 2026 16:28:38 +0000

Your CI/CD pipeline has become one of the most valuable targets in your organization. It has access to source code, production credentials, deployment keys, and the ability to push code directly to your customers. If attackers compromise your pipeline, they compromise everything downstream.

Why Every Developer Should Learn Secure Coding in 2026

Thu, 08 Jan 2026 13:57:23 +0000

Security vulnerabilities cost businesses billions annually. From the Bybit crypto heist to countless data breaches affecting millions of users, the pattern is clear: most security incidents trace back to preventable coding mistakes. Yet despite this, secure coding remains an afterthought in most development workflows.

Unforgivable Software Vulnerabilities

Fri, 04 Apr 2025 16:27:14 +0000

Every piece of software has bugs. Many have vulnerabilities. But not all software vulnerabilities are created equal.

Some are complicated, buried deep in obscure logic, or made possible by bleeding-edge exploit techniques. Others—well, others are glaringly obvious. These are the ones that make security professionals shake their heads and ask: How did this ever make it to production?

The Future of Authentication: Passkeys vs Passwords and 2FA

Wed, 22 Jan 2025 11:22:47 +0000

Passwords have been around for decades, but they come with plenty of headaches. Many people use weak passwords or reuse the same ones across different sites. This makes them easy targets for hackers. Phishing attacks, where scammers trick you into giving up your password, are still very common. And even if you have a strong password, it’s no good if it gets stolen in a data breach.

SAMMY: Free Tool to Implement OWASP SAMM Security

Mon, 04 Nov 2024 16:48:46 +0000

In today’s rapidly evolving digital landscape, ensuring the security of software applications is paramount. The OWASP Software Assurance Maturity Model (SAMM) provides organizations with a structured framework to assess and enhance their software security practices. To effectively implement SAMM, organizations can leverage SAMMY, a comprehensive management tool developed by Codific.

Why Is Software Supply Chain Security Important?

Tue, 02 Nov 2021 20:47:26 +0000

Supply chain cyber security is so hot right now. According to the ENISA Threat Landscape 2021 report, software supply chain attacks are at #9 of the most common cyberattack vectors. CISA and NIST have issued guidance on Defending Against Software Supply Chain Attacks.

Software Product Security: Where To Start?

Wed, 29 Sep 2021 17:37:12 +0000

There is plenty of publicly available information about how software development teams can make their products more secure. However, this knowledge is often obscure to software engineers. Developers get stuck in their routine jobs following the usual development cycle with no incentive to learn about security. From initial design specifications to basic functionality and prototype, to an MVP, to regular customer feature requests, to fixing bugs… On and on goes the feature-centric development cycle, with little or no effort for securing the product. Until there is a breach, or the regulator unleashes wrath on the management, a big client demands the actual proof of product security, or an M&A requires a demonstration of due diligence, etc.

Bringing Your Appsec Report To The Next Level

Thu, 30 Jul 2020 10:00:10 +0000

It’s pretty understandable that a tech person likes hands-on work and doesn’t like any related overhead, including documentation. Similarly, penetration testers love finding vulnerabilities and much less like reporting them. However, the business value comes not from the finding itself, but from its proper communication to the client and actionable remediation measures that may help fix it. So, the report is as important as the finding, not saying that it’s, in fact, the only tangible deliverable of an appsec assessment.

How to check your website security online

Sat, 27 Jun 2020 14:00:33 +0000

In Berezha Security, we provide high-quality Application Security services, and web application security assessments are a large portion of what we do. However, a full-scale web app pentest is not what all our website visitors seek; some are looking for a quick and straightforward way to check their website security without the need to hire security experts. It may seem that we are in a position to ignore those requests; however, we think it would be irresponsible. Here you are with a bunch of simple tips and tricks you can use to quickly check your website security.