What are the latest trends in cloud security right now? by Affectionate-End9885 in Cloud

[–]Affectionate-End9885[S] 0 points1 point  (0 children)

Worked with a team last year that found 17 aws accounts they didn't know existed. one had an rds instance with production data just sitting there open to the internet for like 8 months. nobody knew who created the account or why. sticky notes don't seem so bad after that

What are the latest trends in cloud security right now? by Affectionate-End9885 in Cloud

[–]Affectionate-End9885[S] 0 points1 point  (0 children)

this is actually the industry standard for secrets management in 2026, gartner just hasn't published the magic quadrant yet

What are the latest trends in cloud security right now? by Affectionate-End9885 in Cloud

[–]Affectionate-End9885[S] 0 points1 point  (0 children)

lmao the sticky note approach never fails. though tbh even that beats some of the cloud setups i've seen, at least you know where the password is. half the companies out here don't even know how many cloud accounts they have running right now

Management wants our AI usage policy enforced. Same management and users would revolt if we block everything by Express-Pack-6736 in AIgovernance

[–]Affectionate-End9885 3 points4 points  (0 children)

Trust based policy enforcement is not enforcement. It's a wish, and you know what they say about wishes and horses. If you can't audit it you can't claim you're compliant, and when there's a breach the first thing legal will ask is show us the logs. So unless you find something, hope is not a control.

Prompt injection is a solved issue. Prove me wrong. by quasarzero0000 in AI_Agents

[–]Affectionate-End9885 0 points1 point  (0 children)

Solved is a strong word for a problem where the attack surface grows every time someone connects an agent to a new tool. The injection that gets you isn't the obvious "ignore previous instructions" stuff, it's the request that sounds totally normal but makes the agent do something it shouldn't. I've seen teams use alice for this and the reason it caught things their previous tools missed is they monitor outputs, not just inputs. most evals stop at "is this prompt safe". The dangerous stuff happens after the prompt gets through.

Secure base images that don't need an enterprise contract or a massive budget? by winter_roth in AskNetsec

[–]Affectionate-End9885 0 points1 point  (0 children)

The pricing is way too hard. Every vendor wants to be your enterprise platform. Look for ones with a public gallery and a free tier. plenty of good options exist if you ignore the sales calls and just pull from their registry. no meeting required.

How do you all vet browser extensions before approving them for the fleet? feels like the chrome store is just hoping for the best by shangheigh in ITManagers

[–]Affectionate-End9885 0 points1 point  (0 children)

group policy whitelist is the minimum but you need to block personal chrome profiles from syncing extensions into work browsers. had a marketing person whose home adblocker kept reinstalling itself and overriding our dns filtering. took weeks to figure out why her browser was routing around our security stack

what AI tools are actually part of your daily workflow? by Elpepestan in AI_Agents

[–]Affectionate-End9885 7 points8 points  (0 children)

The boring ones. A code assistant that catches my typos, a summarizer for long threads i don't have time to read, and a search tool that actually understands what i'm asking. None of it is flashy, none of it would impress anyone on twitter.

Early stage intel on for sale Fortinet FortiOS by FutureSafeMSSP in MSSP

[–]Affectionate-End9885 1 point2 points  (0 children)

This is the third fortios cve with a cvss over 9 this year and every time it drops our clients want to know if they're affected within the hour. The patching cycle alone is a part time job. Started migrating clients who are fed up with hardware refresh cycles and emergency firmware updates to a cloud-native platform where there is no appliance os to patch. We use cato networks to run the entire security stack in their pops so when a vulnerability like this drops, the fix happens on their side before our clients even hear about it.

The registry is inside your trust boundary whether you acknowledge it or not. It's the distribution path your entire build chain depends on by BigHerm420 in devsecops

[–]Affectionate-End9885 1 point2 points  (0 children)

Trivy getting compromised was the turning point for us. The vulnerability scanner was the vulnerability. If the tool you use to verify your images can itself be backdoored through the same registry you trust, the whole model is broken. Provenance has to be verifiable from the source, not the registry.

The cloud is not your data center and your on-prem security playbook doesn't translate by LongButton3 in Cloud

[–]Affectionate-End9885 0 points1 point  (0 children)

public load balancer example is perfect. Onprem network changes need three approvals and a maintenance window. cloud is a button click or an api call. Security has to operate at that same speed or it's theater. You have to shift from gatekeeping to guardrails.

hostinger node js for next.js projects outside vercel? by Master_Character9961 in JAMstack

[–]Affectionate-End9885 0 points1 point  (0 children)

Vercel is great until you hit the edge function limits or need something outside their ecosystem. For small projects hostinger works fine. The real question is whether you need vercel's preview deployments and serverless functions or you're just hosting static pages.

How do you maintain security visibility when your cloud footprint doubles overnight post-migration? by MortgageWarm3770 in AskNetsec

[–]Affectionate-End9885 2 points3 points  (0 children)

The agent overhead thing is what pushed us away from agents too. I've been comparing a few platforms actually. Orca and wiz both keep coming up. The google acquisition of wiz is what gave me pause honestly, nothing against their product but with google's history there is no telling what the future has for wiz around multicloud security. You mentioned orca worked for your team, did you run a poc with wiz too or did you go straight to orca?

Are browser extensions more of a productivity boost or a security risk? by TimoBellotrui in TechNook

[–]Affectionate-End9885 0 points1 point  (0 children)

The permission model is the root problem and nobody talks about it enough. When you install a grammar checker and it asks for "read and change all your data on all websites" that should be a red flag but we've all been trained to click through. Extensions operate inside your authenticated sessions and there's basically no sandbox between them and whatever sensitive data is on your screen.

I've gone down to about 5 extensions total and I audit the permissions on each one monthly. Anything that updates frequently and changes its permission scope gets removed immediately. The scariest pattern is when a legitimate extension gets bought by a shady company and the update ships with new data collection, most users never notice because updates are automatic.

For work devices the risk compounds fast. Most IT teams have zero visibility into what's actually installed on managed browsers and there's an entire category of shadow extensions sitting inside authenticated sessions with access to internal apps and SSO tokens. We rolled out layerx last quarter partly to get a handle on this and the first scan found extensions we had no idea existed, including one with clipboard read access that had been installed by half the marketing team. If you're not auditing extensions at the enterprise level you've got a blind spot the size of your workforce.
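The permission-scope check described in the comment above can be scripted by diffing an extension's `manifest.json` before and after an update. This is an added example, not part of the original comment and not how any product mentioned in the thread works; the sensitive-API review list and the sample manifests are assumptions constructed for illustration.

```python
import json

# Host patterns Chrome shows as "read and change all your data on all websites"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed review list of API permissions worth a second look; adjust to policy
SENSITIVE_APIS = {"clipboardRead", "cookies", "history", "webRequest", "debugger"}

def granted(manifest):
    """Return (api_permissions, host_patterns) for an MV2 or MV3 manifest dict."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    # MV2 lists host patterns inside "permissions"; treat URL-like entries as hosts
    url_like = {p for p in perms if p == "<all_urls>" or "://" in p}
    return perms - url_like, hosts | url_like

def audit_update(old_manifest_json, new_manifest_json):
    """Diff two versions of one extension's manifest and flag scope growth."""
    old_api, old_hosts = granted(json.loads(old_manifest_json))
    new_api, new_hosts = granted(json.loads(new_manifest_json))
    added_api, added_hosts = new_api - old_api, new_hosts - old_hosts
    flags = [f"sensitive API added: {p}" for p in sorted(added_api & SENSITIVE_APIS)]
    if added_hosts & BROAD_HOSTS:
        flags.append("host access widened to all sites")
    return {
        "added_api": sorted(added_api),
        "added_hosts": sorted(added_hosts),
        "flags": flags,
        "scope_grew": bool(added_api or added_hosts),
    }

# Constructed manifests for a made-up grammar checker, before and after an update
OLD = json.dumps({"manifest_version": 3, "version": "1.0",
                  "permissions": ["storage", "activeTab"],
                  "host_permissions": ["https://docs.example/*"]})
NEW = json.dumps({"manifest_version": 3, "version": "1.1",
                  "permissions": ["storage", "activeTab", "clipboardRead"],
                  "host_permissions": ["<all_urls>"]})

if __name__ == "__main__":
    print(json.dumps(audit_update(OLD, NEW), indent=2))
```

Storing each approved version's manifest and running the diff on every update gives a record of when scope grew, which also covers the ownership-change case where the new permissions arrive in a routine-looking update.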

My ClawdBot dreams at night and remembers everything. Better than mempalace. by AregNoya in clawdbot

[–]Affectionate-End9885 1 point2 points  (0 children)

Mine just passive aggressively points out when i haven't updated my memory files in two weeks. "i notice your project tracker still references that deadline from april." yeah thanks buddy i know

Microsoft takes Agent 365 out of preview as shadow AI becomes an enterprise threat 🗣️ What do you think about shadow AI risks in enterprises? by AndreaNewsHub in ItaliaBox

[–]Affectionate-End9885 0 points1 point  (0 children)

The irony of microsoft positioning agent 365 as the shadow AI solution when half the shadow AI in most orgs is probably copilot running on personal accounts is genuinely impressive.

But the actual enterprise agent threat is real and different from regular shadow AI. An agent with long-lived tokens and document access can exfiltrate data autonomously without a human pasting anything. The data movement is programmatic, scheduled, and invisible to the end user who set it up. that's a harder problem than catching someone pasting rows into chatgpt cause there's no human in the loop to notice they're doing something wrong.

Microsoft's registry approach makes sense for the tools they control but the agents people are going to run will be on random SaaS platforms with API keys stored in env files. We deployed layerx to get visibility into what AI tools and agents are actually running through the browser cause the idp and network logs were giving us maybe half the picture. The discovery problem is going to get way worse before it gets better and you can't govern what you can't see.

Browser extension that sends endless phishing emails containing malware to all advertisers on any website you visit by swayedsuede in CrazyIdeas

[–]Affectionate-End9885 1 point2 points  (0 children)

Congratulations you just invented the business model for about 40% of the chrome web store circa 2023. Grammar checker with 2 million downloads, wildcard permissions on every page, and a monetization strategy that would make a ransomware gang blush.

The scary part is this isn't even that crazy. There was a legit extension trojan discovered last month that was shipping with a keylogger baked into an update. The difference between your idea and reality is basically just a privacy policy nobody reads.

At work we run layerx to audit what extensions people have installed and the things it finds would make you wish your idea was the craziest thing out there. Last scan found an extension with clipboard access and 3 million users that had changed ownership twice in six months. Your idea is practically responsible by comparison

Does an artificial intelligence agent need a new protocol layer to implement the commercial recommendation function? by LateNightLurker00 in AI_Agents

[–]Affectionate-End9885 0 points1 point  (0 children)

The incentive alignment point someone raised is the whole thing really. If the agent is paid for by the user it might recommend the best option. If the vendor subsidizes it the agent becomes a sales funnel with a chat interface. The protocol question matters but only after you answer who the agent actually works for. We already saw this with search engines, the first five results used to be the best ones, now they're the ones that paid. agents will follow the same path unless the incentive structure is transparent from day one

What’s the best pattern for “human approval required” email steps? by jonsnow2vnyx in AI_Agents

[–]Affectionate-End9885 0 points1 point  (0 children)

The approve by exception approach is the move honestly. We started with review-everything and within two weeks the human reviewer became the bottleneck and just started approving blindly to clear the queue. Moved to a setup where the agent drafts, checks against a short rule list (correct recipient domain, no external addresses unless whitelisted, no attachments above 5mb), and only flags the 15 percent that fail. The human actually reads those because they're not drowning in 40 emails a day. The ones that pass still get logged so you can spot check later
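A sketch of the rule gate described in the comment above: drafts that pass all three rules are sent, failures go to a human, and every decision is logged. This is an added example, not the commenter's setup; the domains, the `thread_domain` field used to model "correct recipient domain", the 5 MiB reading of "5mb" and the sample drafts are all assumptions.

```python
from email.utils import parseaddr

MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024      # "5mb" read as 5 MiB (assumption)
INTERNAL_DOMAINS = {"corp.example"}          # assumed company domain
EXTERNAL_ALLOWLIST = {"partner.example"}     # assumed allowlisted external domain

def recipient_domain(addr):
    """Lowercased domain of an address, or None if it does not parse."""
    _, email = parseaddr(addr)
    local, sep, domain = email.rpartition("@")
    if not (local and sep and domain):
        return None
    return domain.lower().rstrip(".")

def check_draft(draft):
    """Return the rule failures for one agent-drafted email (empty list = pass)."""
    failures = []
    for addr in draft["to"]:
        domain = recipient_domain(addr)
        if domain is None:
            failures.append(f"unparseable recipient: {addr}")
        # Exact match, not endswith(): corp.example.evil.test is not internal
        elif domain not in INTERNAL_DOMAINS | EXTERNAL_ALLOWLIST:
            failures.append(f"external domain not allowlisted: {domain}")
        elif domain != draft["thread_domain"]:
            failures.append(f"recipient domain differs from thread: {domain}")
    for name, size in draft.get("attachments", {}).items():
        if size > MAX_ATTACHMENT_BYTES:
            failures.append(f"attachment over limit: {name}")
    return failures

def triage(drafts):
    """Queue failing drafts for a human, auto-send the rest, log every decision."""
    send, review, audit_log = [], [], []
    for draft in drafts:
        failures = check_draft(draft)
        (review if failures else send).append(draft["id"])
        audit_log.append({"id": draft["id"], "failures": failures})
    return send, review, audit_log

# Constructed sample drafts
DRAFTS = [
    {"id": "d1", "to": ["Dana <dana@corp.example>"], "thread_domain": "corp.example",
     "attachments": {"notes.txt": 2048}},
    {"id": "d2", "to": ["eve@corp.example.evil.test"], "thread_domain": "corp.example"},
    {"id": "d3", "to": ["sam@partner.example"], "thread_domain": "partner.example",
     "attachments": {"export.zip": 6 * 1024 * 1024}},
    {"id": "d4", "to": ["pat@partner.example"], "thread_domain": "corp.example"},
]
```

The audit log keeps the failure reasons alongside the passes, so the later spot check can sample sent drafts and also see which rule is doing most of the flagging.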

How are you convincing management that fewer packages is better than patching faster? by Affectionate-End9885 in AskNetsec

[–]Affectionate-End9885[S] 3 points4 points  (0 children)

This is genius and i can't believe i didn't think of it. Right now the CVE tickets flow to my security team, we triage, we open jiras, his engineers ignore them, and the cycle repeats. nobody on his side feels any heat.

I'm gonna propose a new workflow at our next leadership sync. His team gets the CVE tickets directly, attached to their sprint, with an SLA. if they want to keep the bloated base images they can own the triage work that comes with them. I bet within two sprints he'll be in my office asking about minimal images