惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

M
MIT News - Artificial intelligence
有赞技术团队
有赞技术团队
S
Schneier on Security
aimingoo的专栏
aimingoo的专栏
T
Troy Hunt's Blog
U
Unit 42
Hacker News - Newest:
Hacker News - Newest: "LLM"
V2EX - 技术
V2EX - 技术
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
H
Heimdal Security Blog
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Cloudbric
Cloudbric
Google DeepMind News
Google DeepMind News
C
Cisco Blogs
The Cloudflare Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
MyScale Blog
MyScale Blog
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
D
DataBreaches.Net
N
News and Events Feed by Topic
Security Archives - TechRepublic
Security Archives - TechRepublic
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
F
Full Disclosure
The Register - Security
The Register - Security
L
LINUX DO - 热门话题
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
Intezer
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
T
Threatpost
Spread Privacy
Spread Privacy
小众软件
小众软件
AWS News Blog
AWS News Blog
S
Secure Thoughts
S
Security @ Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
J
Java Code Geeks

Help Net Security

Police arrest 10 suspected members of Black Axe cybercrime gang ShinyHunters claims it stole 1.4 million records from Udemy Sevii unveils Cyber Swarm Defense Mode to stop AI-driven attacks at scale Alleged Chinese hacker extradited to US over cyberattacks targeting COVID-19 research Cequence Agent Personas bring granular control and governance to enterprise AI agents NowSecure MARI gives enterprises evidence-based visibility into third-party mobile app risk The metrics killing your SOC, and what to use instead US state privacy fines reached $3.425 billion in 2025 Canada’s first SMS blaster case leads to three arrests Linux storage management tool Stratis 3.9.0 adds online encryption and cache-less pool startup TLS Connect gives SMBs a right-sized automated tool to manage TLS certificates Aptori expands its platform with autonomous offensive testing to reduce security bottlenecks Your IAM was built for humans, AI agents don’t care The AI criminal mastermind is already hiring on gig platforms 25 open-source cybersecurity tools that don’t care about your budget Product showcase: LuLu reveals unauthorized outbound connections from Mac apps Week in review: Claude Mythos finds 271 Firefox flaws, Vercel breach Users advised to drop passwords and make room for passkeys - Help Net Security Indirect prompt injection is taking hold in the wild - Help Net Security Compromised everyday devices power Chinese cyber espionage operations - Help Net Security New Cisco firewall malware can only be killed by pulling the plug - Help Net Security Meta is overhauling how you sign in, manage settings, and protect your accounts - Help Net Security Ubuntu 26.04 LTS delivers memory-safe system tools and live patching for Arm servers - Help Net Security OpenAI’s GPT-5.5 is out with expanded cybersecurity safeguards - Help Net Security AI is speeding up nation-state cyber programs - Help Net Security A study of 1,000 Android apps finds a privacy policy logging gap - Help Net Security IT spending to hit $6.31 trillion record, thanks to AI - Help Net Security Where AI in CI/CD is working for engineering teams - Help Net Security With AI's help, North Korean hackers stumbled into a near-undetectable attack - Help Net Security Hacker with a special interest in breaching sports institutions ends behind bars - Help Net Security IP Fabric MCP server adds governance and control to enterprise AIOps workflows - Help Net Security Aqua Compass MCP server enables real-time investigation and containment of runtime threats - Help Net Security Google brings instant email verification to Android, no OTP needed - Help Net Security If cyber espionage via HDMI worries you, NCSC built a device to stop it - Help Net Security Apple fixes iPhone bug that let FBI retrieve deleted Signal messages(CVE-2026-28950) - Help Net Security GopherWhisper APT group hides command and control traffic in Slack and Discord - Help Net Security OpenAI tackles a bad habit people have when interacting with AI - Help Net Security A year in, Zoom's CISO reflects on balancing security and business - Help Net Security Scenario: Open-source framework for automated AI app red-teaming - Help Net Security GDPR works, but only where someone enforces it - Help Net Security Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security Google’s Workspace Intelligence promises privacy while running on your data - Help Net Security Cyberattack on French government agency triggers phishing alert - Help Net Security Claude Mythos finds 271 Firefox flaws, Mozilla believes zero-days are numbered - Help Net Security Prove Identity Platform connects verification, authentication, and fraud prevention - Help Net Security New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security Acronis GenAI Protection gives MSPs control over AI usage and data risks - Help Net Security Elastic MCP Apps bring security and observability workflows into AI tools - Help Net Security Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876) - Help Net Security Tencent's QClaw AI agent app arrives on Windows and macOS - Help Net Security Phishing reclaims the top initial access spot, attackers experiment with AI tools - Help Net Security OneDrive updates focus on AI, access control, and compliance - Help Net Security PentAGI: Open-source autonomous AI penetration testing system - Help Net Security Apple Intelligence flaw kept stolen tokens reusable on another device - Help Net Security Shadow AI, deepfakes, and supply chain compromise are rewriting the financial sector threat playbook - Help Net Security Thunderbird 150 arrives with encrypted message search and OpenPGP improvements - Help Net Security VirtualBox 7.2.8 is out with Linux kernel 7.0 support and crash fixes - Help Net Security Ransomware negotiator admits role in attacks he was hired to resolve - Help Net Security Scattered Spider hacker pleads guilty to stealing $8 million in cryptocurrency Meta and PortSwigger drive offensive security further to find what others miss - Help Net Security EU pushes for stronger cloud sovereignty, awards €180 million to four providers - Help Net Security SmokedMeat: Open-source tool shows what attackers do inside CI/CD pipelines - Help Net Security How to spot a North Korean fake in a job interview - Help Net Security Product showcase: Syncthing for secure, private file synchronization - Help Net Security Week in review: Acrobat Reader flaw exploited, Claude Mythos offensive capabilities and limits Google wipes out 602 million scam ads with Gemini on duty Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild GitLab 18.11 brings agentic AI to security fixes, CI pipelines, and delivery analytics Liongard upgrades LiongardIQ with AI access, live asset data, and deeper discovery Mozilla challenges enterprise AI providers with Thunderbolt, open-source AI client under your control Codex can now operate between apps. Where are the boundaries? Android 17 Beta 4 arrives with post-quantum cryptography and new memory limits Apple AirTag tracking can be misled by replayed Bluetooth signals Social media bans might steer kids into riskier corners of the internet Workplace stress in 2026 is still worse than before the pandemic New infosec products of the week: April 17, 2026 - Help Net Security ImmuniWeb brings AI upgrades, post-quantum detection and more in Q1 2026 NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward Anthropic releases Claude Opus 4.7 with automated cybersecurity safeguards - Help Net Security Fortinet fixes critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808) - Help Net Security Google Play is changing how Android apps access your contacts and location Tails 7.6.2 patches vulnerability that could expose saved files Cargo theft malware actor spent a month inside a decoy network before researchers pulled the plug OpenAI updates Agents SDK, adds sandbox for safer code execution Anthropic tests user trust with ID and selfie checks for Claude GitHub lays out copyright liability changes and upcoming DMCA review for developers EU cybersecurity standards are at risk if supplier ban passes Command integrity breaks in the LLM routing layer The fully free Linux OS Trisquel gets a major update with version 12.0 Ecne Week in review: Windows zero-day exploit leaked, Patch Tuesday forecast ClickFix campaign delivers Mac malware via fake Apple page Poisoned “Office 365” search results lead to stolen paychecks Gmail’s end-to-end encryption comes to mobile, no extra apps required To counter cookie theft, Chrome ships device-bound session credentials Product showcase: Session, a messenger without phone numbers or metadata Little Snitch for Linux shows what your apps are connecting to - Help Net Security Apiiro CLI turns AI coding assistants into full-stack security engineers - Help Net Security April 2026 Patch Tuesday forecast: Spring-cleaning of a preview - Help Net Security What vibe hunting gets right about AI threat hunting, and where it breaks down - Help Net Security Health insurance lead sites sell personal data within seconds of form submission - Help Net Security
Reachability makes AI threat modeling worth the trust - Help Net Security
Mirko Zorz · 2026-06-16 · via Help Net Security

In this interview with Help Net Security, Oscar Andersson, CTO at Oplane, explains why most scanning tools fail. They cry wolf, flagging threats that cannot run in real code. The argument centers on reachability. A finding counts only when someone walks the path to impact on a working build. He shows how a chain of small design choices led to account takeover in a popular open-source project, then covers how to test a vendor’s claims, handle attacks aimed at the AI itself, and why reviewing every code change beats one yearly audit.

AI threat modeling

Security tooling tends to die not from missing real bugs but from crying wolf too often. When a system flags an architectural threat, what convinces you it found something exploitable rather than something that merely sounds dangerous in the abstract?

Triage fatigue is the single biggest killer of security tooling. SCA is the textbook case: a CVSS 9 alert lands, you drop everything, and the vulnerable function turns out never to be reachable from your code. The score was real; the risk was zero. Do that a dozen times and you have trained a good engineer to close the next 9.8 on sight.

The bar is whether the finding ties to a reachable path in the actual code. Reachability is the whole game, and it cuts both ways: the CVSS-9 that cannot execute fails from the scary side, and the genuinely exploitable bug usually looks boring from the other.

A recent case makes it tangible: an open-source project with more than 35,000 GitHub stars. Every scanner emits the abstract version – “you accept arbitrary file uploads.” On its own it looks contained: a Content-Security-Policy pins scripts to ‘self’, so an inline <script> or a foreign URL dies on arrival. Easy to close on sight. A checkbox reviewer either files the alert anyway or waves it through, and both fail, because nobody walked the path. The real finding was a chain, each link pinned to a line: uploads accept any type, the /uploads/* route needs no auth, the directory is listable so filenames enumerate, files serve inline with their content-type, and the CSP trusts the same origin the uploads sit on. No bypass needed: a .js file holds the code, an SVG pulls it in with <script src>, same origin – exactly what ‘self’ permits. The CSP was never defeated; it was satisfied. And it ran to the end – the payload mints a personal access token under the victim’s account, one that outlives the victim’s password reset, outlives session revocation, and even outlives kicking the attacker out of the workspace, because the key was never cut from the attacker’s account in the first place. Full account takeover, verified against a real build over curl.

“Sounds dangerous” dies the moment you ask for the line. “Exploitable” is a path that holds when you walk it. Thirty-five thousand stars did not find it. Walking the path did.

Code scanners have a workable notion of “this line is or isn’t vulnerable.” What is the equivalent ground truth for an architecture-level threat, and who or what gets to be the arbiter of correct?

SAST asks whether a line is written wrong. Threat modeling asks whether the design is wrong even when every line is written right. One looks for bad syntax. The other looks for bad ideas.

Ground truth does not vanish at the architecture level, it moves up one: the flaw lives in the relationship between components, so the unit of truth becomes the path – does this path reach impact on a real build. The upload case from the first answer has not one vulnerable line in it: uploads accept any type, files get served back, there is a CSP, every line correct on its own. The idea is the bug.

Which answers the second half: who is the arbiter. Not the threat modeler, not the model, not the most senior person in the room. A bad idea is a hypothesis until someone walks it to impact. The arbiter is the build, not an opinion.

I will be honest about the limit: not every architectural flaw is cheap to reproduce. Where a proof is buildable it is the gold standard; where it is not, the bar does not drop to “trust me,” it becomes a concrete attacker path with named preconditions, every step a skeptic can dispute. The line between rigor and opinion was never “did we run curl,” it is whether someone can dispute a specific step.

Every vendor claims low false positives. If you were sitting in this audience as a skeptic, what one question would you ask a CTO to separate a reliable system from one that has only tuned its demo?

The trap is the word “rate.” Every false-positive number you are shown was measured on a corpus the vendor chose, with thresholds the vendor tuned, the week before the demo. I would not ask for the rate. I would ask the system to show its work: the specific checks it ran, and the exact line of my own code each one passed or failed against.

A demo-tuned system is a single pass: code in, a verdict and a score out, and the score is the product. A system I would trust runs separate passes, each leaving an artifact you can hold: what could go wrong at all; what “done correctly” looks like, as discrete checks; then each check graded against the actual code – this one holds, here is the file and line; this one does not, here is what is missing. You cannot fake that chain, because the artifacts either exist or they do not.

Then one tell: which way does it break when it is wrong? Flagging a control as missing when it is present costs you ten minutes at the file it cites. Saying you are fine when you are not costs you the breach. A system I trust fails toward the first. A CTO who has never worked out which of his two errors is the expensive one is selling you a number, not a system.

An attacker who knows an AI is reviewing the work can write code, or structure an architecture, to slip past it, or try to manipulate the model’s reasoning directly. How seriously do you take adversarial pressure aimed at the analysis layer itself?

As seriously as it is possible to take it, and I show that by assuming the attacker wins. The model cannot be made injection-proof; it is a probabilistic reasoner reading attacker-supplied text. The question is what that manipulation buys the attacker – which moves the problem from prompting, where it cannot be solved, to architecture, where it can.

Split the attacker’s goal in two. The first is to suppress a finding, shaping the code so the reviewer calls the backdoor clean. I will not pretend that is solved, but the bar is “does the path reproduce,” and code that is both exploitable and reproduces as benign is hard to write. When the system cannot confirm a control it says “go check this,” not “you’re covered,” and it sits on top of human review, not in place of it.

The second goal has real blast radius, and almost nobody asks about it: owning the process running the model and pivoting, because that process holds credentials. The part that reads untrusted code is treated as already compromised – it holds exactly one credential, an ephemeral key scoped to the single job it is already doing, reviewing the attacker’s own work. It cannot reach another tenant, another job, or the platform’s keys; provider calls are brokered by the trusted side, so raw credentials never touch the box reading hostile input. And this is enforced: a build check fails if a credential-bearing variable ever appears there. An attacker can sometimes win the argument with the model; he cannot turn that win into access to anything that was not already his.

Some argue any probabilistic system is unfit for security decisions and that determinism is non-negotiable. Make the opposite case: why might a system that is right most of the time still beat the deterministic tools people lean on now?

Let me concede the hard part: a probabilistic system will not make you bulletproof, and I doubt any ever will. But the demand for determinism assumes the deterministic tools we lean on now deliver the security the probabilistic ones cannot. They do not. No one was ever made bulletproof by an annual pen test, a design-time threat model, or a SAST run; those fail the same bar, just on a schedule everyone got used to.

And the determinism is about the wrong axis: a scanner is certain about whether a pattern is present, not whether it is reachable – certainty about a proxy for the thing you actually care about.

Deep reasoning about what could go wrong with a design used to live only in the annual pen test and the threat model, both photographs: true the day they are taken, drifting with every merge after. Bringing that reasoning to every pull request, even right most of the time rather than all of the time, turns “unexamined until next year” into “examined before it merges.”

And you do not have to choose. The per-PR check covers the 364 days the pen tester is not there, and you are not betting on a coin flip inside it: discovery is probabilistic, confirmation is not – the path reproduces on a real build or it does not. A team that moves from one architectural review a year to one on every change it ships has improved its posture in a way no added accuracy on the yearly review could match. That is the trade, and it is not close.

Guide: What automated pentesting alone cannot see