惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 聂微东
S
Schneier on Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
T
The Exploit Database - CXSecurity.com
T
Tenable Blog
I
Intezer
T
Threat Research - Cisco Blogs
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cybersecurity and Infrastructure Security Agency CISA
P
Privacy International News Feed
P
Palo Alto Networks Blog
The Register - Security
The Register - Security
IT之家
IT之家
Google DeepMind News
Google DeepMind News
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LINUX DO - 最新话题
S
Securelist
WordPress大学
WordPress大学
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Hugging Face - Blog
Hugging Face - Blog
N
News and Events Feed by Topic
H
Help Net Security
Project Zero
Project Zero
K
Kaspersky official blog
博客园 - 三生石上(FineUI控件)
L
LINUX DO - 热门话题
大猫的无限游戏
大猫的无限游戏
G
GRAHAM CLULEY
F
Full Disclosure
博客园 - 叶小钗
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
TaoSecurity Blog
TaoSecurity Blog
N
News | PayPal Newsroom
Forbes - Security
Forbes - Security
博客园 - 司徒正美
I
InfoQ
Recent Announcements
Recent Announcements
Attack and Defense Labs
Attack and Defense Labs
P
Privacy & Cybersecurity Law Blog
S
Security @ Cisco Blogs
人人都是产品经理
人人都是产品经理
The GitHub Blog
The GitHub Blog
Simon Willison's Weblog
Simon Willison's Weblog
G
Google Developers Blog
N
Netflix TechBlog - Medium
U
Unit 42
阮一峰的网络日志
阮一峰的网络日志

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
JPMorgan Just Published a Cyber To-Do List and Snyk Covers 8 of the 10 Items. How do you stack up?
SnykSec · 2026-04-24 · via DEV Community

Key takeaway

JPMorganChase's Global Technology Leadership published "Fortifying the enterprise: 10 actions to take now for AI-ready cyber resilience" on April 17, 2026. It's a CISO mandate for every large enterprise. Snyk directly addresses 8 of those 10 actions — out of the box, in the developer workflow, with one platform.

Why this directive landed with a thud

When JPMorgan's global technology leadership publishes a public cyber checklist, security teams at large enterprises take notice. JPMorgan spends roughly $15 billion a year on technology and runs one of the most battle-tested security programs on the planet. When they say "do these 10 things," it lands less like advice and more like a preview of what regulators and boards will soon require.

The timing is no accident. AI is rapidly narrowing the window between a vulnerability's discovery and exploitation. Processes designed for quarterly release cycles are now a liability. The JPMC directive acknowledges this directly — as does Anthropic's companion security post from April 10, which describes AI models as increasingly effective at chaining known bugs into working exploits.

"Adversaries are scaling attacks, compressing the time from vulnerability discovery to exploitation, and increasing the volume of threats that enterprises face each day."

— JPMorganChase Global Technology Leadership, April 17, 2026

All 10 actions, explained simply

Here's what JPMorgan said, what it means in practice, and where Snyk fits.

1. Run the latest software versions

✅ Snyk helps

JPMC requirements: Stop using outdated open source packages and end-of-life libraries. Only use current, well-maintained releases from trusted repositories.

How Snyk helps: Snyk SCA continuously scans every open source dependency, flags outdated or vulnerable packages, and opens automated fix pull requests — at every commit, before anything ships.

2. Manage assets and software components

✅ Snyk helps

JPMC requirements: Know exactly what's in every application. Build a Software Bill of Materials (SBOM) for each one, enriched with who owns it and how critical it is.

How Snyk helps: Snyk generates SPDX and CycloneDX SBOMs for every application and container, maps all open source dependencies, and integrates with tools like ServiceNow and Jira for ownership tracking.

3. Build a robust vulnerability management program

✅ Snyk helps

JPMC requirements: Fix known vulnerabilities in priority order — internet-facing systems first. Scan continuously, not quarterly. Factor in real-world exploit availability and CISA's Known Exploited Vulnerabilities (KEV) list.

How Snyk helps: Snyk scans every PR and build, prioritizes based on reachability and exploit maturity, natively ingests CISA KEV data, and uses Agent Fix to auto-generate remediation PRs that developers can accept with one click.

4. Stress-test incident response plans

⚠️ Foundational

JPMC requirements: Run tabletop exercises and live simulations. Test backup and recovery. Include legal, comms, and business leaders — and close the gaps you find.

How Snyk helps: IR planning is a program function, not a code scanner's job. Snyk supports post-incident reviews through audit trails, exception tracking, SBOM lineage, and compliance reporting. Pair with a dedicated IR platform for the exercises themselves.

5. Know your SaaS and outsourced dependencies

✅ Snyk helps

JPMC requirements: Maintain a current register of every third-party service your critical systems depend on. Assess their security posture. Have an exit plan.

How Snyk helps: Snyk Evo AI-SPM inventories AI models, third-party AI services, agent frameworks, and MCP servers, extending supply chain visibility into the AI layer that most security teams still can't see. Discovery data shows 28% of enterprises already run agentic AI in production, most of it invisible to their security teams.

6. Speed up change management

✅ Snyk helps

JPMC requirements: Know how long it takes a patch to reach production. Automate testing and staged rollouts. Make security scanning a built-in quality gate — not a separate bottleneck.

How Snyk helps: This is the core Snyk use case. Native integrations with GitHub, GitLab, Bitbucket, Azure DevOps, Jenkins, CircleCI, and more. Security gates run automatically at PR, build, and deploy. JPMC is describing, in their own words, the category Snyk created.

7. Aggressively filter outbound traffic

⚠️ Foundational

JPMC requirements: Default-deny outbound traffic from production environments. Only allow approved endpoints. JPMC notes that this single control would have substantially mitigated both Log4Shell and SolarWinds.

How Snyk helps: Network egress is enforced by firewalls and cloud network policy — not code scanners. However, Snyk IaC catches misconfigurations that silently weaken those controls: overly broad NAT gateways, unrestricted 0.0.0.0/0 rules in Terraform, and Kubernetes NetworkPolicy drift.

8. Remove standing privileges

✅ Snyk helps

JPMC requirements: Eliminate persistent admin access. Use just-in-time entitlement. Require MFA and session recording. Pay special attention to service accounts — they're the most targeted.

How Snyk helps: PAM tools handle the identity plane. Snyk handles the upstream of the problem: Snyk Secrets detection finds embedded credentials, API keys, cloud tokens, and SSH keys in code and containers before they ever merge — removing the most common source of standing privilege leakage.

9. Manage remote access and segment networks

✅ Snyk helps

JPMC requirements: Require MFA for all remote access. Segment environments by trust level. Authenticate every system-to-system connection. Test with red team exercises.

How Snyk helps: Snyk IaC validates zero-trust and segmentation controls as code — VPC peering, private endpoints, service mesh mTLS, network ACLs, and firewall rules. Drift between your policy-as-code and the deployed network is caught at merge time, not after a red team finds it.

10. Embed security into AI development and deployment

✅ Snyk helps

JPMC requirements: Threat-model AI systems. Treat AI models and training data as high-value assets. Validate AI-generated code the same way you'd validate human-written code. Red-team for prompt injection and data poisoning.

How Snyk helps: Snyk Evo delivers the full AI security lifecycle: Agent Scan (scan AI-generated code), Snyk Studio (secure-by-default guardrails for coding agents like Cursor, Claude Code, Copilot), AI-SPM (model and agent inventory), Agent Red Teaming (adversarial testing for prompt injection), and MCP/agent supply chain security.

Why this is more urgent than it looks

The JPMC directive wasn't written in a vacuum. It's a direct response to AI changing the economics of cyberattacks. “We need to know that we can release it safely, and it’s not exactly clear how we can do that with full confidence,” said Logan Graham, the head of Anthropic’s Frontier Red Team, which evaluates AI for risks.

Both documents land on the same conclusion: defenders must use AI at the code level, continuously, at the speed of change. Quarterly scans and manual triage simply won't keep pace with automated exploitation at scale.

External research reinforces the stakes: BaxBench (ETH Zurich, UC Berkeley, 2025) found that 62% of frontier LLM-generated backend code is incorrect or insecure. As teams lean more heavily on coding agents, the volume of security issues entering codebases is rising — without automated scanning designed to detect AI-generated patterns.

How to operationalize this in 90 days

If you're a security team that needs to demonstrate progress against the JPMC 10, here's a practical phased approach:

Days 1–30 Close the most urgent code gapsDeploy Snyk Open Source, Snyk Code, and Snyk Secrets across your top 25 revenue-critical applications. Covers Actions 1, 2, 3, and the secrets portion of Action 8.
Days 31–60 Extend to cloud infrastructure Roll out Snyk IaC across production cloud accounts. Covers Actions 6, 7 (adjacent), and 9 — catching misconfigurations before they reach runtime.
Days 61–90 Secure the AI development layer Deploy Evo AI-SPM, Agent Scan, and Snyk Studio guardrails across active coding-agent deployments. Covers Actions 5 and 10. By day 90, 8 of 10 Actions are instrumented on one control plane.

JPMorganChase published the mandate, and Anthropic published the mechanics behind why it's urgent. Snyk is the platform that operationalizes both — natively in the developer workflow, across 8 of the 10 actions — at the speed AI is now generating code.

If you're a CISO, AppSec lead, or procurement owner mapping vendors to the JPMC 10, the table above is your RFP foundation. If you're a security team preparing for an order-of-magnitude increase in vulnerability volume, Snyk is the platform already instrumented for it.