惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Scott Helme
Scott Helme
N
Netflix TechBlog - Medium
AI
AI
Security Latest
Security Latest
GbyAI
GbyAI
P
Proofpoint News Feed
Y
Y Combinator Blog
A
Arctic Wolf
G
Google Developers Blog
U
Unit 42
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
T
Tor Project blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threatpost
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
B
Blog RSS Feed
The GitHub Blog
The GitHub Blog
Microsoft Azure Blog
Microsoft Azure Blog
博客园 - 【当耐特】
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Cisco Blogs
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
阮一峰的网络日志
阮一峰的网络日志
Latest news
Latest news
L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
WordPress大学
WordPress大学
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
Simon Willison's Weblog
Simon Willison's Weblog
V
V2EX
Project Zero
Project Zero
博客园_首页

Blog | Orca Security

Langflow RCE Actively Exploited to Deploy Cryptominers on AI Infrastructure Orca MCP: When Text Stops Scaling Kubernetes Compliance Tools: Automating CIS Benchmarks Risk-Based Vulnerability Management for the Cloud: A 2026 Guide Private Cloud Security: Top Risks and Best Practices (2026) What Is Generative AI in Cybersecurity? Best Vulnerability Management Tools and Software in 2026 2026 State of Application Security Report Recap: What the Data Says and What Security Teams Should Do About It AI Security for Sensitive Data: Best Practices and Guidelines Best AI Code Security Solutions 2026: How to Secure AI-Generated Code From Platform to Program: How to Ensure Your Cloud Security Solution Delivers Best AI Cybersecurity Providers 2026: A Buyer's Guide to AI-Powered Security Platforms Join Orca Security at Black Hat USA 2026 CNAPP Tools That Reduce Security Tool Sprawl: CNAPP vs. Dedicated Solutions What Is Container Runtime Security? A Practical Guide 2026 What Is Application Security Testing? Tools and Types What Is Managed Cloud Security? A Practical Guide What Is SaaS Security Posture Management? SSPM Guide Top 10 Cloud Security Standards for Compliance What is the MIT License? Compliance and Comparisons AI Agents vs. Agentless Security vs. Agent-based Security 144 Mastra npm Packages Compromised via Supply Chain Attack The Complete Guide to LLM Security: Risks, Best Practices, and Solutions Cloud Security LIVE 2026: Top 10 Takeaways Practitioners Can Use Now Cloud Security LIVE 2026: Top 10 Takeaways CISOs Can Use Now (and What to Do Next) How Orca Traced an nginx Flaw to 1.45 Million Tengine Servers All Running Vulnerable Code What to Look for in Container Security Tools Cloud Application Security Best Practices for DevSecOps Cloud Security Tools: 10 Types Explained for Teams What Is NIST CSF? Framework 2.0 Explained 7 Open Source Incident Response Tools by Category Critical Langflow Path Traversal Flaw Exploited for Unauthenticated RCE Critical PhpSpreadsheet RCE Patch Bypass Puts Millions at Risk Critical Splunk Enterprise Vulnerabilities Allow Unauthenticated File Operations and Remote Code Execution 16 Best Open Source Application Security Tools 2026 What Is Containerization? Security and Best Practices 8 Container Security Best Practices for 2026 Close the Cloud Identity Gap with Orca and AWS IAM Access Analyzer The 5-Step Context-Aware Cloud Vulnerability Prioritization Framework Critical Jupyter Enterprise Gateway Vulnerabilities Enable Full Kubernetes Cluster Takeover AI Security Best Practices for Regulated Industries Massive PyPI Supply Chain Attack Harvests Cloud Credentials via Python Startup Hooks SAST vs SCA: Key Differences for AppSec Teams What Is Cloud Security Architecture? Principles, Layers, and Frameworks What Is ASPM? A Guide to Application Security Posture Management What Is SaaS Security? A Practical Guide 2026 What Is a Man-in-the-Middle Attack? A Cloud Security Guide What Is Open Policy Agent? Best Practices and Use Cases 11 Best Open-Source DevSecOps Tools for 2026 How to Secure AI Workloads in Multi-Cloud Environments: A Complete Framework Critical WordPress Plugin Vulnerability Allows Unauthenticated Admin Takeover on 150K Sites What Is Kubernetes as a Service? KaaS Explained Critical Netlogon RCE Flaw Actively Exploited Against Windows Domain Controllers Your FedRAMP Continuous Monitoring Strategy Has a Gap. We Built Something to Fix It. How to Simplify Multi-Cloud Compliance Reporting: The 2026 Checklist Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm Critical RCE in LiquidJS Lets Attackers Execute Arbitrary Commands on Unpatched Hosts Securing Shadow AI: How to Detect Unapproved LLMs in Your Cloud Data Security Posture Management (DSPM) for AI Gitea Container Registry Exposes Private Images to Unauthenticated Attackers Critical Unauthenticated RCE in Kopia Backup via SSH ProxyCommand Injection Best Palo Alto Networks Cortex (Prisma Cloud) Alternatives in 2026 7 Enterprise AI Security Risks to Manage Critical Pre-Auth RCE in ChromaDB Threatens AI Infrastructure Critical Coder Signature Bypass Exposes Developer Keys and Tokens New “PoolSlip” NGINX Exploit Revives Unpatched Remote Code Execution Risk Critical Drupal SQL Injection Exposes PostgreSQL-Backed Sites to Remote Code Execution AI Security Tools: How to Evaluate Them Across Every ML Attack Phase Massive npm Supply Chain Attack Compromises AntV Ecosystem, Steals CI/CD Secrets at Scale NIST AI Risk Management Framework (AI RMF) Explained: What It Is and How Organizations Use It The AI Data You Forgot to Lock: How Exposed Vector Databases Put Organizations at Risk GenAI Risks in Cloud Environments: What Security Teams Are Actually Missing in 2026 What Is Multi-Cloud Security? What Is Cloud Detection and Response (CDR)? Linux kernel vulnerability enables local theft of SSH host keys and /etc/shadow 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated DoS and Potential RCE Announcing Cloud Security Agent Skills for Orca’s MCP Server TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack Dirty Frag: Linux Kernel Vulnerability Chain Enables Local Privilege Escalation to Root Critical Apache HTTP Server HTTP/2 Vulnerability Could Enable Remote Code Execution Skill Issues: How We Discovered Supply Chain Attack Vectors in an AI Agent Skills Marketplace What Is an Incident Response Plan? What Is Cloud Data Security? Risks, Challenges, and 12 Best Practices Remote Code Execution in GitHub Enterprise Server via Git Push Injection (CVE-2026-3854) Linux Kernel Bug (Copy.Fail) Enables Local Privilege Escalation to Root (CVE-2026-31431) Xinference PyPI package compromise leads to full environment takeover What is Application Security? When AI Accelerates the Offense, Coverage Gaps Become Catastrophic Orca Security Recognized in the 2026 TAG Enterprise AI Security Handbook Navigating Cloud Security in 2026: Join Cloud Security LIVE Anthropic’s Project Glasswing Is a Positive Step Toward Cleaner, Safer Production Kyverno SSRF: Breaking Kubernetes Namespace Isolation (CVE-2026-4789) Streamline Compliance Reporting with Orca and Drata’s Integrated Vulnerability Management CVE-2026-23226: How a Missing Lock in ksmbd’s Channel List Exposes Your Linux SMB3 Server AI Is Entering Your Infrastructure. Now what? Orca Security Featured in SACR’s 2026 Unified Agentic Defense Platforms Report Supply Chain Attack on Axios Delivers Cross-Platform RAT via Compromised npm Account Credential‑Stealing Malware in LiteLLM Supply Chain Attack Mission Accomplished: Orchestrate Your Remediation Strategy With Orca Missions The Orca Approach to Runtime AI Security
2026 State of AppSec: When Development Velocity Outpaces Security
2026-04-07 · via Blog | Orca Security

Today, we’re excited to release the 2026 State of Application Security Report, which reveals deep insights uncovered by the Orca Cloud Security Platform across real production environments and modern software delivery pipelines. This year’s report highlights the most prevalent and consequential application security risk trends that organizations face today.

This research is based on data compiled by the Orca Research Pod, analyzing data from more than 1,000 production organizations, spanning billions of cloud assets, CI/CD workflows, infrastructure-as-code deployments, containers, and source code repositories across AWS, Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud environments. 

In this blog, we provide an overview of the key findings, explore the trends shaping application risk, and share practical recommendations for reducing exposure across the modern software supply chain.

Report

2026 State of Application Security Report

The Orca Research Pod’s report presents several critical findings, including:

  • 78% of organizations run packages with critical vulnerabilities in production
  • 77% retain high or critical container vulnerabilities for more than 90 days
  • 31% expose valid secrets in source code and 30% retain them in Git history
  • 43% have exposed AI/ML credentials
  • 11% run publicly known malicious packages in production
  • 75% deploy infrastructure via code, but 84% use unencrypted storage and 80% lack logging

Below, we break down what these trends mean for modern application risk and how to reduce exposure.

“Application security has fundamentally changed, but many programs still operate as if it hasn’t. Software is built on open-source dependencies, automated pipelines, and infrastructure as code, while AI is increasing both scale and risk.

This report helps organizations understand where traditional approaches fall short and how to focus on the changes that materially reduce risk.”

Gil Geron, CEO and Co-founder of Orca Security

Rapid AI Adoption: Why 43% of Organizations Have Exposed AI/ML Credentials

AI-assisted development is increasing code generation, dependency usage, and service integration at a pace that traditional security controls were not designed to govern. It is also introducing a new class of high-impact exposures across modern application environments.

Our research found that 43% of organizations have exposed AI or machine learning credentials, including tokens for model hosting, inference APIs, and MLOps platforms. These credentials often grant access to proprietary models, sensitive datasets, and usage-based services, creating both security and financial risk through intellectual property theft, model manipulation, and large-scale GPU abuse.

The primary challenge in application security is no longer discovery. It is prioritization and action. Organizations are identifying vulnerabilities early in the lifecycle, but without production context they struggle to determine which issues are truly exploitable.

As a result, 77% of organizations retain high or critical container vulnerabilities for more than 90 days, and those that remain unpatched for 30 days are unlikely to be remediated at all. Over time, vulnerability backlogs become accepted operational risk rather than actionable remediation work.

Software Supply Chain Security: Defending the Primary Attack Surface

Modern applications inherit risk from the dependencies, build systems, and automation workflows they rely on. Attackers increasingly target these trust relationships to achieve broad downstream impact across multiple services and environments.

The report found that 11% of organizations are running publicly known malicious packages in production. Combined with the continued presence of Log4Shell in nearly half of environments, this shows that supply chain risk is widespread and slow to remediate. A single compromised dependency can propagate across environments, making supply chain attacks a scalable path from one intrusion to widespread compromise.

Infrastructure as Code (IaC) Security: Preventing Misconfiguration at Scale

Infrastructure is defined and replicated through code, which enables speed and consistency across cloud environments. However, when security controls are missing, this same automation replicates misconfigurations at scale.

75% of organizations manage infrastructure through code, yet 84% deploy unencrypted storage and 80% lack logging in IaC-managed environments. Overly permissive IAM roles and open network rules are frequently embedded in templates, allowing insecure configurations to be deployed repeatedly across production systems.

Secrets Detection: Closing the Direct Path to Cloud Compromise

Secrets remain one of the most reliable entry points for attackers because they grant immediate authenticated access to cloud services and internal systems. Hardcoded credentials, tokens in Git history, and secrets embedded in CI/CD workflows are routinely found in production code.

31% of organizations expose valid secrets in repositories, and 30% retain recoverable secrets in commit history, even after they appear to be removed. Because many of these credentials remain active, they create persistent and low-effort access paths into critical environments.

2026 AppSec Roadmap: Tactical Recommendations for Reducing Risk

The report outlines a clear, practical roadmap for reducing risk:

Immediate Security Actions: Priority Tasks for Days 0–30

  • Rotate exposed secrets
  • Patch actively exploitable CVSS 10 vulnerabilities
  • Restrict CI/CD token permissions

Short-Term Hardening: Security Controls for Days 30–90

  • Enforce dependency and malicious package controls
  • Harden repositories with branch protection, MFA, and signed commits
  • Add IaC security gates in CI/CD

Strategic Governance: Long-Term Initiatives for 90+ Days

  • Standardize container base images and rebuild pipelines
  • Adopt ephemeral credentials and Zero Trust for CI/CD
  • Implement continuous runtime monitoring 

These controls are not theoretical, they are the most direct ways to reduce real-world exposure across the software supply chain.

Application security must become a development competency

The data makes one thing clear: application security can no longer operate as a separate, downstream function. Every commit, dependency, and configuration change shapes risk across the software delivery lifecycle.

Organizations that succeed embed security directly into development workflows, prioritize issues based on real production context, and treat remediation as an operational process rather than a static backlog. In practice, this makes application security a core component of software quality owned jointly by development, security, and platform teams.

Unifying AppSec, CNAPP, and AI with the Orca Platform

The findings in the 2026 State of Application Security Report are based on data from the Orca Platform, which enables organizations to identify, prioritize, and remediate application risks across the software delivery lifecycle, from source code and dependencies to CI/CD pipelines, containers, and infrastructure as code. By unifying SCA, SAST, secrets detection, SCM and CI/CD security with runtime context, Orca helps teams focus on the vulnerabilities and exposures that actually matter. Orca’s agentless SideScanning™ technology delivers this coverage across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes.

Read the full 2026 State of Application Security Report to explore the complete data, trends, and recommended roadmap for reducing real production exposure.