惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyberwarzone
Cyberwarzone
C
CXSECURITY Database RSS Feed - CXSecurity.com
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Security Archives - TechRepublic
Security Archives - TechRepublic
Google Online Security Blog
Google Online Security Blog
D
Docker
H
Hacker News: Front Page
Recent Announcements
Recent Announcements
GbyAI
GbyAI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Proofpoint News Feed
Security Latest
Security Latest
AI
AI
I
InfoQ
Google DeepMind News
Google DeepMind News
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Scott Helme
Scott Helme
N
News | PayPal Newsroom
Y
Y Combinator Blog
V
Visual Studio Blog
Latest news
Latest news
大猫的无限游戏
大猫的无限游戏
Microsoft Security Blog
Microsoft Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
V
Vulnerabilities – Threatpost
C
Cyber Attacks, Cyber Crime and Cyber Security
TaoSecurity Blog
TaoSecurity Blog
S
Security @ Cisco Blogs
D
DataBreaches.Net
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
N
Netflix TechBlog - Medium
T
Troy Hunt's Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
H
Heimdal Security Blog
美团技术团队
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security Affairs
T
Threat Research - Cisco Blogs
Webroot Blog
Webroot Blog
G
Google Developers Blog
aimingoo的专栏
aimingoo的专栏

Blog | Orca Security

Langflow RCE Actively Exploited to Deploy Cryptominers on AI Infrastructure Orca MCP: When Text Stops Scaling Kubernetes Compliance Tools: Automating CIS Benchmarks Risk-Based Vulnerability Management for the Cloud: A 2026 Guide Private Cloud Security: Top Risks and Best Practices (2026) What Is Generative AI in Cybersecurity? Best Vulnerability Management Tools and Software in 2026 AI Security for Sensitive Data: Best Practices and Guidelines Best AI Code Security Solutions 2026: How to Secure AI-Generated Code From Platform to Program: How to Ensure Your Cloud Security Solution Delivers Best AI Cybersecurity Providers 2026: A Buyer's Guide to AI-Powered Security Platforms Join Orca Security at Black Hat USA 2026 CNAPP Tools That Reduce Security Tool Sprawl: CNAPP vs. Dedicated Solutions What Is Container Runtime Security? A Practical Guide 2026 What Is Application Security Testing? Tools and Types What Is Managed Cloud Security? A Practical Guide What Is SaaS Security Posture Management? SSPM Guide Top 10 Cloud Security Standards for Compliance What is the MIT License? Compliance and Comparisons AI Agents vs. Agentless Security vs. Agent-based Security 144 Mastra npm Packages Compromised via Supply Chain Attack The Complete Guide to LLM Security: Risks, Best Practices, and Solutions Cloud Security LIVE 2026: Top 10 Takeaways Practitioners Can Use Now Cloud Security LIVE 2026: Top 10 Takeaways CISOs Can Use Now (and What to Do Next) How Orca Traced an nginx Flaw to 1.45 Million Tengine Servers All Running Vulnerable Code What to Look for in Container Security Tools Cloud Application Security Best Practices for DevSecOps Cloud Security Tools: 10 Types Explained for Teams What Is NIST CSF? Framework 2.0 Explained 7 Open Source Incident Response Tools by Category Critical Langflow Path Traversal Flaw Exploited for Unauthenticated RCE Critical PhpSpreadsheet RCE Patch Bypass Puts Millions at Risk Critical Splunk Enterprise Vulnerabilities Allow Unauthenticated File Operations and Remote Code Execution 16 Best Open Source Application Security Tools 2026 What Is Containerization? Security and Best Practices 8 Container Security Best Practices for 2026 Close the Cloud Identity Gap with Orca and AWS IAM Access Analyzer The 5-Step Context-Aware Cloud Vulnerability Prioritization Framework Critical Jupyter Enterprise Gateway Vulnerabilities Enable Full Kubernetes Cluster Takeover AI Security Best Practices for Regulated Industries Massive PyPI Supply Chain Attack Harvests Cloud Credentials via Python Startup Hooks SAST vs SCA: Key Differences for AppSec Teams What Is Cloud Security Architecture? Principles, Layers, and Frameworks What Is ASPM? A Guide to Application Security Posture Management What Is SaaS Security? A Practical Guide 2026 What Is a Man-in-the-Middle Attack? A Cloud Security Guide What Is Open Policy Agent? Best Practices and Use Cases 11 Best Open-Source DevSecOps Tools for 2026 How to Secure AI Workloads in Multi-Cloud Environments: A Complete Framework Critical WordPress Plugin Vulnerability Allows Unauthenticated Admin Takeover on 150K Sites What Is Kubernetes as a Service? KaaS Explained Critical Netlogon RCE Flaw Actively Exploited Against Windows Domain Controllers Your FedRAMP Continuous Monitoring Strategy Has a Gap. We Built Something to Fix It. How to Simplify Multi-Cloud Compliance Reporting: The 2026 Checklist Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm Critical RCE in LiquidJS Lets Attackers Execute Arbitrary Commands on Unpatched Hosts Securing Shadow AI: How to Detect Unapproved LLMs in Your Cloud Data Security Posture Management (DSPM) for AI Gitea Container Registry Exposes Private Images to Unauthenticated Attackers Critical Unauthenticated RCE in Kopia Backup via SSH ProxyCommand Injection Best Palo Alto Networks Cortex (Prisma Cloud) Alternatives in 2026 7 Enterprise AI Security Risks to Manage Critical Pre-Auth RCE in ChromaDB Threatens AI Infrastructure Critical Coder Signature Bypass Exposes Developer Keys and Tokens New “PoolSlip” NGINX Exploit Revives Unpatched Remote Code Execution Risk Critical Drupal SQL Injection Exposes PostgreSQL-Backed Sites to Remote Code Execution AI Security Tools: How to Evaluate Them Across Every ML Attack Phase Massive npm Supply Chain Attack Compromises AntV Ecosystem, Steals CI/CD Secrets at Scale NIST AI Risk Management Framework (AI RMF) Explained: What It Is and How Organizations Use It The AI Data You Forgot to Lock: How Exposed Vector Databases Put Organizations at Risk GenAI Risks in Cloud Environments: What Security Teams Are Actually Missing in 2026 What Is Multi-Cloud Security? What Is Cloud Detection and Response (CDR)? Linux kernel vulnerability enables local theft of SSH host keys and /etc/shadow 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated DoS and Potential RCE Announcing Cloud Security Agent Skills for Orca’s MCP Server TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack Dirty Frag: Linux Kernel Vulnerability Chain Enables Local Privilege Escalation to Root Critical Apache HTTP Server HTTP/2 Vulnerability Could Enable Remote Code Execution Skill Issues: How We Discovered Supply Chain Attack Vectors in an AI Agent Skills Marketplace What Is an Incident Response Plan? What Is Cloud Data Security? Risks, Challenges, and 12 Best Practices Remote Code Execution in GitHub Enterprise Server via Git Push Injection (CVE-2026-3854) Linux Kernel Bug (Copy.Fail) Enables Local Privilege Escalation to Root (CVE-2026-31431) Xinference PyPI package compromise leads to full environment takeover What is Application Security? When AI Accelerates the Offense, Coverage Gaps Become Catastrophic Orca Security Recognized in the 2026 TAG Enterprise AI Security Handbook Navigating Cloud Security in 2026: Join Cloud Security LIVE Anthropic’s Project Glasswing Is a Positive Step Toward Cleaner, Safer Production Kyverno SSRF: Breaking Kubernetes Namespace Isolation (CVE-2026-4789) Streamline Compliance Reporting with Orca and Drata’s Integrated Vulnerability Management CVE-2026-23226: How a Missing Lock in ksmbd’s Channel List Exposes Your Linux SMB3 Server 2026 State of AppSec: When Development Velocity Outpaces Security AI Is Entering Your Infrastructure. Now what? Orca Security Featured in SACR’s 2026 Unified Agentic Defense Platforms Report Supply Chain Attack on Axios Delivers Cross-Platform RAT via Compromised npm Account Credential‑Stealing Malware in LiteLLM Supply Chain Attack Mission Accomplished: Orchestrate Your Remediation Strategy With Orca Missions The Orca Approach to Runtime AI Security
2026 State of Application Security Report Recap: What the Data Says and What Security Teams Should Do About It
Jake Kramber · 2026-06-25 · via Blog | Orca Security

Table of contents

  • 1. Velocity is the variable that changed everything, not AI itself
  • 2. Why Do Critical Vulnerabilities Stay Open for 90 Days After Discovery?
  • 3. Most Secrets Detection Programs Weren’t Built for AI Credentials
  • 4. One Malicious Package Can Cascade Across Your Entire Environment
  • 5. What Separates Security Teams That Reduce Risk From Teams That Just Generate Alerts
  • Where Does This Leave Security Teams?
  • How Orca Security Helps
  • Watch the full conversation

We put the 2026 State of Application Security Report in front of Jake Bernardes, CISO at Anecdotes and a former penetration tester, and Roi Nisimi, Principal Security Researcher at Orca Security for real-world perspectives on the key findings.

Here’s the breakdown of the major themes covered and what they mean for teams on the ground and security leaders:

1. Velocity is the variable that changed everything, not AI itself

The 2026 report shows 78% of organizations running production applications with critical vulnerabilities, and nearly 50% are still harboring Log4Shell-vulnerable systems. The instinctive reaction is to blame AI-assisted development. But that’s not quite the right diagnosis.

From Roi Nisimi’s researcher perspective, the underlying vulnerability classes haven’t changed. What has changed is how fast code moves from a developer’s prompt to a production environment, sometimes bypassing code review, branch protection, and CI/CD gates entirely. The report found that roughly 26% of organizations aren’t enforcing code reviews at all, and some allow GitHub Actions to auto-approve pull requests.

For security leaders, that reframes the problem. The question isn’t how to slow AI development down. It’s how to ensure that the hygiene controls that existed before AI, the ones that were already inconsistently applied, don’t get abandoned entirely in the race to ship faster.

It feels like in the age of AI, we’re saying: I want the fastest car you can sell me. I don’t really care if it’s got seatbelts. I just want fast. And that’s terrifying.

2. Why Do Critical Vulnerabilities Stay Open for 90 Days After Discovery?  

Over 77% of organizations have unpatched high or critical vulnerabilities after 90 days of discovery. Detection is no longer the hard part. The breakdown happens between identifying an issue and actually fixing it.

On the technical side, the challenge is context. Modern applications are deeply modular, built on layers of third-party dependencies, containerised components, and IaC templates. Fixing one thing without knowing what depends on it is a genuine risk. Most teams don’t have a complete picture of what composes their application, which means every remediation decision carries uncertainty about what else it might break.

From Jake’s perspective as a security leader, developer churn compounds this. Institutional knowledge, which components are load-bearing, which third-party packages are business-critical, how services are actually strung together, walks out the door constantly. Without documented remediation playbooks for common scenarios, teams default to deferring.

Your vulnerability list gets longer and longer and longer. But the reality is they never really go down. We are taking an approach which wasn’t fit for purpose twenty years ago and applying it to a world where people are vibe coding and pushing to prod at a speed we never thought possible.

3. Most Secrets Detection Programs Weren’t Built for AI Credentials

One of the sharper findings in the report: 43% of organizations have exposed AI/ML credentials like API keys and tokens for model hosting, inference APIs, and ML platforms. This is a relatively new attack surface that many security programmes haven’t caught up with.

The technical risk is specific. AI credentials typically grant access to proprietary models, sensitive training data, and usage-based services. Unlike a compromised database credential, an exposed AI API key can enable model manipulation, data exfiltration, and significant unexpected billing charges, all without triggering conventional security alerts.

For CISOs, this is a prioritization signal. Secrets detection programs that were built around database credentials and cloud access keys need to be updated to treat AI tokens with the same urgency. The exposure rate suggests most programs haven’t made that adjustment yet.

4. One Malicious Package Can Cascade Across Your Entire Environment 

11% of organizations are running publicly known malicious packages in production. The supply chain attack surface like NPM packages, containerised base images, IaC modules, and increasingly, AI-generated code and marketplace skills, is where a single compromise becomes a wide-blast-radius incident.

Roi’s researcher perspective here is grounded in how attackers actually think. A malicious package doesn’t need to be in wide use to be effective. It needs to be in the right place, such as inside a CI/CD pipeline, embedded in a base image that gets replicated across an environment, or sitting in an IaC template that gets instantiated hundreds of times. The cascading risk from a single compromised dependency is exponential, not linear.

The governance gap is in how teams treat third-party components. Star counts and credible authors are the primary trust signals most developers use, and sophisticated attackers have learned to game both. Treating supply chain security as an ongoing operational discipline, not just a periodic audit, is the shift that separates teams who catch these issues from teams who don’t.

The issues are the same issues. They just get different names. Hygiene is the main part — but you should always be reactive to what’s going on in the world, because hackers read the same news you do. It all comes down to who reacts faster.

5. What Separates Security Teams That Reduce Risk From Teams That Just Generate Alerts 

What actually separates the security teams that are reducing real risk from the ones that are generating more alerts? The answer that emerged from both perspectives came down to three things working together.

Continuous, real-time visibility into the production environment, not point-in-time snapshots. The context to understand which vulnerabilities are actually reachable and exploitable versus theoretical. And human expertise with an offensive mindset capable of looking at the data and knowing when the numbers are understating or overstating the risk.

The talent dimension is where Jake says CISOs have the most direct lever to pull. Security teams built primarily from generalists struggle with the technical depth needed to reason about modern application architecture. Bringing in people with engineering or red team backgrounds, or investing in developing that capability internally, changes what a security program can actually see and act on.

Ensure you have capable engineering and ex-hacking resources in your team so they can think like a hacker, think like an engineer. Think about the things that are the crown jewels — the things attackers are going to replicate into your environment the most — and protect those first.

Where Does This Leave Security Teams?

Neither Jake nor Roi was optimistic about a step-change improvement in the overall AppSec landscape over the next five years. The honest assessment: the industry will get better at remediation, better at prioritization, and smarter about how AI-generated code gets reviewed. But the attack surface will grow faster than those improvements, and the democratization of AI-powered offensive tooling means the barrier to entry for attackers is collapsing.

What that means practically is that the gap between organizations with mature security programs and those without is going to widen. The fundamentals, such as secrets hygiene, dependency management, enforced code review, and continuous runtime visibility haven’t changed. What’s changed is the cost of not doing them.

How Orca Security Helps

The findings in the 2026 State of Application Security Report reinforce a challenge many security teams already feel: visibility alone is not enough. Organizations need the ability to understand which risks are truly exploitable, how they connect across applications and cloud environments, and what should be fixed first.

Orca Security helps security teams cut through the noise by providing unified visibility across cloud, application, and AI environments, enriched with context and risk prioritization. By connecting vulnerabilities, secrets, dependencies, misconfigurations, and attack paths to real-world business impact, Orca helps organizations focus resources where they will reduce risk the most and accelerate remediation before attackers can take advantage.

Watch the full conversation

The webinar covers more ground than we could capture here, including how Jake used Xbox prizes to build a security culture without a compliance mandate, Roi’s live walkthrough of how non-internet-facing vulnerabilities still get exploited, and a debate between the two on whether traditional AppSec tools are broken or just behind.

Watch the full webinar for a deeper dive into the conversation.