#jobs #incident #vulnerability #patch-management #security-tools #ai #detection-engineering #exploit #breach #malware #ransomware #phishing #cloud #zero-day #authentication
Articles tagged with: #sast Clear filter
My experience with LLM Code Review vs Deterministic SAST Security Tools

My experience with LLM Code Review vs Deterministic SAST Security Tools

Technical Information Security Content & Discussion www.reddit.com

TLDR: LLMs generally perform better than existing SAST tools when you need to answer a subjective question that requires context (ie lots of ways to define one thing), but only as good (or worse) when looking for an objective, deterministic output. AI is all the hype commercially, but at the same time has a pretty negative sentiment from practitioners (at least in my experience). It's true there are lots of reason NOT to use AI but I wrote a blog post that tries to summarize what AI is actually...

#ai #sast
Security Evaluation of Android apps in budget African Mobile Devices

Security Evaluation of Android apps in budget African Mobile Devices

cs.CR updates on arXiv.org arxiv.org

arXiv:2509.18800v1 Announce Type: new Abstract: Android's open-source nature facilitates widespread smartphone accessibility, particularly in price-sensitive markets. System and vendor applications that come pre-installed on budget Android devices frequently operate with elevated privileges, yet they receive limited independent examination. To address this gap, we developed a framework that extracts APKs from physical devices and applies static analysis to identify privacy and security issues...

#security-tools #sast
Detection of security smells in IaC scripts through semantics-aware code and language processing

Detection of security smells in IaC scripts through semantics-aware code and language processing

cs.CR updates on arXiv.org arxiv.org

arXiv:2509.18790v1 Announce Type: new Abstract: Infrastructure as Code (IaC) automates the provisioning and management of IT infrastructure through scripts and tools, streamlining software deployment. Prior studies have shown that IaC scripts often contain recurring security misconfigurations, and several detection and mitigation approaches have been proposed. Most of these rely on static analysis, using statistical code representations or Machine Learning (ML) classifiers to distinguish...

#detection-engineering #sast
SecureFixAgent: A Hybrid LLM Agent for Automated Python Static Vulnerability Repair

SecureFixAgent: A Hybrid LLM Agent for Automated Python Static Vulnerability Repair

cs.CR updates on arXiv.org arxiv.org

arXiv:2509.16275v1 Announce Type: new Abstract: Modern software development pipelines face growing challenges in securing large codebases with extensive dependencies. Static analysis tools like Bandit are effective at vulnerability detection but suffer from high false positives and lack repair capabilities. Large Language Models (LLMs), in contrast, can suggest fixes but often hallucinate changes and lack self-validation. We present SecureFixAgent, a hybrid repair framework integrating Bandit...

#security-tools #vulnerability #detection-engineering #ai #sast
Which compliance frameworks best represent secure coding, IaC controls, and developer skills on OWASP Top 10?

Which compliance frameworks best represent secure coding, IaC controls, and developer skills on OWASP Top 10?

cybersecurity www.reddit.com

I'm currently exploring how to map and measure security practices across three areas: Secure code controls (static analysis, secure coding guidelines, etc.) Infrastructure-as-Code security (Terraform, Kubernetes, cloud-native IaC scanning) Developer skills and awareness around the OWASP Top 10 My goal is to identify which compliance or maturity frameworks are most relevant for representing these domains in a structured way. For example, should I look at NIST SSDF, ISO 27001, SOC 2, CIS...

#cloud #nist #sast #k8s #iso-27001
Synergizing Static Analysis with Large Language Models for Vulnerability Discovery and beyond

Synergizing Static Analysis with Large Language Models for Vulnerability Discovery and beyond

cs.CR updates on arXiv.org arxiv.org

arXiv:2509.15433v1 Announce Type: new Abstract: This report examines the synergy between Large Language Models (LLMs) and Static Application Security Testing (SAST) to improve vulnerability discovery. Traditional SAST tools, while effective for proactive security, are limited by high false-positive rates and a lack of contextual understanding. Conversely, LLMs excel at code analysis and pattern recognition but can be prone to inconsistencies and hallucinations. By integrating these two...

#security-tools #vulnerability #ai #sast #security-testing
BEACON: Behavioral Malware Classification with Large Language Model Embeddings and Deep Learning

BEACON: Behavioral Malware Classification with Large Language Model Embeddings and Deep Learning

cs.CR updates on arXiv.org arxiv.org

arXiv:2509.14519v1 Announce Type: cross Abstract: Malware is becoming increasingly complex and widespread, making it essential to develop more effective and timely detection methods. Traditional static analysis often fails to defend against modern threats that employ code obfuscation, polymorphism, and other evasion techniques. In contrast, behavioral malware detection, which monitors runtime activities, provides a more reliable and context-aware solution. In this work, we propose BEACON, a...

#malware #detection-engineering #ai #sast
The Cybersecurity of a Humanoid Robot

The Cybersecurity of a Humanoid Robot

cs.CR updates on arXiv.org arxiv.org

arXiv:2509.14096v1 Announce Type: new Abstract: The rapid advancement of humanoid robotics presents unprecedented cybersecurity challenges that existing theoretical frameworks fail to adequately address. This report presents a comprehensive security assessment of a production humanoid robot platform, bridging the gap between abstract security models and operational vulnerabilities. Through systematic static analysis, runtime observation, and cryptographic examination, we uncovered a complex...

#security-tools #vulnerability #sast
Can LLM Prompting Serve as a Proxy for Static Analysis in Vulnerability Detection

Can LLM Prompting Serve as a Proxy for Static Analysis in Vulnerability Detection

cs.CR updates on arXiv.org arxiv.org

arXiv:2412.12039v3 Announce Type: replace Abstract: Despite their remarkable success, large language models (LLMs) have shown limited ability on safety-critical code tasks such as vulnerability detection. Typically, static analysis (SA) tools, like CodeQL, CodeGuru Security, etc., are used for vulnerability detection. SA relies on predefined, manually-crafted rules for flagging various vulnerabilities. Thus, effectiveness of SA in detecting vulnerabilities depends on human experts and is known...

#vulnerability #patch-management #detection-engineering #ai #sast
How would you filter out false positives from SAST DAST tools (been asked a lot times during appsec interviews)?

How would you filter out false positives from SAST DAST tools (been asked a lot times during appsec interviews)?

cybersecurity www.reddit.com

My generic answer is that I will start from the tools themselves and how much noise they create. Choosing a tool that generates least false positives should be the 1st step. Next step is to ensure how customizable each tool is in making rules. But seriously, what's the right answer to it? submitted by /u/Horror_Business1862 [link] [comments]

#security-tools #sast #dast
Signal-Based Malware Classification Using 1D CNNs

Signal-Based Malware Classification Using 1D CNNs

cs.CR updates on arXiv.org arxiv.org

arXiv:2509.06548v2 Announce Type: replace Abstract: Malware classification is a contemporary and ongoing challenge in cyber-security: modern obfuscation techniques are able to evade traditional static analysis, while dynamic analysis is too resource intensive to be deployed at a large scale. One prominent line of research addresses these limitations by converting malware binaries into 2D images by heuristically reshaping them into a 2D grid before resizing using Lanczos resampling. These images...

#malware #sast #dast
My take on LLMs in SAST: good for PRs, not yet for full repos

My take on LLMs in SAST: good for PRs, not yet for full repos

cybersecurity www.reddit.com

I am fairly new to Reddit but curious to hear thoughts on Semgrep's latest analysis of LLMs for finding code vulnerabilities: https://semgrep.dev/blog/2025/finding-vulnerabilities-in-modern-web-apps-using-claude-code-and-openai-codex/ I know AI in SAST has come up before, but I wanted to share my take and hear what others think. From my perspective, there are four key parameters to consider: accuracy, coverage, context size, and cost. Accuracy and coverage : Current LLMs seem far from...

#vulnerability #ai #sast
Why is Sonarqube considered a major SAST tool?

Why is Sonarqube considered a major SAST tool?

cybersecurity www.reddit.com

In most of the documents I read about SAST, when they give a few exemples they list Sonarqube but in my opinion it is not really a SAST tool. It's more a code quality tool that detect a few security issues along the way. So I usually don't talk about it when I am listing SAST tools but I'm starting to wonder if I'm missing something submitted by /u/Beneficial-War5423 [link] [comments]

#security-tools #sast
KubeGuard: LLM-Assisted Kubernetes Hardening via Configuration Files and Runtime Logs Analysis

KubeGuard: LLM-Assisted Kubernetes Hardening via Configuration Files and Runtime Logs Analysis

cs.CR updates on arXiv.org arxiv.org

arXiv:2509.04191v1 Announce Type: new Abstract: The widespread adoption of Kubernetes (K8s) for orchestrating cloud-native applications has introduced significant security challenges, such as misconfigured resources and overly permissive configurations. Failing to address these issues can result in unauthorized access, privilege escalation, and lateral movement within clusters. Most existing K8s security solutions focus on detecting misconfigurations, typically through static analysis or...

#cloud #ai #sast #privilege-escalation #k8s
Kusto Detective Agency: Echoes of Deception - 0-8 Solves

Kusto Detective Agency: Echoes of Deception - 0-8 Solves

Hackerman's Hacking Tutorials parsiya.net

Kusto is kinda important at my current employer and one of my work besties does SecOps. So, I've decided to for Kusto Detective Agency challenge Echoes of Deception. It turns out Kusto is not just a better looking SQL, it does a lot more. E.g., it can make a graph and find paths (yes, as I've just searched, T-SQL can also do this). It makes me wonder if we can do some esoteric data flow static analysis by converting the AST into rows of data and finding paths from sources to sinks (or am I...

#sast
SIExVulTS: Sensitive Information Exposure Vulnerability Detection System using Transformer Models and Static Analysis

SIExVulTS: Sensitive Information Exposure Vulnerability Detection System using Transformer Models and Static Analysis

cs.CR updates on arXiv.org arxiv.org

arXiv:2508.19472v1 Announce Type: new Abstract: Sensitive Information Exposure (SIEx) vulnerabilities (CWE-200) remain a persistent and under-addressed threat across software systems, often leading to serious security breaches. Existing detection tools rarely target the diverse subcategories of CWE-200 or provide context-aware analysis of code-level data flows. Aims: This paper aims to present SIExVulTS, a novel vulnerability detection system that integrates transformer-based models with static...

#vulnerability #patch-management #detection-engineering #sast
SaMOSA: Sandbox for Malware Orchestration and Side-Channel Analysis

SaMOSA: Sandbox for Malware Orchestration and Side-Channel Analysis

cs.CR updates on arXiv.org arxiv.org

arXiv:2508.14261v1 Announce Type: new Abstract: Cyber-attacks on operational technology (OT) and cyber-physical systems (CPS) have increased tremendously in recent years with the proliferation of malware targeting Linux-based embedded devices of OT and CPS systems. Comprehensive malware detection requires dynamic analysis of execution behavior in addition to static analysis of binaries. Safe execution of malware in a manner that captures relevant behaviors via side-channels requires a sandbox...

#malware #detection-engineering #sast #dast
CodeRabbit's Production Servers RCE Vulnerability Enables Write Access on 1M Repositories

CodeRabbit's Production Servers RCE Vulnerability Enables Write Access on 1M Repositories

Cyber Security News cybersecuritynews.com

A critical remote code execution (RCE) vulnerability in CodeRabbit's production infrastructure that provided unauthorized access to over one million code repositories, including private ones. The vulnerability, discovered in December 2024 and responsibly disclosed in January 2025, exploited the platform's static analysis tool integration to leak sensitive API credentials and gain write access to GitHub repositories

#security-tools #rce #vulnerability #patch-management #sast