38 posts tagged with "Security"

Somewhere a team is shipping a product that uses passkey credentials as data-encryption keys, and they are genuinely proud of the elegance. They will be less proud the first time a user switches phones and watches their data evaporate. The passkeys critique made this failure mode impossible to ignore — so here are the guardrails I would enforce in any architecture review before that elegant design reaches production.

February 2026 felt like the month where everyone agreed AI coding is "real now," then immediately discovered the bill: secrets sprawl, shaky governance, fragile tests, and communities trying to stay relevant without becoming AI-themed marketing departments.

I reviewed Drupal advisories SA-CONTRIB-2026-011 through SA-CONTRIB-2026-019 (published on 2026-02-25) and mapped them against active drupal-* projects. Nine advisories, nine modules, one triage session.

Gemini API keys are now under stricter governance: leaked keys can be disabled by Google, and API terms and cloud key controls are evolving. Agent workflows that chain multiple jobs and providers are the most exposed. A single leaked key in logs, prompts, or commits can halt automation and trigger incident response.

I reviewed the policy changes and built a concrete key management update plan.

If AI agents can open pull requests, secret scanning must become a hard merge gate, not a best-effort report. The practical baseline is: pre-commit scanning for fast feedback, CI blocking checks for enforceability, and policy-controlled break-glass paths with audit logs.

I reviewed the GitGuardian MCP integration pattern and tested it against agent-generated PRs.

Wordfence's February 9-15, 2026 report is a reminder that WordPress security is not a reading hobby. It is an operations loop. Sites that treat it like newsletter content are volunteering for downtime.

If you maintain a Drupal 10/11 contrib module, the biggest security misses are still predictable: missing access checks, weak route protection, unsafe output, and incomplete release hygiene. The fastest hardening path is to enforce explicit access decisions, protect state-changing routes with CSRF requirements, ban unsafe rendering patterns, and ship every release with a repeatable security gate.

A recent report from Security Boulevard, based on a Gravitee study, puts a number on the AI agent security gap: approximately 1.5 million AI agents operating in large US and UK organizations with zero active oversight. That is not a theoretical risk. That is a ticking time bomb with a billing address.

I read the full report. The findings are worse than the headline.

I built a WordPress plugin that adds wp wordfence-audit plugins and flags installed plugins that match vulnerability signals from the current Wordfence blog RSS feed. The goal is quick triage from existing RSS workflows, not replacing full vulnerability databases.

WowRevenue versions up to 2.1.3 can expose a high-risk path when authenticated low-privilege users can reach plugin installation or activation logic through AJAX handlers without strict capability checks. The practical fix is to enforce current_user_can('install_plugins') or current_user_can('activate_plugins') at handler entry and keep nonce checks as anti-CSRF only.

I shipped a release-audit tool for security_advisories_nl because release news, vulnerability records, and platform status pages are noisy unless you convert them into a clear adopt-or-wait decision.

Dries Buytaert, the founder of Drupal, recently addressed a growing problem: AI-generated contributions are flooding open-source projects with low-value reports and patches that lack expertise. The human bottleneck — the reviewer — becomes the point of failure for the entire ecosystem.

WordPress malware campaigns share a pattern. Attackers exploit one vulnerable plugin, drop a backdoor, then pivot across the entire installation. Most site owners discover the breach weeks later, after search engines have already flagged the domain.

AI is making vulnerability discovery faster and cheaper. That is the easy part. The hard part is what happens next: an open-source maintainer with limited hours receives a flood of security reports and must decide which ones deserve immediate attention, which are false positives, and which can wait.

The honeymoon phase of "generate everything with AI" is officially over, as major platforms like WordPress and Cloudflare are now forced to build guardrails against the resulting tide of low-quality "slop."

I tore apart CVE-2025-9318 — a critical SQL injection in the Quiz and Survey Master WordPress plugin affecting every version up to 10.3.1. Classic $wpdb concatenation, trivially exploitable by any authenticated subscriber.

The Cloudflare 2025 Q4 DDoS threat report just dropped, and the numbers are brutal. A record-breaking 31.4 Tbps attack mitigated in November 2025, and hyper-volumetric attacks up 700%. For Drupal site owners, these are not just statistics — they represent a fundamental shift in the scale of threats your infrastructure must handle.

If you install "skills" from a public marketplace, you are installing trust. I built a static scanner that scores a skill bundle before it touches my machine.