<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~files/feed-premium.xsl"?>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:feedpress="https://feed.press/xmlns" xmlns:podcast="https://podcastindex.org/namespace/1.0" version="2.0">
  <channel>
    <feedpress:locale>en</feedpress:locale>
    <atom:link rel="self" href="https://feeds.dzone.com/security"/>
    <atom:link rel="hub" href="https://feedpress.superfeedr.com/"/>
    <title>DZone Security Zone</title>
    <link>https://dzone.com/security</link>
    <description>Recent posts in Security on DZone.com</description>
    <item>
      <title>12 Factor Framework for Building Secure and Compliant Cloud Applications</title>
      <link>https://feeds.dzone.com/link/16357/17380342/factor-secure-cloud-apps</link>
      <description><![CDATA[<p style="text-align: left;">It began with a late-night alert.</p>
<p style="text-align: left;">A critical cloud application, serving thousands of users, had just been flagged for a security violation. No “hack” had occurred; nothing obviously was broken. What appeared to be a minor misconfiguration had quietly exposed sensitive data. The system was still running. The business was still operating. But compliance? Already compromised.</p><img src="https://feeds.dzone.com/link/16357/17380342.gif" height="1" width="1"/>]]></description>
      <pubDate>Tue, 14 Jul 2026 19:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3655835</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19088523&amp;w=600"/>
      <dc:creator>Josephine Eskaline Joyce</dc:creator>
      <dc:creator>Prashanth Bhat</dc:creator>
      <dc:creator>Ajay Chebbi</dc:creator>
    </item>
    <item>
      <title>Implementing Zero-Trust Networking and Identity for Microsoft Foundry Agents</title>
      <link>https://feeds.dzone.com/link/16357/17379701/zero-trust-foundry-agents</link>
      <description><![CDATA[<p>Once your multi-agent system (Parts 6-8) is functionally solid, the question that comes up in every enterprise security review is the same: how do you know an agent is only doing what it's authorized to do, over a network path you actually trust, with an audit trail that holds up when someone asks "what did this agent do and why" six months later? This post covers private networking, Entra Agent ID, and audit trail design.</p>
<h2><a name="zerotrust-network-boundary" href="https://dev.to/jubinsoni/implementing-zero-trust-networking-and-identity-for-microsoft-foundry-agents-562d#zerotrust-network-boundary"></a>Zero-Trust Network Boundary</h2>
<p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Faz5wi5t3vbdbggks6yam.png"><img alt="Zero-trust network boundary" width="800" class="fr-fic fr-dib lazyload" data-image="true" data-new="false" data-sizeformatted="79.7 kB" data-mimetype="image/png" data-creationdate="1783201618367" data-creationdateformatted="07/04/2026 09:46 PM" data-type="temp" data-url="https://dz2cdn1.dzone.com/storage/temp/19082876-1783201617742.png" data-modificationdate="null" data-size="79682" data-name="1783201617742.png" data-id="19082876" data-src="https://dz2cdn1.dzone.com/storage/temp/19082876-1783201617742.png" style="width: 649px; height: 387.777px;"><br></a></p><img src="https://feeds.dzone.com/link/16357/17379701.gif" height="1" width="1"/>]]></description>
      <pubDate>Mon, 13 Jul 2026 18:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3664906</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19082880&amp;w=600"/>
      <dc:creator>Jubin Abhishek Soni</dc:creator>
    </item>
    <item>
      <title>Machine Identity Debt: Why Human Identity Is No Longer Cloud Security's Primary Boundary</title>
      <link>https://feeds.dzone.com/link/16357/17379672/machine-identity-debt</link>
      <description><![CDATA[<p><em>Cloud-native systems now create far more machine identities than human ones. Security strategies built around workforce identity are no longer sufficient. Here's what engineering leaders should build instead.</em></p>
<h2>The Breach That Didn't Need a Password</h2>
<p>On August 8, 2025, a threat actor now tracked by Google's Threat Intelligence Group as UNC6395 began quietly moving through the Salesforce instances of hundreds of companies. No phishing email landed in an inbox that day. No password was cracked. No multi-factor prompt was bypassed with a fatigue attack. The attacker simply had something better than a password: a valid OAuth token, stolen months earlier from Salesloft's GitHub account, that let it impersonate the Drift chatbot integration and act with all the trust that integration had been granted.</p><img src="https://feeds.dzone.com/link/16357/17379672.gif" height="1" width="1"/>]]></description>
      <pubDate>Mon, 13 Jul 2026 17:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3664970</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19088875&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>Goodbye, Skeleton Keys: Why Machine Identity Broke IAM, and What SPIFFE Is Doing About It</title>
      <link>https://feeds.dzone.com/link/16357/17379512/goodbye-skeleton-keys-why-machine-identity-broke-i</link>
      <description><![CDATA[<p>Cloudflare published its own forensic timeline of the Salesloft Drift breach down to the minute, and it's worth sitting with the detail for a second.&nbsp;</p>
<p>At 11:51 on August 9, 2025, an actor researchers track as GRUB1 tried to validate a stolen Cloudflare API token against the Salesforce API using TruffleHog's user-agent string — a tool built for finding leaked secrets, repurposed here to confirm one actually worked. That attempt failed. At 22:14, it didn't.&nbsp;</p><img src="https://feeds.dzone.com/link/16357/17379512.gif" height="1" width="1"/>]]></description>
      <pubDate>Mon, 13 Jul 2026 12:00:11 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3659904</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19087983&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>AI Can't Defend What It Can't See</title>
      <link>https://feeds.dzone.com/link/16357/17374497/ai-cant-defend-what-it-cant-see</link>
      <description><![CDATA[<p>Most of what AI promises in security rides on something duller than the model itself: whether it can see the environment it's defending. When it can't, a stronger model doesn't help. It makes the gaps harder to spot, and it brings a few new ones of its own.</p>
<p>Two figures from the past year carry most of the story.</p><img src="https://feeds.dzone.com/link/16357/17374497.gif" height="1" width="1"/>]]></description>
      <pubDate>Tue, 07 Jul 2026 15:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3661919</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19080232&amp;w=600"/>
      <dc:creator>Jithu Paulose</dc:creator>
    </item>
    <item>
      <title>Prompt Injection Attacks and Hidden Security Risks in LLM Applications</title>
      <link>https://feeds.dzone.com/link/16357/17372361/prompt-injection-attacks-and-hidden-security-risks</link>
      <description><![CDATA[<h2>Where the Problem Sits</h2>
<p>Everyone talks about model safety. Not enough people talk about what happens when the input itself is the weapon.</p>
<p>Prompt injection is not a niche edge case. It is the most direct way to compromise an LLM application. And most teams are not ready for it. The model works exactly as designed. The attacker just rewrites the instructions. That is the gap. Not in the model. In how people build around it.</p><img src="https://feeds.dzone.com/link/16357/17372361.gif" height="1" width="1"/>]]></description>
      <pubDate>Fri, 03 Jul 2026 17:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3663761</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19077402&amp;w=600"/>
      <dc:creator>Karini Kapoor</dc:creator>
    </item>
    <item>
      <title>Identity Was Never the Real Problem. Intent Is — and Almost Nobody Is Building For It Yet</title>
      <link>https://feeds.dzone.com/link/16357/17371866/intent-based-authorization</link>
      <description><![CDATA[<p>Go back through every machine-identity breach from the past eighteen months and look for the one thing they all have in common. Not the attacker. Not the industry. Not even the dollar figure. Look for what happened at the authentication step — the moment a system checked "is this credential real?"</p>
<p>In every single case, the answer was yes.</p><img src="https://feeds.dzone.com/link/16357/17371866.gif" height="1" width="1"/>]]></description>
      <pubDate>Thu, 02 Jul 2026 17:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3659907</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19077365&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>One Stolen Key, One Stolen Token: Why Machine Identity Is Cloud-Native's Quietest Crisis — and the Only Fix That Actually Holds</title>
      <link>https://feeds.dzone.com/link/16357/17371231/machine-identity-cloud-security</link>
      <description><![CDATA[<p>On December 2, 2024, a security vendor called BeyondTrust noticed something wrong inside its own AWS account. By the time the investigation closed, the story that emerged was almost absurdly simple for something with this much fallout: an attacker — later attributed to the Chinese state-sponsored group Silk Typhoon — had used a software flaw to reach into a BeyondTrust cloud account and pull out an API key. Not a password. Not a phishing victim's login. A string of characters that a piece of software used to talk to another piece of software.&nbsp;</p>
<p>With that one key, the attacker walked straight into the U.S. Department of the Treasury, reset internal passwords, accessed workstations inside the Office of Foreign Assets Control, and read unclassified documents before anyone noticed. The Treasury disclosed it to Congress on December 30. The Department of Justice indicted the alleged operators in March 2025.</p><img src="https://feeds.dzone.com/link/16357/17371231.gif" height="1" width="1"/>]]></description>
      <pubDate>Wed, 01 Jul 2026 17:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3659906</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19075934&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>Can Rust Have Zero-Cost Dependency Injection?</title>
      <link>https://feeds.dzone.com/link/16357/17371189/can-rust-have-zero-cost-dependency-injection</link>
      <description><![CDATA[<h2 data-selectable-paragraph="">Overview</h2>
<p data-selectable-paragraph="">This article explores whether dependency injection (DI) can exist in Rust without sacrificing the language’s core philosophy of <a href="https://dzone.com/articles/why-rust-modern-software-development">zero-cost abstractions</a>.</p>
<figure>
 <div tabindex="0">
  <source srcset="https://miro.medium.com/v2/resize:fit:640/format:webp/1*fzJUsScDyenThNfOenhVGQ.png 640w, https://miro.medium.com/v2/resize:fit:720/format:webp/1*fzJUsScDyenThNfOenhVGQ.png 720w, https://miro.medium.com/v2/resize:fit:750/format:webp/1*fzJUsScDyenThNfOenhVGQ.png 750w, https://miro.medium.com/v2/resize:fit:786/format:webp/1*fzJUsScDyenThNfOenhVGQ.png 786w, https://miro.medium.com/v2/resize:fit:828/format:webp/1*fzJUsScDyenThNfOenhVGQ.png 828w, https://miro.medium.com/v2/resize:fit:1100/format:webp/1*fzJUsScDyenThNfOenhVGQ.png 1100w, https://miro.medium.com/v2/resize:fit:1400/format:webp/1*fzJUsScDyenThNfOenhVGQ.png 1400w" sizes="(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px" type="image/webp"><source data-testid="og" srcset="https://miro.medium.com/v2/resize:fit:640/1*fzJUsScDyenThNfOenhVGQ.png 640w, https://miro.medium.com/v2/resize:fit:720/1*fzJUsScDyenThNfOenhVGQ.png 720w, https://miro.medium.com/v2/resize:fit:750/1*fzJUsScDyenThNfOenhVGQ.png 750w, https://miro.medium.com/v2/resize:fit:786/1*fzJUsScDyenThNfOenhVGQ.png 786w, https://miro.medium.com/v2/resize:fit:828/1*fzJUsScDyenThNfOenhVGQ.png 828w, https://miro.medium.com/v2/resize:fit:1100/1*fzJUsScDyenThNfOenhVGQ.png 1100w, https://miro.medium.com/v2/resize:fit:1400/1*fzJUsScDyenThNfOenhVGQ.png 1400w" sizes="(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px">
 </div>
</figure>
<p data-selectable-paragraph="">We will approach the question from three angles:</p><img src="https://feeds.dzone.com/link/16357/17371189.gif" height="1" width="1"/>]]></description>
      <pubDate>Wed, 01 Jul 2026 15:00:04 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3646831</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19074789&amp;w=600"/>
      <dc:creator>Dmytro Brazhnyk</dc:creator>
    </item>
    <item>
      <title>An Ingredient List Doesn't Stop the Worm: What SBOMs Can and Can't Do</title>
      <link>https://feeds.dzone.com/link/16357/17370399/an-ingredient-list-doesnt-stop-the-worm-what-sboms</link>
      <description><![CDATA[<p>On March 28, 2024, a Microsoft engineer named Andres Freund noticed something almost nobody would have bothered chasing: SSH logins on a system he was benchmarking were taking 500 milliseconds instead of the usual 100. He ran a memory profiler out of irritation more than suspicion, traced the slowdown to liblzma, the compression library bundled with <code>xz-utils</code>, and within a day had uncovered a backdoor planted by a maintainer who'd spent roughly two years earning the trust required to slip it in. The resulting CVE, 2024-3094, drew a perfect CVSS score of 10.0. It also handed the software security world an uncomfortable case study, one I still bring up whenever someone tells me their SBOM program has supply-chain risk handled.</p>
<p>Here's why it's uncomfortable: an SBOM generated against the compromised <code>xz-utils</code> 5.6.1 release would have listed exactly that — <code>xz-utils</code>, version 5.6.1 — and it would have been completely accurate. The component was real, the version was real, and the entry would have sailed through every automated check looking for known-bad packages, because nobody knew it was bad yet. The malicious code wasn't an undisclosed dependency. It was hidden inside the build instructions of a package everyone already trusted, smuggled in through doctored upstream release tarballs rather than the public git history reviewers were actually watching. The ingredient list was correct. The ingredient was poisoned. Those are different problems, and conflating them is how organizations end up with a false sense of coverage.</p><img src="https://feeds.dzone.com/link/16357/17370399.gif" height="1" width="1"/>]]></description>
      <pubDate>Tue, 30 Jun 2026 15:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3659905</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19073094&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>The New Insider Threat Isn't Human: Securing AI Agents Before They Secure Themselves</title>
      <link>https://feeds.dzone.com/link/16357/17368763/ai-agent-identity-security</link>
      <description><![CDATA[<p>In mid-September 2025, engineers inside Anthropic's threat intelligence team noticed something that didn't fit the usual pattern of automated probing on their platform. Ten days of digging later, they had a name for it: GTG-1002, a Chinese state-sponsored group that had turned Claude Code into the operational core of a cyber-espionage campaign against roughly thirty organizations — banks, chemical manufacturers, tech firms, government agencies.&nbsp;</p>
<p>When Anthropic published its account of the intrusion on November 14, the detail that made security teams sit up wasn't the target list. It was the autonomy ratio: by the company's own estimate, the AI agent executed somewhere between 80 and 90 percent of the operation — reconnaissance, vulnerability discovery, exploit development, lateral movement, exfiltration — with humans stepping in only at a handful of strategic checkpoints. Jacob Klein, who heads threat intelligence at Anthropic, called it an escalation that lowers the bar for who can run a sophisticated intrusion at all.</p><img src="https://feeds.dzone.com/link/16357/17368763.gif" height="1" width="1"/>]]></description>
      <pubDate>Fri, 26 Jun 2026 19:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3659903</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19065207&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>Two Clocks Are Running Out at Once, and Almost Nobody Is Watching Both</title>
      <link>https://feeds.dzone.com/link/16357/17368616/two-security-clocks-running-out</link>
      <description><![CDATA[<p>Every CISO I talk to right now is juggling two deadlines that feel unrelated and aren't. One is the slow-motion arrival of quantum computers capable of breaking the public-key cryptography that underpins basically everything — TLS, SSH, JWTs, code-signing. The other is the much faster arrival of AI-assisted coding tools that are shipping security-critical code nobody has fully reviewed. I used to think of these as separate beats. I don't anymore, because the same root failure shows up in both: organizations adopting powerful new capability faster than they're building the visibility and discipline to govern it.</p>
<h2>Post-Quantum Planning: The Inventory Problem Comes First</h2>
<p>NIST finalized its first three post-quantum cryptography standards on August 13, 2024, after an eight-year, multi-round public competition: FIPS 203 (ML-KEM, the lattice-based key encapsulation mechanism formerly known as Kyber), FIPS 204 (ML-DSA, the signature scheme formerly known as Dilithium), and FIPS 205 (SLH-DSA, the hash-based fallback formerly known as SPHINCS+). In March 2025, NIST added a fourth algorithm, HQC, specifically chosen because it rests on a different mathematical hardness assumption than the lattice problems underneath ML-KEM and ML-DSA — a deliberate hedge in case lattice-based cryptography turns out to have a weakness nobody's found yet. The NSA's CNSA 2.0 guidance sets 2030 as the mandatory PQC migration deadline for national security systems, and NIST's broader timeline calls for deprecating RSA and ECDSA entirely by 2035.</p><img src="https://feeds.dzone.com/link/16357/17368616.gif" height="1" width="1"/>]]></description>
      <pubDate>Fri, 26 Jun 2026 14:00:05 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3661914</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19059071&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>Sharing SBOMs Securely Without Giving Too Much Away</title>
      <link>https://feeds.dzone.com/link/16357/17367936/secure-sbom-sharing</link>
      <description><![CDATA[<h2>SBOMs Create Transparency, But Not Without Risk</h2>
<p>The Software Bill of Materials, or SBOM, has changed meaning in recent years. It used to be seen as a technical tool for internal inventory management. It is now required as evidence due to regulations. The European Cyber Resilience Act will require digital product manufacturers to reliably document the composition of their software. The NIS 2 Directive increases pressure on operators of essential entities to secure their supply chains in a traceable way. The United States Executive Order 14028 made the SBOM a requirement in government procurement as early as 2021. As a result, the bill of materials evolved from a voluntary artifact to a mandatory disclosure.</p>
<p>This rise in importance exposes a conflict of objectives that cannot be resolved, only managed. The bill of materials is designed to establish trust, enable verifiability, and allow quick response to vulnerabilities. Yet it also reveals how a software product is built. It lists third-party components, their versions, and potential vulnerability points. It lets people guess architectural choices and competitively relevant strategies. A complete bill of materials acts as both evidence and blueprint. Publishing it carelessly confuses transparency with surrender. This article argues that the way sharing is controlled, not just the act of sharing, determines whether it helps or harms.</p><img src="https://feeds.dzone.com/link/16357/17367936.gif" height="1" width="1"/>]]></description>
      <pubDate>Thu, 25 Jun 2026 16:00:09 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3659949</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19059857&amp;w=600"/>
      <dc:creator>Sven Ruppert</dc:creator>
    </item>
    <item>
      <title>Your Biggest Identity Problem Isn't Your Employees Anymore; It's Everything Else</title>
      <link>https://feeds.dzone.com/link/16357/17367495/machine-identity-security</link>
      <description><![CDATA[<p>I used to open identity audits by asking a CISO how many users were on their network. These days, I ask a different question first: how many <em>non-human</em> identities do you have, and when was the last time anyone counted? Most of the time, the answer is a long pause, followed by a number that's wrong, followed by an admission that it's wrong. That pause is the whole story of identity security in 2026.</p>
<p>CyberArk's 2025 Identity Security Landscape report, based on a survey of 2,600 security decision-makers across 20 countries, put a hard number on what I'd been seeing anecdotally for two years: machine identities now outnumber human identities by more than 80 to 1 in the average enterprise. Service accounts, API keys, certificates, container workloads, CI/CD pipeline tokens, and now <a href="https://dzone.com/articles/why-ai-agents-are-the-new-backbone-of-software-qua">AI agents</a> acting on behalf of users — all of it stacking up faster than anyone is governing it. Clarence Hinton, CyberArk's Chief Strategy Officer, said it plainly when the report came out: the privileged access of AI agents represents an entirely new threat vector. He's not wrong, and the part that should bother you is that "new" undersells how fast it's already arrived.</p><img src="https://feeds.dzone.com/link/16357/17367495.gif" height="1" width="1"/>]]></description>
      <pubDate>Wed, 24 Jun 2026 19:00:08 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3659888</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19059456&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>AI, OAuth, and Other Platform APIs in the Core</title>
      <link>https://feeds.dzone.com/link/16357/17366675/ai-oauth-platform-apis</link>
      <description><![CDATA[<p>This is the second follow-up to June 5's<a href="https://www.codenameone.com/blog/metal-default-new-build-cloud-and-a-new-format/" rel="noopener noreferrer" target="_blank">&nbsp;release post</a>. It covers the platform APIs that moved into the framework core this release. There are two headline pieces (AI/LLM and the modern OAuth/OIDC stack) and two smaller pieces (WiFi/connectivity and share-sheet result callbacks).&nbsp;</p>
<p>This continues the direction the previous release set when we moved NFC, biometrics, and cryptography into the framework core. The full background on that earlier set is in <a href="https://www.codenameone.com/blog/nfc-crypto-biometrics-and-build-cloud/" rel="noopener noreferrer" target="_blank">NFC, Crypto, Biometrics, And A New Build Cloud</a>.</p><img src="https://feeds.dzone.com/link/16357/17366675.gif" height="1" width="1"/>]]></description>
      <pubDate>Wed, 24 Jun 2026 18:00:10 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3656699</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19059398&amp;w=600"/>
      <dc:creator>Shai Almog</dc:creator>
    </item>
    <item>
      <title>Implementing Asynchronous Communication Between Microservices Using Kafka and Spring Boot</title>
      <link>https://feeds.dzone.com/link/16357/17366605/asynchronous-microservices-communication-kafka-spring-boot</link>
      <description><![CDATA[<p>In a microservices system, that tight coupling turns a small hiccup into a cascading slowdown. Thread pools fill, retries amplify traffic, and suddenly your simple request is blocked on half the fleet. My executive summary: asynchronous messaging with Kafka helps systems keep moving when individual components inevitably slow down or fail. It does this by decoupling producers from consumers, absorbing traffic spikes, and allowing services to evolve without tying their availability directly to one another.</p>
<h2>Code Patterns in Spring Boot With Kafka</h2>
<p>Spring for Apache Kafka gives me two primitives that feel pleasantly old Spring <code>KafkaTemplate</code> for sending and <code>@KafkaListener</code> for receiving. That template/listener model is intentionally similar to other Spring integration tech, which keeps application code focused on domain logic instead of raw client plumbing.&nbsp;</p><img src="https://feeds.dzone.com/link/16357/17366605.gif" height="1" width="1"/>]]></description>
      <pubDate>Wed, 24 Jun 2026 13:00:05 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3643443</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19056287&amp;w=600"/>
      <dc:creator>Mallikharjuna Manepalli</dc:creator>
    </item>
    <item>
      <title>Architectural Collapse: How Extension Poisoning, Node Vulnerabilities, and Infrastructure Fog Enabled the GitHub Repository Breach</title>
      <link>https://feeds.dzone.com/link/16357/17366160/extension-poisoning-github-breach</link>
      <description><![CDATA[<p data-selectable-paragraph="">Enterprise perimeter defenses are fundamentally built on an obsolete assumption that the developer’s workstation is a secure, trusted anchor point. The massive security breach executed by the threat group <strong>TeamPCP</strong>, resulting in the exfiltration of <strong>3,800 internal GitHub source code repositories</strong>, completely shattered this illusion.</p>
<p data-selectable-paragraph="">This was not a standalone exploit. It was a multi-vector convergence where vulnerabilities in the Node/NPM ecosystem, the systemic ungoverned architecture of the Visual Studio Code Marketplace, and the tactical “fog of war” caused by a period of historic GitHub infrastructure instability came together to create the perfect attack.</p><img src="https://feeds.dzone.com/link/16357/17366160.gif" height="1" width="1"/>]]></description>
      <pubDate>Tue, 23 Jun 2026 19:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3655846</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19032602&amp;w=600"/>
      <dc:creator>Akash Lomas</dc:creator>
      <dc:creator>Akash Lomas</dc:creator>
    </item>
    <item>
      <title>Phantom APIs Are Eating Your Attack Surface, and Most Security Teams Are Still Looking the Other Way</title>
      <link>https://feeds.dzone.com/link/16357/17366137/phantom-apis-attack-surface</link>
      <description><![CDATA[<p>I've spent the better part of fifteen years staring at API traffic logs for a living, and I can tell you the job has changed twice. The first shift came with microservices, when a handful of monolithic endpoints became thousands of small, chatty interfaces, and nobody could agree on who owned the inventory. The second shift is happening right now, and it's worse because this time the endpoints aren't even being written by people who can explain why they exist.</p>
<p>Call them phantom APIs: routes, handlers, and parameters that show up in production but never appear in a spec, a ticket, or a design review. Some get hand-built by a developer in a hurry and are forgotten. Increasingly, though, they're a byproduct of AI code generation — Copilot, Cursor, an internal fine-tuned assistant, whatever your shop has standardized on — quietly scaffolding an admin route, a debug handler, or a permissive query path because that pattern showed up often enough in training data to feel "normal." Nobody asked for it. Nobody reviewed it with fresh eyes, because by the time a human glances at the diff, the suggestion already looks plausible. That's the part that should worry you more than any single CVE: plausibility, not malice, is now the main vector.</p><img src="https://feeds.dzone.com/link/16357/17366137.gif" height="1" width="1"/>]]></description>
      <pubDate>Tue, 23 Jun 2026 18:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3661903</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19056532&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>The Breach Was Never at the Door</title>
      <link>https://feeds.dzone.com/link/16357/17366056/breach-was-never-at-the-door</link>
      <description><![CDATA[<p>I've lost count of how many breach disclosures I've read where the first sentence is some version of "no evidence the perimeter was compromised." It used to strike me as corporate hedging. Now I read it as the whole story, hiding in plain sight. The perimeter wasn't compromised because, increasingly, nobody bothers attacking it. Why would they, when the back door is propped open by a token nobody's looked at since the engineer who set it up left the company?</p>
<p>That's the pattern I want to walk through here — not as a hypothetical, but as something that's now happened, in public, with named victims and dated timelines, twice in the last eighteen months at a scale too big to wave away.</p><img src="https://feeds.dzone.com/link/16357/17366056.gif" height="1" width="1"/>]]></description>
      <pubDate>Tue, 23 Jun 2026 15:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3659848</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19054825&amp;w=600"/>
      <dc:creator>Igboanugo David Ugochukwu</dc:creator>
    </item>
    <item>
      <title>Data Governance Checklist for AI-Driven Systems</title>
      <link>https://feeds.dzone.com/link/16357/17365997/ai-data-governance-checklist</link>
      <description><![CDATA[<p style="font-size: 17px;"><em>Editor’s Note: The following is an article written for and published in DZone’s 2026 Trend Report,&nbsp;</em><a href="https://dzone.com/link/2026-tr-databases-data-contributor-article" rel="noopener noreferrer" target="_blank"><em>Cognitive Databases, Intelligent Data: Unified Infrastructure for Vector Search, AI-Optimized Queries, and Hybrid Workloads</em></a>.</p>
<hr>
<p dir="ltr">Many teams find governance gaps only after a retrieval system surfaces stale or unauthorized content in production. Models, agents, and retrieval workflows all depend on enterprise data. Before any of that data reaches an AI system, teams need to know where it originates, how it’s integrated, whether it meets quality expectations, what context enriches it, who can access it, and how it changes over time.</p><img src="https://feeds.dzone.com/link/16357/17365997.gif" height="1" width="1"/>]]></description>
      <pubDate>Tue, 23 Jun 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://dzone.com/articles/3660855</guid>
      <media:thumbnail url="https://dz2cdn1.dzone.com/thumbnail?fid=19052925&amp;w=600"/>
      <dc:creator>Abhishek Gupta</dc:creator>
    </item>
  </channel>
</rss>
