Security Research & Insights

Security Blog

Cybersecurity stories, threat analysis, and practical guidance from the Deva security team.

AppSec · 2026-05-21 · 8 min read

OWASP Top 10:2025 Is Live. SSRF Is Gone, Supply Chain Is #3.

OWASP published the 2025 revision of the Top 10 in May 2026. Three structural changes deserve real attention from anyone writing or auditing application code.

Threat Intelligence · 2026-05-17 · 9 min read

Mini Shai-Hulud: The TanStack Supply Chain Attack That Hit OpenAI, Mistral, and 160+ Packages

A self-propagating supply chain worm compromised TanStack npm packages through GitHub Actions cache poisoning. No credentials stolen, just OIDC tokens extracted from runner memory.

Vulnerability Analysis · 2026-05-16 · 8 min read

Copy Fail: 732 Bytes to Root on Every Linux Distribution Since 2017

CVE-2026-31431 is a local privilege escalation in the Linux kernel cryptographic subsystem. A 732-byte Python script can edit a setuid binary in memory and obtain root. CISA added it to KEV on May 7.

Vulnerability Analysis · 2026-05-16 · 5 min read

Exchange Server XSS-to-Spoofing: CVE-2026-42897 Added to CISA KEV

A cross-site scripting flaw in on-premises Microsoft Exchange Server enables email spoofing via crafted messages. CISA added it to KEV on May 15 with a May 29 federal deadline.

Vulnerability Analysis · 2026-05-15 · 7 min read

NGINX Rift: An 18-Year-Old Heap Buffer Overflow Just Got a CVE and a PoC

CVE-2026-42945 is a critical heap buffer overflow in the NGINX rewrite module that has existed since 2008. CVSS 9.2, public PoC, zero authentication required.

Threat Intelligence · 2026-05-15 · 6 min read

Cisco SD-WAN Authentication Bypass: CVSS 10.0 and the Sixth Zero-Day of 2026

CVE-2026-20182 is a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller. CISA added it to KEV with a May 17 federal remediation deadline.

Threat Intelligence · 2026-05-12 · 8 min read

Salt Typhoon and the Telecom Backbone: Why Application-Layer Encryption Just Became Non-Negotiable

The Salt Typhoon intrusions into major US telecom carriers exposed lawful intercept systems and call metadata at unprecedented scale. The takeaway for software teams: assume the transport layer is hostile.

Threat Intelligence · 2026-05-10 · 7 min read

CISA KEV in 2025: What the Five-Day Exploitation Window Means for Developers

CISA's Known Exploited Vulnerabilities catalog added 187 entries in the past 12 months. The median time from CVE disclosure to active exploitation has dropped to 5 days. Here's what that means for development teams.

AppSec · 2026-05-06 · 9 min read

Prompt Injection in Agentic AI: The 2026 Vulnerability Class That Acts Like Remote Code Execution

Agentic AI systems combining LLMs with tool use and persistent memory have created a new vulnerability class. When the agent has shell or API access, prompt injection behaves like RCE.

Compliance · 2026-05-04 · 9 min read

HHS Wants Annual Pentests in the HIPAA Security Rule. Here's What That Looks Like.

HHS proposed updates to the HIPAA Security Rule in early 2025 that would make penetration testing an explicit requirement for covered entities. Here's what the proposed rule says and how to prepare.

Compliance · 2026-04-25 · 7 min read

NIST CSF 2.0: Govern Got the Headlines, ID.AM-07 Will Cost You the Audit

NIST released Cybersecurity Framework 2.0 with a new Govern function and expanded scope beyond critical infrastructure. Here's what the update means at the code level.

Compliance · 2026-04-22 · 8 min read

PCI-DSS v4.0 Requirements That Live in Your Code, Not Your Network

PCI-DSS v4.0 has been the only valid revision since March 2025. Requirements 6.2 and 6.3 are the ones developers own, and they are stricter than v3.2.1 in ways most teams have not yet absorbed.

Compliance · 2026-04-20 · 10 min read

The HIPAA Breach Report 2025: The Code Patterns Behind Healthcare's Biggest Incidents

HHS recorded 725 healthcare data breaches in 2024 affecting more than 180 million records. Their disclosed technical causes cluster around a small set of CWEs, and every one of them is detectable at write time.

Supply Chain · 2026-04-15 · 9 min read

XZ Utils One Year Later: The Supply Chain Attack Surface Hiding in Developer Environments

The XZ Utils backdoor (CVE-2024-3094) demonstrated that supply chain attacks target developer environments as much as production systems. Here's what changed and what hasn't.

Compliance · 2026-04-12 · 8 min read

FedRAMP Rev 5: The 80 New Controls Your Code Has to Pass

FedRAMP updated its baselines to align with NIST 800-53 Rev 5. For developers building cloud services targeting government customers, here's which controls live in code.

AppSec · 2026-04-10 · 7 min read

Tuning Your Scanner to the 2024 CWE Top 25 Without Drowning in False Positives

MITRE published the 2024 CWE Top 25. Several rankings shifted meaningfully. Here's how to configure your scanner for maximum coverage of the current threat landscape.

AppSec · 2026-04-08 · 7 min read

The Vulnerability Class That Arrived With AI Coding Assistants

LLM-generated code passes syntax checks, passes type checks, and fails security checks at higher rates than hand-written code. Here's why and what to do about it.

Threat Intelligence · 2026-04-05 · 8 min read

Zero-Trust for Developer Environments: What Air-Gapped AI Actually Means

Zero-trust architecture applied to developer environments means more than network segmentation. It means the AI tools developers use can't exfiltrate code they weren't meant to see.

Compliance · 2026-04-03 · 7 min read

SOC 2 Type II and the Code Controls Auditors Are Now Testing

SOC 2 Type II auditors are moving beyond policy documentation to code-level evidence. Here's which Trust Services Criteria map directly to your application code and what auditors want to see.

Compliance · 2026-03-30 · 7 min read

GDPR Article 25 Is a Code-Level Requirement, Not an Architecture Diagram

Article 25 of the GDPR requires 'data protection by design and by default.' Most organizations implement this at the architecture level. Here's what it means at the code level.

Supply Chain · 2026-03-27 · 6 min read

Log4Shell Three Years Later: Why Unpatched Dependencies Still Dominate Enterprise Risk

CVE-2021-44228 (Log4Shell) was disclosed in December 2021 and is still being actively exploited four years on. The cause is not ignorance. It is dependency graph blindness.

AppSec · 2026-03-24 · 7 min read

CISA Secure by Design: The Shift from Compliance to Structural Safety

CISA's Secure by Design initiative argues that meeting a compliance checklist is not the same as building safe software. The alternative is structural: design that makes whole vulnerability classes impossible rather than rare.

Compliance · 2026-03-21 · 6 min read

The SOX ITGCs Auditors Actually Sample (And Where They Live in Your Code)

SOX IT General Controls (ITGCs) are designed for auditors, but many of them directly affect how software is written, reviewed, and deployed. Here's the developer's translation.
