Why Traditional AppSec Fails For AI-Driven Architectures
Software security has always depended on predictable code, fixed logic, and well-defined system behavior. That foundation begins to shift once organizations incorporate AI systems into their applications. Instead of relying on hard-coded decision paths, these new architectures depend on models that learn, adapt, and respond to user inputs in real time. This creates gaps that traditional AppSec tools and methods were never built to detect or defend against.
AI-driven architectures introduce new forms of risk that cannot be solved by simply placing security scanners or firewalls around the application. Models interact with users, interpret language, and influence downstream systems, which means they consume and produce information in ways standard AppSec controls cannot evaluate. As a result, teams are starting to understand why traditional security practices fall short and what is needed to protect these environments effectively.
Where Traditional AppSec Falls Short
Static Code Assumptions Do Not Apply
Traditional AppSec works well when applications behave in a fixed and predictable way. AI systems do not operate like this. A model can change its output based on subtle differences in user prompts or data. There is no single code path to follow, and there is no guaranteed repeatability. Standard scanners and code analysis tools cannot interpret learned behavior, so they often miss problems that stem from the model’s reasoning process.
Data Becomes the New Attack Surface
In AI-driven systems, data is no longer just an input. It is part of the logic. If an attacker poisons training data or manipulates live inputs, they can influence how the model behaves. Traditional AppSec rarely examines data sources, data lineage, or how unsafe inputs can alter a model’s output. This oversight creates one of the largest vulnerabilities for AI-based systems.
Business Logic Is No Longer Fully Deterministic
Classic AppSec relies on testing business logic paths. AI, however, introduces outcomes that may not be consistent from one interaction to the next. Small changes in phrasing or context can produce significantly different results. This unpredictability makes it difficult to confirm that a system behaves safely under all conditions using traditional testing methods.
Unique Threats Introduced By AI-Driven Architectures
Prompt Manipulation and Model Misuse
Models can be influenced through crafted inputs that alter how they respond. Attackers use linguistic tricks, rapid experimentation, or misleading context to push the model into unsafe behavior. These types of attacks do not resemble vulnerabilities that traditional AppSec tools are designed to identify.
Model Extraction and Intellectual Property Theft
Attackers may try to replicate or steal a model by repeatedly querying it and analyzing the responses. Traditional AppSec tools do not monitor for patterns that indicate a slow and methodical extraction attempt. Since models often represent significant business value, this risk is hard to ignore.
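One way to monitor for the slow pattern described above, as an added example that is not part of the original article: it looks at cumulative volume and input uniqueness per client over a long window instead of at short bursts. The log format, client names, and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def extraction_suspects(events, window=timedelta(days=7), min_total=2000,
                        min_distinct=0.9, burst_limit=100):
    """events: (timestamp, client_id, prompt_fingerprint) tuples.
    Flags clients with high cumulative volume and almost no repeated inputs,
    and records whether an hourly burst limit (assumed) would have seen them."""
    events = list(events)
    if not events:
        return {}
    cutoff = max(ts for ts, _, _ in events) - window
    per_client = defaultdict(list)
    for ts, client, fingerprint in events:
        if ts >= cutoff:
            per_client[client].append((ts, fingerprint))
    suspects = {}
    for client, rows in per_client.items():
        total = len(rows)
        distinct = len({fp for _, fp in rows}) / total
        hourly = defaultdict(int)
        for ts, _ in rows:
            hourly[ts.replace(minute=0, second=0, microsecond=0)] += 1
        peak = max(hourly.values())
        if total >= min_total and distinct >= min_distinct:
            suspects[client] = {"total": total, "distinct_ratio": round(distinct, 2),
                                "peak_per_hour": peak,
                                "under_burst_limit": peak <= burst_limit}
    return suspects

def constructed_log():
    """Constructed sample data, not real traffic."""
    start, log = datetime(2024, 1, 1), []
    for h in range(120):              # client-a: 40 unique prompts/hour for 5 days
        for i in range(40):
            log.append((start + timedelta(hours=h, minutes=i), "client-a", f"a-{h}-{i}"))
    for i in range(3000):             # client-b: one-hour burst of 20 repeated prompts
        log.append((start + timedelta(days=4, seconds=i), "client-b", f"b-{i % 20}"))
    for i in range(30):               # client-c: ordinary light usage
        log.append((start + timedelta(days=4, minutes=i), "client-c", f"c-{i}"))
    return log

if __name__ == "__main__":
    print(extraction_suspects(constructed_log()))
```

In the constructed log only client-a is flagged, even though its hourly rate never comes near the burst limit that client-b exceeds.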
Adversarial Inputs and Hidden Manipulations
Some attacks involve subtle modifications to inputs that confuse the model. These adversarial examples are intentionally designed to look harmless to humans but cause models to make incorrect decisions. Standard validation rules cannot detect these microscopic changes.
Automation Expansion Increases Blast Radius
AI systems often control automated workflows, which means a manipulated output can trigger actions far beyond the model itself. A flawed or coerced decision might change settings, approve transactions, or send commands to other applications. This increases the impact of a successful attack.
Operational Factors That Traditional AppSec Overlooks
Monitoring Gaps in Model Behavior
Once deployed, models need continuous observation. Traditional tools monitor system performance but rarely examine whether a model’s output looks safe or consistent. This leaves a significant blind spot because abuse often reveals itself through abnormal responses rather than system errors.
Limited Visibility Into Model Pipelines
Most legacy security tools cannot inspect training pipelines, inference layers, or model dependencies. Without visibility into these components, it becomes difficult to detect when data integrity is compromised or internal processes are misused.
Difficulty Tracking Changes Over Time
Models drift as new data influences their performance. Traditional AppSec processes assume applications remain stable unless code changes. AI systems evolve even when the code does not, which means teams must track changes in behavior, not just code updates.
What Effective Security Looks Like For AI Systems
Continuous Behavioral Monitoring
Security teams need visibility into how models behave over time. Detecting abnormal output patterns, unusual reasoning steps, or significant deviations from expected responses helps teams find the earliest signs of misuse or manipulation.
Data Validation and Provenance Enforcement
Securing data sources, verifying their integrity, and enforcing strict validation rules is essential. Since data now shapes decisions, ensuring its authenticity becomes a primary security requirement rather than a supporting task.
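A minimal form of the integrity check described above, as an added example that is not part of the original article: a keyed manifest of dataset digests that is verified before any training run. The dataset names, contents, and key are constructed, and keeping the HMAC key outside the data store is an assumption of the design.

```python
import hashlib
import hmac
import json

def manifest_mac(digests: dict, key: bytes) -> str:
    # MAC over a canonical encoding so the manifest itself cannot be edited.
    payload = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def build_manifest(datasets: dict, key: bytes) -> dict:
    """Record a SHA-256 digest per dataset at the time it is approved."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(datasets.items())}
    return {"digests": digests, "mac": manifest_mac(digests, key)}

def verify_datasets(datasets: dict, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the data matches
    what was approved and the pipeline may proceed."""
    if not hmac.compare_digest(manifest_mac(manifest["digests"], key),
                               str(manifest.get("mac", ""))):
        return ["manifest: signature mismatch"]
    problems = []
    for name, digest in manifest["digests"].items():
        if name not in datasets:
            problems.append(f"{name}: missing")
        elif hashlib.sha256(datasets[name]).hexdigest() != digest:
            problems.append(f"{name}: content changed")
    for name in datasets:
        if name not in manifest["digests"]:
            problems.append(f"{name}: not in manifest")
    return problems

# Constructed sample data and key, for illustration only.
KEY = b"constructed-demo-key"
APPROVED = {"reviews.csv": b"id,text,label\n1,great,pos\n2,awful,neg\n",
            "labels.csv": b"pos\nneg\n"}

if __name__ == "__main__":
    manifest = build_manifest(APPROVED, KEY)
    tampered = dict(APPROVED, **{"reviews.csv": APPROVED["reviews.csv"] + b"3,awful,pos\n"})
    print(verify_datasets(APPROVED, manifest, KEY))   # no problems
    print(verify_datasets(tampered, manifest, KEY))   # reviews.csv flagged
```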
Guardrails, Policy Enforcement, and Restricted Capabilities
Models should operate within clearly defined boundaries. Guardrails prevent the model from taking actions outside its intended purpose, and policy enforcement adds another level of protection when interacting with sensitive systems.
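A sketch of such a boundary, as an added example that is not part of the original article: model-proposed actions pass through a deny-by-default policy gate before anything downstream executes them. The action names, argument shapes, and monetary limits are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

def valid_lookup(args: dict) -> bool:
    return set(args) == {"order_id"} and str(args["order_id"]).isdigit()

def valid_refund(args: dict) -> bool:
    amount = args.get("amount")
    return (set(args) == {"order_id", "amount"}
            and str(args["order_id"]).isdigit()
            and isinstance(amount, (int, float)) and not isinstance(amount, bool)
            and 0 < amount <= 500)          # hard ceiling (assumed value)

@dataclass(frozen=True)
class Rule:
    is_valid: Callable[[dict], bool]
    needs_review: Callable[[dict], bool] = lambda args: False

# Only actions listed here can ever run; everything else is denied.
POLICY = {
    "lookup_order": Rule(valid_lookup),
    "refund": Rule(valid_refund, needs_review=lambda args: args["amount"] > 50),
}

def authorize(action) -> str:
    """Return 'allow', 'review' (human approval required) or 'deny' for an
    action the model proposed. The model's text is never trusted to pick
    its own permissions; only this table decides."""
    if not isinstance(action, dict):
        return "deny"
    name, args = action.get("name"), action.get("args")
    if not isinstance(name, str) or not isinstance(args, dict):
        return "deny"
    rule = POLICY.get(name)
    if rule is None or not rule.is_valid(args):
        return "deny"
    return "review" if rule.needs_review(args) else "allow"

if __name__ == "__main__":
    # Constructed model outputs, already parsed from JSON.
    for proposed in [
        {"name": "lookup_order", "args": {"order_id": "1042"}},
        {"name": "refund", "args": {"order_id": "1042", "amount": 120}},
        {"name": "refund", "args": {"order_id": "1042", "amount": 9000}},
        {"name": "update_settings", "args": {"admin": True}},
    ]:
        print(proposed["name"], "->", authorize(proposed))
```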
Red Teaming and Adversarial Testing
Testing AI systems against realistic attack scenarios helps uncover weaknesses that traditional testing misses. Because threats evolve quickly, adversarial testing needs to be ongoing rather than a one-time exercise.
Build Skills to Secure AI-Driven Systems
Teams that work with AI need practical training in modern risk management approaches. For organizations looking to develop stronger expertise, the AI security certification offered by Modern Security provides structured guidance, hands-on learning, and real-world examples.
Traditional AppSec practices were built for systems that follow predictable rules. AI-driven architectures break that pattern, introducing behavior shaped by data, context, and model reasoning. This shift brings new attack surfaces and new challenges that legacy tools cannot identify or prevent. Protecting AI systems requires continuous monitoring, stronger data controls, model-specific testing, and collaborative security practices across teams.
As AI continues to play a larger role in application logic, organizations must evolve their security approach to match the complexity and influence of these systems. The sooner teams adapt, the more prepared they will be to protect their applications and users from modern threats.