Open Security News week 37-2025

A single tool, suite or framework that manages every aspect of security is in practice impossible. Far too many aspects require specialist tools and expertise for one tool to cover them all, let alone be maintained. Such a code base would also be insecure by design, since security maintenance of large, complex code bases is in practice impossible.

1 The SSO Wall of Shame

Good cyber security is still a cost factor for companies. Still, too often security is an extra paid feature.

But mind: SSO is too often a cost sink for vendors. So do not be surprised that, if you ask a vendor for integration with your SSO product, you need to pay. Nobody will do the work for free. So this article is biased and very opinionated. Of course we all agree that security should not be a feature. But this does not mean that you can expect every product vendor to be able to integrate their product with your SSO solution. Most SSO APIs are not great and require time and knowledge to work with. Large vendors (MS, Google, etc.) often earn hidden revenue from small vendors who need to integrate with their often imperfect SSO solutions. For the large cloud providers, SSO seems to be an easy way to earn extra revenue by offering SSO APIs.

(Link)

2 Remote Prompt Injection in GitLab Duo Leads to Source Code Theft

Security and privacy when using AI solutions are a real challenge. So do not use AI solutions for security, and think carefully about whether you want AI agents on your company network.

(Link)

3 You too can run malware from NPM (I mean without consequences)

Not only NPM, but all public repositories used for redistribution of software are vulnerable. So always check and verify. If possible, only use packages that can be validated using reproducible builds.
(link)
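A minimal form of the "always check and verify" advice above, as an added example that is not code from the newsletter or from the linked article: it verifies downloaded package tarballs against the integrity strings pinned in an npm-style lockfile (the `sha512-<base64>` SRI format npm lockfiles use) and compares independently rebuilt artifacts as a reproducible-build check. The package names, tarball bytes and lockfile contents are constructed placeholders, and `verify_fetched_packages` and `builds_are_reproducible` are hypothetical helper names, not part of any real tool.

```python
import base64
import hashlib
import hmac


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Compute an SRI-style integrity string, "<algo>-<base64 digest>"."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def matches_integrity(data: bytes, sri: str) -> bool:
    """Constant-time comparison of a fetched artifact against a pinned SRI string."""
    algo, sep, b64 = sri.partition("-")
    if sep != "-" or algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported integrity string: {sri!r}")
    expected = base64.b64decode(b64, validate=True)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


def verify_fetched_packages(lock: dict, fetched: dict) -> dict:
    """Check every dependency tarball against the lockfile's pinned integrity.

    `lock` follows the shape of a package-lock.json v2/v3 "packages" map;
    `fetched` maps the same keys to the tarball bytes actually downloaded.
    Returns {package: "ok" | "MISMATCH" | "missing" | "unpinned"}.
    """
    report = {}
    for name, meta in lock["packages"].items():
        if name == "":  # the root project entry has no tarball
            continue
        sri = meta.get("integrity")
        if sri is None:
            report[name] = "unpinned"  # nothing to verify against: treat as unverified
        elif name not in fetched:
            report[name] = "missing"
        elif matches_integrity(fetched[name], sri):
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"  # do not install; investigate the source
    return report


def builds_are_reproducible(artifacts: list) -> bool:
    """True when independently produced builds of the same source are byte-identical.

    With reproducible builds a tarball rebuilt from source by a second party
    must hash to the published tarball; a differing digest means the published
    artifact cannot be traced back to the source it claims to come from.
    """
    return len({sri_digest(a) for a in artifacts}) == 1


def demo() -> dict:
    # Constructed tarballs: placeholder bytes standing in for real archives.
    trusted = {
        "node_modules/pkg-a": b"pkg-a 1.0.0 built from tag v1.0.0",
        "node_modules/pkg-b": b"pkg-b 2.3.1 built from tag v2.3.1",
    }
    # Constructed lockfile pinning the trusted digests (placeholder package names).
    lock = {
        "name": "example-app",
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "example-app", "version": "0.1.0"},
            "node_modules/pkg-a": {"version": "1.0.0",
                                   "integrity": sri_digest(trusted["node_modules/pkg-a"])},
            "node_modules/pkg-b": {"version": "2.3.1",
                                   "integrity": sri_digest(trusted["node_modules/pkg-b"])},
            "node_modules/pkg-c": {"version": "0.9.0"},  # no integrity field at all
        },
    }
    # What the client actually downloaded: pkg-b differs from what was pinned.
    fetched = {
        "node_modules/pkg-a": trusted["node_modules/pkg-a"],
        "node_modules/pkg-b": b"pkg-b 2.3.1 rebuilt from an unknown source",
    }
    return verify_fetched_packages(lock, fetched)


if __name__ == "__main__":
    for pkg, status in demo().items():
        print(f"{status:9} {pkg}")
```

The lockfile check only proves that what you downloaded is what was pinned when the lock was written; it says nothing about whether the pinned tarball matches the published source. That second question is what `builds_are_reproducible` stands for: rebuild from the tagged source and compare digests, which is only possible for packages that are built reproducibly.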

4 Data Security and AI Report – September 2025

A nice report with references to some slide decks for more background info. Interesting if you want to know more about AI, security and Microsoft in the Netherlands. Or a good read to learn more about common security incidents in AI!
(link)

5 Google Dorking in Cybersecurity

Google was not, is not and will never be transparent about how you can retrieve information using its search engine. But knowing and using collective knowledge helps in searching. It also helps when searching for open security solutions!
(link)

6 Guidance on End-to-End Email Security

Great informational RFC to polish up your knowledge of end-to-end email encryption.

(Link)

7 HybridPetya: More proof that Secure Boot bypasses are not just an urban legend

Never think: this will not happen to me. Ransomware threats are real for everyone! So maybe it is time for simple measures to soften the pain?

(Link)

8 The Rise of SBOM Requirements In Cybersecurity Guidelines and Laws

SBOMs are not and will never be a solution for cyber security problems. Recently I investigated some new tools and guides for SBOMs, since the CRA (Cyber Resilience Act) requires information on the software used and its dependencies. SBOMs are becoming a new cash cow for security companies. It will cost you money, but in the end you are not more secure. There are many reasons why SBOMs never worked in practice in the past!

(Link)

9 Code does not lie

Security by obscurity is generally a bad security practice. When audit results of cyber processes and the software products used are not fully transparent, all you can do is trust. However, trust is good, but good security requires control.

(Link)

Our partners:

nocomplexity

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.