Aggregator

从我过往的实践来看，大多数都是测试人员在担任SDL安全对接人，少数是研发骨干、产品经理和安全研究员。他们负责：提安全需求、安全测试、组织开发修复漏洞、组织复盘分析等工作。 回顾最开始设置“产品安全专员”机制时，人选的确定交由业务部门负责人来定，同时建议承担这个角色的人须有一定话语权、熟悉产品及研发过程、最好是对安全感兴趣。其次是在确定人选之后，尽量从组织上来说要正式化、正规化运营，比如召开相关安全培训、持证上岗、发内部IM徽章、轮替也要学习和考试，定期组织开会等。 ------------更多内容，请访问------------- 1、SDL 100问 SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ 大家都有哪些SDL运营指标？ 业务系统是否可以带漏洞上线？ 日常的漏洞运营，也应该是SDL团队来做吗？ 关于开发安全BP，对开展SDL有哪些帮助？ 上传图片的API，除了常见web漏洞外，是否还会有风险？ SDL 84/100问：国内是否有做安全基线的厂商或这个方向的专家？ 2、SDL创新实践 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 DevSecOps实施关键：研发安全工具 从安全视角，看研发安全 数字化转型下研发安全痛点 一个思考：安全测试驱动产品安全？ 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、安全运营实践 基于实践的安全事件简述 安全事件运营SOP：钓鱼邮件 安全事件运营SOP：网络攻击 安全事件运营SOP：蜜罐告警 安全事件运营SOP：webshell事件 安全事件运营SOP：接收漏洞事件 应急能力提升：实战应急困境与突破 应急能力提升：挖矿权限维持攻击模拟

How Autonomous AI Systems Are Moving Beyond Hype and Why CIOs Can't Ignore Them
Agentic AI is moving from concept to capability, bridging the gap between reactive tools and enterprise-scale autonomy. With the stack maturing fast, CIOs face a choice: lead the shift or risk being left behind.

Maximum Validity of Public TLS Certificates Will Drop From 398 Days to Just 47 Days
The future of managing digital certificates is already here - it's just not evenly distributed yet. With the public TLS certificate validity period set to drop to just 47 days, as well as the need to migrate to quantum-safe encryption, experts see automation as key to achieving crypto agility.

Common Weaknesses Healthcare Providers Must Overcome to Avoid Regulators' Wrath
Regulators have long pushed HIPAA-regulated providers to ensure their enterprise-wide security risk analysis is comprehensive and timely, so they can identify security issues before they become data breaches. Why do so many organizations struggle with this top HIPAA priority?

CEO Matthew Prince: Unchecked Scraping Could Undermine the Internet's Economic Model
With 20% of the web behind its platform, Cloudflare will now block AI web crawlers from scraping monetized content by default. CEO Matthew Prince says the company's policy gives all users, even on the free plan, control over AI bot access and protects the incentives for content creation.

A vulnerability identified as problematic has been detected in Linux Kernel up to f133819e24e78f3aaaa00e9fa2b816d5f73fd172. This affects the function pnfs_update_layout of the component NFSv4/pNFS. The manipulation leads to race condition. This vulnerability is uniquely identified as CVE-2025-38393. The attack can only be initiated within the local network. No exploit exists. You should upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.12.36/6.15.5/6.16-rc4. It has been classified as critical. The impacted element is the function in_atomic of the file kernel/locking/mutex.c of the component idpf. This manipulation causes stack-based buffer overflow. This vulnerability is registered as CVE-2025-38392. The physical device can be targeted for the attack. No exploit is available. Upgrading the affected component is recommended.

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.12.36/6.15.5/6.16-rc4. This affects an unknown function of the component arm_ffa. The manipulation leads to memory leak. This vulnerability is listed as CVE-2025-38390. The attack must be carried out from within the local network. There is no available exploit. It is advisable to upgrade the affected component.

A vulnerability labeled as problematic has been found in Linux Kernel up to 6.16-rc4. This impacts the function pin_assignments of the component displayport. Executing manipulation can lead to out-of-bounds read. This vulnerability is handled as CVE-2025-38391. The attack can only be done within the local network. There is not any exploit available. The affected component should be upgraded.

A vulnerability was found in Linux Kernel up to 6.16-rc4. It has been rated as problematic. This impacts the function __kmem_cache_shutdown of the component i915. Performing manipulation results in allocation of resources. This vulnerability is reported as CVE-2025-38389. The attacker must have access to the local network to execute the attack. No exploit exists. Upgrading the affected component is advised.

A vulnerability was found in Linux Kernel up to 6.16-rc4. It has been classified as critical. Affected by this issue is the function obj_event. Performing manipulation results in null pointer dereference. This vulnerability is reported as CVE-2025-38387. The attacker must have access to the local network to execute the attack. No exploit exists. Upgrading the affected component is recommended.

A vulnerability identified as critical has been detected in Linux Kernel up to 6.16-rc2. This affects an unknown function of the component ACPICA. Performing manipulation of the argument method results in use after free. This vulnerability is known as CVE-2025-38386. Access to the local network is required for this attack. No exploit is available. You should upgrade the affected component.

A vulnerability marked as critical has been reported in Linux Kernel up to 6.12.36/6.15.5/6.16-rc4. Affected is the function in_atomic of the file kernel/locking/mutex.c of the component firmware. The manipulation leads to deadlock. This vulnerability is uniquely identified as CVE-2025-38388. The attack can only be initiated within the local network. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.1.143/6.6.96/6.12.36/6.15.5/6.16-rc4. The affected element is the function netif_napi_del of the file net/core/dev.c of the component net. Executing manipulation can lead to state issue. This vulnerability is registered as CVE-2025-38385. The attack requires access to the local network. No exploit is available. You should upgrade the affected component.

A vulnerability was found in HCL Digital Experience 8.5/9.0/9.5. It has been classified as problematic. The affected element is an unknown function of the component Administrative UI. This manipulation causes cross site scripting. The identification of this vulnerability is CVE-2025-31988. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Mozilla Firefox up to 140 on Android and classified as critical. Impacted is an unknown function of the component iFrame Handler. The manipulation results in improper access controls. This vulnerability was named CVE-2025-8042. The attack may be performed from a remote location. There is no available exploit. It is suggested to upgrade the affected component.