Best of Security: July 2025

  1. Article · AWS Fundamentals · 46w

    How to Get Started with AWS in 2025

    A comprehensive guide covering AWS account setup, security configuration, and best practices for beginners. Covers creating AWS accounts, setting up multi-factor authentication, creating IAM users, configuring billing alerts, installing AWS CLI, and implementing security measures. Also introduces Infrastructure as Code tools like Terraform and AWS CDK, AWS Organizations for multi-account management, and helpful tools for cloud development workflow.

  2. Article · Descope · 46w

    What is Multi-Tenancy and How Does It Work?

    Multi-tenancy is an architectural model where a single application serves multiple discrete user groups (tenants) with shared infrastructure but logically separated data and configurations. The guide covers three main models: single-tenant (dedicated resources, highest isolation, most expensive), multi-tenant (shared resources, lowest cost, potential performance impacts), and hybrid (mixed approach balancing cost and isolation). Key considerations include regulatory compliance requirements, performance expectations, security implications like cross-tenant data leakage, and database design patterns ranging from shared schemas to separate databases. The choice depends on factors like compliance needs, performance requirements, operational overhead, and growth potential.

  3. Article · InfoSec Write-ups · 43w

    One Tool to Rule JWTs — Easy JWT Pentesting with JWTAuditor

    JWTAuditor is an open-source, privacy-focused JWT security testing tool that performs all analysis locally in the browser without sending tokens to external servers. It automatically detects over 15 types of JWT vulnerabilities, includes built-in brute force testing with 10,000+ common secrets, and features a visual token editor with syntax highlighting. The tool addresses privacy concerns with online JWT analyzers by keeping all data client-side while providing comprehensive security analysis including algorithm validation, sensitive data detection, and security claim verification.

  4. Article · Mouad Dadda · 43w

    Awesome Node.js Security resources

    A curated collection of Node.js security resources available on GitHub, providing developers with tools, guides, and best practices for securing Node.js applications.

  5. Article · CSO Online · 45w

    7 obsolete security practices that should be terminated immediately

    Seven outdated security practices are identified that organizations should abandon: relying solely on perimeter security, taking compliance-driven approaches, using legacy VPNs, depending only on EDR protection, using SMS for two-factor authentication, maintaining on-premises SIEMs, and treating users as passive security participants. Modern alternatives include zero trust architecture, risk-based security approaches, SASE solutions, comprehensive threat detection beyond endpoints, app-based authentication, cloud-native SIEMs, and active security awareness training.

  6. Article · scottstuff.net · 46w

    Passwordless SSH and sudo with 1Password on Mac and Linux

    A comprehensive guide to setting up passwordless SSH and sudo authentication using 1Password for SSH key management. The tutorial covers configuring 1Password's SSH agent, setting up SSH client configuration with agent forwarding, implementing pam_rssh for sudo authentication, and adding biometric authentication on Linux using Yubikey Bio. The approach eliminates the need to manually manage SSH keys across multiple systems while providing secure authentication through fingerprints or system biometrics.

  7. Article · The Hacker News · 45w

    Over 600 Laravel Apps Exposed to Remote Code Execution Due to Leaked APP_KEYs on GitHub

    Security researchers discovered over 260,000 leaked Laravel APP_KEYs on GitHub, with 600+ applications vulnerable to remote code execution attacks. The vulnerability stems from Laravel's decrypt() function automatically deserializing data, allowing attackers with exposed APP_KEYs to execute arbitrary code. The issue affects both older Laravel versions (CVE-2018-15133) and newer versions with specific session configurations (CVE-2024-55556). Researchers found 63% of exposures come from .env files containing additional sensitive data, and 28,000 APP_KEY/APP_URL pairs were exposed together, making attacks trivial. Proper mitigation requires immediate key rotation, system updates, and continuous secret monitoring rather than simply deleting exposed keys.

  8. Article · Programming Digest · 46w

    OWASP Top 10 for LLMs

    Snyk is hosting a webinar covering the OWASP Top 10 for LLMs, focusing on key vulnerabilities like prompt injection and model poisoning. The session will provide practical defense strategies for securing AI-assisted development, demonstrate real-world security implementations, and share best practices for handling AI-generated code safely. The webinar targets application security professionals, developers using GenAI tools, and security leaders building AI development policies.

  9. Video · Programmers are also human · 46w

    *The guy* working from office.

    A humorous day-in-the-life narrative following an unproductive office developer who commits security mistakes, outsources work inappropriately, spends excessive time eating, and demonstrates poor coding practices while colleagues express frustration with their lack of contribution and questionable decisions.

  10. Article · freeCodeCamp · 46w

    What Are JSON Web Tokens (JWT)?

    JSON Web Tokens (JWT) are digitally signed, self-contained tokens used for secure authentication between systems. JWTs consist of three parts: header (metadata), payload (claims/data), and signature (verification). They can be signed using symmetric algorithms like HS256 with shared secrets or asymmetric algorithms like RS256 with public/private key pairs. The signature ensures authenticity and integrity without requiring server-side session storage. Key security practices include using HTTPS, keeping tokens short-lived, implementing refresh tokens, protecting signing keys, and never storing sensitive data in the payload.

  11. Article · Claudette · 44w

    GhostEyes - Ethical Hacking

    GhostEyes is a beginner-friendly Python port scanner tool designed for ethical hacking and penetration testing. It offers fast threaded scanning capabilities, banner grabbing, operating system detection, and web technology fingerprinting for network diagnostics and security assessments.

  12. Article · HashiCorp · 45w

    AI is making developers faster, but at a cost

    Google's 2024 DORA report reveals that AI coding tools increase code review speed by 3.1% and quality by 3.4%, but cause a 7.2% reduction in delivery stability. The instability stems from AI's limited understanding of broader system context, reinforcement of outdated patterns, and security vulnerabilities like hardcoded secrets. Organizations can mitigate these issues through platform engineering practices including secure infrastructure modules, centralized secrets management, unified visibility systems, and golden images with pre-approved workflows.

  13. Article · The Register · 47w

    Let's Encrypt rolls out free IP address certificates

    Let's Encrypt now offers free TLS/SSL certificates for IP addresses, joining other certificate authorities that charge $40-90 annually for this service. While most websites use domain names, IP certificates can be useful for hosting providers creating default landing pages, publishers avoiding domain costs, or securing DNS over HTTPS servers. The certificates have a six-day lifespan as part of the industry trend toward short-lived certificates for enhanced security, requiring automated renewal through ACME clients.

  14. Video · Let's Get Rusty · 47w

    The Industries Adopting Rust

    Rust is being rapidly adopted across multiple industries including security, backend infrastructure, embedded systems, and blockchain. Major companies like Microsoft, Google, AWS, and Cloudflare are using Rust for memory safety and performance benefits. The security industry particularly values Rust's compile-time safety guarantees, while cloud providers use it for critical infrastructure components. Embedded systems and robotics companies are adopting Rust for safety-critical applications, and the blockchain ecosystem has made Rust foundational for many protocols. Career opportunities exist across these sectors, with companies actively hiring Rust developers for both low-level systems work and surrounding infrastructure.

  15. Article · Astro · 47w

    Astro 5.11

    Astro 5.11 introduces enhanced Content Security Policy support for static pages through official adapters (Node.js, Netlify, Vercel), allowing CSP headers to be served properly instead of relying on meta tags. The update also adds an option to disable HTML streaming in the Node.js adapter for specific hosting requirements, plus various bug fixes and community contributions.

  16. Article · Socket · 43w

    Introducing Rust Support in Socket

    Socket has launched Rust and Cargo support, providing free package search functionality for all users and experimental SBOM generation for enterprise customers. The platform uses AI-powered analysis to detect supply chain threats specific to Rust, including malicious build scripts, unsafe code patterns, and FFI vulnerabilities. While package search is immediately available, enterprise SBOM generation requires both Cargo.toml and Cargo.lock files and currently only supports crates.io packages.

  17. Video · HuXn WebDev · 44w

    GitHub Was Almost Destroyed - The Untold Story of the Biggest Attack in Cybersecurity.

    In 2018, GitHub faced the largest DDoS attack in cybersecurity history, reaching 1.35 terabytes per second using memcached amplification techniques. Attackers exploited misconfigured memcached servers worldwide to amplify small requests into massive responses, overwhelming GitHub's infrastructure. The company successfully defended against the attack by partnering with Akamai Prolexic for traffic scrubbing and rerouting. This incident exposed thousands of vulnerable servers globally and prompted widespread security improvements across hosting providers.

  18. Article · Kamruzzaman Kamrul · 46w

    A Security Checklist for Your Laravel App Before You Hit Deploy

    A comprehensive security checklist for Laravel applications before production deployment, covering essential practices like disabling debug mode, setting proper file permissions, input validation, securing debug tools, protecting environment variables, hardening file uploads, enforcing HTTPS with security headers, route protection, safe logging configuration, and queue security. Includes practical code examples and recommendations for monitoring tools to detect potential security threats.

  19. Article · Claudette · 44w

    Uncover Online Identities with GoSearch: A Powerful OSINT Tool

    GoSearch is an open-source OSINT tool that searches for usernames across 300+ websites, categorizing results as 'Exists', 'Not Found', or 'Unknown'. The tool is useful for username enumeration, security research, OSINT investigations, bug bounty hunting, and privacy monitoring. It provides a simple interface where users enter a username and receive categorized results from supported platforms.

  20. Article · The Register · 46w

    How to trick ChatGPT into revealing Windows keys? I give up

    A security researcher discovered a method to bypass ChatGPT's safety guardrails by framing queries as a guessing game, successfully extracting real Windows product keys including one owned by Wells Fargo. The technique exploits the AI's logic flow by using the phrase 'I give up' as a trigger to reveal sensitive information that was inadvertently included in the training data. This highlights broader security concerns about sensitive data accidentally being incorporated into AI models through sources like GitHub repositories.

  21. Article · Awesome Go · 44w

    Golang - How to zip and unzip a directory in Go

    Learn how to zip and unzip directories in Go using the standard library. The tutorial demonstrates using AddFS to easily compress entire directories and provides a complete unzip function with security protections against directory traversal attacks. Includes working code examples for both operations.

  22. Video · Deno · 46w

    Deno's NPM integration just got better

    Deno's native NPM support through npm: specifiers offers significant advantages over HTTP imports, including proper dependency resolution that prevents duplicate modules, support for install hooks and native add-ons, better handling of package assets, enhanced security with explicit permissions, and cleaner project structure without node_modules folders. This approach eliminates common issues like version conflicts and silent failures while maintaining Deno's security-first philosophy.

  23. Article · Spacelift · 43w

    Top 15 Kubernetes Security Tools and Solutions for 2025

    A comprehensive guide covering 15 essential Kubernetes security tools for 2025, including static analysis tools like Kubescape and Checkov, runtime security solutions like Falco, and policy engines like OPA and Kyverno. The article categorizes tools based on the 4C security model (cloud, cluster, containers, code) and covers both open-source and commercial solutions for vulnerability scanning, compliance checking, network security, and threat detection in Kubernetes environments.