ai-security
Safeguard articles tagged "ai-security" — guides, analysis, and best practices for software supply chain and application security.
532 articles
The emerging role of the AI security engineer
OWASP's 2025 LLM Top 10 ranks prompt injection #1 and calls it structurally unfixable by parameterization — a signal that AppSec skills alone no longer cover the job.
A risk framework for enterprise AI coding and agent tool rollouts
Samsung banned ChatGPT company-wide after three leaks in 20 days. A working framework for data exposure, model supply chain, and access control risk.
Why traditional AppSec still catches most enterprise AI agent bugs
OWASP's LLM Top 10 names new categories, but most enterprise agent breaches trace back to broken access control and unvalidated input — the classics.
Concrete guardrails for AI coding assistants
40% of Copilot-generated code contained CWE Top 25 flaws in a 2022 study. Here are the prompt, scanning, and review gates that actually stop AI-written risk.
The guardrail gap in low-code agentic AI platforms
Low-code AI builders let business users wire agents to live connectors in minutes — but most ship without per-tool scoping, approval gates, or audit trails.
Least-Privilege Tool Scoping for AI Coding Agents
One overprivileged GitHub token let researchers hijack an AI agent into leaking private repo data via a public issue. Scoping tool access closes that gap.
MCP server security for AI coding agents
A critical RCE in Anthropic's own MCP Inspector (CVSS 9.4) and two Cursor CVEs show that giving AI agents tool access creates a new, largely unvetted attack surface.
A Reproducible Rubric for Measuring Prompt-Injection Risk in Agent Skills
OWASP has ranked prompt injection the #1 LLM risk for two straight editions, yet almost no one scores agent skill packages for it consistently. Here's a rubric.
Scanning AI-Generated Code Before It Merges: Wiring Scanners into Coding Assistants with MCP
Research found ~40% of Copilot suggestions were vulnerable, and devs using AI assistants trusted their code more. MCP lets you scan before merge.
Auditing AI agent skill registries for hardcoded keys
29M new hardcoded secrets hit public GitHub in 2025, up 34% YoY — and 3% of MCP servers in production carry hardcoded credentials as theft traps.
Securing MCP Servers for AI Agents
Five CVEs in 2025 alone trace MCP tool compromise back to one root cause: unsanitized strings piped into exec(). Here's how to expose and consume MCP safely.
Signing and provenance standards for AI agent skill registries
Shai-Hulud infected 500+ npm packages via stolen tokens in 2025. Agent skill registries are repeating the same unsigned-artifact mistake — here's the fix.