The Qwiet Blog

The rise of AI-generated code has indeed been a productivity breakthrough. However, it has also ushered in a new class of threat that most security teams are not adequately prepared for: the urgent and looming danger of slopsquatting. What Is Slopsquatting? Slopsquatting is a novel and unprecedented supply chain attack that exploits a flaw in […]

Developers build. It’s what they do best. But when security enters the equation, teams face a pivotal question: Should we develop our security tooling or buy something purpose-built? Let’s be honest. Building your tools can feel empowering. You know your stack, your risks, your workflow. But internal security systems aren’t just hard, they’re risky. And […]

Key Takeaways As a software developer, security professional, or technical decision-maker, it is essential to recognize that internal code is not inherently secure; it is often unscanned. Custom frameworks and in-house libraries frequently do not appear in public CVE databases and typically do not match known patterns, making them invisible to most rule-based application security […]

Key Takeaways While promising immediate feedback, real-time scanning often creates ‘noise’ without context. This ‘noise’ refers to the excessive and irrelevant alerts that tools running in the IDE or pre-save phase can generate. These tools may flag unreachable or non-exploitable code, leading to alert fatigue and dev pushback. CI/CD scanning, with its promise of higher […]

Key Takeaways All-in-one platforms trade depth for surface-level coverage: Bundling SAST, DAST, IAST, RAST, and ASPM into a single tool often leads to overlap in low-risk areas (e.g., basic code vulnerabilities) and blind spots in high-risk ones (e.g., complex business logic vulnerabilities). Context-aware tools, which understand an application’s specific context, outperform general-purpose scanners: These tools […]

After years of uncovering investment and retail banking fraud, I’ve developed a finely tuned radar for risk disguised as innovation. So when security vendors market “community rules” as a revolutionary leap forward, my fraud-detection instincts go haywire. It’s a wolf in sheep’s clothing, a potential threat masquerading as transparency. Let’s be clear: regulated financial institutions […]

Did you miss the first post? Check out: AppSec House of Cards: Legacy Scanners vs. Agentic Workflows Modern applications aren’t monoliths. They’re sprawling, service-based systems built in multiple languages and stitched with queues, APIs, and serialization layers. In this environment, user input doesn’t just move it migrates across boundaries. The Business Risk: When One Missed […]

Security engineers know that some critical vulnerabilities don’t appear in simple scans. They cross language boundaries, involve dynamic behavior, or emerge from patterns that don’t exist in any public rule set. Traditional SAST tools, especially those built on static rules or syntax matching, weren’t designed to catch these risks. Graph-based analysis changes that. It enables […]

Recent breaches at GitLab and GitHub and new research into AI-driven coding expose a troubling pattern in software security: developers have built unified pipelines of tightly integrated tools. While these boost efficiency, they introduce new risks if attackers breach the platform: GitLab disclosed an actively exploited vulnerability tied to how CI/CD job tokens were handled […]