Weekly Security Roundup: Access Controls, Scanning, and Tool Risk
Security updates this week address new data access controls, developer automation, and tool vulnerabilities, with a clear focus on managed access, code and secret scanning, and evolving policy for AI-augmented coding environments.
Data Access Control and Perimeter Security in Cloud Platforms
Microsoft Fabric’s OneLake now offers unified management for RBAC and fine-grained row/column security, supporting consistent analytics enforcement and up to 4x faster queries. Upgrades are automatic, with management via UI or API for easier governance. Azure Storage introduces network security perimeters for PaaS resources, centralizing boundary and access management with default public access denial and integrated auditing—no extra cost. This improves risk assessment and compliance for larger deployments. These new features expand unified access control highlighted last week and address compliance for analytics and storage.
- Announcing OneLake Security (Preview): Fine-Grained Data Access Control in Microsoft Fabric
- Protect Azure Storage Accounts with Network Security Perimeter: General Availability
DevSecOps, Vulnerability Scanning, and Supply Chain Threats
Fast DevSecOps pipelines now use context-aware vulnerability scanning, integrating with pull requests and ticketing to provide targeted alerts and reduce signal overload—optimizing for reduced time-to-fix and fewer false positives. Coverage includes APIs, infrastructure-as-code, dependencies, and runtime. Feedback links security and development for quicker mitigation. GitHub’s “The Download” covers an npm ecosystem attack, emphasizing ongoing supply chain risks and best practices for dependency auditing. These developments reinforce the need for prompt, actionable security and supply chain vigilance.
- What Makes Vulnerability Scanning Effective in Fast-Moving DevSecOps Pipelines Today?
- The Download: npm Supply Chain Attack, NVIDIA Rubin Platform, VS Code Dev Days & More
Automated Code and Secrets Security for Developers
GitHub’s CodeQL 2.23.0 now detects Rust log/path injection, broadens data modelling, and enhances detection across C/C++, C#, Java, and Python. Updates auto-deploy with code scanning to all supported languages. GitHub Enterprise Cloud introduces secret scanning validity checks for new tokens, helping teams spot exposed active secrets. Hush Security’s platform replaces persistent application secrets with dynamic, just-in-time identity validation (using CNCF SPIFFE), supporting policy migration and automated secret management—helpful for teams running microservices or AI workloads under zero trust. Following recent expansions in automated scanning, these updates improve detection, clarify secret validity, and reinforce best practices for secure deployment.
- CodeQL 2.23.0: New Rust Log Injection Detection and Security Improvements
- Secret Scanning Validity Checks Now Available for GitHub Enterprise Cloud with Data Residency
- Hush Security Unveils Platform to Eliminate Application Secrets
Security Vulnerabilities in Developer Tools and AI Coding Workflows
A vulnerability in Cursor AI lets tasks configured with "runOn": "folderOpen" execute shell commands automatically when a repository from an untrusted source is opened, because Workspace Trust is disabled by default. Recommended practices: enable Workspace Trust, update configurations, check repositories for auto-execution risks before opening them, and open unfamiliar projects only in isolated environments. The incident highlights the increased risk in AI-powered developer tools and the need for careful policy updates.
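As an added, defender-side illustration of the "check for auto-execution risks" recommendation (example code written for this roundup, not from Cursor, VS Code, or the original report): a small Python audit that parses a repository's .vscode/tasks.json and lists every task configured to run when the folder is opened. It assumes Cursor reads the VS Code tasks.json layout, where the "runOn" key lives under "runOptions" (the search is recursive so other nestings are caught too), tolerates the comments and trailing commas that tasks.json allows, and the sample file is constructed for the demonstration. Run it over a fresh clone before opening the folder in the editor.

```python
"""Audit a repository's .vscode/tasks.json for tasks that auto-run on folder open.

Added example for this roundup; assumes the VS Code tasks.json layout
(runOptions.runOn == "folderOpen") is what Cursor honours.
"""
import json
import re
from pathlib import Path
from typing import Any


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas so json.loads accepts JSONC.

    Comment markers inside string literals are preserved. The trailing-comma
    pass is a simple regex, so a string ending in ",}" would be mangled; fine
    for an audit tool, not for a general JSONC parser.
    """
    out: list[str] = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:   # keep escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_str = False
            i += 1
        elif ch == '"':
            in_str = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):      # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):      # block comment: skip to closing */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    cleaned = "".join(out)
    return re.sub(r",(\s*[}\]])", r"\1", cleaned)


def _contains_folder_open(node: Any) -> bool:
    """True if any nested object sets runOn to folderOpen."""
    if isinstance(node, dict):
        if node.get("runOn") == "folderOpen":
            return True
        return any(_contains_folder_open(v) for v in node.values())
    if isinstance(node, list):
        return any(_contains_folder_open(v) for v in node)
    return False


def find_auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return one finding per task that would run automatically on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if not isinstance(task, dict) or not _contains_folder_open(task):
            continue
        command = task.get("command", "")
        args = task.get("args", [])
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type", "<unspecified>"),
            "command": " ".join([str(command)] + [str(a) for a in args]).strip(),
        })
    return findings


def audit_repo(repo_root: str) -> list[dict]:
    """Audit a checked-out repository on disk without opening it in the editor."""
    path = Path(repo_root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_auto_run_tasks(path.read_text(encoding="utf-8"))


# Constructed sample tasks.json (not taken from any real repository).
SAMPLE_TASKS_JSON = r'''{
  // build task: only runs when the user asks for it
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "make",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "sh",
      "args": ["./scripts/setup.sh"],
      "runOptions": { "runOn": "folderOpen" } /* fires as soon as the folder opens */
    }
  ]
}'''


if __name__ == "__main__":
    for finding in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"AUTO-RUN TASK: {finding['label']} ({finding['type']}): {finding['command']}")
```

A finding is not proof of malice; many projects legitimately install dependencies on open. The point is that the reviewer sees the command before the editor runs it, which is exactly what Workspace Trust is meant to enforce when it is enabled.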
This maintains last week’s focus on reviewing AI and CI tool security policies as automation use increases.