Browse Security News (209)

David Sanchez lays out a practical DevOps playbook for teams adopting AI coding agents (including GitHub Copilot Cloud Agent), focusing on readiness prerequisites, human–agent collaboration patterns, pipeline changes, governance, and security controls needed to keep quality and accountability intact as non-human contributors scale up.
Allison announces that Dependabot and code scanning can now use OpenID Connect (OIDC) for organization-level access to private registries, reducing reliance on long-lived secrets and enabling short-lived, dynamically issued credentials.
Allison announces new GitHub features that surface deployment and runtime context in repository properties and security alert pages, helping teams automate policy enforcement and prioritize Dependabot and code scanning alerts based on real production risk.

.NET and .NET Framework April 2026 servicing release updates

Rahul Bhandari (MSFT) and Tara Overfield summarize the April 2026 .NET and .NET Framework servicing releases, including the updated versions, links to release notes and installers, and the list of security CVEs addressed across supported .NET and .NET Framework versions.

April Patches for Azure DevOps Server

Gloridel Morales announces April patches for Azure DevOps Server, summarizing key fixes (pull request completion reliability, safer sign-out redirect validation, and a GitHub Enterprise Server PAT connection issue) and showing how to verify that the patch is installed.
Allison announces a public preview feature that lets teams link GitHub code scanning alerts to GitHub Issues, making it easier to track and prioritize security remediation work in existing planning workflows.
Joseph Katsioloudes introduces Season 4 of GitHub’s Secure Code Game, a hands-on set of challenges where you exploit and fix vulnerabilities in an agentic AI assistant (ProdBot) to learn real-world AI-agent security risks like prompt-based tool misuse, memory poisoning, and sandbox escape.
Allison summarizes GitHub Secret Scanning updates that expand push protection defaults, improve enterprise fork coverage, and add new API capabilities for alert validity, provider filtering, scan history, and enterprise-wide dismissal request reporting.
Allison explains how GitHub’s SBOM export flow moved to an asynchronous model in the Dependency Graph UI and REST API, removing hard timeouts and adding a generate/fetch pattern for reliably downloading SBOM reports from large repositories.
Dorothy Pearce introduces GitHub’s free Code Security Risk Assessment, a one-click scan that uses CodeQL to surface vulnerabilities across up to 20 active repositories, and explains how the results help teams prioritize remediation (including where Copilot Autofix may apply).
Allison announces updates to GitHub Code Quality standard findings (public preview), including faster triage features like file-path search, bulk dismiss/reopen, and richer per-finding context, with fix suggestions generated by GitHub Copilot Autofix.
Allison announces GitHub Copilot data residency for US and EU regions plus FedRAMP Moderate support, outlining what features are covered, which models are available, the pricing uplift for compliant endpoints, and how enterprise/org admins can enable the policies.
Sandeep Sen announces Azure MCP Server 2.0’s stable release, focusing on self-hosted remote MCP servers, authentication options (managed identity and OBO), security hardening, and operational improvements to support agentic workflows that automate and manage Azure resources.
Allison shares a GitHub update: Copilot cloud agent now runs its built-in security and quality validation tools in parallel, cutting validation time by about 20%, while keeping the same checks (CodeQL, secret scanning, Advisory Database, and Copilot code review).
Nick Brady’s March 2026 digest for Microsoft Foundry (Azure AI Foundry) covers major GA releases like Foundry Agent Service, GPT-5.4 family models, evaluations with continuous monitoring into Azure Monitor, private networking, and SDK 2.0 updates across Python, JS/TS, Java, and .NET—plus guardrails and third-party runtime security integrations.
Dylan Birtolo announces that organization admins and security managers can now open a GitHub Copilot experience from Code Security and secret risk assessment results to get contextual explanations and guided next steps.

The agentic SOC—Rethinking SecOps for the next decade

Rob Lefferts and David Weston outline what an “agentic SOC” could look like over the next decade, combining autonomous, policy-bound defenses with AI agents that assemble context and orchestrate investigations so humans can focus on judgment, governance, and risk-driven security outcomes.
Alistair Speirs summarizes why Microsoft was named a Leader in Forrester’s Sovereign Cloud Platforms Wave (Q2 2026), and outlines how Microsoft Sovereign Cloud aims to deliver consistent controls across public, private, and partner-operated environments using tools like Azure Arc and Azure Local.
Microsoft Incident Response (DART) analyzes Storm-2755 “payroll pirate” attacks targeting Canadian users, detailing how adversary-in-the-middle session hijacking bypasses MFA, what signals to hunt for in Entra and Defender, and practical remediation steps including token revocation, Conditional Access hardening, and inbox-rule cleanup.
The Microsoft Defender Security Research Team analyzes a severe Android intent-redirection flaw in the EngageSDK that could let a malicious app abuse another app’s identity to reach protected components and data, and explains what developers should update and review to avoid similar SDK-driven risks.
