Community Pulse
NIST Rethinks the Future of the NVD
Eric Geller published a piece in Cybersecurity Dive on how NIST is rethinking its role in managing software vulnerability data. Geller explains that NIST is prioritizing vulnerabilities (not all CVEs will be enriched) and considering shifting enrichment duties to CVE Numbering Authorities (CNAs).
Why this matters for AppSec leaders: The NVD’s backlog and resource constraints highlight the fragility of a critical source of vulnerability intelligence. AppSec teams should follow NIST’s review process closely, engage with the CNAs that supply their critical vendors, and prepare for a possible “reset” in how vulnerability metadata is provided. If you’re planning to attend VulCon 2026 (April 13–16, Scottsdale), DevArmor will be sponsoring the event and we’ll be discussing this topic there.
Threat‑Modeling Framework for Open‑Source: Highlights from Ken Huang
In a recent article on his “Agentic AI” substack, security expert Ken Huang argues that open‑source projects cannot afford to skip threat modeling. Huang notes that most AI developers depend on open‑source code and large language model (LLM) integrations, yet few projects document their assumptions and attack surfaces. The post introduces the OpenClaw Threat Model Maestro Framework, a structured method Huang devised for evaluating risks in AI‑centric software. He encourages maintainers to publish their models publicly so that the broader community can learn from—and improve upon—them, turning threat models into living documents rather than static artifacts.
Why this matters for AppSec leaders
Threat modeling is non‑negotiable: Huang stresses that relying on unvetted packages or models exposes products to logic flaws, prompt‑injection paths and data‑exfiltration risks. Proactively mapping threats helps teams make informed design choices, not just fix bugs later.
Shared models benefit everyone: Publishing models invites feedback, encourages transparency and creates a knowledge base that others can leverage. Huang contends that open‑source thrives when its risks are as openly documented as its code.
A curated library exists: The OWASP Threat Model Library has already begun collecting vetted, peer‑reviewed models for widely used projects. Led by DevArmor’s Petra Vukmirovic and Julian Mehnle, the project aims to democratize threat modeling and improve open‑source security. AppSec practitioners can contribute or reference existing models to kick‑start their own assessments.
OWASP 25th Anniversary Virtual Conference (Feb 24)
To celebrate 25 years of volunteer‑driven software security, OWASP is hosting a six‑hour virtual conference on Feb 24, featuring training sessions and talks on program maturity models, automated scanning and supply‑chain security. The event is open to the public and includes “Ask the Experts” sessions with OWASP project leaders.

Nike (January 2026)
What happened: On January 22, Nike appeared on WorldLeaks’ dark web leak site with a warning that stolen data would be published by January 24 unless a ransom was paid. As of now, the hackers haven’t publicly disclosed what types or volume of data they obtained. Nike also declined to comment on ransom demands.
Why it matters: A high-profile extortion attempt against a household-name brand underscores that no company is off-limits. Notably, the WorldLeaks group has shifted away from encrypting files to purely stealing data and threatening leaks, a tactic that renders traditional ransomware defenses (like backups) less effective. The case highlights the sheer scale of business impact such breaches can have: recent cyberattacks on peers like MGM Resorts and Clorox each led to nine-figure losses and operational chaos.
AppSec Takeaway:
Data-theft extortion is on the rise. Modern ransomware crews often skip encryption entirely, so preventing breaches isn’t just about backups anymore. AppSec and IT teams must focus on preventing data exfiltration (through network segmentation, monitoring, DLP, etc.) because attackers now leverage the threat of leaks as their payday.
Breaches at a major enterprise can trigger cascading damage. In Nike’s case, the worry is whether supplier or customer information was swept up. This reminds security leaders to account for partner integrations and third-party data in their threat models. Your security is only as strong as the weakest link in the data supply chain.
Cyber incidents are business crises, not just IT issues. A single breach can shatter customer trust and derail operations overnight. (For perspective, MGM’s 2023 hack cost at least $100 million, and a 2024 Clorox breach wiped out $350 million in sales.) AppSec decision-makers should communicate this business impact to the C-suite regularly, ensuring resources and incident response plans are in place to protect both data and brand reputation.
AppSec News
SolarWinds Web Help Desk Exploit Highlights Update Lag
Researchers observed active exploitation of an unauthenticated remote‑code‑execution vulnerability in SolarWinds Web Help Desk. Attackers enumerated vulnerable instances and targeted unpatched systems prior to the 2026.1 release. SolarWinds urged customers to upgrade immediately and remove public access to the application.
Why it matters & AppSec takeaway: Even after patches are published, exposed systems remain vulnerable if organizations delay updates. Inventory all public‑facing tools and enforce timely patching for third‑party IT‑support software.
Fortinet SSO Flaw Enables Cross‑Tenant Authentication
Fortinet disclosed a critical authentication‑bypass flaw (CVE‑2026‑24858, CVSS 9.8) in FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb. The vulnerability allowed an attacker to abuse FortiCloud SSO to log into other customers’ devices. Researchers warned that edge devices exposed to the internet were at risk. Fortinet temporarily disabled FortiCloud SSO and released updates; customers were urged to upgrade before re‑enabling SSO.
Why it matters & AppSec takeaway: Identity‑provider integration is a single point of failure. Review all third‑party SSO configurations, ensure administrative interfaces are not publicly accessible and monitor for unusual logins. Apply Fortinet’s patches immediately.
Microsoft Office Zero‑Day Exploited; CISA Orders Rapid Patch
A remote‑code‑execution flaw (CVE‑2026‑21509) in Microsoft Office was actively exploited in late January. Attackers could craft malicious documents to execute arbitrary code when opened. Microsoft released a patch but noted that exploitation “has been detected in the wild”. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities catalog and directed federal agencies to update by Feb 16.
Why it matters & AppSec takeaway: Office macros and document‑based exploits remain an easy path into corporate networks. Patch this CVE immediately and enforce macro‑blocking rules. Consider sandboxing or disabling Office document execution for untrusted sources.
Thanks for reading The AppSec Signal, DevArmor’s newsletter for security professionals. Have feedback or ideas for what we should cover next? Feel free to reach out - [email protected]
