Farath’s Bi‑Weekly Code Security Brief
Jan 1–19, 2026
The past two weeks were all about patching core platforms (Windows, SAP, Drupal, n8n) and tightening how SAST/SCA/DAST/IAST plug into everyday delivery. In this issue, Farath breaks down the key vulns, how they would surface in your scans, and what to do about them in real pipelines.
Microsoft & Patch Tuesday: Core OS Still The Biggest Attack Surface
Microsoft’s January Patch Tuesday fixed 114 vulnerabilities across Windows, Office, and server components, including one actively exploited Desktop Window Manager (DWM) zero‑day and multiple high‑severity RRAS and SharePoint issues. Farath’s take: the bulk of risk is still privilege escalation and remote code execution paths that attackers chain post‑initial access.
How this shows up in SAST/SCA/DAST/IAST
DAST: External tests against internet‑facing SharePoint, RRAS, and Office web components can flag exposed endpoints and misconfigurations, but won’t “see” local privilege escalation chains by itself.
IAST: Instrumented QA runs on SharePoint or web‑facing components can reveal insecure behaviors, dangerous workflows, or weak access control around endpoints later abused with these CVEs.
SCA: Dependency mapping of Windows‑bound components (for example .NET, Office add‑ins, management agents) lets you quickly identify which internal apps are actually affected by these CVEs.
What Farath recommends for the next 2 weeks
Prioritise rapid rollout of January Patch Tuesday updates for internet‑facing servers, remote access (RRAS), and collaboration platforms (SharePoint, Office web services).
Wire your SCA into CMDB/asset inventory so you can answer “which service is running the vulnerable component” in minutes, not days.
SAP: Critical SQLi, RFC “Backdoors”, And XSS In The Enterprise Core
SAP’s January security notes fix critical issues in S/4HANA Finance, Data Transformation for Analytics, Landscape Transformation, HANA DB, and multiple XSS issues in NetWeaver and Business Connector. Through Farath’s DevSecOps lens, the nastiest ones combine RFC‑exposed code injection and SQL injection, exactly the paths used for lateral movement in large SAP landscapes.
How this shows up in SAST/SCA/DAST/IAST
SAST: ABAP code scanning should flag unsafe dynamic SQL construction and insecure RFC‑exposed function modules that enable injection or arbitrary code execution.
IAST: Instrumented SAP web apps and services during QA can expose dangerous data flows through RFC calls or analytics services that get hit indirectly.
DAST: For SAP web‑facing portals (NetWeaver Enterprise Portal, Business Connector), DAST can detect reflected XSS in navigation and link‑based flows.
Farath’s remediation moves
Patch per SAP’s January notes, prioritising the critical S/4HANA Finance SQLi, RFC‑exposed analytics/landscape transformation defects, and HANA privilege escalation.
Tighten RFC trust and connectivity: reduce broadly trusted RFC destinations, enforce least privilege, and scan RFC‑exposed modules with ABAP‑aware SAST.
n8n Remote Code Execution: Workflow Automation As An Attack Vector
Recent research highlights a remote code execution vulnerability in n8n affecting all versions prior to 1.121.0; a public PoC exists and mass scanning is ongoing. For Farath, this is the classic example of a “low‑friction automation node” quietly becoming high‑impact infrastructure because it sits in the middle of CI/CD and data flows.
How this shows up in SAST/SCA/DAST/IAST
SCA: Node.js dependency analysis and container image scanning should reveal vulnerable n8n versions and related libraries in your stack.
DAST: External scans of your n8n endpoints can detect characteristic behaviors and dangerous unauthenticated or weakly protected routes.
IAST: If you run IAST agents inside n8n‑fronted services in QA, you can monitor which workflows touch sensitive secrets or invoke high‑risk actions.
Immediate actions from Farath
Upgrade n8n to at least 1.121.0 and rotate any credentials, tokens, and webhooks accessible from exposed instances, assuming potential compromise.
Put n8n behind proper authentication and network segmentation, and include it as a first‑class target in your SCA and container scanning policies.
Drupal 7 CVE‑2026‑0749: Old CMS, New Pain
Drupal 7 picked up a fresh CVE (CVE‑2026‑0749) that enables session hijacking, data theft, and privilege escalation across all versions. As Farath would tell any platform team, this is a reminder that legacy CMS risk does not fade just because the stack feels “stable”.
How this shows up in SAST/SCA/DAST/IAST
SCA: Any PHP stacks or containers embedding Drupal 7 should be automatically flagged via dependency and SBOM scanning.
DAST: Auth workflows, session cookies, and access‑control checks should already be in your DAST test suites; this CVE is a reminder to verify secure session handling.
IAST: Instrumented functional tests over Drupal‑based apps can show how session data and auth flows behave in real runtime, especially across plug‑ins and custom modules.
Pragmatic next steps (Farath’s view)
Apply the Drupal 7 security update for CVE‑2026‑0749, but also start planning migration off Drupal 7 if it is still in your primary attack surface.
Extend SCA policies: treat unsupported frameworks and CMS versions as policy violations, not just “warnings,” in CI pipelines.
How SAST, SCA, DAST, IAST Fit Together (Farath’s Playbook For This Fortnight)
The last two weeks underline that no single tool sees the whole attack chain; instead, each surfaces a different slice of risk across build, deploy, and run. Farath’s playbook is to map SAST/SCA/DAST/IAST to specific phases and wire them into CI/CD with clear owners and SLAs.
Where Farath would focus for the next sprint
Build:
Crank up SAST rules for injection (SQL/command), auth/authorization, and secrets, aligning with the injection patterns still dominating 2025–2026 (XSS, SQLi).
Enforce SCA gating for known‑exploited CVEs and end‑of‑life components like legacy Drupal and outdated automation platforms.
Deploy:
Run targeted DAST against updated Microsoft/SAP/Drupal/n8n surfaces after patching to catch exposed endpoints, misconfigured auth, and XSS.
Use IAST agents in pre‑prod to trace real data flows through high‑risk paths like SAP RFCs, Office/SharePoint workflows, and automation nodes.
Operate:
Tie your vulnerability data into asset inventory and ticketing so ownership is clear for each CVE and each app team.
Use trend metrics (for example mean time to remediate exploited CVEs, percentage of builds blocked by SCA) as your core AppSec KPIs for 2026.
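To make the SCA gating described above (the n8n minimum version, and legacy Drupal treated as a policy violation rather than a warning) concrete, here is an added example of a minimal CI gate over a CycloneDX‑style SBOM. It is illustrative code written for this brief, not any vendor's tool; the component names, the SBOM shape and the sample inventory are constructed assumptions, while the 1.121.0 floor comes from the n8n section.

```python
"""Minimal SCA gate: fail a CI build on vulnerable or end-of-life components in an SBOM."""
import json
import re

# Policy thresholds. n8n's fixed version is the one stated in this brief;
# the Drupal EOL major reflects the "treat unsupported CMS versions as
# policy violations" rule. Component names are assumed to be lowercase
# CycloneDX "name" fields (an assumption for this example).
MIN_VERSIONS = {"n8n": "1.121.0"}   # anything below this blocks the build
EOL_MAJORS = {"drupal": {7}}         # unsupported majors block the build

def parse_version(v):
    """Turn '1.121.0' into (1, 121, 0); pads to three parts, drops non-numeric text."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return (parts + (0, 0, 0))[:3] if parts else ()

def evaluate(sbom_json):
    """Return (name, version, reason) findings that should block the build."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version", "")
        parsed = parse_version(version)
        if not parsed:
            # Unknown version is a gap in the inventory, not a pass.
            findings.append((name, version, "unparseable version"))
            continue
        floor = MIN_VERSIONS.get(name)
        if floor and parsed < parse_version(floor):
            findings.append((name, version, f"below minimum fixed version {floor}"))
        if parsed[0] in EOL_MAJORS.get(name, set()):
            findings.append((name, version, f"major {parsed[0]} is end-of-life"))
    return findings

def gate(sbom_json):
    """True when the build may proceed, False when SCA policy blocks it."""
    return not evaluate(sbom_json)

# Constructed sample SBOM for demonstration; not a real inventory.
SAMPLE_SBOM = json.dumps({"components": [
    {"name": "n8n", "version": "1.120.4"},
    {"name": "drupal", "version": "7.101"},
    {"name": "express", "version": "4.19.2"},
]})

if __name__ == "__main__":
    for name, version, reason in evaluate(SAMPLE_SBOM):
        print(f"BLOCK {name}@{version}: {reason}")
    raise SystemExit(0 if gate(SAMPLE_SBOM) else 1)
```

The non‑zero exit code is what a pipeline step keys on; counting blocked builds over time gives the "percentage of builds blocked by SCA" KPI mentioned above.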
That’s your action plan for the next sprint. Got SAP teams, Salesforce scanners, or n8n workflows in your stack? Hit reply – I’ll dig into specifics for your setup.
Catch the next brief Jan 29 (Jan 19-30 vulns). Share if this cut through the noise.
Stay secure, ship fast. 🚀
With ❤️,
farath at code security briefs