InfoQ Homepage Security Content on InfoQ
-
Cloudflare Releases 2024 API Security and Management Report
Cloudflare recently released its 2024 API Security and Management Report, providing insights, predictions, and recommendations for safeguarding APIs in the new year. The report analyses the growing risk of shadow APIs, the most common API errors, and global API usage across different industries.
-
LLMs May Learn Deceptive Behavior and Act as Persistent Sleeper Agents
AI researchers at OpenAI competitor Anthropic trained proof-of-concept LLMs showing deceptive behavior triggered by specific hints in the prompts. Furthermore, they say, once deceptive behavior was trained into the model, there was no way to circumvent it using standard techniques.
-
Regionally-Scoped Google’s Cloud Armor Security Policies
Google announced the general availability of regionally-scoped security policies for Google Cloud Armor: Google's premier DDoS defense and Web Application Firewall (WAF) solution.
-
Custom GPTs from OpenAI May Leak Sensitive Information
After it was reported that OpenAI has started rolling out its new GPT Store, it was also discovered that some of the data they’re built on is easily exposed. Multiple groups have begun finding that the system has the potential to leak otherwise sensitive information.
-
OpenSSF Adds Attestations to SBOMs to Validate How Software is Built
The Open Source Security Foundation (OpenSSF) has recently announced SBOMit, a tool designed to bolster Software Bills of Materials (SBOMs) with in-toto attestations. This development, announced under the OpenSSF Security Tooling Working Group, increases transparency and security in the software development process.
-
Styra's Policy as Code Report: Identity and Access Management Drives Adoption
The State of Policy as Code report from Styra, based on a survey of 285 U.S. developers and technical decision-makers, highlighted that 97% of respondents believe policy as code is crucial for efficient software building in cloud environments. The report's key findings highlight policy as the code's role in enhancing development efficiency, security, and simplicity.
-
Amazon Route 53 Resolver Introduces DNS over HTTPS Support for Enhanced Security and Compliance
AWS recently announced that Amazon Route 53 Resolver will support using the Domain Name System (DNS) over HTTPS (DoH) protocol for both inbound and outbound Resolver endpoints.
-
The Upsides and Downsides of Open Source Adoption
Benefits of open source projects are supporting rapid innovation, the flexibility provided to customize and adapt tools, and transparency of the code which can enhance security efforts. The downsides are that security by obscurity doesn’t apply, open source is potentially prone to abuse, and when open source tools are not backed up by companies, it might result in a lower level of maintainability.
-
GitLab Launches Browser-Based Dynamic Application Security Testing (DAST) Scan
GitLab has recently introduced a browser-based Dynamic Application Security Testing (DAST) feature in version 16.4 (or DAST 4.0.9). This development is part of GitLab's ongoing efforts to enhance browser-based DAST by integrating passive checks. The release includes active check-in capabilities.
-
Zoom Open-sources New Vulnerability Impact Scoring System VISS
Zoom Vulnerability Impact Scoring System, or VISS for short, aims to help organizations enforce security measures based on a new approach to vulnerability scoring that prioritizes actual demonstrated impact over theoretical security impact possibilities.
-
Privacy Engineering at Scale: DoorDash’s Journey in Geomasking and Data Protection
DoorDash recently published how it proactively embeds privacy into its products. It explains the importance of Privacy Engineering, an often overlooked software architecture practice, and provides an example of geomasking users' address data to protect their privacy better.
-
AWS Adds Automated Detection of Unused IAM Roles, Users, and Permissions
AWS recently added support for detecting unused access granted to IAM roles and users within their AWS IAM Access Analyzer tool. The new analyzer can identify unused roles, unused IAM user access keys and passwords, and unused permissions within a defined usage window. This analysis can be done across accounts within the organization and be controlled from a delegated administrator account.
-
Intuitive Application Resource Management with myApplications in the AWS Management Console
AWS recently announced at its re:Invent conference the general availability of myApplications. myApplications in the AWS Management Console can help customers manage and monitor the cost, health, security posture, and performance of their applications on AWS more effectively.
-
OpenSSL 3.2 Brings Support for QUIC, Windows Certificate Store, and More
The latest version of OpenSSL, OpenSSL 3.2.0, brings significant new features, including client support for QUIC, new digital signature algorithms, new certificate compression options, SSL/TLS security level increase, and more.
-
Canonical Takes a Chisel to Ubuntu with Ultra-Small Container Images
Canonical has officially released chiselled Ubuntu containers, offering production-ready, secure, and ultra-small container images with a focus on efficiency and security. These container images allow users to build images that only contain their application and its runtime dependencies, excluding unnecessary operating system-level packages, utilities, or libraries.