-
A Ruthless Approach for Better Security by Identifying Key Risks and Ignoring Others
Risk management techniques can be used to decide which security and privacy aspects are important. You can simplify the risk impact calculations by classifying losses as low, medium, high or critical, and by taking likelihood figures from industry data to do likelihood calculations. This helps you to identify a few key risks, and ruthlessly ignore the rest.
-
New Downfall Attack Could Lead to Sensitive Data Leakage on Intel Processors
Security researcher Daniel Moghimi discovered a new side-channel vulnerability affecting Intel processors that could be exploited to steal data from other users or apps running on the same computer. Dubbed Downfall, the vulnerability has been patched by Intel and mitigated by most major OS vendors.
-
Chrome Supports Key Pinning on Android to Improve Security
Key pinning, a technique used to prevent an attacker from tricking a vulnerable certificate authority (CA) into issuing an apparently valid certificate for a server, is now used in Chrome for Android, version 106, to help prevent man-in-the-middle attacks against Google services.
-
Enhancing Security with Google Cloud's Service Account Key Expiry Feature
Google Cloud has recently introduced service account key expiry to address security challenges associated with long-lived service account keys. With this capability, the company states that "customers can now configure an Organization Policy at the organization, folder, and project level to limit the usable duration of new service account keys".
-
Introduction of Auth0 Templates for .NET
Auth0 Templates for .NET offers pre-built project templates with integrated Auth0 support for authentication and authorization. It simplifies development by letting you create Auth0-integrated .NET projects using the same familiar workflow as the built-in templates. The project is open-source.
-
Microsoft Announces Preview of Azure Application Gateway for Containers
Microsoft recently announced the preview of Azure Application Gateway for Containers - a new application (layer 7) load balancing and dynamic traffic management product for workloads running in a Kubernetes cluster. It extends Azure's Application Load Balancing portfolio and is a new offering under the Application Gateway product family.
-
Building Cyber-Physical Systems with Agile: Learnings from QCon New York
In her QCon New York 2023 talk Success Patterns for building Cyber-Physical Systems with Agile, Robin Yeman explored how we can use agile practices at scale for large initiatives with multiple teams, building cyber-physical safety-critical systems with a scope that includes software, firmware, and hardware development.
-
Implementing Application Level Encryption at Scale: Insights from Atlassian’s Use of AWS and Cryptor
Atlassian recently published how it performs Application Level Encryption at scale on AWS while utilising high cache hit rates and maintaining low costs. Atlassian's solution runs over 12,500 instances and manages over 1,540 KMS keys. It performs over 11 billion decryptions and 811 million encryptions daily, costing $2,500 per month versus a potential $1,000,000 per month using a naive solution.
-
Google Announces Graph for Understanding Artifact (GUAC) v0.1
The Open Source Security Team at Google has recently introduced GUAC (Graph for Understanding Artifact) v0.1, a tool designed for security professionals. GUAC focuses on metadata synthesis and aggregation, addressing the requirement outlined in the U.S. Executive Order on Cybersecurity. This tool aims to assist security professionals in assessing the security posture of the supply chain.
-
Modern Cryptography in OpenJDK: Introduction of Key Encapsulation Mechanisms API
JEP 452, Key Encapsulation Mechanism API, has been marked as completed for JDK 21. This JEP introduces a modern encryption technique for securing symmetric keys using public key cryptography. The API supports various KEM algorithms, including RSA-KEM, ECIES, and those under NIST's Post-Quantum Cryptography standardization.
-
Manifest Confusion Paves the Way to New npm Supply Chain Threats
A recent report by former npm engineering manager Darcy Clarke found that the npm registry does not validate manifest information against the contents of its corresponding package tarball. This creates a double source of truth that attackers can exploit to hide scripts or dependencies, says Clarke.
-
Sysdig Announces Cloud Native Application Protection Platform
Sysdig recently unveiled the industry's first Cloud Native Application Protection Platform (CNAPP) with end-to-end detection and response capabilities. This platform combines cloud detection and response (CDR) with CNAPP, integrating the power of open-source Falco for both agent and agentless deployment models.
-
AWS AppFabric Launched with Goal to Make SaaS Apps and Security Tooling Integration Easier
Recently AWS announced the general availability (GA) of AWS AppFabric. This no-code service enhances companies’ existing investment in software-as-a-service (SaaS) applications with improved security, management, and productivity.
-
Google Announces General Availability of New Features for Cloud Firewall
Google announced an expansion of its Google Cloud Firewall offering. Cloud Firewall is GCP's cloud-native, distributed firewall service. The features now in general availability are threat intelligence for Cloud Firewall, geo-location objects, address groups and local IP ranges.
-
EC2 Instance Connect Endpoint Enables Secure Connectivity between Public and Private Networks
AWS recently announced Amazon EC2 Instance Connect (EIC) Endpoint, a new feature that allows users to connect securely to their instances and other Amazon Virtual Private Cloud (Amazon VPC) resources from the Internet.