A remote exploit (CVE-2014-6271) has been in bash discovered that potentially affects any application that uses environment variables to pass data from unsanitised content, such as CGI scripts. After the release went public, other exploits were discovered (CVE-2014-7169). Official patches have been released to fix them. (Originally posted 24 September, updated 25, 26 and 29 September)
The recent vulnerabilities in the Bash shell initially stemmed from a remote execution exploit, which was patched and made available through responsible disclosure before being announced. However, since the initial release there have been other flaws detected which became zero day threats. What exactly was the problem with Shellshock, and is it truly fixed? InfoQ explains what happened.
Teams can become so focused that they forget the world around them and risk losing contact with stakeholders. This makes it difficult for them to know what their customers need and how end users will use their products. At the ASAS2014 conference Daisy Rasing-de Joode will show how successful agile teams create synergy by being interdependent and highly collaborative with their environment.
Google's Chrome web browser team has announced a schedule to deprecate support for how the browser handles HTTPS certificates using SHA-1 signatures. Over the next 6 months the browser will utilize increasingly noticeable warnings for sites that still use SHA-1.
AWS has recently integrated the AWS Trusted Advisor into the AWS Management Console and made four security and service limit checks available at no charge. Additional checks from the security, performance, fault tolerance and cost optimization categories remain part of their Business and Enterprise support tiers.
Cloudera recently released an update over Project Rhino and data at-rest encryption in Apache Hadoop. Project Rhino is an effort of Cloudera, Intel and Hadoop community to bring a comprehensive security framework for data protection. InfoQ recently talked to Steven Ross from Cloudera team to learn more about the project.
Visual Studio Update 3 was released last week and includes some framework and tooling improvements relevant to web and mobile developers. We go through some of these, including the ASP.NET identity update supporting two-factor authentication, new Visual Studio-Azure integrations as well as several updates to the Apache Cordova Tooling preview.
AWS Identity and Access Management (IAM) recently expanded available password policy rules to enable self-service password rotation. A new credential report provides visibility into the AWS credentials security status. AWS also added logging of AWS Management Console sign-in events to AWS CloudTrail.
GitHub, BitBucket, Twitter and other Secure Services Affected on Mac OS X By Expired SSL Certificate
On Saturday July 26th, an intermediate certificate issued by DigiCert that was used by online services like GitHub, BitBucket, etc expired. Since this certificate was widely cached in the keychains of many Mac OS X users, this expiration caused any connection via browser or API to raise certificate chain errors.
Continuous learning supports agile adoption in enterprises. A culture change can be needed to enable and support continuous learning. There are several things that managers and agile coaches can do to establish and nurture a continuous learning culture.
Hadoop distributor Cloudera pursued its strategy of securing the Hadoop ecosystem by acquiring last month the big data encryption and key management startup Gazzang. The deal will strengthen Cloudera's security offering and lead to the creation of a center of excellence for Hadoop security that will initially be fueled by Gazzang’s engineering team.
Katana 3, now close to GA, comes with new security components providing OpenIDConnect and WSFederation support.
AWS has considerably increased the number of services supported by AWS CloudTrail to cover the majority of the extensive AWS service portfolio. This now includes most compute and networking and all deployment and management services, thereby providing comprehensive end to end auditing of almost any changes to customer’s infrastructure.
Node Security Project has been quietly working at improving Node.js security for a few months now. The project has the goal of auditing Node.js existing module base to help "improve Node landscape and provide confidence to developers and enterprises about the state of security in Node.js land."
Hortonworks recently acquired the data security company XA Secure to help the organization in providing comprehensive security to Hortonworks Data Platform (HDP). Security features would be available across all Hadoop workloads from batch, interactive SQL and real–time.