Cloud Security Content on InfoQ
-
HashiCorp's Boundary Now Generally Available on HCP
Following a successful beta trial, HashiCorp has announced the general availability of Boundary on their cloud platform HCP. This adds a key new aspect to HashiCorp's managed solution for zero-trust security.
-
OpenSSL Hit by Two High Severity Vulnerabilities, Recently Patched
Introduced in OpenSSL 3.0 in September 2021 and affecting all successive versions up to and including OpenSSL 3.0.6, the two recently patched vulnerabilities are caused by buffer overruns in X.509 certificate verification.
-
AWS Adds Container Lens to Well-Architected Framework
AWS has added a new container lens to its Well-Architected Framework. This new technical paper outlines best practices sourced from the community, AWS partners, and AWS's internal container technology specialists. These best practices provide guidance for running high-performance, reliable, and secure container workloads. The paper also includes reference architectures for a few common use cases.
-
AWS Introduces AWS Parameters and Secrets Lambda Extension to Improve Performance and Security
AWS recently announced the Parameters and Secrets Lambda Extension, a new way for developers to retrieve parameters from Systems Manager Parameter Store and secrets from Secrets Manager. The Lambda extension caches parameters and secrets, reducing latency and costs.
-
Orca Security Report Finds Critical Assets Vulnerable within Three Steps
A report from Orca Security found security gaps within the assessed cloud environments. These include unencrypted sensitive data, S3 buckets with public READ access, root accounts without multi-factor authentication enabled, and publicly accessible Kubernetes API servers. In addition, they found that the average attack path only requires three steps to reach business-critical data or assets.
-
HashiCorp Vault Enhances Plugin Framework, Adds New Secrets Engines
HashiCorp has released a number of new features and improved core workflows for Vault, their secrets and identity management platform. The improvements include a new PKCS#11 provider, support for Redis and Amazon ElastiCache as secrets engines, improvements to the Transform secrets engine, and a better user experience for working with plugins.
-
DataDog Publishes AWS Security Report
DataDog has published their State of AWS Security report, an overview of practices based on data analysis from over 600 organizations. The report compares actual usage against industry best practices, noting where the two align and diverge, and examines the causes of breaches and data leaks.
-
Threat Operations and Research Team Cloudforce One Generally Available
Cloudflare recently announced that the threat operations and research team Cloudforce One began conducting briefings and is now generally available. Available as an add-on subscription, Cloudforce One includes threat data and briefings, security tools, and the ability to make requests for information (RFIs) to the team.
-
Microsoft Previews Azure Firewall Basic for Small-Medium Businesses
Microsoft recently released the public preview of Azure Firewall Basic for small-medium businesses (SMBs), providing enterprise-grade security at an affordable price. The company offers the Basic SKU as it sees SMBs as particularly vulnerable to budget constraints and gaps in specialized security skills.
-
Google Distroless Images Achieve SLSA Level 2
Google announced that their distroless builds meet level 2 of the Supply-chain Levels for Software Artifacts (SLSA). Level 2 requires that the build process for these images is tamper resistant. This improves on their previous release, which saw all images being signed with cosign.
-
Google 2022 Accelerate State of DevOps Report Finds Strong Culture Predictive of Strong Performance
Google has released their findings from the 2022 Accelerate State of DevOps Report. This year's report focused on security with a specific emphasis on the software supply chain. The report found a broad adoption of the inspected practices with organizations that have a high-trust, low-blame culture leading the way in both security and operational practices.
-
NPM Package Masquerading as Popular Material Tailwind Library To Install Malicious Code
Researchers at ReversingLabs discovered a malicious npm package masquerading as the Material Tailwind library. The researchers say their finding highlights a new trend of threat actors installing malicious code through what they call impostor packages.
-
Undistro Wolfi Designed to Mitigate Software Supply Chain Risk
Chainguard has announced the general availability of Wolfi, a new Linux distribution designed for container environments and built to ensure a secure software supply chain. Wolfi is designed to be a minimal distribution that provides a build-time SBOM for all included packages.
-
Google Cloud Spanner Introduces Free Trial Instances and Fine-Grained Access Control
Google Cloud recently announced different improvements to their managed databases. The cloud provider introduced free trial instances and fine-grained access control for Spanner to let developers try the managed service and configure access to data at the table and column level.
-
Production Identity Framework SPIRE Graduates from CNCF
The Cloud Native Computing Foundation has announced the graduation of SPIFFE and SPIRE. SPIFFE defines a standard to authenticate software services through the use of platform-agnostic, cryptographic identities. SPIRE is a production-ready implementation of the SPIFFE API. Recent improvements to the project include adding experimental Windows support.