InfoQ Homepage Security Assessment Content on InfoQ
-
Slack Security: inside the New Anomaly Event Response Architecture
Slack has launched Anomaly Event Response (AER), a real-time security system that autonomously detects suspicious activity, terminates risky sessions, and reduces response time from days to minutes. The system’s architecture includes a detection engine, decision framework, and response orchestrator to help organizations prevent breaches efficiently.
-
When Unchecked Autoscaling Generates a $120K Cloud Spend
In the wake of a staggering $120K bill due to unchecked autoscaling during a DDoS attack, industry experts stress the necessity of robust FinOps strategies. Key recommendations include capping resource limits and utilizing real-time alerts to prevent financial disasters. Balancing cost control with system availability is crucial to safeguard modern cloud environments.
-
GitHub Announces Code Scanning and Security Advisory Support for Swift
GitHub has launched code scanning support for Swift in beta and announced it will include Swift security advisories in its Advisory Database to extend the capabilities of its Dependabot vulnerability monitor.
-
New Microsoft Defender Products: Threat Intelligence and External Attack Surface Management
Microsoft recently announced two security products: Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management. These new products are driven by their acquisition of RiskIQ just over a year ago.
-
Microsoft Rebrands its Data Governance Service to Microsoft Purview
Recently, Microsoft announced Microsoft Purview, a new product branding bringing together the Azure Purview data governance service with various Microsoft 365 compliance solutions.
-
Google Cloud Introduces Community Security Analytics
Google Cloud recently released Community Security Analytics (CSA), a set of open-sourced queries and rules for security analytics designed to help detect common cloud-based threats.
-
How Security by Design Helped to Manage Risks in a Cloud Migration
When a company migrated to the cloud, security issues arose due to difficulties in getting stakeholders on board and involving security from the start. Embedding security assessments as part of the continuous cloud DevOps process and adopting an agile strategy for security risk management throughout the lifecycle of the project helped to increase the governance of security during the migration.
-
New CodeGuru Reviewer Features Detector Library and Security Detectors for Log-Injection Flaws
Amazon CodeGuru Reviewer is a developer tool that leverages machine learning to detect security defects in code (Java and Python) and offers suggestions for code quality improvement. Recently, AWS introduced two new features for the tool, with a new Detector Library and security detectors for Log-Injection Flaws.
-
Google and GitHub Announce OpenSSF Scorecards v4 with New GitHub Actions Workflow
GitHub and Google have announced the version 4 release of the Open Source Security Foundation (OpenSSF)'s Scorecards project. Scorecards is an automated security tool that identifies risky supply chain practices in open source projects. This release includes a new Scorecards GitHub Action, new security checks, and a large increase in the repositories included in the foundations weekly scans.
-
AWS Re-Launches Amazon Inspector with New Architecture and Features
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. It was first launched in 2015, and during the recent re:Invent 2021, AWS re-launched it with brand new architecture and a host of new features such as container-based workloads, integration with Amazon Event Bridge, and Security Hub.
-
Microsoft Releases Azure Attestation into General Availability
Microsoft recently announced the general availability of Azure Attestation, a unified solution for remotely verifying the trustworthiness of a platform and the integrity of the binaries running inside it.
-
CNCF Fund a Bug Bounty Program for Kubernetes
The Kubernetes Product Security Committee has launched a new bug bounty program, funded by the The Cloud Native Computing Foundation (CNCF), to reward security researchers for finding vulnerabilities in the Kubernetes' codebase, as well as the build and release processes, with bounties ranging from $100 to $10,000.
-
GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection
With the acquisition of startup Semmle, GitHub aims to make continuous vulnerability detection part of their continuous integration/continuous deployment service.
-
Simplifying Blockchain Security Using Hyperledger Ursa
In a recent blog post, the Hyperledger project announced that their latest project, Hyperledger Ursa, has been accepted by the Technical Steering Committee (TSC). Ursa’s primary objective is to simplify and consolidate cryptographic libraries in a trusted, consumable manner for use in distributed ledger technology projects in an interoperable way.
-
DevSecOps Grows Up and Finds Itself a Community
On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, Mark Miller and John Willis, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.