Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage Security Code Reviews Content on InfoQ


RSS Feed
  • New CodeGuru Reviewer Features Detector Library and Security Detectors for Log-Injection Flaws

    Amazon CodeGuru Reviewer is a developer tool that leverages machine learning to detect security defects in code (Java and Python) and offers suggestions for code quality improvement. Recently, AWS introduced two new features for the tool, with a new Detector Library and security detectors for Log-Injection Flaws.

  • Google and GitHub Announce OpenSSF Scorecards v4 with New GitHub Actions Workflow

    GitHub and Google have announced the version 4 release of the Open Source Security Foundation (OpenSSF)'s Scorecards project. Scorecards is an automated security tool that identifies risky supply chain practices in open source projects. This release includes a new Scorecards GitHub Action, new security checks, and a large increase in the repositories included in the foundations weekly scans.

  • Microsoft Releases Application Inspector, a Tool for Examining Code Security

    In a recent blog post, Microsoft announced an open source tool that developers can use to detect security vulnerabilities in their software solutions. The tool is called Microsoft Application Inspector and is available on GitHub. As organizations try to reduce their time to market, oversights may occur. Application Inspector can be used to identify malicious code used in third-party libraries.

  • GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection

    With the acquisition of startup Semmle, GitHub aims to make continuous vulnerability detection part of their continuous integration/continuous deployment service.

  • Design and Security in Agile: QCon London Q&A

    Reviews of design diagrams by domain experts can detect potential security breaches not found by vulnerability scans or security automation. Such reviews should focus on critical functions like issuing and managing access tokens, transferring data to external services, and running untrusted code, said Kevin Gilpin, enterprise software engineer and co-founder of AppLand, at QCon London 2019.

  • DevSecOps Grows Up and Finds Itself a Community

    On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, Mark Miller and John Willis, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.

  • GitLab Web IDE Goes GA and Open-Source in GitLab 10.7

    GitLab Web IDE, aimed to simplify the workflow of accepting merge requests, is generally available in GitLab 10.7, along with other features aimed to improve C++ and Go code security and improve Kubernets integration.

  • A Look Back at the Linux Kernel Backdoor

    With all of the recent concern over the US government’s National Security Agency (NSA) some of the attention has turn to the possibility of backdoors. Back in 2003 someone attempted to insert a backdoor into the Linux kernel. Though caught, it illustrates how seemingly innocuous changes can introduce vulnerabilities and the importance of tractability in source control.

  • Security Assessment Techniques: Code Review v Pen Testing

    Web application security testing and assessment should include both security code review and penetration testing techniques. Dave Wichers, an OWASP Board Member, spoke at the recent AppSec DC 2010 Conference about the pros and cons of code reviews and penetration testing approaches in finding security vulnerabilities in web applications.