InfoQ Homepage Security Development Lifecycle Content on InfoQ

News

RSS Feed

Java

Do Gen AI and OSS Regulation Bring Us Further Away from Exiting the Dependency Hell?

“The security of the software supply chain problem” still persists according to the yearly State Of Supply Chain report. It improved, but there is still a long way to go, given that 96% of all vulnerable downloads were avoidable. Besides the usual insights of how far from exiting the "dependency hell" we are, the novel challenges of 2023 include the legislative adoption of Gen AI-associated risks.

Olimpiu Pop
on Nov 06, 2023
DevOps

PyTorch-Nightly Struck by Supply Chain Attack Exfiltrating Data and Files

Developers who installed the nightly builds of PyTorch between December 25 and December 30, 2022, are recommended to uninstall it and purge their pip cache to get rid of a malicious package, say PyTorch maintainers. The new attack highlights a recent trend.

Sergio De Simone
on Jan 07, 2023
Culture & Methods

Adding Security to Testing to Enable Continuous Security Testing

Teams can be trained by security experts to become able to identify areas to add security testing in the test process and add security checks as part of functional test automation. This can lead to continuous security testing where security defects can be spotted at an early stage with higher security testing coverage in every release.

Ben Linders
on May 13, 2021
Cloud

Infosec Teams Expand Use of Security Tools to Address Cloud Complexity, Survey Finds

The Cloud Security Alliance (CSA), a non-profit organization, recently published its findings on the state of cloud security practices which shows accelerating cloud adoption, but a need for more sophisticated security approaches.

Jared Ruckle
on Apr 20, 2021
DevOps

Yelp Open-Sources Fuzz-Lightyear, A Swagger-Based IDOR Vulnerability Detector

Business directory and crowd-sourced review service, Yelp, has open-sourced their in-house security testing framework, fuzz-lightyear, that identifies Insecure Direct Object Reference (IDOR) vulnerabilities.

Helen Beal
on Jan 31, 2020
DevOps

GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection

With the acquisition of startup Semmle, GitHub aims to make continuous vulnerability detection part of their continuous integration/continuous deployment service.

Sergio De Simone
on Sep 19, 2019
Cloud

Security Architecture Anti-Patterns by UK Government National Cyber Security Centre

The National Cyber Security Centre of the UK Government recently published a white paper on the six design anti-patterns that we should avoid when designing computer systems.

Alex Giamas
on Sep 04, 2019
DevOps

DevSecOps Grows Up and Finds Itself a Community

On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, Mark Miller and John Willis, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.

Helen Beal
on Jul 06, 2018
DevOps

Managing the Software Supply Chain with the "Grafeas" Metadata API and "Kritis" Deploy Authorization

In a recent Google Cloud Platform (GCP) blog series exploring container security, the GCP team has presented further details of Grafeas -- a common API and language to store, query and retrieve metadata about software components -- and Kritis -- a proposed framework that enables the use of metadata stored in Grafeas to build and enforce real-time deployment policies with Kubernetes.

Daniel Bryant
on May 06, 2018
DevOps

Chef Enhances Cloud Security Automation in InSpec 2.0

Continuous automation vendor, Chef, has announced the availability of InSpec 2.0, a new version of Chef’s free open source tool that enables DevOps and cross-functional application, infrastructure and security teams to express security and compliance rules as code and assess and remediate compliance issues through the entire software delivery life cycle.

Helen Beal
on Feb 27, 2018
Architecture & Design

Microservices and Security

When it comes to application security, we often include it as an afterthought. We have learnt how to add test into the development workflows, but with security we often assume someone else will come and fix it later on, Sam Newman claimed in his keynote at this year’s Microservices Conference in London.

Jan Stenberg
on Nov 15, 2016
Security in the Software Development Lifecycle

Application security must be integrated into software development process. Late stage penetration testing is not sufficient because it will be too late and too expensive to fix mistakes. Steve Lipner from Microsoft spoke during the application security seminar at RSA conference last week about security in the software development lifecycle.

Srini Penchikala
on Feb 21, 2011
US Government: Proposed Assessment and Authorization for Cloud Computing

Two weeks back the US CIO's office released a 90 page proposal entitled, Proposed Security Assessment and Authorization for US Government Cloud Computing. The document is the result of 18 months of work among the NIST, GSA, ISIMC and the CIO Council to evaluate security controls and multiple Assessment and Authorization models for US Government Cloud Computing.

James Vastbinder
on Nov 25, 2010
AppSec DC: Neal Ziring on Application Assurance

Neal Ziring said that the role for developers is changing where they have become the first line of defense for applications. Neal presented the keynote session at AppSec DC 2010 conference last week. He also talked about application assurance process with focus on aspects like resilience and visibility.

Srini Penchikala
on Nov 20, 2010

Topics

The Many Facets of “Identity”

InfoQ Java Trends Report 2023 - Discussing Insights with Mike Redlich

Introducing the Hendrix ML Platform: an Evolution of Spotify’s ML Infrastructure

Kanban is a Tool for Continuous Improvement

From Monitoring to Observability: eBPF Chaos

Helpful links

Choose your language

News

Do Gen AI and OSS Regulation Bring Us Further Away from Exiting the Dependency Hell?

PyTorch-Nightly Struck by Supply Chain Attack Exfiltrating Data and Files

Adding Security to Testing to Enable Continuous Security Testing

Infosec Teams Expand Use of Security Tools to Address Cloud Complexity, Survey Finds

Yelp Open-Sources Fuzz-Lightyear, A Swagger-Based IDOR Vulnerability Detector

GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection

Security Architecture Anti-Patterns by UK Government National Cyber Security Centre

DevSecOps Grows Up and Finds Itself a Community

Managing the Software Supply Chain with the "Grafeas" Metadata API and "Kritis" Deploy Authorization

Chef Enhances Cloud Security Automation in InSpec 2.0

Microservices and Security

Security in the Software Development Lifecycle

US Government: Proposed Assessment and Authorization for Cloud Computing

AppSec DC: Neal Ziring on Application Assurance

Git-for-Data, Version-Controlled Database Dolt Gets PostgreSQL-Flavor

The Many Facets of “Identity”

Security Checks Simplified: How to Implement Best Practices with Ease

Revolutionizing Digital Identity: How Verifiable Credentials Offer a New Era of Privacy and Control

InfoQ Java Trends Report 2023 - Discussing Insights with Mike Redlich

Principled API Design at the Heart of Canva’s Apps SDK

Kanban is a Tool for Continuous Improvement

How to Become a High-Performing Software Team

How to work with Your Auditors to Influence a Better Audit Experience

Meta Announces Generative AI Models Emu Video and Emu Edit

Anthropic Announces Claude 2.1 LLM with Wider Context Window and Support for AI Tools

KubeCon NA 2023: Ishan Sharma on Real-Time Generative AI for Gaming Apps Running on Kubernetes

From Monitoring to Observability: eBPF Chaos

OpenTelemetry Logging Marked Stable: Morgan McClean at KubeCon NA

Grafana Cloud Kubernetes Monitoring with Machine Learning Predictions

QCon London

QCon San Francisco

InfoQ Software Architects' Newsletter

Login with:

Don't have an InfoQ account?

News