DevOps

WhiteSource Launches Free Open Source Vulnerability Checking

by Helen Beal on Aug 10, 2018

WhiteSource, an open source security and license compliance management solution provider, has launched Vulnerability Checker, a new, free and standalone CLI tool that alerts on critical vulnerabilities in the open source components a project uses.

Development

NetBSD 8.0 Brings Spectre V2/V4, Meltdown, and Lazy FPU Mitigations, and More

by Sergio De Simone on Jul 24, 2018

NetBSD 8.0, a major release of the BSD-derived OS known for its portability across many architectures, brings kernel mitigations for the Spectre V2/V4, Meltdown, and Lazy FPU state restore vulnerabilities, along with many new features and bug fixes.

Development

Spectre 1.1 and 1.2 Vulnerabilities Disclosed

by Sergio De Simone on Jul 15, 2018

Two new vulnerabilities exploiting flaws in CPUs' speculative execution have recently been disclosed. Dubbed Spectre 1.1 and 1.2, both are variants of the original Spectre bounds-check-bypass vulnerability (Spectre-v1) and leverage speculative stores to create speculative buffer overflows, which can escape existing Spectre-v1 mitigations.

DevOps

DevSecOps Grows Up and Finds Itself a Community

by Helen Beal on Jul 06, 2018

On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, Mark Miller and John Willis, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.

Development

TLBleed Can Leak Cryptographic Keys from CPUs Snooping on TLBs

by Sergio De Simone on Jun 26, 2018

A new side-channel vulnerability affecting Intel processors, known as TLBleed, can leak information by snooping on Translation Look-aside Buffers (TLBs), writes VUsec security researcher Ben Gras.

Development

Lazy FP State Restore Vulnerability Affects Most Intel Core CPUs

by Sergio De Simone on Jun 18, 2018

Intel has disclosed a new vulnerability affecting most of its Core processors and making them targets for side-channel attacks similar to Spectre and Meltdown. The vulnerability, dubbed Lazy FP state restore (CVE-2018-3665), allows a process to infer the contents of FPU/MMX/SSE/AVX registers belonging to other processes.

Architecture & Design

Zip Slip Directory Traversal Vulnerability Impacts Multiple Java Projects

by Charles Humble on Jun 05, 2018

Security company Snyk has disclosed Zip Slip, an arbitrary file overwrite vulnerability exploited using a specially crafted ZIP archive whose entry names contain path traversal sequences (such as ../), so that an extractor which joins the entry name onto the destination directory without a containment check writes outside that directory. The vulnerability affects thousands of projects including AWS CodePipeline, Spring Integration, LinkedIn's Pinot, Apache/Twitter Heron, Alibaba JStorm, Jenkins, Gradle, and Google Cloud Platform.

Development

Git Vulnerability May Lead to Arbitrary Code Execution

by Sergio De Simone on Jun 03, 2018

A flaw in Git submodule name validation makes it possible for a remote attacker, via a crafted repository, to execute arbitrary code on developer machines that clone it. Additionally, an attacker could gain access to a portion of system memory. Both vulnerabilities have already been patched in Git 2.17.1, 2.16.4, 2.15.2, and other maintenance releases.
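Both the Zip Slip item and the Git submodule item above are path traversal bugs in an untrusted name. The following Python is an added example, not code from Snyk, Git or any of the projects listed; it builds a constructed in-memory ZIP containing a traversal entry, shows the vulnerable join beside the hardened containment check, and adds a hypothetical submodule-name check in the spirit of the Git fix (not Git's own validation code). The destination directory /srv/app/unpack is an assumption used only to compute paths; nothing is written to disk.

```python
import io
import os
import zipfile


def build_sample_zip() -> bytes:
    # Constructed sample: one benign entry and one Zip Slip entry whose
    # name climbs out of the extraction directory with "../" components.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../../tmp/evil.sh", "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


def unchecked_target(dest_dir: str, entry_name: str) -> str:
    # The vulnerable pattern: join the untrusted entry name onto the
    # destination with no containment check. The Java equivalent seen in
    # Zip Slip is new File(destDir, entry.getName()).
    return os.path.join(dest_dir, entry_name)


def checked_target(dest_dir: str, entry_name: str) -> str:
    # The hardened pattern: canonicalise both paths, then require that the
    # resolved target stays inside the destination. This rejects "../"
    # traversal and absolute entry names (os.path.join discards the prefix
    # when the second argument is absolute, so the check still catches it).
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"entry escapes {dest_dir!r}: {entry_name!r}")
    return target


def audit_archive(data: bytes, dest_dir: str) -> list:
    """Return (entry_name, is_safe, path_the_vulnerable_code_would_write)
    for every entry, without extracting anything."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                checked_target(dest_dir, info.filename)
                safe = True
            except ValueError:
                safe = False
            report.append((info.filename, safe,
                           unchecked_target(dest_dir, info.filename)))
    return report


def submodule_name_is_safe(name: str) -> bool:
    # Hypothetical check modelled on the idea behind the Git fix: the
    # submodule name is used as a path under .git/modules/, so it must not
    # be empty, absolute, or contain "." / ".." path components.
    if not name or name.startswith("/"):
        return False
    return all(part not in ("", ".", "..") for part in name.split("/"))


if __name__ == "__main__":
    for name, safe, path in audit_archive(build_sample_zip(), "/srv/app/unpack"):
        print(("OK     " if safe else "REJECT ") + name + " -> " + path)
    for name in ("lib/foo", "../../../../tmp/x"):
        print(name, "safe" if submodule_name_is_safe(name) else "rejected")
```

The audit function deliberately reports the path the unchecked join would have produced, which is the quickest way to see why the second entry is dangerous: it lands in /tmp, not under the extraction directory. Python's own zipfile.extractall strips such components, so the vulnerable pattern only appears here when you resolve entry names yourself, as many of the affected Java libraries did.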

Development

VPNFilter Has Infected over 500,000 Routers Worldwide

by Sergio De Simone on May 30, 2018

Cisco security researchers have issued an advisory describing a sophisticated malware system, VPNFilter, that has targeted at least 500,000 networking devices in 54 countries.

Development

PGP and S/MIME Encrypted Email Vulnerable to Efail Attack

by Sergio De Simone on May 18, 2018

A group of German and Belgian researchers found that PGP and S/MIME email clients are vulnerable to an attack that leaks the plaintext of encrypted emails. The Electronic Frontier Foundation confirmed the vulnerability and suggested using alternative means to exchange secure messages. Yet the vulnerability is not in PGP itself, according to GnuPG creator Werner Koch, who also called the EFF's comments overblown.

Development

Intel Starts to Use GPUs for Malware Scanning

by Sergio De Simone on Apr 20, 2018

Intel has announced its new Threat Detection Technology (TDT), a set of silicon-based capabilities which use the processor's integrated GPU to scan memory for malware. This frees the CPU from that task and is meant to help offset the performance cost of the Spectre and Meltdown mitigations.

Development

GitHub Security Alerts Detected over Four Million Vulnerabilities

by Sergio De Simone on Mar 21, 2018

Launched last October, GitHub security alerts significantly reduced the time it takes for developers to remove vulnerabilities from their Ruby and JavaScript projects, says GitHub.

JavaScript

Last Npm Incident Uncovers Security Vulnerability

by Sergio De Simone on Jan 15, 2018

Last week, the npm registry had an operations incident that caused a number of highly depended-on packages, such as require-from-string, to become unavailable. While the incident was relatively straightforward to resolve, it uncovered a major security vulnerability that could have been exploited to inject malicious code into projects using npm.

DevOps

NIST Publishes Guidelines on Application Container Security

by Hrishikesh Barua on Dec 04, 2017

The National Institute of Standards and Technology (NIST) published a bulletin on application container technology and its most notable security challenges. The report is a summary of two previous bulletins outlining vulnerability areas including image, registry, orchestrator, container, host OS, and hardware, and their countermeasures.

.NET

String Interpolation in Entity Framework Raises Concerns

by Jonathan Allen on Sep 18, 2017

One of the new features in Entity Framework Core 2 is the ability to automatically convert interpolated strings into parameterized SQL. Though designed to avoid problems with poorly written SQL, it is feared that it may actually lead to more SQL injection attacks: an interpolated string looks the same whether it reaches the query API as a FormattableString (parameterized) or has first been converted to a plain string (concatenated), so a small refactoring can silently turn a safe query into an injectable one.
