Security Vulnerabilities Content on InfoQ
-
Intel Starts to Use GPUs for Malware Scanning
Intel has announced its new Threat Detection Technology (TDT), a set of silicon-based capabilities which use the processor GPU to scan memory for malware. This will free the CPU from that task and help mitigate the impact of defending against Spectre and Meltdown.
-
GitHub Security Alerts Detected over Four Million Vulnerabilities
Launched last October, GitHub security alerts significantly reduced the time it takes for developers to remove vulnerabilities from their Ruby and JavaScript projects, says GitHub.
-
Last Npm Incident Uncovers Security Vulnerability
Last week, the npm registry had an operations incident that caused a number of highly depended-upon packages, such as require-from-string, to become unavailable. While the incident was relatively straightforward to solve, it uncovered a major security vulnerability that could have been exploited to inject malicious code into projects using npm.
-
NIST Publishes Guidelines on Application Container Security
The National Institute of Standards and Technology (NIST) published a bulletin on application container technology and its most notable security challenges. The report is a summary of two previous bulletins outlining vulnerability areas including image, registry, orchestrator, container, host OS, and hardware, and their countermeasures.
-
String Interpolation in Entity Framework Raises Concerns
One of the new features in Entity Framework Core 2 is the ability to automatically convert interpolated strings into parameterized SQL. Though designed to avoid problems with poorly written SQL, it is feared that it may actually lead to more SQL injection attacks.
-
Twistlock 2.1 Container Security Suite Released
Twistlock announced the general availability of version 2.1 of their container security product. Highlights of the release include an integrated firewall that understands application traffic, vulnerability detection, secrets management via integration with third party tools, and compliance alerting and enforcement.
-
Git Continues to Improve Security and UI in Version 2.13
The latest release of Git introduces many changes aimed at improving its user interface, while also fixing two significant vulnerabilities.
-
Object Deserialisation Filters Backported from Java 9
JEP 290, which allows filtering of incoming data when deserialising an object, and was initially targeted to Java 9, has been backported to Java 6, 7, and 8. The feature provides a mechanism to filter incoming data in an object input stream as it is being processed, and can help prevent deserialisation vulnerabilities like the one that affected Apache Commons and other libraries a while back.
-
Study Shows the Web is Crowded with Outdated, Vulnerable JavaScript Libraries
A recent study has found that 37% of the Alexa top 75K websites have at least one vulnerability and almost 10% have at least two. Maybe even more shockingly, 26% of the Alexa top 500 websites use vulnerable libraries.
-
Cloudbleed - Cloudflare Proxies Memory Leak
A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered by Google Project Zero vulnerability researcher Tavis Ormandy.
-
Microservices and Security
When it comes to application security, we often include it as an afterthought. We have learnt how to add tests into the development workflows, but with security we often assume someone else will come and fix it later on, Sam Newman claimed in his keynote at this year’s Microservices Conference in London.
-
Major Windows Vulnerability Disclosed by Google before Patch Available
A major, currently exploited vulnerability in the Microsoft Windows kernel has recently been disclosed by Google’s Threat Analysis Group, before Microsoft made public a patch or any mitigation advice. Microsoft has stated a fully tested patch will be available in a week.
-
Angular 1.X Usage Banned in Firefox Extensions
A developer found out the hard way that they had built their Firefox browser extension on banned technology. Angular 1.X has been banned for use in Firefox extensions as long as a security vulnerability exists in the way Angular interacts with the extension and the displayed web page.
-
Docker Security Scanning
Docker Inc have announced general availability of Docker Security Scanning, which was previously known as Project Nautilus. The release comes alongside an update to the CIS Docker Security Benchmark to bring it in line with Docker 1.11.0, and an updated Docker Bench tool for checking that host and daemon configuration match security benchmark recommendations.
-
GitLab Discloses Critical Vulnerability, Provides Patch
GitLab has just announced a number of important security fixes, including one for a critical privilege escalation, and strongly recommends that all GitLab installations from version 8.2 onwards be upgraded immediately. InfoQ has spoken with GitLab’s Stan Hu, VP of Engineering.