InfoQ Homepage Security Content on InfoQ
-
AWS Open-Sources CloudFormation Compliance Analyzer
AWS has announced the preview release of CloudFormation Guard, an open-source CLI tool to enforce compliance policies against CloudFormation templates. cfn-guard provides a lightweight, declarative syntax for defining rules. It supports lists, wildcards, regex,and declaration of variables, and can work with CloudFormation intrinsic functions.
-
Disabling Google 2FA Doesn't Need 2FA
A developer's machine, compromised by attackers, was able to use Safari auto-fill to log into passwords.google.com, disable 2FA and extract passwords without notification. InfoQ spoke to Amos (@fasterthanlime) on Twitter about his experience and advice for others who might find themselves in the same situation. Read on to find out what happened, and what you should do to protect your assets.
-
Security as a Product - a Coordination Game between DevOps and InfoSec
Kelly Shortridge, a product and strategy expert in information security, has described how security should be treated as a product. Analyzing the "we mindset" and game theory she puts forth DevOps and InfoSec as a coordination game.
-
Production Identity Framework SPIRE Graduates to CNCF Incubator
The Cloud Native Computing Foundation has accepted SPIFFE and SPIRE as incubation level projects. SPIFFE defines a standard to authenticate software services through the use of platform-agnostic, cryptographic identities. SPIRE is an implementation of the SPIFFE APIs that is production ready.
-
DevOps Dojo Provides Online, Interactive DevOps Training
DXC Technology has recently open-sourced their DevOps Dojo, a collection of learning modules that covers both the technical and cultural aspects of DevOps. The modules are built on the Katacoda platform and hosted on GitHub.
-
The Defense Department's Journey with DevSecOps
Cloud Native Computing Foundation (CNCF) has released a new case study of the DoD's approach to DevSecOps that looks at how they used Kubernetes clusters and other open-source technologies to speed up the releases. While most of the information was already available from the DoD and in their presentations, the CNCF has summarized the venture in one place.
-
Facilitating Threat Modelling Remotely
ThoughtWorks' Jim Gumbley recently published a guide to Threat Modelling on Martinfowler.com with a template for facilitating remote and onsite sessions. He makes a case for continuous threat modelling within each iteration, alongside business stake-holders. Derek Handova has also written about removing friction from security through automation and a greater security focus in the SDLC.
-
IBM Fully Homomorphic Encryption Toolkit Now Available for MacOS and iOS
IBM's Fully Homomorphic Encryption (FHE) Toolkit aims to allow developers to start using FHE in their solutions. According to IBM, FHE can have a dramatic impact on data security and privacy in highly regulated industries by enabling computing directly on encrypted data.
-
0-Day Vulnerability in Sign In with Apple Rewarded with $100,000
Earlier this year, security researcher Bhavuk Jain disclosed a 0-day vulnerability in Sign In with Apple that could easily allow an attacker to get full control of a victim's account by only knowing their email address. Apple patched the vulnerability and stated they could find no evidence of exploitation.
-
Elasticsearch 7.7 Brings Asynchronous Search, Secure Keystore and More
Elastic, the search company, has released Elasticsearch 7.7.0. This release introduces asynchronous search, password protected keystore, performance improvement on time sorted queries, two new aggregates and first release of packaging for ARM(non x86) platform.
-
Secure Multiparty Computation May Enable Privacy-Protecting Contact Tracing Solutions
The current COVID-19 pandemic has fueled several efforts to implement contact tracing apps, based on a number of different cryptographic approaches. InfoQ has spoken with HashiCorp principal product manager for cryptography and security Andy Manoske to learn more about Secure Multiparty Computation and how it can enable privacy-protecting analysis on private data from different sources.
-
GitLab Annual DevOps Survey Shows Emerging Trends and Changing Roles
Completed by over 3500 developers from 21 countries, GitLab's DevOps survey encompasses three major areas, development and release, security, and testing. The survey hints at faster release cycles and improved quality, with the more recent DevSecOps area requiring more organizational fine-tuning. InfoQ has taken the chance to speak with GitLab's senior developer evangelist, Brendan O'Leary.
-
WebAssembly: Building a Secure-by-Default Ecosystem - Lin Clark at WebAssembly Summit
Lin Clark, principal research engineer at Mozilla focusing on WebAssembly and Rust, discussed at the WebAssembly Summit the security challenges WebAssembly must address. Clark explained how the nano-process proposal strives to provide portable, secure-by-default WebAssembly modules.
-
Microsoft Announces the General Availability of DCsv2-VM from Azure Confidential Computing
Recently, Microsoft announced the general availability of DCsv2-series virtual machines (VMs). With these VMs, customers can deliver applications that protect data while in use.
-
55th Anniversary of Moore's Law
April 2020 marks 55 years since Intel co-founder Gordon Moore published ‘Cramming more components onto integrated circuits’. For over 50 years Intel and its competitors kept making Moore’s law come true, but more recently efforts to push down chip feature size have been hitting trouble with limitations in economics and physics that force us to consider what happens in a post Moore’s law world.