BT

Cloudbleed - Cloudflare Proxies Memory Leak

by Chris Swan on  Feb 26, 2017

A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered by Google Project Zero vulnerability researcher Tavis Ormandy.

NIST Guidelines Require Second Auth Factor When Using Biometrics

by Thomas Betts on  Feb 13, 2017

NIST has released a public draft of new Digital Identity Guidelines, described as “a significant update from past revisions.” The guidelines describe acceptable use of multi-factor authentication (MFA). Furthermore, when using biometric data as one authentication factor, it must be combined with something you have, and not something you know, such as a password.

Practical Tips for Automated Acceptance Tests

by Ben Linders on  Feb 10, 2017

Testing techniques like Equivalence Partitioning, Boundary Value Analysis, and Risk-based Testing can help you decide what to test and when to automate a test. InfoQ spoke with Adrian Bolboacă about different types of tests, writing sufficient and good acceptance tests, criteria to decide to automate a test, and how to apply test automation to create executable specifications.

Google Expands Audit Logging Capability to Majority of Cloud Services

by Richard Seroter on  Jan 30, 2017 2

Tracking "who did what" in a self-service public cloud can be challenging. With Google Cloud Audit Logging, Google captures log streams for seventeen services in Google Cloud Platform (GCP) .

Apache Eagle, Originally from eBay, Graduates to top-level project

by Alexandre Rodrigues on  Jan 24, 2017

Apache Eagle, an open-source solution for identifying security and performance issues on big data platforms, graduates to Apache top level project on January 10, 2017. Firstly open-sourced by eBay on October 2015, Eagle was created to instantly detect access to sensitive data or malicious activities and, to take actions in a timely fashion.

Google Introduces Cloud-Based Encryption Key Management Service

by Sergio De Simone on  Jan 16, 2017 2

Google has announced a new service for its Google Cloud Platform (GCP) that allows to create, use, rotate, and destroy symmetric encryption keys. Although the new Cloud Key Management Service (KMS) is integrated with Google's Cloud Identity Access Management and Cloud Audit Logging, keys managed using KMS can be also used independently.

Intel Open-Sources BigDL, Distributed Deep Learning Library for Apache Spark

by Alexandre Rodrigues on  Jan 13, 2017

Intel open-sources BigDL, a distributed deep learning library that runs on Apache Spark. It leverages existing Spark clusters to run deep learning computations and simplifies the data loading from big datasets stored in Hadoop.

Neo4j 3.1 Supports Causal Clustering and Security Enhancements

by Srini Penchikala on  Dec 31, 2016

The latest version of Graph NoSQL database Neo4j introduces causal clustering and new security architecture. Neo4j team recently released version 3.1 of the graph database. Other new features include database kernel improvements and a Schema Viewer.

Running Docker Containers Securely in Production

by Hrishikesh Barua on  Dec 17, 2016

Hardening Docker containers in production involves a combination of techniques including making them immutable, minimizing the attack surface and applying both standard Linux hardening procedures as well as ones that are specific to a container environment.

Google Pushing for HTTPS

by Manuel Pais on  Dec 11, 2016

Google wants to push for HTTPS everywhere with a combination of deprecating existing Chrome features in non-secure sites, as well as new features only supported in HTTPS.

Authentication Strategies in Microservices Systems

by Jan Stenberg on  Dec 08, 2016 1

Software security is a complex problem, and is becoming even more complex using Microservices where each service has to deal with security, David Borsos explained at the recent Microservices Conference in London, during his presentation evaluating four end-user authentication options within a microservice based systems.

Amazon Announces AWS Shield for DDoS Protection

by Kent Weare on  Dec 03, 2016

At the recent re:Invent 2016 event, Amazon announced a new service called AWS Shield, which provides customers with protection from Distributed Denial of Service (DDoS) attacks. This announcement comes just over a month after Amazon was impacted by a DDoS attack on a DNS provider that Amazon used, Dynamic Network Services (Dyn).

Lawyer.com: Early Adopter of HTTP/2, Speaks to InfoQ

by Michael Redlich on  Nov 30, 2016

Lawyer.com recently announced that they are adopting the HTTP/2 protocol. Gerald Gorman, tech entrepreneur, CEO, and co-founder of Lawyer.com, spoke to InfoQ about their technology implementation, their position on microservices and lightweight containers, their unique search engine, and their use of social media.

Google, Microsoft, and Mozilla Urge Site Operators to Replace SHA–1 Certificates

by Sergio De Simone on  Nov 20, 2016 1

Following their SHA–1 deprecation plans announced last year, Google, Microsoft, and Mozilla detailed recently their timelines to remove support for SHA–1 certificates from their flagship browsers. Researchers at security firm Venafi found however, that 35% of analyzed websites are still using SHA–1 certificates.

Microservices and Security

by Jan Stenberg on  Nov 15, 2016

When it comes to application security, we often include it as an afterthought. We have learnt how to add test into the development workflows, but with security we often assume someone else will come and fix it later on, Sam Newman claimed in his keynote at this year’s Microservices Conference in London.

BT