-
Hardware Mitigation on Intel, Arm, and AMD CPUs Shown Ineffective against Spectre v2
Security researchers from Vrije Universiteit Amsterdam showed the hardware mitigations to Spectre v2 attacks implemented in both Intel and Arm processors have fundamental flaws that make them vulnerable to branch history injection.
-
Meta Open-Sources Browser Extension to Establish Web Code Authenticity
Originally created to help WhatsApp users verify the authenticity of the WhatsApp code being served to their browsers, Code Verify is a new open-source extension for Chrome, Edge, and Firefox that lets other Web services provide the same level of security, says Meta.
-
Software Supply Chain Security Project in-toto Accepted into CNCF Incubator
The CNCF Technical Oversight Committee (TOC) has accepted the in-toto project as a CNCF incubating project. The in-toto project aims to cryptographically protect the entire software build and delivery process - the “supply chain” - from malicious actors.
-
How Security by Design Helped to Manage Risks in a Cloud Migration
When a company migrated to the cloud, security issues arose due to difficulties in getting stakeholders on board and involving security from the start. Embedding security assessments as part of the continuous cloud DevOps process and adopting an agile strategy for security risk management throughout the lifecycle of the project helped to increase the governance of security during the migration.
-
New CodeGuru Reviewer Features Detector Library and Security Detectors for Log-Injection Flaws
Amazon CodeGuru Reviewer is a developer tool that leverages machine learning to detect security defects in code (Java and Python) and offers suggestions for code quality improvement. Recently, AWS introduced two new features for the tool, with a new Detector Library and security detectors for Log-Injection Flaws.
-
ValidKube Aims to Help Enforce Kubernetes YAML Best Practices
ValidKube is a new open-source tool that combines several tools to make it easier to validate, clean, and secure Kubernetes YAML configuration files. InfoQ has spoken with Itiel Shwartz, CTO and co-founder of Komodor, creator of ValidKube.
-
Report Finds 75% of Cloud Runtimes Contain High or Critical Vulnerabilities
Sysdig’s latest cloud-native and security-usage report finds that shipping containers with vulnerabilities has become standard practice - with the report finding that 75% of containers have high severity vulnerabilities which could have been patched. The report stresses that many organisations find this to be an acceptable risk, in order to move and release quickly.
-
Log4Shell Defenses: Java Agents in Conversation with Contrast Security’s Arshan Dabirsiaghi
Because of the critical nature of the affected systems and the severity of the Log4Shell vulnerability, an alternative approach to fixing it was required. Java agents played a crucial role in this defense strategy. InfoQ reached out to Arshan Dabirsiaghi, chief scientist and founder of Contrast Security, for a better understanding of their approach.
-
Runtime Security Project Falco Adds Extensible Plugin Framework
Falco, a cloud-native runtime security project, has released version 0.31.0. This release introduces a new plugin system for defining additional event sources and event extractors to Falco. The plugin system includes SDKs to simplify development and this release ships with a new AWS CloudTrail plugin.
-
Microsoft Releases Azure Payment HSM in Public Preview for the Payment Card Industry
Recently, Microsoft announced the public preview of Azure Payment HSM, a bare-metal infrastructure as a service (IaaS) offering that provides cryptographic key operations for real-time payment transactions in Azure. It uses Thales payShield 10K payment HSMs, which deliver a suite of payment security functionality proven in critical environments.
-
AWS Re-Launches Amazon Inspector with New Architecture and Features
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. It was first launched in 2015, and during the recent re:Invent 2021, AWS re-launched it with brand new architecture and a host of new features such as container-based workloads, integration with Amazon Event Bridge, and Security Hub.
-
An Overview of Twitter's Security Key Implementation
Recently, Twitter migrated their internal workforce accounts from legacy two-factor authentication (2FA) to physical security keys. Aimed at preventing phishing attacks, the security keys can identify malicious sites by leveraging the FIDO and WebAuthn security standards.
-
GitHub Releases Improved Developer Flow at Universe Event
At their annual industry event, GitHub released new functionality with a focus on flow, better developer experience, and security. GitHub Universe is an annual conference -- which ran virtually this year -- bringing a raft of announcements relating to new functionality in GitHub - Microsoft’s developer source code repo and software integration tool.
-
Google's Network-Based Threat Detection Service Cloud IDS is Now Generally Available
Recently, Google announced the general availability of its Cloud IDS for network-based threat detection. This core network security offering helps detect network-based threats and helps organizations meet compliance standards that call for an intrusion detection system.
-
HashiCorp Vault 1.8 Adds Diagnose Command, Key Management Secrets Engine, and Expiration Manager
HashiCorp Vault 1.8 brings notable features and improvements to the secrecy and privacy product including Vault Diagnose, integrated-storage autopilot, Key Management secrets engine for AWS, expiration manager improvements, and control-group triggers. Vault helps users to manage secrets and protect sensitive data using UI, CLI, or HTTP API.