Security Content on InfoQ
-
Log4Shell Defenses: Java Agents in Conversation with Contrast Security’s Arshan Dabirsiaghi
Because the affected systems were critical and the Log4Shell vulnerability was severe, an alternative to patching in place was required. Java agents played a crucial role in this defense strategy. InfoQ reached out to Arshan Dabirsiaghi, chief scientist and founder of Contrast Security, for a better understanding of their approach.
-
Runtime Security Project Falco Adds Extensible Plugin Framework
Falco, a cloud-native runtime security project, has released version 0.31.0. This release introduces a new plugin system for defining additional event sources and event extractors to Falco. The plugin system includes SDKs to simplify development and this release ships with a new AWS CloudTrail plugin.
-
Microsoft Releases Azure Payment HSM in Public Preview for the Payment Card Industry
Recently, Microsoft announced the public preview of a bare-metal infrastructure as a service (IaaS) Azure Payment HSM that provides cryptographic key operations for real-time payment transactions in Azure. It uses Thales payShield 10K payment HSMs, which deliver a suite of payment security functionality proven in critical environments.
-
AWS Re-Launches Amazon Inspector with New Architecture and Features
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. It was first launched in 2015, and during the recent re:Invent 2021, AWS re-launched it with a brand new architecture and a host of new features, such as support for container-based workloads and integration with Amazon EventBridge and Security Hub.
-
An Overview of Twitter's Security Key Implementation
Recently, Twitter migrated their internal workforce accounts from legacy two-factor authentication (2FA) to physical security keys. Aimed at preventing phishing attacks, the security keys can identify malicious sites by leveraging the FIDO and WebAuthn security standards.
-
GitHub Releases Improved Developer Flow at Universe Event
At their annual industry event, GitHub released new functionality with a focus on flow, better developer experience, and security. GitHub Universe is an annual conference, which ran virtually this year, bringing a raft of announcements relating to new functionality in GitHub, Microsoft's developer source code repository and software integration tool.
-
Google's Network-Based Threat Detection Service Cloud IDS is Now Generally Available
Recently, Google announced the general availability of its Cloud IDS for network-based threat detection. This core network security offering helps detect network-based threats and helps organizations meet compliance standards that call for an intrusion detection system.
-
HashiCorp Vault 1.8 Adds Diagnose Command, Key Management Secrets Engine, and Expiration Manager
HashiCorp Vault 1.8 brings notable features and improvements to the secrets management product, including Vault Diagnose, integrated-storage autopilot, a Key Management secrets engine for AWS, expiration manager improvements, and control-group triggers. Vault helps users manage secrets and protect sensitive data using the UI, CLI, or HTTP API.
-
What Machine Learning Can Do for Security
Machine learning can be applied in various ways in security, for instance, in malware analysis, to make predictions, and for clustering security events. It can also be used to detect previously unknown attacks with no established signature.
-
Airbnb Open Sources Ottr: a Serverless Public Key Infrastructure Framework
Airbnb announced that it has open-sourced Ottr, a serverless public key infrastructure framework developed in-house. Ottr handles end-to-end certificate rotations without the use of an agent. Ottr's primary design goal is to be a scalable and configurable serverless framework on AWS with little operational overhead or reliance on enrollment protocols.
-
WICG Publishes New HTML Sanitizer API Proposal against mXSS Attacks
The Web Platform Incubator Community Group recently published the Draft Community Group Report for the HTML Sanitizer API. The HTML Sanitizer API lets developers take untrusted strings of HTML and sanitize those strings for safe insertion into a document’s DOM. The most common use case of HTML string sanitization is to prevent cross-site scripting (XSS) attacks.
-
GitHub to Phase out Support for Git Protocol, DSA Keys and Legacy SSH Algorithms
With a strong focus on keeping customer data as secure as possible, GitHub has decided to remove support for the unencrypted Git protocol, DSA keys and some legacy SSH algorithms. It is also adding requirements for newly added RSA keys and providing support for ECDSA and Ed25519 SSH host keys. These changes affect only SSH and git:// users; https:// users will be unaffected.
-
Moving from Self-Doubt and Imposter Syndrome toward Seeing the Benefits of Diversity in Technology
As someone with a non-technical background, Charu Bansal has navigated imposter syndrome in her career, often wondering what value she could bring to security. In her talk at The Diana Initiative 2021, she showed how having a diverse perspective helped her solve challenging security problems as she pivoted from a non-technical career into information security.
-
Announcing General Availability of CIS Service Catalog and Reference Architecture 2.0
Gruntwork, an organization focused on creating reusable infrastructure code, announced the general availability of CIS Service Catalog and CIS Reference Architecture 2.0. Existing and future users of Gruntwork can now rapidly get started with a production-ready AWS technology stack and AWS services.
-
How Quantifying Information Leakage Helps to Protect Systems
Information leakage happens when observable information can be correlated with a secret. Secrets such as passwords, medical diagnoses, locations, or financial data uphold a lot of our world, and there are many kinds of observable information, like error messages or electrical consumption patterns, that can give hints about these secrets.