Security Content on InfoQ
-
Pandemic Shines Security Spotlight on Zoom Collaboration Risks
COVID-19 self-isolation has resulted in Zoom growing from 10m to 200m daily users. This growth has highlighted issues with Zoom's data privacy, security practices and meeting configurations. Bruce Schneier and other security commentators have provided insights into these issues. While governments and major companies have banned it, Zoom started a 90-day security hardening stint with a former Facebook CSO.
-
AWS Announces the General Availability of New Security Service: Amazon Detective
Recently, Amazon announced the general availability of Amazon Detective. This new security service in AWS allows customers to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
-
Let's Encrypt is Revoking Three Million Certificates on March 4
Non-profit certificate authority Let's Encrypt, which provides X.509 certificates for TLS encryption at no charge, has announced it will revoke customer certificates today due to a bug in their Boulder CA software.
-
Microsoft Releases Application Inspector, a Tool for Examining Code Security
In a recent blog post, Microsoft announced an open source tool that developers can use to detect security vulnerabilities in their software solutions. The tool is called Microsoft Application Inspector and is available on GitHub. As organizations try to reduce their time to market, oversights may occur. Application Inspector can be used to identify malicious code used in third-party libraries.
-
Keeping Credentials Safe, Google Introduces Cloud Secret Manager
In a recent blog post, Google announced a new service, called Secret Manager, for managing credentials, API keys and certificates when using Google Cloud Platform. The service is currently in beta and the intent of this service is to reduce secret sprawl within an organization’s cloud deployment and ensure there is a single source of truth for managing credentials.
-
Can We Build Trustable Hardware? Andrew Huang at 36C3
Andrew “bunnie” Huang recently presented at 36C3 on ‘Open Source is Insufficient to Solve Trust Problems in Hardware’ with an accompanying blog post ‘Can We Build Trustable Hardware?’ His central point is that Time-of-Check to Time-of-Use is very different for hardware versus software, and so open source is less helpful in mitigating the array of potential attacks in the threat model.
-
Kubernetes the Very Hard Way with Large Clusters at Datadog
Laurent Bernaille from Datadog talked at the Velocity conference in Berlin about the challenges of operating large self-managed Kubernetes clusters. Bernaille focused on how to configure resilient and scalable control planes, why and how to rotate certificates frequently, and the need for using networking plugins for efficient communication in Kubernetes.
-
How to Integrate Infosec and DevOps Using Chaos Engineering
Kelly Shortridge from Capsule8 talked at the Velocity conference in Berlin about how chaos engineering can help to integrate Infosec within a DevOps culture. Shortridge discussed how distributed, immutable, and ephemeral infrastructure, or the D.I.E. model, is an organizationally friendly way of building security by design. With this model, users can continuously raise the cost of the attack
-
Microsoft Extends Azure Security Center Capabilities to Partners, Adds Automation
At the recent Ignite conference, Microsoft announced several updates to their Azure Security Center offerings. These updates include enhanced cloud resource threat protection, Customer Lockbox extensions, the release of a Secure Code Analysis toolkit, additional support for Azure Disk Encryption, certificate management extensions, API automation and partner integrations.
-
CloudFlare Releases Open Source Implementation of Network Time Security Protocol
CloudFlare announced the first major release of their implementation of the Network Time Security (NTS) protocol. This builds on their previous release of time.cloudflare.com, their free time service that supports both Network Time Protocol (NTP) and NTS.
-
Secrets at Planet-Scale: Engineering the Internal Google KMS
At QCon San Francisco 2019, Anvita Pandit, senior developer at Google, explained Google’s Internal Key Management System (KMS), which supports various Google services. This internal KMS not only manages the generation, distribution and rotation of cryptographic keys, but also handles other secret data.
-
New Bytecode Alliance Announces WebAssembly Nanoprocesses Proposal for Safe Use of Untrusted Modules
Mozilla’s Lin Clark recently announced the creation of the Bytecode Alliance. The Bytecode Alliance is an industry partnership that aims to propose and implement standards enabling the growth of a secure-by-default WebAssembly ecosystem, inside and outside the browser. The Bytecode Alliance introduced nanoprocesses to provide isolation and safety when running third-party Wasm packages.
-
Recent Study Estimates That 50% of Websites Using WebAssembly Apply It for Malicious Purposes
A study published in June 2019 reveals that among the Alexa Top 1 million websites, one out of every 600 sites executes WebAssembly (Wasm) code. The study moreover finds that over 50% of the sites using WebAssembly apply it for malicious purposes, such as cryptocurrency mining and malware code obfuscation.
-
CircleCI Adds Security Integrations to Streamline Securing CI/CD Pipelines
CircleCI announced the addition of new orbs that address common use cases and needs for securing your CI/CD pipelines. The orbs added to the repository with this release cover vulnerability scanning, secrets management, license scanning, and digital scanning. The release includes integrations with AWS and Google Cloud.
-
PARSEC Is a New Platform-Agnostic API for Secure Systems
Backed by Arm and Docker, Platform AbstRaction for SECurity aims to define a universal software standard to handle secure object storage and cryptography services. It focuses on modern system architectures made of containerized services and strives to make security technology easy to access. InfoQ has spoken with Justin Cormack, security lead at Docker and PARSEC maintainer, to learn more.