Security Content on InfoQ
-
How to Integrate Infosec and DevOps Using Chaos Engineering
Kelly Shortridge from Capsule8 talked at the Velocity conference in Berlin about how chaos engineering can help to integrate Infosec within a DevOps culture. Shortridge discussed how distributed, immutable, and ephemeral infrastructure, or the D.I.E. model, is an organizationally friendly way to build security by design. With this model, users can continuously raise the cost of the attack
-
Microsoft Extends Azure Security Center Capabilities to Partners, Adds Automation
At the recent Ignite conference, Microsoft announced several updates to their Azure Security Center offerings. These updates include enhanced cloud resource threat protection, Customer Lockbox extensions, the release of a Secure Code Analysis toolkit, additional support for Azure Disk Encryption, certificate management extensions, API automation and partner integrations.
-
CloudFlare Releases Open Source Implementation of Network Time Security Protocol
CloudFlare announced the first major release of their implementation of the Network Time Security (NTS) protocol. This builds on their previous release of time.cloudflare.com, their free time service that supports both Network Time Protocol (NTP) and NTS.
-
Secrets at Planet-Scale: Engineering the Internal Google KMS
At QCon San Francisco 2019, Anvita Pandit, senior developer at Google, explained Google’s Internal Key Management System (KMS), which supports various Google services. This internal KMS not only manages the generation, distribution and rotation of cryptographic keys, but also handles other secret data.
-
New Bytecode Alliance Announces WebAssembly Nanoprocesses Proposal for Safe Use of Untrusted Modules
Mozilla’s Lin Clark recently announced the creation of the Bytecode Alliance. The Bytecode Alliance is an industry partnership aiming at proposing and implementing standards to enable the growth of a secure-by-default WebAssembly ecosystem, inside and outside the browser. The Bytecode Alliance introduced nanoprocesses to provide isolation and safety when running third-party Wasm packages.
-
Recent Study Estimates That 50% of Websites Using WebAssembly Apply It for Malicious Purposes
A study published in June 2019 reveals that in the Alexa Top 1 million websites, one out of 600 sites executes WebAssembly (Wasm) code. The study also finds that over 50% of those sites using WebAssembly apply it for malicious deeds, such as cryptocurrency mining and malware code obfuscation.
-
CircleCI Adds Security Integrations to Streamline Securing CI/CD Pipelines
CircleCI announced the addition of new orbs that address common use cases and needs in securing CI/CD pipelines. The orbs added to the repository with this release cover vulnerability scanning, secrets management, license scanning, and digital scanning. The release includes integrations with AWS and Google Cloud.
-
PARSEC Is a New Platform-Agnostic API for Secure Systems
Backed by Arm and Docker, Platform AbstRaction for SECurity aims to define a universal software standard to handle secure object storage and cryptography services. It focuses on modern system architectures made of containerized services and strives to make security technology easy to access. InfoQ has spoken with Justin Cormack, security lead at Docker and PARSEC maintainer, to learn more.
-
GitHub Improves Vulnerability Workflows and Becomes CVE Numbering Authority
Along with the Semmle acquisition, GitHub has disclosed a number of improvements aimed at making it easier for maintainers and developers to fix and protect against vulnerabilities. This includes the possibility of creating a security advisory and assigning it a CVE number directly from the GitHub UI.
-
Microsoft Launches Azure Active Directory-Based Access Control for Service Bus
In a recent statement, Microsoft has announced the general availability of Azure Active Directory (AD) based access control for Service Bus, enabling the option to use identities in combination with Role Based Access Control (RBAC) to authenticate against the service’s data endpoints. Moreover, they have also introduced accompanying RBAC roles, providing granular control over granted permissions.
-
Google Releases a Managed Service for Microsoft Active Directory (AD) in Beta
In a recent blog post, Google announced the beta release of the Managed Service for Microsoft Active Directory (AD). With this service, Google acts as a managed service provider for any customer requiring Microsoft AD, and the cloud provider will take care of the patching and maintenance of Microsoft's identity and access management service.
-
Five 0-Day iOS Vulnerability Chains Have Been Exploited for Years
A collection of fourteen vulnerabilities affecting almost every iOS version from iOS 10 to iOS 12 enabled a number of hacked websites to gain control of their visitors' devices and steal a wealth of private data over at least two years, Google Threat Analysis Group (TAG) engineer Ian Beer wrote. These vulnerabilities are not new. What is new is the discovery of their active exploitation in the wild.
-
Google Announces General Availability of Cloud Security Scanner for GKE and Compute Engine
Recently, Google announced the general availability of Cloud Security Scanner for Google Kubernetes Engine and Compute Engine. This service scans web apps for vulnerabilities and threats possibly introduced during development, so that users can act before anyone can abuse them.
-
Implementing Continuous Security for Microservices and Kubernetes
Security needs to adapt to increasingly fast continuous delivery in the container/Kubernetes world, and that means security as code, argued Mateo Burillo. At RebelCon.io 2019 he presented how to implement a DevSecOps process with continuous security.
-
A Single Pane of Glass for Compliance and Security with AWS Security Hub GA
Recently, Amazon announced the general availability (GA) of AWS Security Hub, a new security service that provides customers with a central place to manage security and compliance across their AWS environment.