-
GitHub Improves Vulnerability Workflows and Becomes CVE Numbering Authority
Along with Semmle acquisition, GitHub has disclosed a number of improvements aimed to make it easier for maintainers and developers to fix and protect against vulnerabilities. This includes the possibility of creating a security advisory and assigning it a CVE number directly from GitHub UI.
-
Microsoft Launches Azure Active Directory-Based Access Control for Service Bus
In a recent statement, Microsoft announced the general availability of Azure Active Directory (AD) based access control for Service Bus, enabling the use of Azure AD identities in combination with Role Based Access Control (RBAC) to authenticate against the service's data endpoints. Microsoft has also introduced accompanying RBAC roles that provide granular control over the permissions granted.
-
Google Releases a Managed Service for Microsoft Active Directory (AD) in Beta
In a recent blog post, Google announced the beta release of the Managed Service for Microsoft Active Directory (AD). With this service, Google acts as a managed service provider for any customer requiring Microsoft AD, and the cloud provider takes care of the patching and maintenance of Microsoft's identity and access management service.
-
Five 0-Day iOS Vulnerability Chains Have Been Exploited for Years
A collection of fourteen vulnerabilities affecting almost every iOS version from iOS 10 to iOS 12 enabled a number of hacked websites to gain control of their visitors' devices and steal a wealth of private data over at least two years, Google Threat Analysis Group (TAG) engineer Ian Beer wrote. These vulnerabilities are not new. What is new is the discovery of their active exploitation in the wild.
-
Google Announces General Availability of Cloud Security Scanner for GKE and Compute Engine
Recently, Google announced the general availability of Cloud Security Scanner for Google Kubernetes Engine and Compute Engine. The service scans web apps for vulnerabilities and threats that may have been introduced during development, so teams can act before anyone can abuse them.
-
Implementing Continuous Security for Microservices and Kubernetes
Security needs to adapt to increasingly fast continuous delivery in the container/Kubernetes world, and that means security as code, argued Mateo Burillo. At RebelCon.io 2019 he presented how to implement a DevSecOps process with continuous security.
-
A Single Pane of Glass for Compliance and Security with AWS Security Hub GA
Recently, Amazon announced the general availability (GA) of AWS Security Hub, a new security service that provides customers with a central place to manage security and compliance across their AWS environment.
-
Making 'npm install' Safe
At QCon New York 2019, Kate Sills, a software engineer at Agoric, discussed some of the security challenges in building composable smart contract components with JavaScript. Two emerging TC39 JavaScript proposals, Realms and Secure ECMAScript (SES), were presented as solutions to the security risks of the npm installation process.
-
W3C and FIDO Alliance Finalized WebAuthn, Web Standard for Secure, Passwordless Logins
The World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance recently announced that the Web Authentication (WebAuthn) specification is now an official web standard. WebAuthn allows users to log in via biometrics, mobile devices and/or FIDO security keys, offering stronger security than passwords alone.
-
Google Cloud Scheduler is Now Generally Available
In a recent blog post, Google announced that customers can now securely invoke HTTP targets on a schedule using Cloud Scheduler, a fully managed cron job service that allows any application to invoke batch, big data, and cloud infrastructure operations.
-
Critical Remotely Exploitable Vulnerability Discovered in Oracle WebLogic Server
Security researchers have discovered a new remotely exploitable vulnerability in Oracle WebLogic Server (WLS). CVE-2019-2725 is exploitable remotely without user authentication and has an overall CVSS score of 9.3 out of 10, making it a critical vulnerability. Oracle released a security alert noting that the affected server versions include 10.3.6.0 and 12.1.3.0.
-
DockerHub Breach Exposes Usernames, Hashed Passwords, and GitHub Tokens of 5% of Hub Users
Docker disclosed that one of its Hub databases was hacked and that a subset of non-financial data, including usernames, hashed passwords, and GitHub and Bitbucket tokens, was stolen.
-
Security Landscape of the Docker Ecosystem and Best Practices
As part of its annual State of Open Source Security Report, security firm Snyk issued a specific report focusing on Docker security that shows vulnerabilities in container images are widespread. InfoQ has spoken with Liran Tal, Snyk developer advocate.
-
Google's New Cloud Security Services for Better Threat Detection and Protection in Enterprises
Google announced three new services for better threat detection and protection in enterprises: Web Risk API, Cloud Armor, and Cloud HSM. All these security services will offer Google Cloud Platform (GCP) customers advanced security functionalities.
-
Experimental Trusted Types API to Combat Cross-Site Scripting Vulnerabilities
The Google Chrome team has announced an experimental Trusted Types API to help combat DOM-based Cross-Site Scripting (XSS) vulnerabilities. Google's Vulnerability Reward Program reports that DOM XSS is the most common XSS variant.