Security Content on InfoQ
-
W3C and FIDO Alliance Finalized WebAuthn, Web Standard for Secure, Passwordless Logins
The World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance recently announced that the Web Authentication (WebAuthn) specification is now an official web standard. WebAuthn allows users to log in via biometrics, mobile devices and/or FIDO security keys, with higher security than passwords alone.
-
Google Cloud Scheduler is Now Generally Available
In a recent blog, Google announced that customers can now securely invoke HTTP targets on a schedule using Cloud Scheduler – a fully managed cron job service that allows any application to invoke batch, big data, and cloud infrastructure operations.
-
Critical Remotely Exploitable Vulnerability Discovered in Oracle WebLogic Server
Security researchers have discovered a new remotely exploitable vulnerability in Oracle WebLogic Server (WLS). CVE-2019-2725 is exploitable remotely without user authentication and has an overall CVSS score of 9.3 out of 10, making it a critical vulnerability. Oracle released a security alert noting that the affected server versions include 10.3.6.0 and 12.1.3.0.
-
DockerHub Breach Exposes Usernames, Hashed Passwords, and GitHub Tokens of 5% of Hub Users
Docker disclosed one of their Hub databases was hacked and a subset of non-financial data, including usernames, hashed passwords, and GitHub and BitBucket tokens, was stolen.
-
Security Landscape of the Docker Ecosystem and Best Practices
As part of its annual State of Open Source Security Report, security firm Snyk issued a specific report focusing on Docker security that shows vulnerabilities in container images are widespread. InfoQ has spoken with Liran Tal, Snyk developer advocate.
-
Google's New Cloud Security Services for Better Threat Detection and Protection in Enterprises
Google announced three new services for better threat detection and protection in enterprises: Web Risk API, Cloud Armor, and Cloud HSM. All these security services will offer Google Cloud Platform (GCP) customers advanced security functionalities.
-
Experimental Trusted Types API to Combat Cross-Site Scripting Vulnerabilities
The Google Chrome team has announced an experimental Trusted Types API to help combat DOM-based Cross-Site Scripting (XSS) vulnerabilities. Google's Vulnerability Reward Program reports that DOM XSS is the most common XSS variant.
-
Design and Security in Agile: QCon London Q&A
Reviews of design diagrams by domain experts can detect potential security breaches not found by vulnerability scans or security automation. Such reviews should focus on critical functions like issuing and managing access tokens, transferring data to external services, and running untrusted code, said Kevin Gilpin, enterprise software engineer and co-founder of AppLand, at QCon London 2019.
-
Microsoft Announces New Capabilities in Azure Firewall: Threat Intelligence and Service Tags Filters
Microsoft recently announced two new capabilities for Azure Firewall, a cloud-native firewall-as-a-service offering, enabling customers to centrally govern all their traffic flows using a DevOps approach. The firewall service supports both application-level (such as *.github.com) and network-level filtering rules.
-
Google Researchers Say Spectre Will Haunt Us for Years
According to a paper by several Google researchers, speculative vulnerabilities currently defeat all programming-language-level means of enforcing information confidentiality. This would not be just an incidental property of how we build our systems, but rather the result of wrong mental models that led us to trade security for performance without knowing it.
-
Mitigating Software Vulnerabilities at Microsoft over the Last 20+ Years
At BlueHat IL 2019, Microsoft engineer Matt Miller described how the software vulnerability landscape has evolved over the last 20+ years and the approach Microsoft has been taking to mitigate threats. Interestingly, among the major culprits of security bugs, says Miller, are memory safety issues, which account for 70% of total security bugs Microsoft has patched.
-
RunC Bug Enables Malicious Containers to Gain Root Access on Hosts
Security researchers have discovered a critical bug in runC, a lightweight CLI tool for spawning containers according to the OCI specification, which allows an attacker to escape the container and gain administrative privileges on the host.
-
A Conversation about ZipSlip, NodeJS Security, and BBS Hacking
Earlier this year, the popular Bower package manager was found vulnerable to an archive extraction flaw (ZipSlip), allowing attackers to write arbitrary files to a user's disk. As it turns out, the attack vector used by this exploit has been known since the early days of BBS. InfoQ took the chance to speak with Liran Tal to learn more about software security, and NodeJS security in particular.
-
Protecting Artificial Intelligence from Itself
Applications using artificial intelligence can be fooled by adversarial examples, creating confusion in the model decisions. Input sanitization can help by filtering out improbable inputs before they are given to the model, argued Katharine Jarmul at Goto Berlin 2018. We need to start thinking of the models and the training data we put into them as potential security breaches, she said.
-
HashiCorp Vault 1.0 Open Sources Auto-Unseal, Adds Batch Tokens
HashiCorp has released version 1.0 of Vault, its secrets management tool. This release open-sources the auto-unseal feature, which is needed to bring a Vault server back into service after a failure or a restart. It also introduces a new token type, batch tokens, for ephemeral workloads, and the Kubernetes auth method now supports service account tokens injected into a pod.