Security Content on InfoQ
-
Security Landscape of the Docker Ecosystem and Best Practices
As part of its annual State of Open Source Security Report, security firm Snyk issued a specific report focusing on Docker security that shows vulnerabilities in container images are widespread. InfoQ has spoken with Liran Tal, Snyk developer advocate.
-
Google's New Cloud Security Services for Better Threat Detection and Protection in Enterprises
Google announced three new services for better threat detection and protection in enterprises: Web Risk API, Cloud Armor, and Cloud HSM. All these security services will offer Google Cloud Platform (GCP) customers advanced security functionalities.
-
Experimental Trusted Types API to Combat Cross-Site Scripting Vulnerabilities
The Google Chrome team announces an experimental Trusted Types API to help combat DOM Cross-Site Scripting (XSS) security vulnerabilities. Google's Vulnerability Reward Program reports that DOM XSS is the most common XSS security variant.
-
Design and Security in Agile: QCon London Q&A
Reviews of design diagrams by domain experts can detect potential security breaches not found by vulnerability scans or security automation. Such reviews should focus on critical functions like issuing and managing access tokens, transferring data to external services, and running untrusted code, said Kevin Gilpin, enterprise software engineer and co-founder of AppLand, at QCon London 2019.
-
Microsoft Announces New Capabilities in Azure Firewall: Threat Intelligence and Service Tags Filters
Microsoft recently announced two new capabilities for Azure Firewall, its cloud-native firewall-as-a-service offering, enabling customers to centrally govern all their traffic flows using a DevOps approach. The firewall service supports both application-level (such as *.github.com) and network-level filtering rules.
-
Google Researchers Say Spectre Will Haunt Us for Years
According to a paper by several Google researchers, speculative vulnerabilities currently defeat all programming-language-level means of enforcing information confidentiality. This would not be just an incidental property of how we build our systems, but rather the result of wrong mental models that led us to trade security for performance without knowing it.
-
Mitigating Software Vulnerabilities at Microsoft over the Last 20+ Years
At BlueHat IL 2019, Microsoft engineer Matt Miller described how the software vulnerability landscape has evolved over the last 20+ years and the approach Microsoft has been taking to mitigate threats. Interestingly, among the major culprits of security bugs, says Miller, are memory safety issues, which account for 70% of total security bugs Microsoft has patched.
-
RunC Bug Enables Malicious Containers to Gain Root Access on Hosts
Security researchers have discovered a critical bug in runC, a lightweight CLI tool for spawning containers according to the OCI specification, which allows an attacker to escape the container and gain administrative privileges on the host.
-
A Conversation about ZipSlip, NodeJS Security, and BBS Hacking
Earlier this year, the popular Bower package manager was found vulnerable to an archive extraction flaw, allowing attackers to write arbitrary files on a user's disk. As it turns out, the attack vector used by this exploit has been known since the early days of BBS. InfoQ has taken the chance to speak with Liran Tal to learn more about software security, and NodeJS security in particular.
-
Protecting Artificial Intelligence from Itself
Applications using artificial intelligence can be fooled by adversarial examples that confuse the model's decisions. Input sanitization can help by filtering out improbable inputs before they are given to the model, argued Katharine Jarmul at Goto Berlin 2018. We need to start thinking of the models and the training data we put into them as potential security breaches, she said.
-
HashiCorp Vault 1.0 Open Sources Auto-Unseal, Adds Batch Tokens
HashiCorp has released version 1.0 of Vault, its secrets management tool. This release open-sources the auto-unseal feature, which allows a Vault server to be used again after a failure or a restart without manual unsealing. A new type of token, called a batch token, is now available for ephemeral workloads. The Kubernetes auth method now also supports service account tokens, allowing tokens to be injected into a pod.
-
Building Human Interfaces with Artificial Intelligence
AI helps us to build human interfaces based on speaking and writing, instead of using a keyboard or mouse; it allows humans to stay human. The biggest challenges are finding ways to tell systems which answers are unsatisfactory so they can learn, being transparent about what data is recorded and retained, and ensuring that diversity and inclusion are part of our training data to prevent bias in AI systems.
-
Implementing Privacy by Design in Hyperledger Indy
Centralized identity providers, such as social media sites and consumer email services, provide convenience to users, but this approach creates data privacy and security risks. Hyperledger Indy, an open source blockchain project, is being built to address the issues that exist in centralized identity providers by taking a 'Privacy by Design' approach to these risks.
-
Hyperledger Releases New Version of Burrow Featuring Improved Integration and Developer Experience
In a recent blog post, the Hyperledger open source project announced the next version of Burrow, v0.21.0. With this release, organizations can expect improved integration, key signing, Helm charts for Kubernetes, and a better developer experience.
-
Confluent Platform 5.0 Supports LDAP Authorization and MQTT Proxy for IoT Integration
Confluent Platform 5.0, the enterprise streaming platform built on Apache Kafka, supports LDAP authorization, Kafka topic inspection, and Confluent MQTT Proxy for Internet of Things (IoT) integration.