Security Content on InfoQ
-
Zip Slip Directory Traversal Vulnerability Impacts Multiple Java Projects
Security monitoring company Snyk has disclosed Zip Slip, an arbitrary file overwrite vulnerability exploited using a specially crafted ZIP archive that holds path traversal filenames. The vulnerability affects thousands of projects including AWS CodePipeline, Spring Integration, LinkedIn's Pinot, Apache/Twitter Heron, Alibaba JStorm, Jenkins, Gradle, and Google Cloud Platform.
-
Package Containing Malicious Backdoor Makes its Way into NPM
The NPM security team removed a package masquerading as a cookie parser that actually contained a malicious backdoor, along with three other packages depending on it. The backdoor allowed attackers to inject arbitrary code into a running server and execute it.
-
Twitter Passwords May Be Compromised, Could Be One of the Largest Data Breaches in History
On May 3 Twitter announced that they had uncovered and fixed a bug that had resulted in users' passwords being stored in plaintext. No information has been released on how many users were affected, and all users are being recommended to change their passwords. If all users were in fact compromised, this would be one of the largest known data breaches in history.
-
Securing IoT Devices with Microsoft's Azure Sphere
To improve security of IoT devices, Microsoft announced Azure Sphere, an end-to-end solution for Internet-connected microcontrollers (MCUs). Azure Sphere has a three-layer architecture based on hybrid microcontrollers running a new IoT-optimized Linux kernel and leveraging a cloud-based security service. The first Azure Sphere chip, the MT3620, is developed by MediaTek Inc.
-
Google’s New Cloud Security Tools Increase DDOS Protection, Transparency and Usability
Recently, Google introduced several new cloud-focused security enhancements for the Google Cloud Platform (GCP). These enhancements include new services like Cloud Security Command Center (Cloud SCC), Google Cloud Armor, VPC Service Controls, and a few new features for G Suite administrators. Furthermore, these enhancements are a part of Google’s investment in their cloud platform.
-
Q&A with Marisa Fagan on Security Championship
Security lead Marisa Fagan recently spoke at QConLondon 2018 about upskilling and elevating engineering team members into the role of Security Champions. We catch up with Fagan and report on her efforts to address contention caused by a scarcity of security professionals.
-
Intel Found That Spectre and Meltdown Fix Has a Performance Hit of 0-21%
Microsoft, Red Hat and Intel have published their performance evaluation of the impact Meltdown and Spectre mitigation has on various systems.
-
Redpoint Games Launch NPM Package Signing Tool
Redpoint has launched pkgsign, a package signing and verification tool for NPM. It aims to improve security by helping ensure the authenticity of packages which are uploaded and downloaded from the NPM registry.
-
Apple Releases New Security Updates to Protect Safari against the Spectre Attack
Apple has released a trio of security updates aimed at protecting Safari and WebKit against the Spectre attack.
-
A Deeper Dive into Spectre and Meltdown
A deeper look at Spectre/Meltdown characteristics and potential attacks, why it's necessary to patch cloud VMs even though the cloud service providers have already applied patches, the nature of the performance impact and how it's affecting real-world applications, the need for threat modelling, the role of antivirus, how hardware is affected, and what's likely to change in the long term.
-
Meltdown and Spectre: What They Are and How to Deal with Them
This article discusses the latest CPU vulnerabilities – Meltdown and Spectre – and the current solutions to fix them.
-
The Hottest Tech Trends in 2018 According to GitHub
Data, workflow integration, and open source tools are among the trends that Jason Warner, GitHub senior vice-president of technology, identifies as key for company success in 2018.
-
Amazon GuardDuty: A Zero-Footprint Managed Threat Detection Service for AWS Accounts and Resources
At the AWS re:Invent conference, the release of Amazon GuardDuty was announced: a managed threat detection service that continuously monitors for malicious or unauthorised behaviour. The service can be centrally managed, is "zero footprint", and remediation scripts or AWS Lambda functions can be configured to trigger automatically based on GuardDuty findings.
-
Kubernetes 1.8 Improves Security, Stability and Workloads
The Kubernetes team has released version 1.8, which focuses on improved security and better stability, and has moved the Workloads API to beta. New mature features include role-based access control (RBAC), support for volume mount options, a control over whether containers may gain additional privileges (the allowPrivilegeEscalation setting), and support for high-level volume operation metrics.
-
GitHub Launches Security Alerts
GitHub has launched a new security alerts feature which will scan a project's dependencies for known vulnerabilities. Once found, users will be automatically alerted and presented with more information about the vulnerability, including its severity level and resolution steps.