-
Cloudbleed - Cloudflare Proxies Memory Leak
A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered by Google Project Zero vulnerability researcher Tavis Ormandy.
-
NIST Guidelines Require Second Auth Factor When Using Biometrics
NIST has released a public draft of new Digital Identity Guidelines, described as “a significant update from past revisions.” The guidelines describe acceptable use of multi-factor authentication (MFA). Furthermore, when using biometric data as one authentication factor, it must be combined with something you have, and not something you know, such as a password.
-
Apache Eagle, Originally from eBay, Graduates to Top-Level Project
Apache Eagle, an open-source solution for identifying security and performance issues on big data platforms, graduated to an Apache top-level project on January 10, 2017. First open-sourced by eBay in October 2015, Eagle was created to instantly detect access to sensitive data or malicious activities and to take action in a timely fashion.
-
Neo4j 3.1 Supports Causal Clustering and Security Enhancements
The latest version of the graph NoSQL database Neo4j introduces causal clustering and a new security architecture. The Neo4j team recently released version 3.1 of the graph database. Other new features include database kernel improvements and a Schema Viewer.
-
Google Pushing for HTTPS
Google wants to push for HTTPS everywhere with a combination of deprecating existing Chrome features on non-secure sites and introducing new features that are only supported over HTTPS.
-
Major Windows Vulnerability Disclosed by Google before Patch Available
A major, currently exploited vulnerability in the Microsoft Windows kernel has recently been disclosed by Google’s Threat Analysis Group, before Microsoft made public a patch or any mitigation advice. Microsoft has stated a fully tested patch will be available in a week.
-
All Android Versions May Be Affected by Dirty COW Linux Vulnerability
The recently disclosed Dirty COW Linux privilege escalation vulnerability is likely to affect all Android versions, say security researchers.
-
Box Introduces Four New Security and Governance APIs
The content management company Box recently announced the arrival of four security and governance APIs. These APIs are aimed at helping companies handle legal, security, and compliance needs better.
-
Ethereum Security Alert Issued, Ethereum Foundation Responds with “From Shanghai, With Love”
On September 18th, hours before the Ethereum Foundation's devcon 2 conference was about to start, a DoS security alert was posted on the Ethereum blog. The alert was related to a vulnerability discovered on the Ethereum blockchain, in block 2283416, and was considered to have a high likelihood and severity.
-
Stormpath's Java SDK 1.0 Released
This week Stormpath released version 1.0 of their user management and authentication Java SDK. Stormpath generally provides APIs for implementing authentication, authorization and user management in web and mobile applications, including open source implementations, targeting a range of languages and frameworks.
-
Mozilla's Observatory Website Security Analysis Tool Available
Mozilla has launched their website security analysis tool. Dubbed Observatory, the tool helps to spread information on best security practices to developers and sys admins in need of guidance.
-
Docker and High Security Microservices: A Summary of Aaron Grattafiori's DockerCon 2016 Talk
At DockerCon 2016, held in Seattle, USA, Aaron Grattafiori presented “The Golden Ticket: Docker and High Security Microservices”. Core recommendations for running secure container-based microservices included enabling user namespaces, configuring application-specific AppArmor or SELinux profiles and seccomp whitelists, hardening the host system, restricting host access and considering network security.
-
Modern iOS Application Security
At QCon New York 2016, Trail of Bits CEO and security expert Dan Guido explained how to keep iOS apps secure. This includes correctly using all iOS security provisions, without forgetting that your app might be running on a jailbroken phone.
-
DevOps Survival in the Highly Regulated Financial Industry
Robert Scherrer, head of application engineering at SIX, explains how the company leveraged DevOps principles and benefits in the highly regulated Swiss financial industry. The main takeaways are engaging with compliance auditors to collaboratively agree on solutions early, before it becomes too costly to change, and avoiding legacy internal directives that are not actually required by external regulations.
-
Microsoft Launches Azure Information Protection for Documents
Microsoft launched Azure Information Protection (AIP) in early June 2016. The service aims to enable easy classification of documents both for security and taxonomy.