InfoQ Homepage Security Content on InfoQ
-
Mixing Agile with Waterfall for Code Quality
The 2014 CAST Research on Application Software Health (CRASH) report states that enterprise software built using a mixture of agile and waterfall methods will result in more robust and secure applications than those built using either agile or waterfall methods alone. InfoQ interviewed Bill Curtis about structural quality factors, and mixing agile and waterfall methods.
-
Using Logs to Detect User-Based Threats
A common theme at the Splunk user conference is the idea that the users are the greatest threat. Even in a well-regulated enterprise where no one has more privileges than what’s needed to do their job, a typical user has more than enough ability to steal massive amounts of data or cause widespread problems. Fortscale seeks to address this issue by using the data that you are already collecting.
-
Proactively Monitor Configuration Changes with Tripwire
Most companies still manually track configuration changes using a wiki or spreadsheet. Only the most basic information such as IP addresses are included, as recording everything is just too tedious. Even knowing basic information such as who made the change is difficult and time consuming. Tripwire seeks to eliminate this problem by proactively monitoring configuration changes.
-
Discover What Malware is Really Doing with FireEye
Traditional signature based anti-virus/malware software is suitable for home users, but not for corporations. As seen repeatedly in the news, targeted attacks against specific companies are becoming more and more common. To combat this threat, advanced threat detection techniques are needed.
-
CloudFlare Universal SSL - Free Web Security for All
CloudFlare have made SSL available to all free subscribers to its content delivery network (CDN) with Universal SSL. The move addresses both cost and complexity issues that have previously confronted web site and application owners wanting to deploy SSL. CloudFlare takes care of issuing a certificate at no cost to the end user, and enabling SSL becomes a selection from a dropdown menu.
-
Remote Code Exploitation through Bash
A remote exploit (CVE-2014-6271) has been in bash discovered that potentially affects any application that uses environment variables to pass data from unsanitised content, such as CGI scripts. After the release went public, other exploits were discovered (CVE-2014-7169). Official patches have been released to fix them. (Originally posted 24 September, updated 25, 26 and 29 September)
-
ShellShocked - Behind the Bug
The recent vulnerabilities in the Bash shell initially stemmed from a remote execution exploit, which was patched and made available through responsible disclosure before being announced. However, since the initial release there have been other flaws detected which became zero day threats. What exactly was the problem with Shellshock, and is it truly fixed? InfoQ explains what happened.
-
Refreshed AWS Trusted Advisor Offers Several Free Checks
Amazon Web Services (AWS) has recently integrated the AWS Trusted Advisor into the AWS Management Console and made four security and service limit checks available at no charge. Additional checks from the security, performance, fault tolerance and cost optimization categories remain part of their Business and Enterprise support tiers.
-
Data Encryption in Apache Hadoop with Project Rhino - Q&A with Steven Ross
Cloudera recently released an update over Project Rhino and data at-rest encryption in Apache Hadoop. Project Rhino is an effort of Cloudera, Intel and Hadoop community to bring a comprehensive security framework for data protection. InfoQ recently talked to Steven Ross from Cloudera team to learn more about the project.
-
ASP.NET Two-Factor Authentication, Web And Mobile Tooling Improvements
Visual Studio Update 3 was released last week and includes some framework and tooling improvements relevant to web and mobile developers. We go through some of these, including the ASP.NET identity update supporting two-factor authentication, new Visual Studio-Azure integrations as well as several updates to the Apache Cordova Tooling preview.
-
AWS Expands Credential Lifecycle Management and Monitoring
AWS Identity and Access Management (IAM) recently expanded available password policy rules to enable self-service password rotation. A new credential report provides visibility into the AWS credentials security status. AWS also added logging of AWS Management Console sign-in events to AWS CloudTrail.
-
Cloudera Acquires Big Data Encryption Startup Gazzang
Hadoop distributor Cloudera pursued its strategy of securing the Hadoop ecosystem by acquiring last month the big data encryption and key management startup Gazzang. The deal will strengthen Cloudera's security offering and lead to the creation of a center of excellence for Hadoop security that will initially be fueled by Gazzang’s engineering team.
-
AWS CloudTrail Expands Auditing of API Calls
Amazon Web Services (AWS) has considerably increased the number of services supported by AWS CloudTrail to cover the majority of the extensive AWS service portfolio. This now includes most compute and networking and all deployment and management services, thereby providing comprehensive end to end auditing of almost any changes to customer’s infrastructure.
-
Node Security Project Aims at Making Node.js More Secure
Node Security Project has been quietly working at improving Node.js security for a few months now. The project has the goal of auditing Node.js existing module base to help "improve Node landscape and provide confidence to developers and enterprises about the state of security in Node.js land."
-
Hortonworks Acquires XA Secure to Strengthen Security in Enterprise Hadoop
Hortonworks recently acquired the data security company XA Secure to help the organization in providing comprehensive security to Hortonworks Data Platform (HDP). Security features would be available across all Hadoop workloads from batch, interactive SQL and real–time.