InfoQ Homepage Security Content on InfoQ
-
Cloudflare Introduces Support for ASPA, an Emerging Internet Routing Security Standard
Cloudflare recently announced support for ASPA (Autonomous System Provider Authorization). The new cryptographic standard helps make Internet routing safer by verifying the path data takes across networks to reach its destination and preventing traffic from traversing unreliable or untrusted networks.
-
AI-Powered Bot Compromises GitHub Actions Workflows across Microsoft, DataDog, and CNCF Projects
AI-powered bot hackerbot-claw exploited GitHub Actions workflows across Microsoft, DataDog, and CNCF projects over 7 days using 5 attack techniques. Bot achieved RCE in 5 of 7 targets, stole GitHub token from awesome-go (140k stars), and fully compromised Aqua Security's Trivy. Campaign included first documented AI-on-AI attack where bot attempted prompt injection against Claude Code.
-
Standardizing Post-Quantum IPsec: Cloudflare Adopts Hybrid ML-KEM to Replace Ciphersuite Bloat
Cloudflare has extended hybrid post-quantum encryption to IPsec and WAN traffic, standardizing its SASE stack ahead of the NIST 2030 deadline. By adopting a streamlined ML-KEM key exchange, the move addresses long-standing "ciphersuite bloat" in quantum-resistant IPsec. The update aims to neutralize "harvest now, decrypt later" threats without requiring specialized hardware upgrades.
-
Agoda’s API Agent Converts Any API to MCP with Zero Code and Deployments
Agoda engineers developed API Agent, enabling a single MCP server to access any internal REST or GraphQL API with zero code and zero deployments. The system reduces overhead from multiple APIs, supports AI-assisted queries, and uses in-memory SQL post-processing for safe, scalable data handling across internal services.
-
WhatsApp Deploys Rust-Based Media Parser to Block Malware on 3 Billion Devices
WhatsApp has rewritten its media handling library in Rust, replacing 160,000 lines of C++ with 90,000 lines of memory-safe code for 3 billion devices. The rollout, part of a system called Kaleidoscope, uses differential fuzzing to ensure bug-for-bug compatibility. The move mirrors a decade-long industry shift toward memory safety, tracing back to Mozilla's first Rust MP4 parser deployment in 2016.
-
BellSoft Survey Finds Container Security Practices Are Undermining Developers’ Own Goals
Container security incidents are becoming a routine reality for software teams, and the tools meant to protect them may be making the problem worse.
-
LinkedIn Leverages GitHub Actions, CodeQL, and Semgrep for Code Scanning
LinkedIn has rebuilt its static application security testing (SAST) pipeline using GitHub Actions and custom workflows, enabling consistent, enforceable code scanning across thousands of repositories. The redesign improves security coverage, developer workflow, and observability while supporting the company’s shift-left strategy.
-
Cedar Joins CNCF as a Sandbox Project
Cedar, an open-source policy language architected by AWS, has joined the CNCF as a Sandbox project. Designed for fine-grained application permissions, it decouples access control from code using a verifiable, high-performance policy engine. Cedar supports RBAC, ABAC, and ReBAC, offering a secure, analyzable alternative to general-purpose tools like OPA.
-
Microsoft Releases Azure Functions Support for Model Context Protocol Servers
Microsoft has launched its Model Context Protocol (MCP) for Azure Functions, ensuring secure, standardized workflows for AI agents. With built-in OBO authentication and streamable HTTP transport, it addresses key security concerns. Now supporting multiple languages and self-hosting, MCP empowers developers to deploy with ease while safeguarding sensitive data.
-
What Testers Can Do to Ensure Software Security
A secure software development life cycle means baking security into plan, design, build, test, and maintenance, rather than sprinkling it on at the end, Sara Martinez said in her talk Ensuring Software Security. Testers aren’t bug finders but early defenders, building security and quality in from the first sprint. Culture first, automation second, continuous testing and monitoring all the way.
-
AWS Expands Well‑Architected Guidance with Data Residency and Hybrid Cloud Lens
Earlier this year, AWS launched the Well-Architected Data Residency with Hybrid Cloud Services Lens, providing guidance for hybrid cloud workloads. The lens covers data classification, operational practices, automation, and compliance, helping organizations manage data location while optimizing security, cost, and resilience.
-
Magika 1.0: Smarter, Faster File Detection with Rust and AI
Google has just released version 1.0 of Magika, a substantial rewrite of its open-source file type detection system. The new version leverages AI to support a broader range of file types and is built in Rust for maximum speed and security.
-
Five AI Security Myths Debunked at InfoQ Dev Summit Munich
Katharine Jarmul challenged five common AI security and privacy myths in her InfoQ Dev Summit Munich 2025 keynote: that guardrails will protect us, better model performance improves security, risk taxonomies solve problems, one-time red teaming suffices, and the next model version will fix current issues. She said that current approaches to AI safety rely too heavily on technical solutions.
-
JFrog Unveils “Shadow AI Detection” to Tackle Hidden AI Risks in Enterprise Software Supply Chains
JFrog today expanded its Software Supply Chain Platform with a new feature called Shadow AI Detection, designed to give enterprises visibility and control over the often-unmanaged AI models and API calls creeping into their development pipelines.
-
GitHub Rolls out Post-Quantum SSH Security to Protect Code from Future Threats
GitHub has deployed a hybrid post-quantum key-exchange algorithm for SSH access, strengthening protection against future quantum decryption threats. The rollout, now live across most regions, pairs classical and quantum-resistant methods to counter “store now, decrypt later” attacks and marks a major step toward quantum-safe software development.