BT

Running Docker Containers Securely in Production

by Hrishikesh Barua on  Dec 17, 2016

Hardening Docker containers in production involves a combination of techniques including making them immutable, minimizing the attack surface and applying both standard Linux hardening procedures as well as ones that are specific to a container environment.

Google Pushing for HTTPS

by Manuel Pais on  Dec 11, 2016

Google wants to push for HTTPS everywhere with a combination of deprecating existing Chrome features in non-secure sites, as well as new features only supported in HTTPS.

Authentication Strategies in Microservices Systems

by Jan Stenberg on  Dec 08, 2016 1

Software security is a complex problem, and is becoming even more complex using Microservices where each service has to deal with security, David Borsos explained at the recent Microservices Conference in London, during his presentation evaluating four end-user authentication options within a microservice based systems.

Amazon Announces AWS Shield for DDoS Protection

by Kent Weare on  Dec 03, 2016

At the recent re:Invent 2016 event, Amazon announced a new service called AWS Shield, which provides customers with protection from Distributed Denial of Service (DDoS) attacks. This announcement comes just over a month after Amazon was impacted by a DDoS attack on a DNS provider that Amazon used, Dynamic Network Services (Dyn).

Lawyer.com: Early Adopter of HTTP/2, Speaks to InfoQ

by Michael Redlich on  Nov 30, 2016

Lawyer.com recently announced that they are adopting the HTTP/2 protocol. Gerald Gorman, tech entrepreneur, CEO, and co-founder of Lawyer.com, spoke to InfoQ about their technology implementation, their position on microservices and lightweight containers, their unique search engine, and their use of social media.

Google, Microsoft, and Mozilla Urge Site Operators to Replace SHA–1 Certificates

by Sergio De Simone on  Nov 20, 2016 1

Following their SHA–1 deprecation plans announced last year, Google, Microsoft, and Mozilla detailed recently their timelines to remove support for SHA–1 certificates from their flagship browsers. Researchers at security firm Venafi found however, that 35% of analyzed websites are still using SHA–1 certificates.

Microservices and Security

by Jan Stenberg on  Nov 15, 2016

When it comes to application security, we often include it as an afterthought. We have learnt how to add test into the development workflows, but with security we often assume someone else will come and fix it later on, Sam Newman claimed in his keynote at this year’s Microservices Conference in London.

Major Windows Vulnerability Disclosed by Google before Patch Available

by Sergio De Simone on  Nov 02, 2016

A major, currently exploited vulnerability in the Microsoft Windows kernel has recently been disclosed by Google’s Threat Analysis Group, before Microsoft made public a patch or any mitigation advice. Microsoft has stated a fully tested patch will be available in a week.

All Android Versions May Be Affected by Dirty COW Linux Vulnerability

by Sergio De Simone on  Oct 26, 2016

Recently disclosed Dirty COW Linux privilege escalation vulnerability is likely to affect all Android versions, say security researchers.

Angular 1.X Usage Banned in Firefox Extensions

by David Iffland on  Oct 24, 2016

A developer found out the hard way that they had built their Firefox browser extension on banned technology. Angular 1.X has been banned for use in Firefox extensions as long as a security vulnerability exists in the way Angular interacts with the extension and the displayed web page.

Box Introduces Four New Security and Governance APIs

by Margot Krouwer on  Oct 02, 2016

The content management company Box recently announced the arrival of four security and governance APIs. These APIs are aimed at helping companies handle legal, security, and compliance needs better.

Ethereum Security Alert Issued, Ethereum Foundation Responds with “From Shanghai, With Love”

by Kent Weare on  Sep 19, 2016

On September 18th, hours before the Ethereum Foundation devcon 2 conference was about to start, a DOS security alert was posted on the Ethereum blog. The alert was related to a vulnerability discovered on the Ethereum blockchain, in block 2283416, and was considered to have a high likelihood and severity.

Stormpath's Java SDK 1.0 Released

by Matt Raible on  Aug 31, 2016

This week Stormpath released version 1.0 of their user management and authentication Java SDK. Stormpath generally provides APIs for implementing authentication, authorization and user management in web and mobile applications, including open source implementations, targeting a range of languages and frameworks.

Mozilla's Observatory Website Security Analysis Tool Available

by David Iffland on  Aug 31, 2016

Mozilla has launched their website security analysis tool. Dubbed Observatory, the tool helps to spread information on best security practices to developers and sys admins in need of guidance.

Docker and High Security Microservices: A Summary of Aaron Grattafiori's DockerCon 2016 Talk

by Daniel Bryant on  Aug 14, 2016

At DockerCon 2016, held in Seattle, USA, Aaron Grattafiori presented “The Golden Ticket: Docker and High Security Microservices”. Core recommendations for running secure container-based microservices included enabling User Namespaces, configuring application-specific AppArmor or SELinux and seccomp whitelist, hardening the host system, restricting host access and considering network security.

BT