Security Content on InfoQ
-
Terraform Cloud Supports Ephemeral Workspaces in Public Beta
Ephemeral workspaces allow their users to set timeouts that automatically destroy unused resources, reducing infrastructure costs and the effort required for manual resource clean-up. Ephemeral workspaces are now available in public beta on Terraform Cloud Plus.
-
OpenSSF's New Manifesto Urges the Software Industry to Take Responsibility for Open Source Security
The Open Source Consumption Manifesto from OpenSSF aims to make the software industry more aware of its responsibility when it comes to ensuring the software supply chain remains secure and healthy.
-
A Ruthless Approach for Better Security by Identifying Key Risks and Ignoring Others
Risk management techniques can be used to decide which security and privacy aspects are important. You can simplify the risk impact calculations by classifying losses as low, medium, high or critical, and by taking likelihood figures from the industry for the likelihood calculations. This helps you to identify a few key risks and ruthlessly ignore the rest.
-
Enhancing Security with Google Cloud's Service Account Key Expiry Feature
Google Cloud has recently introduced service account key expiry to address security challenges associated with long-lived service account keys. With this capability, the company states that "customers can now configure an Organization Policy at the organization, folder, and project level to limit the usable duration of new service account keys".
-
Building Cyber-Physical Systems with Agile: Learnings from QCon New York
In her QCon New York 2023 talk "Success Patterns for Building Cyber-Physical Systems with Agile", Robin Yeman explored how we can use agile practices at scale for large initiatives with multiple teams, building cyber-physical safety-critical systems with a scope that includes software, firmware, and hardware development.
-
Implementing Application Level Encryption at Scale: Insights from Atlassian’s Use of AWS and Cryptor
Atlassian recently published how it performs Application Level Encryption at scale on AWS while maintaining high cache hit rates and low costs. Atlassian's solution runs over 12,500 instances and manages over 1,540 KMS keys. It performs over 11 billion decryptions and 811 million encryptions daily, costing $2,500 per month versus a potential $1,000,000 per month using a naive solution.
-
Manifest Confusion Paves the Way to New npm Supply Chain Threats
A recent report by former npm engineering manager Darcy Clarke found that the npm registry does not validate manifest information against the contents of its corresponding package tarball. This creates a double source of truth that attackers can exploit to hide scripts or dependencies, says Clarke.
-
AWS AppFabric Launched with Goal to Make SaaS Apps and Security Tooling Integration Easier
Recently AWS announced the general availability (GA) of AWS AppFabric. This no-code service enhances companies’ existing investment in software-as-a-service (SaaS) applications with improved security, management, and productivity.
-
Google Announces General Availability of New Features for Cloud Firewall
Google announced an expanded feature set for Google Cloud Firewall, GCP's cloud-native, distributed firewall service. The features now in general availability are threat intelligence for Cloud Firewall, geo-location objects, address groups and local IP ranges.
-
Google Open Sources Bazel Plugin to Automate Secure Distroless Image Creation
Google and Bazel consulting firm Aspect announced version 1.0 of the Bazel plugin rules_oci. Aimed at simplifying secure container image creation with Bazel, with special emphasis on Distroless images, the new plugin obsoletes rules_docker and improves on it in a number of respects.
-
AWS Announces the General Availability of Private Access to the Management Console
AWS recently announced the general availability (GA) of private access to the AWS management console. Private access is a new security feature that allows customers to limit access to the AWS Management Console from their Virtual Private Cloud (VPC) or connected networks to a set of trusted AWS accounts and organizations.
-
Google is Rolling out Passkeys to Make Passwords a Relic of the Past
Google has begun rolling out support for passkeys across Google Accounts on all major platforms. Passkeys will be available as an additional authentication option alongside pre-existing mechanisms, including passwords, 2-step verification, and so on.
-
Google Announces Machine Learning Powered API Abuse Detection
Google recently announced an API abuse detection dashboard powered by machine learning algorithms.
-
Node.js 20 Released, Features Experimental Permission Model for Improved Security
The Node.js team recently released Node v20 (Current release). Node v20 will be ready for full production deployments after entering the long-term support (LTS) stage in October. Key features include an experimental permission model for improved security and building Node applications into standalone executables.
-
Docker 4.18 Extends Scout, Adds Container File Explorer, Docker Init, and More
Docker Desktop's latest 4.18 release brings a wealth of new features, including vulnerability quickview, recommendations, and image diffing for Docker Scout, a stable Container File Explorer, an init command to quickly add Docker to a project, and experimental Compose File Watch to monitor changes inside a project.