Security Content on InfoQ
-
Manifest Confusion Paves the Way to New npm Supply Chain Threats
A recent report by former npm engineering manager Darcy Clarke found that the npm registry does not validate manifest information against the contents of its corresponding package tarball. This creates a double source of truth that attackers can exploit to hide scripts or dependencies, says Clarke.
-
AWS AppFabric Launched with Goal to Make SaaS Apps and Security Tooling Integration Easier
Recently AWS announced the general availability (GA) of AWS AppFabric. This no-code service enhances companies’ existing investment in software-as-a-service (SaaS) applications with improved security, management, and productivity.
-
Google Announces General Availability of New Features for Cloud Firewall
Google announced an expansion of the Google Cloud Firewall offering. Cloud Firewall is GCP's cloud-native, distributed firewall service. The features now in general availability are threat intelligence for Cloud Firewall, geo-location objects, address groups, and local IP ranges.
-
Google Open Sources Bazel Plugin to Automate Secure Distroless Image Creation
Google and Bazel consulting firm Aspect announced version 1.0 of the Bazel plugin rules_oci. Aimed at simplifying secure container image creation with Bazel, with a special emphasis on Distroless images, the new plugin obsoletes rules_docker and improves on it in a number of ways.
-
AWS Announces the General Availability of Private Access to the Management Console
AWS recently announced the general availability (GA) of private access to the AWS management console. Private access is a new security feature that allows customers to limit access to the AWS Management Console from their Virtual Private Cloud (VPC) or connected networks to a set of trusted AWS accounts and organizations.
-
Google is Rolling out Passkeys to Make Passwords a Relic of the Past
Google has begun rolling out support for passkeys across Google Accounts on all major platforms. Passkeys will be available as an additional authentication option alongside pre-existing mechanisms, including passwords, 2-step verification, and so on.
-
Google Announces Machine Learning Powered API Abuse Detection
Google recently announced an API abuse detection dashboard powered by machine learning algorithms.
-
Node.js 20 Released, Features Experimental Permission Model for Improved Security
The Node.js team recently released Node v20 (Current release). Node v20 will be ready for full production deployments after entering the long-term support (LTS) stage in October. Key features include an experimental permission model for improved security and building Node applications into standalone executables.
-
Docker 4.18 Extends Scout, Adds Container File Explorer, Docker Init, and More
Docker Desktop's latest 4.18 release brings a wealth of new features, including vulnerability quickview, recommendations, and image diffing for Docker Scout, a stable Container File Explorer, an init command to quickly add Docker to a project, and experimental Compose File Watch to monitor changes inside a project.
-
Computer Networks: Myths, Missteps, and Mysteries - Radia Perlman at QCon London
Radia Perlman, EMC Fellow and one of the pioneers of early network design, presented a keynote at QCon London that explored how networking protocols and technologies have evolved to become today’s Internet. In her talk, she responded to some of the common questions (e.g. Why do we need both Ethernet and IP?) and explored how things might have looked if they were designed today.
-
GitHub Adds SBOM Export to Make it Easier to Comply with Security Requirements
GitHub has announced a new SBOM export feature meant to be used as part of security compliance workflows and tools. The new feature allows you to easily export an NTIA-compliant SBOM, says GitHub.
-
Celebrity Vulnerabilities: Effective Response to Critical Production Threats
Alyssa Miller, chief information security officer of EpiqGlobal, presented at QCon London on the lessons learned from three major open-source security events: the Equifax breach via Struts, the Log4j vulnerabilities, and the Spring4Shell exploit.
-
Google Distributed Cloud Hosted Now Generally Available
Google recently announced the general availability of Google Distributed Cloud (GDC) Hosted, an offering for customers with the most stringent requirements, including classified, restricted, and top-secret data. It complements Google Distributed Cloud Edge and Google Distributed Cloud Virtual, which became generally available in 2022.
-
Cross-Industry Report Identifies Top 10 Open-Source Software Risks
Promoted by Endor Labs and featuring contributions from over 20 industry experts, the new Endor Labs Station 9 report identifies the top operational and security risks in open-source software.
-
Developing Software to Manage Distributed Energy Systems at Scale
Functional programming techniques can make software more composable, reliable, and testable. For systems at scale, trade-offs in edge vs. cloud computing can impact speed and security.