Application Security Content on InfoQ
-
Dealing with Java CVEs: Discovery, Detection, Analysis, and Resolution
This article delves into the importance of integrating Software Composition Analysis (SCA) in CI/CD pipelines for security. It highlights the need for human oversight to accurately assess vulnerability impact and cautions against "alert fatigue." The article also recommends specialized tools for effective vulnerability management.
-
When DevOps Meets Security to Protect Software
Security can no longer be an afterthought in the software development process. Collaboration between security and development needs to happen early to be effective.
-
Accelerating the Secure Software Delivery Lifecycle with GitOps
Building secure software can be complicated and time-consuming. By employing a GitOps model, security can be safely separated from development, simplifying the delivery process and increasing velocity.
-
Data Protection Methods for Federal Organizations and beyond
The Federal Data Strategy describes a plan to “accelerate the use of data to deliver on mission, serve the public, and steward resources while protecting security, privacy, and confidentiality.” This article covers what it is and how it can be applied to any organization.
-
API Security: from Defense-in-Depth (DiD) to Zero Trust
Nearly all companies have experienced security incidents, but few have an API security policy that includes dedicated API testing and protection. A defense-in-depth approach that includes boundary defense, observability, and authentication is recommended.
-
Who Moved My Code? An Anatomy of Code Obfuscation
In this article, we introduce the topic of code obfuscation, with emphasis on string obfuscation. Obfuscation is an important practice for protecting source code by making it unintelligible. Obfuscation is often mistaken for encryption, but they are different concepts. In the article we present a number of techniques and approaches used to obfuscate data in a program.
-
Successfully Integrating Dynamic Security Testing into Your CI/CD Pipeline
Dynamic security testing tools don’t require advanced cybersecurity knowledge to operate. Integrating DAST into your CI/CD pipeline should be done in stages by focusing on the riskiest areas first.
-
What Developers Must Know about Zero Trust
Zero trust solves the problem of open network access by allowing access only to the resources a user should be allowed to access. This article covers how to start working with zero trust principles and ideas.
-
Managing Kubernetes Secrets with the External Secrets Operator
Kubernetes doesn’t yet have the capabilities to manage the lifecycle of secrets, so sometimes we need external systems to manage this sensitive information. Once the amount of secret information we need to manage increases, we may need additional tools to simplify and better manage the process. In this article, we’ll take a detailed look at one of these tools, the External Secrets Operator.
-
The Parity Problem: Ensuring Mobile Apps are Secure across Platforms
The problem of security parity is a big one, but it’s part of a larger problem: a general lack of security in mobile apps. By embracing automation for security implementation to the same or greater degree than it has been adopted for feature development, developers can ensure that every app they release for every platform will be protected from hackers, fraudsters, and cybercriminals.
-
The Role of DevOps in Cloud Security Management
Different areas of cloud security must be examined to strengthen security in the cloud versus security of the cloud. This includes identifying requirements, defining the architecture, analyzing controls, and identifying gaps. Security must be both proactive and reactive, so it needs to be considered in every step of development.
-
Strategies for Assessing and Prioritizing Security Risks Such as Log4j
The evolving threat landscape requires a comprehensive approach to mitigation. An effective strategy is built on visibility, assessing vulnerabilities in context, effective use of filtering technologies, and monitoring for evidence of intrusion.