InfoQ Homepage Application Security Content on InfoQ
-
OpenJDK Proposes SecurityManager Deprecation
The OpenJDK project has proposed JEP-411 as a means of deprecating the SecurityManager. If accepted, this would be the first step in a multi-year process in which the OpenJDK Quality Outreach Campaign can guide affected projects towards alternatives before anything is removed.
-
HashiCorp Announces the General Availability of HCP Vault on AWS
Recently, HashiCorp announced the general availability of their fully-managed Vault service for AWS environments on the HashiCorp Cloud Platform (HCP). With Vault, customers can leverage a SaaS service with secret management and encryption capabilities.
-
GitLab Protocol Fuzzer CE Now Open-Source
GitLab has open-sourced the core protocol fuzz testing engine it has been using since its 13.4 release. Fuzz testing aims to more effectively find security issues and flaws in business logic by passing randomly generated inputs to an app. InfoQ has spoken with GitLab principal product manager Sam Kerr to learn more.
-
Linux Foundation Sigstore Aims to Be the Let's Encrypt of Code Signing
Backed by the Linux Foundation, Sigstore aims to provide a non-profit service to foster the adoption of cryptographic signing by open source projects to make the software supply chain more secure.
-
Google Extends Tsunami Security Scanner's Capabilities
Open-sourced last year, Google's Tsunami security scanner has received a significant update, extending its detection capabilities and adding support for Web application fingerprinting, among other things.
-
The Attacker Defender Divide
Kenna Security and Cyentia analyzed over 18,000 CVEs to determine the paths between when a vulnerability is known, exploited, patchable, and patched. The result demonstrates that attackers have the upper hand for most issues.
-
HashiCorp Announces Public Beta of HCP Vault
In a recent blog post, HashiCorp announced the public beta of HashiCorp Vault on its Cloud Platform (HCP). With Vault, customers can leverage a managed cloud service to provide them with secret management and encryption capabilities.
-
A Dozen Cisco Vulnerabilities at Once
A security researcher has identified 12 vulnerabilities that exploit Cisco Security Manager. The flaws include deserialization, remote code execution, and arbitrary file access.
-
AWS Introduces Nitro Enclaves, Isolated EC2 Environments for Confidential Computing
AWS has recently made available Nitro Enclaves, isolated EC2 environments to process confidential data. Based on a lightweight Linux OS, a Nitro Enclave is a hardened, attested and highly constrained virtual machine.
-
Snyk Releases Enhanced Vulnerability Prioritization Features
Snyk has announced the release of a number of new features to simplify prioritizing security vulnerabilities. This includes a new, proprietary algorithm to assess and provide a score for each identified issue. This approach takes into account the maturity of the exploit and can analyze if the affected code is reachable through application execution.
-
Security Concerns for Peripheral APIs on the Web
Google has been promoting the inclusion of peripheral connectivity using Bluetooth and USB on web browsers for several years. Yet, it's meeting heavy resistance from other browser vendors such as Apple and Mozilla.
-
Production Identity Framework SPIRE Graduates to CNCF Incubator
The Cloud Native Computing Foundation has accepted SPIFFE and SPIRE as incubation level projects. SPIFFE defines a standard to authenticate software services through the use of platform-agnostic, cryptographic identities. SPIRE is an implementation of the SPIFFE APIs that is production ready.
-
DevOps Dojo Provides Online, Interactive DevOps Training
DXC Technology has recently open-sourced their DevOps Dojo, a collection of learning modules that covers both the technical and cultural aspects of DevOps. The modules are built on the Katacoda platform and hosted on GitHub.
-
Facilitating Threat Modelling Remotely
ThoughtWorks' Jim Gumbley recently published a guide to Threat Modelling on Martinfowler.com with a template for facilitating remote and onsite sessions. He makes a case for continuous threat modelling within each iteration, alongside business stake-holders. Derek Handova has also written about removing friction from security through automation and a greater security focus in the SDLC.
-
GitLab Annual DevOps Survey Shows Emerging Trends and Changing Roles
Completed by over 3500 developers from 21 countries, GitLab's DevOps survey encompasses three major areas, development and release, security, and testing. The survey hints at faster release cycles and improved quality, with the more recent DevSecOps area requiring more organizational fine-tuning. InfoQ has taken the chance to speak with GitLab's senior developer evangelist, Brendan O'Leary.