InfoQ Homepage Application Security Content on InfoQ
-
Security Experts Exploit Airport Security Loophole with SQL Injection
In the article "Bypassing airport security via SQL injection," two security researchers recently demonstrated how they executed a simple SQL injection attack on a service that enables pilots and flight attendants to bypass airport security screening.
-
Cloudflare Application Security Report Highlights Surge in DDoS Attacks and CVE Exploits
Cloudflare recently released its 2024 Application Security Report, offering recommendations and insights on addressing many raised concerns. A key finding of the report is the increase in malicious traffic, driven by geopolitical events and voting seasons.
-
Microsoft Entra Suite Now Generally Available: Identity and Security Based Upon Zero-Trust Models
Microsoft has announced the general availability of its Entra Suite. According to the company, the suite provides a solution that integrates identity and security, facilitating a more unified approach to security operations.
-
Non-Production Endpoints as an Attack Surface in AWS
The security team at Datadog recently disclosed a security issue on AWS where non-production endpoints were used as an attack surface to silently perform permission enumeration. AWS has since remediated these specific bypasses.
-
OpenSSF Launches Siren for Open Source Threat Intelligence
The Open Source Security Foundation (OpenSSF) has announced Siren, “a collaborative effort to aggregate and disseminate threat intelligence specific to open source projects”. The initiative comes in the wake of the XZ Utils compromise where it became clear that open source projects needed better ways to disseminate and receive relevant threat intelligence.
-
Microsoft Launches Trusted Signing in Public Preview: an End-to-End Signing Solution for Developers
Microsoft recently launched Trusted Signing in Public Preview, a fully-managed end-to-end signing solution for developers backed by a Microsoft-managed certification authority.
-
GitHub Enables Dependabot via GitHub Actions, Improves Supply Chain Security
GitHub has released two features to improve the security and resilience of repositories. The first feature allows Dependabot to run as a GitHub Actions workflow using hosted and self-hosted runners. The second release introduces the public beta of Artifact Attestations, simplifying how repository maintainers can generate provenance for their build artifacts.
-
API Access with Amazon Verified Permissions and Amazon Cognito
AWS recently announced that Amazon API Gateway requests can now be authorized with Amazon Verified Permissions. With this feature, HTTP requests containing tokens issued by Amazon Cognito can be used to perform authorization decisions against API resources.
-
Application Security Optimised for Engineering Productivity
Laura Bell Main presented a webinar on 2024 trends in application security. She called out a shift from siloed DevSecOps initiatives to building an understanding of dev friction, and presenting solutions which optimise engineering productivity. Nikki Robinson also recently spoke about the importance of taking a developer experience targeted approach to security platform engineering.
-
Microsoft AI-Driven Security Tool Copilot for Security is Now GA
Microsoft recently announced the general availability of Copilot for Security, a generative Artificial Intelligence (AI) security product designed to help security and IT teams with the capabilities to protect their digital assets.
-
GUAC Joins OpenSSF as Incubating Project
The Graph for Understanding Artifact Composition (GUAC) has joined the Open Source Security Foundation (OpenSSF) as an incubating project. GUAC provides a tool and underlying API to analyse and visualise software bill of materials (SBOM) along with threat intelligence feeds to determine whether vulnerabilities impact an application.
-
AI and FinOps Predicted to Lead Observability Innovation in 2024
In recently published articles, three large observability companies have made predictions for the trends we will see in the observability area in 2024 and beyond. These contributions suggest that the fields of AI Integration, FinOps, OpenTelemetry and Security and Governance will impact observability significantly in the year ahead.
-
OpenSSF Adds Attestations to SBOMs to Validate How Software is Built
The Open Source Security Foundation (OpenSSF) has recently announced SBOMit, a tool designed to bolster Software Bills of Materials (SBOMs) with in-toto attestations. This development, announced under the OpenSSF Security Tooling Working Group, increases transparency and security in the software development process.
-
GitLab Launches Browser-Based Dynamic Application Security Testing (DAST) Scan
GitLab has recently introduced a browser-based Dynamic Application Security Testing (DAST) feature in version 16.4 (or DAST 4.0.9). This development is part of GitLab's ongoing efforts to enhance browser-based DAST by integrating passive checks. The release includes active check-in capabilities.
-
Privacy Engineering at Scale: DoorDash’s Journey in Geomasking and Data Protection
DoorDash recently published how it proactively embeds privacy into its products. It explains the importance of Privacy Engineering, an often overlooked software architecture practice, and provides an example of geomasking users' address data to protect their privacy better.