InfoQ Homepage Application Security Content on InfoQ
-
Veracode Report Shows Signs of Progress in Securing Software Supply Chain
Veracode's recently released State of Software Security report found a general decline in the number of known security vulnerabilities found in third-party libraries along with a trend towards smaller applications being scanned more regularly for issues. It also finds that the industry still has a long way to go.
-
Meta Open-Sources Browser Extension to Establish Web Code Authenticity
Originally created to help WhatsApp users verify the authenticity of the WhatsApp code being served to their browsers, Code Verify is a new open-source extension for Chrome, Edge, and Firefox enabling to provide the same level of security for other Web services, says Meta.
-
Dynatrace Application Security Gates Catalyze Secure Automated Releases
Dynatrace recently announced the availability of “security gates” on its software intelligence platform. Organizations can now use Dynatrace Application Security gates to check security vulnerabilities early in the software development lifecycle and trigger required remediation actions.
-
Google Cloud Introduces Certificate Manager
Google Cloud recently introduced the public preview of Certificate Manager, a service that integrates with External HTTPS Load Balancing to manage multiple certificates and domains.
-
OpenSSF Announces the Alpha-Omega Project to Improve Software Supply Chain Security
The Open Source Security Foundation (OpenSSF) in partnership with Google and Microsoft have announced the Alpha-Omega Project to improve supply chain security across open source software (OSS) projects. The project will focus on improving the security posture of the most widely deployed and critical OSS projects.
-
Google and GitHub Announce OpenSSF Scorecards v4 with New GitHub Actions Workflow
GitHub and Google have announced the version 4 release of the Open Source Security Foundation (OpenSSF)'s Scorecards project. Scorecards is an automated security tool that identifies risky supply chain practices in open source projects. This release includes a new Scorecards GitHub Action, new security checks, and a large increase in the repositories included in the foundations weekly scans.
-
Aqua Security Reports Large Increase in Supply Chain Attacks
Aqua Security's recent report highlights the increasing threat of supply chain attacks. According to the report, supply chain attacks grew by 300% from 2020 to 2021 while the level of security across software development environments remained low. Google and the CNCF have recently released papers detailing approaches to improving the security of the supply chain.
-
CNCF Publishes Latest Technology Radar Focused on DevSecOps
CNCF published the sixth edition of the end-user Technology Radar. The theme for this edition was DevSecOps, the integration of security at every step of the software development lifecycle. The radar highlighted there are many DevSecOps tools today and the space is growing and changing rapidly.
-
Airbnb Open Sources Ottr: a Serverless Public Key Infrastructure Framework
Airbnb announced that it has open-sourced Ottr, a serverless public key infrastructure framework developed in-house. Ottr handles end-to-end certificate rotations without the use of an agent. Ottr's primary design goal is to be a scalable and configurable serverless framework on AWS with little operational overhead or reliance on enrollment protocols.
-
Cloud Providers Publish Ransomware Mitigation Strategies
In the last few weeks AWS, Azure and Google Cloud have posted articles and documentation with suggestions on ransomware mitigation techniques on the cloud, highlighting the main protections and recovery preparation actions.
-
Google Releases Its Certificate Authority Service into General Availability
The Google Cloud Certificate Authority Service (CAS) is a scalable service for managing and deploying private certificates via automation and managing public key infrastructure (PKI). And last month, Google announced the general availability (GA) of this service.
-
AWS Key Management Service Introduces Multi-Region Keys
AWS has recently announced the availability of KMS multi-region keys, a new feature for client-side applications that makes encrypted data portable across regions.
-
Slack Details Its New Role Management Architecture
Slack recently posted a detailed description of the software architecture of its new role management system. Slack needed to build a system that was more flexible than the one it previously had. It created a custom containerized Go-based permission service that integrates with its existing systems over gRPC. As a result, its customers' admins now have granular control over what their users can do.
-
OpenJDK Discusses Post-SecurityManager Practices
Following the introduction of JEP-411 to deprecate Java’s SecurityManager, several projects have spoken up to discuss the impact and expected outcome of this change and how it is implemented in early-release builds of Java 17 (a Long-Term Support release). In particular, Oracle has published a technical paper, "Security and Sandboxing Post SecurityManager."
-
OpenJDK Proposes SecurityManager Deprecation
The OpenJDK project has proposed JEP-411 as a means of deprecating the SecurityManager. If accepted, this would be the first step in a multi-year process in which the OpenJDK Quality Outreach Campaign can guide affected projects towards alternatives before anything is removed.