Application Security Content on InfoQ
-
Production Identity Framework SPIRE Graduates to CNCF Incubator
The Cloud Native Computing Foundation has accepted SPIFFE and SPIRE as incubation level projects. SPIFFE defines a standard to authenticate software services through the use of platform-agnostic, cryptographic identities. SPIRE is an implementation of the SPIFFE APIs that is production ready.
-
DevOps Dojo Provides Online, Interactive DevOps Training
DXC Technology has recently open-sourced their DevOps Dojo, a collection of learning modules that covers both the technical and cultural aspects of DevOps. The modules are built on the Katacoda platform and hosted on GitHub.
-
Facilitating Threat Modelling Remotely
ThoughtWorks' Jim Gumbley recently published a guide to Threat Modelling on Martinfowler.com with a template for facilitating remote and onsite sessions. He makes a case for continuous threat modelling within each iteration, alongside business stakeholders. Derek Handova has also written about removing friction from security through automation and a greater security focus in the SDLC.
-
GitLab Annual DevOps Survey Shows Emerging Trends and Changing Roles
Completed by over 3500 developers from 21 countries, GitLab's DevOps survey encompasses three major areas: development and release, security, and testing. The survey hints at faster release cycles and improved quality, with the more recent DevSecOps area requiring more organizational fine-tuning. InfoQ has taken the chance to speak with GitLab's senior developer evangelist, Brendan O'Leary.
-
Vulnerability Scanner Trivy Now Available as Integrated Option within Harbor
Aqua Security has announced that Trivy, their open source vulnerability scanner, is now available as an integrated option within a number of platforms. Trivy is able to scan for vulnerabilities within operating systems and a number of common application dependencies.
-
Equifax Hackers Charged with Crime
The United States has charged four members of the Chinese military with hacking Equifax. The attack, which exploited a Struts2 deserialization vulnerability, can be detected by a suite of tools.
-
Security Predicted by Gartner to Improve in DevOps Teams
DevOps teams have improved software velocity by incorporating development, testing, and operations into a unified team. In the coming years, many teams are set to incorporate security testing into this process, rather than delegating verification to unpredictable gates staffed by experts.
-
Sonatype Disables Unencrypted Access to Maven
Sonatype has disabled unencrypted HTTP access to Maven Central, improving security for build systems such as Maven, Gradle, SBT, and other dependency systems.
-
Microsoft Exploring Rust as the Solution for Safe Software
Microsoft has been recently experimenting with Rust to improve the safety of their software. In a talk at RustFest Barcelona, Microsoft engineers Ryan Levick and Sebastian Fernandez explained the challenges they faced in using Rust at Microsoft. Part of Microsoft's journey with Rust included rewriting a low-level Windows component, as Adam Burch explained.
-
CloudFlare Releases Open Source Implementation of Network Time Security Protocol
CloudFlare announced the first major release of their implementation of the Network Time Security (NTS) protocol. This builds on their previous release of time.cloudflare.com, their free time service that supports both Network Time Protocol (NTP) and NTS.
-
New Bytecode Alliance Announces WebAssembly Nanoprocesses Proposal for Safe Use of Untrusted Modules
Mozilla’s Lin Clark recently announced the creation of the Bytecode Alliance. The Bytecode Alliance is an industry partnership aiming at proposing and implementing standards to enable the growth of a secure-by-default WebAssembly ecosystem, inside and outside the browser. The Bytecode Alliance introduced nanoprocesses to provide isolation and safety when running third-party Wasm packages.
-
Elastic Releases New Security Suite Integrating SIEM with Endpoint Protection
Elastic recently released Elastic Endpoint Protection, a new feature for integrated security built upon Elastic’s acquisition of Endgame. With Endpoint, Elastic is combining their SIEM product and endpoint security into a single solution built on the Elastic stack.
-
CircleCI Adds Security Integrations to Streamline Securing CI/CD Pipelines
CircleCI announced the addition of new orbs that address common use cases and needs in securing CI/CD pipelines. The orbs added to the repository with this release cover vulnerability scanning, secrets management, license scanning, and digital scanning, and include integrations with AWS and Google Cloud.
-
PARSEC Is a New Platform-Agnostic API for Secure Systems
Backed by Arm and Docker, Platform AbstRaction for SECurity aims to define a universal software standard to handle secure object storage and cryptography services. It focuses on modern system architectures made of containerized services and strives to make security technology easy to access. InfoQ has spoken with Justin Cormack, security lead at Docker and PARSEC maintainer, to learn more.
-
Eclipse Foundation Proposes Vulnerability Assessment Tool
The Eclipse Foundation is evaluating a proposal to incorporate a Vulnerability Assessment Tool that would help identify libraries with known security issues. The possible result would help inform developers when their application faces a downstream risk from using vulnerable components.