Application Security Content on InfoQ
-
Kubernetes Policy Enforcement with Open Policy Agent Gatekeeper
The latest release of the Kubernetes Policy Controller Gatekeeper takes greater advantage of the CNCF project Open Policy Agent to offer users the ability to declare policies, share constraint templates, and audit resources for policy violations.
-
Security Architecture Anti-Patterns by UK Government National Cyber Security Centre
The National Cyber Security Centre of the UK Government recently published a white paper on the six design anti-patterns that we should avoid when designing computer systems.
-
Huawei Firmware Analysis Reveals Security Problems
Finite State located significant security issues in Huawei firmware images, including memory corruption bugs, hardcoded encryption keys, and unsafe C functions used where safer alternatives exist.
-
Cloudflare Releases Free Time Service That Supports NTP and NTS
Cloudflare released time.cloudflare.com, their free time service that supports both NTP (Network Time Protocol) and the emerging NTS (Network Time Security). NTP is an Internet protocol for synchronizing time between remote computer systems. Cloudflare’s new service provides NTP services over their anycast network of over 180 locations worldwide.
-
Web Application Firewall Causes Outage
The Cloudflare outage of July 2nd, 2019 was caused by a single Web Application Firewall rule, intended to block a SharePoint CVE, whose regular expression backtracked catastrophically and drove CPU consumption across the edge to 100%.
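To make the failure mode concrete, here is an added example (not Cloudflare's code and not the actual WAF rule): a deliberately naive backtracking matcher that counts the steps a pattern of the shape `.*.*=.*` spends on input that contains no `=`, compares it with the simpler `.*=.*`, and enforces a step budget of the kind a WAF engine should have as a kill switch. The mini pattern dialect, the step-counting convention, and the `5000` budget are assumptions for the demonstration; the match decisions are cross-checked against Python's `re`.

```python
import re

# Added example: a toy backtracking regex engine that exposes its step count.
# Supported syntax (an assumption for the demo): literal characters, ".",
# "[...]" / "[^...]" character classes, a postfix "*", and "\" to escape the
# next character. Each call of match_here counts as one step.


class BacktrackBudgetExceeded(Exception):
    """Raised when a match needs more steps than the caller allowed."""


def tokenize(pattern):
    """Parse the tiny pattern dialect into a list of (atom, starred) tuples."""
    tokens = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "[":
            j = pattern.index("]", i)
            body = pattern[i + 1 : j]
            negated = body.startswith("^")
            atom = ("class", negated, set(body[1:] if negated else body))
            i = j + 1
        elif c == "\\":
            atom = ("lit", pattern[i + 1])
            i += 2
        elif c == ".":
            atom = ("any",)
            i += 1
        else:
            atom = ("lit", c)
            i += 1
        starred = i < len(pattern) and pattern[i] == "*"
        if starred:
            i += 1
        tokens.append((atom, starred))
    return tokens


def atom_matches(atom, ch):
    """Does a single atom accept character ch?"""
    if atom[0] == "any":
        return True
    if atom[0] == "lit":
        return ch == atom[1]
    _, negated, chars = atom
    return (ch in chars) != negated


def search(pattern, text, step_limit=None):
    """Unanchored search (like re.search) returning (matched, steps).

    Greedy stars consume as much as they can and then give back one character
    at a time; with two stars in front of a literal that never appears, every
    split between them is tried for every start position, which is what makes
    ".*.*=.*" blow up on non-matching input.
    """
    tokens = tokenize(pattern)
    steps = [0]

    def match_here(ti, pos):
        steps[0] += 1
        if step_limit is not None and steps[0] > step_limit:
            raise BacktrackBudgetExceeded(f"{steps[0]} steps > {step_limit}")
        if ti == len(tokens):
            return True
        atom, starred = tokens[ti]
        if starred:
            end = pos
            while end < len(text) and atom_matches(atom, text[end]):
                end += 1
            for p in range(end, pos - 1, -1):  # backtrack one char at a time
                if match_here(ti + 1, p):
                    return True
            return False
        if pos < len(text) and atom_matches(atom, text[pos]):
            return match_here(ti + 1, pos + 1)
        return False

    for start in range(len(text) + 1):
        if match_here(0, start):
            return True, steps[0]
    return False, steps[0]


def exceeds_budget(pattern, text, step_limit):
    """True if the match needs more than step_limit steps (the kill switch)."""
    try:
        search(pattern, text, step_limit)
        return False
    except BacktrackBudgetExceeded:
        return True


def agrees_with_re(pattern, text):
    """Cross-check the toy engine's match/no-match answer against re.search."""
    return (re.search(pattern, text) is not None) == search(pattern, text)[0]


if __name__ == "__main__":
    for n in (4, 10, 20, 40):  # constructed inputs: n x's and no "="
        bad = search(".*.*=.*", "x" * n)[1]
        ok = search(".*=.*", "x" * n)[1]
        print(f"n={n:3d}  .*.*=.* -> {bad:6d} steps   .*=.* -> {ok:4d} steps")
    print("budget tripped:", exceeds_budget(".*.*=.*", "x" * 40, 5000))
```

The step count for `.*.*=.*` grows cubically with the input length for an unanchored search, while dropping the redundant `.*` keeps it quadratic; a budget or timeout turns a CPU-exhaustion incident into a rule that fails closed, and a linear-time engine such as RE2 removes the problem class entirely.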
-
W3C and FIDO Alliance Finalized WebAuthn, Web Standard for Secure, Passwordless Logins
The World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance recently announced that the Web Authentication (WebAuthn) specification is now an official web standard. WebAuthn allows users to log in via biometrics, mobile devices and/or FIDO security keys, with higher security over passwords alone.
-
OpenJDK Docker Image Served Mis-Labeled Vulnerable JDK
The official Docker Image for OpenJDK contained a mis-attributed version number, indicating that the JRE contained security patches that were not actually present. The issue was resolved with cross-community collaboration between OpenJDK and Debian.
-
NSA Ghidra, a Reverse Engineering Tool, Runs on Java 11
Ghidra is a reverse-engineering tool written in Java that helps application security engineers understand how a binary works. It automates decompilation and analysis across many processor architectures.
-
SAP Open Sources Java SCA Tool
SAP has open-sourced a tool that detects known vulnerabilities in Java and Python applications through software composition analysis.
-
Tomcat and Kafka Selected for EU Bug Bounty Programme
The European Union recently launched a bug bounty program for critical open-source projects, offering financial compensation to anyone who finds and reports a new security flaw. The bug bounty is offered as part of FOSSA, the “Free and Open Source Software Audit” project. The FOSSA list includes two notable Java projects: Apache Tomcat and Apache Kafka.
-
British Airways Data Breach Conducted via Malicious JavaScript Injection
British Airways disclosed two substantial data breaches this year: in September it reported the compromise of 244,000 credit card transactions made in August and September, and in October it disclosed a further 185,000 transactions from April through July.
-
IT Operations Is the Most Predictable DevOps Differentiator Says Damon Edwards at DOES18 London
InfoQ spoke to Damon Edwards, co-founder and chief product officer at Rundeck, at DevOps Enterprise Summit London about his talk ‘Operations - The Last Mile Problem for DevOps in the Enterprise’ and the sneak preview of the new version of Rundeck, V3.0.
-
DevSecOps Grows Up and Finds Itself a Community
On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, Mark Miller and John Willis, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.
-
PGP and S/MIME Encrypted Email Vulnerable to Efail Attack
A group of German and Belgian researchers found that PGP and S/MIME email clients are vulnerable to an attack that leaks the plaintext of encrypted emails. The Electronic Frontier Foundation confirmed the vulnerability and suggested using alternative means to exchange secure messages. Yet the vulnerability is not in PGP itself, according to GnuPG creator Werner Koch, who also called the EFF's comments overblown.
-
Q&A with Laura Bell on Continuous Security at QCon London
In this Q&A with Laura Bell at QCon London, we discuss her keynote, continuous security, and her own professional security journey.