-
CloudFlare Releases Open Source Implementation of Network Time Security Protocol
CloudFlare announced the first major release of their implementation of the Network Time Security (NTS) protocol. This builds on their previous release of time.cloudflare.com, their free time service that supports both Network Time Protocol (NTP) and NTS.
-
New Bytecode Alliance Announces WebAssembly Nanoprocesses Proposal for Safe Use of Untrusted Modules
Mozilla’s Lin Clark recently announced the creation of the Bytecode Alliance. The Bytecode Alliance is an industry partnership aiming at proposing and implementing standards to enable the growth of a secure-by-default WebAssembly ecosystem, inside and outside the browser. The Bytecode Alliance introduced nanoprocesses to provide isolation and safety when running third-party Wasm packages.
-
Elastic Releases New Security Suite Integrating SIEM with Endpoint Protection
Elastic recently released Elastic Endpoint Protection, a new feature for integrated security built upon Elastic’s acquisition of Endgame. With Endpoint, Elastic is combining their SIEM product and endpoint security into a single solution built on the Elastic stack.
-
CircleCI Adds Security Integrations to Streamline Securing CI/CD Pipelines
CircleCI announced the addition of new orbs that address common needs when securing CI/CD pipelines. The orbs added to the repository with this release cover vulnerability scanning, secrets management, license scanning, and digital scanning, and include integrations with AWS and Google Cloud.
-
PARSEC Is a New Platform-Agnostic API for Secure Systems
Backed by Arm and Docker, Platform AbstRaction for SECurity aims to define a universal software standard to handle secure object storage and cryptography services. It focuses on modern system architectures made of containerized services and strives to make security technology easy to access. InfoQ has spoken with Justin Cormack, security lead at Docker and PARSEC maintainer, to learn more.
-
Eclipse Foundation Proposes Vulnerability Assessment Tool
The Eclipse Foundation is evaluating a proposal to incorporate a Vulnerability Assessment Tool that would help identify libraries with known security issues. The possible result would help inform developers when their application faces a downstream risk from using vulnerable components.
-
Kubernetes Policy Enforcement with Open Policy Agent Gatekeeper
The latest release of the Kubernetes Policy Controller Gatekeeper takes greater advantage of the CNCF project Open Policy Agent to offer users the ability to declare policies, share constraint templates, and audit resources for policy violations.
-
Security Architecture Anti-Patterns by UK Government National Cyber Security Centre
The National Cyber Security Centre of the UK Government recently published a white paper on the six design anti-patterns that we should avoid when designing computer systems.
-
Huawei Firmware Analysis Reveals Security Problems
Finite State located significant security issues in Huawei firmware images, including memory corruption, hardcoded encryption keys, and unsafe functions used in place of the secure alternatives.
-
Cloudflare Releases Free Time Service That Supports NTP and NTS
Cloudflare released time.cloudflare.com, their free time service that supports both NTP (Network Time Protocol) and the emerging NTS (Network Time Security). NTP is an Internet protocol for synchronizing time between remote computer systems. Cloudflare’s new service provides NTP services over their anycast network of over 180 locations worldwide.
-
Web Application Firewall Causes Outage
The CloudFlare outage from June 2nd was caused by high CPU consumption of a backtracking regular expression, defending against a Sharepoint CVE.
-
W3C and FIDO Alliance Finalized WebAuthn, Web Standard for Secure, Passwordless Logins
The World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance recently announced that the Web Authentication (WebAuthn) specification is now an official web standard. WebAuthn allows users to log in via biometrics, mobile devices and/or FIDO security keys, with higher security over passwords alone.
-
OpenJDK Docker Image Served Mis-Labeled Vulnerable JDK
The official Docker Image for OpenJDK contained a mis-attributed version number, indicating that the JRE contained security patches that were not actually present. The issue was resolved with cross-community collaboration between OpenJDK and Debian.
-
NSA Ghidra, a Reverse Engineering Tool, Runs on Java 11
Ghidra is a reverse-engineering tool written in Java that helps application security engineers understand application flow. It automates decompilation and analysis across many system architectures.
-
SAP Open Sources Java SCA Tool
SAP has open-sourced a tool that detects known vulnerabilities in Java and Python applications through software composition analysis.