Application Security Content on InfoQ
-
Chef Enhances Cloud Security Automation in InSpec 2.0
Continuous automation vendor Chef has announced the availability of InSpec 2.0, a new version of Chef’s free, open source tool that enables DevOps and cross-functional application, infrastructure and security teams to express security and compliance rules as code, and to assess and remediate compliance issues throughout the entire software delivery life cycle.
-
NIST Publishes Guidelines on Application Container Security
The National Institute of Standards and Technology (NIST) published a bulletin on application container technology and its most notable security challenges. The report summarises two previous bulletins outlining vulnerability areas, including image, registry, orchestrator, container, host OS and hardware, together with their countermeasures.
-
Serverless Challenges in Hybrid Environments
Sam Newman, independent consultant and author of the book "Building Microservices", talked at the Velocity conference in London on the challenges faced when hybrid systems rely on both serverless architectures and traditional infrastructure. In particular, Newman discussed how serverless changes our notion of resiliency and how the two paradigms clash at times of high load in the system.
-
Java EE Security API (JSR-375) Approved
The Java EE Security API, JSR 375, was approved in early August. All members of the JCP Executive Committee voted “Yes”, with zero “No” votes. Intel Corp. did not vote on the JSR.
-
Active Management of Open Source Components Delivers Measurable Improvements Claims Sonatype Report
When organisations actively manage the quality of open source components in software applications they see a 28% improvement in developer productivity (through reduction in manual governance), a 30% reduction in overall development costs, and a 48% increase in application quality (as application vulnerabilities are removed early reducing their incidence in production).
-
AWS Web Application Firewall: Bolt-on Security for Insecure Websites
AWS Web Application Firewall inspects traffic coming into your web application, looking for suspicious activity. It can pass good requests onto your application and block requests that match common attack vectors - like SQL injection. WAF can add a layer of security onto an existing application without changing the app.
-
Microsoft Previews Bug and Security Risk Detection on Windows and Linux
Microsoft has made available Project Springfield as an Azure service preview called Microsoft Security Risk Detection (MSRD) for detecting code bugs and security vulnerabilities in Windows and Linux applications.
-
Sonatype Acquires Vor Security to Expand Nexus Open-Source Component Support
Sonatype announced the acquisition of Vor Security to extend their open-source component intelligence solutions’ coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++.
-
Apache Metron Graduates to Top-Level Project
Hortonworks and Apache announce the graduation of Metron, a real-time big data security platform, to top-level project status at the ASF.
-
Authentication Strategies in Microservices Systems
Software security is a complex problem, and it becomes even more complex with microservices, where each service has to deal with security, David Borsos explained at the recent Microservices Conference in London during his presentation evaluating four end-user authentication options for microservice-based systems.
-
Microservices and Security
When it comes to application security, we often treat it as an afterthought. We have learnt how to add testing into development workflows, but with security we often assume someone else will come and fix it later on, Sam Newman claimed in his keynote at this year’s Microservices Conference in London.
-
Stormpath's Java SDK 1.0 Released
This week Stormpath released version 1.0 of their user management and authentication Java SDK. Stormpath generally provides APIs for implementing authentication, authorization and user management in web and mobile applications, including open source implementations, targeting a range of languages and frameworks.
-
Mozilla's Observatory Website Security Analysis Tool Available
Mozilla has launched their website security analysis tool. Dubbed Observatory, the tool helps to spread information on best security practices to developers and sys admins in need of guidance.
-
Dan Guido: Modern iOS Application Security
As mobile applications increase in popularity and more transactions are carried out via mobile devices, security is a topic of growing concern. In his talk "Modern iOS Application Security" at QCon New York 2016, Dan Guido takes a closer look at iOS security. While Apple already provides the means to create highly secure applications, there are still threats that may render those protections useless.
-
Vulnerability in Java Reflection Library Fixed after 30 Months
In July 2013 Security Explorations discovered a vulnerability in Java by which attackers could elevate their access privileges. Oracle released a patch, but a simple modification was discovered that still made the attack effective. Once this became known, Oracle released a further patch as part of 8u77. In this article we investigate the little understood class loading process at the heart of the problem.