Application Security Content on InfoQ
-
AWS Shield Network Security Director: Network Topology Visibility and Remediation Guidance
AWS has introduced AWS Shield Network Security Director, a feature that automates resource discovery, maps network topology, evaluates configurations against security best practices, and prioritizes the resulting findings. It pairs each finding with actionable remediation steps and supports natural-language queries through Amazon Q Developer, so organizations can locate and fix weaknesses in their DDoS protection and network security posture.
-
Docker Launches Hardened Base Images
Docker has launched Docker Hardened Images (DHI), a security-focused range of base images that, according to Docker, reduce vulnerabilities by up to 95%. Built with a distroless approach, the minimal images strip out unnecessary components, are patched automatically, and are intended to be drop-in compatible with existing Dockerfiles. Aimed at regulated environments, DHI targets software supply chain security and transparency.
-
Goodbye CVE? European Vulnerability Database EUVD Now Live
The European Union Agency for Cybersecurity (ENISA) has recently launched the beta of the European Vulnerability Database (EUVD), a new public platform operating alongside, but independently from, the widely used Common Vulnerabilities and Exposures (CVE) system. The new platform aims to improve coordination and transparency in vulnerability handling within the EU.
-
Have I Been Pwned 2.0 Adds New Tools for Data Breach Monitoring
Have I Been Pwned (HIBP), the widely used data breach notification service created by security researcher Troy Hunt, has launched a major front-end redesign as version 2.0, introducing several new features aimed at improving how individuals and organizations monitor their breach exposure.
-
Docker Introduces Hardened Images to Strengthen Container Security
Docker has launched Docker Hardened Images, a catalog of enterprise-grade, security-hardened container images designed to protect against software supply chain threats. By relieving DevOps teams of the chore of securing their containers on their own, hardened images provide an easier way to meet enterprise security and compliance standards, Docker says.
-
QCon London 2025 Day 3: AMQP Politics, Serverless Databases, Betrayal in Security and Architecture
The 19th annual QCon London conference took place at The Queen Elizabeth II Conference Centre in London, England. This three-day event, organized by C4Media, consists of presentations by expert practitioners. Day Three, scheduled on April 9th, 2025, included two keynote addresses by John O'Hara and Hannah Foxwell and presentations from five conference tracks.
-
QCon London: a Three-Step Blueprint for Managing Open Source Risk
At QCon London 2025, Johnson Matthey's vulnerability manager, Celine Pypaert, discussed managing open-source dependency risks while maintaining momentum in innovation. She described a three-part blueprint for handling the security challenges that arise with the now widespread use of open-source dependencies.
-
How GitHub Leverages CodeQL for Security
GitHub's Product Security Engineering team secures the code behind GitHub using CodeQL, GitHub's static analysis engine, to detect and fix vulnerabilities at scale. The team has shared its approach so other organizations can learn how to use CodeQL to better protect their own codebases.
-
OpenSSF Publishes Security Baseline for Open-Source Projects
To help open-source maintainers keep their projects secure, the Open Source Security Foundation (OpenSSF) has published a set of guidelines based on international cybersecurity frameworks, standards, and regulations, the Open Source Project Security Baseline.
-
Security Experts Exploit Airport Security Loophole with SQL Injection
In the article "Bypassing airport security via SQL injection," two security researchers recently demonstrated how they executed a simple SQL injection attack on a service that enables pilots and flight attendants to bypass airport security screening.
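To make concrete what "a simple SQL injection attack" against an authorization lookup looks like, here is a constructed example (not the researchers' code and not the service they tested) showing a login check that concatenates user input into SQL beside the parameterized version that closes the hole. The table, credentials and payload are all invented for illustration; real systems should also store password hashes rather than the plaintext used here to keep the query comparison readable.

```python
import sqlite3

# Constructed stand-in for a crew roster: one table, one row. Not the real
# service's schema. Plaintext password is for illustration only.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crew (username TEXT, password TEXT, airline TEXT)")
    conn.execute("INSERT INTO crew VALUES ('jdoe', 's3cret', 'ExampleAir')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The query is assembled by string formatting, so attacker-controlled text
    # becomes part of the SQL grammar instead of staying a literal value.
    sql = (
        "SELECT airline FROM crew "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: the driver sends values separately from the SQL text,
    # so a quote in the input can never terminate the string literal.
    sql = "SELECT airline FROM crew WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run a legitimate login and a classic tautology payload against both versions."""
    conn = setup_db()
    # Supplying this in both fields turns the vulnerable WHERE clause into
    # ... username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is always true, so the first row is returned without credentials.
    payload = "' OR '1'='1"
    return {
        "legit_vuln": login_vulnerable(conn, "jdoe", "s3cret"),
        "attack_vuln": login_vulnerable(conn, payload, payload),
        "legit_safe": login_safe(conn, "jdoe", "s3cret"),
        "attack_safe": login_safe(conn, payload, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function returns the roster entry for the injected payload, while the parameterized function treats the same payload as an ordinary (non-matching) username and returns nothing. Any authorization decision that is driven by the result of such a lookup inherits the bypass.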
-
Cloudflare Application Security Report Highlights Surge in DDoS Attacks and CVE Exploits
Cloudflare recently released its 2024 Application Security Report, offering insights into the threats it observed and recommendations for addressing them. A key finding is the increase in malicious traffic, which the report attributes to geopolitical events and election seasons.
-
Microsoft Entra Suite Now Generally Available: Identity and Security Based Upon Zero-Trust Models
Microsoft has announced the general availability of its Entra Suite. According to the company, the suite provides a solution that integrates identity and security, facilitating a more unified approach to security operations.
-
Non-Production Endpoints as an Attack Surface in AWS
The security team at Datadog recently disclosed a security issue on AWS where non-production endpoints were used as an attack surface to silently perform permission enumeration. AWS has since remediated these specific bypasses.
-
OpenSSF Launches Siren for Open Source Threat Intelligence
The Open Source Security Foundation (OpenSSF) has announced Siren, “a collaborative effort to aggregate and disseminate threat intelligence specific to open source projects”. The initiative comes in the wake of the XZ Utils compromise where it became clear that open source projects needed better ways to disseminate and receive relevant threat intelligence.
-
Microsoft Launches Trusted Signing in Public Preview: an End-to-End Signing Solution for Developers
Microsoft recently launched Trusted Signing in Public Preview, a fully-managed end-to-end signing solution for developers backed by a Microsoft-managed certification authority.