-
AWS Adds Automated Detection of Unused IAM Roles, Users, and Permissions
AWS recently added support for detecting unused access granted to IAM roles and users within their AWS IAM Access Analyzer tool. The new analyzer can identify unused roles, unused IAM user access keys and passwords, and unused permissions within a defined usage window. This analysis can be done across accounts within the organization and be controlled from a delegated administrator account.
-
Revolutionizing Digital Identity: How Verifiable Credentials Offer a New Era of Privacy and Control
Auth0 recently published an in-depth explanation of Verifiable Credentials (VCs). The article emphasizes the potential of VCs to transform how identities are managed online. It highlights the limitations of current identity systems and how VCs can address these gaps, particularly in allowing identity claims to be disclosed without issuers knowing, thereby enhancing privacy and control for users.
-
AppDeveloperCon Offers Deep Dives into Developer-Focused CNCF Projects
On Monday, 6 November, in Chicago, Illinois, Application Developer Con was held as one of the co-located events at KubeCon North America 2023. The full-day event focused on cloud native developers and featured talks on CNCF projects (such as OpenFGA, Dapr, Testcontainers, and OpenFeature), eventing, patterns like choreography/orchestration, and ways of working in today's cloud native environments.
-
Cloudflare Turnstile: CAPTCHA Replacement Now GA and Available for Free
Cloudflare recently announced that Turnstile is now generally available and free for everyone. Designed as an alternative to traditional challenge-response tests, Turnstile is a checkbox designed to preserve user privacy, stop bots, and enhance the user experience.
-
AI a “Must-Have” in GitLab’s 2023 Global DevSecOps Report
GitLab has released their 2023 Global DevSecOps AI report, with the key finding that AI and ML use is evolving from a "nice-to-have" to a "must-have". The report shows that 23% of organizations are already using AI in software development, and of those, 60% are using it daily. Furthermore, 65% of respondents said they are using AI and ML for testing now, or would be within the next three years.
-
HashiCorp Vault Secrets Operator for Kubernetes Moves into General Availability
HashiCorp has moved the HashiCorp Vault Secrets Operator for Kubernetes into general availability. This Kubernetes Operator combines Vault's secret management tooling with the Kubernetes Secrets cache. The operator also handles secret rotation and has controllers for the various secret-specific custom resources.
-
NuGet 6.7 Announced with Enhanced Security Features
The NuGet team announced NuGet 6.7, an update that introduces a set of advanced security features. These enhancements span from updated package source mapping to the integration of vulnerability APIs, updated package version dropdowns, and the addition of warning messages to tackle trust chain issues.
-
KSOC Labs Release the First Kubernetes Bill of Materials (KBOMs)
KSOC Labs recently announced the release of the first Kubernetes Bill of Materials (KBOM). KBOM is an open source standard and command-line tool that helps security teams quickly analyze cluster configurations and respond to CVEs. The project includes an initial specification and an implementation that works across cloud providers, on-prem, and DIY environments.
-
AWS Signer Simplifies Signing and Verifying Container Images
AWS has released AWS Signer Container Image Signing (AWS Signer) to provide native AWS support for signing and verifying container images in registries such as Amazon Elastic Container Registry (Amazon ECR). AWS Signer manages code signing certificates, public and private keys, and provides lifecycle management tooling.
-
GitHub Push Protection Moved to General Availability
GitHub has moved push protection into general availability and made it free for all public repositories. Push protection helps detect secrets in code as changes are pushed. As part of the GA release, push protection is also available to all private repositories with a GitHub Advanced Security (GHAS) license.
-
QCon New York 2023: Day Two Recap
Day Two of the 9th annual QCon New York conference was held on June 14th, 2023, at the New York Marriott at the Brooklyn Bridge in Brooklyn, New York. This three-day event, organized by C4Media, included a keynote address by Alicia Dwyer Cianciolo and presentations from four conference tracks and one sponsored track.
-
Celebrity Vulnerabilities: Effective Response to Critical Production Threats
Alyssa Miller, chief information security officer of EpiqGlobal, presented at QCon London on the lessons learned from three major open-source security events: the Equifax breach via Struts, the Log4j vulnerabilities, and the Spring4Shell exploit.
-
Survey on Supply Chain Practices Finds Perceived Usefulness of Practice Correlates with Adoption
A recent survey on supply chain security practices found that some practices are widely adopted while key practices, such as generating provenance, lag behind in adoption. The survey also found that the perceived usefulness of a practice is highly correlated with its adoption.
-
Azure Application Gateway Now Supports mTLS and OCSP
Microsoft has announced that its Azure Application Gateway, a cloud-based solution that provides secure, scalable, and reliable access to web applications, now supports mutual Transport Layer Security (mTLS) and Online Certificate Status Protocol (OCSP).
-
Sonatype BOM Doctor Evaluates and Helps Patch Java Software Bills of Materials
BOM Doctor is a free, GitHub-hosted tool created by Sonatype to scan software bills of materials (SBOMs) and identify vulnerabilities and legal issues.