Application Security Content on InfoQ

  • Bootable Apps for Immutable Infrastructure and Security

    Axel Fontaine on the "Bootable App" pattern, a bare-bones machine image for deploying immutable infrastructure to the cloud. This minimal image covers all layers of the stack, including the OS kernel, libraries and runtime environment, but still has a small footprint, reducing both image upload time and storage costs while also significantly reducing the attack surface of running instances.

  • Remotely Exploitable glibc DNS Bug Discovered

    A recently discovered buffer overflow in the DNS resolution code of glibc, present since 2008, has the potential to be remotely exploitable and to crash a significant number of Linux applications. InfoQ investigates.

  • Secrets Management with Chef-Vault

    Secrets management is a difficult problem in a distributed and scalable environment. Chef-vault is a Chef tool built on top of encrypted data bags that eliminates the need to share the decryption key with all users and nodes of an infrastructure.

  • Oracle to Deprecate Java Browser Plugin in 2017

    Oracle has announced that it will deprecate the Java browser plugin as part of the JDK 9 release now expected in 2017. The deprecated technology will be completely removed from the Oracle Java Development Kit (JDK) and Java Runtime Environment (JRE) in a future Java release, but Oracle is yet to indicate which one.

  • Docker Boosts Security on Containers

    Docker Inc. has announced a new set of security enhancements at DockerCon EU, held in Barcelona on 16-17 November. These enhancements include hardware signing of container images, content auditing through image scanning and vulnerability detection, and granular access control policies with user namespaces.

  • Splunk .conf 2015 Keynote

    Splunk opened their big data conference with an emphasis on “making machine data accessible, usable, and valuable to everyone”. This is a shift from their original focus: indexing arbitrary big data sources. Reasonably happy with their ability to process data, they want to ensure that developers, IT staff, and normal people have a way to actually use all of the data their company is collecting.

  • Storing Secrets at Scale with HashiCorp's Vault: Q&A with Armon Dadgar

    After an informative presentation by Armon Dadgar at QCon New York that explored security requirements within modern production systems, InfoQ sat down with Dadgar and asked questions about HashiCorp’s Vault, an open source tool for managing secrets at scale.

  • Twitter Unveils Digits Login for Web

    Twitter has officially released Digits Login for Web, the latest iteration of Digits, which extends the SMS-based login system to the websites of mobile apps powered by Digits.

  • Serial Key Generating for .NET

    While many applications are now being sold through app stores, mid-sized and big-ticket software is still offered directly to customers via web sites. For these kinds of projects, out-of-band licensing is still a major concern. One way to manage licenses is via serial keys using libraries such as SKGL.

  • Google to remove support for SSL 3.0

    Google have announced that they will remove support for the obsolete SSL 3.0 after discovering vulnerabilities that may be exploitable by forcing clients or servers to downgrade. Removing SSL 3.0 may also unlock stalled negotiations with HTTP2. Read on for more details.

  • Waratek Release Early Version of their Application Security

    Waratek released an early adopter version of Waratek Application Security for Java, to protect older Java applications from vulnerabilities in legacy Java versions.

  • Heartbleed allows dumping client and server memory remotely

    The recently disclosed Heartbleed bug allows a remote client to query the contents of a remote SSL server's memory when using vulnerable versions of OpenSSL, disclosing passwords and other secure credentials to eavesdroppers. Application sites like Yahoo! Mail and Amazon Web Services have been affected. Read on to find out more about what the bug entails, and what you should do.

  • Continuous Security Testing With Gauntlt

    James Wickett, from the Gauntlt core team, gave a tutorial at Velocity Conf London about integrating security testing into the continuous integration cycle for early feedback on the application's security level. James stressed the importance of regularly checking for security as release delivery rates increase with continuous delivery.

  • DevOps Days Amsterdam Day 1 Focused on Continuous Delivery and DevOps Culture

    The first day of DevOps Days Amsterdam had its focus split between continuous delivery and promoting a DevOps culture. Talks focused on how to automate the deployment pipeline, but also on system recovery in case of failure. On the culture side, leveraging distinct personality types to successfully introduce changes and the positive impact of a strong company culture on hiring were some of the takeaways.

  • RSA Panelists Reinforce that DevOps Boosts Application Security

    Smaller releases, automated testing, and a culture that embraces security are the reasons why panelists at the RSA 2013 conference say that DevOps can be a huge boon for application security.
