Application Security Content on InfoQ

  • Dan Guido: Modern iOS Application Security

    As mobile applications increase in popularity and as more transactions are carried out via mobile devices, security is a topic of growing concern. In his talk "Modern iOS Application Security" at QCon New York 2016, Dan Guido takes a closer look at iOS security. While Apple already provides the means to create highly secured applications, there are still threats that may render them useless.

  • Vulnerability in Java Reflection Library Fixed after 30 Months

    In July 2013 Security Explorations discovered a vulnerability in Java by which attackers could elevate their access privileges. Oracle released a patch, but a simple modification was discovered that still makes the attack effective. Once this became known, Oracle released a patch as part of 8u77. In this article we investigate the little-understood class loading process at the heart of the problem.

  • Bootable Apps for Immutable Infrastructure and Security

    Axel Fontaine on the "Bootable App" pattern, a bare bones machine image for deploying immutable infrastructure to the cloud. This minimal image covers all layers of the stack, including OS kernel, libraries and runtime environment but still has a small footprint, reducing both image upload time and storage costs while also significantly reducing the attack surface on running instances.

  • Remotely Exploitable GlibC DNS Bug Discovered

    A recently discovered buffer overflow in the DNS resolution of GLibC, which has been present since 2008, has the potential to be remotely exploitable and crash a significant number of Linux applications. InfoQ investigates.

  • Secrets Management with Chef-Vault

    Secret management is a difficult problem in a distributed and scalable environment. Chef-vault is a Chef tool built on top of encrypted data bags that eliminates the need to share the decryption key with all users and nodes of an infrastructure.

  • Oracle to Deprecate Java Browser Plugin in 2017

    Oracle has announced that it will deprecate the Java browser plugin as part of the JDK 9 release now expected in 2017. The deprecated technology will be completely removed from the Oracle Java Development Kit (JDK) and Java Runtime Environment (JRE) in a future Java release, but Oracle is yet to indicate which one.

  • Docker Boosts Security on Containers

    Docker Inc. has announced a new set of security enhancements at DockerCon EU, held in Barcelona on 16-17 November. These enhancements include hardware signing of container images, content auditing through image scanning and vulnerability detection, and granular access control policies with user namespaces.

  • Splunk .conf 2015 Keynote

    Splunk opened their big data conference with an emphasis on “making machine data accessible, usable, and valuable to everyone”. This is a shift from their original focus: indexing arbitrary big data sources. Reasonably happy with their ability to process data, they want to ensure that developers, IT staff, and normal people have a way to actually use all of the data their company is collecting.

  • Storing Secrets at Scale with HashiCorp's Vault: Q&A with Armon Dadgar

    After an informative presentation by Armon Dadgar at QCon New York that explored security requirements within modern production systems, InfoQ sat down with Dadgar and asked questions about HashiCorp’s Vault, an open source tool for managing secrets at scale.

  • Twitter Unveils Digits Login for Web

    Twitter has officially released Digits Login for Web, the latest iteration of Digits that extends the SMS-based login system to the sites of mobile apps powered by Digits.

  • Serial Key Generating for .NET

    While many applications are now being sold through app stores, mid-sized and big-ticket software is still offered directly to customers via web sites. For these kinds of projects, out-of-band licensing is still a major concern. One way to manage licenses is via serial keys using libraries such as SKGL.

  • Google to remove support for SSL 3.0

    Google have announced that they will remove support for the obsolete SSL 3.0 after discovering vulnerabilities that may be exploitable by forcing clients or servers to downgrade. Removing SSL 3.0 may also unlock stalled negotiations with HTTP2. Read on for more details.

  • Waratek Release Early Version of their Application Security

    Waratek released an early adopter version of Waratek Application Security for Java, to protect older Java applications from vulnerabilities in legacy Java versions.

  • Heartbleed allows dumping client and server memory remotely

    The recently disclosed Heartbleed bug allows a remote client to query the contents of a remote SSL server's memory when using vulnerable versions of OpenSSL, disclosing passwords and other secure credentials to eavesdroppers. Application sites like Yahoo! Mail and Amazon Web Services have been affected. Read on to find out more about what the bug entails, and what you should do.

  • Continuous Security Testing With Gauntlt

    James Wickett, of the Gauntlt core team, gave a tutorial at Velocity Conf London on integrating security testing into the continuous integration cycle to get early feedback on an application's security level. James stressed the importance of regularly checking for security as release delivery rates increase with continuous delivery.
