Application Security Content on InfoQ
-
Threat Operations and Research Team Cloudforce One Generally Available
Cloudflare recently announced that the threat operations and research team Cloudforce One began conducting briefings and is now generally available. Available as an add-on subscription, Cloudforce One includes threat data and briefings, security tools, and the ability to make requests for information (RFIs) to the team.
-
Google 2022 Accelerate State of DevOps Report Finds Strong Culture Predictive of Strong Performance
Google has released the findings of its 2022 Accelerate State of DevOps Report. This year's report focused on security, with a specific emphasis on the software supply chain. The report found broad adoption of the practices it examined, with organizations that have a high-trust, low-blame culture leading the way in both security and operational practices.
-
Production Identity Framework SPIRE Graduates from CNCF
The Cloud Native Computing Foundation has announced the graduation of SPIFFE and SPIRE. SPIFFE defines a standard for authenticating software services through platform-agnostic, cryptographic identities. SPIRE is a production-ready implementation of the SPIFFE APIs. Recent improvements to the project include experimental Windows support.
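To make the "cryptographic identity" concrete, here is an added example (not part of the InfoQ summary and not SPIRE's own code) that uses only the Go standard library. A SPIFFE X509-SVID carries its SPIFFE ID, of the form spiffe://<trust domain>/<path>, as the certificate's single URI SAN. The code issues such leaf certificates from an in-memory CA that stands in for a SPIRE server's signing key, then validates the chain, extracts the ID and applies an assumed authorization policy (trust domain "example.org" and path prefix "/ns/prod/" are illustrative choices, not anything the page specifies). The function names are likewise mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SPIFFEIDFromCert extracts the SPIFFE ID from an X509-SVID leaf. The
// X509-SVID standard requires exactly one URI SAN holding the ID, which has
// the form spiffe://<trust domain>/<path>; anything else is rejected.
func SPIFFEIDFromCert(cert *x509.Certificate) (*url.URL, error) {
	if len(cert.URIs) != 1 {
		return nil, fmt.Errorf("expected exactly one URI SAN, got %d", len(cert.URIs))
	}
	id := cert.URIs[0]
	switch {
	case id.Scheme != "spiffe":
		return nil, fmt.Errorf("URI SAN scheme %q is not spiffe", id.Scheme)
	case id.Host == "" || id.User != nil || id.Port() != "":
		return nil, errors.New("trust domain must be a bare host name")
	case id.RawQuery != "" || id.Fragment != "":
		return nil, errors.New("SPIFFE ID must not carry a query or fragment")
	}
	return id, nil
}

// AuthorizeWorkload verifies that leaf chains to the trust bundle (here a
// single CA), then applies an assumed policy: the SPIFFE ID must belong to
// trustDomain and its path must start with allowedPrefix.
func AuthorizeWorkload(leaf, ca *x509.Certificate, trustDomain, allowedPrefix string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	id, err := SPIFFEIDFromCert(leaf)
	if err != nil {
		return "", err
	}
	if id.Host != trustDomain {
		return "", fmt.Errorf("%s is outside trust domain %s", id, trustDomain)
	}
	if !strings.HasPrefix(id.Path, allowedPrefix) {
		return "", fmt.Errorf("%s not permitted by policy prefix %s", id, allowedPrefix)
	}
	return id.String(), nil
}

// NewTestCA builds an in-memory CA standing in for a SPIRE server's signing
// key (assumption for the example, so that it runs offline).
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueSVID signs a short-lived leaf carrying spiffeID as its only URI SAN.
// An empty spiffeID issues a leaf with no URI SAN, to exercise the rejection path.
func IssueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: "workload"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if spiffeID != "" {
		u, err := url.Parse(spiffeID)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, caKey, err := NewTestCA()
	if err != nil {
		panic(err)
	}
	// Constructed inputs: allowed, wrong prefix, foreign trust domain, no SAN.
	for _, id := range []string{"spiffe://example.org/ns/prod/sa/api",
		"spiffe://example.org/ns/dev/sa/api", "spiffe://other.test/ns/prod/sa/api", ""} {
		leaf, err := IssueSVID(ca, caKey, id)
		if err != nil {
			panic(err)
		}
		got, err := AuthorizeWorkload(leaf, ca, "example.org", "/ns/prod/")
		fmt.Printf("%-40q -> %q, %v\n", id, got, err)
	}
}
```

The point worth noticing is the order of checks: the chain is validated before the identity is trusted, so a certificate from a foreign trust domain or a foreign CA is refused even when its SPIFFE ID looks right, and the policy decision is made on the ID alone rather than on IP addresses or host names.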
-
Amazon SNS Introduces Message Data Protection to Discover Sensitive Data in Motion
Amazon SNS recently announced the public preview of message data protection. Identifying PII and other sensitive information in flight, the new SNS feature combines pattern matching, machine learning models, and data protection policies to simplify data protection and compliance in applications that exchange high volumes of data.
-
CNCF Publishes the Kubernetes Policy Management Whitepaper
The CNCF recently published a new whitepaper about Kubernetes Policy Management. The whitepaper highlights the importance of Kubernetes policy management when it comes to the security and automation of clusters as well as workloads. Also, it goes in-depth into the problems Kubernetes policies solve and the proper implementation of such policies.
-
OpenSSF Releases Fuzz Introspector to Improve C/C++ Fuzz Testing Coverage
The Open Source Security Foundation (OpenSSF) has released Fuzz Introspector, a tool that improves fuzzing coverage by giving developers actionable insights and helping them identify coverage blockers.
-
Veracode Report Shows Signs of Progress in Securing Software Supply Chain
Veracode's recently released State of Software Security report found a general decline in the number of known security vulnerabilities found in third-party libraries along with a trend towards smaller applications being scanned more regularly for issues. It also finds that the industry still has a long way to go.
-
Meta Open-Sources Browser Extension to Establish Web Code Authenticity
Originally created to help WhatsApp users verify the authenticity of the WhatsApp code being served to their browsers, Code Verify is a new open-source extension for Chrome, Edge, and Firefox that lets other web services provide the same level of security, says Meta.
-
Dynatrace Application Security Gates Catalyze Secure Automated Releases
Dynatrace recently announced the availability of "security gates" on its software intelligence platform. Organizations can now use Dynatrace Application Security gates to check for security vulnerabilities early in the software development lifecycle and trigger the required remediation actions.
-
Google Cloud Introduces Certificate Manager
Google Cloud recently introduced the public preview of Certificate Manager, a service that integrates with External HTTPS Load Balancing to manage multiple certificates and domains.
-
OpenSSF Announces the Alpha-Omega Project to Improve Software Supply Chain Security
The Open Source Security Foundation (OpenSSF), in partnership with Google and Microsoft, has announced the Alpha-Omega Project to improve supply chain security across open source software (OSS) projects. The project will focus on improving the security posture of the most widely deployed and critical OSS projects.
-
Google and GitHub Announce OpenSSF Scorecards v4 with New GitHub Actions Workflow
GitHub and Google have announced the version 4 release of the Open Source Security Foundation (OpenSSF)'s Scorecards project. Scorecards is an automated security tool that identifies risky supply chain practices in open source projects. This release includes a new Scorecards GitHub Action, new security checks, and a large increase in the number of repositories included in the foundation's weekly scans.
-
Aqua Security Reports Large Increase in Supply Chain Attacks
Aqua Security's recent report highlights the increasing threat of supply chain attacks. According to the report, supply chain attacks grew by 300% from 2020 to 2021 while the level of security across software development environments remained low. Google and the CNCF have recently released papers detailing approaches to improving the security of the supply chain.
-
CNCF Publishes Latest Technology Radar Focused on DevSecOps
CNCF published the sixth edition of its end-user Technology Radar. The theme for this edition was DevSecOps, the integration of security at every step of the software development lifecycle. The radar highlighted that there are many DevSecOps tools today and that the space is growing and changing rapidly.
-
Airbnb Open Sources Ottr: a Serverless Public Key Infrastructure Framework
Airbnb announced that it has open-sourced Ottr, a serverless public key infrastructure framework developed in-house. Ottr handles end-to-end certificate rotations without the use of an agent. Ottr's primary design goal is to be a scalable and configurable serverless framework on AWS with little operational overhead or reliance on enrollment protocols.