Application Security Content on InfoQ
-
Heuristic Static Analysis Tool GuardDog Used to Detect Several Malicious PyPI Packages
GuardDog is a new open source tool aimed at identifying malicious Python packages using Semgrep rules and package metadata analysis. Thanks to a set of source code heuristics, GuardDog can detect malicious packages never seen before and has been used to identify several malicious PyPI packages in the wild.
-
Docker Desktop 4.14 Adds Resource Usage Monitor and Vulnerability Discovery
The latest version of Docker Desktop introduces a number of new features, including resource usage monitor and vulnerability discovery. Additionally, Docker Desktop 4.14 adopts the latest Docker Engine, Docker Compose, and Containerd releases.
-
Sigstore Moves to GA with Enhanced Stability and Reliability
The Open Source Security Foundation (OpenSSF) has moved Sigstore, an artifact signing and verification technology, into general availability. This announcement sees the Sigstore certificate authority, Fulcio, and transparency log, Rekor, also move into GA with their 1.0 releases. The release brings improved stability and reliability to the services for use within production workloads.
-
Orca Security Report Finds Critical Assets Vulnerable within Three Steps
A report from Orca Security found security gaps within the assessed cloud environments. These include unencrypted sensitive data, S3 buckets with public READ access, root accounts without multi-factor authentication enabled, and publicly accessible Kubernetes API servers. In addition, they found that the average attack path only requires three steps to reach business-critical data or assets.
-
Quarkus Defends REST APIs against Attack
Quarkus has shipped a new release that integrates a CSRF protection control into its RESTEasy APIs, making web applications more resilient against certain types of fraud.
-
Threat Operations and Research Team Cloudforce One Generally Available
Cloudflare recently announced that the threat operations and research team Cloudforce One began conducting briefings and is now generally available. Available as an add-on subscription, Cloudforce One includes threat data and briefings, security tools, and the ability to make requests for information (RFIs) to the team.
-
Google 2022 Accelerate State of DevOps Report Finds Strong Culture Predictive of Strong Performance
Google has released their findings from the 2022 Accelerate State of DevOps Report. This year's report focused on security with a specific emphasis on the software supply chain. The report found a broad adoption of the inspected practices with organizations that have a high-trust, low-blame culture leading the way in both security and operational practices.
-
Production Identity Framework SPIRE Graduates from CNCF
The Cloud Native Computing Foundation has announced the graduation of SPIFFE and SPIRE. SPIFFE defines a standard to authenticate software services through the use of platform-agnostic, cryptographic identities. SPIRE is an implementation of the SPIFFE API that is production ready. Recent improvements to the project include adding experimental Windows support.
-
Amazon SNS Introduces Message Data Protection to Discover Sensitive Data in Motion
Amazon SNS recently announced the public preview of message data protection. Identifying PII data and other sensitive information in flight, the new SNS feature leverages pattern matching, machine learning models, and data protection policies to simplify data protection and compliance in applications that exchange high volumes of data.
-
CNCF Publishes the Kubernetes Policy Management Whitepaper
The CNCF recently published a new whitepaper about Kubernetes Policy Management. The whitepaper highlights the importance of Kubernetes policy management when it comes to the security and automation of clusters as well as workloads. Also, it goes in-depth into the problems Kubernetes policies solve and the proper implementation of such policies.
-
OpenSSF Releases Fuzz Introspector to Improve C/C++ Fuzz Testing Coverage
The Open Source Security Foundation (OpenSSF) has just released a tool to improve fuzzing coverage by providing actionable insights to developers and helping them identify coverage blockers.
-
Veracode Report Shows Signs of Progress in Securing Software Supply Chain
Veracode's recently released State of Software Security report found a general decline in the number of known security vulnerabilities found in third-party libraries, along with a trend towards smaller applications being scanned more regularly for issues. It also found that the industry still has a long way to go.
-
Meta Open-Sources Browser Extension to Establish Web Code Authenticity
Originally created to help WhatsApp users verify the authenticity of the WhatsApp code being served to their browsers, Code Verify is a new open-source extension for Chrome, Edge, and Firefox that enables other Web services to provide the same level of security, says Meta.
-
Dynatrace Application Security Gates Catalyze Secure Automated Releases
Dynatrace recently announced the availability of “security gates” on its software intelligence platform. Organizations can now use Dynatrace Application Security gates to check security vulnerabilities early in the software development lifecycle and trigger required remediation actions.
-
Google Cloud Introduces Certificate Manager
Google Cloud recently introduced the public preview of Certificate Manager, a service that integrates with External HTTPS Load Balancing to manage multiple certificates and domains.