InfoQ Homepage DevSecOps Content on InfoQ
News
RSS Feed-
GitLab 13.9 Introduces Security Alerts Dashboard, Maintenance Mode, and More
The latest release of GitLab introduces over 60 new features, mostly aimed at improving support for DevSecOps at scale and better handling the complexity of automation at scale.
-
Attackers Found Building Malicious Container Images Directly on Host
Aqua’s cyber security research team, ‘Nautilus,’ has found a new attack technique targeting misconfigured Docker Daemon API ports to build an image directly on the target host container infrastructure, in order to mine cryptocurrency. Further investigation by the team uncovered an associated 330k malicious image pulls from an infrastructure of 23 container images stored in Docker Hub.
-
Security as a Product - a Coordination Game between DevOps and InfoSec
Kelly Shortridge, a product and strategy expert in information security, has described how security should be treated as a product. Analyzing the "we mindset" and game theory she puts forth DevOps and InfoSec as a coordination game.
-
The Defense Department's Journey with DevSecOps
Cloud Native Computing Foundation (CNCF) has released a new case study of the DoD's approach to DevSecOps that looks at how they used Kubernetes clusters and other open-source technologies to speed up the releases. While most of the information was already available from the DoD and in their presentations, the CNCF has summarized the venture in one place.
-
Facilitating Threat Modelling Remotely
ThoughtWorks' Jim Gumbley recently published a guide to Threat Modelling on Martinfowler.com with a template for facilitating remote and onsite sessions. He makes a case for continuous threat modelling within each iteration, alongside business stake-holders. Derek Handova has also written about removing friction from security through automation and a greater security focus in the SDLC.
-
CNCF Fund a Bug Bounty Program for Kubernetes
The Kubernetes Product Security Committee has launched a new bug bounty program, funded by the The Cloud Native Computing Foundation (CNCF), to reward security researchers for finding vulnerabilities in the Kubernetes' codebase, as well as the build and release processes, with bounties ranging from $100 to $10,000.
-
Yelp Open-Sources Fuzz-Lightyear, A Swagger-Based IDOR Vulnerability Detector
Business directory and crowd-sourced review service, Yelp, has open-sourced their in-house security testing framework, fuzz-lightyear, that identifies Insecure Direct Object Reference (IDOR) vulnerabilities.
-
How to Integrate Infosec and DevOps Using Chaos Engineering
Kelly Shortridge from Capsule8 talked at the Velocity conference in Berlin about how using chaos engineering can help to integrate Infosec within a DevOps culture. Shortridge discussed how distributed, immutable, and ephemeral infrastructure, or the D.I.E. model, is an organizationally friendly way to building security by design. With this model, users can continuously raise the cost of the attack
-
CircleCI Adds Security Integrations to Streamline Securing CI/CD Pipelines
CircleCI announced the addition of new orbs that address common use cases and needs with securing your CI/CD pipelines. The orbs added to the repository with this release cover vulnerability scanning, secrets management, license scanning, and digital scanning. It includes integrations with AWS and Google Cloud.
-
XebiaLabs DevOps Platform Provides New Risk and Compliance Capability for Software Releases
XebiaLabs, a provider of DevOps and continuous delivery software tools, has launched new capabilities for custody, security and compliance risk assessment tracking for software releases via their DevOps Platform.
-
WhiteSource Launches Free Open Source Vulnerability Checking
WhiteSource, an open source security and license compliance management solution provider, has launched Vulnerability Checker; a new, free and standalone CLI tool that provides alerts on critical open source vulnerabilities.
-
DevSecOps Grows Up and Finds Itself a Community
On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, Mark Miller and John Willis, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.