InfoQ Homepage DevSecOps Content on InfoQ
-
CloudNativeSecurityCon 2023: SBOMs, VEX, and Kubernetes
At CloudNativeSecrityCon 2023 in Seattle, WA, Kiran Kamity, founder and CEO of Deepfactor, led a panel discussion on software supply chain security, the practical side of SBOMs, and VEX.
-
Software Supply Chain Framework OSC&R Created to Help Mitigate Security Threats
In collaboration with companies including Google, Microsoft, and GitLab, OX Security has released a security framework for assessing and evaluating software supply chain security risks. The Open Software Supply Chain Attack Reference (OSC&R) is a MITRE-like framework covering containers, open-source software, secrets hygiene, and CI/CD posture.
-
Permit Elements Enables Low-Code User-Managed Access Control
Permit.io has released Permit Elements, a low-code end-user authentication interface builder. Permit Elements allows developers to embed interfaces enabling their end-users to decide which roles have permission to perform actions. At the time of release, there are elements available for user management and audit logs.
-
Report Finds Heavy Use of Open-Source Solutions for Kubernetes Security
A recent survey by Armo on the use of security software solutions with Kubernetes found that over half of respondents leverage open-source tooling. Companies using open-source tooling use on average 3.6 different tools. These open-source tools were predominately used for service mesh, network policy and micro-segmentation, and misconfiguration scanning.
-
Snyk Announces General Availability of Snyk Cloud and Enhancements to its Platform
Snyk, a developer security platform, recently announced the general availability of their cloud security tool, Snyk Cloud, and improvements to their platform. Extending support for software bill of materials (SBOM), the improvements include new reporting capabilities and self-service resources.
-
CNCF Publishes the Kubernetes Policy Management Whitepaper
The CNCF recently published a new whitepaper about Kubernetes Policy Management. The whitepaper highlights the importance of Kubernetes policy management when it comes to the security and automation of clusters as well as workloads. Also, it goes in-depth into the problems Kubernetes policies solve and the proper implementation of such policies.
-
Securing the Open-Source Software Supply Chain
Recent findings by security researchers at SonarSource showed multiple security vulnerabilities in popular package managers, including Pip, Yarn, Composer, and others. Package managers, though, are not the only weak link in the open source security chain. InfoQ has spoken with Sonatype CTO Brian Fox.
-
Qovery: a Heroku for Almost Any Cloud Provider?
Qovery started on a journey to build a developer’s productivity tool which would allow scaling companies to keep up the rapid pace of delivery, without sacrificing quality or stability. One way is by combining the simplicity and “magic” of a PaaS, like Heroku, with IaaS’ flexibility. In a conversation with InfoQ, the CEO and founder, Romaric Philogene, provided more insights into their journey.
-
CNCF Publishes Latest Technology Radar Focused on DevSecOps
CNCF published the sixth edition of the end-user Technology Radar. The theme for this edition was DevSecOps, the integration of security at every step of the software development lifecycle. The radar highlighted there are many DevSecOps tools today and the space is growing and changing rapidly.
-
Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan
Armo announced the release of Kubescape last month, a tool for testing if a Kubernetes environment is secure according to the Kubernetes hardening guidance published by the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency(CISA).
-
Improve Your Software Quality and Speed of Delivery. Learn How at InfoQ Live on July 20th
Learn how automation, continuous testing, and supply management techniques can improve software quality and speed of delivery. Get valuable insights from world-class domain experts at InfoQ Live on July 20th.
-
Overcome Cloud & Serverless Security Challenges. Join Security Experts at InfoQ Live - June 22
What is DevSecOps? How does it relate to DevOps? And what does it solve? Learn practical advice from world-class DevSecOps and application security professionals at InfoQ Live on Tuesday, June 22nd, about how you can overcome security challenges in the Cloud, especially in serverless architectures.
-
GitLab 13.9 Introduces Security Alerts Dashboard, Maintenance Mode, and More
The latest release of GitLab introduces over 60 new features, mostly aimed at improving support for DevSecOps at scale and better handling the complexity of automation at scale.
-
Attackers Found Building Malicious Container Images Directly on Host
Aqua’s cyber security research team, ‘Nautilus,’ has found a new attack technique targeting misconfigured Docker Daemon API ports to build an image directly on the target host container infrastructure, in order to mine cryptocurrency. Further investigation by the team uncovered an associated 330k malicious image pulls from an infrastructure of 23 container images stored in Docker Hub.
-
Security as a Product - a Coordination Game between DevOps and InfoSec
Kelly Shortridge, a product and strategy expert in information security, has described how security should be treated as a product. Analyzing the "we mindset" and game theory she puts forth DevOps and InfoSec as a coordination game.