DevSecOps Content on InfoQ
-
Securing the Open-Source Software Supply Chain
Recent findings by security researchers at SonarSource showed multiple security vulnerabilities in popular package managers, including Pip, Yarn, Composer, and others. Package managers, though, are not the only weak link in the open source security chain. InfoQ has spoken with Sonatype CTO Brian Fox.
-
Qovery: a Heroku for Almost Any Cloud Provider?
Qovery started on a journey to build a developer’s productivity tool which would allow scaling companies to keep up the rapid pace of delivery, without sacrificing quality or stability. One way is by combining the simplicity and “magic” of a PaaS, like Heroku, with IaaS’ flexibility. In a conversation with InfoQ, the CEO and founder, Romaric Philogene, provided more insights into their journey.
-
CNCF Publishes Latest Technology Radar Focused on DevSecOps
CNCF published the sixth edition of the end-user Technology Radar. The theme for this edition was DevSecOps, the integration of security at every step of the software development lifecycle. The radar highlighted there are many DevSecOps tools today and the space is growing and changing rapidly.
-
Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan
Armo announced the release of Kubescape last month, a tool for testing whether a Kubernetes environment is secure according to the Kubernetes hardening guidance published by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).
-
Improve Your Software Quality and Speed of Delivery. Learn How at InfoQ Live on July 20th
Learn how automation, continuous testing, and supply management techniques can improve software quality and speed of delivery. Get valuable insights from world-class domain experts at InfoQ Live on July 20th.
-
Overcome Cloud & Serverless Security Challenges. Join Security Experts at InfoQ Live - June 22
What is DevSecOps? How does it relate to DevOps? And what does it solve? Learn practical advice from world-class DevSecOps and application security professionals at InfoQ Live on Tuesday, June 22nd, about how you can overcome security challenges in the Cloud, especially in serverless architectures.
-
GitLab 13.9 Introduces Security Alerts Dashboard, Maintenance Mode, and More
The latest release of GitLab introduces over 60 new features, mostly aimed at improving support for DevSecOps at scale and better handling the complexity of automation at scale.
-
Attackers Found Building Malicious Container Images Directly on Host
Aqua’s cyber security research team, ‘Nautilus,’ has found a new attack technique targeting misconfigured Docker Daemon API ports to build an image directly on the target host container infrastructure, in order to mine cryptocurrency. Further investigation by the team uncovered an associated 330k malicious image pulls from an infrastructure of 23 container images stored in Docker Hub.
-
Security as a Product - a Coordination Game between DevOps and InfoSec
Kelly Shortridge, a product and strategy expert in information security, has described how security should be treated as a product. Analyzing the "we mindset" and game theory she puts forth DevOps and InfoSec as a coordination game.
-
The Defense Department's Journey with DevSecOps
Cloud Native Computing Foundation (CNCF) has released a new case study of the DoD's approach to DevSecOps that looks at how they used Kubernetes clusters and other open-source technologies to speed up the releases. While most of the information was already available from the DoD and in their presentations, the CNCF has summarized the venture in one place.
-
Facilitating Threat Modelling Remotely
ThoughtWorks' Jim Gumbley recently published a guide to Threat Modelling on Martinfowler.com with a template for facilitating remote and onsite sessions. He makes a case for continuous threat modelling within each iteration, alongside business stakeholders. Derek Handova has also written about removing friction from security through automation and a greater security focus in the SDLC.
-
CNCF Fund a Bug Bounty Program for Kubernetes
The Kubernetes Product Security Committee has launched a new bug bounty program, funded by the Cloud Native Computing Foundation (CNCF), to reward security researchers for finding vulnerabilities in the Kubernetes codebase, as well as in the build and release processes, with bounties ranging from $100 to $10,000.
-
Yelp Open-Sources Fuzz-Lightyear, A Swagger-Based IDOR Vulnerability Detector
Business directory and crowd-sourced review service, Yelp, has open-sourced their in-house security testing framework, fuzz-lightyear, that identifies Insecure Direct Object Reference (IDOR) vulnerabilities.
-
How to Integrate Infosec and DevOps Using Chaos Engineering
Kelly Shortridge from Capsule8 talked at the Velocity conference in Berlin about how chaos engineering can help to integrate Infosec within a DevOps culture. Shortridge discussed how distributed, immutable, and ephemeral infrastructure, or the D.I.E. model, is an organizationally friendly way of building security by design. With this model, users can continuously raise the cost of the attack
-
CircleCI Adds Security Integrations to Streamline Securing CI/CD Pipelines
CircleCI announced the addition of new orbs that address common use cases and needs in securing your CI/CD pipelines. The orbs added to the repository with this release cover vulnerability scanning, secrets management, license scanning, and digital scanning. They include integrations with AWS and Google Cloud.