-
HashiCorp Vault Secrets Operator for Kubernetes Moves into General Availability
HashiCorp has moved the HashiCorp Vault Secrets Operator for Kubernetes into general availability. This Kubernetes Operator combines Vault's secret management tooling with the Kubernetes Secrets cache. The operator also handles secret rotation and has controllers for the various secret-specific custom resources.
-
NuGet 6.7 Announced with Enhanced Security Features
The NuGet team announced NuGet 6.7, an update that introduces a set of advanced security features. These enhancements span from updated package source mapping to the integration of vulnerability APIs, updated package version dropdowns, and the addition of warning messages to tackle trust chain issues.
-
KSOC Labs Release the First Kubernetes Bill of Materials (KBOMs)
KSOC Labs recently announced the release of the first Kubernetes Bill of Materials (KBOMs). KBOM is an open source standard and command-line tool that helps security teams quickly analyze cluster configurations and respond to CVEs. The project includes an initial specification and implementation that works across cloud providers, on-prem, and DIY environments.
-
AWS Signer Simplifies Signing and Verifying Container Images
AWS has released AWS Signer Container Image Signing (AWS Signer) to provide native AWS support for signing and verifying container images in registries such as Amazon Elastic Container Registry (Amazon ECR). AWS Signer manages code signing certificates, public and private keys, and provides lifecycle management tooling.
-
GitHub Push Protection Moved to General Availability
GitHub has moved push protection into general availability and made it free for all public repositories. Push protection helps detect secrets in code as changes are pushed. As part of the GA release, push protection is also available to all private repositories with a GitHub Advanced Security (GHAS) license.
-
QCon New York 2023: Day Two Recap
Day Two of the 9th annual QCon New York conference was held on June 14th, 2023, at the New York Marriott at the Brooklyn Bridge in Brooklyn, New York. This three-day event, organized by C4Media, included a keynote address by Alicia Dwyer Cianciolo and presentations from four conference tracks and one sponsored track.
-
Celebrity Vulnerabilities: Effective Response to Critical Production Threats
Alyssa Miller, chief information security officer of EpiqGlobal, presented at QCon London on the lessons learned from three major open-source security events: the Equifax breach via Struts, the Log4j vulnerabilities, and the Spring4Shell exploit.
-
Survey on Supply Chain Practices Finds Perceived Usefulness of Practice Correlates with Adoption
A recent survey on supply chain security practices found that some practices are widely adopted while key practices, such as generating provenance, lag behind in adoption. The survey also found that the perceived usefulness of a practice is highly correlated with the adoption of that practice.
-
Azure Application Gateway Now Supports mTLS and OCSP
Microsoft has announced that its Azure Application Gateway, a cloud-based solution that provides secure, scalable, and reliable access to web applications, now supports mutual Transport Layer Security (mTLS) and Online Certificate Status Protocol (OCSP).
-
Sonatype BOM Doctor Evaluates and Helps Patch Java Software Bills of Materials
BOM Doctor is a free, GitHub-hosted tool created by Sonatype to scan software bills of materials (SBOMs) and identify vulnerabilities and legal issues.
-
Software Supply Chain Framework OSC&R Created to Help Mitigate Security Threats
In collaboration with companies including Google, Microsoft, and GitLab, OX Security has released a security framework for assessing and evaluating software supply chain security risks. The Open Software Supply Chain Attack Reference (OSC&R) is a MITRE-like framework covering containers, open-source software, secrets hygiene, and CI/CD posture.
-
Service Mesh Kuma Improves Policy Handling and Debugging Experience
Kuma, a service mesh technology, released version 2.1 with improved policies and an updated UI. The improved policies build upon the 2.0 release and move the remaining policies over to the new targetRef system. The targetRef system provides an improved matching system for defining policies.
-
Software Security Report Finds JavaScript Applications Have Fewer Flaws Than Java and .NET
Veracode's State of Software Security report for 2023 found that there is a 27% chance within a given month that security flaws will be introduced into an application. The report also found that JavaScript applications on average have fewer flaws and faster flaw resolution than Java and .NET applications.
-
CNCF Kicks off CloudNativeSecurityCon NA 2023
The Cloud Native SecurityCon North America 2023 kicked off this week in Seattle. Organized by the Cloud Native Computing Foundation (CNCF), it is the first dedicated event focused on cloud native security, with over 800 attendees, 70 sessions, and 50 sponsors and vendors.
-
Docker BuildKit Adds Support for Supply Chain Security Practices and Cache Backends
Docker has released version 0.11 of BuildKit, the Docker backend for building images. The release adds a number of new features including attestation creation, reproducible build improvements, and cloud cache backend support.