Cloud Security Content on InfoQ
-
Terraform Fork OpenTofu 1.7.0 Brings State Encryption and More
OpenTofu 1.7.0 has been released. OpenTofu is an open-source infrastructure-as-code tool for declarative cloud infrastructure creation using various APIs. It was forked last year from HashiCorp's Terraform after changes to the latter's license. The new version introduces several significant features and improvements.
-
Over 100K+ Sites Hit by Polyfill.io Supply Chain Attack
E-commerce security firm Sansec disclosed a new supply chain attack affecting the Polyfill JS service when accessed through a number of CDNs hosting it. According to Sansec, over 100K sites were hit. The original author of the service, Andrew Betts, suggested removing Polyfill from any sites using it.
-
Non-Production Endpoints as an Attack Surface in AWS
The security team at Datadog recently disclosed a security issue on AWS where non-production endpoints were used as an attack surface to silently perform permission enumeration. AWS has since remediated these specific bypasses.
-
Introducing New SKUs for Microsoft Azure Bastion: Developer and Premium Options Now Available
Microsoft recently announced new SKUs for its Azure Bastion service: a Developer SKU that is now generally available (GA) after its public preview last year and a premium SKU being rolled out in a public preview.
-
Falco 0.38.0 Released with Enhanced Driver Selection, Configurations and Real-Time Monitoring
The maintainers of Falco announced its latest version: 0.38.0. This is the first release since its graduation within CNCF.
-
HashiCorp Boundary Adds Aliases, MinIO Storage and Better Search
HashiCorp has released Boundary 0.16, an update enhancing user experience and governance in privileged access management (PAM).
-
Enhanced Security for Enterprises: Google Launches Google Threat Intelligence
At the recent RSA Conference in San Francisco, Google Cloud introduced Google Threat Intelligence, a new security offering for large organizations. The new solution provides users with actionable insights, external threat monitoring, attack surface management, digital risk protection, and in-depth analysis of Indicators of Compromise (IOC).
-
Microsoft Launches Trusted Signing in Public Preview: an End-to-End Signing Solution for Developers
Microsoft recently launched Trusted Signing in Public Preview, a fully-managed end-to-end signing solution for developers backed by a Microsoft-managed certification authority.
-
GitHub Enables Dependabot via GitHub Actions, Improves Supply Chain Security
GitHub has released two features to improve the security and resilience of repositories. The first feature allows Dependabot to run as a GitHub Actions workflow using hosted and self-hosted runners. The second release introduces the public beta of Artifact Attestations, simplifying how repository maintainers can generate provenance for their build artifacts.
-
Amazon S3 Unauthorized Request Billing Issue: an Empty S3 Bucket Can Dramatically Increase the Costs
Maciej Pocwierz, a senior software engineer, recently revealed a significant issue—an empty S3 bucket can unexpectedly result in a substantial AWS bill. In his case, nearly 100,000,000 S3 PUT requests were executed within a single day, leading to a bill that was far from negligible.
-
Azure Virtual Network Flow Logs for Enhanced Network Monitoring and Security Analysis
Microsoft recently announced the general availability (GA) of Virtual Network flow logs, a new capability of the Network Watcher service in Azure.
-
KubeCon EU: Mercedes-Benz’s Migration From Pod Security Policies to Validation Admission Policies
During KubeCon EU, the Mercedes-Benz team presented their migration journey from Pod Security Policies to Validation Admission Policies to secure their 1000+ Kubernetes clusters. The solution was chosen in favour of Kyverno due to its improved performance.
-
Shadow API Detection for Google Cloud Environments in Preview
During Google Cloud Next, Google announced the preview release of shadow API detection in Advanced API Security, part of the Apigee API Management solution. This managed API Broker service in the Google Cloud allows users to design, secure, deploy, monitor, and analyze APIs.
-
Borderless Cloud at QCon London: Q&A with Adora Nwodo
At QCon London, Adora Nwodo, senior software engineer at NexaScale, discussed the complexities of seamlessly integrating multiple clouds into application architecture, deployment processes, and CI/CD pipelines. Her session was part of the Cloud-Native Engineering track on the first day of the conference, and InfoQ interviewed her afterwards.
-
Efficient DevSecOps Workflows with a Little Help from AI: Q&A with Michael Friedrich
At QCon London, Michael Friedrich, senior developer advocate at GitLab, discussed how AI can help in DevSecOps workflows. His session was part of the Cloud-Native Engineering track on the first day of the conference. InfoQ interviewed Friedrich after the session.