InfoQ Homepage Security Code Reviews Content on InfoQ

News

RSS Feed

Development

SSH Backdoor from Compromised XZ Utils Library

When Microsoft engineer Andres Freund noticed SSH was taking longer than usual, he discovered a backdoor in xz utils, one of the underlying libraries for systemd, that had taken years to be put in place. The backdoor had found its way into testing releases of Linux distributions like Debian Sid, Fedora 41 and Fedora Rawhide but was caught before propagating into more highly used stable releases.

Chris Swan
on Apr 25, 2024
Cloud

Efficient DevSecOps Workflows with a Little Help from AI: Q&A with Michael Friedrich

At QCon London, Michael Friedrich, senior developer advocate at GitLab, discussed how AI can help in DevSecOps workflows. His session was part of the Cloud-Native Engineering track on the first day of the conference. InfoQ interviewed Friedrich after the session.

Steef-Jan Wiggers
on Apr 08, 2024
DevOps

JetBrains Adds Taint Analysis for PHP to Qodana Code Quality Platform

Qodana, JetBrains' code quality platform, now provides support for PHP taint analysis in early preview. The feature aims to allow developers to detect taints in their programs, i.e. spots that are vulnerable to malicious inputs.

Sergio De Simone
on Mar 10, 2023
DevOps

GitLab Improves Merge Requests, GitOps Functionality and More

GitLab has released further point versions of their DevOps software package. Versions 15.3 through 15.9 been released on a monthly cadence. GitLab's first machine-learning powered feature improves merge request approvals, with other significant improvements and fixes ranging from GitOps enhancements, through improvements to IdP, to new functionality for DAST.

Matt Saunders
on Feb 15, 2023
Cloud

New CodeGuru Reviewer Features Detector Library and Security Detectors for Log-Injection Flaws

Amazon CodeGuru Reviewer is a developer tool that leverages machine learning to detect security defects in code (Java and Python) and offers suggestions for code quality improvement. Recently, AWS introduced two new features for the tool, with a new Detector Library and security detectors for Log-Injection Flaws.

Steef-Jan Wiggers
on Feb 25, 2022
DevOps

Google and GitHub Announce OpenSSF Scorecards v4 with New GitHub Actions Workflow

GitHub and Google have announced the version 4 release of the Open Source Security Foundation (OpenSSF)'s Scorecards project. Scorecards is an automated security tool that identifies risky supply chain practices in open source projects. This release includes a new Scorecards GitHub Action, new security checks, and a large increase in the repositories included in the foundations weekly scans.

Matt Campbell
on Jan 26, 2022
Cloud

Microsoft Releases Application Inspector, a Tool for Examining Code Security

In a recent blog post, Microsoft announced an open source tool that developers can use to detect security vulnerabilities in their software solutions. The tool is called Microsoft Application Inspector and is available on GitHub. As organizations try to reduce their time to market, oversights may occur. Application Inspector can be used to identify malicious code used in third-party libraries.

Kent Weare
on Feb 10, 2020
DevOps

GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection

With the acquisition of startup Semmle, GitHub aims to make continuous vulnerability detection part of their continuous integration/continuous deployment service.

Sergio De Simone
on Sep 19, 2019
Culture & Methods

Design and Security in Agile: QCon London Q&A

Reviews of design diagrams by domain experts can detect potential security breaches not found by vulnerability scans or security automation. Such reviews should focus on critical functions like issuing and managing access tokens, transferring data to external services, and running untrusted code, said Kevin Gilpin, enterprise software engineer and co-founder of AppLand, at QCon London 2019.

Ben Linders
on Mar 19, 2019
DevOps

DevSecOps Grows Up and Finds Itself a Community

On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, Mark Miller and John Willis, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.

Helen Beal
on Jul 06, 2018
Development

GitLab Web IDE Goes GA and Open-Source in GitLab 10.7

GitLab Web IDE, aimed to simplify the workflow of accepting merge requests, is generally available in GitLab 10.7, along with other features aimed to improve C++ and Go code security and improve Kubernets integration.

Sergio De Simone
on Apr 23, 2018
A Look Back at the Linux Kernel Backdoor

With all of the recent concern over the US government’s National Security Agency (NSA) some of the attention has turn to the possibility of backdoors. Back in 2003 someone attempted to insert a backdoor into the Linux kernel. Though caught, it illustrates how seemingly innocuous changes can introduce vulnerabilities and the importance of tractability in source control.

Jonathan Allen
on Oct 14, 2013
Security Assessment Techniques: Code Review v Pen Testing

Web application security testing and assessment should include both security code review and penetration testing techniques. Dave Wichers, an OWASP Board Member, spoke at the recent AppSec DC 2010 Conference about the pros and cons of code reviews and penetration testing approaches in finding security vulnerabilities in web applications.

Srini Penchikala
on Dec 06, 2010

Topics

Beyond the Breach: Proactive Defense in the Age of Advanced Threats

Think, Architect, and Sustain Your Serverless Applications As [Set] Pieces!

Navigating Responsible AI in the FinTech Landscape

Spies, Lies, and Cybercrime: Insider Perspectives from a Former FBI Agent

From Local to Production: a Modern Developer’s Journey towards Kubernetes

Helpful links

Choose your language

News

SSH Backdoor from Compromised XZ Utils Library

Efficient DevSecOps Workflows with a Little Help from AI: Q&A with Michael Friedrich

JetBrains Adds Taint Analysis for PHP to Qodana Code Quality Platform

GitLab Improves Merge Requests, GitOps Functionality and More

New CodeGuru Reviewer Features Detector Library and Security Detectors for Log-Injection Flaws

Google and GitHub Announce OpenSSF Scorecards v4 with New GitHub Actions Workflow

Microsoft Releases Application Inspector, a Tool for Examining Code Security

GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection

Design and Security in Agile: QCon London Q&A

DevSecOps Grows Up and Finds Itself a Community

GitLab Web IDE Goes GA and Open-Source in GitLab 10.7

A Look Back at the Linux Kernel Backdoor

Security Assessment Techniques: Code Review v Pen Testing

Carle Lerche Talking at QCon SF about Rust: a Productive Language for Writing Database Applications

Google Introduces Gemini AI Features to Android Studio

GitHub Universe 2024 Unveils AI Innovations and Developer-Centric Tools

Stream All the Things: Patterns of Effective Data Stream Processing Explored by Adi Polak at QCon SF

Stripe Rearchitects Its Observability Platform with Managed Prometheus and Grafana on AWS

Think, Architect, and Sustain Your Serverless Applications As [Set] Pieces!

Spies, Lies, and Cybercrime: Insider Perspectives from a Former FBI Agent

How to Use Programming Rules and Guidelines

Participatory Leadership and Developing a Culture of Psychological Safety

QCon SF 2024 - Ten Reasons Your Multi-Agent Workflows Fail

Epoch AI Unveils FrontierMath: A New Frontier in Testing AI's Mathematical Reasoning Capabilities

Mistral AI Releases Two Small Language Model Les Ministraux

KubeCon + CloudNativeCon NA 2024: Yahoo’s Kubernetes Journey On-Prem to Multi-Cloud

2024 Accelerate State of DevOps Report Shows Pros and Cons of AI

Rise of Python, Generative AI, and Global Developer Communities: Insights from GitHub Octoverse 2024

QCon London

InfoQ Dev Summit Boston

InfoQ Software Architects' Newsletter

Login with:

Don't have an InfoQ account?

News