DevSecOps Content on InfoQ
-
Google’s Cybersecurity Model Sec-Gemini Enables SecOps Workflows for Root Cause and Threat Analysis
Google’s new cybersecurity model, Sec-Gemini, applies AI to SecOps workflows such as root cause analysis (RCA), threat analysis, and understanding the impact of vulnerabilities.
-
QCon London: a Three-Step Blueprint for Managing Open Source Risk
At QCon London 2025, Johnson Matthey's vulnerability manager, Celine Pypaert, discussed managing open-source dependency risks while maintaining momentum in innovation. She described a three-part blueprint for handling the security challenges that arise with the now widespread use of open-source dependencies.
-
How GitLab Automated ECR Image Migration and Pull Delays
GitLab recently discussed a solution to automate the migration of container images from Amazon Elastic Container Registry (ECR) to GitLab's Container Registry. The team created a CI/CD pipeline to automate the process of discovering, retagging, and transferring container images from Amazon ECR to GitLab's Container Registry.
-
Opengrep Forks Semgrep to Liberate Rulesets After License Change
A consortium of software companies, including JIT and Orca Security, has launched Opengrep, a fork of Semgrep's open-source engine, in response to licensing changes for the rules provided in the OSS version. Semgrep CE (formerly Semgrep OSS) is a Static Application Security Testing (SAST) tool that analyses source code to find security flaws, with over 11,000 stars on GitHub.
-
JFrog Integrates Runtime Security for Enhanced DevSecOps Platform
JFrog has introduced JFrog Runtime to its suite of security capabilities, adding real-time vulnerability detection to its software supply chain platform. This update is aimed at developers and DevSecOps teams working with Kubernetes clusters and cloud-native applications.
-
Google Cloud Launches Security Command Center Enterprise
Google Cloud has launched Security Command Center (SCC) Enterprise, a cloud risk management solution that combines proactive cloud security with enterprise security operations. The solution helps customers manage and mitigate risk across multi-cloud environments and is enhanced by Mandiant expertise.
-
OpenSSF Adds Attestations to SBOMs to Validate How Software is Built
The Open Source Security Foundation (OpenSSF) has recently announced SBOMit, a tool designed to bolster Software Bills of Materials (SBOMs) with in-toto attestations. This development, announced under the OpenSSF Security Tooling Working Group, increases transparency and security in the software development process.
-
Cloudflare, Google and AWS Disclose HTTP/2 Zero-Day Vulnerability
On October 10th, 2023, Cloudflare, Google, and AWS disclosed a novel zero-day attack technique known as "HTTP/2 Rapid Reset" (CVE-2023-44487). The attack abuses HTTP/2 stream cancellation: a client opens a request stream and immediately sends RST_STREAM, so the server does work for every request while the client never exceeds the server's concurrent-stream limit. Attacks using the technique generated enormous Distributed Denial of Service (DDoS) traffic, peaking at almost 400 million requests per second (rps).
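To make the Rapid Reset pattern concrete, here is an added example (not code from InfoQ, Cloudflare, Google or AWS) that parses raw HTTP/2 frames from a client-to-server byte stream and flags a connection whose streams are opened and immediately cancelled. The frame layout follows RFC 9113 section 4.1; the sample sessions are constructed inline, and the detection thresholds (`min_cancels`, `min_ratio`) are illustrative assumptions, not values taken from any vendor's mitigation.

```python
"""Detecting an HTTP/2 Rapid Reset pattern in a client->server frame stream."""
import struct
from dataclasses import dataclass
from typing import Iterator

# Frame types (RFC 9113 section 6) and the RST_STREAM CANCEL error code.
DATA, HEADERS, RST_STREAM, SETTINGS = 0x0, 0x1, 0x3, 0x4
ERR_CANCEL = 0x8
FLAG_END_STREAM = 0x1


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a single frame")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(data: bytes) -> Iterator[Frame]:
    """Parse consecutive frames; a truncated trailing frame raises ValueError."""
    off = 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError(f"truncated frame header at offset {off}")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        off += 9
        if len(data) - off < length:
            raise ValueError(f"truncated frame payload at offset {off}")
        yield Frame(ftype, flags, stream_id, data[off:off + length])
        off += length


@dataclass
class ResetStats:
    opened: int = 0      # client-initiated streams (odd ids) opened by HEADERS
    cancelled: int = 0   # RST_STREAM frames the client sent
    peak_open: int = 0   # most client streams open at once; stays tiny under Rapid Reset

    def is_rapid_reset(self, min_cancels: int = 50, min_ratio: float = 0.9) -> bool:
        """Assumed heuristic: many cancels, and nearly every opened stream was cancelled."""
        return (self.cancelled >= min_cancels and self.opened > 0
                and self.cancelled / self.opened >= min_ratio)


def analyse_client_stream(data: bytes) -> ResetStats:
    """Walk the client's frames, tracking open streams and cancellations."""
    stats = ResetStats()
    open_streams: set = set()
    for fr in iter_frames(data):
        if fr.stream_id % 2 == 0:  # stream 0 (SETTINGS etc.) is connection-level; skip it
            continue
        if fr.ftype == HEADERS and fr.stream_id not in open_streams:
            stats.opened += 1
            open_streams.add(fr.stream_id)
            stats.peak_open = max(stats.peak_open, len(open_streams))
        elif fr.ftype == RST_STREAM:
            open_streams.discard(fr.stream_id)
            stats.cancelled += 1
    return stats


# Constructed sample sessions. 0x82 / 0x84 are HPACK static-table indexes for ":method GET" and ":path /".
def make_benign_session(n_requests: int = 20) -> bytes:
    """A client that sends n requests and cancels none (stream ids 1, 3, 5, ...)."""
    out = encode_frame(SETTINGS, 0)
    for i in range(n_requests):
        out += encode_frame(HEADERS, 2 * i + 1, b"\x82\x84", FLAG_END_STREAM)
    return out


def make_rapid_reset_session(n_requests: int = 1000) -> bytes:
    """Each HEADERS is followed at once by RST_STREAM(CANCEL): the Rapid Reset shape."""
    out = encode_frame(SETTINGS, 0)
    for i in range(n_requests):
        sid = 2 * i + 1
        out += encode_frame(HEADERS, sid, b"\x82\x84", FLAG_END_STREAM)
        out += encode_frame(RST_STREAM, sid, struct.pack(">I", ERR_CANCEL))
    return out


if __name__ == "__main__":
    for name, session in (("benign", make_benign_session()), ("rapid-reset", make_rapid_reset_session())):
        s = analyse_client_stream(session)
        print(f"{name}: opened={s.opened} cancelled={s.cancelled} peak_open={s.peak_open} "
              f"flagged={s.is_rapid_reset()}")
```

The point the statistics make is that the attacking client never holds more than one stream open (`peak_open` stays at 1), so a plain SETTINGS_MAX_CONCURRENT_STREAMS limit does not stop it; the cancellation rate per connection is the signal a server or proxy has to act on.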
-
AI a “Must-Have” in GitLab’s 2023 Global DevSecOps Report
GitLab has released their 2023 Global DevSecOps AI report, with the key finding that AI and ML use is evolving from a "nice-to-have" to a "must-have". The report shows that 23% of organizations are already using AI in software development, and of those, 60% are using it daily. Furthermore, 65% of respondents said they are using AI and ML for testing now, or would be within the next three years.
-
CloudNativeSecurityCon 2023: SBOMs, VEX, and Kubernetes
At CloudNativeSecurityCon 2023 in Seattle, WA, Kiran Kamity, founder and CEO of Deepfactor, led a panel discussion on software supply chain security, the practical side of SBOMs, and VEX.
-
Software Supply Chain Framework OSC&R Created to Help Mitigate Security Threats
In collaboration with companies including Google, Microsoft, and GitLab, OX Security has released a security framework for assessing and evaluating software supply chain security risks. The Open Software Supply Chain Attack Reference (OSC&R) is a MITRE ATT&CK-style framework covering containers, open-source software, secrets hygiene, and CI/CD posture.
-
Permit Elements Enables Low-Code User-Managed Access Control
Permit.io has released Permit Elements, a low-code builder for end-user access control interfaces. Permit Elements allows developers to embed interfaces that let their end users decide which roles have permission to perform which actions. At the time of release, elements are available for user management and audit logs.
-
Report Finds Heavy Use of Open-Source Solutions for Kubernetes Security
A recent survey by Armo on the use of security software with Kubernetes found that over half of respondents use open-source tooling. Companies using open-source tooling use 3.6 different tools on average. These open-source tools were predominantly used for service mesh, network policy and micro-segmentation, and misconfiguration scanning.
-
Snyk Announces General Availability of Snyk Cloud and Enhancements to its Platform
Snyk, a developer security platform, recently announced the general availability of its cloud security tool, Snyk Cloud, along with improvements to the platform. The improvements extend support for software bills of materials (SBOMs) and add new reporting capabilities and self-service resources.
-
CNCF Publishes the Kubernetes Policy Management Whitepaper
The CNCF recently published a new whitepaper on Kubernetes Policy Management. The whitepaper highlights the importance of policy management for the security and automation of clusters as well as workloads, and goes in depth into the problems Kubernetes policies solve and how to implement such policies properly.