In a highly-anticipated federal ruling on July 3, US District Court Judge Ada Brown determined that the US Federal Trade Commission (FTC) did not have the authority to issue a nationwide ban of non-compete agreements. Although the judge’s decision was…
Category: InfoWorld Security
How evolving AI regulations impact cybersecurity
While their business and tech colleagues are busy experimenting and developing new applications, cybersecurity leaders are looking for ways to anticipate and counter new, AI-driven threats. It’s always been clear that AI impacts cybersecurity, but it’s a two-way street. Where…
GitHub Artifact Attestations sign and verify software artifacts
GitHub’s Artifact Attestations, for guaranteeing the integrity of artifacts built inside the GitHub Actions CI/CD platform, is now generally available. General availability was announced June 25. By using Artifact Attestations in GitHub Actions workflows, developers can improve security and protect…
GitLab devsecops survey finds progress, new priorities
GitLab’s recent survey of 5,315 devsecops professionals worldwide found that organizations are prioritizing investments in AI, security, and automation. But specific areas such as software supply chain security warrant particular attention, the company said. Results of the survey, conducted in…
A CISO game plan for cloud security
As businesses increasingly migrate to the cloud, chief information security officers (CISOs) face numerous critical challenges in ensuring robust cloud security. Don’t believe me? Experts highlighted this at the recent Gartner Security & Risk Management Summit. Gartner projects a significant…
Advanced CI/CD: 6 steps to better CI/CD pipelines
Configuring basic continuous integration and continuous delivery (CI/CD) pipelines that automate packaging, compiling, and pushing code to application delivery environments is considered a fundamental devsecops practice. By automating a path to production, devsecops teams can reduce errors, increase deployment frequency,…
GitLab unveils GitLab 17, AI for devsecops
GitLab has unveiled GitLab 17, a major update of its devsecops platform that brings a CI/CD catalog of reusable pipeline components and an AI impact dashboard. The company also announced GitLab Duo Enterprise, an AI-powered assistant that helps detect vulnerabilities…
12 principles for improving devsecops
I once transitioned from a SaaS CTO role to become a business unit CIO at a Fortune 100 enterprise that aimed to bring startup development processes, technology, and culture into the organization. The executives recognized the importance of developing customer-facing…
7 application security startups at RSAC 2024
The innovation hub of RSAC 2024, the RSAC Early Stage Expo was specifically designed to showcase emerging players in the information security industry. Among the 50 exhibitors crammed into the second floor booth space, seven VC-backed up-and-comers in application security…
GitHub takes aim at software supply chain security
GitHub has introduced Artifact Attestations, a software signing and verification feature based on Sigstore that protects the integrity of software builds in GitHub Actions workflows. Artifact Attestations is now available in a public beta. Announced May 2, Artifact Attestations allows…
Does cloud security have a bad reputation?
The recent discourse around the security of cloud computing in the banking sector, highlighted by Nicholas Fearn’s piece in the Financial Times, paints a somewhat grim picture of the cybersecurity landscape when it comes to banks moving to cloud computing.…
Understanding Microsoft’s Trusted Signing service
How do we ensure that the code we’re installing is, at the very least, the code that a vendor shipped? The generally accepted solution is code signing, adding a digital signature to binaries that can be used to ensure authorship.…
Java services hit hardest by third-party vulnerabilities, report says
Java services are the most-impacted by third-party vulnerabilities, according to the “State of DevSecOps 2024” report just released by cloud security provider Datadog. Released on April 17, the report found that 90% of Java services were susceptible to one or…
Most developers have adopted devops, survey says
As of the first quarter of 2024, 83% of developers were involved in devops-related activities such as performance monitoring, security testing, or CI/CD, according to the State of CI/CD Report 2024, published by the Continuous Delivery (CD) Foundation, a part…
Better application networking and security with CAKES
Modern software applications are underpinned by a large and growing web of APIs, microservices, and cloud services that must be highly available, fault tolerant, and secure. The underlying networking technology must support all of these requirements, of course, but also…
Rust gets security fix for Windows vulnerability
The Rust language team has published a point release of Rust to fix a critical vulnerability to the standard library that could benefit an attacker when using Windows. Rust 1.77.2, published on April 9, includes a fix for CVE-2024-24576. Before…
Synopsys takes aim at software supply chain risks
Synopsys has introduced Black Duck Supply Chain Edition, a software composition analysis (SCA) package that helps organizations mitigate upstream risk in software supply chains, including from AI code. Announced April 9, Black Duck Supply Chain Edition is intended to address…
Parasoft unveils safety testing tool for C and C++ apps
Eclipse joins with industry groups to secure open source
Rust memory safety explained
Over the past decade, Rust has emerged as a language of choice for people who want to write fast, machine-native software that also has strong guarantees for memory safety. Other languages, like C, may run fast and close to the…
Avoiding the dangers of AI-generated code
2023 has been a breakout year for developers and generative AI. GitHub Copilot graduated from its technical preview stage in June 2022, and OpenAI released ChatGPT in November 2022. Just 18 months later, according to a survey by Sourcegraph, 95%…
Puppet’s devops report plumbs the benefits of platform engineering
The key benefits of platform engineering are increased developer productivity, better quality of software, reduced lead time for deployment, and more stable applications, according to Puppet by Perforce’s 2024 State of Devops Report: The Evolution of Platform Engineering. The report…
10 cloud development gotchas to watch out for
The benefits of developing software in the cloud include increased flexibility and reliability, greater efficiency, and reduced costs. But cloud-based development also presents a host of challenges. Knowing what to watch out for is the first step to protecting your applications…
Java 22 brings security enhancements
Java Development Kit (JDK) 22, released by Oracle March 19 as the latest version of standard Java, offers a number of security enhancements, covering areas ranging from an asymmetric key interface to a new security option for -XshowSettings that allows…
GitHub previews AI-powered code scanning autofix
GitHub is previewing code scanning autofix, a feature that combines its GitHub Copilot AI assistant with its CodeQL code scanner to provide suggested fixes to discovered vulnerabilities. Code scanning autofix is available in a public beta to GitHub Advanced Security…
AI used extensively for security but not coding, JFrog survey finds
In JFrog’s just-released Software Supply Chain State of the Union 2024 report, the software supply chain platform provider found extensive use of AI and machine learning tools for security. However, only one in three software developers the company surveyed use…
How to deploy software to Linux-based IoT devices at scale
The internet of things (IoT) has transformed the way we interact with the world, connecting a myriad of devices to the internet, from smart thermostats in our homes to industrial sensors in manufacturing plants. A significant portion of these IoT…
C++ creator rebuts White House warning
C++ creator Bjarne Stroustrup has defended the widely used programming language in response to a Biden administration report that calls on developers to use memory-safe languages and avoid using vulnerable ones such as C++ and C. In a March 15…
Open source is not insecure
Frank Crane wasn’t talking about open source when he famously said, “You may be deceived if you trust too much, but you will live in torment if you don’t trust enough.” But that’s a great way to summarize today’s gap…
Feds seek attestation on secure software
The US federal government has released a software attestation form intended to ensure that software producers partnering with the government leverage minimum secure development techniques and tool sets. The form was announced March 11 by the Department of Homeland Security’s…
JetBrains releases security fixes for TeamCity CI/CD system
JetBrains has released fixes for two critical security vulnerabilities in its TeamCity On-Premises CI/CD system discovered by cybersecurity company Rapid7. The two vulnerabilities reported in late February by Rapid7 would enable an authenticated attacker with HTTP(S) access to a TeamCity On-Premises…
Cloudflare announces Firewall for AI
Cloudflare has announced the development of Firewall for AI, a protection layer that can be deployed in front of large language models (LLMs) that promises to identify abuses before they reach the models. Unveiled March 4, Firewall for AI is…
Biden executive order protects personal data
President Joseph Biden has issued an executive order intended to protect Americans’ sensitive personal data from exploitation by countries of concern including China, Russia, Iran, and North Korea. Issued February 28, the order authorizes the attorney general to prevent the…
GitHub rolls out push protection on public repos
GitHub has begun rolling out push protection for all of its users, a secrets scanning feature that gives users the option to remove secrets from commits or bypass a block. The policy, announced February 29, affects supported secrets. It might…
Why passkeys will replace passwords
With the growth of sophisticated attacks against critical software and infrastructure systems, multi-factor authentication (MFA) has emerged as a critical layer of defense against unauthorized access. An increasing number of enterprise and developer-facing technology applications and platforms, from GitHub to…
High-risk open source vulnerabilities on the rise, Synopsys reports
Nearly three-quarters of codebases assessed for risk by Synopsys in 2023 contained open source components with high-risk vulnerabilities, according to a just-released report from the company, a provider of application security testing tools. While the number of codebases with at…
White House urges developers to dump C and C++
US President Joe Biden’s administration wants software developers to use memory-safe programming languages and ditch vulnerable ones like C and C++. The White House Office of the National Cyber Director (ONCD), in a report released Monday, called on developers to…
GitHub Copilot makes insecure code even less secure, Snyk says
GitHub’s AI-powered coding assistant, GitHub Copilot, may suggest insecure code when the user’s existing codebase contains security issues, according to developer security company Snyk. GitHub Copilot can replicate existing security issues in code, Snyk said in a blog post published…
Martin Hellman: We’re playing Russian roulette
Martin Hellman achieved legendary status as co-inventor of the Diffie-Hellman public key exchange algorithm, a breakthrough in software and computer cryptography. That invention and his ongoing work in cryptography and digital signatures earned him a Turing award in 2015. He has since…
MuleSoft unveils policy development kit for API gateway
Salesforce-owned MuleSoft has released the Anypoint Flex Gateway Policy Development Kit (PDK). The PDK allows developers of every skill level to quickly build policies to detect and protect sensitive data sent to APIs, the company said. Now a feature of…
Protecting against software supply chain attacks
Last year’s MOVEit and 3CX vulnerabilities offered a stark reminder of the risk software supply chain attacks pose today. Threat actors exploit vulnerabilities to infiltrate a software provider’s network and modify the software’s original functionality with malicious code. Once the…
Mobb unveils vulnerability fixer for GitHub users
Application security company Mobb has released an automatic vulnerability fixer for GitHub users. The tool monitors GitHub pull requests and offers code fixes within software development workflows. Unveiled January 23, Mobb Fixer provides developers with code fixes for security alerts…
A guide to implementing fine-grained authorization
Authentication and authorization rank among the top priorities for application developers today. While they’re often used interchangeably, they actually represent two very different things. Yet in order to ensure a secure and seamless experience for users, both must work in concert. To illustrate the distinction…
JFrog, AWS team up for machine learning in the cloud
Software supply chain provider JFrog is integrating with the Amazon SageMaker cloud-based machine learning platform to incorporate machine learning models into the software development lifecycle. The JFrog platform integration with Amazon SageMaker, available now, ensures artifacts produced by data scientists…
How finops can make the cloud more secure
Cloud finops is the discipline of accounting for and optimizing cloud computing spending. It’s a reaction to years of undisciplined cloud spending or a way to bring order back to using cloud resources. Overall, it is a step in the…
4 key devsecops skills for the generative AI era
When cloud computing became enterprise-ready, and tools such as continuous integration and continuous delivery, infrastructure as code, and Kubernetes became mainstream, it marked a clear paradigm shift in dev and ops. The work separating dev and ops became devops responsibilities,…
You should be worried about cloud squatting
Most security issues in the cloud can be traced back to someone doing something stupid. Sorry to be that blunt, but I don’t see ingenious hackers out there. I do see misconfigured cloud resources, such as storage and databases, that…
How software engineering will evolve in 2024
Software development is currently undergoing a profound transformation, marked by a quiet yet remarkable surge in advanced automation. This impending shift promises to streamline the creation and deployment of high-quality applications on an unprecedented scale. Rather than a single technology…
3 ways to reduce stress on the DevSecOps team
I recently moderated a session for the CSO Cybersecurity Summit on building resilience and addressing employee anxiety amid organizational transformation. My session focused on the stresses and burnout experienced by security teams, including recent data showing that 94% of chief…
InfoWorld’s 2023 Technology of the Year Award winners
The arrival of ChatGPT in late 2022 and the ensuing cascade of large language models ensured that 2023 will forever be known as the year of generative AI (GenAI). With amazing speed, generative AI has rippled across the entire information…
Fortifying confidential computing in Microsoft Azure
One of the biggest challenges facing any enterprise using the public cloud is the fact that it’s public. Yes, your applications run in isolated virtual machines and your data sits in its own virtual storage appliances, but there’s still a…
3 security best practices for all DevSecOps teams
It’s been over 10 years since Shannon Lietz introduced the term DevSecOps, aiming to get security a seat at the table with IT developers and operators. The question is, how far has security come since then? Do DevSecOps teams have…
Cloud security and devops have work to do
If there is anything that keeps cloud development leaders up at night, it’s the fact that the risk of an impending security breach is scarily high. If I go around the room at any enterprise development meeting, devops engineers, cloud…
6 security best practices for cloud-native applications
The emergence of cloud-native architectures has dramatically changed the ways applications are developed, deployed, and managed. While cloud-native architectures offer significant benefits in terms of scalability, elasticity, and flexibility, they also introduce unique security challenges. These challenges often diverge from…
Security, privacy, and generative AI
Since the proliferation of large language models (LLMs), like OpenAI’s GPT-4, Meta’s Llama 2, and Google’s PaLM 2, we have seen an explosion of generative AI applications in almost every industry, cybersecurity included. However, for a majority of LLM applications,…
Oracle open-sources Jipher for FIPS-compliant SSL
Oracle is open-sourcing Jipher, a Java Cryptography Architecture (JCA) provider built for security and performance that has been used by the company’s cloud platform, the company said on November 7. Jipher was developed for environments with FIPS (Federal Information Processing…
Microsoft .NET 8 enhances ID management
.NET 8, a planned upgrade to Microsoft’s cross-platform, open source development platform, is set to improve identity management, authentication, and authorization thanks to enhancements in the security vein delivered by the ASP.NET Core team. Identity features in .NET 8 are…
Is ChatGPT writing your code? Watch out for malware
Developers have long used sites like Stack Overflow as forums where they could get code examples and assistance. That community is rapidly being replaced by generative AI tools such as ChatGPT. Today, developers ask AI chatbots to help create sample code, translate…
KubeCon points to the future of enterprise IT
Cloud has become synonymous with enterprise IT, but let’s not get ahead of ourselves. Though enterprises now spend roughly $545 billion annually on cloud infrastructure, according to IDC, and 41% of that spend goes to the top five cloud providers,…
The state of API security in 2023
In today’s rapidly transforming digital world, APIs have become the linchpin for quick delivery of business functionality. These digital connectors underpin much of the enterprise innovation we witness today, from seamless customer experiences to integrated partner ecosystems. Yet, as the…
Splunk cuts 7% of workforce ahead of Cisco acquisition
The layoffs are happening in the wake of a market retraction, Splunk CEO Gary Steele said.
3 things for your 2024 cloud to-do list
It’s budget time for many enterprises, and the question that I get most this time of year is: What should we work on in 2024 to improve our cloud computing deployments? I came up with my top three, with the…
How to have encryption, computation, and compliance all at once
For years, data teams worked with simple data pipelines. These generally consisted of a few applications or data feeds that converged into a standard extract, transform, and load (ETL) tool that fed data into a centralized data warehouse. From that…
CloudBees readies cloud-native devsecops platform
CloudBees soon will release a new cloud-native devsecops platform based on open-source Tekton, an open-source framework for building continuous integration and continuous delivery (CI/CD) pipelines on Kubernetes. Called simply CloudBees, the new devsecops platform will be available in single-tenant and…
Learning from Let’s Encrypt’s 10 years of success
Foundations have a hit-or-miss success rate in software, generally, and open source, specifically. I’m on the record with 908 words of eyeroll for the Open Enterprise Linux Association and OpenTofu, given the conspicuous absence of cloud vendor support. Yet I’ve also…
Linux distros need to take more responsibility for security
Open source is everywhere; a Synopsys study found that 96% of all software code bases analyzed included open source software. That’s the good news. Ironically, it’s also the bad news, as the very pervasiveness of open source introduces risk. Decades ago, proprietary…
How generative AI changes cybersecurity
In the technology world, the latter half of the 2010s was mostly about slight tweaks, not sweeping changes: Smartphones got slightly better, and computer processing somewhat improved. Then OpenAI unveiled its ChatGPT in 2022 to the public, and—seemingly all at once—we were…
What ChatGPT doesn’t say about Kubernetes in production
Like many technology organizations, when ChatGPT was publicly released, we wanted to compare its answers to those of a regular web search. We experimented by asking technical questions and requesting specific content. Not all answers were efficient or correct, but…
JFrog adds ML model management to devsecops platform
Devsecops company JFrog on September 13 introduced ML Model Management, a set of capabilities for the JFrog Software Supply Chain Platform designed to streamline the management and security of machine learning models. Using ML Model Management and the JFrog Software…
How to get a handle on shadow AI
CIOs and CISOs have long grappled with the challenge of shadow IT—technology that is being used within an enterprise but that is not officially sanctioned by the IT or security department. According to Gartner research, 41% of employees acquired, modified,…
Centralized cloud security is now a must-have
The 2023 Cloud Security Report, sponsored by Fortinet, surveyed 752 cybersecurity professionals from around the globe and across all industries. Most respondents (90%) say having a single cloud security platform to configure and manage security consistently across their cloud deployments would…
The lost art of cloud application engineering
AI is changing the programming world, which has been evolving for several years. I could talk about how the emerging practice of using AI-driven coders increases speed and reduces costs, but there are some downsides that many fail to see.…
A new hope for software security
The Log4j vulnerability in December 2021 spotlighted the software supply chain as a massively neglected security surface area. It revealed just how interconnected our software artifacts are, and how our systems are only as secure as their weakest links. It…
JFrog Curation blocks malicious open source software packages
JFrog has unveiled JFrog Curation, a devsecops system designed to prevent malicious or risky open source or third-party software packages from entering an organization’s software development pipeline. JFrog Curation blocks the use of risky open source software packages without compromising…
Golang vulnerability checker flags Go vulnerabilities
Govulncheck, a command-line tool to help users of Google’s Go programming language find known vulnerabilities in project dependencies, has reached 1.0.0 status, the Go security team said. Unveiled July 13, Govulncheck can analyze both binaries and source code. It reduces…
The unhappy reality of cloud security in 2023
The studies are coming fast these days. Thales Global Cloud Security Study for 2022 found that during the past 12 months, 45% of businesses have experienced a cloud data breach or failed to perform audits. (It would have been nice for this…
Millions of GitHub repositories vulnerable to RepoJacking: Report
AquaSec analyzed a sample of 1% of GitHub repositories and found that about 37,000 of them are vulnerable to RepoJacking, including the repositories of companies such as Google and Lyft.
GitLab Dedicated offers single-tenant, SaaS-based devsecops
GitLab Dedicated, a fully isolated, single-tenant SaaS edition of the GitLab devsecops platform, is now generally available. The service is hosted and managed by GitLab and deployed on Amazon Web Services. Launched June 15, GitLab Dedicated is geared to users…
Malicious hackers are weaponizing generative AI
Although I’m swearing off studies as blog fodder, it did come to my attention that Vulcan Cyber’s Voyager18 research team recently issued an advisory validating that generative AI, such as ChatGPT, would be turned into a weapon quickly, ready to attack…
7 key features for Kubernetes and container security
Many organizations are starting out on their Kubernetes and container journey, while others are encountering complexity issues as they scale out their deployments. Containerized applications bring many benefits, but also introduce new types of security challenges. Uptycs reduces risk for…
Frontegg launches entitlements engine to streamline access authorization
Frontegg’s new entitlement engine will be powered by context-aware logic controls (CALC) technology to effect context-based, fine-grained authorization controls.
Disaster recovery in the cloud
It’s late on a Friday. You get a call from your CIO that data has been removed from XYZ public cloud server, and they need it back ASAP. It gets worse. First, there is no current backup copy of the…
AppMap: A map to reduce developer toil
Software developers are the engine of growth and innovation that powers the products on which everyone relies. Developers are a company’s most valuable resource. The demand for software engineers worldwide will rise by 22% between 2020 and 2030, even with…
How to reduce your devops tool sprawl
After spending the last decade investing in devops, many companies are experiencing a hangover of sorts: tool sprawl. While their software delivery processes have become more streamlined, more efficient, and more reliable, they also have many more tools to license,…
Don’t overlook attack surface management
When it comes to securing cloud computing environments, one key aspect often goes overlooked: attack surface management (ASM). Why? Many cloud security training programs, including specific cloud provider certifications, don’t focus on it. Instead, they focus on specific tools and…
Sigstore: Roots of trust for software artifacts
For the roughly five billion people who use the internet, only a tiny fraction have any knowledge of how Transport Layer Security (TLS), digital certificates, or public keys work. Say what you will about the security perils that users still…
A practical guide to React Native authentication
Authentication is a crucial aspect of any app or service today, as it allows the app to determine who the user is and which actions they are authorized to perform. React Native authentication refers to the process of verifying the…
Designing user management for machine-to-machine interactions
If a user lacks human traits and doesn’t have much of a personality, there might be a good reason for this. The user might be a machine. Today, more than 90% of internet traffic is between machines. In reality, machines…
Google launches dependency API and curated package repository with security metadata
With the two new services, Google aims to help minimize risk from malicious code in the software supply chain.
OpenAI starts bug bounty program with cash rewards up to $20,000
Based on the severity and impact of the reported vulnerability, OpenAI will hand out cash rewards ranging from $200 for low-severity findings to up to $20,000 for exceptional discoveries.
GitGuardian’s honeytokens in codebase to fish out DevOps intrusion
GitGuardian honeytokens are decoy scripts designed to lure out attackers looking to target critical DevOps environments and enterprise secrets.
3 overlooked cloud security attack vectors
A 2022 Thales Cloud Security study revealed that 88% of enterprises store a significant amount (at least 21%) of their sensitive data in the cloud. No surprise there. Indeed, I thought the percentage would be much higher. The same report showed that…
Snyk bolsters developer security with fresh devsecop, cloud capabilities
Snyk aims to bolster security support for developers across their software supply chain with coding, cloud and devsecops enhancements.
UK data regulator issues warning over generative AI data protection concerns
The UK’s Information Commissioner’s Office reminds organizations that data protection laws still apply to unfiltered data used to train large language models.
Splunk adds new security and observability features
Splunk is adding new security and observability features to its Observability Cloud and Mission Control to identify threats and incidents more efficiently. The company’s Observability Cloud, which offers AIops-based infrastructure monitoring, application performance monitoring (APM) and intelligence, will get new…
Observability will transform cloud security
Security observability is the ability to gain visibility into an organization’s security posture, including its ability to detect and respond to security threats and vulnerabilities. It involves collecting, analyzing, and visualizing security data to identify potential hazards and take proactive…