Category: InfoWorld Security

How evolving AI regulations impact cybersecurity

While their business and tech colleagues are busy experimenting and developing new applications, cybersecurity leaders are looking for ways to anticipate and counter new, AI-driven threats. It’s always been clear that AI impacts cybersecurity, but it’s a two-way street. Where…

GitHub Artifact Attestations sign and verify software artifacts

GitHub’s Artifact Attestations, for guaranteeing the integrity of artifacts built inside the GitHub Actions CI/CD platform, is now generally available. General availability was announced June 25. By using Artifact Attestations in GitHub Actions workflows, developers can improve security and protect…

GitLab devsecops survey finds progress, new priorities

GitLab’s recent survey of 5,315 devsecops professionals worldwide found that organizations are prioritizing investments in AI, security, and automation. But specific areas such as software supply chain security warrant particular attention, the company said. Results of the survey, conducted in…

A CISO game plan for cloud security

As businesses increasingly migrate to the cloud, chief information security officers (CISOs) face numerous critical challenges in ensuring robust cloud security. Don’t believe me? Experts highlighted this at the recent Gartner Security & Risk Management Summit. Gartner projects a significant…

Advanced CI/CD: 6 steps to better CI/CD pipelines

Configuring basic continuous integration and continuous delivery (CI/CD) pipelines that automate packaging, compiling, and pushing code to application delivery environments is considered a fundamental devsecops practice. By automating a path to production, devsecops teams can reduce errors, increase deployment frequency,…

GitLab unveils GitLab 17, AI for devsecops

GitLab has unveiled GitLab 17, a major update of its devsecops platform that brings a CI/CD catalog of reusable pipeline components and an AI impact dashboard. The company also announced GitLab Duo Enterprise, an AI-powered assistant that helps detect vulnerabilities…

12 principles for improving devsecops

I once transitioned from a SaaS CTO role to become a business unit CIO at a Fortune 100 enterprise that aimed to bring startup development processes, technology, and culture into the organization. The executives recognized the importance of developing customer-facing…

7 application security startups at RSAC 2024

The innovation hub of RSAC 2024, the RSAC Early Stage Expo was specifically designed to showcase emerging players in the information security industry. Among the 50 exhibitors crammed into the second floor booth space, seven VC-backed up-and-comers in application security…

GitHub takes aim at software supply chain security

GitHub has introduced Artifact Attestations, a software signing and verification feature based on Sigstore that protects the integrity of software builds in GitHub Actions workflows. Artifact Attestations is now available in a public beta. Announced May 2, Artifact Attestations allows…

Does cloud security have a bad reputation?

The recent discourse around the security of cloud computing in the banking sector, highlighted by Nicholas Fearn’s piece in the Financial Times, paints a somewhat grim picture of the cybersecurity landscape when it comes to banks moving to cloud computing.…

Most developers have adopted devops, survey says

As of the first quarter of 2024, 83% of developers were involved in devops-related activities such as performance monitoring, security testing, or CI/CD, according to the State of CI/CD Report 2024, published by the Continuous Delivery (CD) Foundation, a part…

Better application networking and security with CAKES

Modern software applications are underpinned by a large and growing web of APIs, microservices, and cloud services that must be highly available, fault tolerant, and secure. The underlying networking technology must support all of these requirements, of course, but also…

Rust gets security fix for Windows vulnerability

The Rust language team has published a point release of Rust to fix a critical vulnerability in the standard library that could benefit an attacker on Windows. Rust 1.77.2, published on April 9, includes a fix for CVE-2024-24576. Before…

Synopsys takes aim at software supply chain risks

Synopsys has introduced Black Duck Supply Chain Edition, a software composition analysis (SCA) package that helps organizations mitigate upstream risk in software supply chains, including from AI code. Announced April 9, Black Duck Supply Chain Edition is intended to address…

Eclipse joins with industry groups to secure open source

The Eclipse Foundation announced that it is partnering with the Apache Software Foundation and other open source foundations to establish common specifications for secure software development based on existing open source best practices. In an April 2 blog post, Eclipse…

Rust memory safety explained

Over the past decade, Rust has emerged as a language of choice for people who want to write fast, machine-native software that also has strong guarantees for memory safety. Other languages, like C, may run fast and close to the…

Avoiding the dangers of AI-generated code

2023 has been a breakout year for developers and generative AI. GitHub Copilot graduated from its technical preview stage in June 2022, and OpenAI released ChatGPT in November 2022. Just 18 months later, according to a survey by Sourcegraph, 95%…

10 cloud development gotchas to watch out for

The benefits of developing software in the cloud include increased flexibility and reliability, greater efficiency, and reduced costs. But cloud-based development also presents a host of challenges. Knowing what to watch out for is the first step to protecting your applications…

Java 22 brings security enhancements

Java Development Kit (JDK) 22, released by Oracle March 19 as the latest version of standard Java, offers a number of security enhancements, covering areas ranging from an asymmetric key interface to a new security option for -XshowSettings that allows…

GitHub previews AI-powered code scanning autofix

GitHub is previewing code scanning autofix, a feature that combines its GitHub Copilot AI assistant with its CodeQL code scanner to provide suggested fixes to discovered vulnerabilities. Code scanning autofix is available in a public beta to GitHub Advanced Security…

C++ creator rebuts White House warning

C++ creator Bjarne Stroustrup has defended the widely used programming language in response to a Biden administration report that calls on developers to use memory-safe languages and avoid using vulnerable ones such as C++ and C. In a March 15…

Open source is not insecure

Frank Crane wasn’t talking about open source when he famously said, “You may be deceived if you trust too much, but you will live in torment if you don’t trust enough.” But that’s a great way to summarize today’s gap…

Feds seek attestation on secure software

The US federal government has released a software attestation form intended to ensure that software producers partnering with the government leverage minimum secure development techniques and tool sets. The form was announced March 11 by the Department of Homeland Security’s…

JetBrains releases security fixes for TeamCity CI/CD system

JetBrains has released fixes for two critical security vulnerabilities in its TeamCity On-Premises CI/CD system discovered by cybersecurity company Rapid7. The two vulnerabilities reported in late February by Rapid7 would enable an authenticated attacker with HTTP(S) access to a TeamCity On-Premises…

Cloudflare announces Firewall for AI

Cloudflare has announced the development of Firewall for AI, a protection layer that can be deployed in front of large language models (LLMs) that promises to identify abuses before they reach the models. Unveiled March 4, Firewall for AI is…

Biden executive order protects personal data

President Joseph Biden has issued an executive order intended to protect Americans’ sensitive personal data from exploitation by countries of concern including China, Russia, Iran, and North Korea. Issued February 28, the order authorizes the attorney general to prevent the…

GitHub rolls out push protection on public repos

GitHub has begun rolling out push protection for all of its users, a secrets scanning feature that gives users the option to remove secrets from commits or bypass a block. The policy, announced February 29, affects supported secrets. It might…

Why passkeys will replace passwords

With the growth of sophisticated attacks against critical software and infrastructure systems, multi-factor authentication (MFA) has emerged as a critical layer of defense against unauthorized access. An increasing number of enterprise and developer-facing technology applications and platforms, from GitHub to…

White House urges developers to dump C and C++

US President Joe Biden’s administration wants software developers to use memory-safe programming languages and ditch vulnerable ones like C and C++. The White House Office of the National Cyber Director (ONCD), in a report released Monday, called on developers to…

GitHub Copilot makes insecure code even less secure, Snyk says

GitHub’s AI-powered coding assistant, GitHub Copilot, may suggest insecure code when the user’s existing codebase contains security issues, according to developer security company Snyk. GitHub Copilot can replicate existing security issues in code, Snyk said in a blog post published…

Martin Hellman: We’re playing Russian roulette

Martin Hellman achieved legendary status as co-inventor of the Diffie-Hellman public key exchange algorithm, a breakthrough in software and computer cryptography. That invention and his ongoing work in cryptography and digital signatures earned him a Turing award in 2015. He has since…

MuleSoft unveils policy development kit for API gateway

Salesforce-owned MuleSoft has released the Anypoint Flex Gateway Policy Development Kit (PDK). The PDK allows developers of every skill level to quickly build policies to detect and protect sensitive data sent to APIs, the company said. Now a feature of…

Protecting against software supply chain attacks

Last year’s MOVEit and 3CX vulnerabilities offered a stark reminder of the risk software supply chain attacks pose today. Threat actors exploit vulnerabilities to infiltrate a software provider’s network and modify the software’s original functionality with malicious code. Once the…

Mobb unveils vulnerability fixer for GitHub users

Application security company Mobb has released an automatic vulnerability fixer for GitHub users. The tool monitors GitHub pull requests and offers code fixes within software development workflows. Unveiled January 23, Mobb Fixer provides developers with code fixes for security alerts…

A guide to implementing fine-grained authorization

Authentication and authorization rank among the top priorities for application developers today. While they’re often used interchangeably, they actually represent two very different things. Yet in order to ensure a secure and seamless experience for users, both must work in concert. To illustrate the distinction…

JFrog, AWS team up for machine learning in the cloud

Software supply chain provider JFrog is integrating with the Amazon SageMaker cloud-based machine learning platform to incorporate machine learning models into the software development lifecycle. The JFrog platform integration with Amazon SageMaker, available now, ensures artifacts produced by data scientists…

How finops can make the cloud more secure

Cloud finops is the discipline of accounting for and optimizing cloud computing spending. It’s a reaction to years of undisciplined cloud spending or a way to bring order back to using cloud resources. Overall, it is a step in the…

4 key devsecops skills for the generative AI era

When cloud computing became enterprise-ready, and tools such as continuous integration and continuous delivery, infrastructure as code, and Kubernetes became mainstream, it marked a clear paradigm shift in dev and ops. The work separating dev and ops became devops responsibilities,…

You should be worried about cloud squatting

Most security issues in the cloud can be traced back to someone doing something stupid. Sorry to be that blunt, but I don’t see ingenious hackers out there. I do see misconfigured cloud resources, such as storage and databases, that…

How software engineering will evolve in 2024

Software development is currently undergoing a profound transformation, marked by a quiet yet remarkable surge in advanced automation. This impending shift promises to streamline the creation and deployment of high-quality applications on an unprecedented scale. Rather than a single technology…

3 ways to reduce stress on the DevSecOps team

I recently moderated a session for the CSO Cybersecurity Summit on building resilience and addressing employee anxiety amid organizational transformation. My session focused on the stresses and burnout experienced by security teams, including recent data showing that 94% of chief…

Fortifying confidential computing in Microsoft Azure

One of the biggest challenges facing any enterprise using the public cloud is the fact that it’s public. Yes, your applications run in isolated virtual machines and your data sits in its own virtual storage appliances, but there’s still a…

3 security best practices for all DevSecOps teams

It’s been over 10 years since Shannon Lietz introduced the term DevSecOps, aiming to get security a seat at the table with IT developers and operators. The question is, how far has security come since then? Do DevSecOps teams have…

Cloud security and devops have work to do

If there is anything that keeps cloud development leaders up at night, it’s the fact that the risk of an impending security breach is scarily high. If I go around the room at any enterprise development meeting, devops engineers, cloud…

6 security best practices for cloud-native applications

The emergence of cloud-native architectures has dramatically changed the ways applications are developed, deployed, and managed. While cloud-native architectures offer significant benefits in terms of scalability, elasticity, and flexibility, they also introduce unique security challenges. These challenges often diverge from…

Security, privacy, and generative AI

Since the proliferation of large language models (LLMs), like OpenAI’s GPT-4, Meta’s Llama 2, and Google’s PaLM 2, we have seen an explosion of generative AI applications in almost every industry, cybersecurity included. However, for a majority of LLM applications,…

Oracle open-sources Jipher for FIPS-compliant SSL

Oracle is open-sourcing Jipher, a Java Cryptography Architecture (JCA) provider built for security and performance that has been used by the company’s cloud platform, the company said on November 7. Jipher was developed for environments with FIPS (Federal Information Processing…

Microsoft .NET 8 enhances ID management

.NET 8, a planned upgrade to Microsoft’s cross-platform, open source development platform, is set to improve identity management, authentication, and authorization thanks to security enhancements delivered by the ASP.NET Core team. Identity features in .NET 8 are…

Is ChatGPT writing your code? Watch out for malware

Developers have long used sites like Stack Overflow as forums where they could get code examples and assistance. That community is rapidly being replaced by generative AI tools such as ChatGPT. Today, developers ask AI chatbots to help create sample code, translate…

KubeCon points to the future of enterprise IT

Cloud has become synonymous with enterprise IT, but let’s not get ahead of ourselves. Though enterprises now spend roughly $545 billion annually on cloud infrastructure, according to IDC, and 41% of that spend goes to the top five cloud providers,…

The state of API security in 2023

In today’s rapidly transforming digital world, APIs have become the linchpin for quick delivery of business functionality. These digital connectors underpin much of the enterprise innovation we witness today, from seamless customer experiences to integrated partner ecosystems. Yet, as the…

3 things for your 2024 cloud to-do list

It’s budget time for many enterprises, and the question that I get most this time of year is: What should we work on in 2024 to improve our cloud computing deployments? I came up with my top three, with the…

CloudBees readies cloud-native devsecops platform

CloudBees soon will release a new cloud-native devsecops platform based on open-source Tekton, an open-source framework for building continuous integration and continuous delivery (CI/CD) pipelines on Kubernetes. Called simply CloudBees, the new devsecops platform will be available in single-tenant and…

Learning from Let’s Encrypt’s 10 years of success

Foundations have a hit-or-miss success rate in software, generally, and open source, specifically. I’m on the record with 908 words of eyeroll for the Open Enterprise Linux Association and OpenTofu, given the conspicuous absence of cloud vendor support. Yet I’ve also…

Linux distros need to take more responsibility for security

Open source is everywhere; a Synopsys study found that 96% of all software code bases analyzed included open source software. That’s the good news. Ironically, it’s also the bad news, as the very pervasiveness of open source introduces risk. Decades ago, proprietary…

How generative AI changes cybersecurity

In the technology world, the latter half of the 2010s was mostly about slight tweaks, not sweeping changes: Smartphones got slightly better, and computer processing somewhat improved. Then OpenAI unveiled its ChatGPT in 2022 to the public, and—seemingly all at once—we were…

What ChatGPT doesn’t say about Kubernetes in production

Like many technology organizations, when ChatGPT was publicly released, we wanted to compare its answers to those of a regular web search. We experimented by asking technical questions and requesting specific content. Not all answers were efficient or correct, but…

JFrog adds ML model management to devsecops platform

Devsecops company JFrog on September 13 introduced ML Model Management, a set of capabilities for the JFrog Software Supply Chain Platform designed to streamline the management and security of machine learning models. Using ML Model Management and the JFrog Software…

How to get a handle on shadow AI

CIOs and CISOs have long grappled with the challenge of shadow IT—technology that is being used within an enterprise but that is not officially sanctioned by the IT or security department. According to Gartner research, 41% of employees acquired, modified,…

Centralized cloud security is now a must-have

The 2023 Cloud Security Report, sponsored by Fortinet, surveyed 752 cybersecurity professionals from around the globe and across all industries. Most respondents (90%) say having a single cloud security platform to configure and manage security consistently across their cloud deployments would…

The lost art of cloud application engineering

AI is changing the programming world, which has been evolving for several years. I could talk about how the emerging practice of using AI-driven coders increases speed and reduces costs, but there are some downsides that many fail to see.…

A new hope for software security

The Log4j vulnerability in December 2021 spotlighted the software supply chain as a massively neglected security surface area. It revealed just how interconnected our software artifacts are, and how our systems are only as secure as their weakest links. It…

JFrog Curation blocks malicious open source software packages

JFrog has unveiled JFrog Curation, a devsecops system designed to prevent malicious or risky open source or third-party software packages from entering an organization’s software development pipeline. JFrog Curation blocks the use of risky open source software packages without compromising…

Golang vulnerability checker flags Go vulnerabilities

Govulncheck, a command-line tool to help users of Google’s Go programming language find known vulnerabilities in project dependencies, has reached 1.0.0 status, the Go security team said. Unveiled July 13, Govulncheck can analyze both binaries and source code. It reduces…

The unhappy reality of cloud security in 2023

The studies are coming fast these days. Thales Global Cloud Security Study for 2022 found that during the past 12 months, 45% of businesses have experienced a cloud data breach or failed to perform audits. (It would have been nice for this…

Malicious hackers are weaponizing generative AI

Although I’m swearing off studies as blog fodder, it did come to my attention that Vulcan Cyber’s Voyager18 research team recently issued an advisory validating that generative AI, such as ChatGPT, would be turned into a weapon quickly, ready to attack…

7 key features for Kubernetes and container security

Many organizations are starting out on their Kubernetes and container journey, while others are encountering complexity issues as they scale out their deployments. Containerized applications bring many benefits, but also introduce new types of security challenges. Uptycs reduces risk for…

Disaster recovery in the cloud

It’s late on a Friday. You get a call from your CIO that data has been removed from XYZ public cloud server, and they need it back ASAP. It gets worse. First, there is no current backup copy of the…

AppMap: A map to reduce developer toil

Software developers are the engine of growth and innovation that powers the products on which everyone relies. Developers are a company’s most valuable resource. The demand for software engineers worldwide will rise by 22% between 2020 and 2030, even with…

How to reduce your devops tool sprawl

After spending the last decade investing in devops, many companies are experiencing a hangover of sorts: tool sprawl. While their software delivery processes have become more streamlined, more efficient, and more reliable, they also have many more tools to license,…

Don’t overlook attack surface management

When it comes to securing cloud computing environments, one key aspect often goes overlooked: attack surface management (ASM). Why? Many cloud security training programs, including specific cloud provider certifications, don’t focus on it. Instead, they focus on specific tools and…

Sigstore: Roots of trust for software artifacts

For the roughly five billion people who use the internet, only a tiny fraction have any knowledge of how Transport Layer Security (TLS), digital certificates, or public keys work. Say what you will about the security perils that users still…

A practical guide to React Native authentication

Authentication is a crucial aspect of any app or service today, as it allows the app to determine who the user is and which actions they are authorized to perform. React Native authentication refers to the process of verifying the…

3 overlooked cloud security attack vectors

A 2022 Thales Cloud Security study revealed that 88% of enterprises store a significant amount (at least 21%) of their sensitive data in the cloud. No surprise there. Indeed, I thought the percentage would be much higher. The same report showed that…

Splunk adds new security and observability features

Splunk is adding new security and observability features to its Observability Cloud and Mission Control to identify threats and incidents more efficiently. The company’s Observability Cloud, which offers AIops-based infrastructure monitoring, application performance monitoring (APM) and intelligence, will get new…

Observability will transform cloud security

Security observability is the ability to gain visibility into an organization’s security posture, including its ability to detect and respond to security threats and vulnerabilities. It involves collecting, analyzing, and visualizing security data to identify potential hazards and take proactive…