Category: InfoWorld Security

Bringing observability to cloud security

Security observability is the ability to gain visibility into an organization’s security posture, including its ability to detect and respond to security threats and vulnerabilities. It involves collecting, analyzing, and visualizing security data to identify potential hazards and take proactive…

Tailscale: Fast and easy VPNs for developers

Networking can be an annoying problem for software developers. I’m not talking about local area networking or browsing the web, but the much harder problem of ad hoc, inbound, wide area networking. Suppose you create a dazzling website on your…

ReversingLabs adds new context-based secret detection capabilities

The software supply chain security tool will host new secret detection capabilities through the command-line interface to help developers prioritize remediation efforts. This article has been indexed from InfoWorld Security Read the original article: ReversingLabs adds new context-based secret detection…

GitHub 2FA campaign begins

Following through on a pledge made last year, GitHub on March 13 will begin phasing in two-factor authentication (2FA) requirements for developers contributing code to the popular code sharing site. All developers will be required to comply by the end…

Top 10 open source software risks for 2023

While open source software is the bedrock of modern software development, it is also the weakest link in the software supply chain, according to a report by Endor Labs.

The tech leader’s guide to 2023

Recently, I had the opportunity to ask over a dozen leading technologists for their hopes, predictions, and guidance for the year 2023. This article distills the far-ranging conversation and wealth of insight that came back to me. The year ahead looks…

How multicloud changes devops

Devops or devsecops (I’ll use devops for this post) is more than just a fast way to build and deploy software within the cloud and on traditional systems. It’s now a solid standard, with best practices, processes, and widely accepted…

C++ creator Bjarne Stroustrup defends its safety

The creator of C++, Bjarne Stroustrup, is defending the venerable programming language after the US National Security Agency (NSA) recently recommended against using it. NSA advises organizations to use memory safe languages instead. Responding to the agency’s November 2022 bulletin…

Ubuntu Pro security subscriptions for Linux now available

Canonical’s Ubuntu Pro, a Linux security maintenance subscription service covering thousands of applications and toolchains in the open-source ecosystem, is generally available as of January 26. Released in beta in October, Ubuntu Pro helps users of Linux desktops and servers…

Researchers warn of malicious Visual Studio Code extensions

Can developers trust extensions downloaded for Microsoft’s popular Visual Studio Code editor? Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them. Some extensions may already have taken…

Informatica to lay off 7% of its workforce to cut costs

The decision to lay off 450 staffers globally is expected to better align the company’s workforce to its cloud-focused strategic priorities and cut costs to suit current business needs, Informatica said in a statement.

Why zero knowledge matters

The information age continues to unfold in fits and starts, and the rise of blockchain is among the most compelling current trends. It turns out that public key cryptography, a long stable technology, was latent with undiscovered possibilities. Blockchain is a reimagining…

How Steampipe enables KPIs as code

Ciaran Finnegan is the cybersecurity practice lead at CMD Solutions Australia and Phil Massyn is a senior security consultant there. About a year ago they began using Steampipe and its CrowdStrike plugin to scan their customers’ AWS environments. Now Finnegan…

Open source security fought back in 2022

Early December marked the one-year anniversary of the Log4j security meltdown. Ever since, the software world has been on a dead sprint to ensure it would never happen again. We’re finally seeing some traction as the missing links in software…

Complexity is the enemy of cloud security

It’s a fact that most enterprises put security teams and tools in a silo. It drives me nuts when I see these bad habits carried over to cloud computing security. I covered this topic three years ago, and for the…

Complexity is the enemy of security

It’s a fact that most enterprises put security teams and tools in a silo. It drives me nuts when I see these bad habits carried over to cloud computing security. I covered this topic three years ago, and for the…

What is DevSecOps? Securing devops pipelines

Software runs our businesses today. It powers operations, transactions, communications—just about every facet of the digital organization. It follows that ensuring the security of applications and operating systems is a major priority for development and security teams. This is where…

Cloud computing gets back to basics

There seems to be a clear trend in the world of cloud computing to return to IT fundamentals—the core problems that IT was set up to solve, such as data management, security, operations, governance, and development. All these things have…

What observability means for cloud operations

Observability is one of those concepts being tossed about these days in the tech press and at cloud computing conferences. Everyone has a definition of what it is and how it’s used. No two are the same. Observability seems to…

Cloud architects are afraid of automation

Automation is not new, but its use in cloud computing is recent. The idea is to automate tasks that have been traditionally carried out by humans; for example, self-healing a saturated compute server by automatically restarting it on a cloud…

Azul detects Java vulnerabilities in production apps

Java services company Azul has unveiled Azul Vulnerability Detection, a SaaS product that leverages the Azul JVM to continuously monitor Java applications for security vulnerabilities. Azul Vulnerability Detection, introduced November 2, is an agentless cloud service designed for production use.…

3 primo cloud gigs in 2023

The question I get asked most often besides, “What is cloud computing?” is “What career path should I take in cloud computing?” I get it. Like almost everyone in the world, you know that the cloud job market is on…

Why you’re getting cloud security wrong

The Cloud Security Alliance, in partnership with security company BigID, released the results of a survey of 1,500 IT and security professionals. They all weighed in on the state of cloud data security in 2022 and had some not-so-surprising data points: Organizations are…

Most reported CVEs for Docker Hub images are harmless

During the development of JFrog Xray’s Secrets Detection, we tested its capabilities by scanning more than eight million artifacts in popular open-source package registries. Similarly, for JFrog Xray’s new Container Contextual Analysis feature, we again tested our detection in a…

It’s time to prioritize SaaS security

We’ve made a point of shoring up security for infrastructure-as-a-service clouds since they are so complex and have so many moving parts. Unfortunately, the many software-as-a-service systems in use for more than 20 years now have fallen down the cloud…

Cloud security is the new battle zone

Don’t look now. More than 80% of organizations have experienced a security incident on a cloud platform during the past 12 months according to research from Venafi. Most concerning, almost half of those organizations reported at least four incidents during the…

Why developers hold the key to cloud security

In the days of the on-premises data center and early cloud adoption, the roles of application developers, infrastructure operations, and security were largely siloed. In the cloud, this division of labor increases the time-to-market for innovation, reduces productivity, and invites…

Cloud’s key role in the emerging hybrid workforce

Now that things seem to be getting back to normal—traffic, delayed flights, and all those things we didn’t miss during the stay-home phase of the pandemic—it’s time to look at what work is going to be like post-pandemic. I found…

3 wins and 3 losses for cloud computing

I often go through my old presentations from 2008 and before to review talks about the promise of cloud computing. Keep in mind, I’ve worked in the cloud computing field in one way or another since 1999, and I’ve seen…

AutoRabit launches devsecops tool for Salesforce environments

CodeScan Shield comes with a new module, OrgScan, which governs organizational policies by enforcing the security and compliance rules mandated for Salesforce environments.

Rust programming language gains dedicated security team

The Rust Foundation, the non-profit shepherd of the Rust programming language, has formed a dedicated security team to assess and advance the security of the language. The team is intended to support the broader Rust community with the highest level…

Golang adds vulnerability management tooling

Google’s Go programming language has added support for vulnerability management, which project developers said was an initial step toward helping Go developers learn about known vulnerabilities that could impact them. In a blog post on September 6, the Go security…

3 multicloud lessons for cloud architects

Many cloud architect friends of mine see multicloud on the horizon, but they don’t think they’re prepared for its extra complexities. Most of them initially pushed back on the concept of multicloud much like they pushed back on cloud computing…

Intro to blockchain consensus mechanisms

Blockchain networks combine groups of transactions into collections (blocks) that are appended to each other (chains). The blocks employ a function to ensure that values are not re-used in transactions, thus avoiding the problem of double spending. The network then uses a…

Automation is the ultimate cloud security tip

I’ve written about cloud security many times, including this post from 2021. The report I referenced found that misconfigured cloud servers caused 19% of data breaches. Corroborative data is available from public cloud providers that fight this daily. Microsoft analyzed the anonymized data…

Security is hard and won’t get much easier

Security is one of the few things that will survive the budget axe should the world plunge into recession, but it’s increasingly clear that we can’t simply spend our way to a secure future. Indeed, SLSA (Supply-chain Levels for Software…

Kubescape boosts Kubernetes scanning capabilities

ARMO, developer of Kubescape, an open source security platform for Kubernetes, has added two new vulnerability scanning functions to the platform. Code repository scanning and container image registry scanning are the first fruits of an effort to cover more aspects…

Zero-knowledge proof finds new life in the blockchain

A zero-knowledge proof, also known as ZKP protocol, attempts to establish a fact between parties with a minimum amount of information exchange. In cryptography, it is intended to limit the transfer of information during authentication activities. ZKP’s originators explicitly studied the movement…

How Cloudflare emerged to take on AWS, Azure, and GCP

Cloudflare is in the midst of a significant transformation, as it continues to build out the tools developers need to run their applications across a global network of edge locations. Recent moves put the 18-year-old internet security and performance company…

It’s past time to figure out cross-cloud security

I’ve addressed concerns with multicloud security many times before. Here’s the essence of what I and others assert: Multicloud complexity causes systemic security issues. That’s a fact. Today let’s talk about how we can mediate this complexity to deal with…

Build SBOMs with Microsoft’s internal tool

The compromise of SolarWinds’ system management tool raised a lot of interesting issues for anyone using a CI/CD (continuous integration and continuous delivery) build process for their software. How can we ensure that the software we distribute to our users…

7 biggest Kubernetes security mistakes

Today, if you’re creating or working with cloud-native applications, you’re almost certainly working with Kubernetes. According to a recent CNCF report, 96% of organizations are either using or evaluating Kubernetes. Kubernetes already has 5.6 million users worldwide, representing 31% of…

How we’ll solve software supply chain security

Who owns software supply chain security? Developers? Or the platform and security engineering teams supporting them? In the past, the CIO, CISO, or CTO and their security team would decide which Linux distribution, operating system, and infrastructure platform the company…

Securing data at rest and data in motion

Creating a secure application requires many safeguards, but by far the most important are those that secure the data in the application. These are also the most difficult to implement. When it comes to securing application data, there are two…

Software developers have a supply chain security problem

Log4j was the bucket of cold water that woke up most developers to their software supply chain security problem. We’ve spent decades in software building things and obsessing over our production environment. But we’re building on unpatched Jenkins boxes sitting…

Identity, trust, and their role in modern applications

In the software world, identity is the mapping of a person, place, or thing in a verifiable manner to a software resource. Whenever you interact with nearly anything on the internet, you are dealing with identities: Facebook identity Email address…

Cloud security risks remain very human

Talk about cloud security and you’re likely to discuss provider-focused issues: not enough security, not enough auditing, not enough planning. However, the biggest cloud security risks continue to be the people who walk beside you in the hallways. According to…

7 devops practices to improve application performance

Devops is primarily associated with the collaboration between developers and operations to improve the delivery and reliability of applications in production. The most common best practices aim to replace manual, error-prone procedures managed at the boundaries between dev and ops…

Security survives the budget axe

The good news is that recession or no, security remains a somewhat uncuttable expense for CIOs, according to new data from Morgan Stanley Research. The bad news is that none of it will work if those same CIOs don’t patch…

Are you ready to automate continuous deployment in CI/CD?

Many companies have rushed to implement continuous integration and continuous delivery (CI/CD) pipelines to streamline their software development workflows. Far fewer have taken the additional step to automate continuous deployment, a practice of using CI/CD pipelines to push changes into…

Okta’s Matt Raible: How I became a Java hipster

Matt Raible is a well-known Java and JavaScript educator with several books to his credit and broad experience in the industry. He is currently developer advocate at Okta, where he focuses on…

Kubernetes users struggle with security, Red Hat survey says

Security is a significant concern for Kubernetes and container-based development, according to Red Hat’s State of Kubernetes Security report for 2022. In fact, 93% of survey respondents experienced at least one security…

Detect cloud native security threats with Tracee

The cloud native threat landscape is constantly evolving. Research from Aqua’s Team Nautilus in 2021 revealed higher levels of sophistication in attacks and an increase in volume of attacks targeting container infrastructure.…

MongoDB: From jokes to juggernaut

When I rejoined MongoDB in 2021, I got to hear all the old jokes rehashed. You know, about MongoDB being “web scale,” about losing data, about only being eventually consistent, and so…

MongoDB grows up

When I rejoined MongoDB in 2021, I got to hear all the old jokes rehashed. You know, about MongoDB being “web scale,” about losing data, about only being eventually consistent, and so…

GitHub adds supply chain security tools for Rust language

Aiming to help Rust developers discover and prevent security vulnerabilities, GitHub has made its suite of supply chain security features available for the fast-growing Rust language. These features include the GitHub Advisory…

Maximize your cloud security with isolation zones

Keeping your application safe and secure is critical to a successful enterprise. Whether you use cloud-native application architectures or on-premises systems—or anything in between—it’s generally considered that splitting your infrastructure into security…

The quantum menace: Quantum computing and cryptography

Quantum computing continues to inhabit the nebulous space between practical application and theoretical speculation, but it is edging closer toward real-world use. One of the more interesting use cases for quantum computers is…

Add security to Azure applications with Azure WAF

As much as we might like to think otherwise, cloud-native applications are web applications. We may build services, but their APIs are often RESTful, and where we may have used various remote…

Only DevSecOps can save the metaverse

Defined as a network of 3D virtual worlds focused on enhancing social connections through conventional personal computing and virtual reality and augmented reality headsets, the metaverse was once a fringe concept that…

More money for open source security won’t work

Here’s the good news. According to the Open Source Security Foundation (OpenSSF), it will cost less than $150 million to secure open source software. More good news, industry giants Amazon, Intel, Google, and…

9 questions you should ask about your cloud security

In order for cybersecurity professionals to gain the knowledge they need to thwart the hackers constantly targeting their cloud infrastructure and applications, they need to think like General George S. Patton (or…

The new Elastic CEO puts cloud front and center

The new CEO of the enterprise search software company Elastic has one priority: cloud. “Cloud is front and center,” he told InfoWorld during a recent interview. “That is really where you should…

7 ways to avoid a cloud misconfiguration attack

Cloud engineering and security teams need to ask some important questions about the security of their cloud environments, and they must go well beyond whether or not environments are passing compliance audits.…

Mozilla unveils vision for web evolution

Preaching the mantra that “the web is for everyone,” Mozilla has published a vision for the evolution of the web that stresses openness and safety, with the company aiming to address shortfalls…

Is low-code safe and secure?

I was intrigued by an article I read the other day in CSO Online titled “4 security concerns for low-code and no-code development”. The premise of the article was, essentially, that enterprises…
