Security observability is the ability to gain visibility into an organization’s security posture, including its ability to detect and respond to security threats and vulnerabilities. It involves collecting, analyzing, and visualizing security data to identify potential hazards and take proactive…
Category: InfoWorld Security
ForgeRock, Double Secret Octopus offer passwordless authentication for enterprises
ForgeRock is adding Enterprise Connect Passwordless to its Identity Platform to provide no-code and low-code approaches for enterprises to add passwordless authentication to their IT infrastructure. This article has been indexed from InfoWorld Security Read the original article: ForgeRock, Double…
Tailscale: Fast and easy VPNs for developers
Networking can be an annoying problem for software developers. I’m not talking about local area networking or browsing the web, but the much harder problem of ad hoc, inbound, wide area networking. Suppose you create a dazzling website on your…
ReversingLabs adds new context-based secret detection capabilities
The software supply chain security tool will host new secret detection capabilities through the command-line interface to help developers prioritize remediation efforts. This article has been indexed from InfoWorld Security Read the original article: ReversingLabs adds new context-based secret detection…
GitHub 2FA campaign begins
Following through on a pledge made last year, GitHub on March 13 will begin phasing in two-factor authentication (2FA) requirements for developers contributing code to the popular code sharing site. All developers will be required to comply by the end…
Cloud trends 2023: Cost management surpasses security as top priority
As cloud usage grew over the past decade, one trend among cloud users remained constant: Security held steady as the top challenge for users. That focus is shifting. For the first time, since Flexera began its annual survey of cloud…
Top 10 open source software risks for 2023
While open source software is the bedrock of modern software development, it is also the weakest link in the software supply chain, according to a report by Endor Labs. This article has been indexed from InfoWorld Security Read the original…
At least one open source vulnerability found in 84% of code bases: Report
Almost all applications contain at least some open source code, and 48% of code bases examined by Synopsys researchers contained high-risk vulnerabilities. This article has been indexed from InfoWorld Security Read the original article: At least one open source vulnerability…
Cybersecurity startup Oligo debuts with new application security tech
An Israeli startup targets software code vulnerabilities with advanced agentless filtering technology. This article has been indexed from InfoWorld Security Read the original article: Cybersecurity startup Oligo debuts with new application security tech
EnterpriseDB adds Transparent Data Encryption to PostgreSQL
Relational database provider EnterpriseDB on Tuesday said that it was adding Transparent Data Encryption (TDE) to its databases, which are based on open-source PostgreSQL. TDE, which is used by both Oracle and Microsoft, is a method of encrypting database…
3 reasons not to repatriate cloud-based apps and data sets
Repatriation seems to be a hot topic these days as some applications and data sets return to where they came from. I’ve even been tagged in some circles as an advocate for repatriation, mostly because of this recent post. Once…
The tech leader’s guide to 2023
Recently, I had the opportunity to ask over a dozen leading technologists for their hopes, predictions, and guidance for the year 2023. This article distills the far-ranging conversation and wealth of insight that came back to me. The year ahead looks…
How multicloud changes devops
Devops or devsecops (I’ll use devops for this post) is more than just a fast way to build and deploy software within the cloud and on traditional systems. It’s now a solid standard, with best practices, processes, and widely accepted…
C++ creator Bjarne Stroustrup defends its safety
The creator of C++, Bjarne Stroustrup, is defending the venerable programming language after the US National Security Agency (NSA) recently recommended against using it. NSA advises organizations to use memory safe languages instead. Responding to the agency’s November 2022 bulletin…
C++ creator Bjarne Stroustrup defends its safety
The creator of C++, Bjarne Stroustrup, is defending the venerable programming language after the US National Security Agency (NSA) recently recommended against using it. NSA advises organizations to use memory safe languages instead. Responding to the agency’s November 2022 bulletin…
Canonical security subscriptions for Ubuntu Linux now available
Canonical’s Ubuntu Pro, a Linux security maintenance subscription service covering thousands of applications and toolchains in the open-source ecosystem, is generally available as of January 26. Released in beta in October, Ubuntu Pro helps users of Linux desktops and servers…
Ubuntu Pro security subscriptions for Linux now available
Canonical’s Ubuntu Pro, a Linux security maintenance subscription service covering thousands of applications and toolchains in the open-source ecosystem, is generally available as of January 26. Released in beta in October, Ubuntu Pro helps users of Linux desktops and servers…
Researchers warn of malicious Visual Studio Code extensions
Can developers trust extensions downloaded for Microsoft’s popular Visual Studio Code editor? Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them. Some extensions may already have taken…
Informatica to lay off 7% of its workforce to cut costs
The decision to lay off 450 staffers globally is expected to better align the company’s workforce to its cloud-focused strategic priorities and cut costs to suit current business needs, Informatica said in a statement. This article has been indexed from…
Why zero knowledge matters
The information age continues to unfold in fits and starts, and the rise of blockchain is among the most compelling current trends. It turns out that public key cryptography, a long stable technology, was latent with undiscovered possibilities. Blockchain is a reimagining…
How Steampipe enables KPIs as code
Ciaran Finnegan is the cybersecurity practice lead at CMD Solutions Australia and Phil Massyn is a senior security consultant there. About a year ago they began using Steampipe and its CrowdStrike plugin to scan their customers’ AWS environments. Now Finnegan…
Open source security fought back in 2022
Early December marked the one-year anniversary of the Log4j security meltdown. Ever since, the software world has been on a dead sprint to ensure it would never happen again. We’re finally seeing some traction as the missing links in software…
Complexity is the enemy of cloud security
It’s a fact that most enterprises put security teams and tools in a silo. It drives me nuts when I see these bad habits carried over to cloud computing security. I covered this topic three years ago, and for the…
Complexity is the enemy of security
It’s a fact that most enterprises put security teams and tools in a silo. It drives me nuts when I see these bad habits carried over to cloud computing security. I covered this topic three years ago, and for the…
What is DevSecOps? Securing devops pipelines
Software runs our businesses today. It powers operations, transactions, communications—just about every facet of the digital organization. It follows that ensuring the security of applications and operating systems is a major priority for development and security teams. This is where…
Cloud computing gets back to basics
There seems to be a clear trend in the world of cloud computing to return to IT fundamentals—the core problems that IT was set up to solve, such as data management, security, operations, governance, and development. All these things have…
AWS’ Inspector offers vulnerability management for Lambda serverless functions
AWS announces new cybersecurity features in Amazon Inspector and Amazon Macie at AWS Re:Invent 2022 in Las Vegas. This article has been indexed from InfoWorld Security Read the original article: AWS’ Inspector offers vulnerability management for Lambda serverless functions
AWS releases Wickr, its encrypted messaging service for enterprises
The release of the enterprise version of the encrypted messaging service, announced at AWS re:Invent, is designed to allow secure collaboration across messaging, voice, video and file sharing. This article has been indexed from InfoWorld Security Read the original article:…
What observability means for cloud operations
Observability is one of those concepts being tossed about these days in the tech press and at cloud computing conferences. Everyone has a definition of what it is and how it’s used. No two are the same. Observability seems to…
Cloud architects are afraid of automation
Automation is not new, but its use in cloud computing is recent. The idea is to automate tasks that have been traditionally carried out by humans; for example, self-healing a saturated compute server by automatically restarting it on a cloud…
Qualys previews TotalCloud FlexScan for multicloud security management
Agentless security management system aims to simplify vulnerability management for security teams and developers in cloud and hybrid cloud environments. This article has been indexed from InfoWorld Security Read the original article: Qualys previews TotalCloud FlexScan for multicloud security management
Azul detects Java vulnerabilities in production apps
Java services company Azul has unveiled Azul Vulnerability Detection, a SaaS product that leverages the Azul JVM to continuously monitor Java applications for security vulnerabilities. Azul Vulnerability Detection, introduced November 2, is an agentless cloud service designed for production use.…
3 primo cloud gigs in 2023
The question I get asked most often besides, “What is cloud computing?” is “What career path should I take in cloud computing?” I get it. Like almost everyone in the world, you know that the cloud job market is on…
Why you’re getting cloud security wrong
The Cloud Security Alliance, in partnership with security company BigID, released the results of a survey of 1,500 IT and security professionals. They all weighed in on the state of cloud data security in 2022 and had some not-so-surprising data points: Organizations are…
Why you’re getting cloud security wrong
The Cloud Security Alliance, in partnership with security company BigID, released the results of a survey of 1,500 IT and security professionals. They all weighed in on the state of cloud data security in 2022 and had some not-so-surprising data points: Organizations are…
Most reported CVEs for Docker Hub images are harmless
During the development of JFrog Xray’s Secrets Detection, we tested its capabilities by scanning more than eight million artifacts in popular open-source package registries. Similarly, for JFrog Xray’s new Container Contextual Analysis feature, we again tested our detection in a…
Why you’re getting cloud security wrong
The Cloud Security Alliance, in partnership with security company BigID, released the results of a survey of 1,500 IT and security professionals. They all weighed in on the state of cloud data security in 2022 and had some not-so-surprising data points: Organizations are…
Most reported CVEs for Docker Hub images are harmless
During the development of JFrog Xray’s Secrets Detection, we tested its capabilities by scanning more than eight million artifacts in popular open-source package registries. Similarly, for JFrog Xray’s new Container Contextual Analysis feature, we again tested our detection in a…
It’s time to prioritize SaaS security
We’ve made a point of shoring up security for infrastructure-as-a-service clouds since they are so complex and have so many moving parts. Unfortunately, the many software-as-a-service systems in use for more than 20 years now have fallen down the cloud…
Public package repos expose thousands of API security tokens—and they’re active
As part of the development of JFrog Xray’s new Secrets Detection feature, we wanted to test our detection capabilities on as much real world data as possible, both to make sure we eliminate false positives and to catch any errant…
Public package repos expose thousands of API security tokens—and they’re active
As part of the development of JFrog Xray’s new Secrets Detection feature, we wanted to test our detection capabilities on as much real world data as possible, both to make sure we eliminate false positives and to catch any errant…
Public package repos expose thousands of API security tokens—and they’re active
As part of the development of JFrog Xray’s new Secrets Detection feature, we wanted to test our detection capabilities on as much real world data as possible, both to make sure we eliminate false positives and to catch any errant…
Cloud security is the new battle zone
Don’t look now. More than 80% of organizations have experienced a security incident on a cloud platform during the past 12 months according to research from Venafi. Most concerning, almost half of those organizations reported at least four incidents during the…
Endor Labs offers dependency management platform for open source software
Startup Endor Labs comes out of stealth with an end-to-end platform to help CSOs understand and catalogue everything developers are using from the internet. This article has been indexed from InfoWorld Security Read the original article: Endor Labs offers dependency…
Cloud security is the new battle zone
Don’t look now. More than 80% of organizations have experienced a security incident on a cloud platform during the past 12 months according to research from Venafi. Most concerning, almost half of those organizations reported at least four incidents during the…
Endor Labs offers dependency management platform for open source software
Startup Endor Labs comes out of stealth with an end-to-end platform to help CSOs understand and catalogue everything developers are using from the internet. This article has been indexed from InfoWorld Security Read the original article: Endor Labs offers dependency…
Enterprises embrace devsecops practices against supply chain attacks
Healthy developer-team culture and adherence to devsecops best practices to protect against supply chain attacks are surprisingly commonplace in today’s security environment, according to a report from Google and Chainguard This article has been indexed from InfoWorld Security Read the…
Cryptojacking, DDoS attacks increase in container-based cloud systems
Victims lose $53 for every $1 cryptojackers gain, according to a new report from Sysdig. This article has been indexed from InfoWorld Security Read the original article: Cryptojacking, DDoS attacks increase in container-based cloud systems
Why developers hold the key to cloud security
In the days of the on-premises data center and early cloud adoption, the roles of application developers, infrastructure operations, and security were largely siloed. In the cloud, this division of labor increases the time-to-market for innovation, reduces productivity, and invites…
Cloud’s key role in the emerging hybrid workforce
Now that things seem to be getting back to normal—traffic, delayed flights, and all those things we didn’t miss during the stay-home phase of the pandemic—it’s time to look at what work is going to be like post-pandemic. I found…
Cryptojacking, DDoS attacks increase in container-based cloud systems
Victims lose $53 for every $1 cryptojackers gain, according to a new report from Sysdig. This article has been indexed from InfoWorld Security Read the original article: Cryptojacking, DDoS attacks increase in container-based cloud systems
Cloud’s key role in the emerging hybrid workforce
Now that things seem to be getting back to normal—traffic, delayed flights, and all those things we didn’t miss during the stay-home phase of the pandemic—it’s time to look at what work is going to be like post-pandemic. I found…
3 wins and 3 losses for cloud computing
I often go through my old presentations from 2008 and before to review talks about the promise of cloud computing. Keep in mind, I’ve worked in the cloud computing field in one way or another since 1999, and I’ve seen…
3 wins and 3 losses for cloud computing
I often go through my old presentations from 2008 and before to review talks about the promise of cloud computing. Keep in mind, I’ve worked in the cloud computing field in one way or another since 1999, and I’ve seen…
AutoRabit launches devsecops tool for Salesforce environments
CodeScan Shield comes with a new module, OrgScan, which governs organizational policies by enforcing the security and compliance rules mandated for Salesforce environments. This article has been indexed from InfoWorld Security Read the original article: AutoRabit launches devsecops tool for…
Rust programming language gains dedicated security team
The Rust Foundation, the non-profit shepherd of the Rust programming language, has formed a dedicated security team to assess and advance the security of the language. The team is intended to support the broader Rust community with the highest level…
Golang adds vulnerability management tooling
Google’s Go programming language has added support for vulnerability management, which project developers said was an initial step toward helping Go developers learn about known vulnerabilities that could impact them. In a blog post on September 6, the Go security…
3 multicloud lessons for cloud architects
Many cloud architect friends of mine see multicloud on the horizon, but they don’t think they’re prepared for its extra complexities. Most of them initially pushed back on the concept of multicloud much like they pushed back on cloud computing…
Intro to blockchain consensus mechanisms
Blockchain networks combine groups of transactions into collections (blocks) that are appended to each other (chains). The blocks employ a function to ensure that values are not re-used in transactions, thus avoiding the problem of double spending. The network then uses a…
Automation is the ultimate cloud security tip
I’ve written about cloud security many times, including this post from 2021. The report I referenced found that misconfigured cloud servers caused 19% of data breaches. Corroborative data is available from public cloud providers that fight this daily. Microsoft analyzed the anonymized data…
Security is hard and won’t get much easier
Security is one of the few things that will survive the budget axe should the world plunge into recession, but it’s increasingly clear that we can’t simply spend our way to a secure future. Indeed, SLSA (Supply-chain Levels for Software…
Kubescape boosts Kubernetes scanning capabilities
ARMO, developer of Kubescape, an open source security platform for Kubernetes, has added two new vulnerability scanning functions to the platform. Code repository scanning and container image registry scanning are the first fruits of an effort to cover more aspects…
Zero-knowledge proof finds new life in the blockchain
A zero-knowledge proof, also known as ZKP protocol, attempts to establish a fact between parties with a minimum amount of information exchange. In cryptography, it is intended to limit the transfer of information during authentication activities. ZKP’s originators explicitly studied the movement…
How Cloudflare emerged to take on AWS, Azure, and GCP
Cloudflare is in the midst of a significant transformation, as it continues to build out the tools developers need to run their applications across a global network of edge locations. Recent moves put the 18-year-old internet security and performance company…
It’s past time to figure out cross-cloud security
I’ve addressed concerns with multicloud security many times before. Here’s the essence of what I and others assert: Multicloud complexity causes systemic security issues. That’s a fact. Today let’s talk about how we can mediate this complexity to deal with…
Build SBOMs with Microsoft’s internal tool
The compromise of SolarWinds’ system management tool raised a lot of interesting issues for anyone using a CI/CD (continuous integration and continuous delivery) build process for their software. How can we ensure that the software we distribute to our users…
CrowdStrike enhances container visibility and threat hunting capabilities
The cloud-native security provider wants to help customers gain visibility into all of their containers, as well as uncover a growing array of threats across multicloud environments. This article has been indexed from InfoWorld Security Read the original article: CrowdStrike…
7 biggest Kubernetes security mistakes
Today, if you’re creating or working with cloud-native applications, you’re almost certainly working with Kubernetes. According to a recent CNCF report, 96% of organizations are either using or evaluating Kubernetes. Kubernetes already has 5.6 million users worldwide, representing 31% of…
How we’ll solve software supply chain security
Who owns software supply chain security? Developers? Or the platform and security engineering teams supporting them? In the past, the CIO, CISO, or CTO and their security team would decide which Linux distribution, operating system, and infrastructure platform the company…
Securing data at rest and data in motion
Creating a secure application requires many safeguards, but by far the most important are those that secure the data in the application. These are also the most difficult to implement. When it comes to securing application data, there are two…
Software developers have a supply chain security problem
Log4j was the bucket of cold water that woke up most developers to their software supply chain security problem. We’ve spent decades in software building things and obsessing over our production environment. But we’re building on unpatched Jenkins boxes sitting…
Software developers have a supply chain security problem
Log4j was the bucket of cold water that woke up most developers to their software supply chain security problem. We’ve spent decades in software building things and obsessing over our production environment. But we’re building on unpatched Jenkins boxes sitting…
Identity, trust, and their role in modern applications
In the software world, identity is the mapping of a person, place, or thing in a verifiable manner to a software resource. Whenever you interact with nearly anything on the internet, you are dealing with identities: Facebook identity Email address…
Sysdig Secure update adds ability to stop container attacks at runtime
Sysdig’s Drift Control detects and stops attempts to run packages or binary files that were added or modified at runtime. This article has been indexed from InfoWorld Security Read the original article: Sysdig Secure update adds ability to stop container…
Cloud security risks remain very human
Talk about cloud security and you’re likely to discuss provider-focused issues: not enough security, not enough auditing, not enough planning. However, the biggest cloud security risks continue to be the people who walk beside you in the hallways. According to…
7 devops practices to improve application performance
Devops is primarily associated with the collaboration between developers and operations to improve the delivery and reliability of applications in production. The most common best practices aim to replace manual, error-prone procedures managed at the boundaries between dev and ops…
Security survives the budget axe
The good news is that recession or no, security remains a somewhat uncuttable expense for CIOs, according to new data from Morgan Stanley Research. The bad news is that none of it will work if those same CIOs don’t patch…
Legacy systems are the new attack vectors for hackers
Have you ever heard the saying “Locking the door but leaving the window unlatched”? It means that your security is only as good as the weakest link. This applies to IT as well. How does legacy system security compare to…
Are you ready to automate continuous deployment in CI/CD?
Many companies have rushed to implement continuous integration and continuous delivery (CI/CD) pipelines to streamline their software development workflows. Far fewer have taken the additional step to automate continuous deployment, a practice of using CI/CD pipelines to push changes into…
Okta’s Matt Raible: How I became a Java hipster
This article has been indexed from InfoWorld Security Matt Raible is a well-known Java and JavaScript educator with several books to his credit and broad experience in the industry. He is currently developer advocate at Okta, where he focuses on…
Kubernetes users struggle with security, Red Hat survey says
This article has been indexed from InfoWorld Security Security is a significant concern for Kubernetes and container-based development, according to Red Hat’s State of Kubernetes Security report for 2022. In fact, 93% of survey respondents experienced at least one security…
Detect cloud native security threats with Tracee
This article has been indexed from InfoWorld Security The cloud native threat landscape is constantly evolving. Research from Aqua’s Team Nautilus in 2021 revealed higher levels of sophistication in attacks and an increase in volume of attacks targeting container infrastructure.…
MongoDB: From jokes to juggernaut
This article has been indexed from InfoWorld Security When I rejoined MongoDB in 2021, I got to hear all the old jokes rehashed. You know, about MongoDB being “web scale,” about losing data, about only being eventually consistent, and so…
MongoDB grows up
This article has been indexed from InfoWorld Security When I rejoined MongoDB in 2021, I got to hear all the old jokes rehashed. You know, about MongoDB being “web scale,” about losing data, about only being eventually consistent, and so…
GitHub adds supply chain security tools for Rust language
This article has been indexed from InfoWorld Security Aiming to help Rust developers discover and prevent security vulnerabilities, GitHub has made its suite of supply chain security features available for the fast-growing Rust language. These features include the GitHub Advisory…
Maximize your cloud security with isolation zones
This article has been indexed from InfoWorld Security Keeping your application safe and secure is critical to a successful enterprise. Whether you use cloud-native application architectures or on-premises systems—or anything in between—it’s generally considered that splitting your infrastructure into security…
The quantum menace: Quantum computing and cryptography
This article has been indexed from InfoWorld Security Quantum computing continues to inhabit the nebulous space between practical application and theoretical speculation, but it is edging closer toward real-world use. One of the more interesting use cases for quantum computers is…
Add security to Azure applications with Azure WAF
This article has been indexed from InfoWorld Security As much as we might like to think otherwise, cloud-native applications are web applications. We may build services, but their APIs are often RESTful, and where we may have used various remote…
Google Cloud launches services to bolster open-source security, simplify zero-trust rollouts
This article has been indexed from InfoWorld Security New Google Cloud security services aim to strengthen open-source security, simplify zero-trust adoption, and improve cloud governance. Read the original article: Google Cloud launches services to bolster open-source security, simplify zero-trust rollouts
Only DevSecOps can save the metaverse
This article has been indexed from InfoWorld Security Defined as a network of 3D virtual worlds focused on enhancing social connections through conventional personal computing and virtual reality and augmented reality headsets, the metaverse was once a fringe concept that…
More money for open source security won’t work
This article has been indexed from InfoWorld Security Here’s the good news. According to the Open Source Security Foundation (OpenSSF), it will cost less than $150 million to secure open source software. More good news, industry giants Amazon, Intel, Google, and…
9 questions you should ask about your cloud security
This article has been indexed from InfoWorld Security In order for cybersecurity professionals to gain the knowledge they need to thwart the hackers constantly targeting their cloud infrastructure and applications, they need to think like General George S. Patton (or…
Progress launches Chef Cloud Security to extend DevSecOps to cloud-native assets
This article has been indexed from InfoWorld Security The software provider has also enhanced its underlying security and compliance mechanism Chef InSpec with new features. Read the original article: Progress launches Chef Cloud Security to extend DevSecOps to cloud-native assets
The new Elastic CEO puts cloud front and center
This article has been indexed from InfoWorld Security The new CEO of the enterprise search software company Elastic has one priority: cloud. “Cloud is front and center,” he told InfoWorld during a recent interview. “That is really where you should…
7 ways to avoid a cloud misconfiguration attack
This article has been indexed from InfoWorld Security Cloud engineering and security teams need to ask some important questions about the security of their cloud environments, and they must go well beyond whether or not environments are passing compliance audits.…
Mozilla unveils vision for web evolution
This article has been indexed from InfoWorld Security Preaching the mantra that “the web is for everyone,” Mozilla has published a vision for the evolution of the web that stresses openness and safety, with the company aiming to address shortfalls…
Mozilla unveils vision for web evolution
This article has been indexed from InfoWorld Security Preaching the mantra that “the web is for everyone,” Mozilla has published a vision for the evolution of the web that stresses openness and safety, with the company aiming to address shortfalls…
Is low-code safe and secure?
This article has been indexed from InfoWorld Security I was intrigued by an article I read the other day in CSO Online titled “4 security concerns for low-code and no-code development”. The premise of the article was, essentially, that enterprises…
Is low-code safe and secure?
This article has been indexed from InfoWorld Security I was intrigued by an article I read the other day in CSO Online titled “4 security concerns for low-code and no-code development”. The premise of the article was, essentially, that enterprises…
Pulumi launches Business Critical edition for enterprise customers
This article has been indexed from InfoWorld Security Infrastructure as code specialist Pulumi has tweaked its enterprise pricing tiers by launching a new premium Business Critical version, as it looks to support larger organizations as they modernize their infrastructure provisioning…