Category: InfoWorld Security

The truth about VDI and cloud computing

This article has been indexed from InfoWorld Security Want to know who has the most stressful job in the enterprise these days? It’s the CISO, or chief information security officer. This is typically a senior-level executive responsible for developing and implementing…

Understand the RSA encryption algorithm

This article has been indexed from InfoWorld Security Hot on the heels of Diffie-Hellman upending the cryptography applecart in 1976 came three more crypto newcomers that further revolutionized the field: Ron Rivest, Adi Shamir, and Leonard Adleman. The trio devised…

WhiteSource report warns of NPM registry risks

This article has been indexed from InfoWorld Security The popular NPM registry of JavaScript packages was described as a playground for malicious actors by software scanning services provider WhiteSource Software, which has published a report of its vulnerability analysis of…

Of hacks and patches

This article has been indexed from InfoWorld Security Outside the insurance industry, few people likely noticed that Lloyd’s of London “will no longer cover the fallout of cyberattacks exchanged between nation-states.” It would be easy to overlook, except that Lloyd’s is a…

Rust 1.58.1 fixes dangerous race condition

This article has been indexed from InfoWorld Security This point release arriving January 20, 2022, just days after Rust 1.58, fixes a race condition in the std::fs::remove_dir_all standard library function. This vulnerability is tracked at CVE-2022-21658 and there was an…

Understand Diffie-Hellman key exchange

This article has been indexed from InfoWorld Security Whitfield Diffie and Martin Hellman were outsiders in the field of cryptography when they devised a scheme hitherto unknown: The ability to establish secure communications over public channels between two parties that…

Suse open sources NeuVector container security platform

This article has been indexed from InfoWorld Security Suse has open sourced the code for the NeuVector container runtime security platform under an Apache 2.0 license on GitHub, less than three months after acquiring the company. Container runtime security is…

2022: The year of software supply chain security

This article has been indexed from InfoWorld Security If 2020 was the year that we became acutely aware of the consumer goods supply chain (toilet paper, anyone? Anyone?), then 2021 was the year that the software supply chain rose in our…

What most cloud-using CIOs want in 2022

This article has been indexed from InfoWorld Security Ten years ago, many CIOs had a negative opinion about cloud computing; few CIOs landed on the positive side. Cloud subject matter experts like me got walked out of the building on…

Why SBOM management is no longer optional

This article has been indexed from InfoWorld Security As with many zero-day vulnerabilities, organizations are scrambling to identify and remediate the impact of the Log4Shell vulnerability in Log4j. This particular vulnerability is extraordinarily dangerous because it was found in a…

Securing the Kubernetes software supply chain

This article has been indexed from InfoWorld Security Modern software development practices make securing the software supply chain more important than ever. Our code has dependencies on open source libraries which have dependencies on other libraries and so on—a chain…

How to detect the Log4j vulnerability in your applications

This article has been indexed from InfoWorld Security Yesterday the Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j, a ubiquitous logging tool included in almost every Java application. The issue has been named Log4Shell and…

1

This article has been indexed from InfoWorld Security Yesterday the Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j, a ubiquitous logging tool included in almost every Java application. The issue has been named Log4Shell and…

Integrate security into CI/CD with the Trivy scanner

This article has been indexed from InfoWorld Security Attacks on cloud-native infrastructures are on the rise. Research over a six-month period in 2021 shows a 26% increase in attacks on container environments over the previous six months. Malicious actors are…

GitHub will require 2FA for some NPM registry users

This article has been indexed from InfoWorld Security In light of two recent security incidents impacting the popular NPM registry for JavaScript packages, GitHub will require 2FA (two-factor authentication) for maintainers and admins of popular packages on NPM. The 2FA…

GitHub will require 2FA for some NPM registry users

This article has been indexed from InfoWorld Security In light of two recent security incidents impacting the popular NPM registry for JavaScript packages, GitHub will require 2FA (two-factor authentication) for maintainers and admins of popular packages on NPM. The 2FA…

Security is the Achilles’ heel of multicloud

This article has been indexed from InfoWorld Security Valtix recently released research that multicloud will be a strategic priority in 2022, according to the vast majority of more than 200 IT leaders in the United States who participated in the study.…

A quick guide to modern cryptography

This article has been indexed from InfoWorld Security Cryptography grows ever more prominent in our lives. Every time you log into an app or send an email, you are relying on an ingenious cryptographic infrastructure that is descended largely from…

The race to secure Kubernetes at run time

This article has been indexed from InfoWorld Security For software developers who primarily build their applications as a set of microservices deployed using containers and orchestrated with Kubernetes, a whole new set of security considerations has emerged beyond the build…

3 reasons devops must integrate agile and ITSM tools

This article has been indexed from InfoWorld Security Many organizations follow devops principles and want to transform into devops cultures. Some of the key practices include version control, continuous integration and delivery (CI/CD), infrastructure as code (IaC), applying machine learning…

When containers become a nightmare

This article has been indexed from InfoWorld Security Containers, certainly containers running on public clouds, are really old hat by now. These self-contained, lightweight software packages come with their own runtime environment and are relocatable from platform to platform, typically…

When containers become a nightmare

This article has been indexed from InfoWorld Security Containers, certainly containers running on public clouds, are really old hat by now. These self-contained, lightweight software packages come with their own runtime environment and are relocatable from platform to platform, typically…

3 things to add to your 2022 cloud to-do list

This article has been indexed from InfoWorld Security Cloud budgets have expanded in the last two years. Although most see the pandemic as the cause, the reality is that IT dollars have shifted to the cloud for pragmatic reasons as…

3 things to add to your 2022 cloud to-do list

This article has been indexed from InfoWorld Security Cloud budgets have expanded in the last two years. Although most see the pandemic as the cause, the reality is that IT dollars have shifted to the cloud for pragmatic reasons as…

How to prevent CSRF attacks in ASP.NET Core

This article has been indexed from InfoWorld Security Cross-site request forgery (CSRF) is an attack that tricks an end user into executing undesirable actions while logged into a web application. Taking advantage of the authenticated user’s permissions, a CSRF attack…

Cyber security in the public cloud

This article has been indexed from InfoWorld Security Among the biggest considerations companies face when selecting public cloud service providers is the level of cyber security they offer, meaning the features and capabilities they put in place to protect their…

How to secure REST with Spring Security

This article has been indexed from InfoWorld Security Securing web applications is an inherently complex proposition. Spring Security offers Java developers a powerful framework for addressing this need, but that power comes with a steep learning curve. This article offers…

Microsoft, Google partner on eBPF

This article has been indexed from InfoWorld Security Companies including Microsoft, Google, and Facebook are backing an initiative to promote the extended Berkley Packet Filter (eBPF), technology that enables developers to safely embed programs in any piece of software including…

How to use Auth0 with Node.js and Express

This article has been indexed from InfoWorld Security Cloud-based authentication and authorization platforms—sometimes known as IDaaS, or identity as a service — are an expanding area of cloud tooling, and it’s easy to see why. App security is difficult and…

Solving authorization for software developers

This article has been indexed from InfoWorld Security I’ve spoken to hundreds of development teams, and most of them still build authorization by hand, ad-hoc, and without a plan. That’s natural—no one has yet developed a “Stripe” or “Twilio” for…

Solving authorization for software developers

This article has been indexed from InfoWorld Security I’ve spoken to hundreds of development teams, and most of them still build authorization by hand, ad-hoc, and without a plan. That’s natural—no one has yet developed a “Stripe” or “Twilio” for…

Don’t be a ransomware victim

This article has been indexed from InfoWorld Security Ransomware is making the news more and more, and I suspect this will continue to happen for the next few years at least. Attackers mostly exploit neglect and a lack of expertise,…

Cloud security is still a work in progress

This article has been indexed from InfoWorld Security As a cloud architect, I am amazed that cloud security is still so hard. We’ve had identity access management (IAM) for more than a decade. Now we have deep encryption services, key…

What is Azure Confidential Ledger?

This article has been indexed from InfoWorld Security We live in a world where more and more of our personal information is held online. It’s often a single source of truth about us, the place where health information and financial…

Complexity is the biggest threat to cloud success and security

This article has been indexed from InfoWorld Security In the latest Agents of Transformation report, Agents of Transformation 2021: The Rise of Full-Stack Observability, 77% of global technicians report experiencing a higher level of complexity as a result of accelerated cloud…

Go fuzz to catch hard-to-find bugs in Go

This article has been indexed from InfoWorld Security Native fuzzing for the Google-created Go language is ready for beta testing, the Go project announced. The goal behind the new automated testing capability is to help Go developers improve code quality…

Go fuzz to catch hard-to-find bugs in Go

This article has been indexed from InfoWorld Security Native fuzzing for the Google-created Go language is ready for beta testing, the Go project announced. The goal behind the new automated testing capability is to help Go developers improve code quality…

Is it possible to automate all of cloud operations?

This article has been indexed from InfoWorld Security As I move from project to project, I’ve seen the latest trend is to leverage operational tools, such as AIops and security operations platforms to automate most of what it takes to…

Most cloud security problems breathe

This article has been indexed from InfoWorld Security A study by Ponemon and IBM indicates that misconfigured cloud servers cause 19% of data breaches. This is an expensive problem with an average cost of half a million dollars per breach.…

What ‘cross-cloud’ architects need to know

This article has been indexed from InfoWorld Security When I hear people say, “I’m a cross-cloud architect,” I wonder what the heck they mean. I’m seeing an emerging pattern in the cloud computing space where enterprises are morphing from dealing…

What ‘cross-cloud’ architects need to know

This article has been indexed from InfoWorld Security When I hear people say, “I’m a cross-cloud architect,” I wonder what the heck they mean. I’m seeing an emerging pattern in the cloud computing space where enterprises are morphing from dealing…

ProxyJump is safer than SSH agent forwarding

This article has been indexed from InfoWorld Security An SSH jump server is a proxy standing between clients and the rest of the SSH fleet. Jump hosts minimize threats by forcing all SSH traffic to go through a single hardened…

In search of good cybersecurity

This article has been indexed from InfoWorld Security I may be overstating a bit, but it seems like we can’t go a week without some breach or ransom attack hitting the news cycles. It’s even more frustrating when these incidents…

7 keys to selecting a low-code platform

This article has been indexed from InfoWorld Security It often makes business sense to code microservices, customized applications, innovative customer experiences, enterprise workflows, and proprietary databases. But there are also times when the business and technology teams should consider low-code…

7 keys to selecting a low-code platform

This article has been indexed from InfoWorld Security It often makes business sense to code microservices, customized applications, innovative customer experiences, enterprise workflows, and proprietary databases. But there are also times when the business and technology teams should consider low-code…

Don’t migrate your problems to the cloud

This article has been indexed from InfoWorld Security The cloud is typically a destination for systems needing to be modernized to take advantage of technologies such as AI, predictive analytics, or a hundred other cloud services. It’s typically cheaper, it…

When not to use edge computing

Big companies such as General Electric, Siemens, and Robert Bosch are using edge computing technology to optimize production. Manufacturing is a large consumer of edge approaches and technology. Typically, these edge systems are powered by artificial intelligence (AI) systems that…

What is unified policy as code, and why do you need it?

Read the original article: What is unified policy as code, and why do you need it? Uptime.Reliability.Efficiency. These used to be perks, elements of forward-thinking and premium-level enterprises. Now they’re a baseline expectation. Today, consumers expect information, resources, and services…

The cloud attack you didn’t see coming

Read the original article: The cloud attack you didn’t see coming You have to respect that ransomware attacks at least let you know you’ve been attacked. You’ll have an opportunity to defend yourself and batten down the hatches. However, a…

You could be hacked and not know it

Read the original article: You could be hacked and not know it You have to respect that ransomware attacks let you know you’ve been attacked. You’ll have an opportunity to defend yourself and batten down the hatches. However, a rising…

Authorization is the next big technical challenge

Read the original article: Authorization is the next big technical challenge Want to deliver messaging or voice calls for customers? You’ve got Twilio. Need to process credit card payments? Stripe has you covered. Need to run machine learning models or…

Google’s OSS-Fuzz extends fuzzing to Java apps

Read the original article: Google’s OSS-Fuzz extends fuzzing to Java apps Google’s open source fuzz-testing service, OSS-Fuzz, now supports applications written in Java and JVM-based languages. The capability was announced on March 10. OSS-Fuzz provides continuous fuzzing for open source…

Cybersecurity in 2021: Stopping the madness

Read the original article: Cybersecurity in 2021: Stopping the madness The challenges are greater than ever. But security pros have learned a lot – and with luck, the right strategic defenses can help even the highest-value targets withstand severe attacks.…

6 security risks in software development and how to address them

Read the original article: 6 security risks in software development and how to address them CIOs and their IT departments face significant business pressure to modernize applications, improve customer experiences, migrate applications to the cloud, and automate workflows. Agile development…

6 security risks in software development and how to address them

Read the original article: 6 security risks in software development and how to address them CIOs and their IT departments face significant business pressure to modernize applications, improve customer experiences, migrate applications to the cloud, and automate workflows. Agile development…

The future of work: Coming sooner than you think

Read the original article: The future of work: Coming sooner than you think What will your worklife be like years from now? Today’s work-from-home world has given us a glimpse of the future, as these five articles from CIO, Computerworld,…

Using OPA with GitOps to speed cloud-native development

Read the original article: Using OPA with GitOps to speed cloud-native development One risk in deploying fleets of powerful and flexible clusters on constantly changing infrastructure like Kubernetes is that mistakes happen. Even minute manual errors that slip past review…

How to bring zero-trust security to microservices

Read the original article: How to bring zero-trust security to microservices Transitioning to microservices has many advantages for teams building large applications, particularly those that must accelerate the pace of innovation, deployments, and time to market. Microservices also provide technology…

Using OPA for multicloud policy and process portability

Read the original article: Using OPA for multicloud policy and process portability As multicloud strategies become fully mainstream, companies and dev teams are having to figure out how to create consistent approaches among cloud environments. Multicloud, itself, is ubiquitous: Among…

Using OPA for multicloud policy and process portability

Read the original article: Using OPA for multicloud policy and process portability As multicloud strategies become fully mainstream, companies and dev teams are having to figure out how to create consistent approaches among cloud environments. Multicloud, itself, is ubiquitous: Among…

Anti-adversarial machine learning defenses start to take root

Read the original article: Anti-adversarial machine learning defenses start to take root Much of the anti-adversarial research has been on the potential for minute, largely undetectable alterations to images (researchers generally refer to these as “noise perturbations”) that cause AI’s…

4 steps to DevSecOps in your software supply chain

Read the original article: 4 steps to DevSecOps in your software supply chain Developers often want to do the “right” thing when it comes to security, but they don’t always know what that is. In order to help developers continue…

GNAP: OAuth the next generation

Read the original article: GNAP: OAuth the next generation The year was 2012, and a revised security protocol called OAuth 2 swept the web, allowing users to use security providers to easily log in to websites. Many single sign-on systems,…

4 steps to DevSecOps in your software supply chain

Read the original article: 4 steps to DevSecOps in your software supply chain Developers often want to do the “right” thing when it comes to security, but they don’t always know what that is. In order to help developers continue…

GNAP: OAuth the next generation

Read the original article: GNAP: OAuth the next generation The year was 2012, and a revised security protocol called OAuth 2 swept the web, allowing users to use security providers to easily log in to websites. Many single sign-on systems,…

Using OPA for cloud-native app authorization

Read the original article: Using OPA for cloud-native app authorization In the cloud-native space, microservice architectures and containers are reshaping the way that enterprises build and deploy applications. They function, in a word, differently than traditional monolithic applications. Microservices are…

IBM adds code risk analyzer to cloud-based CI/CD

Read the original article: IBM adds code risk analyzer to cloud-based CI/CD Looking to bring security and compliance analytics to devops, IBM has added its Code Risk Analyzer capability to its IBM Cloud Continuous Delivery service. Code Risk Analyzer is…

2 egregious cloud security threats the CSA missed

Read the original article: 2 egregious cloud security threats the CSA missed My interesting weekend reading was this Cloud Security Alliance (CSA) report, which was vendor sponsored, highlighting 11 cloud security threats that should be on top of everyone’s mind.…

Microsoft open-sources fuzzing test framework

Read the original article: Microsoft open-sources fuzzing test framework Microsoft is looking to help developers continuously fuzz-test code prior to release, via the open source OneFuzz framework. Described as a self-hosted fuzzing-as-a-service platform, OneFuzz enables developer-driven fuzzing to identify software…

Using OPA to safeguard Kubernetes

Read the original article: Using OPA to safeguard Kubernetes As more and more organizations move containerized applications into production, Kubernetes has become the de facto approach for managing those applications in private, public and hybrid cloud settings. In fact, at…

Using OPA to safeguard Kubernetes

Read the original article: Using OPA to safeguard Kubernetes As more and more organizations move containerized applications into production, Kubernetes has become the de facto approach for managing those applications in private, public and hybrid cloud settings. In fact, at…

The five best Kubernetes security practices

Read the original article: The five best Kubernetes security practices Everyone is moving to containers for their programs, and to manage them, almost everyone is using Kubernetes. That leads to one big problem: How do you secure Kubernetes itself?  …

The five best Kubernetes security practices

Read the original article: The five best Kubernetes security practices Everyone is moving to containers for their programs, and to manage them, almost everyone is using Kubernetes. That leads to one big problem: How do you secure Kubernetes itself?  …

OPA: A general-purpose policy engine for cloud-native

Read the original article: OPA: A general-purpose policy engine for cloud-native As your organization embraces the cloud, you may find that the dynamism and scale of the cloud-native stack requires a far more complicated security and compliance landscape. For instance,…

OPA: A general-purpose policy engine for cloud-native

Read the original article: OPA: A general-purpose policy engine for cloud-native As your organization embraces the cloud, you may find that the dynamism and scale of the cloud-native stack requires a far more complicated security and compliance landscape. For instance,…

Google Cloud adds security capabilities for sensitive workloads

Read the original article: Google Cloud adds security capabilities for sensitive workloads Google Cloud on July 14 introduced two new security services to its cloud platform, including a VM service launched as part of Google’s Confidential Computing portfolio. The services cater…

10 steps to automating security in Kubernetes pipelines

Read the original article: 10 steps to automating security in Kubernetes pipelines Kubernetes pipelines face an ever-increasing range of threats that demand more integrated and automated security across the application lifecycle. Making things more complex, critical vulnerabilities can make their…

10 steps to automating security in Kubernetes pipelines

Read the original article: 10 steps to automating security in Kubernetes pipelines Kubernetes pipelines face an ever-increasing range of threats that demand more integrated and automated security across the application lifecycle. Making things more complex, critical vulnerabilities can make their…

Visual Studio Code extension flags NPM vulnerabilities

Security developer Snyk has published a free extension for Microsoft’s popular Visual Studio Code editor that finds vulnerabilities in NPM packages. Introduced April 2, the open source Snyk Vuln Cost extension serves as a security scanner, providing feedback inline as…

Visual Studio Code extension flags NPM vulnerabilities

Security developer Snyk has published a free extension for Microsoft’s popular Visual Studio Code editor that finds vulnerabilities in NPM packages. Introduced April 2, the open source Snyk Vuln Cost extension serves as a security scanner, providing feedback inline as…

Zeek and Jitsi: 2 open source projects we need now

Everyone has heard of open source projects like Linux, Kubernetes, and MySQL. Far fewer have heard of ROS (Robot Operating System), Apache Flink, or InfluxDB, though these open source projects, too, are getting noticed. However, virtually no one has heard…

How to bring security into agile development and CI/CD

Devops came about because of the cultural, functional, and technical walls between development teams that want to release frequently and operations teams that need to preserve reliability and stability. Devops culture addresses the mindset, collaboration, and practices to achieve both…