Tag: InfoWorld Security

Most developers have adopted devops, survey says

As of the first quarter of 2024, 83% of developers were involved in devops-related activities such as performance monitoring, security testing, or CI/CD, according to the State of CI/CD Report 2024, published by the Continuous Delivery (CD) Foundation, a part…

Read more →

Better application networking and security with CAKES

Modern software applications are underpinned by a large and growing web of APIs, microservices, and cloud services that must be highly available, fault tolerant, and secure. The underlying networking technology must support all of these requirements, of course, but also…

Read more →

Rust gets security fix for Windows vulnerability

The Rust language team has published a point release of Rust to fix a critical vulnerability to the standard library that could benefit an attacker when using Windows. Rust 1.77.2, published on April 9, includes a fix for CVE-2024-24576. Before…

Read more →

Synopsys takes aim at software supply chain risks

Synopsys has introduced Black Duck Supply Chain Edition, a software composition analysis (SCA) package that helps organizations mitigate upstream risk in software supply chains, including from AI code. Announced April 9, Black Duck Supply Chain Edition is intended to address…

Read more →

Synopsys aims to mitigate software supply chain risks

Synopsys has introduced Black Duck Supply Chain Edition, a software composition analysis (SCA) package that helps organizations mitigate upstream risk in software supply chains, including from AI code. Announced April 9, Black Duck Supply Chain Edition is intended to address…

Read more →

Eclipse joins with industry groups to secure open source

The Eclipse Foundation announced that it is partnering with the Apache Software Foundation and other open source foundations to establish common specifications for secure software development based on existing open source best practices. In an April 2 blog post, Eclipse…

Read more →

Rust memory safety explained

Over the past decade, Rust has emerged as a language of choice for people who want to write fast, machine-native software that also has strong guarantees for memory safety. Other languages, like C, may run fast and close to the…

Read more →

Avoiding the dangers of AI-generated code

2023 has been a breakout year for developers and generative AI. GitHub Copilot graduated from its technical preview stage in June 2022, and OpenAI released ChatGPT in November 2022. Just 18 months later, according to a survey by Sourcegraph, 95%…

Read more →

10 cloud development gotchas to watch out for

The benefits of developing software in the cloud include increased flexibility and reliability, greater efficiency, and reduced costs. But cloud-based development also presents a host of challenges. Knowing what to watch out for is the first step to protecting your applications…

Read more →

Java 22 brings security enhancements

Java Development Kit (JDK) 22, released by Oracle March 19 as the latest version of standard Java, offers a number of security enhancements, covering areas ranging from an asymmetric key interface to a new security option for -XshowSettings that allows…

Read more →

GitHub previews AI-powered code scanning autofix

GitHub is previewing code scanning autofix, a feature that combines its GitHub Copilot AI assistant with its CodeQL code scanner to provide suggested fixes to discovered vulnerabilities. Code scanning autofix is available in a public beta to GitHub Advanced Security…

Read more →

C++ creator rebuts White House warning

C++ creator Bjarne Stroustrup has defended the widely used programming language in response to a Biden administration report that calls on developers to use memory-safe languages and avoid using vulnerable ones such as C++ and C. In a March 15…

Read more →

Open source is not insecure

Frank Crane wasn’t talking about open source when he famously said, “You may be deceived if you trust too much, but you will live in torment if you don’t trust enough.” But that’s a great way to summarize today’s gap…

Read more →

Feds seek attestation on secure software

The US federal government has released a software attestation form intended to ensure that software producers partnering with the government leverage minimum secure development techniques and tool sets. The form was announced March 11 by the Department of Homeland Security’s…

Read more →

JetBrains releases security fixes for TeamCity CI/CD system

JetBrains has released fixes for two critical security vulnerabilities in its TeamCity On-Premises CI/CD system discovered by cybersecurity company Rapid7. The two vulnerabilities reported in late-February by Rapid7 would enable an authenticated attacker with HTTP(S) access to a TeamCity On-Premises…

Read more →

Cloudflare announces Firewall for AI

Cloudflare has announced the development of Firewall for AI, a protection layer that can be deployed in front of large language models (LLMs) that promises to identify abuses before they reach the models. Unveiled March 4, Firewall for AI is…

Read more →

Biden executive order protects personal data

President Joseph Biden has issued an executive order intended to protect Americans’ sensitive personal data from exploitation from countries of concern including China, Russa, Iran, and North Korea. Issued February 28, the order authorizes the attorney general to prevent the…

Read more →

GitHub rolls out push protection on public repos

GitHub has begun rolling out push protection for all of its users, a secrets scanning feature that gives users the option to remove secrets from commits or bypass a block. The policy, announced February 29, affects supported secrets. It might…

Read more →

Why passkeys will replace passwords

With the growth of sophisticated attacks against critical software and infrastructure systems, multi-factor authentication (MFA) has emerged as a critical layer of defense against unauthorized access. An increasing number of enterprise and developer-facing technology applications and platforms, from GitHub to…

Read more →

White House urges developers to dump C and C++

US President Joe Biden’s administration wants software developers to use memory-safe programming languages and ditch vulnerable ones like C and C++. The White House Office of the National Cyber Director (ONCD), in a report released Monday, called on developers to…

Read more →

GitHub Copilot makes insecure code even less secure, Snyk says

GitHub’s AI-powered coding assistant, GitHub Copilot, may suggest insecure code when the user’s existing codebase contains security issues, according to developer security company Snyk. GitHub Copilot can replicate existing security issues in code, Snyk said in a blog post published…

Read more →

Martin Hellman: We’re playing Russian roulette

Martin Hellman achieved legendary status as co-inventor of the Diffie-Hellman public key exchange algorithm, a breakthrough in software and computer cryptography. That invention and his ongoing work in cryptography and digital signatures earned him a Turing award in 2015. He has since…

Read more →

MuleSoft unveils policy development kit for API gateway

Salesforce-owned MuleSoft has released the Anypoint Flex Gateway Policy Development Kit (PDK). The PDK allows developers of every skill level to quickly build policies to detect and protect sensitive data sent to APIs, the company said. Now a feature of…

Read more →

Protecting against software supply chain attacks

Last year’s MOVEit and 3CX vulnerabilities offered a stark reminder of the risk software supply chain attacks pose today. Threat actors exploit vulnerabilities to infiltrate a software provider’s network and modify the software’s original functionality with malicious code. Once the…

Read more →

Mobb unveils vulnerability fixer for GitHub users

Application security company Mobb has released an automatic vulnerability fixer for GitHub users. The tool monitors GitHub pull requests and offers code fixes within software development workflows. Unveiled January 23, Mobb Fixer provides developers with code fixes for security alerts…

Read more →

A guide to implementing fine-grained authorization

Authentication and authorization rank among the top priorities for application developers today. While they’re often used interchangeably, they actually represent two very different things. Yet in order to ensure a secure and seamless experience for users, both must work in concert. To illustrate the distinction…

Read more →

JFrog, AWS team up for machine learning in the cloud

Software supply chain provider JFrog is integrating with the Amazon SageMaker cloud-based machine learning platform to incorporate machine learning models into the software development lifecycle. The JFrog platform integration with Amazon SageMaker, available now, ensures artifacts produced by data scientists…

Read more →

How finops can make the cloud more secure

Cloud finops is the discipline of accounting for and optimizing cloud computing spending. It’s a reaction to years of undisciplined cloud spending or a way to bring order back to using cloud resources. Overall, it is a step in the…

Read more →

4 key devsecops skills for the generative AI era

When cloud computing became enterprise-ready, and tools such as continuous integration and continuous delivery, infrastructure as code, and Kubernetes became mainstream, it marked a clear paradigm shift in dev and ops. The work separating dev and ops became devops responsibilities,…

Read more →

You should be worried about cloud squatting

Most security issues in the cloud can be traced back to someone doing something stupid. Sorry to be that blunt, but I don’t see ingenious hackers out there. I do see misconfigured cloud resources, such as storage and databases, that…

Read more →

How software engineering will evolve in 2024

Software development is currently undergoing a profound transformation, marked by a quiet yet remarkable surge in advanced automation. This impending shift promises to streamline the creation and deployment of high-quality applications on an unprecedented scale. Rather than a single technology…

Read more →

3 ways to reduce stress on the DevSecOps team

I recently moderated a session for the CSO Cybersecurity Summit on building resilience and addressing employee anxiety amid organizational transformation. My session focused on the stresses and burnout experienced by security teams, including recent data showing that 94% of chief…

Read more →

Fortifying confidential computing in Microsoft Azure

One of the biggest challenges facing any enterprise using the public cloud is the fact that it’s public. Yes, your applications run in isolated virtual machines and your data sits in its own virtual storage appliances, but there’s still a…

Read more →

3 security best practices for all DevSecOps teams

It’s been over 10 years since Shannon Lietz introduced the term DevSecOps, aiming to get security a seat at the table with IT developers and operators. The question is, how far has security come since then? Do DevSecOps teams have…

Read more →

Cloud security and devops have work to do

If there is anything that keeps cloud development leaders up at night, it’s the fact that the risk of an impending security breach is scarily high. If I go around the room at any enterprise development meeting, devops engineers, cloud…

Read more →

6 security best practices for cloud-native applications

The emergence of cloud-native architectures has dramatically changed the ways applications are developed, deployed, and managed. While cloud-native architectures offer significant benefits in terms of scalability, elasticity, and flexibility, they also introduce unique security challenges. These challenges often diverge from…

Read more →

Security, privacy, and generative AI

Since the proliferation of large language models (LLMs), like OpenAI’s GPT-4, Meta’s Llama 2, and Google’s PaLM 2, we have seen an explosion of generative AI applications in almost every industry, cybersecurity included. However, for a majority of LLM applications,…

Read more →

Oracle open-sources Jipher for FIPS-compliant SSL

Oracle is open-sourcing Jipher, a Java Cryptography Architecture (JCA) provider built for security and performance that has been used by the company’s cloud platform, the company said on November 7. Jipher was developed for environments with FIPS (Federal Information Processing…

Read more →

Microsoft .NET 8 enhances ID management

.NET 8, a planned upgrade to Microsoft’s cross-platform, open source development platform, is set to improve identity management, authentication, and authorization thanks to enhancements in the security vein delivered by the ASP.NET Core team. Identity features in .NET 8 are…

Read more →

Is ChatGPT writing your code? Watch out for malware

Developers have long used sites like Stack Overflow as forums where they could get code examples and assistance. That community is rapidly being replaced by generative AI tools such as ChatGPT. Today, developers ask AI chatbots to help create sample code, translate…

Read more →

KubeCon points to the future of enterprise IT

Cloud has become synonymous with enterprise IT, but let’s not get ahead of ourselves. Though enterprises now spend roughly $545 billion annually on cloud infrastructure, according to IDC, and 41% of that spend goes to the top five cloud providers,…

Read more →

The state of API security in 2023

In today’s rapidly transforming digital world, APIs have become the linchpin for quick delivery of business functionality. These digital connectors underpin much of the enterprise innovation we witness today, from seamless customer experiences to integrated partner ecosystems. Yet, as the…

Read more →

3 things for your 2024 cloud to-do list

It’s budget time for many enterprises, and the question that I get most this time of year is: What should we work on in 2024 to improve our cloud computing deployments? I came up with my top three, with the…

Read more →

How generative AI changes cybersecurity

In the technology world, the latter half of the 2010s was mostly about slight tweaks, not sweeping changes: Smartphones got slightly better, and computer processing somewhat improved. Then OpenAI unveiled its ChatGPT in 2022 to the public, and—seemingly all at once—we were…

Read more →

What ChatGPT doesn’t say about Kubernetes in production

Like many technology organizations, when ChatGPT was publicly released, we wanted to compare its answers to those of a regular web search. We experimented by asking technical questions and requesting specific content. Not all answers were efficient or correct, but…

Read more →

JFrog adds ML model management to devsecops platform

Devsecops company JFrog on September 13 introduced ML Model Management, a set of capabilities for the JFrog Software Supply Chain Platform designed to streamline the management and security of machine learning models. Using ML Model Management and the JFrog Software…

Read more →

How to get a handle on shadow AI

CIOs and CISOs have long grappled with the challenge of shadow IT—technology that is being used within an enterprise but that is not officially sanctioned by the IT or security department. According to Gartner research, 41% of employees acquired, modified,…

Read more →

Centralized cloud security is now a must-have

The 2023 Cloud Security Report, sponsored by Fortinet, surveyed 752 cybersecurity professionals from around the globe and across all industries. Most respondents (90%) say having a single cloud security platform to configure and manage security consistently across their cloud deployments would…

Read more →

The lost art of cloud application engineering

AI is changing the programming world, which has been evolving for several years. I could talk about how the emerging practice of using AI-driven coders increases speed and reduces costs, but there are some downsides that many fail to see.…

Read more →

A new hope for software security

The Log4j vulnerability in December 2021 spotlighted the software supply chain as a massively neglected security surface area. It revealed just how interconnected our software artifacts are, and how our systems are only as secure as their weakest links. It…

Read more →

JFrog Curation blocks malicious open source software packages

JFrog has unveiled JFrog Curation, a devsecops system designed to prevent malicious or risky open source or third-party software packages from entering an organization’s software development pipeline. JFrog Curation blocks the use of risky open source software packages without compromising…

Read more →

Golang vulnerability checker flags Go vulnerabilities

Govulncheck, a command-line tool to help users of Google’s Go programming language find known vulnerabilities in project dependencies, has reached 1.0.0 status, the Go security team said. Unveiled July 13, Govulncheck can analyze both binaries and source code. It reduces…

Read more →

The unhappy reality of cloud security in 2023

The studies are coming fast these days. Thales Global Cloud Security Study for 2022 found that during the past 12 months, 45% of businesses have experienced a cloud data breach or failed to perform audits. (It would have been nice for this…

Read more →

Malicious hackers are weaponizing generative AI

Although I’m swearing off studies as blog fodder, it did come to my attention that Vulcan Cyber’s Voyager18 research team recently issued an advisory validating that generative AI, such as ChatGPT, would be turned into a weapon quickly, ready to attack…

Read more →

7 key features for Kubernetes and container security

Many organizations are starting out on their Kubernetes and container journey, while others are encountering complexity issues as they scale out their deployments. Containerized applications bring many benefits, but also introduce new types of security challenges. Uptycs reduces risk for…

Read more →

Disaster recovery in the cloud

It’s late on a Friday. You get a call from your CIO that data has been removed from XYZ public cloud server, and they need it back ASAP. It gets worse. First, there is no current backup copy of the…

Read more →

AppMap: A map to reduce developer toil

Software developers are the engine of growth and innovation that powers the products on which everyone relies. Developers are a company’s most valuable resource. The demand for software engineers worldwide will rise by 22% between 2020 and 2030, even with…

Read more →

How to reduce your devops tool sprawl

After spending the last decade investing in devops, many companies are experiencing a hangover of sorts: tool sprawl. While their software delivery processes have become more streamlined, more efficient, and more reliable, they also have many more tools to license,…

Read more →

Don’t overlook attack surface management

When it comes to securing cloud computing environments, one key aspect often goes overlooked: attack surface management (ASM). Why? Many cloud security training programs, including specific cloud provider certifications, don’t focus on it. Instead, they focus on specific tools and…

Read more →

Sigstore: Roots of trust for software artifacts

For the roughly five billion people who use the internet, only a tiny fraction have any knowledge of how Transport Layer Security (TLS), digital certificates, or public keys work. Say what you will about the security perils that users still…

Read more →

A practical guide to React Native authentication

Authentication is a crucial aspect of any app or service today, as it allows the app to determine who the user is and which actions they are authorized to perform. React Native authentication refers to the process of verifying the…

Read more →

3 overlooked cloud security attack vectors

A 2022 Thales Cloud Security study revealed that 88% of enterprises store a significant amount (at least 21%) of their sensitive data in the cloud. No surprise there. Indeed, I thought the percentage would be much higher. The same report showed that…

Read more →

Splunk adds new security and observability features

Splunk is adding new security and observability features to its Observability Cloud and Mission Control to identify threats and incidents more efficiently. The company’s Observability Cloud, which offers AIops-based infrastructure monitoring, application performance monitoring (APM) and intelligence, will get new…

Read more →

Observability will transform cloud security

Security observability is the ability to gain visibility into an organization’s security posture, including its ability to detect and respond to security threats and vulnerabilities. It involves collecting, analyzing, and visualizing security data to identify potential hazards and take proactive…

Read more →

Bringing observability to cloud security

Security observability is the ability to gain visibility into an organization’s security posture, including its ability to detect and respond to security threats and vulnerabilities. It involves collecting, analyzing, and visualizing security data to identify potential hazards and take proactive…

Read more →

Tailscale: Fast and easy VPNs for developers

Networking can be an annoying problem for software developers. I’m not talking about local area networking or browsing the web, but the much harder problem of ad hoc, inbound, wide area networking. Suppose you create a dazzling website on your…

Read more →

ReversingLabs adds new context-based secret detection capabilities

The software supply chain security tool will host new secret detection capabilities through the command-line interface to help developers prioritize remediation efforts. This article has been indexed from InfoWorld Security Read the original article: ReversingLabs adds new context-based secret detection…

Read more →

GitHub 2FA campaign begins

Following through on a pledge made last year, GitHub on March 13 will begin phasing in two-factor authentication (2FA) requirements for developers contributing code to the popular code sharing site. All developers will be required to comply by the end…

Read more →

Top 10 open source software risks for 2023

While open source software is the bedrock of modern software development, it is also the weakest link in the software supply chain, according to a report by Endor Labs. This article has been indexed from InfoWorld Security Read the original…

Read more →

The tech leader’s guide to 2023

Recently, I had the opportunity to ask over a dozen leading technologists for their hopes, predictions, and guidance for the year 2023. This article distills the far-ranging conversation and wealth of insight that came back to me. The year ahead looks…

Read more →

How multicloud changes devops

Devops or devsecops (I’ll use devops for this post) is more than just a fast way to build and deploy software within the cloud and on traditional systems. It’s now a solid standard, with best practices, processes, and widely accepted…

Read more →

C++ creator Bjarne Stroustrup defends its safety

The creator of C++, Bjarne Stroustrup, is defending the venerable programming language after the US National Security Agency (NSA) recently recommended against using it. NSA advises organizations to use memory safe languages instead. Responding to the agency’s November 2022 bulletin…

Read more →

C++ creator Bjarne Stroustrup defends its safety

The creator of C++, Bjarne Stroustrup, is defending the venerable programming language after the US National Security Agency (NSA) recently recommended against using it. NSA advises organizations to use memory safe languages instead. Responding to the agency’s November 2022 bulletin…

Read more →

Ubuntu Pro security subscriptions for Linux now available

Canonical’s Ubuntu Pro, a Linux security maintenance subscription service covering thousands of applications and toolchains in the open-source ecosystem, is generally available as of January 26. Released in beta in October, Ubuntu Pro helps users of Linux desktops and servers…

Read more →

Researchers warn of malicious Visual Studio Code extensions

Can developers trust extensions downloaded for Microsoft’s popular Visual Studio Code editor? Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them. Some extensions may already have taken…

Read more →

Informatica to lay off 7% of its workforce to cut costs

The decision to lay off 450 staffers globally is expected to better align the company’s workforce to its cloud-focused strategic priorities and cut costs to suit current business needs, Informatica said in a statement. This article has been indexed from…

Read more →