Topic: security

If you don’t stop to secure DevOps as part of your VSM, you could miss it

Developers now encounter all kinds of tools and integrations coming at them from everywhere, for all parts of the software delivery process and an ever-increasing threat landscape. Trying to handle security with DevOps these days can sometimes leave us thinking like Ferris Bueller: “How could I be expected to handle school on a day like … continue reading

How Capital One is strengthening the software supply chain

As we see an increase in use of open source software, a well-managed supply chain and secure software delivery pipelines are critical for business success, according to Nureen D’Souza, leader of Capital One’s Open-Source Program Office and speaker at cdCon 2022. “It’s important to implement a company-wide culture with security ingrained that allows developers to … continue reading

WWDC 22 introduces better collaboration and focus capabilities along with Passkey security

Today at Apple’s Worldwide Developers Conference (WWDC 22), Apple announced many new features for iOS, iPadOS, macOS, and watchOS. Updates for iOS 16 focused on the lock screen, which can now showcase favorite photos, customize font styles, and display a set of widgets to get information at a glance. It also expands the availability … continue reading

Log4j is just the beginning – Secure your software with no-code DevOps orchestration

As a backbone of software ecosystems, security is a massive driver for acquiring new customers and ensuring they’re able to use software securely. However, malicious actors have found, and will find, their way into applications regardless of how vast or tall the security gates are. Recently, a critical vulnerability in Apache Log4j, a popular Java … continue reading

Lack of automation leaves companies vulnerable to attacks like Log4Shell and Spring4Shell

Sonatype found that nearly 70% of dependency management decisions are suboptimal in a study that evaluated 100,000 production applications and 4,000,000 open-source component migrations. A large part of this is due to lack of security automation, explained Ax Sharma, senior security researcher and advocate at Sonatype, in a webinar called “The Impact of Zero-Day Attacks … continue reading

SD Times Open-Source Project of the Week: CAS

Community Attestation Service (CAS) is an open-source service that helps users secure their software and is powered by Codenotary’s digital identity infrastructure. The project lets them create a Software Bill of Materials, notarize containers and let others verify them, and it provides a way to view notarized assets’ immutable history in immudb. CAS stores all … continue reading

Apple, Google, and Microsoft commit to expanding their support for FIDO Alliance

Apple, Google, and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. Whereas previous implementations of passwordless verification required users to sign in to each website or app with each device before they could use passwordless functionality, now users will … continue reading

Sysdig releases new vulnerability prioritization feature

Sysdig announced the release of Risk Spotlight, a vulnerability prioritization feature based on runtime intelligence. The feature enables teams to reduce vulnerabilities by 95% and allows developers to focus on shipping applications faster, according to Sysdig. It also delivers vulnerability details such as the CVSS vector from multiple sources, the fix version, and links to publicly … continue reading

How to avoid the top 7 Java security pitfalls

Even before the Log4j vulnerability led to the targeting of nearly one-half of global corporate networks, Java applications have presented abundant opportunities for hackers. After all, there are so many components to protect – server-side logic, client-side logic, data storage, data transportation, APIs and others – that it’s daunting to defend everything. In fact, serious … continue reading

GitHub’s Dependabot alerts now surface if code calls a vulnerability

GitHub announced a new feature for Dependabot alerts that helps developers see how vulnerabilities affect their code. Dependabot alerts use GitHub’s precise code navigation engine to determine if a repository directly calls a vulnerable function. The new feature marks a shift in how GitHub curates information on vulnerable packages from the Advisory Database to curating … continue reading

Enterprise open source and the security of the software supply chain

In late 2021, a vulnerability was detected in the Java logging package Log4j, which is the most popular framework for logging in Java. It is used in millions of applications. Not only that, but it is used as a dependency in over 7,000 open-source projects, according to research from software security company Sonatype. Given the … continue reading

Mirage 4.0 available with updates to the compiler

The library operating system MirageOS 4.0 has been released with better integrations and a significant change in how MirageOS compiles projects. The project constructs unikernels for secure, high-performance, low-energy-footprint applications across various hypervisor and embedded platforms. The MirageOS networking code powers Docker Desktop’s VPNKit and is also in use in Citrix Hypervisor, Nitrokey, Robur, … continue reading
